[Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444

Peter Manev petermanev at gmail.com
Wed Mar 14 07:02:08 UTC 2018


On Wed, Mar 14, 2018 at 7:07 AM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> It is an Ubuntu linux appliance running Suricata.  I set the MTU to 1400 from
> the MTU 1500 it was set at, and all kinds of bad things started happening, like
> losing connections.
>
> Leonard
>
>
> From: Chris Boley <ilgtech75 at gmail.com>
> To: Leonard Jacobs <ljacobs at netsecuris.com>
> Cc: Open Information Security Foundation
> <oisf-users at lists.openinfosecfoundation.org>
> Sent: 3/13/2018 8:59 PM
> Subject: Re: [Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444
>
> Ok, thanks Leonard. Just to rule it out, from whatever node you’re sourcing
> the traffic from, I’d have a look at setting that MTU per my suggestion. If
> it’s a Windows box, there’s a netsh command to set the MTU on an interface
> temporarily. If you still have the same issues you can rule out it being a
> simple networking-related problem induced via af-packet copying the tunnel
> through Suri, and it's more likely something else. It’s a quick 2-minute check and is at
> least one data point to rule out.
>
> Best,
> CB
>
> On Tue, Mar 13, 2018 at 9:45 PM Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>
> af-packet in copy mode.  Inline IPS.  Not using iptables.  I don't like that
> mode of IPS.
>
> Leonard
>
>
>
> From: Chris Boley <ilgtech75 at gmail.com>
> To: <ljacobs at netsecuris.com>
> Cc: Open Information Security Foundation
> <oisf-users at lists.openinfosecfoundation.org>
> Sent: 3/13/2018 8:31 PM
> Subject: Re: [Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444
>
> Leonard, is Suricata running as an in-line bridge or a zero-copy style
> install?
>
> Pure speculation here:
>  I’m suspecting that it’s causing packet fragmentation due to tcp-mss
> growing during ssl sessions within/over the vpn tunnel. I’m not sure how
> Suricata is causing that, but as a test you might try manually adjusting
> your mtu on your client interface to something like:
>
> sudo ip link set dev eth0 mtu 1400
> sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
>
> That should let you squeeze the SSL session through the tunnel.
>
> If not, I'm out of ideas.  :)
> Good luck,
> CB
>
>
>
> On Tue, Mar 13, 2018 at 9:14 PM Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>
> Why would Suricata be stopping communications to the Sophos Web GUI on TCP Port
> 4444 through an IPsec VPN tunnel?
>
> The weird thing about this is that packet captures on both sides of the tunnel from
> the firewalls don't show the traffic being blocked or dropped.  I disconnect
> the WAN connection from the Suricata appliance and connect directly to the
> firewall and everything works.  Suricata is running on the outside of the
> firewall.
>
> In suricata.yaml, I put this: HTTP_PORTS: "[80,443,4444]" and it still does
> not work.  Does the problem have something to do with how Suricata interacts
> with the IPsec tunnel?  But this does not make any sense because the tunnel
> comes up and I can even PuTTY into the firewall command line console and
> ping the firewall through the tunnel.  For some reason, Suricata does not
> like ports 4444 and 443 to the private IP address of the firewall through
> the tunnel.


Which suri version is that?
I would also check if there is anything in the logs alert-wise for that
specific connection - that may give you some idea.
If you didn't have the problem before but it appeared with the new
Sophos version - maybe some rule is triggering/dropping the comms.



-- 
Regards,
Peter Manev
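As an added example of the log check suggested in the reply above (this is not code from the thread or from the Suricata project), the script below filters Suricata eve.json alert records for blocked actions toward the firewall's private address on ports 443 and 4444 and counts them per signature, so a rule that is dropping the GUI session stands out. The sample log lines, IP addresses, signature ids and rule names are constructed placeholders.

```python
import json
from collections import Counter

# Constructed eve.json sample (not from the thread). IPs, signature ids and
# rule names are placeholders; only the record layout follows Suricata's format.
SAMPLE_EVE = """\
{"timestamp":"2018-03-13T21:10:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.1","src_port":51000,"dest_port":4444,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER rule A","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-03-13T21:10:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.1","src_port":51001,"dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER rule A","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-03-13T21:10:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.1","src_port":51002,"dest_port":4444,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"PLACEHOLDER rule B","category":"Misc","severity":3}}
{"timestamp":"2018-03-13T21:10:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.168.1.1","src_port":51003,"dest_port":22,"proto":"TCP"}
{"timestamp":"2018-03-13T21:10:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.168.1.9","src_port":51004,"dest_port":4444,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000003,"rev":1,"signature":"PLACEHOLDER rule C","category":"Misc","severity":2}}
"""


def blocked_alerts(eve_text, dest_ip, dest_ports):
    """Return alert records whose action was 'blocked' for dest_ip on dest_ports.

    Non-JSON lines and non-alert events are skipped, so a partially written or
    truncated eve.json does not abort the check.
    """
    hits = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        if ev.get("dest_ip") != dest_ip or ev.get("dest_port") not in dest_ports:
            continue
        if ev.get("alert", {}).get("action") != "blocked":
            continue
        hits.append(ev)
    return hits


def summarize_by_signature(hits):
    """Count blocked alerts per (signature_id, signature) so the offending rule stands out."""
    return Counter((h["alert"]["signature_id"], h["alert"]["signature"]) for h in hits)


if __name__ == "__main__":
    # Firewall private address and the two ports the thread says are failing.
    hits = blocked_alerts(SAMPLE_EVE, "192.168.1.1", {443, 4444})
    for (sid, name), count in summarize_by_signature(hits).most_common():
        print(f"sid {sid} ({name}): {count} blocked")
```

Point the script at the real eve.json and the firewall's tunnel address to see which signature, if any, is dropping the session; an empty result points away from rules and toward the MTU/MSS path discussed earlier in the thread.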


