From patchwork Sun Mar 3 04:18:37 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2122
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH v2 1/3] Revert "Suricata: detect DNS events on port 853, too"
Date: Sat, 2 Mar 2019 17:18:37 +0000
Message-Id: <20190302171839.16341-1-michael.tremer@ipfire.org>
Cc: Michael Tremer
List-Id: IPFire development talk

This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.

It does not make any sense to try to decode the TLS connection with the DNS decoder. Therefore, 853 (TCP only) should be added to the TLS decoder.

Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index d3ebbcfe4..767f84074 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,444,465,993,995]" + dp: "[443,444,465,853,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow @@ -204,11 +204,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes # memcap: 64mb
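Review bot: the first hunk (tls detection-ports, `- dp: "[443,444,465,993,995]"` to `+ dp: "[443,444,465,853,993,995]"`) cannot be part of a revert of ad99f959e2b83dd9f1275c1d385140271c8926ae: that commit, per its subject and per the dns hunk below, added 853 to the DNS detection ports, so reverting it can only remove 853, never add it to the TLS list. The commit message also describes the TLS-side change as a future step ("should be added to the TLS decoder") while this hunk already makes it. Either drop the tls hunk from this patch and carry it in its own commit (the series is 1/3, so the slot is there) with a message of its own, or retitle this patch and reword the message to say it moves 853/tcp from the DNS to the TLS detection ports.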
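Review bot: the second hunk drops 853 from both the tcp and the udp dns detection-ports, but the message only justifies the TCP side ("853 (TCP only) ... added to the TLS decoder"). State explicitly that dns events on port 853 disappear with this revert (that was the whole point of the reverted commit, per its subject) and that 853/udp is intentionally left with no detection port after the series, so the behaviour change is documented for anyone reading dns logs. Restoring the bare scalar `dp: 53` in place of the quoted list `"[53,853]"` is fine for a revert as long as that is the exact form the reverted commit replaced; if it is not, keep the list form used in the tls block for consistency.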