Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
Date: Thu, 23 Jan 2020 12:22:20 +0100	[thread overview]
Message-ID: <41e79e4b3fef3e409af9cd283e7f6f2588fbe507.camel@ipfire.org> (raw)
In-Reply-To: <0DCBA908-028C-4322-8EE2-880073C4EE5D@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 2989 bytes --]

Hello Michael,

thanks for reviewing and reporting the issue with the RDP parser.

During importing the configuration details for the new suricata
version, I found, that various protocol parsers are disabled by default
and enabled all of them.

I assume I simple forget to set the value to "yes" for RDP after I
removed the comment that the parser is disabled by default.

I'll send an extra patch which will do that.

Many thanks,

-Stefan 
> Hello,
> 
> > On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl(a)ipfire.org
> > > wrote:
> > 
> > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > ---
> > config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
> > 1 file changed, 21 insertions(+), 4 deletions(-)
> > 
> > diff --git a/config/suricata/suricata.yaml
> > b/config/suricata/suricata.yaml
> > index af9cb75a9..6a1af48fa 100644
> > --- a/config/suricata/suricata.yaml
> > +++ b/config/suricata/suricata.yaml
> > @@ -148,7 +148,9 @@ nfq:
> > app-layer:
> >   protocols:
> >     krb5:
> > -      enabled: no # Requires rust
> > +      enabled: yes
> > +    snmp:
> > +      enabled: yes
> >     ikev2:
> >       enabled: yes
> >     tls:
> > @@ -156,6 +158,12 @@ app-layer:
> >       detection-ports:
> >         dp: "[443,444,465,853,993,995]"
> > 
> > +      # Generate JA3 fingerprint from client hello. If not
> > specified it
> > +      # will be disabled by default, but enabled if rules require
> > it.
> > +      #ja3-fingerprints: auto
> > +      # Generate JA3 fingerprint from client hello
> > +      ja3-fingerprints: no
> > +
> >       # Completely stop processing TLS/SSL session after the
> > handshake
> >       # completed. If bypass is enabled this will also trigger flow
> >       # bypass. If disabled (the default), TLS/SSL session is still
> > @@ -165,6 +173,8 @@ app-layer:
> >       enabled: yes
> >     ftp:
> >       enabled: yes
> > +    rdp:
> > +      enabled: no
> 
> Why is RDP disabled?
> 
> This protocol is highly exploitable and I am sure that all rulesets
> have plenty of rules for this.
> 
> Ideally the IPS should never see any RDP traffic going out to the
> Internet, but lets be honest, people do this.
> 
> >     ssh:
> >       enabled: yes
> >     smtp:
> > @@ -203,9 +213,10 @@ app-layer:
> >       enabled: yes
> >       detection-ports:
> >         dp: 139, 445
> > -    # smb2 detection is disabled internally inside the engine.
> > -    #smb2:
> > -    #  enabled: yes
> > +    nfs:
> > +      enabled: yes
> > +    tftp:
> > +      enabled: yes
> >     dns:
> >       # memcaps. Globally and per flow/state.
> >       global-memcap: 32mb
> > @@ -271,6 +282,12 @@ app-layer:
> >            double-decode-path: no
> >            double-decode-query: no
> > 
> > +    ntp:
> > +      enabled: yes
> > +    dhcp:
> > +      enabled: yes
> > +    sip:
> > +      enabled: yes
> > 
> > # Limit for the maximum number of asn1 frames to decode (default
> > 256)
> > asn1-max-frames: 256
> > -- 
> > 2.25.0.rc0
> >

next prev parent reply	other threads:[~2020-01-23 11:22 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-23  9:44 [PATCH 1/3] Suricata: Update to 5.0.1 Stefan Schantl
2020-01-23  9:44 ` [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers Stefan Schantl
2020-01-23 10:50   ` Michael Tremer
2020-01-23 11:22     ` Stefan Schantl [this message]
2020-01-23 11:23       ` Michael Tremer
2020-01-23 11:24       ` [PATCH] suricata: Enable RDP protocol parser Stefan Schantl
2020-01-23  9:44 ` [PATCH 3/3] ruleset-sources: Update snort dl urls Stefan Schantl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41e79e4b3fef3e409af9cd283e7f6f2588fbe507.camel@ipfire.org \
    --to=stefan.schantl@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox