Okay, thx.

> On 23 Jan 2020, at 11:22, Stefan Schantl wrote:
>
> Hello Michael,
>
> thanks for reviewing and reporting the issue with the RDP parser.
>
> While importing the configuration details for the new suricata
> version, I found that various protocol parsers are disabled by default
> and enabled all of them.
>
> I assume I simply forgot to set the value to "yes" for RDP after I
> removed the comment that the parser is disabled by default.
>
> I'll send an extra patch which will do that.
>
> Many thanks,
>
> -Stefan
>> Hello,
>>
>>> On 23 Jan 2020, at 09:44, Stefan Schantl
>>> wrote:
>>>
>>> Signed-off-by: Stefan Schantl
>>> ---
>>> config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
>>> 1 file changed, 21 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index af9cb75a9..6a1af48fa 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -148,7 +148,9 @@ nfq:
>>> app-layer:
>>> protocols:
>>> krb5:
>>> - enabled: no # Requires rust
>>> + enabled: yes
>>> + snmp:
>>> + enabled: yes
>>> ikev2:
>>> enabled: yes
>>> tls:
>>> @@ -156,6 +158,12 @@ app-layer:
>>> detection-ports:
>>> dp: "[443,444,465,853,993,995]"
>>>
>>> + # Generate JA3 fingerprint from client hello. If not
>>> specified it
>>> + # will be disabled by default, but enabled if rules require
>>> it.
>>> + #ja3-fingerprints: auto
>>> + # Generate JA3 fingerprint from client hello
>>> + ja3-fingerprints: no
>>> +
>>> # Completely stop processing TLS/SSL session after the
>>> handshake
>>> # completed. If bypass is enabled this will also trigger flow
>>> # bypass. If disabled (the default), TLS/SSL session is still
>>> @@ -165,6 +173,8 @@ app-layer:
>>> enabled: yes
>>> ftp:
>>> enabled: yes
>>> + rdp:
>>> + enabled: no
>>
>> Why is RDP disabled?
>>
>> This protocol is highly exploitable and I am sure that all rulesets
>> have plenty of rules for this.
>>
>> Ideally the IPS should never see any RDP traffic going out to the
>> Internet, but let's be honest, people do this.
>>
>>> ssh:
>>> enabled: yes
>>> smtp:
>>> @@ -203,9 +213,10 @@ app-layer:
>>> enabled: yes
>>> detection-ports:
>>> dp: 139, 445
>>> - # smb2 detection is disabled internally inside the engine.
>>> - #smb2:
>>> - # enabled: yes
>>> + nfs:
>>> + enabled: yes
>>> + tftp:
>>> + enabled: yes
>>> dns:
>>> # memcaps. Globally and per flow/state.
>>> global-memcap: 32mb
>>> @@ -271,6 +282,12 @@ app-layer:
>>> double-decode-path: no
>>> double-decode-query: no
>>>
>>> + ntp:
>>> + enabled: yes
>>> + dhcp:
>>> + enabled: yes
>>> + sip:
>>> + enabled: yes
>>>
>>> # Limit for the maximum number of asn1 frames to decode (default
>>> 256)
>>> asn1-max-frames: 256
>>> --
>>> 2.25.0.rc0
>>>
>
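Review bot: In the first hunk (`@@ -148,7 +148,9 @@`), flipping `krb5` from `enabled: no # Requires rust` to `enabled: yes` drops the only hint in the file that this parser (like `snmp` added right below it, and `nfs`, `tftp`, `ntp`, `dhcp`, `sip` and `rdp` later in the patch) is one of Suricata's Rust-implemented app-layer parsers; it is worth stating in the commit message that the new suricata build is compiled with Rust support, because otherwise these `enabled: yes` entries are silently ignored. The commit message currently carries nothing but the Signed-off-by line, so a sentence explaining that the patch enables every parser that upstream ships disabled by default would also help whoever bisects a later behaviour change.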
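Review bot: In the second hunk (`@@ -156,6 +158,12 @@`), the explicit `ja3-fingerprints: no` overrides the `auto` behaviour that the two comment lines directly above it describe ("disabled by default, but enabled if rules require it"), so any ruleset signatures that use JA3 keywords can no longer be loaded; given the argument made further down that rulesets have plenty of rules, `ja3-fingerprints: auto` (or simply leaving the upstream commented-out line and no override) seems the safer choice. The second comment, `# Generate JA3 fingerprint from client hello`, repeats the first and can be removed.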
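Review bot: In the third hunk (`@@ -165,6 +173,8 @@`), `rdp:` with `enabled: no` is the only parser in the whole patch that is switched off, which contradicts the stated intent of enabling all of them; as already agreed in this thread, the follow-up patch should set it to `enabled: yes` so that the RDP rules in the rulesets can actually fire.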
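Review bot: In the fourth hunk (`@@ -203,9 +213,10 @@`), the new `nfs:` and `tftp:` entries are inserted directly after `smb`'s `detection-ports:` / `dp: 139, 445` lines, and the mail has stripped the YAML indentation, so it is impossible to see here whether they sit at the `protocols:` level or end up nested under `smb:`; the same applies to the `ntp:`, `dhcp:` and `sip:` entries appended after the `double-decode-query: no` line in the last hunk. Please confirm the file still parses as intended with `suricata -T -c config/suricata/suricata.yaml` before this goes in.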