From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers. Date: Thu, 23 Jan 2020 10:50:00 +0000 Message-ID: <0DCBA908-028C-4322-8EE2-880073C4EE5D@ipfire.org> In-Reply-To: <20200123094428.3295-2-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1892379408187997030==" List-Id: --===============1892379408187997030== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, > On 23 Jan 2020, at 09:44, Stefan Schantl wrote: >=20 > Signed-off-by: Stefan Schantl > --- > config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- > 1 file changed, 21 insertions(+), 4 deletions(-) >=20 > diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml > index af9cb75a9..6a1af48fa 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -148,7 +148,9 @@ nfq: > app-layer: > protocols: > krb5: > - enabled: no # Requires rust > + enabled: yes > + snmp: > + enabled: yes > ikev2: > enabled: yes > tls: > @@ -156,6 +158,12 @@ app-layer: > detection-ports: > dp: "[443,444,465,853,993,995]" >=20 > + # Generate JA3 fingerprint from client hello. If not specified it > + # will be disabled by default, but enabled if rules require it. > + #ja3-fingerprints: auto > + # Generate JA3 fingerprint from client hello > + ja3-fingerprints: no > + > # Completely stop processing TLS/SSL session after the handshake > # completed. If bypass is enabled this will also trigger flow > # bypass. If disabled (the default), TLS/SSL session is still 
> @@ -165,6 +173,8 @@ app-layer: > enabled: yes > ftp: > enabled: yes > + rdp: > + enabled: no Why is RDP disabled? This protocol is highly exploitable and I am sure that all rulesets have plenty of rules for this. Ideally the IPS should never see any RDP traffic going out to the Internet, but let's be honest, people do this. > ssh: > enabled: yes > smtp: > @@ -203,9 +213,10 @@ app-layer: > enabled: yes > detection-ports: > dp: 139, 445 > - # smb2 detection is disabled internally inside the engine. > - #smb2: > - # enabled: yes > + nfs: > + enabled: yes > + tftp: > + enabled: yes > dns: > # memcaps. Globally and per flow/state. > global-memcap: 32mb > @@ -271,6 +282,12 @@ app-layer: > double-decode-path: no > double-decode-query: no >=20 > + ntp: > + enabled: yes > + dhcp: > + enabled: yes > + sip: > + enabled: yes >=20 > # Limit for the maximum number of asn1 frames to decode (default 256) > asn1-max-frames: 256 > --=20 > 2.25.0.rc0 >=20 --===============1892379408187997030==--
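Review bot: in the first hunk (`@@ -148,7 +148,9 @@`, krb5/snmp) the `# Requires rust` comment disappears together with the `no`, so the config no longer records that krb5 and the newly added snmp parser only load when Suricata is built with Rust support; keep a one-line hint such as `krb5: # requires a Rust-enabled build`, or a single comment above `protocols:` covering all the Rust-only parsers, so anyone changing the build later knows which entries will stop working. The patch also has no commit body beyond the Signed-off-by line; a sentence per parser saying why it is switched on would make the change easier to review.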
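Review bot: in the TLS hunk (`@@ -156,6 +158,12 @@`) the explicit `ja3-fingerprints: no` on the last added line switches off exactly the behaviour the retained comment describes for `auto` (disabled by default, enabled when rules require it), so rules in the loaded rulesets that use JA3 keywords will run without fingerprints; either set `auto` as that comment documents, or merge the two near-identical "Generate JA3 fingerprint from client hello" comments into one that states the reason for forcing it off.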
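Review bot: in the rdp hunk (`@@ -165,6 +173,8 @@`) `rdp:` is the only newly added parser set to `no`, and it carries no comment, which is what raised the question above; if there is a reason (parser maturity, performance), record it next to the setting the way the old `# Requires rust` hint did on krb5 so the decision survives in the file, otherwise enable it like the other parsers so RDP rules have something to match on.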
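Review bot: in the smb hunk (`@@ -203,9 +213,10 @@`) the new `nfs:` and `tftp:` entries are inserted directly after smb's `detection-ports: dp: 139, 445`; YAML nesting is by indentation only and the flattened rendering of this mail cannot show it, so double-check that both sit at the same level as `smb:` and not under `detection-ports:`. Removing the `#smb2:` block itself is fine, since it was already commented out and described as disabled inside the engine.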
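Review bot: the ntp/dhcp/sip hunk (`@@ -271,6 +282,12 @@`) lands in the tail of the http section, right after `double-decode-query: no`, so the same indentation check applies: the three entries must be protocol-level keys, not http options. Each parser enabled here is another code path fed untrusted traffic, so the commit message should say which rules or logging actually need ntp, dhcp and sip rather than enabling everything the Rust build offers.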