[1/3] suricata: Update config file.

Message ID 20211208171031.308639-1-stefan.schantl@ipfire.org
State Rejected
Headers show
Series [1/3] suricata: Update config file. | expand

Commit Message

Stefan Schantl Dec. 8, 2021, 5:10 p.m. UTC
* This will enable swf decompression.
* Enable modbus parser.
* Enable dnp3 parser.
* Enable enip parser.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

Comments

Michael Tremer Dec. 9, 2021, 4:38 p.m. UTC | #1
Hello,

I would like to NACK this patch.

Do we need these parsers? I have no idea if we have any users for those. And if that is the case, I would prefer to keep them off to reduce the attack surface of the IPS.

Is there any strong reason that I have missed?

-Michael

> On 8 Dec 2021, at 17:10, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> * This will enable swf decompression.
> * Enable modbus parser.
> * Enable dnp3 parser.
> * Enable enip parser.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++
> 1 file changed, 84 insertions(+)
> 
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 0ad36e705..49921db86 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -525,6 +525,20 @@ app-layer:
>            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
>            http-body-inline: auto
> 
> +           # Decompress SWF files.
> +           # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
> +           # compress-depth:
> +           # Specifies the maximum amount of data to decompress,
> +           # set 0 for unlimited.
> +           # decompress-depth:
> +           # Specifies the maximum amount of decompressed data to obtain,
> +           # set 0 for unlimited.
> +           swf-decompression:
> +             enabled: yes
> +             type: both
> +             compress-depth: 0
> +             decompress-depth: 0
> +
>            # Take a random value for inspection sizes around the specified value.
>            # This lower the risk of some evasion technics but could lead
>            # detection change between runs. It is set to 'yes' by default.
> @@ -539,6 +553,76 @@ app-layer:
>            double-decode-path: no
>            double-decode-query: no
> 
> +           # Can disable LZMA decompression
> +           #lzma-enabled: yes
> +           # Memory limit usage for LZMA decompression dictionary
> +           # Data is decompressed until dictionary reaches this size
> +           #lzma-memlimit: 1mb
> +           # Maximum decompressed size with a compression ratio
> +           # above 2048 (only LZMA can reach this ratio, deflate cannot)
> +           #compression-bomb-limit: 1mb
> +           # Maximum time spent decompressing a single transaction in usec
> +           #decompression-time-limit: 100000
> +
> +         server-config:
> +
> +           #- apache:
> +           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
> +           #    personality: Apache_2
> +           #    # Can be specified in kb, mb, gb.  Just a number indicates
> +           #    # it's in bytes.
> +           #    request-body-limit: 4096
> +           #    response-body-limit: 4096
> +           #    double-decode-path: no
> +           #    double-decode-query: no
> +
> +           #- iis7:
> +           #    address:
> +           #      - 192.168.0.0/24
> +           #      - 192.168.10.0/24
> +           #    personality: IIS_7_0
> +           #    # Can be specified in kb, mb, gb.  Just a number indicates
> +           #    # it's in bytes.
> +           #    request-body-limit: 4096
> +           #    response-body-limit: 4096
> +           #    double-decode-path: no
> +           #    double-decode-query: no
> +
> +    # Note: Modbus probe parser is minimalist due to the poor significant field
> +    # Only Modbus message length (greater than Modbus header length)
> +    # And Protocol ID (equal to 0) are checked in probing parser
> +    # It is important to enable detection port and define Modbus port
> +    # to avoid false positive
> +    modbus:
> +      # How many unreplied Modbus requests are considered a flood.
> +      # If the limit is reached, app-layer-event:modbus.flooded; will match.
> +      #request-flood: 500
> +
> +      enabled: yes
> +      detection-ports:
> +        dp: 502
> +      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
> +      # is recommended to keep the TCP connection opened with a remote device
> +      # and not to open and close it for each MODBUS/TCP transaction. In that
> +      # case, it is important to set the depth of the stream reassembling as
> +      # unlimited (stream.reassembly.depth: 0)
> +
> +      # Stream reassembly size for modbus. By default track it completely.
> +      stream-depth: 0
> +
> +    # DNP3
> +    dnp3:
> +      enabled: yes
> +      detection-ports:
> +        dp: 20000
> +
> +    # SCADA EtherNet/IP and CIP protocol support
> +    enip:
> +      enabled: yes
> +      detection-ports:
> +        dp: 44818
> +        sp: 44818
> +
>     ntp:
>       enabled: yes
>     dhcp:
> -- 
> 2.30.2
>
Peter Müller Dec. 9, 2021, 7:26 p.m. UTC | #2
Hello Michael, hello Stefan,

first, thanks for working on this.

While I have no strong opinion on SWF and DNP3 - I have not seen both in production for
a long time, but there might be legacy/special setups out there which needs them -, SCADA-
related protocol parsers won't probably help the majority of our users, but are very helpful
in networks where SCADA is used.

To me, coming to a decision is tricky: I would oppose against making this configurable,
since most users won't understand what they are configuring. Truth to be told, we have very
little insights into use-cases for IPFire apart from common network setups, so at least I
am a bit lost when it comes to set a default for our users.

Thanks, and best regards,
Peter Müller


> Hello,
> 
> I would like to NACK this patch.
> 
> Do we need these parsers? I have no idea if we have any users for those. And if that is the case, I would prefer to keep them off to reduce the attack surface of the IPS.
> 
> Is there any strong reason that I have missed?
> 
> -Michael
> 
>> On 8 Dec 2021, at 17:10, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>
>> * This will enable swf decompression.
>> * Enable modbus parser.
>> * Enable dnp3 parser.
>> * Enable enip parser.
>>
>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
>> ---
>> config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++
>> 1 file changed, 84 insertions(+)
>>
>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
>> index 0ad36e705..49921db86 100644
>> --- a/config/suricata/suricata.yaml
>> +++ b/config/suricata/suricata.yaml
>> @@ -525,6 +525,20 @@ app-layer:
>>            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
>>            http-body-inline: auto
>>
>> +           # Decompress SWF files.
>> +           # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
>> +           # compress-depth:
>> +           # Specifies the maximum amount of data to decompress,
>> +           # set 0 for unlimited.
>> +           # decompress-depth:
>> +           # Specifies the maximum amount of decompressed data to obtain,
>> +           # set 0 for unlimited.
>> +           swf-decompression:
>> +             enabled: yes
>> +             type: both
>> +             compress-depth: 0
>> +             decompress-depth: 0
>> +
>>            # Take a random value for inspection sizes around the specified value.
>>            # This lower the risk of some evasion technics but could lead
>>            # detection change between runs. It is set to 'yes' by default.
>> @@ -539,6 +553,76 @@ app-layer:
>>            double-decode-path: no
>>            double-decode-query: no
>>
>> +           # Can disable LZMA decompression
>> +           #lzma-enabled: yes
>> +           # Memory limit usage for LZMA decompression dictionary
>> +           # Data is decompressed until dictionary reaches this size
>> +           #lzma-memlimit: 1mb
>> +           # Maximum decompressed size with a compression ratio
>> +           # above 2048 (only LZMA can reach this ratio, deflate cannot)
>> +           #compression-bomb-limit: 1mb
>> +           # Maximum time spent decompressing a single transaction in usec
>> +           #decompression-time-limit: 100000
>> +
>> +         server-config:
>> +
>> +           #- apache:
>> +           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
>> +           #    personality: Apache_2
>> +           #    # Can be specified in kb, mb, gb.  Just a number indicates
>> +           #    # it's in bytes.
>> +           #    request-body-limit: 4096
>> +           #    response-body-limit: 4096
>> +           #    double-decode-path: no
>> +           #    double-decode-query: no
>> +
>> +           #- iis7:
>> +           #    address:
>> +           #      - 192.168.0.0/24
>> +           #      - 192.168.10.0/24
>> +           #    personality: IIS_7_0
>> +           #    # Can be specified in kb, mb, gb.  Just a number indicates
>> +           #    # it's in bytes.
>> +           #    request-body-limit: 4096
>> +           #    response-body-limit: 4096
>> +           #    double-decode-path: no
>> +           #    double-decode-query: no
>> +
>> +    # Note: Modbus probe parser is minimalist due to the poor significant field
>> +    # Only Modbus message length (greater than Modbus header length)
>> +    # And Protocol ID (equal to 0) are checked in probing parser
>> +    # It is important to enable detection port and define Modbus port
>> +    # to avoid false positive
>> +    modbus:
>> +      # How many unreplied Modbus requests are considered a flood.
>> +      # If the limit is reached, app-layer-event:modbus.flooded; will match.
>> +      #request-flood: 500
>> +
>> +      enabled: yes
>> +      detection-ports:
>> +        dp: 502
>> +      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
>> +      # is recommended to keep the TCP connection opened with a remote device
>> +      # and not to open and close it for each MODBUS/TCP transaction. In that
>> +      # case, it is important to set the depth of the stream reassembling as
>> +      # unlimited (stream.reassembly.depth: 0)
>> +
>> +      # Stream reassembly size for modbus. By default track it completely.
>> +      stream-depth: 0
>> +
>> +    # DNP3
>> +    dnp3:
>> +      enabled: yes
>> +      detection-ports:
>> +        dp: 20000
>> +
>> +    # SCADA EtherNet/IP and CIP protocol support
>> +    enip:
>> +      enabled: yes
>> +      detection-ports:
>> +        dp: 44818
>> +        sp: 44818
>> +
>>     ntp:
>>       enabled: yes
>>     dhcp:
>> -- 
>> 2.30.2
>>
>

Patch

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 0ad36e705..49921db86 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -525,6 +525,20 @@  app-layer:
            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
            http-body-inline: auto
 
+           # Decompress SWF files.
+           # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+           # compress-depth:
+           # Specifies the maximum amount of data to decompress,
+           # set 0 for unlimited.
+           # decompress-depth:
+           # Specifies the maximum amount of decompressed data to obtain,
+           # set 0 for unlimited.
+           swf-decompression:
+             enabled: yes
+             type: both
+             compress-depth: 0
+             decompress-depth: 0
+
            # Take a random value for inspection sizes around the specified value.
            # This lower the risk of some evasion technics but could lead
            # detection change between runs. It is set to 'yes' by default.
@@ -539,6 +553,76 @@  app-layer:
            double-decode-path: no
            double-decode-query: no
 
+           # Can disable LZMA decompression
+           #lzma-enabled: yes
+           # Memory limit usage for LZMA decompression dictionary
+           # Data is decompressed until dictionary reaches this size
+           #lzma-memlimit: 1mb
+           # Maximum decompressed size with a compression ratio
+           # above 2048 (only LZMA can reach this ratio, deflate cannot)
+           #compression-bomb-limit: 1mb
+           # Maximum time spent decompressing a single transaction in usec
+           #decompression-time-limit: 100000
+
+         server-config:
+
+           #- apache:
+           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+           #    personality: Apache_2
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+           #- iis7:
+           #    address:
+           #      - 192.168.0.0/24
+           #      - 192.168.10.0/24
+           #    personality: IIS_7_0
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+    # Note: Modbus probe parser is minimalist due to the poor significant field
+    # Only Modbus message length (greater than Modbus header length)
+    # And Protocol ID (equal to 0) are checked in probing parser
+    # It is important to enable detection port and define Modbus port
+    # to avoid false positive
+    modbus:
+      # How many unreplied Modbus requests are considered a flood.
+      # If the limit is reached, app-layer-event:modbus.flooded; will match.
+      #request-flood: 500
+
+      enabled: yes
+      detection-ports:
+        dp: 502
+      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+      # is recommended to keep the TCP connection opened with a remote device
+      # and not to open and close it for each MODBUS/TCP transaction. In that
+      # case, it is important to set the depth of the stream reassembling as
+      # unlimited (stream.reassembly.depth: 0)
+
+      # Stream reassembly size for modbus. By default track it completely.
+      stream-depth: 0
+
+    # DNP3
+    dnp3:
+      enabled: yes
+      detection-ports:
+        dp: 20000
+
+    # SCADA EtherNet/IP and CIP protocol support
+    enip:
+      enabled: yes
+      detection-ports:
+        dp: 44818
+        sp: 44818
+
     ntp:
       enabled: yes
     dhcp: