[Oisf-users] SSL Connections breaking in nfqueue mode.

Leonard ljacobs at netsecuris.com
Tue Apr 17 13:53:06 UTC 2018


I might have had a similar problem, but with af-packet mode and an SSL VPN connection to a remote Sophos XG firewall. The symptom was not being able to get the Sophos admin GUI to appear. I was able to reach SSH and the command line. Still exploring what is causing this problem.

Maybe not the same issue as you experienced but just weird.

> On Apr 17, 2018, at 8:00 AM, David Sussens <dsussens at gmail.com> wrote:
> 
> Albert,
> 
> I installed suricata 4.0.4 in NFQ mode.  
> 
> My iptables config:
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>  4701 2019K NFQUEUE    all  --  enp0s3 enp0s2  0.0.0.0/0            0.0.0.0/0            NFQUEUE balance 0:1 bypass
>  6061  598K NFQUEUE    all  --  enp0s2 enp0s3  0.0.0.0/0            0.0.0.0/0            NFQUEUE balance 0:1 bypass
> 
> Then I set up an Apache 2.4 web server with a self-signed certificate on it. I am able to browse the website without problems.
> 
> This confirms, in my mind at least, that there is not an issue with 4.0.4 when it comes to SSL.  
> 
> Regards,
> 
> David Sussens.
> 
>> On Fri, Apr 13, 2018 at 8:10 AM, David Sussens <dsussens at gmail.com> wrote:
>> Albert,
>> 
>> Can you please share your iptables/nftables rule base configs with us.  That might help to determine what the problem is here.
>> 
>> David Sussens.
>>  
>> 
>>> On Tue, Apr 10, 2018 at 10:18 PM, Albert Whale <Albert.Whale at it-security-inc.com> wrote:
>>> Can someone please tell me why connecting to HTTPS websites is problematic when using the nfqueue run mode? This doesn't happen when I am using af-packet mode.
>>> 
>>> In fact, in nfqueue mode I also get the following alerts in fast.log:
>>> 
>>> 04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>>> 04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>>> 04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>>> 04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
>>> 
>>> 
>>> This is the error displayed in Safari when I am running in inline IPS mode:
>>> 
>>> 
>>> 
>>> Any ideas or suggestions?
>>> 
>>> -- 
>>> --
>>> 
>>> Albert E. Whale, CEH CHS CISA CISSP
>>> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
>>> Cell: 412-889-6870
>>> 
>>> 
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> 
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>> 
> 
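One way to triage the fast.log alerts Albert quoted, as an added example that is not code from this thread or from the Suricata project: a small Python script that parses fast.log lines in the layout shown above and groups them per flow, so that a stream-engine alert firing repeatedly on one 4-tuple (the pattern in Albert's four lines, all on 17.249.105.246:443 -> 192.168.1.180:61378) stands out from one-off noise. Assumptions: IPv4 endpoints only (fast.log prints IPv6 differently and this regex does not cover it), and the sample input is constructed from the four quoted lines plus one extra alert on a documentation-range address so the grouping is visible; it is not a real capture.

```python
"""Group Suricata fast.log alerts per flow and flag repeated handshake alerts.

Added example for the oisf-users thread; not the project's own code.
"""
import re
from collections import defaultdict
from datetime import datetime

# fast.log layout as it appears in the thread (IPv4 only; IPv6 endpoints are
# printed differently by Suricata and are not handled here):
#   MM/DD/YYYY-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**]
#   [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: the four lines quoted in the thread plus one unrelated
# alert on a documentation-range address (198.51.100.7). Not a real capture.
SAMPLE_FASTLOG = """\
04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.249.105.246:443 -> 192.168.1.180:61378
04/10/2018-13:06:01.000000  [**] [1:2210007:2] ITS Safe STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.180:61401
"""


def parse_line(line):
    """Return a dict of alert fields, or None if the line is not a fast.log alert."""
    m = FASTLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def group_by_flow(lines):
    """Group alerts by (sid, proto, src, sport, dst, dport); non-alert lines are skipped."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["sid"], rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key].append(rec)
    return flows


def summarize_flows(lines):
    """Per flow: hit count, time span of the hits, and the gaps between successive hits."""
    out = {}
    for key, recs in group_by_flow(lines).items():
        ts = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        out[key] = {
            "msg": recs[0]["msg"],
            "count": len(ts),
            "span_s": (ts[-1] - ts[0]).total_seconds(),
            "gaps_s": gaps,
        }
    return out


def repeated_handshake_alerts(lines, min_hits=3):
    """Flows on which the same stream-engine alert fired at least min_hits times.

    The same handshake segment being flagged again and again on one 4-tuple is
    the pattern in the thread; listing those flows first narrows down which
    traffic to trace through the NFQUEUE rules.
    """
    return [(key, s) for key, s in summarize_flows(lines).items() if s["count"] >= min_hits]


if __name__ == "__main__":
    for key, s in repeated_handshake_alerts(SAMPLE_FASTLOG.splitlines()):
        sid, proto, src, sport, dst, dport = key
        print(f"sid {sid} {proto} {src}:{sport} -> {dst}:{dport}: "
              f"{s['count']} hits over {s['span_s']:.3f}s, gaps {s['gaps_s']}")
```

Run it against a real fast.log with `repeated_handshake_alerts(open("/var/log/suricata/fast.log"))`; the gaps between hits (about 1, 1 and 2 seconds in the quoted lines) are worth keeping in the output, since they show the timing of the repeats rather than only that they happened.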

