* [PATCH 1/3] Suricata: Update to 5.0.1
@ 2020-01-23 9:44 Stefan Schantl
From: Stefan Schantl @ 2020-01-23 9:44 UTC (permalink / raw)
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
lfs/suricata | 10 ++++++----
src/initscripts/system/suricata | 10 +++++-----
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/lfs/suricata b/lfs/suricata
index b3d22003b..e17eb5e08 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 4.1.6
+VER = 5.0.1
THISAPP = suricata-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = da5de1e8053f05cbd295793210117d34
+$(DL_FILE)_MD5 = 8ba12183d5d4b086755e6f510f2149e2
install : $(TARGET)
@@ -82,7 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--disable-python \
--with-libjansson-libraries=/usr/lib \
--with-libjansson-includes=/usr/include \
- --disable-suricata-update
+ --disable-suricata-update \
+ --enable-rust
+
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
cd $(DIR_APP) && make install-conf
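Review bot: The added `--enable-rust` makes the Rust toolchain (rustc/cargo) a hard build-time dependency of this package, but nothing in the hunk records that, and the part of the lfs file that would declare build dependencies is outside the hunk, so I cannot tell whether it is covered. A one-line comment above the flag, such as `# --enable-rust: builds the rust-based app-layer parsers that suricata.yaml turns on`, would tie the flag to the configuration change in patch 2/3 and explain why it cannot be dropped. The trailing empty line added after `--enable-rust` is harmless inside a recipe but is a stray whitespace change that could be left out. The `$(TARGET)` recipe this hunk modifies starts outside the hunk.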
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 5dc408262..29e58a7e2 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -6,7 +6,7 @@
#
# Author : Stefan Schantl <stefan.schantl(a)ipfire.org>
#
-# Version : 01.02
+# Version : 01.03
#
# Notes :
#
@@ -159,11 +159,11 @@ case "$1" in
cpu_count=$(get_cpu_count)
# Numer of NFQUES.
- NFQUEUES=
+ NFQUEUES="-q 0"
- for i in $(seq 0 $((cpu_count-1)) ); do
- NFQUEUES+="-q $i "
- done
+ if [ $cpu_count -gt "1" ]; then
+ NFQUEUES+=":$(($cpu_count-1))"
+ fi
# Check if the IDS should be started.
if [ "$ENABLE_IDS" == "on" ]; then
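Review bot: The new `if [ $cpu_count -gt "1" ]` leaves `$cpu_count` unquoted while quoting the literal, so an empty or non-numeric result from get_cpu_count makes the test abort with a shell error rather than falling back to the single queue; `if [ "${cpu_count:-1}" -gt 1 ]; then` keeps the comparison well-formed and degrades to `-q 0` when the count is unknown. The replacement of the per-queue `-q $i` loop with the range form `-q 0:N` presumably depends on the 5.0.1 binary accepting a `first:last` queue range, which a short comment next to the assignment should record, since the line reads as a plain queue number otherwise. The enclosing `case "$1" in` starts outside the hunk.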
--
2.25.0.rc0
* [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
@ 2020-01-23 9:44 ` Stefan Schantl
From: Stefan Schantl @ 2020-01-23 9:44 UTC (permalink / raw)
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index af9cb75a9..6a1af48fa 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -148,7 +148,9 @@ nfq:
app-layer:
protocols:
krb5:
- enabled: no # Requires rust
+ enabled: yes
+ snmp:
+ enabled: yes
ikev2:
enabled: yes
tls:
@@ -156,6 +158,12 @@ app-layer:
detection-ports:
dp: "[443,444,465,853,993,995]"
+ # Generate JA3 fingerprint from client hello. If not specified it
+ # will be disabled by default, but enabled if rules require it.
+ #ja3-fingerprints: auto
+ # Generate JA3 fingerprint from client hello
+ ja3-fingerprints: no
+
# Completely stop processing TLS/SSL session after the handshake
# completed. If bypass is enabled this will also trigger flow
# bypass. If disabled (the default), TLS/SSL session is still
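Review bot: `ja3-fingerprints: no` explicitly disables JA3 hashing even when a loaded rule needs it, whereas the commented-out `#ja3-fingerprints: auto` two lines above (and the hunk's own comment) enables it only on demand; with `no`, rules that use the JA3 keywords presumably can never match. If the hard disable is intentional, for example to avoid the per-handshake hashing cost, the comment should say so; otherwise `ja3-fingerprints: auto` is the safer choice. Either way the duplicated "Generate JA3 fingerprint from client hello" comment and the commented-out alternative should be collapsed into one. The `tls:` block this hunk modifies starts outside the hunk.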
@@ -165,6 +173,8 @@ app-layer:
enabled: yes
ftp:
enabled: yes
+ rdp:
+ enabled: no
ssh:
enabled: yes
smtp:
@@ -203,9 +213,10 @@ app-layer:
enabled: yes
detection-ports:
dp: 139, 445
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
+ nfs:
+ enabled: yes
+ tftp:
+ enabled: yes
dns:
# memcaps. Globally and per flow/state.
global-memcap: 32mb
@@ -271,6 +282,12 @@ app-layer:
double-decode-path: no
double-decode-query: no
+ ntp:
+ enabled: yes
+ dhcp:
+ enabled: yes
+ sip:
+ enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
--
2.25.0.rc0
* [PATCH 3/3] ruleset-sources: Update snort dl urls.
@ 2020-01-23 9:44 ` Stefan Schantl
From: Stefan Schantl @ 2020-01-23 9:44 UTC (permalink / raw)
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/suricata/ruleset-sources | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index ef8d8482b..814a3e0d1 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -1,8 +1,8 @@
# Ruleset for registered sourcefire users.
-registered = https://www.snort.org/rules/snortrules-snapshot-29150.tar.gz?oinkcode=<oinkcode>
+registered = https://www.snort.org/rules/snortrules-snapshot-29151.tar.gz?oinkcode=<oinkcode>
# Ruleset for registered sourcefire users with valid subscription.
-subscripted = https://www.snort.org/rules/snortrules-snapshot-29150.tar.gz?oinkcode=<oinkcode>
+subscripted = https://www.snort.org/rules/snortrules-snapshot-29151.tar.gz?oinkcode=<oinkcode>
# Community rules from sourcefire.
community = https://www.snort.org/rules/community
--
2.25.0.rc0
* Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
@ 2020-01-23 10:50 ` Michael Tremer
From: Michael Tremer @ 2020-01-23 10:50 UTC (permalink / raw)
To: development
Hello,
> On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index af9cb75a9..6a1af48fa 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -148,7 +148,9 @@ nfq:
> app-layer:
> protocols:
> krb5:
> - enabled: no # Requires rust
> + enabled: yes
> + snmp:
> + enabled: yes
> ikev2:
> enabled: yes
> tls:
> @@ -156,6 +158,12 @@ app-layer:
> detection-ports:
> dp: "[443,444,465,853,993,995]"
>
> + # Generate JA3 fingerprint from client hello. If not specified it
> + # will be disabled by default, but enabled if rules require it.
> + #ja3-fingerprints: auto
> + # Generate JA3 fingerprint from client hello
> + ja3-fingerprints: no
> +
> # Completely stop processing TLS/SSL session after the handshake
> # completed. If bypass is enabled this will also trigger flow
> # bypass. If disabled (the default), TLS/SSL session is still
> @@ -165,6 +173,8 @@ app-layer:
> enabled: yes
> ftp:
> enabled: yes
> + rdp:
> + enabled: no
Why is RDP disabled?
This protocol is highly exploitable and I am sure that all rulesets have plenty of rules for this.
Ideally the IPS should never see any RDP traffic going out to the Internet, but let's be honest, people do this.
> ssh:
> enabled: yes
> smtp:
> @@ -203,9 +213,10 @@ app-layer:
> enabled: yes
> detection-ports:
> dp: 139, 445
> - # smb2 detection is disabled internally inside the engine.
> - #smb2:
> - # enabled: yes
> + nfs:
> + enabled: yes
> + tftp:
> + enabled: yes
> dns:
> # memcaps. Globally and per flow/state.
> global-memcap: 32mb
> @@ -271,6 +282,12 @@ app-layer:
> double-decode-path: no
> double-decode-query: no
>
> + ntp:
> + enabled: yes
> + dhcp:
> + enabled: yes
> + sip:
> + enabled: yes
>
> # Limit for the maximum number of asn1 frames to decode (default 256)
> asn1-max-frames: 256
> --
> 2.25.0.rc0
>
* Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
@ 2020-01-23 11:22 ` Stefan Schantl
From: Stefan Schantl @ 2020-01-23 11:22 UTC (permalink / raw)
To: development
Hello Michael,
thanks for reviewing and reporting the issue with the RDP parser.
While importing the configuration details for the new Suricata
version, I found that various protocol parsers are disabled by default
and enabled all of them.
I assume I simply forgot to set the value to "yes" for RDP after I
removed the comment saying that the parser is disabled by default.
I'll send a separate patch which will do that.
Many thanks,
-Stefan
> Hello,
>
> > On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl(a)ipfire.org
> > > wrote:
> >
> > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > ---
> > config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
> > 1 file changed, 21 insertions(+), 4 deletions(-)
> >
> > diff --git a/config/suricata/suricata.yaml
> > b/config/suricata/suricata.yaml
> > index af9cb75a9..6a1af48fa 100644
> > --- a/config/suricata/suricata.yaml
> > +++ b/config/suricata/suricata.yaml
> > @@ -148,7 +148,9 @@ nfq:
> > app-layer:
> > protocols:
> > krb5:
> > - enabled: no # Requires rust
> > + enabled: yes
> > + snmp:
> > + enabled: yes
> > ikev2:
> > enabled: yes
> > tls:
> > @@ -156,6 +158,12 @@ app-layer:
> > detection-ports:
> > dp: "[443,444,465,853,993,995]"
> >
> > + # Generate JA3 fingerprint from client hello. If not
> > specified it
> > + # will be disabled by default, but enabled if rules require
> > it.
> > + #ja3-fingerprints: auto
> > + # Generate JA3 fingerprint from client hello
> > + ja3-fingerprints: no
> > +
> > # Completely stop processing TLS/SSL session after the
> > handshake
> > # completed. If bypass is enabled this will also trigger flow
> > # bypass. If disabled (the default), TLS/SSL session is still
> > @@ -165,6 +173,8 @@ app-layer:
> > enabled: yes
> > ftp:
> > enabled: yes
> > + rdp:
> > + enabled: no
>
> Why is RDP disabled?
>
> This protocol is highly exploitable and I am sure that all rulesets
> have plenty of rules for this.
>
> Ideally the IPS should never see any RDP traffic going out to the
> Internet, but lets be honest, people do this.
>
> > ssh:
> > enabled: yes
> > smtp:
> > @@ -203,9 +213,10 @@ app-layer:
> > enabled: yes
> > detection-ports:
> > dp: 139, 445
> > - # smb2 detection is disabled internally inside the engine.
> > - #smb2:
> > - # enabled: yes
> > + nfs:
> > + enabled: yes
> > + tftp:
> > + enabled: yes
> > dns:
> > # memcaps. Globally and per flow/state.
> > global-memcap: 32mb
> > @@ -271,6 +282,12 @@ app-layer:
> > double-decode-path: no
> > double-decode-query: no
> >
> > + ntp:
> > + enabled: yes
> > + dhcp:
> > + enabled: yes
> > + sip:
> > + enabled: yes
> >
> > # Limit for the maximum number of asn1 frames to decode (default
> > 256)
> > asn1-max-frames: 256
> > --
> > 2.25.0.rc0
> >
* Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
@ 2020-01-23 11:23 ` Michael Tremer
From: Michael Tremer @ 2020-01-23 11:23 UTC (permalink / raw)
To: development
Okay, thx.
> On 23 Jan 2020, at 11:22, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for reviewing and reporting the issue with the RDP parser.
>
> During importing the configuration details for the new suricata
> version, I found, that various protocol parsers are disabled by default
> and enabled all of them.
>
> I assume I simple forget to set the value to "yes" for RDP after I
> removed the comment that the parser is disabled by default.
>
> I'll send an extra patch which will do that.
>
> Many thanks,
>
> -Stefan
>> Hello,
>>
>>> On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl(a)ipfire.org
>>>> wrote:
>>>
>>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>>> ---
>>> config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
>>> 1 file changed, 21 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index af9cb75a9..6a1af48fa 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -148,7 +148,9 @@ nfq:
>>> app-layer:
>>> protocols:
>>> krb5:
>>> - enabled: no # Requires rust
>>> + enabled: yes
>>> + snmp:
>>> + enabled: yes
>>> ikev2:
>>> enabled: yes
>>> tls:
>>> @@ -156,6 +158,12 @@ app-layer:
>>> detection-ports:
>>> dp: "[443,444,465,853,993,995]"
>>>
>>> + # Generate JA3 fingerprint from client hello. If not
>>> specified it
>>> + # will be disabled by default, but enabled if rules require
>>> it.
>>> + #ja3-fingerprints: auto
>>> + # Generate JA3 fingerprint from client hello
>>> + ja3-fingerprints: no
>>> +
>>> # Completely stop processing TLS/SSL session after the
>>> handshake
>>> # completed. If bypass is enabled this will also trigger flow
>>> # bypass. If disabled (the default), TLS/SSL session is still
>>> @@ -165,6 +173,8 @@ app-layer:
>>> enabled: yes
>>> ftp:
>>> enabled: yes
>>> + rdp:
>>> + enabled: no
>>
>> Why is RDP disabled?
>>
>> This protocol is highly exploitable and I am sure that all rulesets
>> have plenty of rules for this.
>>
>> Ideally the IPS should never see any RDP traffic going out to the
>> Internet, but lets be honest, people do this.
>>
>>> ssh:
>>> enabled: yes
>>> smtp:
>>> @@ -203,9 +213,10 @@ app-layer:
>>> enabled: yes
>>> detection-ports:
>>> dp: 139, 445
>>> - # smb2 detection is disabled internally inside the engine.
>>> - #smb2:
>>> - # enabled: yes
>>> + nfs:
>>> + enabled: yes
>>> + tftp:
>>> + enabled: yes
>>> dns:
>>> # memcaps. Globally and per flow/state.
>>> global-memcap: 32mb
>>> @@ -271,6 +282,12 @@ app-layer:
>>> double-decode-path: no
>>> double-decode-query: no
>>>
>>> + ntp:
>>> + enabled: yes
>>> + dhcp:
>>> + enabled: yes
>>> + sip:
>>> + enabled: yes
>>>
>>> # Limit for the maximum number of asn1 frames to decode (default
>>> 256)
>>> asn1-max-frames: 256
>>> --
>>> 2.25.0.rc0
>>>
>
* [PATCH] suricata: Enable RDP protocol parser.
@ 2020-01-23 11:24 ` Stefan Schantl
From: Stefan Schantl @ 2020-01-23 11:24 UTC (permalink / raw)
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/suricata/suricata.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 6a1af48fa..ed71898f4 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -174,7 +174,7 @@ app-layer:
ftp:
enabled: yes
rdp:
- enabled: no
+ enabled: yes
ssh:
enabled: yes
smtp:
--
2.25.0.rc0