[4/9] suricata: Enable bypassing unhandled streams

Message ID 20211018101022.15448-4-michael.tremer@ipfire.org
State Accepted
Commit 9deccd1cbab7e446a362b6410fb88b36b655a7cd
Series [1/9] suricata: Set most significant bit as repeat marker

Commit Message

Michael Tremer Oct. 18, 2021, 10:10 a.m. UTC
If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/suricata/suricata.yaml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

Comments

Stefan Schantl Oct. 19, 2021, 4:03 a.m. UTC | #1
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> If a stream cannot be identified or if suricata has decided that it
> cannot do anything useful any more (e.g. TLS sessions after the
> handshake), we will allow suricata to bypass any following packets in
> that flow
> 
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  config/suricata/suricata.yaml | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index f02b93d76..6f37671c8 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -389,11 +389,19 @@ app-layer:
>        # will be disabled by default, but enabled if rules require
> it.
>        ja3-fingerprints: auto
>  
> -      # Completely stop processing TLS/SSL session after the
> handshake
> -      # completed. If bypass is enabled this will also trigger flow
> -      # bypass. If disabled (the default), TLS/SSL session is still
> -      # tracked for Heartbleed and other anomalies.
> -      #no-reassemble: yes
> +      # What to do when the encrypted communications start:
> +      # - default: keep tracking TLS session, check for protocol
> anomalies,
> +      #            inspect tls_* keywords. Disables inspection of
> unmodified
> +      #            'content' signatures.
> +      # - bypass:  stop processing this flow as much as possible. No
> further
> +      #            TLS parsing and inspection. Offload flow bypass
> to kernel
> +      #            or hardware if possible.
> +      # - full:    keep tracking and inspection as normal.
> Unmodified content
> +      #            keyword signatures are inspected as well.
> +      #
> +      # For best performance, select 'bypass'.
> +      #
> +      encryption-handling: bypass
>      dcerpc:
>        enabled: yes
>      ftp:
> @@ -810,6 +818,7 @@ stream:
>    prealloc-sessions: 4096
>    checksum-validation: yes      # reject wrong csums
>    inline: auto                  # auto will use inline mode in IPS
> mode, yes or no set it statically
> +  bypass: yes                   # Bypass packets when
> stream.reassembly.depth is reached.
>    reassembly:
>      memcap: 256mb
>      depth: 1mb                  # reassemble 1mb into a stream

Patch

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index f02b93d76..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -389,11 +389,19 @@  app-layer:
       # will be disabled by default, but enabled if rules require it.
       ja3-fingerprints: auto
 
-      # Completely stop processing TLS/SSL session after the handshake
-      # completed. If bypass is enabled this will also trigger flow
-      # bypass. If disabled (the default), TLS/SSL session is still
-      # tracked for Heartbleed and other anomalies.
-      #no-reassemble: yes
+      # What to do when the encrypted communications start:
+      # - default: keep tracking TLS session, check for protocol anomalies,
+      #            inspect tls_* keywords. Disables inspection of unmodified
+      #            'content' signatures.
+      # - bypass:  stop processing this flow as much as possible. No further
+      #            TLS parsing and inspection. Offload flow bypass to kernel
+      #            or hardware if possible.
+      # - full:    keep tracking and inspection as normal. Unmodified content
+      #            keyword signatures are inspected as well.
+      #
+      # For best performance, select 'bypass'.
+      #
+      encryption-handling: bypass
     dcerpc:
       enabled: yes
     ftp:
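Review bot: the visibility trade-off behind `encryption-handling: bypass` should be stated in the commit message, because the comment block this hunk removes spelled it out ("If disabled (the default), TLS/SSL session is still tracked for Heartbleed and other anomalies") while the replacement only says "For best performance, select 'bypass'". Once encrypted communications start, no further TLS parsing, anomaly checks or 'content' signatures run on that flow, and the new comment hedges with "Offload flow bypass to kernel or hardware if possible", so it is worth saying which capture method IPFire runs Suricata with and whether it supports that offload; without it the flow is only skipped inside Suricata. It would also help readers to note that everything up to the start of encrypted traffic (the handshake, hence the `ja3-fingerprints: auto` setting just above) is still inspected, so TLS visibility is reduced rather than lost.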
@@ -810,6 +818,7 @@  stream:
   prealloc-sessions: 4096
   checksum-validation: yes      # reject wrong csums
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
+  bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
   reassembly:
     memcap: 256mb
     depth: 1mb                  # reassemble 1mb into a stream
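Review bot: `bypass: yes` is tied, per its own comment, to `depth: 1mb` two lines below, so every flow that carries more than 1mb of reassembled data is dropped from inspection for the rest of its lifetime, not only the unidentified or post-handshake TLS flows the commit message describes; with `inline: auto` selecting IPS mode, packets of a bypassed flow also no longer hit drop rules. The commit message additionally says streams that "cannot be identified" are bypassed, but the only trigger visible in this diff is the reassembly depth, so either name the setting that bypasses on failed protocol detection or narrow the commit message. Suggest also confirming that 1mb is still the intended cut-off now that reaching it has a stronger effect, and saying so on the line itself, e.g. `depth: 1mb                  # reassemble 1mb into a stream; flow is bypassed beyond this`.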