From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] suricata: Enable new and rust-depended protocol parsers.
Date: Thu, 23 Jan 2020 11:23:14 +0000
In-Reply-To: <41e79e4b3fef3e409af9cd283e7f6f2588fbe507.camel@ipfire.org>

Okay, thx.

> On 23 Jan 2020, at 11:22, Stefan Schantl wrote:
>
> Hello Michael,
>
> thanks for reviewing and reporting the issue with the RDP parser.
>
> During importing the configuration details for the new suricata
> version, I found that various protocol parsers are disabled by default
> and enabled all of them.
>
> I assume I simply forgot to set the value to "yes" for RDP after I
> removed the comment that the parser is disabled by default.
>
> I'll send an extra patch which will do that.
>
> Many thanks,
>
> -Stefan
>> Hello,
>>
>>> On 23 Jan 2020, at 09:44, Stefan Schantl
>>> wrote:
>>>
>>> Signed-off-by: Stefan Schantl
>>> ---
>>> config/suricata/suricata.yaml | 25 +++++++++++++++++++++----
>>> 1 file changed, 21 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index af9cb75a9..6a1af48fa 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -148,7 +148,9 @@ nfq:
>>> app-layer:
>>> protocols:
>>> krb5:
>>> - enabled: no # Requires rust
>>> + enabled: yes
>>> + snmp:
>>> + enabled: yes
>>> ikev2:
>>> enabled: yes
>>> tls:
>>> @@ -156,6 +158,12 @@ app-layer:
>>> detection-ports:
>>> dp: "[443,444,465,853,993,995]"
>>>
>>> + # Generate JA3 fingerprint from client hello. If not
>>> specified it
>>> + # will be disabled by default, but enabled if rules require
>>> it.
>>> + #ja3-fingerprints: auto
>>> + # Generate JA3 fingerprint from client hello
>>> + ja3-fingerprints: no
>>> +
>>> # Completely stop processing TLS/SSL session after the
>>> handshake
>>> # completed. If bypass is enabled this will also trigger flow
>>> # bypass. If disabled (the default), TLS/SSL session is still
>>> @@ -165,6 +173,8 @@ app-layer:
>>> enabled: yes
>>> ftp:
>>> enabled: yes
>>> + rdp:
>>> + enabled: no
>>
>> Why is RDP disabled?
>>
>> This protocol is highly exploitable and I am sure that all rulesets
>> have plenty of rules for this.
>>
>> Ideally the IPS should never see any RDP traffic going out to the
>> Internet, but let's be honest, people do this.
>>
>>> ssh:
>>> enabled: yes
>>> smtp:
>>> @@ -203,9 +213,10 @@ app-layer:
>>> enabled: yes
>>> detection-ports:
>>> dp: 139, 445
>>> - # smb2 detection is disabled internally inside the engine.
>>> - #smb2:
>>> - # enabled: yes
>>> + nfs:
>>> + enabled: yes
>>> + tftp:
>>> + enabled: yes
>>> dns:
>>> # memcaps. Globally and per flow/state.
>>> global-memcap: 32mb
>>> @@ -271,6 +282,12 @@ app-layer:
>>> double-decode-path: no
>>> double-decode-query: no
>>>
>>> + ntp:
>>> + enabled: yes
>>> + dhcp:
>>> + enabled: yes
>>> + sip:
>>> + enabled: yes
>>>
>>> # Limit for the maximum number of asn1 frames to decode (default
>>> 256)
>>> asn1-max-frames: 256
>>> --
>>> 2.25.0.rc0
>>>
>
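Review bot: the first hunk (`@@ -148,7 +148,9 @@`) drops the `# Requires rust` comment from `krb5` while the commit message consists of nothing but the Signed-off-by line; since the subject itself says these parsers are rust-dependent, the commit body should state that a Suricata build with rust support is now required and list the parsers that need it, so the dependency is recorded where it can be checked against the package build.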
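Review bot: in the TLS hunk (`@@ -156,6 +158,12 @@`), `ja3-fingerprints: no` is stricter than the commented `#ja3-fingerprints: auto` just above it: according to the comment kept in the same hunk, `auto` leaves JA3 off by default but turns it on when loaded rules require it, whereas `no` keeps it off even for rulesets that carry JA3 signatures. Unless the intent is to hard-disable JA3, `auto` is the more useful default; the second `# Generate JA3 fingerprint from client hello` comment duplicates the first and can be dropped.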
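Review bot: the `+ rdp:` / `+ enabled: no` lines in the `@@ -165,6 +173,8 @@` hunk contradict the patch's stated purpose of enabling the new parsers and, as already discussed in this thread, leave the IPS unable to apply RDP rules while every neighbouring parser is switched on; this should read `enabled: yes`, which the follow-up patch promised above is expected to do.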
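Review bot: the smb hunk (`@@ -203,9 +213,10 @@`) removes the `# smb2 detection is disabled internally inside the engine.` / `#smb2:` block and inserts `nfs` and `tftp` in its place, but nothing in the commit message says whether smb2 traffic is now handled by the `smb` parser in the new Suricata version; one sentence in the commit body would save the next reader from wondering whether smb2 coverage was lost.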