
List:       oisf-users
Subject:    Re: [Oisf-users] Fwd: Fwd: Unblock whatsapp
From:       Michał Purzyński <michalpurzynski1 () gmail ! com>
Date:       2020-01-16 5:07:33
Message-ID: CAJ6bFK05sgqOxt-rj8HSQKa_AgEUAATeJsW=cq6dFr9M3jAbtg () mail ! gmail ! com


Well, that is not really a dump of the Suricata configuration, but rather a
pfsense version of it (but that's OK it kind of makes sense).

I see you have eve-log enabled. The best thing you can do is to observe
what kind of alerts are generated while you're trying to access whatsapp
and send them here.



On Wed, Jan 15, 2020 at 8:43 PM Владислав Дубов <vladislav.dubov@gmail.com>
wrote:

> Attached is our configuration.
>
> ---------- Forwarded message ---------
> From: Владислав Дубов <vladislav.dubov@gmail.com>
> Date: Thu, 16 Jan 2020 at 00:17
> Subject: Fwd: [Oisf-users] Fwd: Unblock whatsapp
> To: <Oisf-users@lists.openinfosecfoundation.org>
>
>
> Thank you. How can I view configuration?  I am totally new to this.
>
> ---------- Forwarded message ---------
> From: Michał Purzyński <michalpurzynski1@gmail.com>
> Date: Wed, 15 Jan 2020 at 23:41
> Subject: Re: [Oisf-users] Fwd: Unblock whatsapp
> To: Владислав Дубов <vladislav.dubov@gmail.com>
> Cc: Open Information Security Foundation <
> Oisf-users@lists.openinfosecfoundation.org>
>
>
> If Suricata is blocking anything, there will be an alert or a few. Can you
> share your configuration and the events that are generated? The eve-log, ideally.
>
> On Wed, Jan 15, 2020 at 12:22 PM Владислав Дубов <vladislav.dubov@gmail.com> wrote:
>
>> My notebook's local IP address was 192.168.33.217.  I use the Whatsapp
>> web version via Chrome.
>>
>> ---------- Forwarded message ---------
>> From: Владислав Дубов <vladislav.dubov@gmail.com>
>> Date: Wed, 15 Jan 2020 at 23:15
>> Subject: Fwd: [Oisf-users] Unblock whatsapp
>> To: <oisf-users@lists.openinfosecfoundation.org>
>>
>>
>> Thank you.  195.68.154.66 is our pfSense router, which hosts Suricata and
>> connects our LAN to the outside WAN.
>>
>> When the 'messy' things start, I cannot even open the Whatsapp home page
>> in my browser.  I tried that yesterday because I initially thought that the
>> problem was to do with the Whatsapp web version.
>>
>> I am going to send you today's log tomorrow morning after I get it from
>> my sysadmin.  I will also provide my machine's local IP address.
>>
>> Thanks again,
>>
>> Vladislav Dubov
>>
>> ---------- Forwarded message ---------
>> From: James Moe <jimoe@sohnen-moe.com>
>> Date: Wed, 15 Jan 2020 at 22:42
>> Subject: Re: [Oisf-users] Unblock whatsapp
>> To: oisf-users@lists.openinfosecfoundation.org <
>> oisf-users@lists.openinfosecfoundation.org>
>>
>>
>> On 2020-01-15 5:23 AM, Владислав Дубов wrote:
>>
>>   I am not convinced that Suricata is the cause here, rather a symptom.
>> There
>> may be resource constraints that are aggravated by Suricata running in
>> the host.
>>   The log shows something messy starting at 10:56:07 from IP
>> 195.68.154.66,
>> about when your Whatsapp failure starts. That IP does not resolve to
>> anything here.
>>
>> > Today this behavior occurred again.  Whatsapp stopped working at around 11AM+3:00.
>> >
>>   Here, Whatsapp shows IP addresses 169.55.60.148 and 108.168.254.65.
>> Neither of
>> those appear in your log, not even the first octet.
>>   What is the IP for Whatsapp at your location?
>>
>>   The log shows only alerts; there are no dropped packets.
>>
>>   Try this: disable the Suricata rules. In disable.conf add:
>> # Disable all SURICATA rules
>> re:SURICATA
>>
>>   and restart Suricata.
>>
>> > Yesterday, when we stopped Suricata, Whatsapp restored
>> > connection after some time.
>> >
>>   If the alert log was not rotated, suricata was stopped at 00:38:49?
>>   And when did Whatsapp reconnect?
>>
>>   Execute this command at the router, post result:
>> $ sudo iptables -nvL INPUT -w 3 | head -7
>>
>>
>> --
>> James Moe
>> moe dot james at sohnen-moe dot com
>> 520.743.3936
>> Think.
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
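Michał's advice to watch which alerts fire while the client reaches Whatsapp, and James Moe's observation that the log contains alerts but no dropped packets, can both be checked from eve.json directly. The script below is an added example, not code from the thread or from the Suricata project; the sample eve lines are constructed (reusing the addresses mentioned in the thread, with made-up signature IDs and timestamps), and it distinguishes IDS-mode alerts (action "allowed") from events that actually stopped traffic (action "blocked" or event_type "drop").

```python
import json
from collections import Counter

# Constructed eve.json sample: the 192.168.33.217 client and the two Whatsapp
# addresses are from the thread; signature IDs/timestamps are made up.
SAMPLE_EVE = """\
{"timestamp":"2020-01-15T10:56:07.000000+0300","event_type":"alert","src_ip":"192.168.33.217","dest_ip":"169.55.60.148","dest_port":443,"alert":{"signature_id":9000001,"signature":"Constructed policy alert","action":"allowed"}}
{"timestamp":"2020-01-15T10:56:09.000000+0300","event_type":"alert","src_ip":"192.168.33.217","dest_ip":"169.55.60.148","dest_port":443,"alert":{"signature_id":9000001,"signature":"Constructed policy alert","action":"allowed"}}
{"timestamp":"2020-01-15T10:57:00.000000+0300","event_type":"drop","src_ip":"192.168.33.217","dest_ip":"108.168.254.65","dest_port":5222,"alert":{"signature_id":9000002,"signature":"Constructed drop rule","action":"blocked"}}
{"timestamp":"2020-01-15T10:58:00.000000+0300","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7"}
{"timestamp":"2020-01-15T11:00:00.000000+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","alert":{"signature_id":9000003,"signature":"Other host","action":"allowed"}}
"""


def host_events(lines, host_ip):
    """Yield parsed eve records in which host_ip is the source or destination."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a half-written trailing line in a live log
        if host_ip in (rec.get("src_ip"), rec.get("dest_ip")):
            yield rec


def summarize(lines, host_ip):
    """Return (signature counts, list of events that actually blocked traffic)."""
    sigs = Counter()
    blocked = []
    for rec in host_events(lines, host_ip):
        alert = rec.get("alert")
        if rec["event_type"] == "alert" and alert:
            sigs[(alert["signature_id"], alert["signature"])] += 1
        # In IDS mode alerts carry action "allowed"; only a "blocked" action or a
        # drop event shows Suricata stopped the packet rather than just noting it.
        if rec["event_type"] == "drop" or (alert and alert.get("action") == "blocked"):
            blocked.append((rec["timestamp"], rec.get("dest_ip"), rec.get("dest_port")))
    return sigs, blocked


if __name__ == "__main__":
    counts, drops = summarize(SAMPLE_EVE.splitlines(), "192.168.33.217")
    for (sid, name), n in counts.most_common():
        print(f"{n:4d}  sid {sid}  {name}")
    print("blocked:", drops or "none (alerts only)")
```

Run it against the real log with `summarize(open("/var/log/suricata/eve.json"), "<client ip>")`; an empty blocked list with many alerts matches what James saw in the posted log.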



