[Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444
Leonard Jacobs
ljacobs at netsecuris.com
Wed Mar 14 01:45:00 UTC 2018
af-packet in copy mode. Inline IPS. Not using IPtables. I don't like that mode of IPS
Leonard
From: Chris Boley <ilgtech75 at gmail.com>
To: <ljacobs at netsecuris.com>
Cc: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Sent: 3/13/2018 8:31 PM
Subject: Re: [Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444
leonard, Suricata is running as an in-line bridge or zero-copy style install?
Pure speculation here:
I’m suspecting that it’s causing packet fragmentation due to tcp-mss growing during ssl sessions within/over the vpn tunnel. I’m not sure how Suricata is causing that, but as a test you might try manually adjusting your mtu on your client interface to something like:
sudo ip link set dev eth0 mtu 1400
sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
That should let you squeeze the SSL session through the tunnel.
If not, I'm out of ideas. :)
Good luck,
CB
On Tue, Mar 13, 2018 at 9:14 PM Leonard Jacobs <ljacobs at netsecuris.com> wrote:
Why would Suricata be stopping communications to Sophos Web GUI on TCP Port 4444 through an IPSec VPN Tunnel?
The weird thing about this is packet captures on both sides of tunnel from the firewalls don't show the traffic being blocked or dropped. I disconnect the wan connection from Suricata appliance and connect directly to the firewall and everything works. Suricata running on the outside of the firewall.
In suricata.yaml, I put this HTTP_PORTS: "[80,443,4444]" and it still does not work. Does the problem have something to do with how Suricata interacts with the IPSec tunnel? But this does not make any sense because the tunnel comes up and I can even Putty into the firewall command line console and ping the firewall through the tunnel. For some reason, Suricata does not like ports 4444 and 443 to the private ip address of the firewall through the tunnel.
Thanks.
Leonard
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify Netsecuris management at mgmt at netsecuris.com. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Netsecuris Inc. The integrity and security of this message cannot be guaranteed on the Internet
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify Netsecuris management at mgmt at netsecuris.com. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Netsecuris Inc. The integrity and security of this message cannot be guaranteed on the Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180313/28c7f7c8/attachment-0002.html>
More information about the Oisf-users
mailing list