[Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444

Chris Boley ilgtech75 at gmail.com
Wed Mar 14 01:59:39 UTC 2018


Ok, thanks Leonard. Just to rule it out, from whatever node you're sourcing
the traffic from, I'd have a look at setting that MTU per my suggestion. If
it's a Windows box, there's a netsh command to set the MTU on an interface
temporarily. If you still have the same issues you can rule out it being a
simple networking-related problem induced via af-packet copying the tunnel
through Suri, and more likely something else. It's a quick 2-minute check and
is at least one data point to rule out.

Best,
CB

On Tue, Mar 13, 2018 at 9:45 PM Leonard Jacobs <ljacobs at netsecuris.com>
wrote:

> af-packet in copy mode. Inline IPS. Not using iptables. I don't like
> that mode of IPS.
>
> Leonard
>
>
>
> From: Chris Boley <ilgtech75 at gmail.com>
> To: <ljacobs at netsecuris.com>
> Cc: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
> Sent: 3/13/2018 8:31 PM
> Subject: Re: [Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444
>
> Leonard, is Suricata running as an in-line bridge or a zero-copy style
> install?
>
> Pure speculation here:
> I'm suspecting that it's causing packet fragmentation due to tcp-mss
> growing during ssl sessions within/over the vpn tunnel. I'm not sure how
> Suricata is causing that, but as a test you might try manually adjusting
> your mtu on your client interface to something like:
>
> sudo ip link set dev eth0 mtu 1400
> sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
>
> That should let you squeeze the SSL session through the tunnel.
>
> If not, I'm out of ideas.  :)
> Good luck,
> CB
>
>
>
> On Tue, Mar 13, 2018 at 9:14 PM Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>
> Why would Suricata be stopping communications to Sophos Web GUI on TCP
> Port 4444 through an IPSec VPN Tunnel?
>
> The weird thing about this is packet captures on both sides of tunnel from
> the firewalls don't show the traffic being blocked or dropped.  I
> disconnect the wan connection from Suricata appliance and connect directly
> to the firewall and everything works.  Suricata running on the outside of
> the firewall.
>
> In suricata.yaml, I put this HTTP_PORTS: "[80,443,4444]" and it still does
> not work. Does the problem have something to do with how Suricata
> interacts with the IPSec tunnel? But this does not make any sense because
> the tunnel comes up and I can even PuTTY into the firewall command line
> console and ping the firewall through the tunnel. For some reason,
> Suricata does not like ports 4444 and 443 to the private IP address of the
> firewall through the tunnel.
>
> Thanks.
>
> Leonard
>
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> If you have received this email in error please notify Netsecuris
> management at mgmt at netsecuris.com. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Netsecuris Inc. The integrity and security
> of this message cannot be guaranteed on the Internet
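The MTU check that Chris proposes above (drop the interface MTU and clamp the MSS, then see whether the problem persists), as an added example that is not code from either poster or from the Suricata project: a POSIX shell script that binary-searches the largest DF-marked ICMP payload that still crosses the tunnel, then derives the path MTU and the MSS value an iptables TCPMSS clamp would need. It assumes Linux iputils `ping` (where `-M do` sets the DF bit) and IPv4 without options; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): probe the path MTU through the tunnel
# with DF-marked pings, so a fragmentation theory can be confirmed or ruled out.
# Assumes Linux iputils ping ("-M do" = set DF, fail instead of fragmenting).

# ping_df HOST PAYLOAD: true if one DF-marked ping of PAYLOAD bytes is answered.
ping_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# pmtu_search PROBE LO HI: PROBE is a function taking a payload size and
# returning success when that size passes. Assumes pass/fail is monotonic in
# size. Prints the largest passing payload in [LO, HI]; returns 1 if LO fails.
pmtu_search() {
    probe=$1; lo=$2; hi=$3
    "$probe" "$lo" || return 1
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu: ICMP payload + 8 bytes ICMP header + 20 bytes IPv4 header.
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss: MSS for IPv4/TCP without options = MTU - 20 (IP) - 20 (TCP).
mtu_to_mss() { echo $(( $1 - 40 )); }

# Usage: sh pmtu.sh <host-on-far-side-of-tunnel>
if [ -n "${1:-}" ]; then
    host=$1
    probe_host() { ping_df "$host" "$1"; }
    # 1472 is the largest payload that fits a 1500-byte Ethernet MTU.
    payload=$(pmtu_search probe_host 100 1472) || { echo "no reply even at 100 bytes"; exit 1; }
    mtu=$(payload_to_mtu "$payload")
    echo "largest DF payload: $payload, path MTU: $mtu, clamp MSS to: $(mtu_to_mss "$mtu")"
fi
```

If the reported path MTU is below 1500, the drop in MTU plus the clamp is the two-minute test from the thread; if it is 1500 and the GUI still fails, fragmentation is ruled out and the cause lies elsewhere.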