[Oisf-users] SSL Connections breaking in nfqueue mode.

Chris Boley ilgtech75 at gmail.com
Tue Apr 10 21:34:42 UTC 2018


I’m not really sure if by posting this I’m adding to the confusion or
helping steer you down the correct path. Anyway, this article seems sort of
relevant, but I might be sending you on a goose chase. Proceed with caution
;)

https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/


On Tue, Apr 10, 2018 at 4:18 PM Albert Whale <
Albert.Whale at it-security-inc.com> wrote:

> Can someone please tell me why connecting to HTTPS websites is
> problematic when using the nfqueue run mode?  This doesn't happen when I am
> using af-packet mode.
>
> In fact in nfqueue mode, I also get the following alerts from fast.log:
>
> 04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM 3way
> handshake SYNACK with wrong ack [**] [Classification: Generic Protocol
> Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 ->
> 192.168.1.180:61378
> 04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM 3way
> handshake SYNACK with wrong ack [**] [Classification: Generic Protocol
> Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 ->
> 192.168.1.180:61378
> 04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM 3way
> handshake SYNACK with wrong ack [**] [Classification: Generic Protocol
> Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 ->
> 192.168.1.180:61378
> 04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM 3way
> handshake SYNACK with wrong ack [**] [Classification: Generic Protocol
> Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 ->
> 192.168.1.180:61378
>
>
> This is the error displayed in Safari when I am running in-line IPS mode:
>
> Any ideas or suggestions?
> --
> --
>
> Albert E. Whale, CEH CHS CISA CISSP
> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
> Cell: 412-889-6870
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bohimnnhonmpjjin.png
Type: image/png
Size: 36421 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180410/694007ce/attachment-0001.png>
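
A way to triage the alerts quoted above, as an added example that is not part of either message or of Suricata itself: it parses fast.log lines, groups hits on SID 2210007 by source and destination, and reports the gaps between repeats. The sample input is the four alerts from the thread with the e-mail line wrapping undone; the function names and the `min_hits` threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four fast.log alerts quoted in the thread, with the e-mail line wrapping undone.
SAMPLE = """\
04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
"""

# fast.log layout: timestamp [**] [gid:sid:rev] msg [**] [Classification..] [Priority..] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_log(text):
    """Yield (timestamp, sid, src, dst) for each well-formed fast.log line."""
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        yield ts, int(m["sid"]), m["src"], m["dst"]

def repeated_alerts(text, sid=2210007, min_hits=2):
    """Group alerts for `sid` by (src, dst); return the gaps between hits in seconds."""
    flows = defaultdict(list)
    for ts, alert_sid, src, dst in parse_fast_log(text):
        if alert_sid == sid:
            flows[(src, dst)].append(ts)
    report = {}
    for flow, stamps in flows.items():
        stamps.sort()
        if len(stamps) >= min_hits:  # a single hit has no gap to report
            report[flow] = [round((b - a).total_seconds(), 3)
                            for a, b in zip(stamps, stamps[1:])]
    return report

if __name__ == "__main__":
    for (src, dst), gaps in repeated_alerts(SAMPLE).items():
        print(f"{src} -> {dst}: {len(gaps) + 1} alerts, gaps {gaps} s")
```

On the thread's four lines this reports one flow with gaps of roughly 1 s, 1 s and 2 s, a pattern consistent with the peer resending its SYN/ACK for a handshake that never completes.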

