[Oisf-users] SSL Connections breaking in nfqueue mode.

David Sussens dsussens at gmail.com
Mon Apr 16 20:18:03 UTC 2018


Apologies, Albert. I did not see that you had already posted your iptables
configs.

I am deploying Suricata 4.0.4 tomorrow in nfq mode. Will let you know if I
encounter the same problem.

David Sussens.
On 13 Apr 2018 08:10, "David Sussens" <dsussens at gmail.com> wrote:

> Albert,
>
> Can you please share your iptables/nftables rule base configs with us?
> That might help to determine what the problem is here.
>
> David Sussens.
>
>
> On Tue, Apr 10, 2018 at 10:18 PM, Albert Whale <
> Albert.Whale at it-security-inc.com> wrote:
>
>> Can someone please tell me why connecting to HTTPS websites is
>> problematic when using the nfqueue run mode?  This doesn't happen when I am
>> using af-packet mode.
>>
>> In fact, in nfqueue mode, I also get the following alerts from fast.log:
>>
>> 04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>> 04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>> 04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>> 04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>>
>>
>> This is the error displayed in Safari when I am running in-line IPS mode:
>>
>> Any ideas or suggestions?
>> --
>>
>> Albert E. Whale, CEH CHS CISA CISSP
>> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
>> Cell: 412-889-6870
>>