From patchwork Sat Feb 23 07:16:00 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 2090
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mail01.ipfire.org",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by web07.i.ipfire.org (Postfix) with ESMTPS id D7E2588B0A0
	for <patchwork@web07.i.ipfire.org>;
	Fri, 22 Feb 2019 20:16:46 +0000 (GMT)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 445jKn6Qbwz5GwMp;
	Fri, 22 Feb 2019 20:16:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1550866606;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references:list-id:list-unsubscribe:list-subscribe:list-post;
	bh=Gvr1nGio+hfmCgv/2lNNrp9rU6++6nlKBaQImyGbOck=;
	b=SiTXnV5y0HTD0+pQrXBSBH1wskUhctTVNOKANPq5KOlDO6w5DZ53yk5sUMbezoDU9tM9tD
	GfY/GlEzujrrgiJnXTI+2/shblNzFlzY0P2ze5z146/s+M2qS01kaoQ2j2KPiY5u2TDNoZ
	9N14MNTNzildueT3ZTWpDs8N8ONPIIwp2wddUgRBxIHbko2amXzqgC/SAO9zXXIyvkWrWe
	eufl7Vr90gxLnYCaoa0DqdLxHD39d5HrBpI4oFzDSzzy4ACMKf2OirgYx/CawzG1EeCOdZ
	rC80xI38fcB4wflkzfRLjMH/1vEO2uH8uLQJXideZhrWx66g4YvaiHpKPmlbGg==
Received: from [127.0.0.1] (exit04.brasshorncomms.uk [IPv6:2a06:3000::120:3])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 445jKk2WmQz5GwMm;
	Fri, 22 Feb 2019 20:16:42 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1550866602;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references; bh=Gvr1nGio+hfmCgv/2lNNrp9rU6++6nlKBaQImyGbOck=;
	b=kwNNRPHP3m8GAH+0M7JUulDht8sfyb61nMFlRzFXstR4ea5tjp+dn/P5VB4WS/CUG6oHPJ
	nlyq8vNRnFfI7vhKixUoXpZMRGQ5vTtv9Xe4M07CMVlUqUq9LKPEZAz+IlTVeKN3yzmy8M
	GYd94yyjljMl4g/5lvo40bfiNyklWjFjsLmmjQ+sTLZGzZRzinxIlvKRfFbGsyjaV/eR30
	5cXQagOnlWjMbeg9Xf89KOjJkRuOBau+i0NfmtNARU2gPNwJxWaKnPf/JbwBypcchYVhVD
	VlGDR0qsLYMvw2D+Fe2oh42qra/zrLvNJSfgWKAYS4y8sik7uoQNVJfiej8TxQ==
To: Stefan Schantl <stefan.schantl@ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH] Suricata: detect TLS traffic on port 444, too
Organization: IPFire.org
Message-ID: <407990e1-b28c-546a-d1b5-d99901eaee8e@ipfire.org>
Date: Fri, 22 Feb 2019 20:16:00 +0000
MIME-Version: 1.0
Content-Language: en-US
Authentication-Results: mail01.ipfire.org;
	auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org
X-Spamd-Result: default: False [-5.31 / 11.00]; ARC_NA(0.00)[];
	BAYES_HAM(-3.00)[100.00%]; FROM_HAS_DN(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
	HAS_ORG_HEADER(0.00)[]; DKIM_SIGNED(0.00)[]; TO_DN_ALL(0.00)[];
	RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM(-2.21)[-0.738,0];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+];
	ASN(0.00)[asn:28715, ipnet:2a06:3000::/29, country:GB];
	MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-5.31
X-Rspamd-Server: mail01.i.ipfire.org
Cc: "IPFire: Development-List" <development@lists.ipfire.org>
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

This is the default port for IPFire's administrative web interface
and should be monitored by Suricata, too.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
c: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/suricata/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4fbd32b85..0ff06f4ae 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -140,7 +140,7 @@ app-layer:
     tls:
       enabled: yes
       detection-ports:
-        dp: "[443,465,993,995]"
+        dp: "[443,444,465,993,995]"
 
       # Completely stop processing TLS/SSL session after the handshake
       # completed. If bypass is enabled this will also trigger flow