From patchwork Fri Mar 1 01:28:09 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2104
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 04/20] suricata: Set detection profile to high
Date: Thu, 28 Feb 2019 14:28:09 +0000
Message-Id: <20190228142825.5153-5-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.12.2
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>
Cc: Michael Tremer
List-Id: IPFire development talk

This will merge rules more aggressively so that the engine is only processing those that can actually match.

Memory is cheap. People with little memory should not run suricata anyways.

Signed-off-by: Michael Tremer
---
config/suricata/suricata.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index dc1163820..10dbdc99b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -745,7 +745,7 @@ decoder: # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect: - profile: medium + profile: high custom-values: toclient-groups: 3 toserver-groups: 25
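Review bot: The `custom-values:` block left in place directly under the changed line (`toclient-groups: 3`, `toserver-groups: 25`) is only consulted by Suricata when `profile` is set to `custom`, so with `profile: high` those two keys are inert; either drop them from this hunk or add a YAML comment above them stating that they take effect only with `profile: custom`, so that nobody later assumes they tune the `high` profile. Separately, the commit message justifies the switch from `medium` to `high` with "Memory is cheap" but gives no figure: since this profile controls how many signature groups the detect engine builds and therefore its resident memory, and the message itself concedes that some users run with little memory, recording the measured memory difference between the two profiles on a representative IPFire installation in the commit message would let reviewers and packagers judge the trade-off.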