[Oisf-users] Suricata 4.1.5 - unable to complete certain TLS connections

Nuno Oliveira nuno at eq.uc.pt
Mon Oct 21 08:15:16 UTC 2019


Hi Karl,

Thanks for confirming this. Now there's about 6000 rules in 
emerging-trojan.rules to bisect.. I'm not sure if I will be able to look 
into this in the next days, but I'll post any future findings.

Regards,

Nuno.

* Kare <privat at it-connect-linux.de> [2019-10-21 08:29]:
>Hi,
>
>I can confirm this behaviour on a debian stretch and debian buster
>installation.
>Both were updated to suricata 5.0 but the problem persists.
>
>On one machine, I'm using oinkmaster and the other is using py update,
>but was not able to tear down the reason for this behaviour.
>
>regards,
>Karl
>
>Am 21.10.19 um 00:18 schrieb Nuno Oliveira:
>> Hi,
>>
>> This happens with suricata 4.1.5 on Linux debian testing / unstable,
>> working in inline (IPS) mode. I've used the official binary package
>> available.
>>
>> I've started with the default suricata.yaml and
>> suricata-oinkmaster.conf files, which seem to be the default upstream
>> files (attached); in suricata.yaml, I've just changed the external
>> interface name, and specified host-mode: router, for inline (nfqueue)
>> mode.
>>
>> In suricata-oinkmaster.conf, I've also added
>> modifysid emerging-trojan.rules "^alert" | "drop"
>>
>> and started suricata. There are no error / warning messages in the log
>> during the startup phase.
>>
>> After the above modifysid change is introduced, certain https sites
>> hang during the TLS negotiation phase. These are a bit rare, but a few
>> of them are:
>>
>> https://microbiotec19.net/en/
>> https://www.geekrar.com
>> https://www.asbeiras.pt/
>> https://www.runningwonders.com/meiamaratonacoimbra/
>>
>> All of these pages load normally when the modifysid line is commented.
>> Since I get no logs of the emerging-trojan rules being activated, this
>> seems unrelated, and should not occur.
>>
>> So far I've obtained the same behavior on 2 different systems. Can
>> anyone else try to reproduce this?
>>
>> Thanks,
>>
>> Nuno.
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>

pub   RSA 2048/095AC8B1 2018-05-08 K. Tischler <privat at it-connect-linux.de>
>sub   RSA 2048/E3C2CBBF 2018-05-08
>
>_______________________________________________
>Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>Conference: https://suricon.net
>Trainings: https://suricata-ids.org/training/



More information about the Oisf-users mailing list