Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 53 replies
  • Subscribers 0 subscribers
  • Views 26036 views
  • Users 0 members are here
Options
Suggested

[9.185][BUG] Many Suspicious TCP state log entry's

mod2402
I've configured for android phones a Proxy Profile with transparent scanning and no HTTPS Scan. My firewall log shows many Suspicious TCP state entry's. See following extract:
Same result if I use Lync client on my notebook with same scan Settings.
  

17:44:40 Suspicious TCP state TCP 

192.168.24.69 : 40437

→ 

173.194.70.188 : 5228

 

[ACK PSH] len=145 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:50 Suspicious TCP state TCP 

192.168.24.69 : 37988

→ 

173.252.79.23 : 443

 

[ACK PSH] len=245 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:52 Suspicious TCP state TCP 

192.168.24.69 : 43438

→ 

173.194.112.67 : 443

 

[ACK] len=52 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:52 Suspicious TCP state TCP 

192.168.24.69 : 42822

→ 

173.194.112.67 : 443

 

[ACK] len=52 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:52 Suspicious TCP state TCP 

192.168.24.69 : 43438

→ 

173.194.112.67 : 443

 

[ACK] len=64 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:52 Suspicious TCP state TCP 

192.168.24.69 : 42822

→ 

173.194.112.67 : 443

 

[ACK] len=64 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:52 Suspicious TCP state TCP 

192.168.24.69 : 43438

→ 

173.194.112.67 : 443

 

[ACK] len=64 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:53 Suspicious TCP state TCP 

192.168.24.69 : 40321

→ 

173.252.79.23 : 443

 

[ACK PSH] len=245 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:54 Suspicious TCP state TCP 

192.168.24.69 : 37988

→ 

173.252.79.23 : 443

 

[RST] len=40 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

17:44:54 Suspicious TCP state TCP 

192.168.24.69 : 37988

→ 

173.252.79.23 : 443

 

[RST] len=40 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

 
The lync client disconnects the connection often if I use non https scanning. With "URL Filtering only", the client seems to work without disconnections. 
 
regards
mod
Parents
  • 0
    I am also having the Suspicious TCP state log entry's connection gets drop  

    1. Strict TCP session enabled
    2. Web filtering--> HTTPS traffic-> Decrypt and scan enabled.
    3. Web filtering -> Transparent mode enabled.

    here are some logs

    2014:02:24-12:02:28 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.127" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="124.XX.XX.XX" proto="6" length="178" tos="0x00" prec="0x00" ttl="127" srcport="44677" dstport="20003" tcpflags="ACK PSH" 
    2014:02:24-12:02:28 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.127" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="124.XX.XX.XX" proto="6" length="178" tos="0x00" prec="0x00" ttl="127" srcport="44677" dstport="20003" tcpflags="ACK PSH

    2014:02:24-11:45:48 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.129" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="198.XX.XX.XX" proto="6" length="66" tos="0x00" prec="0x00" ttl="63" srcport="54834" dstport="5223" tcpflags="ACK PSH" 
    2014:02:24-11:45:48 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.129" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="198.XX.XX.XX" proto="6" length="136" tos="0x00" prec="0x00" ttl="63" srcport="54834" dstport="5223" tcpflags="ACK PSH FIN"
Reply
  • 0
    I am also having the Suspicious TCP state log entry's connection gets drop  

    1. Strict TCP session enabled
    2. Web filtering--> HTTPS traffic-> Decrypt and scan enabled.
    3. Web filtering -> Transparent mode enabled.

    here are some logs

    2014:02:24-12:02:28 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.127" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="124.XX.XX.XX" proto="6" length="178" tos="0x00" prec="0x00" ttl="127" srcport="44677" dstport="20003" tcpflags="ACK PSH" 
    2014:02:24-12:02:28 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.127" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="124.XX.XX.XX" proto="6" length="178" tos="0x00" prec="0x00" ttl="127" srcport="44677" dstport="20003" tcpflags="ACK PSH

    2014:02:24-11:45:48 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.129" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="198.XX.XX.XX" proto="6" length="66" tos="0x00" prec="0x00" ttl="63" srcport="54834" dstport="5223" tcpflags="ACK PSH" 
    2014:02:24-11:45:48 AYALl ulogd[388]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth11.129" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.XX.XX.XX" dstip="198.XX.XX.XX" proto="6" length="136" tos="0x00" prec="0x00" ttl="63" srcport="54834" dstport="5223" tcpflags="ACK PSH FIN"
Children
Unfiltered HTML