[Oisf-users] Fwd: Unblock whatsapp

Michał Purzyński michalpurzynski1 at gmail.com
Wed Jan 15 20:41:09 UTC 2020


If Suricata is blocking anything, there will be an alert or a few. Can you
share your configuration and events that are generated? The eve-log, ideally.

On Wed, Jan 15, 2020 at 12:22 PM Владислав Дубов <vladislav.dubov at gmail.com>
wrote:

> My notebook's local IP address was 192.168.33.217.  I use the Whatsapp web
> version via Chrome.
>
> ---------- Forwarded message ---------
> From: Владислав Дубов <vladislav.dubov at gmail.com>
> Date: Wed, Jan 15, 2020 at 23:15
> Subject: Fwd: [Oisf-users] Unblock whatsapp
> To: <oisf-users at lists.openinfosecfoundation.org>
>
>
> Thank you.  195.68.154.66 is our pfSense router, which hosts Suricata and
> connects our LAN to the outside WAN.
>
> When the 'messy' things start, I cannot even open the Whatsapp home page
> in my browser.  I tried that yesterday because I initially thought that the
> problem was to do with the Whatsapp web version.
>
> I am going to send you today's log tomorrow morning after I get it from my
> sysadmin.  I will also provide my machine's local IP address.
>
> Thanks again,
>
> Vladislav Dubov
>
> ---------- Forwarded message ---------
> From: James Moe <jimoe at sohnen-moe.com>
> Date: Wed, Jan 15, 2020 at 22:42
> Subject: Re: [Oisf-users] Unblock whatsapp
> To: oisf-users at lists.openinfosecfoundation.org <
> oisf-users at lists.openinfosecfoundation.org>
>
>
> On 2020-01-15 5:23 AM, Владислав Дубов wrote:
>
>   I am not convinced that Suricata is the cause here, rather a symptom. There
> may be resource constraints that are aggravated by Suricata running in the
> host.
>   The log shows something messy starting at 10:56:07 from IP 195.68.154.66,
> about when your Whatsapp failure starts. That IP does not resolve to
> anything here.
>
> > Today this behavior occurred again.  Whatsapp stopped working at around
> > 11AM+3:00.
> >
>   Here, Whatsapp shows IP addresses 169.55.60.148 and 108.168.254.65. Neither of
> those appear in your log, not even the first octet.
>   What is the IP for Whatsapp at your location?
>
>   The log shows only alerts; there are no dropped packets.
>
>   Try this: disable the Suricata rules. In disable.conf add:
> # Disable all SURICATA rules
> re:SURICATA
>
>   and restart Suricata.
>
> > Yesterday, when we stopped Suricata, Whatsapp restored
> > connection after some time.
> >
>   If the alert log was not rotated, suricata was stopped at 00:38:49?
>   And when did Whatsapp reconnect?
>
>   Execute this command at the router, post result:
> $ sudo iptables -nvL INPUT -w 3 | head -7
>
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
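
One way to run the check discussed in this thread (is Suricata actually dropping anything for the notebook's address, or only alerting?) over an EVE log, as an added example that is not part of the original messages. The records are constructed samples, the function names are hypothetical, and only 192.168.33.217 comes from the thread; the code relies on the `alert.action` field (`allowed`/`blocked`) and the `drop` event type of Suricata's EVE JSON output.

```python
import json
from collections import Counter

# Constructed sample EVE records (not from the thread's log). Only the host
# address 192.168.33.217 is taken from the message; sids and peers are made up.
SAMPLE_EVE = """\
{"timestamp":"2020-01-15T10:56:07.000000+0300","event_type":"alert","src_ip":"192.168.33.217","dest_ip":"203.0.113.10","alert":{"action":"allowed","signature_id":2200000,"signature":"constructed sample A"}}
{"timestamp":"2020-01-15T10:56:08.000000+0300","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.33.217","alert":{"action":"blocked","signature_id":2200001,"signature":"constructed sample B"}}
{"timestamp":"2020-01-15T10:56:08.100000+0300","event_type":"drop","src_ip":"192.168.33.217","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2020-01-15T10:56:09.000000+0300","event_type":"alert","src_ip":"192.168.33.50","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":2200001,"signature":"constructed sample B"}}
{"timestamp":"2020-01-15T10:56:09.500000+0300","event_type":"alert","src_ip":"192.168.33.217","al
{"timestamp":"2020-01-15T10:56:10.000000+0300","event_type":"flow","src_ip":"192.168.33.217","dest_ip":"203.0.113.10"}
"""

def blocking_events(lines, host):
    """Return (blocked_records, allowed_alert_count) for traffic to or from host."""
    blocked, allowed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated record, e.g. a log copied while being written
        if not isinstance(ev, dict) or host not in (ev.get("src_ip"), ev.get("dest_ip")):
            continue
        etype = ev.get("event_type")
        action = ev.get("alert", {}).get("action")
        # Traffic was stopped only for drop events or alerts marked "blocked";
        # an "allowed" alert means the packet was logged and passed on.
        if etype == "drop" or (etype == "alert" and action == "blocked"):
            blocked.append(ev)
        elif etype == "alert":
            allowed += 1
    return blocked, allowed

def summarize(blocked):
    """Count blocked records per signature id so the responsible rule stands out."""
    return Counter(ev.get("alert", {}).get("signature_id", "no-sid") for ev in blocked)

if __name__ == "__main__":
    blocked, allowed = blocking_events(SAMPLE_EVE.splitlines(), "192.168.33.217")
    print(f"blocked={len(blocked)} allowed-only alerts={allowed}")
    for sid, count in summarize(blocked).items():
        print(f"  sid {sid}: {count}")
```

To use it on a real log, pass the open `eve.json` file object in place of `SAMPLE_EVE.splitlines()`.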