From patchwork Fri Feb 8 04:38:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2072
To: "IPFire: Development-List"
From: Peter Müller
Organization: IPFire.org
Subject: [PATCH 1/3] Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports as well
Date: Thu, 07 Feb 2019 17:38:00 +0000

Partially fixes #11808

Signed-off-by: Peter Müller
Cc: Stefan Schantl
---
config/suricata/suricata.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 48035a67e..dd7e53584 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: 443 + dp: "[443,465,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow

From patchwork Fri Feb 8 04:41:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2073
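Review bot: on the tls detection-ports hunk of PATCH 1/3, the commit message gives no rationale beyond "Partially fixes #11808"; the other two patches in the series explain their change, and this one should say what changing dp: 443 to dp: "[443,465,993,995]" achieves (TLS app-layer detection, and with it TLS rules and TLS logging, on the implicit-TLS mail ports 465, 993 and 995). Worth stating too that the quoted bracket form is the port-list syntax Suricata expects for detection-ports, and that the post-handshake processing option described by the comment directly below the hunk ("Completely stop processing TLS/SSL session after the handshake completed") now governs those mail ports as well as 443, so its current setting should be confirmed as intended for them.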
To: "IPFire: Development-List"
From: Peter Müller
Organization: IPFire.org
Subject: [PATCH 2/3] Suricata: enable full detection for missing protocols
Message-ID: <859c3571-3175-fc8c-9418-f59cd991385e@ipfire.org>
Date: Thu, 07 Feb 2019 17:41:00 +0000

These are IMAP and MSN, which can be safely enabled.

Partially fixes #11808
Signed-off-by: Peter Müller
Cc: Stefan Schantl
---
config/suricata/suricata.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index dd7e53584..d7302788c 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -182,9 +182,9 @@ app-layer: content-inspect-min-size: 32768 content-inspect-window: 4096 imap: - enabled: detection-only + enabled: yes msn: - enabled: detection-only + enabled: yes smb: enabled: yes detection-ports:

From patchwork Fri Feb 8 04:47:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2074
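Review bot: on the imap/msn hunk of PATCH 2/3, "can be safely enabled" needs substantiating: as far as I know Suricata ships protocol-detection patterns but no application-layer parser for IMAP or MSN, which is exactly why upstream sets these two entries to detection-only, so switching them to enabled: yes should be a functional no-op, and the subject's "full detection" promises something the parser set cannot deliver. Either state in the commit message what is actually gained (and on which Suricata version it was verified), or drop this hunk.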
From: Peter Müller
Organization: IPFire.org
To: "IPFire: Development-List"
Subject: [PATCH 3/3] Suricata: detect DNS events on port 853, too
Message-ID: <35331b2c-281e-f72f-fdd9-de8bfa592717@ipfire.org>
Date: Thu, 07 Feb 2019 17:47:00 +0000

As DNS over TLS popularity is increasing, port 853 becomes more interesting for an attacker as a bypass method. Enabling this port for DNS monitoring makes sense in order to avoid unusual activity (non-DNS traffic) as well as "normal" DNS attacks.

Partially fixes #11808

Signed-off-by: Peter Müller
Cc: Stefan Schantl
---
config/suricata/suricata.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index d7302788c..67b9e8a7d 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" udp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" http: enabled: yes # memcap: 64mb
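Review bot: on the dns tcp/udp hunk of PATCH 3/3, the rationale does not match the change: port 853 carries DNS over TLS (and, on UDP, DNS over DTLS), so what Suricata sees there is a TLS handshake followed by encrypted records, not DNS messages. Adding 853 to the dns detection-ports therefore cannot yield detection of "normal" DNS attacks; the DNS probing parser will simply not recognise the traffic on that port, and the UDP half of the hunk has the same problem. If the goal is visibility of DoT, 853 belongs in the tls detection-ports list that PATCH 1/3 of this series extends, so that the handshake (SNI, server certificate) is logged; if the goal is to notice non-DoT traffic on 853, the commit message should explain how a DNS parser that cannot parse DoT achieves that. Please adjust the commit message, or the hunk, accordingly.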