* [PATCH] suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes @ 2022-09-29 20:35 Matthias Fischer 0 siblings, 0 replies; 3+ messages in thread From: Matthias Fischer @ 2022-09-29 20:35 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 596 bytes --] Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 03a7a83af..fb4f9426b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -371,7 +371,7 @@ app-layer: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 # MQTT, disabled by default. mqtt: - # enabled: no + enabled: yes # max-msg-length: 1mb krb5: enabled: yes -- 2.34.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
[parent not found: <09f7cd7a-d66d-5c8b-141e-bac37770d1db@ipfire.org>]
* Re: [PATCH] suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes [not found] <09f7cd7a-d66d-5c8b-141e-bac37770d1db@ipfire.org> @ 2022-10-02 11:07 ` Peter Müller 2022-10-04 8:40 ` Michael Tremer 0 siblings, 1 reply; 3+ messages in thread From: Peter Müller @ 2022-10-02 11:07 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 3387 bytes --] Hello *, > On 30.09.2022 06:57, Michael Tremer wrote: >> Good morning, > > Hi, > >> Why would we need this change? > > I'm not sure if we *really* need this change. My first thought was to > enable it to avoid this "ERRCODE"-message during startup: > > ... > [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable > status not set, so enabling by default. This behavior will change in > Suricata 7, so please update your config. See ticket #4744 for more details. > ... > > v6.0.8 comes with a new rules file for app-layer-events: 'mqtt.rules' to > detect and avoid mqtt flooding attacks. Current standard action is 'alert'. > > => > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer : > > What is 'mqtt'? > > => https://www.opc-router.com/what-is-mqtt/ : > > "MQTT – Message Queuing Telemetry Transport > > MQTT (Message Queuing Telemetry Transport) is a messaging protocol for > restricted low-bandwidth networks and extremely high-latency IoT > devices. Since Message Queuing Telemetry Transport is specialized for > low-bandwidth, high-latency environments, it is an ideal protocol for > machine-to-machine (M2M) communication. > > MQTT works on the publisher / subscriber principle and is operated via a > central broker. This means that the sender and receiver have no direct > connection. The data sources report their data via a publish and all > recipients with interest in certain messages (“marked by the topic”) get > the data delivered because they have registered as subscribers. In IoT > and IIoT, MQTT is used all the way to connecting cloud environments..." > > I wanted to test v6.0.8 in its (new) standard config, so I activated > this protocol. > > Until now, I found no information what "this behavioir will change in > Suricata 7" really means. > > The only information I just found: > => > https://suricata.readthedocs.io/en/latest/upgrade.html#upgrading-6-0-to-7-0 > > "Upgrading 5.0 to 6.0 > ... > Major changes: > ... > New protocols enabled by default: mqtt, rfb > ..." > > 'rfb' is already enabled in our config. If we don't want 'mqtt' we > should set 'mqtt' to "enabled: no" just my two cents: I think it cannot hurt to enable this; if it gets us some more coverage on malicious IoT activity (a pleonasm, I know), there is a benefit from it. Acked-by: Peter Müller <peter.mueller(a)ipfire.org> @Michael: What is your opinion on that? Thanks, and best regards, Peter Müller > > Best, > Matthias > >> -Michael >> >>> On 29 Sep 2022, at 21:35, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote: >>> >>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> >>> --- >>> config/suricata/suricata.yaml | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml >>> index 03a7a83af..fb4f9426b 100644 >>> --- a/config/suricata/suricata.yaml >>> +++ b/config/suricata/suricata.yaml >>> @@ -371,7 +371,7 @@ app-layer: >>> dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 >>> # MQTT, disabled by default. >>> mqtt: >>> - # enabled: no >>> + enabled: yes >>> # max-msg-length: 1mb >>> krb5: >>> enabled: yes >>> -- >>> 2.34.1 >>> >> > ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes 2022-10-02 11:07 ` Peter Müller @ 2022-10-04 8:40 ` Michael Tremer 0 siblings, 0 replies; 3+ messages in thread From: Michael Tremer @ 2022-10-04 8:40 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 3705 bytes --] Hello, MQTT seems to be getting more and more popular and I have seen this in a couple of networks. So I do not see any reason not to enable this. -Michael > On 2 Oct 2022, at 12:07, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Hello *, > > >> On 30.09.2022 06:57, Michael Tremer wrote: >>> Good morning, >> >> Hi, >> >>> Why would we need this change? >> >> I'm not sure if we *really* need this change. My first thought was to >> enable it to avoid this "ERRCODE"-message during startup: >> >> ... >> [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable >> status not set, so enabling by default. This behavior will change in >> Suricata 7, so please update your config. See ticket #4744 for more details. >> ... >> >> v6.0.8 comes with a new rules file for app-layer-events: 'mqtt.rules' to >> detect and avoid mqtt flooding attacks. Current standard action is 'alert'. >> >> => >> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer : >> >> What is 'mqtt'? >> >> => https://www.opc-router.com/what-is-mqtt/ : >> >> "MQTT – Message Queuing Telemetry Transport >> >> MQTT (Message Queuing Telemetry Transport) is a messaging protocol for >> restricted low-bandwidth networks and extremely high-latency IoT >> devices. Since Message Queuing Telemetry Transport is specialized for >> low-bandwidth, high-latency environments, it is an ideal protocol for >> machine-to-machine (M2M) communication. >> >> MQTT works on the publisher / subscriber principle and is operated via a >> central broker. This means that the sender and receiver have no direct >> connection. The data sources report their data via a publish and all >> recipients with interest in certain messages (“marked by the topic”) get >> the data delivered because they have registered as subscribers. In IoT >> and IIoT, MQTT is used all the way to connecting cloud environments..." >> >> I wanted to test v6.0.8 in its (new) standard config, so I activated >> this protocol. >> >> Until now, I found no information what "this behavioir will change in >> Suricata 7" really means. >> >> The only information I just found: >> => >> https://suricata.readthedocs.io/en/latest/upgrade.html#upgrading-6-0-to-7-0 >> >> "Upgrading 5.0 to 6.0 >> ... >> Major changes: >> ... >> New protocols enabled by default: mqtt, rfb >> ..." >> >> 'rfb' is already enabled in our config. If we don't want 'mqtt' we >> should set 'mqtt' to "enabled: no" > > just my two cents: I think it cannot hurt to enable this; if it gets us some > more coverage on malicious IoT activity (a pleonasm, I know), there is a benefit > from it. > > Acked-by: Peter Müller <peter.mueller(a)ipfire.org> > > @Michael: What is your opinion on that? > > Thanks, and best regards, > Peter Müller > >> >> Best, >> Matthias >> >>> -Michael >>> >>>> On 29 Sep 2022, at 21:35, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote: >>>> >>>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> >>>> --- >>>> config/suricata/suricata.yaml | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml >>>> index 03a7a83af..fb4f9426b 100644 >>>> --- a/config/suricata/suricata.yaml >>>> +++ b/config/suricata/suricata.yaml >>>> @@ -371,7 +371,7 @@ app-layer: >>>> dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 >>>> # MQTT, disabled by default. >>>> mqtt: >>>> - # enabled: no >>>> + enabled: yes >>>> # max-msg-length: 1mb >>>> krb5: >>>> enabled: yes >>>> -- >>>> 2.34.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-04 8:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-29 20:35 [PATCH] suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes Matthias Fischer
[not found] <09f7cd7a-d66d-5c8b-141e-bac37770d1db@ipfire.org>
2022-10-02 11:07 ` Peter Müller
2022-10-04 8:40 ` Michael Tremer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox