[Oisf-users] Suricata 4.1.5 - unable to complete certain TLS connections

Victor Julien lists at inliniac.net
Mon Oct 21 14:21:35 UTC 2019

On 21-10-19 15:00, Nuno Oliveira wrote:
> Thanks to Karl and Victor for the help in pinpointing this.
> In suricata.yaml, I've uncommented the 3 drop log lines, enabled syslog,
> and also the emerging-info.rules line to avoid warnings about unset
> flowbits during startup.
> In suricata-oinkmaster.conf, after the line
> modifysid emerging-trojan.rules "^alert" | "drop"
> I've added
> modifysid 2024772 "^drop" | "alert"
> to revert rule 2024772 back to its original behavior. The new config
> files are attached.
> And that's it, for the previously reported 4 sites TLS can now be
> established. It turns out that I was relying only on syslog information
> for the configuration debugging. Dropped packets by this rule are always
> registered in eve.json only.
> In alert mode, matching rule 2024772 is never acknowledged in the logs.
> Is this behaviour normal? Simple tests like

Yes, the rule contains:

This is meant to tell Suricata it should not generate an alert, just set
the flowbit.

I use a catch all for that:

modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list