From patchwork Fri Mar 1 01:28:06 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2101
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 01/20] Revert "Suricata: detect DNS events on port 853, too"
Date: Thu, 28 Feb 2019 14:28:06 +0000
Message-Id: <20190228142825.5153-2-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>

This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.

It does not make any sense to try to decode the TLS connection with the DNS decoder. Therefore 853 (TCP only) should be added to the TLS decoder.
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4fbd32b85..301a157a3 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,465,993,995]" + dp: "[443,465,853,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow 
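Review bot: the new 853 entry in app-layer.protocols.tls.detection-ports is consistent with the commit message's "TCP only", since the tls stanza has no udp sub-section, and the list stays sorted, so the hunk itself is fine. What the commit message should spell out is what the entry buys: on 853 Suricata will now classify the flow as TLS and record the handshake (SNI and certificate of the DoT resolver), and the comment right below the hunk describes the option to stop processing a TLS session once the handshake completes; if that option is on, the handshake is all the engine will ever inspect on 853, which is the right trade because the payload is ciphertext anyway.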
@@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes # memcap: 64mb From patchwork Fri Mar 1 01:28:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2102 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 30CED88B0B9 for ; Thu, 28 Feb 2019 14:28:52 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FKb3Ztgz5KvHp; Thu, 28 Feb 2019 14:28:51 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364131; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=mWUgJ+VeoY1bk2gKjKQocRGtZ6tExJVyE8uekXKLMcg=; b=x0SKBWmmgIR97IcszOT7B4uBn7veOZgWOvbk+imFXSGGzcw3RMe7R4uFH10YA01SAS6Mdj 8wJGPsoXykf1m/2dHc+sTIkYDPr1hW0ACFNL5ARtfOWEDbMCPbXLKpJjMfkvzeBVtgaKvG EzC+Lw7yilmBjuz4EUCZbttlcyNbiPIKV61r5RIE6FldqO1iedSDTqYQBYmX+ZDR7z1yZV aD6G6hsuKkRJw0NFLMp8Gxan+0SCeMJbnhWdNelFwTpf1mv3gnGoj4zEoz9CJy4X/h5y8H lahCFAvW8714ox/PQ6n/NDYpw6uoasLRYfx+iZBDZQLTWmdW7RBVrAtpxt2wjQ== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKL2Cv4z5KvGj; Thu, 28 Feb 2019 14:28:38 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364118; 
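Review bot: reverting dns.tcp and dns.udp to dp: 53 is the right call, as the DNS parser cannot decode DNS-over-TLS payload; the udp entry for 853 was never useful either, since anything on that port is encrypted too. The side effect to document in the commit message is that DNS-keyword rules now never match DoT sessions, so a client that moves to a DoT resolver drops out of DNS-based detection entirely and the only handle left is the TLS handshake on 853.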
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 02/20] suricata: Set max-pending-packets to 1024
Date: Thu, 28 Feb 2019 14:28:07 +0000
Message-Id: <20190228142825.5153-3-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 301a157a3..d94de87f1 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -412,11 +412,7 @@ host-mode: auto # Number of packets preallocated per thread. The default is 1024. A higher number # will make sure each CPU will be more easily kept busy, but may negatively # impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 +max-pending-packets: 1024 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned From patchwork Fri Mar 1 01:28:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2103 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 4783488B0B9 for ; Thu, 28 Feb 2019 14:28:57 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FKh5RKmz5KvHh; Thu, 28 Feb 2019 14:28:56 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364136; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=amvPLRQBgxCCgGL5egwP+X3BDtG60gocRgWidbBRAc8=; b=Y2C/z6YvwwgWw4r9Z8lM4B1lnrmo2p9pUUvYyvqn2SG0O1VYE9Ga4czFBqXIbvh6Kb3qgv fCLHTuNAaIcuToAkBPLKqR1HTregEAPUc6AqU0aBYPGr2Eg1v3nPzk+2eU2XNmHqzmNrPK I2rT+c945xNm3cP6BzGalK9ihHjbiVGx5RWqztuaavowvwLgi4ePWmn82IRfgrjLNAVWCM 
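Review bot: max-pending-packets is set to 1024, which the comment immediately above the hunk calls the default, so this hunk changes no behaviour, and the commit has no body explaining it. Say whether the intent is to pin the value against upstream default changes or to raise it; if it is the latter, the comment itself suggests a higher number to keep CPUs busy, and the memory cost per slot is bounded by default-packet-size. Dropping the CUDA paragraph only removes advice that applies when mpm-algo: ac-cuda is selected, so that part is fine.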
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 03/20] suricata: Set default packet size to 1514
Date: Thu, 28 Feb 2019 14:28:08 +0000
Message-Id: <20190228142825.5153-4-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>

We usually use an MTU of 1500 + Ethernet header.

Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index d94de87f1..dc1163820 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -434,7 +434,7 @@ max-pending-packets: 1024 # Preallocated size for packet. Default is 1514 which is the classical # size for pcap on ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 +default-packet-size: 1514 # Unix command socket can be used to pass commands to suricata. # An external tool can then connect to get information from suricata From patchwork Fri Mar 1 01:28:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2104 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 5BF3288B0B9 for ; Thu, 28 Feb 2019 14:29:02 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FKn61j1z5KvHS; Thu, 28 Feb 2019 14:29:01 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364142; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=THxvw9D9lL/67RQcSOOMKLfzP+gGcVwsogZ1OPjeRPs=; b=wvZsd7KqGoJ8RBwo8t/AAjxlpLAhw3cszTyzm2tTDMFaGvJwtKMQQJpsIbbRC+4E9bsRru PkAjbMXlOoGCK9ld/Ch0TOYC4wAOy0da+MDCYC35gF5rBCed4OCBzaL7xsbDzVfI4+ImCY 1Sa38osf4HWIw7tSaMUWaTmUhUMAD5li3stAhyjdYhCCQPB8CFNVM/g//8SruLnnlhqaie C1mX0p+eGJHv7vO6E7Avv59A4oaj9d5S0pQ6PGt1FL1vtRNhm0xPasCQn9zlGzSBXXmBf3 pmMBirTfhZPqYMmNQBWBRG3hphiCpTJO1V6C/tWiMnWa3Zewz251pZMVkovktg== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) 
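Review bot: default-packet-size: 1514 is the value the comment above the hunk already calls the default, so the hunk is a no-op in effect. The comment also says to size this to the largest frame (MTU + hardware header) on the system, and 1514 leaves no room for an 802.1Q tag (4 bytes more) or for an interface running jumbo frames. If the monitored zones can carry VLAN sub-interfaces, 1518 is the safer constant; larger frames are still processed, but outside the preallocated buffer, which is the slow path this setting exists to avoid.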
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 04/20] suricata: Set detection profile to high
Date: Thu, 28 Feb 2019 14:28:09 +0000
Message-Id: <20190228142825.5153-5-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>

This will merge rules more aggressively so that the engine is only processing those that can actually match.

Memory is cheap. People with little memory should not run suricata anyways.

Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index dc1163820..10dbdc99b 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -745,7 +745,7 @@ decoder: # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect: - profile: medium + profile: high custom-values: toclient-groups: 3 toserver-groups: 25 From patchwork Fri Mar 1 01:28:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2105 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 2548688B0B9 for ; Thu, 28 Feb 2019 14:29:08 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FKv4XWCz51j5t; Thu, 28 Feb 2019 14:29:07 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364147; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=a/mdxXH1zxitwzzFbUOQlFgEMKPpgrbVxMTjvR7iNmw=; b=CgcyQs1nk+LvtRs/ETjc+VKN5stYVtmhPoAInSGYcESE0KkORh3DDZG8gDx3geJTOBDqpX I6DvpIPU48fawn3XeZi3vLUIk3NYfWgHAJIeASc5CgEMKjljxk6MK/mc6vjAst/z0RFoNK SZDwaqrD8nlnPfeTC7B/bsqdELRZRuF+o++PfCAnrbUz21hNNsYYmlx8I3AukaAUJVlmao jBib1n6o+2197x+8ccPnq4YqvCtKta47ikUdWzotdQK4zyge/ejY6U5mk43QSl1avPcNOD EuCvlFDzIZRjw+1A+pOZLiBpsR+ffwk1f393Rz8bTROYghucgUsF9kr27dci6w== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKN3jm9z5KvHN; Thu, 28 Feb 2019 14:28:40 +0000 (GMT) DKIM-Signature: 
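Review bot: with profile switched to high, the custom-values block that follows (toclient-groups: 3, toserver-groups: 25) becomes dead configuration, because Suricata only reads detect.custom-values when profile is custom. Either drop the block in the same hunk or add a comment saying it is kept for experimentation, otherwise the next reader will assume those group counts are in effect. The commit message should also state the trade it makes explicitly: high builds more signature groups, so faster matching at a larger memory footprint, which is the "memory is cheap" argument.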
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 05/20] suricata: Drop profiling section from configuration
Date: Thu, 28 Feb 2019 14:28:10 +0000
Message-Id: <20190228142825.5153-6-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>

This is not compiled in as it slows down detection and is only really useful for debugging.

Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 69 -------------------------------------------
 1 file changed, 69 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 10dbdc99b..8dc2a1587 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -860,75 +860,6 @@ threading: # detect-thread-ratio: 1.0 -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. 
- locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - ## ## Include other configs ## From patchwork Fri Mar 1 01:28:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2106 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 0F6EA88B0B9 for ; Thu, 28 Feb 2019 14:29:13 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FL03mWkz5KvHp; Thu, 28 Feb 2019 14:29:12 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364152; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=H/v8vp7LIySdzmelIIej09Tnt1G94gDS7YiN0vjSELg=; b=Hh3B3TT6CzxiNixYPk/bSNUzCB7jEYZ2ZTruNcS3ZpX/L3G8E0ywXZvtHWMIv33j0f/01P RJ1yCO9hr7YVieIi4vvwYTRDJpxDnm1gMN2/36LOCn4DWfnrieARIR2oyJ0kef5bun0nOP mWcng6cG6VlK06/TOo9X3DMRWGgo4qlwPIS776IilxF2Dy0IL+Bdl19GQAmOW+zchrPdST kMcuxkMRMk2dkGi3KaCRZWQNU0jNTCLIKum3OtPOvvr3lkI4JK50JAscor90D/OGGt2n30 FuPbfnNTe92IfK+yOMOxlJAGU0XTAYtCl44jiOqqVNsdY7mA1/Vi1zFBNW5zmg== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKP3KsFz5KvHQ; Thu, 28 Feb 2019 14:28:41 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364121; 
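Review bot: removing the profiling block matches the commit message (not compiled in, so every key here was inert), and the rules, keywords, rulegroups and packets outputs it would have written (rule_perf.log, keyword_perf.log, rule_group_perf.log, packet_stats.log) were all enabled: yes, which is the wrong default for a production firewall even when profiling is built, so losing them is an improvement rather than only a cleanup. One follow-up: make sure the build recipe does not pass --enable-profiling either, since the comment at the top of the removed block says the section only takes effect with that flag, and without this config the engine would fall back to its own defaults for those files.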
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 06/20] suricata: Drop some commented stuff from configuration
Date: Thu, 28 Feb 2019 14:28:11 +0000
Message-Id: <20190228142825.5153-7-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>

The file is really large and we should not carry anything we will never use.
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 8dc2a1587..e85568803 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -367,29 +367,6 @@ asn1-max-frames: 256 ## ############################################################################## -## -## Run Options -## - -# Run suricata as user and group. -#run-as: -# user: suri -# group: suri - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On 
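Review bot: the "Run Options" block being deleted contains run-as, which is Suricata's privilege-drop setting (the user and group it switches to after initialisation; needs libcap-ng support built in). The commit message files it under things "we will never use"; for a firewall that deserves a deliberate decision rather than a cleanup side effect: if suricata runs as root here, keeping run-as as a visible, commented option documents that the choice was considered, and if it can drop to an unprivileged user, that option is the one-line way to do it. The sensor-name, pid-file and daemon-directory lines are harmless to drop.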
@@ -859,12 +836,3 @@ threading: # thread will always be created. # detect-thread-ratio: 1.0 - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml From patchwork Fri Mar 1 01:28:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2107 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id CCC1A88B0B9 for ; Thu, 28 Feb 2019 14:29:17 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FL524kCz51hd9; Thu, 28 Feb 2019 14:29:17 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364157; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=M/y7msVxqEQYABkR5Z3feSaMgWSSU9D/elUJzHhB0A8=; b=EfD51yY0ZNHdag2CxmhBLjUF/+aTuTexTfvpI2TRE1qpLpGBXQKCsvwuVh3b30tLDugA88 8raFuysOMq39WG7YExSZynMsAozivLs6uO4F7kjyZ0vyvSHidakw5mfWTB0fOdjr7pOC23 6T8ya5+5NRE0K0Ib2P5EfwlilnycHesBjAvWsS8u51I6EzL/wTIjsWKzRZzXNSxJMxAhxm kyPgsBybhsxpDmHwhxTLzytqH3KX1BElWi8Gy8S83l60JGCrQhgxIVF9P9hEaEhvA0ZD/E XKKdg4dRnOtTk/JlN2Z71jM3g9zJ+hmwpdndvvk69Zgxc48pywnLG1zDfhREGQ== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKQ0Nr1z5KvHN; Thu, 28 Feb 2019 14:28:42 +0000 (GMT) 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 07/20] suricata: Drop sections that require Rust
Date: Thu, 28 Feb 2019 14:28:12 +0000
Message-Id: <20190228142825.5153-8-michael.tremer@ipfire.org>
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
References: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index e85568803..4f3ac5744 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -192,10 +192,6 @@ app-layer: # smb2 detection is disabled internally inside the engine. #smb2: # enabled: yes - # Note: NFS parser depends on Rust support: pass --enable-rust - # to configure. - nfs: - enabled: no dns: # memcaps. Globally and per flow/state. #global-memcap: 16mb 
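Review bot: the removed `nfs:` block only carried `enabled: no`, so for a build without Rust this hunk changes nothing at runtime; what it does remove is the explicit off switch, so if the package is ever built with `--enable-rust` the parser's state will be whatever the engine defaults to when the key is absent. If the intent is to keep NFS decoding off regardless of build flags, keep `nfs:` / `enabled: no` and drop only the two comment lines.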
@@ -352,11 +348,6 @@ app-layer: dp: 44818 sp: 44818 - # Note: parser depends on experimental Rust support - # with --enable-rust-experimental passed to configure - ntp: - enabled: no - # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 From patchwork Fri Mar 1 01:28:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2108 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 94DE188B0B9 for ; Thu, 28 Feb 2019 14:29:22 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLB0YQcz5JKXV; Thu, 28 Feb 2019 14:29:22 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364162; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=Z4DWzM4kkledxJwL4KOdcvF85ROVOA+Ium3L2u92fzs=; b=0ST6QrJ2+FmEJnwh3bUuX116UTqhMd0MF6TLlwCeKoqDVecK8pZ7x4r7UkfwZqHr1gl9u6 jsXejZSMLt1UERDA6O5pyuBalFSWerik/qGpBfa4hVJxAhrXGDSitPhe1B5ohzNeSZD5Cn BkN8M9qyeqtcPPWU9gV8PSGA/B0vlR/wXtVy4mPapm/blgyB/zAeVi79mPtS2be0fnupHx f7Nje45OCOIsGXVc8ZcTDXdFYT1Nd91bvWO+hRnXf0ebtmdHaUS0GGj2lrRaEu37MtLvKY cdw3uGckfrP4LNsKTmogZ1LOY7vWupOepeTDbNzewfFMQsNKA8MxICuQ6CvG6w== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKQ5Jbtz5KvHW; Thu, 28 Feb 2019 14:28:42 +0000 (GMT) DKIM-Signature: 
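Review bot: same point as for the nfs block: `ntp: enabled: no` was already off, so the deletion is a no-op on this build but drops the explicit off switch; the commit message should say the sections are removed as dead configuration rather than to disable anything.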
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 08/20] suricata: Configure HTTP decoder Date: Thu, 28 Feb 2019 14:28:13 +0000 Message-Id: <20190228142825.5153-9-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.12.2 In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org> Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=ms smtp.mailfrom=michael.tremer@ipfire.org X-Spamd-Result: default: False [-8.83 / 11.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; REPLY(-4.00)[]; DKIM_SIGNED(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-2.73)[-0.911,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:31655, ipnet:88.215.0.0/18, country:GB]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Spam-Status: No, score=-8.83 X-Rspamd-Server: mail01.i.ipfire.org Cc: Michael Tremer X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This will now scan all request and response bodies where possible and use up to 256MB of RAM Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 66 ++++--------------------------------------- 1 file changed, 5 insertions(+), 61 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4f3ac5744..b09d5906d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -211,7 +211,7 @@ app-layer: dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb # default-config: Used when no server-config matches # personality: List of personalities used by default 
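Review bot: `memcap: 256mb` matches the commit message, but once the body limits are set to 0 further down in this patch it becomes the only ceiling on how much HTTP state the parser can hold, so the commit message should say that this is the per-engine HTTP memory cap and that the box needs that headroom on top of the other memcaps.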
@@ -225,32 +225,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 
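Review bot: this hunk deletes the documentation for `uri-include-all` and `meta-field-limit` together with the `server-config` description, but those two options still apply to the `default-config` block that remains; suggest keeping the `# uri-include-all:` and `# meta-field-limit:` comment lines and removing only the `server-config` / `address` / `personalitiy` text that no longer has a counterpart in the file.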
@@ -260,14 +234,8 @@ app-layer: # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0 # response body decompression (0 disables) response-body-decompress-layer-limit: 2 
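Review bot: `request-body-limit: 0` / `response-body-limit: 0` removes the size bound on body reassembly, and deleting the `*-minimal-inspect-size` / `*-inspect-window` lines means inspection chunking now falls back to the engine defaults; the commit message ("scan all request and response bodies where possible") covers the first change but not the second. Since a large transfer will now be buffered up to the HTTP `memcap` instead of 100kb, please mention the memory trade-off and confirm the 256mb cap is sized for the firewall's typical throughput.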
@@ -278,41 +246,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. 
- # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field # Only Modbus message length (greater than Modbus header length) # And Protocol ID (equal to 0) are checked in probing parser From patchwork Fri Mar 1 01:28:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2109 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 493BA88B0B9 for ; Thu, 28 Feb 2019 14:29:27 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLG5XPDz5KgVR; Thu, 28 Feb 2019 14:29:26 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364166; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=SVIe6o+yUmtA5POIzjGYmmaP59NKUmM5GQg1BQ4ZO9A=; b=SPy9M09V4BTMPZKwcpk8zPlcSiu8rrULjEc1LTbo9dBF4awzIkVzs1XJmzZRDI6CRPKHyo GcaJ+eba8RJFN/zDU37bLc28OXvJKckiqdQOuj0TK9ZG0OErSsUBKsV1ZO0TSw62MfnAnV 73/YZG69f2uThsN3UANswXmwmzQmceA5a06ubjEtot928v/bUEHN/gHAOwLv73aXsHTzoE If3qo62XP+oUPylo6rTIHoy4e2Vl2R2/5IMC59CUenWCfQQZCz1oq3zzcleXLBvWrZBETT dyjhIpD91DOESlfkj++B+GP12+cBmQogoU5lLd5hZP7zTI9xW3Q4BxfMKVwpoA== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKR3LwKz5KvHQ; Thu, 28 Feb 
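Review bot: uncommenting `randomize-inspection-sizes: yes` and `randomize-inspection-range: 10` only restates the defaults given in the surrounding comments, so that part is cosmetic; the substantive change here is dropping the whole `server-config:` list. That is fine if no per-server personalities are needed, but note that `default-config` is now the only place where body limits and double-decode settings are defined for every host, which is worth one line in the commit message.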
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 09/20] suricata: Allow 32MB of RAM for DNS decoding Date: Thu, 28 Feb 2019 14:28:14 +0000 Message-Id: <20190228142825.5153-10-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org> Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index b09d5906d..882dc1bd0 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml
@@ -194,12 +194,12 @@ app-layer: # enabled: yes dns: # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb + global-memcap: 32mb + state-memcap: 512kb # How many unreplied DNS requests are considered a flood. # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 + request-flood: 512 tcp: enabled: yes From patchwork Fri Mar 1 01:28:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2110 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id C413D88B0B9 for ; Thu, 28 Feb 2019 14:29:31 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLM20Rmz5KgVH; Thu, 28 Feb 2019 14:29:31 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364171; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=/A8RilQwnwhHRh+giIT8Gyxag8NFlW1Yo/gOp1BUARw=; b=qBNTHqTSxGJ3ceeBVBOiXJd3NvGCJAtKagFXyUhT3sRCwfTXZ67Albp3HbFMeZtlM2c+wD TxV/kifP5yPDL+HadHp3ZDCLBDP8xvi2v1y2oGRaPl2aXfLbHb4esF3XS0LwGIklwiGEro /2UOEnmHOhhTFNH02kCwvJ5ooa3S+GcWfKBMZRIwWFerfeUQGByx/cZ+yKmCn4FS3LHD7/ QbqGIK4J8LNyb9sYY4C0dPuSFMRX9swphWyh1jj7zG4a66k+pjQU6Rmmj0Mjl6EXQFKaLy oVtou9tAWIB33rJFtP3Cv4eh4i6e1WwKK2XB3uGQ2rVQPslzlfmsf8WvWo1ccQ== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org 
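Review bot: `request-flood: 512` differs from the documented default of 500 in the commented line it replaces, while the subject only mentions the 32MB memcap; either keep 500 or say in the commit message why 512 was chosen, since this threshold decides when `app-layer-event:dns.flooded` fires. `global-memcap: 32mb` matches the subject and `state-memcap: 512kb` just makes the documented default explicit, so no concerns there.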
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 10/20] suricata: Drop parsers I have never heard of Date: Thu, 28 Feb 2019 14:28:15 +0000 Message-Id: <20190228142825.5153-11-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org> Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 882dc1bd0..4ef0076eb 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml
@@ -257,40 +257,6 @@ app-layer: double-decode-path: no double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. 
- stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 From patchwork Fri Mar 1 01:28:16 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2111 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id D784788B0B9 for ; Thu, 28 Feb 2019 14:29:37 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLT2WKjz5KgVR; Thu, 28 Feb 2019 14:29:37 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364177; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=NJXCirsuLN7mZXurV9OhcyZ67CY1XVkg8Sp9TlwpSd0=; b=jnJGnlZUK7XUaP3WRlIpQZrwbftTz9EZkeBzSwm+fsGJiQfAUO6p1Qpeqk5gOUWVRavRzQ 6VgrQdNH7wBndn31cajSncSunPyyfYomKwnJohcsbYGQRvWi6x78p8xcakvUa1Np9dojJC y7bkJZo4L8GLurZX94tjfwVZHPkWtaGw95Cxp/tuWKdemQpE3FwofILI+/45XiOAbIKuLl aWrpJxCW/L80+phyyX929IaJ6xeR0GXSdqToFgQksZx/enzD1jC59hQjlhjh3XVGER5nfC h4tancYkcmXrbQr1BPRHbFaRRmpLghSfrI0Sq5/aqMF9GDvpx90cHFVrckgwGg== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKT2HRkz5KvHQ; Thu, 28 Feb 2019 14:28:45 +0000 (GMT) 
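Review bot: all three removed blocks (`modbus`, `dnp3`, `enip`) were already `enabled: no`, so this hunk changes nothing on the current build but removes the explicit off switches, exactly as the nfs/ntp removal in patch 07 does; if the engine's default for an absent key is "enabled", these SCADA parsers would come on unnoticed after a later upgrade. Suggest keeping one `enabled: no` per parser, or stating in the commit message that the engine default for an absent key was checked.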
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 11/20] suricata: We do not use any IP reputation lists Date: Thu, 28 Feb 2019 14:28:16 +0000 Message-Id: <20190228142825.5153-12-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4ef0076eb..85d3c70ba 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -343,12 +343,6 @@ legacy: # - reject # - alert -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir From patchwork Fri Mar 1 01:28:17 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2112 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 5518788B0B9 for ; Thu, 28 Feb 2019 14:29:42 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLY5xSyz5KgVW; Thu, 28 Feb 2019 14:29:41 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364181; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=WnBaMovyu1+0w08j7mCVZN3B4GCg2YGYFUOENTcF2V4=; b=LOji3foHcP3shCOS2espCLNJ/uKClqeag9Zq2aPDeTvz7PKUl2b+2rvR3ZtFUwtTGgnoeD qzrLFvZTkWBa3h9O6W2bYrly5S72FGrNgeIUYfNJqT2O4q/C4AbaTe871boWhEyrKvhd88 aWDpHMz8mtYZw+rq/Ytou3zghFlBxFmeY96a4PkvjfSgdlh9bprTxIbNOf9+h3LnLPn0u3 6hbpXMNSe4sSM3Aj4tQ/Uhl4Qm/axkvlX7EKn53YL++keAcPf9GsJBCbn1gQTYFP2uvYEv v1wwxJOOfzKHRzD9Tj8BN+NDVFY0U7gKn1zRYXU8km0xWuKn7ejBrYIySmbJoQ== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 12/20] suricata: Log to syslog Date: Thu, 28 Feb 2019 14:28:17 +0000 Message-Id: <20190228142825.5153-13-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org> Signed-off-by: Michael Tremer --- config/etc/syslog.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/etc/syslog.conf b/config/etc/syslog.conf index d5f525a0e..b2b548969 100644 --- a/config/etc/syslog.conf +++ b/config/etc/syslog.conf
@@ -5,7 +5,7 @@ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! # local0.* any dhcpcd log (even debug) in messages -cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.* -/var/log/messages +cron.none;daemon.*;local0.*;local2.*;local5.*;*.info;mail.none;authpriv.* -/var/log/messages # Log crons #cron.* -/var/log/cron.log From patchwork Fri Mar 1 01:28:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2113 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id B703188B0B9 for ; Thu, 28 Feb 2019 14:29:46 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLf1qGhz5KgVk; Thu, 28 Feb 2019 14:29:46 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364186; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=JkYAmajuSuAvx3gsVHnAOZTeFYcFtum+Qn6mQ3KelJk=; b=dy+c9umisswDtpYaUCPZwEleFLUier0iIsGx7pZPKuzPll8uRr+dmMM/zSHtQvYAO799Uz m9v0iRQqXI2EGyjsfv0+pCu7DyXcFW7afifAmlfJ/W3bC4ac+FSpiFLcsvwls/NaLcy3qZ ClFeatViMS4iDNs2CGiIx0Cj/Nczna/dzMf5zqB7OZTaWmGkHRHpknC7wz41JLbf+gmaKs 6FZy1IXso5mizLOnSunU4CGkzAHKq3eP0FIGBrBPQNJu0HChhTTjxr+lMq3pMCT4d8v9fM ExWyc4vehhEzaAUf1vkbNbLL02TWbhC7GU3qycTtS2B3Jm3ZF3/SkMwDByBl5A== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by 
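Review bot: the hunk adds `local5.*` to the `/var/log/messages` rule, but nothing in this patch shows Suricata being pointed at facility local5 (that setting lives in the syslog output of `suricata.yaml`), so please reference the companion change in the commit message; also add a comment above the rule, like the existing `# local0.* any dhcpcd log` note, so the next reader knows local5 is Suricata.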
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 13/20] suricata: Use the correct path for the magic database Date: Thu, 28 Feb 2019 14:28:18 +0000 Message-Id: <20190228142825.5153-14-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org> References: <20190228142825.5153-1-michael.tremer@ipfire.org> Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 85d3c70ba..6015c9e6d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml
@@ -324,9 +324,8 @@ unix-command: enabled: no #filename: custom.socket -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: +# Magic file +magic-file: /usr/share/misc/magic.mgc legacy: uricontent: enabled From patchwork Fri Mar 1 01:28:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2114 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 4059588B0B9 for ; Thu, 28 Feb 2019 14:29:51 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 449FLk5BHVz5KgVl; Thu, 28 Feb 2019 14:29:50 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551364190; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=PejB95XBP+oe69xZ4aiCrNqMDST7lj4n/4NS7hDxUeI=; b=gbvzn4+YMzhtvQlZQq/iU3CUMvdp07rAZm9teQCZ4bpye9GU+EhIfHcNPUTasA2x9EkpVx A8cWp4Z+5Jyh2nZvrup34jIb7V8VhgHmb7rkyTfINsgjlGvUtJzOa2QfuzlEBs8MAd+UsC YdRoIivnkttCwRhcTtI0t7rq8e/zgGNj49PknUtMsQHACde4LW+FnWZsdGqP/yi32Tbcjq Sq4fLfZmsGJOZFtO5FQx7DERiZLL/bqMNoroKjuecQqI1YTw7800BhXwIBMZdEfeg0VoGA z/2r8/VKqDBa180efGH/GP5DNILIJ0xl1RcRdfWi8L4zlIY2CPSm1xwwukQ/Dw== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 449FKW5LDXz5KvHN; Thu, 28 Feb 2019 14:28:47 +0000 (GMT) DKIM-Signature: v=1; 
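Review bot: the deleted comment says the engine appends `.mgc` to `magic-file`, yet the new value already ends in `.mgc`; if that comment is accurate the lookup becomes `magic.mgc.mgc`, so please start the engine and confirm the magic database actually loads, then either drop the suffix (`magic-file: /usr/share/misc/magic`) or keep a comment explaining that the full `.mgc` path is accepted as given.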
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 14/20] suricata: Use 64MB of RAM for defragmentation Date: Thu, 28 Feb 2019 14:28:19 +0000 Message-Id: <20190228142825.5153-15-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 6015c9e6d..397ddcb25 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -384,27 +384,13 @@ host-os-policy: # Defrag settings: defrag: - memcap: 32mb + memcap: 64mb hash-size: 65536 trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) prealloc: yes timeout: 60 -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - # Flow settings: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow
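Review bot: Two unrelated changes are bundled here: the `memcap: 32mb` to `64mb` bump that the subject describes, and the deletion of the entire commented `host-config` example (the `dmz`/`lan` per-host defrag timeouts). Please move the removal into its own patch or at least mention it in the commit message, and add a sentence on how 64MB was chosen, since this patch currently has no body at all.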
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 15/20] suricata: Use up to 256MB of RAM for the flow cache Date: Thu, 28 Feb 2019 14:28:20 +0000 Message-Id: <20190228142825.5153-16-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 397ddcb25..a6be53124 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml
@@ -412,12 +412,12 @@ defrag: # in bytes. flow: - memcap: 128mb + memcap: 256mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread + managers: 1 + recyclers: 1 # This option controls the use of vlan ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken)
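Review bot: Uncommenting `managers: 1` and `recyclers: 1` is a no-op: the removed comments state these are already the defaults (`# default to one flow manager`, `# default to one flow recycler thread`), so either drop the two lines or say in the commit message that they are pinned on purpose. The `memcap` change from 128mb to 256mb is what the subject covers, but there is no body recording the resulting memory budget, which matters on small IPFire hardware once the defrag and stream memcaps raised elsewhere in this series are added to it.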
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 16/20] suricata: Log to syslog like a normal process Date: Thu, 28 Feb 2019 14:28:21 +0000 Message-Id: <20190228142825.5153-17-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index a6be53124..9537e9e12 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml
@@ -108,7 +108,7 @@ logging: - syslog: enabled: yes facility: local5 - format: "[%i] <%d> -- " + format: "" # type: json ##
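Review bot: `format: ""` drops the `[%i] <%d> -- ` prefix entirely; as I read those placeholders they are Suricata's thread id and log level, which syslog does not add on its own (it only prepends the program name and PID), so anything consuming the local5 facility loses the severity of each message. If that is intended, please say so in the commit message; otherwise a minimal format such as `"<%d> "` keeps the level while still looking like a normal process. The patch has no body, so the rationale from the subject should be spelled out there.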
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 17/20] suricata: Increase memory size for the stream engine Date: Thu, 28 Feb 2019 14:28:22 +0000 Message-Id: <20190228142825.5153-18-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
This change also ensures that suricata has a decent number of streams preallocated to be able to handle any bursts in traffic.
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 9537e9e12..40777f3ad 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -537,7 +537,8 @@ flow-timeouts: # # is used in a rule. # stream: - memcap: 64mb + memcap: 256mb + prealloc-sessions: 4k checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: 
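Review bot: `prealloc-sessions: 4k` is a defect in this hunk: the key takes a session count, not a memory size, and the `k` suffix is not accepted here, which is exactly what patch 20/20 of this same series (`suricata: Fix syntax error`) later corrects to `4096`. Please squash that fix into this patch so every commit in the series leaves `suricata.yaml` loadable, and mention the `memcap` jump from 64mb to 256mb in the commit body next to the burst-handling rationale already given.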
@@ -546,10 +547,9 @@ stream: toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true + raw: yes + segment-prealloc: 2048 + check-overlap-different-data: true # Host table: #
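Review bot: This hunk silently drops `#randomize-chunk-range: 10` rather than enabling it alongside the other three options, and the commit message covers only memory and preallocated streams. Please record why `raw` and `check-overlap-different-data` are being switched on (the latter, by its name, changes how overlapping TCP segments carrying different data are treated, which is detection-relevant), or keep them commented if they are merely the defaults restated; the `-546,10 +547,9` header shows the hunk is a net removal of one line.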
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 18/20] suricata: Disable decoding for Teredo Date: Thu, 28 Feb 2019 14:28:23 +0000 Message-Id: <20190228142825.5153-19-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
This decoder is not very accurate and Teredo has been disabled in Windows by default. Nobody will use this.
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 40777f3ad..cedf49589 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml
@@ -575,7 +575,7 @@ decoder: # Teredo decoder is known to not be completely accurate # it will sometimes detect non-teredo as teredo. teredo: - enabled: true + enabled: false ##
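Review bot: Setting `enabled: false` trades the false positives the surrounding comment warns about (`it will sometimes detect non-teredo as teredo`) for a blind spot: any IPv6 that really is tunnelled in Teredo now passes with its inner packets uninspected. The commit body argues nobody will use it because Windows disables it by default, but IPFire sits in front of whatever clients happen to be behind it; please either record that the firewall blocks Teredo anyway, which makes the decoder redundant, or keep it enabled and accept the occasional misdetection.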
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 19/20] suricata: Start capture first and then load rules Date: Thu, 28 Feb 2019 14:28:24 +0000 Message-Id: <20190228142825.5153-20-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index cedf49589..f53905b55 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -608,9 +608,10 @@ detect: toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes + delayed-detect: yes prefilter: # default prefiltering setting. "mpm" only creates MPM/fast_pattern
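Review bot: `delayed-detect: yes` starts the capture before the signatures are loaded, so for as long as rule compilation takes, traffic is forwarded with no detection applied; the comment in the hunk (`This will limit the downtime in IPS mode`) presents this purely as an availability gain, but it is also a fail-open window on every Suricata (re)start, and the commit message, which is currently empty, should state that trade-off explicitly, ideally with a figure for how long rule loading takes on typical IPFire hardware. The added empty `+` line before the comment is also a stray whitespace change.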
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 20/20] suricata: Fix syntax error Date: Thu, 28 Feb 2019 14:28:25 +0000 Message-Id: <20190228142825.5153-21-michael.tremer@ipfire.org> In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index f53905b55..12937ab22 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -538,7 +538,7 @@ flow-timeouts: # stream: memcap: 256mb - prealloc-sessions: 4k + prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly:
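Review bot: This belongs squashed into 17/20: the `prealloc-sessions: 4k` value it replaces with `4096` was introduced there, so as ordered the series contains a commit whose `suricata.yaml` does not load and cannot be bisected through. If it has to stay a separate patch, name the key in the subject (`suricata: Fix prealloc-sessions value`) instead of the generic `Fix syntax error`, and say in the body that the key is an integer count that takes no size suffix.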