[Oisf-users] Fwd: Unblock whatsapp

Michał Purzyński michalpurzynski1 at gmail.com
Fri Jan 17 16:48:40 UTC 2020


Are you saying you can use WhatsApp and other pages?

My theory says those rules starting with SURICATA were blocking SSL. They are supposed to identify weirdness, anomalies in protocols, that might signify there’s an attack not detected by any other rule.

This assumption is sometimes broken by less than perfect protocol implementation in various software.

I’d say, be careful when using those.

> On Jan 17, 2020, at 2:34 AM, Владислав Дубов <vladislav.dubov at gmail.com> wrote:
> 
> 
> Thank you.  The router box has the following configuration
> 
> Intel(R) Xeon(TM) CPU 2.80GHz
> 2 CPUs: 1 package(s) x 2 hardware threads
> AES-NI CPU Crypto: No
> Memory 1997 MiB
> 
> Is it adequate for our needs?
> 
> We have now switched SURICATA altogether.  We are not experiencing any network problems at all.
> 
> 
> 
> Fri, 17 Jan 2020 at 00:18, James Moe <jimoe at sohnen-moe.com>:
>> On 2020-01-15 1:15 PM, Владислав Дубов wrote:
>> 
>> > Thank you.  195.68.154.66 is our pfSense router, which hosts Suricata and
>> > connects our LAN to the outside WAN. 
>> > 
>>   Ah. That's helpful.
>>   I also wanted the IP address for whatsapp.com for your locale.
>> 
>>   Looking at the log, at 10:56:07 a lot of DNS requests are listed, followed by
>> some email, then a large amount of traffic between 94.124.195.19 and
>> 195.68.154.75. It continues throughout the day.
>> 
>> > When the 'messy' things start, I cannot even open the Whatsapp home page in my
>> > browser.
>> >
>>   How much memory does the router have?
>>   How much free RAM is available when Suricata is running? If the router is
>> swapping to disk, that slows processing to teletype speeds.
>>   What is the CPU usage when Suricata is running? Suricata is quite demanding of
>> CPU resources.
>> 
>>   Please try disabling the SURICATA rules. In disable.conf add:
>> # Disable all SURICATA rules
>> re:SURICATA
>> 
>> -- 
>> James Moe
>> moe dot james at sohnen-moe dot com
>> 520.743.3936
>> Think.
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
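As an added example (not code from this thread or from the pfSense Suricata package), assuming alerts are written to eve.json and that disable.conf takes the `re:` syntax quoted above: a Python triage script that counts which built-in SURICATA anomaly signatures actually blocked flows and emits disable.conf lines for only those, rather than the blanket `re:SURICATA`. The eve.json records, addresses and SIDs are constructed sample values.

```python
import json
from collections import defaultdict

# Constructed eve.json alert records (not from the thread): RFC 5737 addresses,
# sample SIDs. "SURICATA ..." signatures are Suricata's built-in anomaly rules.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","dest_port":443,"alert":{"action":"blocked","signature_id":2230010,"signature":"SURICATA TLS invalid record/traffic"}}',
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","dest_port":443,"alert":{"action":"blocked","signature_id":2230010,"signature":"SURICATA TLS invalid record/traffic"}}',
    '{"event_type":"alert","src_ip":"192.0.2.11","dest_ip":"198.51.100.5","dest_port":443,"alert":{"action":"blocked","signature_id":2230015,"signature":"SURICATA TLS invalid handshake message"}}',
    '{"event_type":"alert","src_ip":"192.0.2.12","dest_ip":"203.0.113.9","dest_port":80,"alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"event_type":"flow","src_ip":"192.0.2.12","dest_ip":"203.0.113.9"}',
])


def triage(eve_text):
    """Count blocked flows per built-in 'SURICATA ...' anomaly signature.

    Returns {signature: {"sid": int, "blocked": int, "dest_ips": set}}.
    Other signatures (real detections) and non-alert events are ignored.
    """
    stats = defaultdict(lambda: {"sid": None, "blocked": 0, "dest_ips": set()})
    for line in filter(None, map(str.strip, eve_text.splitlines())):
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        sig = alert["signature"]
        if not sig.startswith("SURICATA ") or alert.get("action") != "blocked":
            continue
        entry = stats[sig]
        entry["sid"] = alert["signature_id"]
        entry["blocked"] += 1
        entry["dest_ips"].add(ev["dest_ip"])
    return dict(stats)


def disable_conf_lines(stats, min_blocked=2):
    """Emit pfSense disable.conf 're:' entries only for anomaly signatures that
    actually blocked traffic, rather than the blanket 're:SURICATA' line."""
    lines = []
    for sig, entry in sorted(stats.items()):
        if entry["blocked"] < min_blocked:
            continue
        hosts = ", ".join(sorted(entry["dest_ips"]))
        lines.append(f"# sid {entry['sid']}: blocked {entry['blocked']} flows to {hosts}")
        lines.append("re:" + sig)  # signature names here contain no regex metacharacters
    return lines


if __name__ == "__main__":
    print("\n".join(disable_conf_lines(triage(SAMPLE_EVE))))
```

The comment lines record which hosts were affected, so the resulting disable.conf can be reviewed against the hosts users actually complained about before it is applied.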