[Oisf-users] SSL Connections breaking in nfqueue mode.
Albert Whale
Albert.Whale at IT-Security-inc.com
Wed Apr 11 16:02:22 UTC 2018
I just rechecked the nfqueue (cat /proc/net/netfilter/nfnetlink_queue) -
no dropped packets. But there is also no file called
/proc/net/netfilter/nf_queue
Is this supposed to be there?
--
Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Security Officer*
IT Security, Inc. <http://www.IT-Security-inc.com> - A Service Disabled
Veteran Owned Company - (*SDVOSB*)
*HUBZone Certified*
LinkedIn <https://www.linkedin.com/in/albertwhale> Profile
Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
Cell: 412-889-6870
On 4/10/18 5:34 PM, Chris Boley wrote:
> I’m not really sure if by posting this that I’m adding to the
> confusion or helping steer you down the correct path? Anyway this
> article seems sort of relevant but I might be sending you on a goose
> chase. Proceed with caution ;)
>
> https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/
>
>
> On Tue, Apr 10, 2018 at 4:18 PM Albert Whale
> <Albert.Whale at it-security-inc.com> wrote:
>
> Can someone please tell me why connecting to HTTPS websites
> is problematic when using the nfqueue run mode? This doesn't
> happen when I am using af-packet mode.
>
> In fact in nfqueue mode, I also get the following alerts from
> fast.log:
>
> 04/10/2018-13:05:49.504292 [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
> 04/10/2018-13:05:50.534691 [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
> 04/10/2018-13:05:51.570889 [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
> 04/10/2018-13:05:53.632130 [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>
>
> This is the error displayed in safari when I am running in-line
> IPS mode:
>
> Any ideas or suggestions?
>
> --
>
> Albert E. Whale, CEH CHS CISA CISSP
> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
> Cell: 412-889-6870
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bohimnnhonmpjjin.png
Type: image/png
Size: 36421 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180411/f2dfb4e5/attachment-0001.png>