From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH 4/9] suricata: Enable bypassing unhandled streams
Date: Tue, 19 Oct 2021 06:03:38 +0200
Message-ID: <6ace88debbaf87d8881a31ab1c6835d4e9d3fed2.camel@ipfire.org>
In-Reply-To: <20211018101022.15448-4-michael.tremer@ipfire.org>

Tested-by: Stefan Schantl

> If a stream cannot be identified or if suricata has decided that it
> cannot do anything useful any more (e.g. TLS sessions after the
> handshake), we will allow suricata to bypass any following packets in
> that flow
> 
> Signed-off-by: Michael Tremer
> ---
>  config/suricata/suricata.yaml | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index f02b93d76..6f37671c8 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -389,11 +389,19 @@ app-layer: > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # will be disabled by default, but ena= bled if rules require > it. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ja3-fingerprints: auto > =C2=A0 > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # Completely stop processing TLS/SSL sessio= n after the > handshake > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # completed. If bypass is enabled this will= also trigger flow > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # bypass. If disabled (the default), TLS/SS= L session is still > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # tracked for Heartbleed and other anomalie= s. > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 #no-reassemble: yes > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # What to do when the encrypted communicati= ons start: > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # - default: keep tracking TLS session, che= ck for protocol > anomalies, > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 #=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 inspect tls_* keywords. Disables inspection of > unmodified > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 #=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 'content' signatures. > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # - bypass:=C2=A0 stop processing this flow= as much as possible. No > further > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 #=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 TLS parsing and inspection. Offload flow bypass > to kernel > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 #=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 or hardware if possible. > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # - full:=C2=A0=C2=A0=C2=A0 keep tracking a= nd inspection as normal. > Unmodified content > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 #=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 keyword signatures are inspected as well. > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # For best performance, select 'bypass'. 
> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 encryption-handling: bypass > =C2=A0=C2=A0=C2=A0=C2=A0 dcerpc: > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 enabled: yes > =C2=A0=C2=A0=C2=A0=C2=A0 ftp: > @@ -810,6 +818,7 @@ stream: > =C2=A0=C2=A0 prealloc-sessions: 4096 > =C2=A0=C2=A0 checksum-validation: yes=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # rejec= t wrong csums > =C2=A0=C2=A0 inline: auto=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # auto will use inline= mode in IPS > mode, yes or no set it statically > +=C2=A0 bypass: yes=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # Bypass packets when > stream.reassembly.depth is reached. > =C2=A0=C2=A0 reassembly: > =C2=A0=C2=A0=C2=A0=C2=A0 memcap: 256mb > =C2=A0=C2=A0=C2=A0=C2=A0 depth: 1mb=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # reassemble = 1mb into a stream --===============3881235405737959190==--
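Review bot: The detection trade-off of `encryption-handling: bypass` in the app-layer hunk (@@ -389,11 +389,19 @@) should be stated in the commit message rather than only implied by "For best performance, select 'bypass'": the comment block being removed says the default keeps the TLS session "tracked for Heartbleed and other anomalies", and the new comment says bypass does "No further TLS parsing and inspection" once the encrypted communication starts, so anomaly checks on the encrypted record stream are given up. Inspection of the handshake itself is unaffected, because the setting only applies "when the encrypted communications start"; the `ja3-fingerprints: auto` context line and rules using the tls_* keywords mentioned in the new comment still operate on the handshake. The new comment also offloads the bypass "to kernel or hardware if possible"; it is worth saying in the commit message whether IPFire's capture method can take that offload, since without it the flow is only skipped inside Suricata and its packets still traverse the process.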
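Review bot: The commit message does not describe what the stream hunk (@@ -810,6 +818,7 @@) actually changes: `bypass: yes` triggers, per its own added comment, "when stream.reassembly.depth is reached", not when "a stream cannot be identified", and with `depth: 1mb` two lines below, the remaining packets of a flow are bypassed entirely once 1mb of it has been reassembled. Please state that in the commit message, because it is a detection-coverage decision (content later in a large transfer is no longer inspected at all) and not only a performance one. The run of spaces before the comment on the added line matches the column alignment of the surrounding `inline:` and `depth:` lines, so no style issue there.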