[4/9] suricata: Enable bypassing unhandled streams
Commit Message
If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
config/suricata/suricata.yaml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
Comments
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> If a stream cannot be identified or if suricata has decided that it
> cannot do anything useful any more (e.g. TLS sessions after the
> handshake), we will allow suricata to bypass any following packets in
> that flow
>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
> config/suricata/suricata.yaml | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index f02b93d76..6f37671c8 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -389,11 +389,19 @@ app-layer:
> # will be disabled by default, but enabled if rules require
> it.
> ja3-fingerprints: auto
>
> - # Completely stop processing TLS/SSL session after the
> handshake
> - # completed. If bypass is enabled this will also trigger flow
> - # bypass. If disabled (the default), TLS/SSL session is still
> - # tracked for Heartbleed and other anomalies.
> - #no-reassemble: yes
> + # What to do when the encrypted communications start:
> + # - default: keep tracking TLS session, check for protocol
> anomalies,
> + # inspect tls_* keywords. Disables inspection of
> unmodified
> + # 'content' signatures.
> + # - bypass: stop processing this flow as much as possible. No
> further
> + # TLS parsing and inspection. Offload flow bypass
> to kernel
> + # or hardware if possible.
> + # - full: keep tracking and inspection as normal.
> Unmodified content
> + # keyword signatures are inspected as well.
> + #
> + # For best performance, select 'bypass'.
> + #
> + encryption-handling: bypass
> dcerpc:
> enabled: yes
> ftp:
> @@ -810,6 +818,7 @@ stream:
> prealloc-sessions: 4096
> checksum-validation: yes # reject wrong csums
> inline: auto # auto will use inline mode in IPS
> mode, yes or no set it statically
> + bypass: yes # Bypass packets when
> stream.reassembly.depth is reached.
> reassembly:
> memcap: 256mb
> depth: 1mb # reassemble 1mb into a stream
@@ -389,11 +389,19 @@ app-layer:
# will be disabled by default, but enabled if rules require it.
ja3-fingerprints: auto
- # Completely stop processing TLS/SSL session after the handshake
- # completed. If bypass is enabled this will also trigger flow
- # bypass. If disabled (the default), TLS/SSL session is still
- # tracked for Heartbleed and other anomalies.
- #no-reassemble: yes
+ # What to do when the encrypted communications start:
+ # - default: keep tracking TLS session, check for protocol anomalies,
+ # inspect tls_* keywords. Disables inspection of unmodified
+ # 'content' signatures.
+ # - bypass: stop processing this flow as much as possible. No further
+ # TLS parsing and inspection. Offload flow bypass to kernel
+ # or hardware if possible.
+ # - full: keep tracking and inspection as normal. Unmodified content
+ # keyword signatures are inspected as well.
+ #
+ # For best performance, select 'bypass'.
+ #
+ encryption-handling: bypass
dcerpc:
enabled: yes
ftp:
@@ -810,6 +818,7 @@ stream:
prealloc-sessions: 4096
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
+ bypass: yes # Bypass packets when stream.reassembly.depth is reached.
reassembly:
memcap: 256mb
depth: 1mb # reassemble 1mb into a stream