Message ID | 20200123094428.3295-2-stefan.schantl@ipfire.org |
---|---|
State | Accepted |
Commit | d6cc871067ef7f6cf69e261a84579b7403ffcee3 |
Headers | From: Stefan Schantl <stefan.schantl@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers. Date: Thu, 23 Jan 2020 10:44:27 +0100 Message-Id: <20200123094428.3295-2-stefan.schantl@ipfire.org> In-Reply-To: <20200123094428.3295-1-stefan.schantl@ipfire.org> References: <20200123094428.3295-1-stefan.schantl@ipfire.org> List-Id: IPFire development talk <development.lists.ipfire.org> |
Series | [1/3] Suricata: Update to 5.0.1 |
Commit Message
Stefan Schantl
Jan. 23, 2020, 9:44 a.m. UTC
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
Comments
Hello, > On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > --- > config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- > 1 file changed, 21 insertions(+), 4 deletions(-) > > diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml > index af9cb75a9..6a1af48fa 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -148,7 +148,9 @@ nfq: > app-layer: > protocols: > krb5: > - enabled: no # Requires rust > + enabled: yes > + snmp: > + enabled: yes > ikev2: > enabled: yes > tls: > @@ -156,6 +158,12 @@ app-layer: > detection-ports: > dp: "[443,444,465,853,993,995]" > > + # Generate JA3 fingerprint from client hello. If not specified it > + # will be disabled by default, but enabled if rules require it. > + #ja3-fingerprints: auto > + # Generate JA3 fingerprint from client hello > + ja3-fingerprints: no > + > # Completely stop processing TLS/SSL session after the handshake > # completed. If bypass is enabled this will also trigger flow > # bypass. If disabled (the default), TLS/SSL session is still > @@ -165,6 +173,8 @@ app-layer: > enabled: yes > ftp: > enabled: yes > + rdp: > + enabled: no Why is RDP disabled? This protocol is highly exploitable and I am sure that all rulesets have plenty of rules for this. Ideally the IPS should never see any RDP traffic going out to the Internet, but let's be honest, people do this. > ssh: > enabled: yes > smtp: > @@ -203,9 +213,10 @@ app-layer: > enabled: yes > detection-ports: > dp: 139, 445 > - # smb2 detection is disabled internally inside the engine. > - #smb2: > - # enabled: yes > + nfs: > + enabled: yes > + tftp: > + enabled: yes > dns: > # memcaps. Globally and per flow/state. > global-memcap: 32mb
> @@ -271,6 +282,12 @@ app-layer: > double-decode-path: no > double-decode-query: no > > + ntp: > + enabled: yes > + dhcp: > + enabled: yes > + sip: > + enabled: yes > > # Limit for the maximum number of asn1 frames to decode (default 256) > asn1-max-frames: 256 > -- > 2.25.0.rc0 >
Hello Michael, thanks for reviewing and reporting the issue with the RDP parser. While importing the configuration details for the new suricata version, I found that various protocol parsers are disabled by default and enabled all of them. I assume I simply forgot to set the value to "yes" for RDP after I removed the comment that the parser is disabled by default. I'll send an extra patch which will do that. Many thanks, -Stefan > Hello, > > > On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl@ipfire.org > > > wrote: > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > --- > > config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- > > 1 file changed, 21 insertions(+), 4 deletions(-) > > > > diff --git a/config/suricata/suricata.yaml > > b/config/suricata/suricata.yaml > > index af9cb75a9..6a1af48fa 100644 > > --- a/config/suricata/suricata.yaml > > +++ b/config/suricata/suricata.yaml > > @@ -148,7 +148,9 @@ nfq: > > app-layer: > > protocols: > > krb5: > > - enabled: no # Requires rust > > + enabled: yes > > + snmp: > > + enabled: yes > > ikev2: > > enabled: yes > > tls: > > @@ -156,6 +158,12 @@ app-layer: > > detection-ports: > > dp: "[443,444,465,853,993,995]" > > > > + # Generate JA3 fingerprint from client hello. If not > > specified it > > + # will be disabled by default, but enabled if rules require > > it. > > + #ja3-fingerprints: auto > > + # Generate JA3 fingerprint from client hello > > + ja3-fingerprints: no > > + > > # Completely stop processing TLS/SSL session after the > > handshake > > # completed. If bypass is enabled this will also trigger flow > > # bypass. If disabled (the default), TLS/SSL session is still
> > @@ -165,6 +173,8 @@ app-layer: > > enabled: yes > > ftp: > > enabled: yes > > + rdp: > > + enabled: no > > Why is RDP disabled? > > This protocol is highly exploitable and I am sure that all rulesets > have plenty of rules for this. > > Ideally the IPS should never see any RDP traffic going out to the > Internet, but let's be honest, people do this. > > > ssh: > > enabled: yes > > smtp: > > @@ -203,9 +213,10 @@ app-layer: > > enabled: yes > > detection-ports: > > dp: 139, 445 > > - # smb2 detection is disabled internally inside the engine. > > - #smb2: > > - # enabled: yes > > + nfs: > > + enabled: yes > > + tftp: > > + enabled: yes > > dns: > > # memcaps. Globally and per flow/state. > > global-memcap: 32mb > > @@ -271,6 +282,12 @@ app-layer: > > double-decode-path: no > > double-decode-query: no > > > > + ntp: > > + enabled: yes > > + dhcp: > > + enabled: yes > > + sip: > > + enabled: yes > > > > # Limit for the maximum number of asn1 frames to decode (default > > 256) > > asn1-max-frames: 256 > > -- > > 2.25.0.rc0 > >
Okay, thx. > On 23 Jan 2020, at 11:22, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Hello Michael, > > thanks for reviewing and reporting the issue with the RDP parser. > > While importing the configuration details for the new suricata > version, I found that various protocol parsers are disabled by default > and enabled all of them. > > I assume I simply forgot to set the value to "yes" for RDP after I > removed the comment that the parser is disabled by default. > > I'll send an extra patch which will do that. > > Many thanks, > > -Stefan >> Hello, >> >>> On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl@ipfire.org >>>> wrote: >>> >>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> >>> --- >>> config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- >>> 1 file changed, 21 insertions(+), 4 deletions(-) >>> >>> diff --git a/config/suricata/suricata.yaml >>> b/config/suricata/suricata.yaml >>> index af9cb75a9..6a1af48fa 100644 >>> --- a/config/suricata/suricata.yaml >>> +++ b/config/suricata/suricata.yaml >>> @@ -148,7 +148,9 @@ nfq: >>> app-layer: >>> protocols: >>> krb5: >>> - enabled: no # Requires rust >>> + enabled: yes >>> + snmp: >>> + enabled: yes >>> ikev2: >>> enabled: yes >>> tls: >>> @@ -156,6 +158,12 @@ app-layer: >>> detection-ports: >>> dp: "[443,444,465,853,993,995]" >>> >>> + # Generate JA3 fingerprint from client hello. If not >>> specified it >>> + # will be disabled by default, but enabled if rules require >>> it. >>> + #ja3-fingerprints: auto >>> + # Generate JA3 fingerprint from client hello >>> + ja3-fingerprints: no >>> + >>> # Completely stop processing TLS/SSL session after the >>> handshake >>> # completed. If bypass is enabled this will also trigger flow >>> # bypass. If disabled (the default), TLS/SSL session is still
>>> @@ -165,6 +173,8 @@ app-layer: >>> enabled: yes >>> ftp: >>> enabled: yes >>> + rdp: >>> + enabled: no >> >> Why is RDP disabled? >> >> This protocol is highly exploitable and I am sure that all rulesets >> have plenty of rules for this. >> >> Ideally the IPS should never see any RDP traffic going out to the >> Internet, but let's be honest, people do this. >> >>> ssh: >>> enabled: yes >>> smtp: >>> @@ -203,9 +213,10 @@ app-layer: >>> enabled: yes >>> detection-ports: >>> dp: 139, 445 >>> - # smb2 detection is disabled internally inside the engine. >>> - #smb2: >>> - # enabled: yes >>> + nfs: >>> + enabled: yes >>> + tftp: >>> + enabled: yes >>> dns: >>> # memcaps. Globally and per flow/state. >>> global-memcap: 32mb >>> @@ -271,6 +282,12 @@ app-layer: >>> double-decode-path: no >>> double-decode-query: no >>> >>> + ntp: >>> + enabled: yes >>> + dhcp: >>> + enabled: yes >>> + sip: >>> + enabled: yes >>> >>> # Limit for the maximum number of asn1 frames to decode (default >>> 256) >>> asn1-max-frames: 256 >>> -- >>> 2.25.0.rc0 >>> >
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index af9cb75a9..6a1af48fa 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -148,7 +148,9 @@ nfq: app-layer: protocols: krb5: - enabled: no # Requires rust + enabled: yes + snmp: + enabled: yes ikev2: enabled: yes tls: @@ -156,6 +158,12 @@ app-layer: detection-ports: dp: "[443,444,465,853,993,995]" + # Generate JA3 fingerprint from client hello. If not specified it + # will be disabled by default, but enabled if rules require it. + #ja3-fingerprints: auto + # Generate JA3 fingerprint from client hello + ja3-fingerprints: no + # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow # bypass. If disabled (the default), TLS/SSL session is still @@ -165,6 +173,8 @@ app-layer: enabled: yes ftp: enabled: yes + rdp: + enabled: no ssh: enabled: yes smtp: @@ -203,9 +213,10 @@ app-layer: enabled: yes detection-ports: dp: 139, 445 - # smb2 detection is disabled internally inside the engine. - #smb2: - # enabled: yes + nfs: + enabled: yes + tftp: + enabled: yes dns: # memcaps. Globally and per flow/state. global-memcap: 32mb @@ -271,6 +282,12 @@ app-layer: double-decode-path: no double-decode-query: no + ntp: + enabled: yes + dhcp: + enabled: yes + sip: + enabled: yes # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
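Review bot: the first hunk (`@@ -148,7 +148,9 @@`) drops the `# Requires rust` marker from `krb5` without recording anywhere that the dependency is now satisfied; the subject line itself calls these "rust-depended" parsers and the series starts with the update to 5.0.1, but the commit body is only a Signed-off-by. Add a sentence to the commit message saying that the 5.0.1 build from patch 1/3 provides the Rust-based parsers, so a reader of the accepted commit knows why the caveat could go and why `snmp` can be switched on in the same step.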
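Review bot: `ja3-fingerprints: no` in the TLS hunk (`@@ -156,6 +158,12 @@`) turns JA3 hashing off unconditionally, while the commented-out `#ja3-fingerprints: auto` directly above it is, per the retained upstream comment, the mode that keeps it off "but enabled if rules require it"; with `no`, rules that match on JA3 fingerprints get no hashes to match against. Unless the intent is to forbid JA3 on the IPS, `ja3-fingerprints: auto` is the setting to ship, and the second `# Generate JA3 fingerprint from client hello` comment duplicates the first and can be dropped.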
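Review bot: `rdp:` / `enabled: no` in the third hunk (`@@ -165,6 +173,8 @@`) contradicts the patch's purpose of enabling the new parsers, and the thread above confirms it is an oversight rather than a decision. Flip it to `enabled: yes` in this patch instead of a follow-up, so the accepted commit `d6cc871067ef7f6cf69e261a84579b7403ffcee3` does not ship with the RDP parser off and rules for that protocol unable to fire.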
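Review bot: the last hunk (`@@ -271,6 +282,12 @@`) enables `ntp`, `dhcp` and `sip` with no explanation, and the author states in the thread that these parsers were disabled by default in the imported 5.0.1 configuration and were all switched on; that reasoning belongs in the commit message, together with the note that each extra app-layer parser adds per-flow state and decoding work on the engine for traffic (DHCP broadcasts in particular) that every LAN will present to the IPS.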