From patchwork Fri Mar 1 01:28:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2108 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 94DE188B0B9 for ; Thu, 28 Feb 2019 14:29:22 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLB0YQcz5JKXV; Thu, 28 Feb 2019 14:29:22 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364162; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=Z4DWzM4kkledxJwL4KOdcvF85ROVOA+Ium3L2u92fzs=; b=0ST6QrJ2+FmEJnwh3bUuX116UTqhMd0MF6TLlwCeKoqDVecK8pZ7x4r7UkfwZqHr1gl9u6 jsXejZSMLt1UERDA6O5pyuBalFSWerik/qGpBfa4hVJxAhrXGDSitPhe1B5ohzNeSZD5Cn BkN8M9qyeqtcPPWU9gV8PSGA/B0vlR/wXtVy4mPapm/blgyB/zAeVi79mPtS2be0fnupHx f7Nje45OCOIsGXVc8ZcTDXdFYT1Nd91bvWO+hRnXf0ebtmdHaUS0GGj2lrRaEu37MtLvKY cdw3uGckfrP4LNsKTmogZ1LOY7vWupOepeTDbNzewfFMQsNKA8MxICuQ6CvG6w== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKQ5Jbtz5KvHW; Thu, 28 Feb 2019 14:28:42 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364123; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references; bh=Z4DWzM4kkledxJwL4KOdcvF85ROVOA+Ium3L2u92fzs=; b=A+vsC+ESqRxMTiPD2S95Dr1+/+J7liSnwkS1SO+aEGkwXFmT3mW/K0F1U3cd9cO17R5Fx8 pM7xoQZqfq+S2ymY5zOBR2qpSqXD1FQ1HH9gEcu32xVhBczNQJ/riICKET6YnQmEH4KoH6 Y2qDUh3g1luERwBQScM7RO9CYK/mADjwyTo1YHGAFO4KeqBSneIOfF82m7ntNTM9Q+0Cwb hAHWt7yrNPlD4moS/Mqx9qONhXuksNTQqDG/jDuQecJR0uYoScDeWYazmyPvv0gbGpnYMs YFPIVk8GSgFOrsyrUgLhmf3wgjPAFoYLHpBsc4niV+LCf2ceH1mY0ExjHrgyEg== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 08/20] suricata: Configure HTTP decoder Date: Thu, 28 Feb 2019 14:28:13 +0000 Message-Id: <20190228142825.5153-9-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.12.2 In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org> Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=ms smtp.mailfrom=michael.tremer@ipfire.org X-Spamd-Result: default: False [-8.83 / 11.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; REPLY(-4.00)[]; DKIM_SIGNED(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-2.73)[-0.911,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:31655, ipnet:88.215.0.0/18, country:GB]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Spam-Status: No, score=-8.83 X-Rspamd-Server: mail01.i.ipfire.org Cc: Michael Tremer X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This will now scan all request and response bodies where possible and use up to 256MB of RAM Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 66 ++++--------------------------------------- 1 file changed, 5 insertions(+), 61 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4f3ac5744..b09d5906d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -211,7 +211,7 @@ app-layer: dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb # default-config: Used when no server-config matches # personality: List of personalities used by default @@ -225,32 +225,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 @@ -260,14 +234,8 @@ app-layer: # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0 # response body decompression (0 disables) response-body-decompress-layer-limit: 2 @@ -278,41 +246,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field # Only Modbus message length (greater than Modbus header length) # And Protocol ID (equal to 0) are checked in probing parser