| Message ID | 20190228142825.5153-1-michael.tremer@ipfire.org |
|---|---|
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 83BE788B0B9 for <patchwork@web07.i.ipfire.org>; Thu, 28 Feb 2019 14:28:41 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FKN2yBxz5KvHC; Thu, 28 Feb 2019 14:28:40 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364120; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references:list-id: list-unsubscribe:list-subscribe:list-post; bh=WDfP3sE86GsPiGwqI3qC9BUN7ycXwy1F422WJvEOUq4=; b=z6yAuQEkf2LmhIQYg+Q82Ku0Swv15pBx0LWCttFIOEZzYWb2+g3BLu3Cg1ljyoHz0U8mDA JbhYIDGNEbxFr60BdO0LwONk4nDEE7inEgVzwv7SB0iKy5bWSmRAnpls97oQ0lmDIRR6Ja ZzsZjp9bWJrFQvYkvjczgizQDaFfHYnVfqzbR3XMO/j+qZibFGTGFn5T8eNwHeVv3qcQ7r Nes0whVSvK8xc3sEZPvEPlLGSrKzxWnFB9TrFcIikd5Lvfa+Wreo620j/l06NkcrTs5EOm 1o97FGJiVNGdDDRx1I4SF4NrVvaNF3Iw7iLI8mUeKoBs9GCsmCN7pWhUJUZpJA== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKJ5pn1z5KvGj; Thu, 28 Feb 2019 14:28:36 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364117; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=WDfP3sE86GsPiGwqI3qC9BUN7ycXwy1F422WJvEOUq4=; b=saJmHte7FpaILRDkhlKanQF9QvInXWRRNJZw01bSFZEdZ2O3KOqM3SXWQeZRU2YHwq6i1k F6WHLUnfIRyNUCvZe1MNSSPg9sdorWCPiNwVryoiI/K1NANbxm0oKdHMV0UQekpsQJlVXT W3mJqJrJaK3H5UKRnYi4w28N04qiFB1AQHUxipLydxIDWNeVOtjJzaYeUc8pX23n6MAZ2S XdcsXMfIp5AZe4VoDmKmatYrN5Kc6tIQuc/P042k6RnhW6DEWKwabuAt+xh9dtg6Ym44sQ XG715F8T5r9unwxbKbpmpMnaQzMaBuZG2ABYyYOutJmQGMo6+tJXctEypK9ZTg== From: Michael Tremer <michael.tremer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 00/20] Suricata Configuration Updates Date: Thu, 28 Feb 2019 14:28:05 +0000 Message-Id: <20190228142825.5153-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.12.2 Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=ms smtp.mailfrom=michael.tremer@ipfire.org X-Spamd-Result: default: False [-4.44 / 11.00]; TO_DN_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:31655, ipnet:88.215.0.0/18, country:GB]; BAYES_HAM(-3.00)[100.00%]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DKIM_SIGNED(0.00)[]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-2.34)[-0.781,0]; RCVD_TLS_ALL(0.00)[] X-Spam-Status: No, score=-4.44 X-Rspamd-Server: mail01.i.ipfire.org Cc: Michael Tremer <michael.tremer@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
Suricata Configuration Updates
|
|
Message
Michael Tremer
March 1, 2019, 1:28 a.m. UTC
I have worked on suricata's configuration. My objective was to use more system resources (because suricata did not use much RAM, etc.) to make it faster and to be able to have some deeper decoding and matching. Please review these changes and let me know what you think. All in all, suricata should not use more than 1G of RAM which I think is a very good amount. If your system is weaker than that, there is no point in running an IPS. On my system in my office, this runs with a hand full of rules enabled from the Emerging Threats Community set at around 110MB of RAM. Michael Tremer (20): Revert "Suricata: detect DNS events on port 853, too" suricata: Set max-pending-packets to 1024 suricata: Set default packet size to 1514 suricata: Set detection profile to high suricata: Drop profiling section from configuration suricata: Drop some commented stuff from configuration suricata: Drop sections that require Rust suricata: Configure HTTP decoder suricata: Allow 32MB of RAM for DNS decoding suricata: Drop parsers I have never heard of suricata: We do not use any IP reputation lists suricata: Log to syslog suricata: Use the correct path for the magic database suricata: Use 64MB of RAM for defragmentation suricata: Use up to 256MB of RAM for the flow cache suricata: Log to syslog like a normal process suricata: Increase memory size for the stream engine suricata: Disable decoding for Teredo suricata: Start capture first and then load rules suricata: Fix syntax error config/etc/syslog.conf | 2 +- config/suricata/suricata.yaml | 282 +++++------------------------------------- 2 files changed, 30 insertions(+), 254 deletions(-)
Comments
Hello Michael, thanks for working on optimizing the suricata configuration file. I've merged all of the patches except number "8" and "10" which does not apply with "git am". When simple adding the changes with "patch" the changes can be applied - any idea why this happened? Thanks in advance, -Stefan > I have worked on suricata's configuration. > > My objective was to use more system resources (because suricata did > not use much RAM, etc.) > to make it faster and to be able to have some deeper decoding and > matching. > > Please review these changes and let me know what you think. > > All in all, suricata should not use more than 1G of RAM which I think > is a very good > amount. If your system is weaker than that, there is no point in > running an IPS. > > On my system in my office, this runs with a hand full of rules > enabled from the > Emerging Threats Community set at around 110MB of RAM. > > Michael Tremer (20): > Revert "Suricata: detect DNS events on port 853, too" > suricata: Set max-pending-packets to 1024 > suricata: Set default packet size to 1514 > suricata: Set detection profile to high > suricata: Drop profiling section from configuration > suricata: Drop some commented stuff from configuration > suricata: Drop sections that require Rust > suricata: Configure HTTP decoder > suricata: Allow 32MB of RAM for DNS decoding > suricata: Drop parsers I have never heard of > suricata: We do not use any IP reputation lists > suricata: Log to syslog > suricata: Use the correct path for the magic database > suricata: Use 64MB of RAM for defragmentation > suricata: Use up to 256MB of RAM for the flow cache > suricata: Log to syslog like a normal process > suricata: Increase memory size for the stream engine > suricata: Disable decoding for Teredo > suricata: Start capture first and then load rules > suricata: Fix syntax error > > config/etc/syslog.conf | 2 +- > config/suricata/suricata.yaml | 282 +++++--------------------------- > ---------- > 2 files changed, 30 insertions(+), 254 deletions(-) >
Hi, Did you apply all of them in order? It is not very helpful to only merge half the patchset. Did you use pwclient? -Michael > On 1 Mar 2019, at 17:09, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Hello Michael, > > thanks for working on optimizing the suricata configuration file. > > I've merged all of the patches except number "8" and "10" which does > not apply with "git am". > > When simple adding the changes with "patch" the changes can be applied > - any idea why this happened? > > Thanks in advance, > > -Stefan >> I have worked on suricata's configuration. >> >> My objective was to use more system resources (because suricata did >> not use much RAM, etc.) >> to make it faster and to be able to have some deeper decoding and >> matching. >> >> Please review these changes and let me know what you think. >> >> All in all, suricata should not use more than 1G of RAM which I think >> is a very good >> amount. If your system is weaker than that, there is no point in >> running an IPS. >> >> On my system in my office, this runs with a hand full of rules >> enabled from the >> Emerging Threats Community set at around 110MB of RAM. >> >> Michael Tremer (20): >> Revert "Suricata: detect DNS events on port 853, too" >> suricata: Set max-pending-packets to 1024 >> suricata: Set default packet size to 1514 >> suricata: Set detection profile to high >> suricata: Drop profiling section from configuration >> suricata: Drop some commented stuff from configuration >> suricata: Drop sections that require Rust >> suricata: Configure HTTP decoder >> suricata: Allow 32MB of RAM for DNS decoding >> suricata: Drop parsers I have never heard of >> suricata: We do not use any IP reputation lists >> suricata: Log to syslog >> suricata: Use the correct path for the magic database >> suricata: Use 64MB of RAM for defragmentation >> suricata: Use up to 256MB of RAM for the flow cache >> suricata: Log to syslog like a normal process >> suricata: Increase memory size for the stream engine >> suricata: Disable decoding for Teredo >> suricata: Start capture first and then load rules >> suricata: Fix syntax error >> >> config/etc/syslog.conf | 2 +- >> config/suricata/suricata.yaml | 282 +++++--------------------------- >> ---------- >> 2 files changed, 30 insertions(+), 254 deletions(-) >>
> Hi, > > Did you apply all of them in order? > Yes, I did. The reported two patches did not apply. However, the changes on the second patch depends on modifications of the first one, but why does the first one does not apply by using "git am" ? > It is not very helpful to only merge half the patchset. > > Did you use pwclient? > > -Michael > > > On 1 Mar 2019, at 17:09, Stefan Schantl <stefan.schantl@ipfire.org> > > wrote: > > > > Hello Michael, > > > > thanks for working on optimizing the suricata configuration file. > > > > I've merged all of the patches except number "8" and "10" which > > does > > not apply with "git am". > > > > When simple adding the changes with "patch" the changes can be > > applied > > - any idea why this happened? > > > > Thanks in advance, > > > > -Stefan > > > I have worked on suricata's configuration. > > > > > > My objective was to use more system resources (because suricata > > > did > > > not use much RAM, etc.) > > > to make it faster and to be able to have some deeper decoding and > > > matching. > > > > > > Please review these changes and let me know what you think. > > > > > > All in all, suricata should not use more than 1G of RAM which I > > > think > > > is a very good > > > amount. If your system is weaker than that, there is no point in > > > running an IPS. > > > > > > On my system in my office, this runs with a hand full of rules > > > enabled from the > > > Emerging Threats Community set at around 110MB of RAM. > > > > > > Michael Tremer (20): > > > Revert "Suricata: detect DNS events on port 853, too" > > > suricata: Set max-pending-packets to 1024 > > > suricata: Set default packet size to 1514 > > > suricata: Set detection profile to high > > > suricata: Drop profiling section from configuration > > > suricata: Drop some commented stuff from configuration > > > suricata: Drop sections that require Rust > > > suricata: Configure HTTP decoder > > > suricata: Allow 32MB of RAM for DNS decoding > > > suricata: Drop parsers I have never heard of > > > suricata: We do not use any IP reputation lists > > > suricata: Log to syslog > > > suricata: Use the correct path for the magic database > > > suricata: Use 64MB of RAM for defragmentation > > > suricata: Use up to 256MB of RAM for the flow cache > > > suricata: Log to syslog like a normal process > > > suricata: Increase memory size for the stream engine > > > suricata: Disable decoding for Teredo > > > suricata: Start capture first and then load rules > > > suricata: Fix syntax error > > > > > > config/etc/syslog.conf | 2 +- > > > config/suricata/suricata.yaml | 282 +++++---------------------- > > > ----- > > > ---------- > > > 2 files changed, 30 insertions(+), 254 deletions(-) > > >
Why are you asking me that? What does “git am” tell you? There should be a reason why it didn’t work. Probably there have been other changes in the section? -Michael > On 1 Mar 2019, at 19:01, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > >> Hi, >> >> Did you apply all of them in order? >> > > Yes, I did. > > The reported two patches did not apply. > > However, the changes on the second patch depends on modifications of > the first one, but why does the first one does not apply by using "git > am" ? > >> It is not very helpful to only merge half the patchset. >> >> Did you use pwclient? >> >> -Michael >> >>> On 1 Mar 2019, at 17:09, Stefan Schantl <stefan.schantl@ipfire.org> >>> wrote: >>> >>> Hello Michael, >>> >>> thanks for working on optimizing the suricata configuration file. >>> >>> I've merged all of the patches except number "8" and "10" which >>> does >>> not apply with "git am". >>> >>> When simple adding the changes with "patch" the changes can be >>> applied >>> - any idea why this happened? >>> >>> Thanks in advance, >>> >>> -Stefan >>>> I have worked on suricata's configuration. >>>> >>>> My objective was to use more system resources (because suricata >>>> did >>>> not use much RAM, etc.) >>>> to make it faster and to be able to have some deeper decoding and >>>> matching. >>>> >>>> Please review these changes and let me know what you think. >>>> >>>> All in all, suricata should not use more than 1G of RAM which I >>>> think >>>> is a very good >>>> amount. If your system is weaker than that, there is no point in >>>> running an IPS. >>>> >>>> On my system in my office, this runs with a hand full of rules >>>> enabled from the >>>> Emerging Threats Community set at around 110MB of RAM. >>>> >>>> Michael Tremer (20): >>>> Revert "Suricata: detect DNS events on port 853, too" >>>> suricata: Set max-pending-packets to 1024 >>>> suricata: Set default packet size to 1514 >>>> suricata: Set detection profile to high >>>> suricata: Drop profiling section from configuration >>>> suricata: Drop some commented stuff from configuration >>>> suricata: Drop sections that require Rust >>>> suricata: Configure HTTP decoder >>>> suricata: Allow 32MB of RAM for DNS decoding >>>> suricata: Drop parsers I have never heard of >>>> suricata: We do not use any IP reputation lists >>>> suricata: Log to syslog >>>> suricata: Use the correct path for the magic database >>>> suricata: Use 64MB of RAM for defragmentation >>>> suricata: Use up to 256MB of RAM for the flow cache >>>> suricata: Log to syslog like a normal process >>>> suricata: Increase memory size for the stream engine >>>> suricata: Disable decoding for Teredo >>>> suricata: Start capture first and then load rules >>>> suricata: Fix syntax error >>>> >>>> config/etc/syslog.conf | 2 +- >>>> config/suricata/suricata.yaml | 282 +++++---------------------- >>>> ----- >>>> ---------- >>>> 2 files changed, 30 insertions(+), 254 deletions(-) >>>>
Hi, I rebased the whole branch and sent a second patchset with the three remaining patches only. Hope that helps and merges. -Michael > On 2 Mar 2019, at 16:52, Michael Tremer <michael.tremer@ipfire.org> wrote: > > Why are you asking me that? > > What does “git am” tell you? There should be a reason why it didn’t work. > > Probably there have been other changes in the section? > > -Michael > >> On 1 Mar 2019, at 19:01, Stefan Schantl <stefan.schantl@ipfire.org> wrote: >> >>> Hi, >>> >>> Did you apply all of them in order? >>> >> >> Yes, I did. >> >> The reported two patches did not apply. >> >> However, the changes on the second patch depends on modifications of >> the first one, but why does the first one does not apply by using "git >> am" ? >> >>> It is not very helpful to only merge half the patchset. >>> >>> Did you use pwclient? >>> >>> -Michael >>> >>>> On 1 Mar 2019, at 17:09, Stefan Schantl <stefan.schantl@ipfire.org> >>>> wrote: >>>> >>>> Hello Michael, >>>> >>>> thanks for working on optimizing the suricata configuration file. >>>> >>>> I've merged all of the patches except number "8" and "10" which >>>> does >>>> not apply with "git am". >>>> >>>> When simple adding the changes with "patch" the changes can be >>>> applied >>>> - any idea why this happened? >>>> >>>> Thanks in advance, >>>> >>>> -Stefan >>>>> I have worked on suricata's configuration. >>>>> >>>>> My objective was to use more system resources (because suricata >>>>> did >>>>> not use much RAM, etc.) >>>>> to make it faster and to be able to have some deeper decoding and >>>>> matching. >>>>> >>>>> Please review these changes and let me know what you think. >>>>> >>>>> All in all, suricata should not use more than 1G of RAM which I >>>>> think >>>>> is a very good >>>>> amount. If your system is weaker than that, there is no point in >>>>> running an IPS. >>>>> >>>>> On my system in my office, this runs with a hand full of rules >>>>> enabled from the >>>>> Emerging Threats Community set at around 110MB of RAM. >>>>> >>>>> Michael Tremer (20): >>>>> Revert "Suricata: detect DNS events on port 853, too" >>>>> suricata: Set max-pending-packets to 1024 >>>>> suricata: Set default packet size to 1514 >>>>> suricata: Set detection profile to high >>>>> suricata: Drop profiling section from configuration >>>>> suricata: Drop some commented stuff from configuration >>>>> suricata: Drop sections that require Rust >>>>> suricata: Configure HTTP decoder >>>>> suricata: Allow 32MB of RAM for DNS decoding >>>>> suricata: Drop parsers I have never heard of >>>>> suricata: We do not use any IP reputation lists >>>>> suricata: Log to syslog >>>>> suricata: Use the correct path for the magic database >>>>> suricata: Use 64MB of RAM for defragmentation >>>>> suricata: Use up to 256MB of RAM for the flow cache >>>>> suricata: Log to syslog like a normal process >>>>> suricata: Increase memory size for the stream engine >>>>> suricata: Disable decoding for Teredo >>>>> suricata: Start capture first and then load rules >>>>> suricata: Fix syntax error >>>>> >>>>> config/etc/syslog.conf | 2 +- >>>>> config/suricata/suricata.yaml | 282 +++++---------------------- >>>>> ----- >>>>> ---------- >>>>> 2 files changed, 30 insertions(+), 254 deletions(-) >>>>> >
Hello Michael, thanks for rebasing and resubmitting your patches. This time everything worked well - merged. Best regards, -Stefan > Hi, > > I rebased the whole branch and sent a second patchset with the three > remaining patches only. > > Hope that helps and merges. > > -Michael > > > On 2 Mar 2019, at 16:52, Michael Tremer <michael.tremer@ipfire.org> > > wrote: > > > > Why are you asking me that? > > > > What does “git am” tell you? There should be a reason why it didn’t > > work. > > > > Probably there have been other changes in the section? > > > > -Michael > > > > > On 1 Mar 2019, at 19:01, Stefan Schantl < > > > stefan.schantl@ipfire.org> wrote: > > > > > > > Hi, > > > > > > > > Did you apply all of them in order? > > > > > > > > > > Yes, I did. > > > > > > The reported two patches did not apply. > > > > > > However, the changes on the second patch depends on modifications > > > of > > > the first one, but why does the first one does not apply by using > > > "git > > > am" ? > > > > > > > It is not very helpful to only merge half the patchset. > > > > > > > > Did you use pwclient? > > > > > > > > -Michael > > > > > > > > > On 1 Mar 2019, at 17:09, Stefan Schantl < > > > > > stefan.schantl@ipfire.org> > > > > > wrote: > > > > > > > > > > Hello Michael, > > > > > > > > > > thanks for working on optimizing the suricata configuration > > > > > file. > > > > > > > > > > I've merged all of the patches except number "8" and "10" > > > > > which > > > > > does > > > > > not apply with "git am". > > > > > > > > > > When simple adding the changes with "patch" the changes can > > > > > be > > > > > applied > > > > > - any idea why this happened? > > > > > > > > > > Thanks in advance, > > > > > > > > > > -Stefan > > > > > > I have worked on suricata's configuration. > > > > > > > > > > > > My objective was to use more system resources (because > > > > > > suricata > > > > > > did > > > > > > not use much RAM, etc.) > > > > > > to make it faster and to be able to have some deeper > > > > > > decoding and > > > > > > matching. > > > > > > > > > > > > Please review these changes and let me know what you think. > > > > > > > > > > > > All in all, suricata should not use more than 1G of RAM > > > > > > which I > > > > > > think > > > > > > is a very good > > > > > > amount. If your system is weaker than that, there is no > > > > > > point in > > > > > > running an IPS. > > > > > > > > > > > > On my system in my office, this runs with a hand full of > > > > > > rules > > > > > > enabled from the > > > > > > Emerging Threats Community set at around 110MB of RAM. > > > > > > > > > > > > Michael Tremer (20): > > > > > > Revert "Suricata: detect DNS events on port 853, too" > > > > > > suricata: Set max-pending-packets to 1024 > > > > > > suricata: Set default packet size to 1514 > > > > > > suricata: Set detection profile to high > > > > > > suricata: Drop profiling section from configuration > > > > > > suricata: Drop some commented stuff from configuration > > > > > > suricata: Drop sections that require Rust > > > > > > suricata: Configure HTTP decoder > > > > > > suricata: Allow 32MB of RAM for DNS decoding > > > > > > suricata: Drop parsers I have never heard of > > > > > > suricata: We do not use any IP reputation lists > > > > > > suricata: Log to syslog > > > > > > suricata: Use the correct path for the magic database > > > > > > suricata: Use 64MB of RAM for defragmentation > > > > > > suricata: Use up to 256MB of RAM for the flow cache > > > > > > suricata: Log to syslog like a normal process > > > > > > suricata: Increase memory size for the stream engine > > > > > > suricata: Disable decoding for Teredo > > > > > > suricata: Start capture first and then load rules > > > > > > suricata: Fix syntax error > > > > > > > > > > > > config/etc/syslog.conf | 2 +- > > > > > > config/suricata/suricata.yaml | 282 +++++---------------- > > > > > > ------ > > > > > > ----- > > > > > > ---------- > > > > > > 2 files changed, 30 insertions(+), 254 deletions(-) > > > > > >