Hello, I would like to NACK this patch. Do we need these parsers? I have no idea if we have any users for those. And if that is the case, I would prefer to keep them off to reduce the attack surface of the IPS. Is there any strong reason that I have missed? -Michael > On 8 Dec 2021, at 17:10, Stefan Schantl wrote: > > * This will enable swf decompression. > * Enable modbus parser. > * Enable dnp3 parser. > * Enable enip parser. > > Signed-off-by: Stefan Schantl > --- > config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++ > 1 file changed, 84 insertions(+) > > diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml > index 0ad36e705..49921db86 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -525,6 +525,20 @@ app-layer: > # auto will use http-body-inline mode in IPS mode, yes or no set it statically > http-body-inline: auto > > + # Decompress SWF files. > + # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma > + # compress-depth: > + # Specifies the maximum amount of data to decompress, > + # set 0 for unlimited. > + # decompress-depth: > + # Specifies the maximum amount of decompressed data to obtain, > + # set 0 for unlimited. > + swf-decompression: > + enabled: yes > + type: both > + compress-depth: 0 > + decompress-depth: 0 > + > # Take a random value for inspection sizes around the specified value. > # This lower the risk of some evasion technics but could lead > # detection change between runs. It is set to 'yes' by default. 
> @@ -539,6 +553,76 @@ app-layer: > double-decode-path: no > double-decode-query: no > > + # Can disable LZMA decompression > + #lzma-enabled: yes > + # Memory limit usage for LZMA decompression dictionary > + # Data is decompressed until dictionary reaches this size > + #lzma-memlimit: 1mb > + # Maximum decompressed size with a compression ratio > + # above 2048 (only LZMA can reach this ratio, deflate cannot) > + #compression-bomb-limit: 1mb > + # Maximum time spent decompressing a single transaction in usec > + #decompression-time-limit: 100000 > + > + server-config: > + > + #- apache: > + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] > + # personality: Apache_2 > + # # Can be specified in kb, mb, gb. Just a number indicates > + # # it's in bytes. > + # request-body-limit: 4096 > + # response-body-limit: 4096 > + # double-decode-path: no > + # double-decode-query: no > + > + #- iis7: > + # address: > + # - 192.168.0.0/24 > + # - 192.168.10.0/24 > + # personality: IIS_7_0 > + # # Can be specified in kb, mb, gb. Just a number indicates > + # # it's in bytes. > + # request-body-limit: 4096 > + # response-body-limit: 4096 > + # double-decode-path: no > + # double-decode-query: no > + > + # Note: Modbus probe parser is minimalist due to the poor significant field > + # Only Modbus message length (greater than Modbus header length) > + # And Protocol ID (equal to 0) are checked in probing parser > + # It is important to enable detection port and define Modbus port > + # to avoid false positive > + modbus: > + # How many unreplied Modbus requests are considered a flood. > + # If the limit is reached, app-layer-event:modbus.flooded; will match. > + #request-flood: 500 > + > + enabled: yes > + detection-ports: > + dp: 502 > + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it > + # is recommended to keep the TCP connection opened with a remote device > + # and not to open and close it for each MODBUS/TCP transaction. 
In that > + # case, it is important to set the depth of the stream reassembling as > + # unlimited (stream.reassembly.depth: 0) > + > + # Stream reassembly size for modbus. By default track it completely. > + stream-depth: 0 > + > + # DNP3 > + dnp3: > + enabled: yes > + detection-ports: > + dp: 20000 > + > + # SCADA EtherNet/IP and CIP protocol support > + enip: > + enabled: yes > + detection-ports: > + dp: 44818 > + sp: 44818 > + > ntp: > enabled: yes > dhcp: > -- > 2.30.2 >
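Review bot: In the first hunk (`@@ -525,6 +525,20 @@`), `compress-depth: 0` and `decompress-depth: 0` mean unlimited decompression according to the comment lines added just above them, so a single crafted SWF stream can make the IPS spend unbounded memory and CPU on one flow. If SWF decompression is kept, it should ship with finite limits (the upstream comment explains the units are bytes; pick a value consistent with the `request-body-limit`/`response-body-limit` already present in this file) or the commit message should say why unlimited is acceptable in IPS mode. The commit message's "This will enable swf decompression." also gives no use case, which is the information needed to decide whether this parser is worth the added attack surface.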
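Review bot: In the second hunk (`@@ -539,6 +553,76 @@`), `stream-depth: 0` for modbus disables the reassembly depth limit for every flow matched on port 502; the added comment block only recommends this for long-lived connections to trusted PLCs, so for an IPS in front of arbitrary traffic a bounded depth or a justification in the commit message is needed. The same hunk also adds roughly forty lines that change no behaviour (the commented `#lzma-enabled`, `#lzma-memlimit`, `#compression-bomb-limit`, `#decompression-time-limit` keys and the commented `#- apache:` / `#- iis7:` `server-config` examples); those are unrelated to "Enable modbus parser / dnp3 parser / enip parser" and should be dropped or moved to a separate commit so that the review can focus on the three `enabled: yes` lines, each of which should state the expected users of that protocol.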