[Oisf-users] Suricata 4.1.5 - unable to complete certain TLS connections
Victor Julien
lists at inliniac.net
Mon Oct 21 14:21:35 UTC 2019
On 21-10-19 15:00, Nuno Oliveira wrote:
> Thanks to Karl and Victor for the help in pinpointing this.
>
> In suricata.yaml, I've uncommented the 3 drop log lines, enabled syslog,
> and also the emerging-info.rules line to avoid warnings about unset
> flowbits during startup.
>
> In suricata-oinkmaster.conf, after the line
>
> modifysid emerging-trojan.rules "^alert" | "drop"
>
> I've added
>
> modifysid 2024772 "^drop" | "alert"
>
> to revert rule 2024772 back to its original behavior. The new config
> files are attached.
>
> And that's it, for the previously reported 4 sites TLS can now be
> established. It turns out that I was relying only on syslog information
> for the configuration debugging. Dropped packets by this rule are always
> registered in eve.json only.
>
> In alert mode, matching rule 2024772 is never acknowledged in the logs.
> Is this behaviour normal? Simple tests like
Yes, the rule contains:
flowbits:noalert;
This is meant to tell Suricata it should not generate an alert, just set
the flowbit.
I use a catch all for that:
modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
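The catch-all above rewrites, at rule-load time, any `drop` rule that carries `flowbits:noalert;` back into an `alert` rule, so a rule that only exists to set a flowbit can no longer silently drop a flow. The following is an added example, not code from the thread or from oinkmaster, that replays the two `modifysid` transformations from this message on a few constructed rules (the sids and rule bodies are made up; they are not the real ET rules) and adds the audit a practitioner would want: a list of every `drop` rule in a ruleset that would fire without ever producing an alert.

```python
import re

# Constructed sample rules for illustration only. The sids and messages
# are invented; they are not the real Emerging Threats rules.
SAMPLE_RULES = [
    # Sets a flowbit only: in a drop-converted ruleset this drops traffic
    # without logging an alert (the situation described in the thread).
    'drop tls $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE TLS flowbit setter"; flow:established,to_server; '
    'flowbits:set,EXAMPLE.tls.seen; flowbits:noalert; sid:9000001; rev:1;)',
    # Normal drop rule: alerts (and logs the drop) when it matches.
    'drop tls $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE TLS bad SNI"; flow:established,to_server; '
    'flowbits:isset,EXAMPLE.tls.seen; sid:9000002; rev:1;)',
    # Rule that was never converted to drop; must be left alone.
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE plain alert"; sid:9000003; rev:1;)',
]

# Perl-style substitution used by: modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
NOALERT_DROP = re.compile(r"^drop(.*)noalert(.*)")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def sid_of(rule):
    """Return the rule's sid as an int, or None if the rule has no sid."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def revert_noalert_drops(rules):
    """Equivalent of the catch-all modifysid: drop + flowbits:noalert -> alert."""
    return [NOALERT_DROP.sub(r"alert\1noalert\2", r, count=1) for r in rules]


def revert_sid(rules, sid):
    """Equivalent of: modifysid <sid> "^drop" | "alert" (single rule only)."""
    return [re.sub(r"^drop", "alert", r, count=1) if sid_of(r) == sid else r
            for r in rules]


def silent_drop_sids(rules):
    """Audit: sids of drop rules that would drop traffic without alerting."""
    return [sid_of(r) for r in rules
            if r.startswith("drop") and "flowbits:noalert" in r]


if __name__ == "__main__":
    print("silent drops before:", silent_drop_sids(SAMPLE_RULES))
    fixed = revert_noalert_drops(SAMPLE_RULES)
    print("silent drops after: ", silent_drop_sids(fixed))
    for r in fixed:
        print(r.split(" ", 1)[0], sid_of(r))
```

Run it against a converted ruleset (one rule per line) in place of `SAMPLE_RULES` and `silent_drop_sids` lists exactly the rules that would have shown up only in the eve.json drop log; an empty list after `revert_noalert_drops` confirms the catch-all covered them all.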