From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 2/3] suricata: Configure HTTP decoder
Date: Sat, 02 Mar 2019 17:18:38 +0000 [thread overview]
Message-ID: <20190302171839.16341-2-michael.tremer@ipfire.org> (raw)
In-Reply-To: <20190302171839.16341-1-michael.tremer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 5551 bytes --]
This will now scan all request and response bodies where possible
and use up to 256MB of RAM
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/suricata/suricata.yaml | 66 ++++---------------------------------------
1 file changed, 5 insertions(+), 61 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 767f84074..84c4aa2a7 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -211,7 +211,7 @@ app-layer:
dp: 53
http:
enabled: yes
- # memcap: 64mb
+ memcap: 256mb
# default-config: Used when no server-config matches
# personality: List of personalities used by default
@@ -225,32 +225,6 @@ app-layer:
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
# IIS_7_0, IIS_7_5, Apache_2
@@ -260,14 +234,8 @@ app-layer:
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-limit: 0
+ response-body-limit: 0
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
@@ -278,41 +246,17 @@ app-layer:
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
+ randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
+ randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
# Note: Modbus probe parser is minimalist due to the poor significant field
# Only Modbus message length (greater than Modbus header length)
# And Protocol ID (equal to 0) are checked in probing parser
--
2.12.2
next prev parent reply other threads:[~2019-03-02 17:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-02 17:18 [PATCH v2 1/3] Revert "Suricata: detect DNS events on port 853, too" Michael Tremer
2019-03-02 17:18 ` Michael Tremer [this message]
2019-03-02 17:18 ` [PATCH v2 3/3] suricata: Drop parsers I have never heard of Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190302171839.16341-2-michael.tremer@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox