[Oisf-users] Suricata 4.1.5 - unable to complete certain TLS connections

Kare privat at it-connect-linux.de
Mon Oct 21 07:28:57 UTC 2019


I can confirm this behaviour on a debian stretch and debian buster
Both were updated to suricata 5.0 but the problem persists.

On one machine, I'm using oinkmaster and the other is using py update,
but was not able to tear down the reason for this behaviour.


Am 21.10.19 um 00:18 schrieb Nuno Oliveira:
> Hi,
> This happens with suricata 4.1.5 on Linux debian testing / unstable,
> working in inline (IPS) mode. I've used the official binary package
> available.
> I've started with the default suricata.yaml and
> suricata-oinkmaster.conf files, which seem to be the default upstream
> files (attached); in suricata.yaml, I've just changed the external
> interface name, and specified host-mode: router, for inline (nfqueue)
> mode.
> In suricata-oinkmaster.conf, I've also added
> modifysid emerging-trojan.rules "^alert" | "drop"
> and started suricata. There are no error / warning messages in the log
> during the startup phase.
> After the above modifysid change is introduced, certain https sites
> hang during the TLS negotiation phase. These are a bit rare, but a few
> of them are:
> https://microbiotec19.net/en/
> https://www.geekrar.com
> https://www.asbeiras.pt/
> https://www.runningwonders.com/meiamaratonacoimbra/
> All of these pages load normally when the modifysid line is commented.
> Since I get no logs of the emerging-trojan rules being activated, this
> seems unrelated, and should not occur.
> So far I've obtained the same behavior on 2 different systems. Can
> anyone else try to reproduce this?
> Thanks,
> Nuno.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191021/b5e39f29/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x82ED98EC095AC8B1.asc
Type: application/pgp-keys
Size: 2460 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191021/b5e39f29/attachment.key>

More information about the Oisf-users mailing list