suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes
Message ID | 20220929203518.3684141-1-matthias.fischer@ipfire.org |
---|---|
State | Accepted |
Commit | e79c4372ceb87d3fa91cd440745cb6125c57e23e |
Series | suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes |
Commit Message
Matthias Fischer
Sept. 29, 2022, 8:35 p.m. UTC
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
config/suricata/suricata.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Good morning,

Why would we need this change?

-Michael

> On 29 Sep 2022, at 21:35, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > --- > config/suricata/suricata.yaml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml > index 03a7a83af..fb4f9426b 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -371,7 +371,7 @@ app-layer: > dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 > # MQTT, disabled by default. > mqtt: > - # enabled: no > + enabled: yes > # max-msg-length: 1mb > krb5: > enabled: yes > -- > 2.34.1 >
On 30.09.2022 06:57, Michael Tremer wrote:
> Good morning,

Hi,

> Why would we need this change?

I'm not sure if we *really* need this change. My first thought was to enable it to avoid this "ERRCODE"-message during startup:

...
[ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
...

v6.0.8 comes with a new rules file for app-layer-events: 'mqtt.rules' to detect and avoid mqtt flooding attacks. Current standard action is 'alert'.

=> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer :

What is 'mqtt'?

=> https://www.opc-router.com/what-is-mqtt/ :

"MQTT – Message Queuing Telemetry Transport

MQTT (Message Queuing Telemetry Transport) is a messaging protocol for restricted low-bandwidth networks and extremely high-latency IoT devices. Since Message Queuing Telemetry Transport is specialized for low-bandwidth, high-latency environments, it is an ideal protocol for machine-to-machine (M2M) communication.

MQTT works on the publisher / subscriber principle and is operated via a central broker. This means that the sender and receiver have no direct connection. The data sources report their data via a publish and all recipients with interest in certain messages (“marked by the topic”) get the data delivered because they have registered as subscribers. In IoT and IIoT, MQTT is used all the way to connecting cloud environments..."

I wanted to test v6.0.8 in its (new) standard config, so I activated this protocol.

Until now, I found no information on what "this behavior will change in Suricata 7" really means.

The only information I just found:
=> https://suricata.readthedocs.io/en/latest/upgrade.html#upgrading-6-0-to-7-0

"Upgrading 5.0 to 6.0
...
Major changes:
...
New protocols enabled by default: mqtt, rfb
..."

'rfb' is already enabled in our config. If we don't want 'mqtt' we should set 'mqtt' to "enabled: no"

Best,
Matthias

> -Michael
>
>> On 29 Sep 2022, at 21:35, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >> >> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >> --- >> config/suricata/suricata.yaml | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml >> index 03a7a83af..fb4f9426b 100644 >> --- a/config/suricata/suricata.yaml >> +++ b/config/suricata/suricata.yaml >> @@ -371,7 +371,7 @@ app-layer: >> dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 >> # MQTT, disabled by default. >> mqtt: >> - # enabled: no >> + enabled: yes >> # max-msg-length: 1mb >> krb5: >> enabled: yes >> -- >> 2.34.1 >> >
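Added example, not IPFire's or Suricata's own code: a small checker for the condition behind the SC_ERR_CONF_YAML_ERROR warning quoted above. It lists every protocol under app-layer.protocols whose enabled: line is missing or commented out, which is exactly the set Suricata 6.0.8 enables by default with that warning and will treat differently in Suricata 7. The YAML is a constructed sample mirroring the patch context, and the hand-rolled scanner assumes the two-space indentation of the stock suricata.yaml.

```python
import re

# Constructed sample mirroring the patch context (not the real IPFire file):
# 'mqtt' only has a commented-out 'enabled', 'snmp' has no 'enabled' key at all.
SAMPLE_YAML = """\
app-layer:
  protocols:
    rfb:
      enabled: yes
    # MQTT, disabled by default.
    mqtt:
      # enabled: no
      # max-msg-length: 1mb
    krb5:
      enabled: yes
    snmp:
      detection-ports:
        dp: 161
"""
# Values Suricata accepts for a protocol's top-level 'enabled' key.
ENABLED_RE = re.compile(r"^enabled:\s*(yes|no|true|false|detection-only)\s*$")

def unset_protocols(yaml_text):
    """Names of app-layer protocols with no explicit, uncommented 'enabled:'."""
    found, current, explicit = [], None, False
    seen_app_layer, protocols_ind, proto_ind, child_ind = False, None, None, None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                  # '# enabled: no' is a comment, not a setting
        ind = len(line) - len(line.lstrip(" "))
        if protocols_ind is None:     # still looking for app-layer: -> protocols:
            seen_app_layer = seen_app_layer or stripped == "app-layer:"
            if seen_app_layer and stripped == "protocols:":
                protocols_ind = ind
            continue
        if ind <= protocols_ind:
            break                     # left the protocols mapping
        proto_ind = ind if proto_ind is None else proto_ind
        if ind == proto_ind:          # a new protocol block starts here
            if current is not None and not explicit:
                found.append(current)
            current, explicit, child_ind = stripped.rstrip(":"), False, None
        else:
            child_ind = ind if child_ind is None else child_ind
            if ind == child_ind and ENABLED_RE.match(stripped):
                explicit = True       # direct child only, not a nested sub-section
    if current is not None and not explicit:
        found.append(current)
    return found
```

Run against the real file, the output is the list of protocols to set explicitly before the Suricata 7 upgrade; for the sample it reports mqtt and snmp, and only snmp once the patch above is applied.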
Hello *,

> On 30.09.2022 06:57, Michael Tremer wrote:
>> Good morning,
>
> Hi,
>
>> Why would we need this change?
>
> I'm not sure if we *really* need this change. My first thought was to enable it to avoid this "ERRCODE"-message during startup:
>
> ...
> [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
> ...
>
> v6.0.8 comes with a new rules file for app-layer-events: 'mqtt.rules' to detect and avoid mqtt flooding attacks. Current standard action is 'alert'.
>
> => https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer :
>
> What is 'mqtt'?
>
> => https://www.opc-router.com/what-is-mqtt/ :
>
> "MQTT – Message Queuing Telemetry Transport
>
> MQTT (Message Queuing Telemetry Transport) is a messaging protocol for restricted low-bandwidth networks and extremely high-latency IoT devices. Since Message Queuing Telemetry Transport is specialized for low-bandwidth, high-latency environments, it is an ideal protocol for machine-to-machine (M2M) communication.
>
> MQTT works on the publisher / subscriber principle and is operated via a central broker. This means that the sender and receiver have no direct connection. The data sources report their data via a publish and all recipients with interest in certain messages (“marked by the topic”) get the data delivered because they have registered as subscribers. In IoT and IIoT, MQTT is used all the way to connecting cloud environments..."
>
> I wanted to test v6.0.8 in its (new) standard config, so I activated this protocol.
>
> Until now, I found no information on what "this behavior will change in Suricata 7" really means.
>
> The only information I just found:
> => https://suricata.readthedocs.io/en/latest/upgrade.html#upgrading-6-0-to-7-0
>
> "Upgrading 5.0 to 6.0
> ...
> Major changes:
> ...
> New protocols enabled by default: mqtt, rfb
> ..."
>
> 'rfb' is already enabled in our config. If we don't want 'mqtt' we should set 'mqtt' to "enabled: no"

just my two cents: I think it cannot hurt to enable this; if it gets us some more coverage on malicious IoT activity (a pleonasm, I know), there is a benefit from it.

Acked-by: Peter Müller <peter.mueller@ipfire.org>

@Michael: What is your opinion on that?

Thanks, and best regards,
Peter Müller

>
> Best,
> Matthias
>
>> -Michael
>>
>>> On 29 Sep 2022, at 21:35, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>> >>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >>> --- >>> config/suricata/suricata.yaml | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml >>> index 03a7a83af..fb4f9426b 100644 >>> --- a/config/suricata/suricata.yaml >>> +++ b/config/suricata/suricata.yaml >>> @@ -371,7 +371,7 @@ app-layer: >>> dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 >>> # MQTT, disabled by default. >>> mqtt: >>> - # enabled: no >>> + enabled: yes >>> # max-msg-length: 1mb >>> krb5: >>> enabled: yes >>> -- >>> 2.34.1 >>> >> >
Hello,

MQTT seems to be getting more and more popular and I have seen this in a couple of networks. So I do not see any reason not to enable this.

-Michael

> On 2 Oct 2022, at 12:07, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello *,
>
>> On 30.09.2022 06:57, Michael Tremer wrote:
>>> Good morning,
>>
>> Hi,
>>
>>> Why would we need this change?
>>
>> I'm not sure if we *really* need this change. My first thought was to enable it to avoid this "ERRCODE"-message during startup:
>>
>> ...
>> [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
>> ...
>>
>> v6.0.8 comes with a new rules file for app-layer-events: 'mqtt.rules' to detect and avoid mqtt flooding attacks. Current standard action is 'alert'.
>>
>> => https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer :
>>
>> What is 'mqtt'?
>>
>> => https://www.opc-router.com/what-is-mqtt/ :
>>
>> "MQTT – Message Queuing Telemetry Transport
>>
>> MQTT (Message Queuing Telemetry Transport) is a messaging protocol for restricted low-bandwidth networks and extremely high-latency IoT devices. Since Message Queuing Telemetry Transport is specialized for low-bandwidth, high-latency environments, it is an ideal protocol for machine-to-machine (M2M) communication.
>>
>> MQTT works on the publisher / subscriber principle and is operated via a central broker. This means that the sender and receiver have no direct connection. The data sources report their data via a publish and all recipients with interest in certain messages (“marked by the topic”) get the data delivered because they have registered as subscribers. In IoT and IIoT, MQTT is used all the way to connecting cloud environments..."
>>
>> I wanted to test v6.0.8 in its (new) standard config, so I activated this protocol.
>>
>> Until now, I found no information on what "this behavior will change in Suricata 7" really means.
>>
>> The only information I just found:
>> => https://suricata.readthedocs.io/en/latest/upgrade.html#upgrading-6-0-to-7-0
>>
>> "Upgrading 5.0 to 6.0
>> ...
>> Major changes:
>> ...
>> New protocols enabled by default: mqtt, rfb
>> ..."
>>
>> 'rfb' is already enabled in our config. If we don't want 'mqtt' we should set 'mqtt' to "enabled: no"
>
> just my two cents: I think it cannot hurt to enable this; if it gets us some more coverage on malicious IoT activity (a pleonasm, I know), there is a benefit from it.
>
> Acked-by: Peter Müller <peter.mueller@ipfire.org>
>
> @Michael: What is your opinion on that?
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> Best,
>> Matthias
>>
>>> -Michael
>>>
>>>> On 29 Sep 2022, at 21:35, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>>> >>>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >>>> --- >>>> config/suricata/suricata.yaml | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml >>>> index 03a7a83af..fb4f9426b 100644 >>>> --- a/config/suricata/suricata.yaml >>>> +++ b/config/suricata/suricata.yaml >>>> @@ -371,7 +371,7 @@ app-layer: >>>> dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 >>>> # MQTT, disabled by default. >>>> mqtt: >>>> - # enabled: no >>>> + enabled: yes >>>> # max-msg-length: 1mb >>>> krb5: >>>> enabled: yes >>>> -- >>>> 2.34.1
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 03a7a83af..fb4f9426b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -371,7 +371,7 @@ app-layer: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 # MQTT, disabled by default. mqtt: - # enabled: no + enabled: yes # max-msg-length: 1mb krb5: enabled: yes
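Review bot: the unchanged context line `# MQTT, disabled by default.` directly above the `mqtt:` key now contradicts the new `+ enabled: yes` line; update that comment in the same hunk (for example to say MQTT is enabled explicitly so Suricata 6.0.8 no longer falls back to its default and logs SC_ERR_CONF_YAML_ERROR at startup), otherwise the file documents the opposite of what it sets. The hunk also leaves `# max-msg-length: 1mb` commented out, so the parser runs with Suricata's built-in message-length limit; that is fine, but the commit message currently carries only a Signed-off-by line, and the rationale given in the thread (silencing the startup warning, matching the upstream 6.0 default that already enables mqtt, and picking up the new mqtt.rules app-layer-events) belongs in it.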