Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
Date: Thu, 23 Jan 2020 11:23:14 +0000	[thread overview]
Message-ID: <A2F53B4E-0A38-4CA3-B9FD-297D1F1B4920@ipfire.org> (raw)
In-Reply-To: <41e79e4b3fef3e409af9cd283e7f6f2588fbe507.camel@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 3218 bytes --]

Okay, thx.

> On 23 Jan 2020, at 11:22, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for reviewing and reporting the issue with the RDP parser.
> 
> During importing the configuration details for the new suricata
> version, I found, that various protocol parsers are disabled by default
> and enabled all of them.
> 
> I assume I simple forget to set the value to "yes" for RDP after I
> removed the comment that the parser is disabled by default.
> 
> I'll send an extra patch which will do that.
> 
> Many thanks,
> 
> -Stefan 
>> Hello,
>> 
>>> On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl(a)ipfire.org
>>>> wrote:
>>> 
>>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>>> ---
>>> config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
>>> 1 file changed, 21 insertions(+), 4 deletions(-)
>>> 
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index af9cb75a9..6a1af48fa 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -148,7 +148,9 @@ nfq:
>>> app-layer:
>>>  protocols:
>>>    krb5:
>>> -      enabled: no # Requires rust
>>> +      enabled: yes
>>> +    snmp:
>>> +      enabled: yes
>>>    ikev2:
>>>      enabled: yes
>>>    tls:
>>> @@ -156,6 +158,12 @@ app-layer:
>>>      detection-ports:
>>>        dp: "[443,444,465,853,993,995]"
>>> 
>>> +      # Generate JA3 fingerprint from client hello. If not
>>> specified it
>>> +      # will be disabled by default, but enabled if rules require
>>> it.
>>> +      #ja3-fingerprints: auto
>>> +      # Generate JA3 fingerprint from client hello
>>> +      ja3-fingerprints: no
>>> +
>>>      # Completely stop processing TLS/SSL session after the
>>> handshake
>>>      # completed. If bypass is enabled this will also trigger flow
>>>      # bypass. If disabled (the default), TLS/SSL session is still
>>> @@ -165,6 +173,8 @@ app-layer:
>>>      enabled: yes
>>>    ftp:
>>>      enabled: yes
>>> +    rdp:
>>> +      enabled: no
>> 
>> Why is RDP disabled?
>> 
>> This protocol is highly exploitable and I am sure that all rulesets
>> have plenty of rules for this.
>> 
>> Ideally the IPS should never see any RDP traffic going out to the
>> Internet, but lets be honest, people do this.
>> 
>>>    ssh:
>>>      enabled: yes
>>>    smtp:
>>> @@ -203,9 +213,10 @@ app-layer:
>>>      enabled: yes
>>>      detection-ports:
>>>        dp: 139, 445
>>> -    # smb2 detection is disabled internally inside the engine.
>>> -    #smb2:
>>> -    #  enabled: yes
>>> +    nfs:
>>> +      enabled: yes
>>> +    tftp:
>>> +      enabled: yes
>>>    dns:
>>>      # memcaps. Globally and per flow/state.
>>>      global-memcap: 32mb
>>> @@ -271,6 +282,12 @@ app-layer:
>>>           double-decode-path: no
>>>           double-decode-query: no
>>> 
>>> +    ntp:
>>> +      enabled: yes
>>> +    dhcp:
>>> +      enabled: yes
>>> +    sip:
>>> +      enabled: yes
>>> 
>>> # Limit for the maximum number of asn1 frames to decode (default
>>> 256)
>>> asn1-max-frames: 256
>>> -- 
>>> 2.25.0.rc0
>>> 
>

next prev parent reply	other threads:[~2020-01-23 11:23 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-23  9:44 [PATCH 1/3] Suricata: Update to 5.0.1 Stefan Schantl
2020-01-23  9:44 ` [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers Stefan Schantl
2020-01-23 10:50   ` Michael Tremer
2020-01-23 11:22     ` Stefan Schantl
2020-01-23 11:23       ` Michael Tremer [this message]
2020-01-23 11:24       ` [PATCH] suricata: Enable RDP protocol parser Stefan Schantl
2020-01-23  9:44 ` [PATCH 3/3] ruleset-sources: Update snort dl urls Stefan Schantl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=A2F53B4E-0A38-4CA3-B9FD-297D1F1B4920@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox