[Oisf-users] SSL Connections breaking in nfqueue mode.

David Sussens dsussens at gmail.com
Tue Apr 17 13:00:44 UTC 2018


Albert,

I installed suricata 4.0.4 in NFQ mode.

My iptable configs:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4701 2019K NFQUEUE    all  --  enp0s3 enp0s2  0.0.0.0/0            0.0.0.0/0            NFQUEUE balance 0:1 bypass
 6061  598K NFQUEUE    all  --  enp0s2 enp0s3  0.0.0.0/0            0.0.0.0/0            NFQUEUE balance 0:1 bypass

Then I set up an Apache 2.4 web server with a self-signed certificate on
it. I am able to browse the website without problems.

This confirms, in my mind at least, that there is not an issue with 4.0.4
when it comes to SSL.

Regards,

David Sussens.

On Fri, Apr 13, 2018 at 8:10 AM, David Sussens <dsussens at gmail.com> wrote:

> Albert,
>
> Can you please share your iptables/nftables rule base configs with us.
> That might help to determine what the problem is here.
>
> David Sussens.
>
>
> On Tue, Apr 10, 2018 at 10:18 PM, Albert Whale <
> Albert.Whale at it-security-inc.com> wrote:
>
>> Can someone please tell me why connecting to HTTPS websites is
>> problematic when using the nfqueue run mode?  This doesn't happen when I am
>> using af-packet mode.
>>
>> In fact in nfqueue mode, I also get the following alerts from fast.log:
>>
>> 04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>> 04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>> 04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>> 04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>>
>>
>> This is the error displayed in Safari when I am running in-line IPS mode:
>>
>> Any ideas or suggestions?
>> --
>> --
>>
>> Albert E. Whale, CEH CHS CISA CISSP
>> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
>> Cell: 412-889-6870
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>
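As an added diagnostic example (not code from either poster or from the Suricata project), the parser below reads fast.log lines in the layout quoted in Albert's message, groups the "SYNACK with wrong ack" stream-engine alerts by flow and reports the flows where the same anomaly repeats, which is the pattern to look for when HTTPS connections fail only in inline NFQ mode. The sample lines are constructed after the quoted ones; the address 198.51.100.7 and sid 9000001 are made-up values.

```python
import re
from collections import defaultdict

# Suricata fast.log layout as seen in the quoted alerts: timestamp, [**],
# [gid:sid:rev], message, [**], classification, priority, {proto}, src:port -> dst:port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

def parse_fast_log(lines):
    """Return one dict per well-formed alert line; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def handshake_failures(alerts, min_repeats=3):
    """Count 'SYNACK with wrong ack' alerts per 5-tuple and return flows where the alert
    repeats at least min_repeats times. One alert may be noise; the same SYN/ACK being
    flagged repeatedly means that flow never gets past the TCP handshake, so no TLS
    handshake can start on it."""
    counts = defaultdict(int)
    for a in alerts:
        if "SYNACK with wrong ack" in a["msg"]:
            key = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
            counts[key] += 1
    return {k: n for k, n in counts.items() if n >= min_repeats}

# Constructed sample modelled on the quoted alerts: four repeated SYN/ACK alerts for one
# flow, one for a second flow (198.51.100.7 is a documentation address), one unrelated
# alert with a made-up sid, and one truncated line the parser must skip.
_ALERT = ("{ts}  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] "
          "[Classification: Generic Protocol Command Decode] [Priority: 3] {{TCP}} {src}:443 -> 192.168.1.180:{dport}")
SAMPLE_FAST_LOG = [
    _ALERT.format(ts="04/10/2018-13:05:49.504292", src="17.249.105.246", dport=61378),
    _ALERT.format(ts="04/10/2018-13:05:50.534691", src="17.249.105.246", dport=61378),
    _ALERT.format(ts="04/10/2018-13:05:51.570889", src="17.249.105.246", dport=61378),
    _ALERT.format(ts="04/10/2018-13:05:53.632130", src="17.249.105.246", dport=61378),
    _ALERT.format(ts="04/10/2018-13:05:54.100000", src="198.51.100.7", dport=61380),
    "04/10/2018-13:05:55.000000  [**] [1:9000001:1] EXAMPLE unrelated alert [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.180:61390 -> 198.51.100.7:80",
    "04/10/2018-13:05:56.000000  [**] [1:2210007:2] truncated line",
]
```

Run handshake_failures(parse_fast_log(open("/var/log/suricata/fast.log").readlines())) against a real log to list the flows to compare against the NFQ rules and the stream settings.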