From patchwork Fri Mar 1 01:28:06 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2101
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 01/20] Revert "Suricata: detect DNS events on port 853, too"
Date: Thu, 28 Feb 2019 14:28:06 +0000
Message-Id: <20190228142825.5153-2-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>
Cc: Michael Tremer
List-Id: IPFire development talk

This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.

It does not make any sense to try to decode the TLS connection with the
DNS decoder. Therefore 853 (TCP only) should be added to the TLS decoder.
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4fbd32b85..301a157a3 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,465,993,995]" + dp: "[443,465,853,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow @@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes # memcap: 64mb
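Review bot: the patch is labelled a revert, but the first hunk's `+ dp: "[443,465,853,993,995]"` under the tls detection-ports is a new change, not part of restoring the state before ad99f959e2b83dd9f1275c1d385140271c8926ae. The commit message does say 853 should move to the TLS decoder, so either state explicitly that this revert also carries that addition, or split the TLS port change into its own commit so the revert stays a pure revert and can be bisected or backed out on its own.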
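Review bot: the second hunk drops 853 from both the tcp and udp dns detection-ports (`- dp: "[53,853]"` becomes `+ dp: 53`), which agrees with the message's point that 853 is TCP only and never belonged in the udp list, but the two hunks depend on each other: applied alone, this hunk removes 853/tcp from DNS detection without it being picked up by TLS detection. Mention that coupling in the commit message. The bare `dp: 53` form is fine for a single port, though it differs from the quoted list form used for tls above; a quoted list would keep the style uniform across the file.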