[Oisf-users] Suricata 4.1.5 - unable to complete certain TLS connections

Nuno Oliveira nuno at eq.uc.pt
Mon Oct 21 15:21:01 UTC 2019


* Victor Julien <lists at inliniac.net> [2019-10-21 15:21]:
>On 21-10-19 15:00, Nuno Oliveira wrote:
>> Thanks to Karl and Victor for the help in pinpointing this.
>>
>> In suricata.yaml, I've uncommented the 3 drop log lines, enabled syslog,
>> and also the emerging-info.rules line to avoid warnings about unset
>> flowbits during startup.
>>
>> In suricata-oinkmaster.conf, after the line
>>
>> modifysid emerging-trojan.rules "^alert" | "drop"
>>
>> I've added
>>
>> modifysid 2024772 "^drop" | "alert"
>>
>> to revert rule 2024772 back to its original behavior. The new config
>> files are attached.
>>
>> And that's it, for the previously reported 4 sites TLS can now be
>> established. It turns out that I was relying only on syslog information
>> for the configuration debugging. Dropped packets by this rule are always
>> registered in eve.json only.
>>
>> In alert mode, matching rule 2024772 is never acknowledged in the logs.
>> Is this behaviour normal? Simple tests like
>
>Yes, the rule contains:
>flowbits:noalert;
>
>This is meant to tell Suricata it should not generate an alert, just set
>the flowbit.
>
>I use a catch all for that:
>
>modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
>
>-- 
>---------------------------------------------
>Victor Julien
>http://www.inliniac.net/
>PGP: http://www.inliniac.net/victorjulien.asc
>---------------------------------------------

Hi Victor,

That's it. Thanks for the help,

Regards,

Nuno.
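The thread turns on how oinkmaster's `modifysid` lines rewrite rule actions: a plain `"^alert" | "drop"` flips every rule to drop, including rules that carry `flowbits:noalert` and only exist to set a flowbit, so their drops never show up as alerts. The following script is an added illustration, not code from the thread, from oinkmaster or from Suricata. It models `modifysid` as the Perl-style substitution it is (including `${1}`-style back-references), runs Victor's catch-all and Nuno's per-SID revert over a few constructed rules with placeholder SIDs in the 9000000 range, and reports the resulting action per SID. Only the `*` and single-numeric-SID targets are modelled; the per-file target form (a `.rules` filename, as in the `emerging-trojan.rules` line) is not.

```python
import re

# Constructed sample rules, not taken from any ruleset: placeholder SIDs.
SAMPLE_RULES = [
    'drop tls $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"EXAMPLE flowbit setter"; flowbits:set,example.seen; flowbits:noalert; '
    'sid:9000001; rev:1;)',
    'drop http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE C2 beacon"; content:"beacon"; sid:9000002; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE plain alert"; sid:9000003; rev:1;)',
]

# modifysid <sid|*> "<regex>" | "<replacement>"
MODIFYSID_LINE = re.compile(r'^modifysid\s+(\S+)\s+"(.*)"\s*\|\s*"(.*)"\s*$')
SID_OPT = re.compile(r'\bsid:(\d+);')


def perl_repl_to_python(replacement):
    """Turn oinkmaster's Perl-style ${N} back-references into Python's \\g<N>."""
    return re.sub(r'\$\{(\d+)\}', r'\\g<\1>', replacement)


def parse_modifysid(line):
    """Parse one modifysid directive into (target, compiled regex, replacement).

    Assumption: only '*' and a single numeric SID are handled here; the
    per-file target that oinkmaster also accepts is not modelled.
    """
    m = MODIFYSID_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a modifysid line: {line!r}")
    target, pattern, replacement = m.groups()
    return target, re.compile(pattern), perl_repl_to_python(replacement)


def apply_modifysids(rules, config_lines):
    """Apply each modifysid directive, in config order, to every rule it targets."""
    directives = [parse_modifysid(l) for l in config_lines
                  if l.strip().startswith("modifysid")]
    out = []
    for rule in rules:
        sid_match = SID_OPT.search(rule)
        sid = sid_match.group(1) if sid_match else None
        for target, regex, repl in directives:
            if target == "*" or target == sid:
                rule = regex.sub(repl, rule, count=1)
        out.append(rule)
    return out


def action_by_sid(rules):
    """Map sid -> rule action (first word) so a config's effect is easy to check."""
    result = {}
    for rule in rules:
        sid_match = SID_OPT.search(rule)
        if sid_match:
            result[sid_match.group(1)] = rule.split(None, 1)[0]
    return result


# Same shape as the thread: flip everything to drop, then use the catch-all
# to put flowbits:noalert rules back to alert so they only set their flowbit.
CONFIG = [
    'modifysid * "^alert" | "drop"',
    'modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"',
]

if __name__ == "__main__":
    for rule in apply_modifysids(SAMPLE_RULES, CONFIG):
        print(rule)
```

With `CONFIG` applied, the flowbit-setting rule 9000001 ends up as `alert` (and keeps its `flowbits:noalert`, so it still produces no alert, only the flowbit), while the two ordinary rules end up as `drop`. Swapping in the per-SID form from the thread, `modifysid 9000002 "^drop" | "alert"`, touches only that one SID and leaves the rest alone.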