[Oisf-users] HTTPs connections fail.

Andreas Herz andi at geekosphere.org
Thu Aug 30 21:11:15 UTC 2018


On 28/08/18 at 08:14, Albert Whale wrote:
> OK, after validating the Interfaces and the bridge, I still have an issue
> with HTTPs connections and Apple (perhaps other as well) products.  One
> thing that I notice is the following:

Can you give us more details about the setup with the interfaces,
bridge, iptables etc.?

Did you convert alert rules to drop?

Did you try to use tcpdump to debug the traffic?

> 08/28/2018-07:31:46.969628  [**] [1:2260002:1] ITS Safe Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.235:55360 -> 192.168.1.187:50037
> 
> However, this does not indicate a problem, and there were no Drops during
> the connection test.
> 
> There are no dropped packets either.
> 
> Stats.log
> 
> Date: 8/28/2018 -- 08:12:19 (uptime: 0d, 00h 42m 37s)
> ------------------------------------------------------------------------------------
> Counter                                    | TM Name                   | Value
> ------------------------------------------------------------------------------------
> decoder.pkts                               | Total                     | 20529
> decoder.bytes                              | Total                     | 5618109
> decoder.ipv4                               | Total                     | 20529
> decoder.ipv6                               | Total                     | 15
> decoder.tcp                                | Total                     | 12418
> decoder.udp                                | Total                     | 7848
> decoder.icmpv4                             | Total                     | 171
> decoder.teredo                             | Total                     | 15
> decoder.avg_pkt_size                       | Total                     | 273
> decoder.max_pkt_size                       | Total                     | 1500
> flow.tcp                                   | Total                     | 624
> flow.udp                                   | Total                     | 1793
> tcp.sessions                               | Total                     | 562
> tcp.syn                                    | Total                     | 658
> tcp.synack                                 | Total                     | 494
> tcp.rst                                    | Total                     | 339
> tcp.overlap                                | Total                     | 1555
> detect.alert                               | Total                     | 8
> app_layer.flow.http                        | Total                     | 106
> app_layer.tx.http                          | Total                     | 106
> app_layer.flow.ftp                         | Total                     | 1
> app_layer.flow.tls                         | Total                     | 89
> app_layer.flow.smb                         | Total                     | 1
> app_layer.flow.failed_tcp                  | Total                     | 3
> app_layer.flow.dns_udp                     | Total                     | 1363
> app_layer.tx.dns_udp                       | Total                     | 1472
> app_layer.flow.failed_udp                  | Total                     | 430
> ips.accepted                               | Total                     | 18777
> ips.blocked                                | Total                     | 2077
> flow_mgr.closed_pruned                     | Total                     | 338
> flow_mgr.new_pruned                        | Total                     | 508
> flow_mgr.est_pruned                        | Total                     | 1571
> flow.spare                                 | Total                     | 10000
> flow_mgr.rows_checked                      | Total                     | 65536
> flow_mgr.rows_skipped                      | Total                     | 65536
> tcp.memuse                                 | Total                     | 2293760
> tcp.reassembly_memuse                      | Total                     | 327680
> flow.memuse                                | Total                     | 7074304
> 
> Does any of this indicate a problem?  If not, what are my next steps?   A
> Wireshark trace of the activity for IPS and unmonitored Mode?
> 
> 
> On 8/27/18 8:35 PM, Albert Whale wrote:
> >Hold off on this guys, I had to replace an Ethernet port on the bridge, let me get a fresh set of eyes on this in the morning.
> >
> >Thank you.
> >
> >Sent from my iPad
> >
> >>On Aug 27, 2018, at 8:03 PM, Albert Whale <Albert.Whale at IT-Security-inc.com> wrote:
> >>
> >>Hi I am running Suricata 4.0.5 in the IPS mode (NFQUEUE), and I have issues connecting to https websites through the IPS.
> >>
> >>I have run the same process with IDS (AF-QUEUE), and have not had any issues.
> >>
> >>I am perplexed as to what is creating this issue, because the issue does not exist when I use a Windows machine.
> >>
> >>All of the issues I am experiencing only occur with the Mac IOS or the iPhone devices.
> >>
> >>Has anyone experienced this issue before?
> >>
> >>-- 
> >>--
> >>
> >>Albert E. Whale, CEH CHS CISA CISSP
> >>Email: Albert.Whale at IT-Security-inc.com
> >>Cell: 412-889-6870
> >>
> >>_______________________________________________
> >>Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>
> >>Conference: https://suricon.net
> >>Trainings: https://suricata-ids.org/training/
> >>
> 
> -- 
> --
> 
> Albert E. Whale, CEH CHS CISA CISSP
> *President - Chief Security Officer*
> IT Security, Inc. <http://www.IT-Security-inc.com> - A Service Disabled
> Veteran Owned Company - (*SDVOSB*)
> *HUBZone Certified*
> LinkedIn <https://www.linkedin.com/in/albertwhale> Profile
> 
> 
> Phone: 412-515-3010 | Email: Albert.Whale at IT-Security-inc.com
> Cell: 412-889-6870
> 



-- 
Andreas Herz
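The stats.log dump quoted above can be checked mechanically before reaching for tcpdump. The following is an added example, not code from this thread or from the Suricata project: it parses the `Counter | TM Name | Value` layout, sums the NFQUEUE verdict counters `ips.accepted` and `ips.blocked`, and flags counters a defender would look at next. The sample input is constructed from a subset of the quoted values.

```python
import re

# Constructed sample in the stats.log layout quoted in the thread (subset of
# the quoted counters; values copied from the quoted output).
SAMPLE_STATS_LOG = """\
Date: 8/28/2018 -- 08:12:19 (uptime: 0d, 00h 42m 37s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 20529
tcp.sessions                               | Total                     | 562
tcp.overlap                                | Total                     | 1555
app_layer.flow.tls                         | Total                     | 89
app_layer.flow.failed_tcp                  | Total                     | 3
ips.accepted                               | Total                     | 18777
ips.blocked                                | Total                     | 2077
"""

# One counter row: name | thread/TM name | integer value. Header, date and
# separator lines do not match because their third column is not numeric.
LINE_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")

def parse_stats_log(text):
    """Return {counter_name: value} for the 'Total' rows of one stats dump."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("tm") == "Total":
            counters[m.group("name")] = int(m.group("value"))
    return counters

def ips_verdict_summary(counters):
    """Summarise NFQUEUE verdicts: ips.blocked counts packets given a DROP verdict."""
    accepted = counters.get("ips.accepted", 0)
    blocked = counters.get("ips.blocked", 0)
    total = accepted + blocked
    pct = round(100.0 * blocked / total, 1) if total else 0.0
    return {"accepted": accepted, "blocked": blocked, "blocked_pct": pct}

def findings(counters):
    """Observations worth checking before capturing traffic with tcpdump."""
    notes, s = [], ips_verdict_summary(counters)
    if s["blocked"]:
        notes.append(f"ips.blocked={s['blocked']} ({s['blocked_pct']}% of verdicts): "
                     "the IPS is issuing DROP verdicts; review drop.log / eve drop events")
    if counters.get("app_layer.flow.failed_tcp", 0):
        notes.append("app_layer.flow.failed_tcp>0: some TCP flows never reached an "
                     "app-layer protocol; compare with app_layer.flow.tls")
    if counters.get("tcp.overlap", 0) > counters.get("tcp.sessions", 0):
        notes.append("tcp.overlap exceeds tcp.sessions: heavy segment overlap, which can "
                     "mean retransmissions or the same packets being seen twice")
    return notes
```

Run `findings(parse_stats_log(open("/var/log/suricata/stats.log").read()))` on a real dump; only the last snapshot's rows matter, so split on the `Date:` lines first if the file holds several.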

