Message ID | 35331b2c-281e-f72f-fdd9-de8bfa592717@ipfire.org |
---|---|
State | Accepted |
Commit | ad99f959e2b83dd9f1275c1d385140271c8926ae |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (unknown [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 968B088B628 for <patchwork@web07.i.ipfire.org>; Thu, 7 Feb 2019 17:47:48 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 43wQkq4Xlyz57GmY; Thu, 7 Feb 2019 17:47:47 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1549561667; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:list-id:list-unsubscribe:list-subscribe:list-post; bh=fxKgj1l1YKKVXRcSjAVueNs3qvc5AoGt1BZtvAopjOY=; b=MDpPU3s5VkUpSEVYZhC2JVPz9s9aorldPJaEppp11b7sYHLiV1e7a4kQ+buiGGY3aI4lhr dMOCAB6dHRTNGsHFBjyetJxmCk5Hv8BnZdCgKkL9sBDAP0Df5pZiEOgcpnV/o9EpYgdrpe GnHXxSaSefgOxfC+40Qp3ooUhkaB2J1qUx0HNQ1b0TrgFXJap3oIpsm0Wr4NipbOoX5OVO N3atD+XqV0Wm8Q/MH/kXXdws2+ouRflOlLRuujxHCCjYtgNj75Aaqe+/t9YMLfNPCZhJA7 G58r+IJCW8PIsjUS8eE9hHV6OO0nciyRTns2MNeBaI+UU2wPHE/ITk8kc9drDw== Received: from [127.0.0.1] (unknown [141.255.162.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 43wQkl4kKkz5HDMv for <development@lists.ipfire.org>; Thu, 7 Feb 2019 17:47:43 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1549561663; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=fxKgj1l1YKKVXRcSjAVueNs3qvc5AoGt1BZtvAopjOY=; b=z4LhliivXZPu4dRvmx74K2pHgFUMqiF13ZoWNHIl0QntrfeRtUl+FPVrIqVuxrHBlP5J0m FdFMdrh3eulk1Ac31QY8b2KWMxPS5qeQFSfFJwG1FgUHa6B9KdxSLaHX8dqjxy2tW064jG cCitoOxzfkqV89dk8qCTt+YcL4YO6jlqGA3n+7bH5eFnr/2b7mJtpjIxKjvTHtMhBaJqQe ZtVffpTy9obiQnkdPJP8n+P/6BnLxaqM0+JtxulbEgoFDyYQ8onNXD+glCmu6Z0yIkXjGJ Ip5116Uf6hgbCFF0WJ6Qi/v+2u3oTU0qAhnxpCDDoBpLJscrhMDLbe/dbbac4g== From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Organization: IPFire.org To: "IPFire: Development-List" <development@lists.ipfire.org> Subject: [PATCH 3/3] Suricata: detect DNS events on port 853, too Message-ID: <35331b2c-281e-f72f-fdd9-de8bfa592717@ipfire.org> Date: Thu, 07 Feb 2019 17:47:00 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-Spamd-Result: default: False [-5.87 / 11.00]; ARC_NA(0.00)[]; BAYES_HAM(-3.00)[100.00%]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; HAS_ORG_HEADER(0.00)[]; DKIM_SIGNED(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_HAM(-2.77)[-0.925,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:51852, ipnet:141.255.160.0/21, country:CH]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[] X-Spam-Status: No, score=-5.87 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
[1/3] Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP portsas, well
|
|
Commit Message
Peter Müller
Feb. 8, 2019, 4:47 a.m. UTC
As DNS over TLS popularity is increasing, port 853 becomes
more interesting for an attacker as a bypass method. Enabling
this port for DNS monitoring makes sense in order to avoid
unusual activity (non-DNS traffic) as well as "normal" DNS
attacks.
Partially fixes #11808
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/suricata/suricata.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Merged. Best regards, -Stefan > As DNS over TLS popularity is increasing, port 853 becomes > more interesting for an attacker as a bypass method. Enabling > this port for DNS monitoring makes sense in order to avoid > unusual activity (non-DNS traffic) as well as "normal" DNS > attacks. > > Partially fixes #11808 > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > Cc: Stefan Schantl <stefan.schantl@ipfire.org> > --- > config/suricata/suricata.yaml | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/config/suricata/suricata.yaml > b/config/suricata/suricata.yaml > index d7302788c..67b9e8a7d 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -208,11 +208,11 @@ app-layer: > tcp: > enabled: yes > detection-ports: > - dp: 53 > + dp: "[53,853]" > udp: > enabled: yes > detection-ports: > - dp: 53 > + dp: "[53,853]" > http: > enabled: yes > # memcap: 64mb
Do we expect any plain DNS traffic on this port? I am not sure if any rules would match the TLS traffic here. > On 7 Feb 2019, at 20:34, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Merged. > > Best regards, > > -Stefan >> As DNS over TLS popularity is increasing, port 853 becomes >> more interesting for an attacker as a bypass method. Enabling >> this port for DNS monitoring makes sense in order to avoid >> unusual activity (non-DNS traffic) as well as "normal" DNS >> attacks. >> >> Partially fixes #11808 >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> Cc: Stefan Schantl <stefan.schantl@ipfire.org> >> --- >> config/suricata/suricata.yaml | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/config/suricata/suricata.yaml >> b/config/suricata/suricata.yaml >> index d7302788c..67b9e8a7d 100644 >> --- a/config/suricata/suricata.yaml >> +++ b/config/suricata/suricata.yaml >> @@ -208,11 +208,11 @@ app-layer: >> tcp: >> enabled: yes >> detection-ports: >> - dp: 53 >> + dp: "[53,853]" >> udp: >> enabled: yes >> detection-ports: >> - dp: 53 >> + dp: "[53,853]" >> http: >> enabled: yes >> # memcap: 64mb
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d7302788c..67b9e8a7d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" udp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" http: enabled: yes # memcap: 64mb