public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed
* [PATCH 1/3] suricata: Update config file.
@ 2021-12-08 17:10 Stefan Schantl
  2021-12-08 17:10 ` [PATCH 2/3] suricata: Move default loaded rulefiles to own included file Stefan Schantl
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Stefan Schantl @ 2021-12-08 17:10 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 4350 bytes --]

* This will enable swf decompression.
* Enable modbus parser.
* Enable dnp3 parser.
* Enable enip parser.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 0ad36e705..49921db86 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -525,6 +525,20 @@ app-layer:
            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
            http-body-inline: auto
 
+           # Decompress SWF files.
+           # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+           # compress-depth:
+           # Specifies the maximum amount of data to decompress,
+           # set 0 for unlimited.
+           # decompress-depth:
+           # Specifies the maximum amount of decompressed data to obtain,
+           # set 0 for unlimited.
+           swf-decompression:
+             enabled: yes
+             type: both
+             compress-depth: 0
+             decompress-depth: 0
+
            # Take a random value for inspection sizes around the specified value.
            # This lower the risk of some evasion technics but could lead
            # detection change between runs. It is set to 'yes' by default.
@@ -539,6 +553,76 @@ app-layer:
            double-decode-path: no
            double-decode-query: no
 
+           # Can disable LZMA decompression
+           #lzma-enabled: yes
+           # Memory limit usage for LZMA decompression dictionary
+           # Data is decompressed until dictionary reaches this size
+           #lzma-memlimit: 1mb
+           # Maximum decompressed size with a compression ratio
+           # above 2048 (only LZMA can reach this ratio, deflate cannot)
+           #compression-bomb-limit: 1mb
+           # Maximum time spent decompressing a single transaction in usec
+           #decompression-time-limit: 100000
+
+         server-config:
+
+           #- apache:
+           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+           #    personality: Apache_2
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+           #- iis7:
+           #    address:
+           #      - 192.168.0.0/24
+           #      - 192.168.10.0/24
+           #    personality: IIS_7_0
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+    # Note: Modbus probe parser is minimalist due to the poor significant field
+    # Only Modbus message length (greater than Modbus header length)
+    # And Protocol ID (equal to 0) are checked in probing parser
+    # It is important to enable detection port and define Modbus port
+    # to avoid false positive
+    modbus:
+      # How many unreplied Modbus requests are considered a flood.
+      # If the limit is reached, app-layer-event:modbus.flooded; will match.
+      #request-flood: 500
+
+      enabled: yes
+      detection-ports:
+        dp: 502
+      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+      # is recommended to keep the TCP connection opened with a remote device
+      # and not to open and close it for each MODBUS/TCP transaction. In that
+      # case, it is important to set the depth of the stream reassembling as
+      # unlimited (stream.reassembly.depth: 0)
+
+      # Stream reassembly size for modbus. By default track it completely.
+      stream-depth: 0
+
+    # DNP3
+    dnp3:
+      enabled: yes
+      detection-ports:
+        dp: 20000
+
+    # SCADA EtherNet/IP and CIP protocol support
+    enip:
+      enabled: yes
+      detection-ports:
+        dp: 44818
+        sp: 44818
+
     ntp:
       enabled: yes
     dhcp:
-- 
2.30.2


^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2021-12-09 19:26 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-08 17:10 [PATCH 1/3] suricata: Update config file Stefan Schantl
2021-12-08 17:10 ` [PATCH 2/3] suricata: Move default loaded rulefiles to own included file Stefan Schantl
2021-12-09 16:39   ` Michael Tremer
2021-12-09 19:19   ` Peter Müller
2021-12-09 19:21     ` Peter Müller
2021-12-08 17:10 ` [PATCH 3/3] suricata: Cleanup default loaded rules file Stefan Schantl
2021-12-09 16:39   ` Michael Tremer
2021-12-09 19:18   ` Peter Müller
2021-12-09 16:38 ` [PATCH 1/3] suricata: Update config file Michael Tremer
2021-12-09 19:26   ` Peter Müller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox