[Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444

Chris Boley ilgtech75 at gmail.com
Wed Mar 14 01:31:08 UTC 2018


Leonard, is Suricata running as an in-line bridge or zero-copy style
install?

Pure speculation here:
I’m suspecting that it’s causing packet fragmentation due to tcp-mss
growing during ssl sessions within/over the vpn tunnel. I’m not sure how
Suricata is causing that, but as a test you might try manually adjusting
your mtu on your client interface to something like:

sudo ip link set dev eth0 mtu 1400
sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu

That should let you squeeze the SSL session through the tunnel.

If not, I'm out of ideas.  :)
Good luck,
CB
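To check the fragmentation theory above before touching MTU or clamping rules, the following added example (not from the thread or the Suricata project) computes the largest MSS that still fits through an encapsulating tunnel and flags SYNs from a tcpdump capture whose advertised MSS exceeds it. The link MTU, the tunnel overhead figure and the capture lines are assumptions constructed for the example.

```python
import re

IPV4_HDR = 20   # bytes, IPv4 header without options
TCP_HDR = 20    # bytes, TCP header without options (MSS excludes options)

# Assumed per-packet overhead added by an ESP tunnel-mode IPsec SA
# (outer IP, ESP header, IV, padding, trailer, ICV); adjust to your cipher.
ASSUMED_ESP_OVERHEAD = 73

# Constructed tcpdump lines: a client SYN toward the firewall GUI on
# port 4444, then one from a host whose MSS was already lowered.
SAMPLE_SYNS = [
    "01:31:08.100 IP 10.0.0.5.51234 > 192.168.1.1.4444: Flags [S], seq 1, "
    "win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "01:31:09.200 IP 10.0.0.7.40001 > 192.168.1.1.443: Flags [S], seq 9, "
    "win 29200, options [mss 1360,sackOK,nop,wscale 6], length 0",
]

SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[S\.?\]")
MSS_RE = re.compile(r"options \[[^\]]*\bmss (\d+)")


def max_safe_mss(link_mtu: int, tunnel_overhead: int) -> int:
    """Largest TCP payload that fits one outer packet after encapsulation."""
    return link_mtu - tunnel_overhead - IPV4_HDR - TCP_HDR


def clamp_mss(advertised: int, link_mtu: int, tunnel_overhead: int) -> int:
    """What a TCPMSS-style clamp would rewrite the option to."""
    return min(advertised, max_safe_mss(link_mtu, tunnel_overhead))


def flag_oversized(lines, link_mtu: int, tunnel_overhead: int):
    """Return (src, dst, mss, oversized) for each SYN carrying an MSS option.

    oversized=True means a full-size segment will exceed the link MTU once
    the tunnel headers are added, so it must be fragmented or dropped.
    """
    limit = max_safe_mss(link_mtu, tunnel_overhead)
    results = []
    for line in lines:
        syn = SYN_RE.search(line)
        mss = MSS_RE.search(line)
        if not syn or not mss:
            continue  # not a SYN, or no MSS option advertised
        value = int(mss.group(1))
        results.append((syn.group(1), syn.group(2), value, value > limit))
    return results
```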



On Tue, Mar 13, 2018 at 9:14 PM Leonard Jacobs <ljacobs at netsecuris.com>
wrote:

> Why would Suricata be stopping communications to Sophos Web GUI on TCP
> Port 4444 through an IPSec VPN Tunnel?
>
> The weird thing about this is packet captures on both sides of tunnel from
> the firewalls don't show the traffic being blocked or dropped.  I
> disconnect the wan connection from Suricata appliance and connect directly
> to the firewall and everything works.  Suricata running on the outside of
> the firewall.
>
> In suricata.yaml, I put this HTTP_PORTS: "[80,443,4444]" and it still does
> not work.  Does the problem have something to do with how Suricata
> interacts with the IPSec tunnel?  But this does not make any sense because
> the tunnel comes up and I can even Putty into the firewall command line
> console and ping the firewall through the tunnel.  For some reason,
> Suricata does not like ports 4444 and 443 to the private ip address of the
> firewall through the tunnel.
>
> Thanks.
>
> Leonard
>