From patchwork Mon Oct 18 10:10:17 2021
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 4792
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 4/9] suricata: Enable bypassing unhandled streams
Date: Mon, 18 Oct 2021 10:10:17 +0000
Message-Id: <20211018101022.15448-4-michael.tremer@ipfire.org>
In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org>
References: <20211018101022.15448-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

If a stream cannot be identified or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow
Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- config/suricata/suricata.yaml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index f02b93d76..6f37671c8 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -389,11 +389,19 @@ app-layer: # will be disabled by default, but enabled if rules require it. ja3-fingerprints: auto - # Completely stop processing TLS/SSL session after the handshake - # completed. If bypass is enabled this will also trigger flow - # bypass. If disabled (the default), TLS/SSL session is still - # tracked for Heartbleed and other anomalies. - #no-reassemble: yes + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + encryption-handling: bypass dcerpc: enabled: yes ftp: @@ -810,6 +818,7 @@ stream: prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: memcap: 256mb depth: 1mb # reassemble 1mb into a stream
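Review bot: the commit message should spell out the detection trade-off of `encryption-handling: bypass` in the first hunk. The comment being removed says the previous default kept tracking the TLS/SSL session "for Heartbleed and other anomalies", and the new comment says `bypass` means "No further TLS parsing and inspection", so post-handshake anomaly checks and the `tls_*` keyword inspection that the `default` option keeps no longer apply to these flows. Note also that the old `#no-reassemble: yes` was commented out, so this hunk changes behaviour rather than swapping one active setting for another; the subject line's "unhandled streams" undersells a deliberate choice to stop inspecting TLS flows that Suricata does handle. Suggest one sentence naming that cost and pointing at `default` for installations whose rules depend on `tls_*` keywords.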
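Review bot: `bypass: yes` in the second hunk applies to every TCP stream, not only TLS: by its own comment it bypasses "when stream.reassembly.depth is reached", and the context lines show `depth: 1mb`, so any flow carrying more than 1 MB is inspected for its first megabyte only and the remainder is no longer seen by the stream engine or the rules. Suggest stating in the commit message that the reassembly depth now doubles as the per-flow inspection budget (so anyone tuning `depth` later is also moving the point at which bypass kicks in), and adding a sentence on how this setting relates to the `bypass` chosen in the first hunk, whose comment promises to "Offload flow bypass to kernel or hardware if possible", since the two are submitted together without the link being explained.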