From patchwork Sun Mar 3 04:18:37 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2122
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH v2 1/3] Revert "Suricata: detect DNS events on port 853, too"
Date: Sat, 2 Mar 2019 17:18:37 +0000
Message-Id: <20190302171839.16341-1-michael.tremer@ipfire.org>

This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.

It does not make any sense to try to decode the TLS connection with the DNS decoder. Therefore 853 (TCP only) should be added to the TLS decoder.

Signed-off-by: Michael Tremer
---
 config/suricata/suricata.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index d3ebbcfe4..767f84074 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,444,465,993,995]" + dp: "[443,444,465,853,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow 
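Review bot: port 853 is added to the `tls:` detection-ports list without a comment saying what it is, and the "TCP only" qualifier from the commit message has nowhere to live here because this `tls:` block has a single `dp:` list rather than the separate `tcp:`/`udp:` sub-blocks the dns section uses. Suggest annotating the entry, e.g. `dp: "[443,444,465,853,993,995]"  # 853: DNS over TLS`, so the port is not dropped again as "unknown" during the next cleanup.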
@@ -204,11 +204,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes # memcap: 64mb From patchwork Sun Mar 3 04:18:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2123 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 41F9288B0AC for ; Sat, 2 Mar 2019 17:18:59 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 44BY0y60Jjz5HLYG; Sat, 2 Mar 2019 17:18:58 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551547139; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=ZiL4TqG4sL4AU1ecKcw2BY56nN69AyAYXgBDn9y/Mmk=; b=uxQAzQ+1qcmau2jtGr7E0N8F6jDqQnhOKrifKFfn18pkvm5QvQrsK/AWD7fNbugjlCGq0C lXVYLLXI3HZX/BuI+N+tmqwzZpbplDxMQt4cmKh/r7MOSvTCQzHiZjMvojd8WbRVcchlJ5 iLtQbJYU+IOd42tyaherxRgrcqTlcipG4r6kjaQ7XMPzwgKFqaLIOtV8SRIMtzUoYbWyfM aTN4+Oi3FL1eBpkKjk0mmbzoEL9mPjFqxSt1E73xSglYh3MbU0+5cKkt42+eznQ3adEtQG KM0jt55pU4cWmgD8g9N2CLGeYmh0Sapa2s2EtpVdE0UWW4B5SNts22tEMw9Ltg== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 44BY0r6Pkqz57Jj5; Sat, 2 Mar 2019 17:18:52 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551547133; 
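Review bot: removing 853 from both the `tcp:` and `udp:` dns detection-ports is consistent with the commit message (853 is "TCP only" and the TLS parser now owns it), but the revert also changes the value form from the quoted list `"[53,853]"` back to the bare scalar `dp: 53`. That matches the pre-ad99f959 form, so no change is needed; it would still help to say in the message that DNS probing on 853 is intentionally gone rather than lost, since the file now contains no trace of why 853 was ever there.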
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH v2 2/3] suricata: Configure HTTP decoder
Date: Sat, 2 Mar 2019 17:18:38 +0000
Message-Id: <20190302171839.16341-2-michael.tremer@ipfire.org>
In-Reply-To: <20190302171839.16341-1-michael.tremer@ipfire.org>
References: <20190302171839.16341-1-michael.tremer@ipfire.org>

This will now scan all request and response bodies where possible and use up to 256MB of RAM.
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 66 ++++--------------------------------------- 1 file changed, 5 insertions(+), 61 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 767f84074..84c4aa2a7 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -211,7 +211,7 @@ app-layer: dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb # default-config: Used when no server-config matches # personality: List of personalities used by default 
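Review bot: `memcap: 256mb` becomes the only bound on HTTP body buffering once the later hunk in this patch sets both body limits to 0, so the commit message ("use up to 256MB of RAM") should state that this is the cap for the HTTP parser specifically, not total process memory, and that whatever the parser does once the memcap is reached is the accepted trade-off. Consider keeping `# memcap: 64mb` as a comment noting the previous default so the 4x increase stays visible in the file.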
@@ -225,32 +225,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 
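Review bot: this deletes the only in-file documentation of `uri-include-all` and `meta-field-limit` (the 18k header limit that raises an event when hit) along with the `server-config` reference block, while the `# default-config:` doc block above it stays. Since those two options remain valid for `default-config`, suggest keeping at least their two entries (moved under the default-config comments) so the next person tuning the decoder knows they exist. If the block is kept, the `personalitiy` typo in it can be fixed at the same time.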
@@ -260,14 +234,8 @@ app-layer: # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0 # response body decompression (0 disables) response-body-decompress-layer-limit: 2 
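Review bot: `request-body-limit: 0` / `response-body-limit: 0` removes the 100kb cap on body reassembly, so per-flow memory is now bounded only by the http memcap, and the commit message should say so. Separately, the hunk also drops `request-body-minimal-inspect-size`, `request-body-inspect-window`, `response-body-minimal-inspect-size` and `response-body-inspect-window` (32kb/4kb/40kb/16kb) without the message mentioning them; if those are the built-in defaults the deletion is a no-op and the message should state that, otherwise the inspection chunking changes silently. Suggest leaving the four inspection-size lines in place: they are independent of the limit change, and the `randomize-inspection-*` settings kept in the next hunk are described as operating on exactly these inspection sizes.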
@@ -278,41 +246,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. 
- # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field # Only Modbus message length (greater than Modbus header length) # And Protocol ID (equal to 0) are checked in probing parser From patchwork Sun Mar 3 04:18:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2124 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id D4C3588B0AC for ; Sat, 2 Mar 2019 17:19:02 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 44BY122nRpz5HyH6; Sat, 2 Mar 2019 17:19:02 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1551547142; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:list-id:list-unsubscribe:list-subscribe:list-post; bh=yQmEoP+aUllaggbCkrZG8SC9z/9/ySCDBU/CmPoz3G4=; b=fzRyV3D8iFDB/mzt/pvA2cbQjIxWD+yFlFJidCiVoZBdhx+E2xPaEj4wc8S++QGeMnrvhc unUDGvYWlskirOL72LYr131a2pooF/WPhij2uKedDX/9ijvyu2auIyiQAAkedJOFV4XgW6 7Zs4iXJ63Vi0iyNU6pUkS+rhoy7dzPZLEUDmgHxmjDqqPGBHrCz7JYNOsfhaBF3lEbw2qa fP7PFxvo2FaMElW+RYu4kLptrPr0DjMvhaxQHnbOonGCc08tZEuhS/We7JGi7ef99/e4iN S0nuEgqTupL40v9sWnxEBDT/fqqZW+3OL2MLqC0uKRlKaWLI0jFsCyxfXj/Nfg== Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 44BY0s36Gvz5HLY3; Sat, 2 Mar 2019 
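Review bot: `randomize-inspection-sizes: yes` and `randomize-inspection-range: 10` are uncommented with exactly the values the surrounding comments give as defaults ("It is set to 'yes' by default", "Default value of randomize-inspection-range is 10"), so these two lines change nothing; either leave them commented or say in the message that the defaults are being pinned on purpose. Removing the empty `server-config:` key and the commented apache/iis7 samples is fine, but it leaves the earlier `# default-config: Used when no server-config matches` comment slightly misleading now that no server-config can match; consider trimming that comment in the same patch.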
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH v2 3/3] suricata: Drop parsers I have never heard of
Date: Sat, 2 Mar 2019 17:18:39 +0000
Message-Id: <20190302171839.16341-3-michael.tremer@ipfire.org>
In-Reply-To: <20190302171839.16341-1-michael.tremer@ipfire.org>
References: <20190302171839.16341-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 84c4aa2a7..8b4ab8c3b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -257,40 +257,6 @@ app-layer: double-decode-path: no double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
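Review bot: all three removed blocks (`modbus`, `dnp3`, `enip`) were already `enabled: no`, so this is a no-op for the active parser set, but the commit message ("parsers I have never heard of") does not say that; suggest stating "all three were already disabled, no functional change" so a reader does not assume SCADA decoding was switched off here. Note also that the `modbus` block carried the `dp: 502` hint and `stream-depth: 0`, which anyone re-enabling it later would have to reconstruct; if the goal is a smaller config that is fine, but a one-line pointer in the message to where those defaults come from would help.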