[Oisf-users] HTTPs connections fail.
Albert Whale
Albert.Whale at IT-Security-inc.com
Tue Aug 28 12:14:44 UTC 2018
OK, after validating the interfaces and the bridge, I still have an
issue with HTTPS connections and Apple (perhaps others as well)
products. One thing that I notice is the following:
08/28/2018-07:31:46.969628 [**] [1:2260002:1] ITS Safe Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.235:55360 -> 192.168.1.187:50037
However, this does not indicate a problem, and there were no Drops
during the connection test.
There are no dropped packets either.
Stats.log
Date: 8/28/2018 -- 08:12:19 (uptime: 0d, 00h 42m 37s)
----------------------------------------------------
Counter                     | TM Name | Value
----------------------------------------------------
decoder.pkts                | Total   | 20529
decoder.bytes               | Total   | 5618109
decoder.ipv4                | Total   | 20529
decoder.ipv6                | Total   | 15
decoder.tcp                 | Total   | 12418
decoder.udp                 | Total   | 7848
decoder.icmpv4              | Total   | 171
decoder.teredo              | Total   | 15
decoder.avg_pkt_size        | Total   | 273
decoder.max_pkt_size        | Total   | 1500
flow.tcp                    | Total   | 624
flow.udp                    | Total   | 1793
tcp.sessions                | Total   | 562
tcp.syn                     | Total   | 658
tcp.synack                  | Total   | 494
tcp.rst                     | Total   | 339
tcp.overlap                 | Total   | 1555
detect.alert                | Total   | 8
app_layer.flow.http         | Total   | 106
app_layer.tx.http           | Total   | 106
app_layer.flow.ftp          | Total   | 1
app_layer.flow.tls          | Total   | 89
app_layer.flow.smb          | Total   | 1
app_layer.flow.failed_tcp   | Total   | 3
app_layer.flow.dns_udp      | Total   | 1363
app_layer.tx.dns_udp        | Total   | 1472
app_layer.flow.failed_udp   | Total   | 430
ips.accepted                | Total   | 18777
ips.blocked                 | Total   | 2077
flow_mgr.closed_pruned      | Total   | 338
flow_mgr.new_pruned         | Total   | 508
flow_mgr.est_pruned         | Total   | 1571
flow.spare                  | Total   | 10000
flow_mgr.rows_checked       | Total   | 65536
flow_mgr.rows_skipped       | Total   | 65536
tcp.memuse                  | Total   | 2293760
tcp.reassembly_memuse       | Total   | 327680
flow.memuse                 | Total   | 7074304
Does any of this indicate a problem? If not, what are my next steps?
A Wireshark trace of the activity in IPS and unmonitored mode?
On 8/27/18 8:35 PM, Albert Whale wrote:
> Hold off on this guys, I had to replace an Ethernet port on the bridge, let me get a fresh set of eyes on this in the morning.
>
> Thank you.
>
> Sent from my iPad
>
>> On Aug 27, 2018, at 8:03 PM, Albert Whale <Albert.Whale at IT-Security-inc.com> wrote:
>>
>> Hi I am running Suricata 4.0.5 in the IPS mode (NFQUEUE), and I have issues connecting to https websites through the IPS.
>>
>> I have run the same process with IDS (AF-QUEUE), and have not had any issues.
>>
>> I am perplexed as to what is creating this issue, because the issue does not exist when I use a Windows machine.
>>
>> All of the issues I am experiencing only occur with the Mac IOS or the iPhone devices.
>>
>> Has anyone experienced this issue before?
>>
>> --
>>
>> Albert E. Whale, CEH CHS CISA CISSP
>> Email: Albert.Whale at IT-Security-inc.com
>> Cell: 412-889-6870
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
--
Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Security Officer*
IT Security, Inc. <http://www.IT-Security-inc.com> - A Service Disabled
Veteran Owned Company - (*SDVOSB*)
*HUBZone Certified*
LinkedIn <https://www.linkedin.com/in/albertwhale> Profile
Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
Cell: 412-889-6870
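One way to read a stats.log dump like the one quoted above, as an added example that is not part of the original post or of Suricata itself: the script parses the "Counter | TM Name | Value" table that stats.log emits and flags the counters a practitioner would check first when connections fail through an NFQUEUE IPS (ips.blocked, which counts packets given a DROP verdict; SYNs without a matching SYN/ACK; tcp.overlap relative to the session count; and flows whose application protocol was never detected). The sample table is constructed from the values in the post, and the thresholds in triage() are assumptions chosen for this example, not Suricata defaults.

```python
"""Triage a Suricata stats.log table for an NFQUEUE IPS that is breaking connections.

Added example, not from the original post or the Suricata project. Parses the
'Counter | TM Name | Value' layout of stats.log and flags counters worth checking.
The sample below is constructed from the values quoted in the post; the thresholds
passed to triage() are assumptions for this example, not Suricata defaults.
"""
import re

# Constructed sample: an excerpt of the stats.log values quoted in the post.
SAMPLE_STATS = """\
----------------------------------------------------
Counter                     | TM Name | Value
----------------------------------------------------
decoder.pkts                | Total   | 20529
decoder.max_pkt_size        | Total   | 1500
tcp.sessions                | Total   | 562
tcp.syn                     | Total   | 658
tcp.synack                  | Total   | 494
tcp.rst                     | Total   | 339
tcp.overlap                 | Total   | 1555
detect.alert                | Total   | 8
app_layer.flow.tls          | Total   | 89
app_layer.flow.failed_tcp   | Total   | 3
ips.accepted                | Total   | 18777
ips.blocked                 | Total   | 2077
"""

# name | thread-name | integer value; header and dash lines do not match.
COUNTER_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter_name: value} for one stats.log dump (last value wins if repeated)."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def drop_ratio(counters):
    """Fraction of NFQ verdicts that were drops: ips.blocked / (ips.blocked + ips.accepted)."""
    blocked = counters.get("ips.blocked", 0)
    accepted = counters.get("ips.accepted", 0)
    total = blocked + accepted
    return blocked / total if total else 0.0


def triage(counters, max_drop_ratio=0.0, overlap_per_session=1.0):
    """Return a list of findings. Threshold arguments are assumed values for this example."""
    findings = []
    ratio = drop_ratio(counters)
    if ratio > max_drop_ratio:
        findings.append(
            "ips.blocked=%d (%.1f%% of NFQ verdicts were DROP); check the drop "
            "rules and stream inline settings, and correlate with eve drop events"
            % (counters.get("ips.blocked", 0), 100 * ratio))
    syn, synack = counters.get("tcp.syn", 0), counters.get("tcp.synack", 0)
    if synack < syn:
        findings.append(
            "tcp.syn=%d but tcp.synack=%d: %d handshakes did not complete or were "
            "seen in one direction only" % (syn, synack, syn - synack))
    sessions = counters.get("tcp.sessions", 0)
    overlap = counters.get("tcp.overlap", 0)
    if sessions and overlap / sessions > overlap_per_session:
        findings.append(
            "tcp.overlap=%d across %d sessions: heavy retransmission/overlap, "
            "consistent with packets being lost on the path" % (overlap, sessions))
    if counters.get("app_layer.flow.failed_tcp", 0):
        findings.append("app_layer.flow.failed_tcp=%d TCP flows with no protocol detected"
                        % counters["app_layer.flow.failed_tcp"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_stats(SAMPLE_STATS)):
        print("-", finding)
```

To use it on a live sensor, read the most recent dump from stats.log (each dump starts with a Date: line) and pass it to parse_stats(); the findings are starting points for a packet capture on both sides of the bridge, not a verdict by themselves.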