From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
Date: Thu, 23 Jan 2020 12:22:20 +0100
Message-ID: <41e79e4b3fef3e409af9cd283e7f6f2588fbe507.camel@ipfire.org>
In-Reply-To: <0DCBA908-028C-4322-8EE2-880073C4EE5D@ipfire.org>

Hello Michael,

thanks for reviewing and reporting the issue with the RDP parser.

While importing the configuration details for the new suricata version, I found that various protocol parsers are disabled by default and enabled all of them. I assume I simply forgot to set the value to "yes" for RDP after I removed the comment that the parser is disabled by default.

I'll send an extra patch which will do that.

Many thanks,

-Stefan

> Hello, > > > On 23 Jan 2020, at 09:44, Stefan Schantl > > wrote: > > > > Signed-off-by: Stefan Schantl > > --- > > config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- > > 1 file changed, 21 insertions(+), 4 deletions(-) > > > > diff --git a/config/suricata/suricata.yaml > > b/config/suricata/suricata.yaml > > index af9cb75a9..6a1af48fa 100644 > > --- a/config/suricata/suricata.yaml > > +++ b/config/suricata/suricata.yaml > > @@ -148,7 +148,9 @@ nfq: > > app-layer: > > protocols: > > krb5: > > - enabled: no # Requires rust > > + enabled: yes > > + snmp: > > + enabled: yes > > ikev2: > > enabled: yes > > tls:
> > @@ -156,6 +158,12 @@ app-layer: > > detection-ports: > > dp: "[443,444,465,853,993,995]" > > > > + # Generate JA3 fingerprint from client hello. If not > > specified it > > + # will be disabled by default, but enabled if rules require > > it. > > + #ja3-fingerprints: auto > > + # Generate JA3 fingerprint from client hello > > + ja3-fingerprints: no > > + > > # Completely stop processing TLS/SSL session after the > > handshake > > # completed. If bypass is enabled this will also trigger flow > > # bypass. If disabled (the default), TLS/SSL session is still > > @@ -165,6 +173,8 @@ app-layer: > > enabled: yes > > ftp: > > enabled: yes > > + rdp: > > + enabled: no > > Why is RDP disabled? > > This protocol is highly exploitable and I am sure that all rulesets > have plenty of rules for this. > > Ideally the IPS should never see any RDP traffic going out to the > Internet, but let's be honest, people do this. > > > ssh: > > enabled: yes > > smtp: > > @@ -203,9 +213,10 @@ app-layer: > > enabled: yes > > detection-ports: > > dp: 139, 445 > > - # smb2 detection is disabled internally inside the engine. > > - #smb2: > > - # enabled: yes > > + nfs: > > + enabled: yes > > + tftp: > > + enabled: yes > > dns: > > # memcaps. Globally and per flow/state. > > global-memcap: 32mb > > @@ -271,6 +282,12 @@ app-layer: > > double-decode-path: no > > double-decode-query: no > > > > + ntp: > > + enabled: yes > > + dhcp: > > + enabled: yes > > + sip: > > + enabled: yes > > > > # Limit for the maximum number of asn1 frames to decode (default > > 256) > > asn1-max-frames: 256 > > -- > > 2.25.0.rc0
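Review bot: in the @@ -148,7 +148,9 @@ hunk the "# Requires rust" comment on krb5 is dropped together with the disable, but nothing in this patch shows where the Rust-enabled Suricata build comes from; since the subject line says these parsers depend on Rust, the commit message should point at the patch in the series that provides it, and a short comment such as `enabled: yes  # rust parser` would keep the dependency visible in the shipped config for krb5 and for the snmp entry added right below it.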
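Review bot: in the @@ -156,6 +158,12 @@ hunk the explicit `ja3-fingerprints: no` overrides the `auto` behaviour described in the comment kept just above it (off by default, but switched on when rules require it), so any ruleset that carries JA3 matches will silently never fire; given that this patch exists to enable parsers, either set `ja3-fingerprints: auto` or state in the commit message why JA3 is forced off. The comment `# Generate JA3 fingerprint from client hello` also now appears twice in a row; keep one.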
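Review bot: in the @@ -165,6 +173,8 @@ hunk `rdp:` / `enabled: no` contradicts the purpose of the series and, as acknowledged in the reply above, should read `enabled: yes`; rather than a separate follow-up patch, fold the fix into a v2 of this patch so that no revision of the config ships with RDP inspection turned off.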
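Review bot: in the @@ -203,9 +213,10 @@ hunk the commented-out smb2 block and its note "smb2 detection is disabled internally inside the engine" are deleted without replacement, so a reader of the config can no longer tell whether SMB2 is now handled by the smb parser or simply not inspected; a one-line comment or a sentence in the commit message should say which. Because the quoted diff has lost its leading whitespace, please also double-check that the new nfs and tftp entries sit at the protocols: level alongside smb rather than nested under it.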
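Review bot: the commit message, which here consists only of the subject line and the Signed-off-by, does not list the parsers this patch newly turns on; for the @@ -271,6 +282,12 @@ hunk (ntp, dhcp, sip) and the earlier ones, add a body enumerating them and noting that the added entries take Suricata's defaults (no detection-ports or memcap settings, unlike the dns block shown above), so that anyone tuning the IPS later knows these were enabled deliberately rather than left over from an import.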