From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes
Date: Tue, 04 Oct 2022 09:40:15 +0100
Message-ID:
In-Reply-To: <3237b8ad-e91c-60a2-4604-a528d06cde8e@ipfire.org>

Hello,

MQTT seems to be getting more and more popular and I have seen this in a couple of networks. So I do not see any reason not to enable this.

-Michael

> On 2 Oct 2022, at 12:07, Peter Müller wrote:
>
> Hello *,
>
>
>> On 30.09.2022 06:57, Michael Tremer wrote:
>>> Good morning,
>>
>> Hi,
>>
>>> Why would we need this change?
>>
>> I'm not sure if we *really* need this change. My first thought was to
>> enable it to avoid this "ERRCODE"-message during startup:
>>
>> ...
>> [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable
>> status not set, so enabling by default. This behavior will change in
>> Suricata 7, so please update your config. See ticket #4744 for more details.
>> ...
>>
>> v6.0.8 comes with a new rules file for app-layer-events: 'mqtt.rules' to
>> detect and avoid mqtt flooding attacks. Current standard action is 'alert'.
>>
>> =>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer :
>>
>> What is 'mqtt'?
>>
>> => https://www.opc-router.com/what-is-mqtt/ :
>>
>> "MQTT – Message Queuing Telemetry Transport
>>
>> MQTT (Message Queuing Telemetry Transport) is a messaging protocol for
>> restricted low-bandwidth networks and extremely high-latency IoT
>> devices. Since Message Queuing Telemetry Transport is specialized for
>> low-bandwidth, high-latency environments, it is an ideal protocol for
>> machine-to-machine (M2M) communication.
>>
>> MQTT works on the publisher / subscriber principle and is operated via a
>> central broker. This means that the sender and receiver have no direct
>> connection. The data sources report their data via a publish and all
>> recipients with interest in certain messages (“marked by the topic”) get
>> the data delivered because they have registered as subscribers. In IoT
>> and IIoT, MQTT is used all the way to connecting cloud environments..."
>>
>> I wanted to test v6.0.8 in its (new) standard config, so I activated
>> this protocol.
>>
>> Until now, I found no information on what "this behavior will change in
>> Suricata 7" really means.
>>
>> The only information I just found:
>> =>
>> https://suricata.readthedocs.io/en/latest/upgrade.html#upgrading-6-0-to-7-0
>>
>> "Upgrading 5.0 to 6.0
>> ...
>> Major changes:
>> ...
>> New protocols enabled by default: mqtt, rfb
>> ..."
>>
>> 'rfb' is already enabled in our config. If we don't want 'mqtt' we
>> should set 'mqtt' to "enabled: no"
>
> just my two cents: I think it cannot hurt to enable this; if it gets us some
> more coverage on malicious IoT activity (a pleonasm, I know), there is a benefit
> from it.
>
> Acked-by: Peter Müller
>
> @Michael: What is your opinion on that?
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> Best,
>> Matthias
>>
>>> -Michael
>>>
>>>> On 29 Sep 2022, at 21:35, Matthias Fischer wrote:
>>>>
>>>> Signed-off-by: Matthias Fischer
>>>> ---
>>>> config/suricata/suricata.yaml | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
>>>> index 03a7a83af..fb4f9426b 100644
>>>> --- a/config/suricata/suricata.yaml
>>>> +++ b/config/suricata/suricata.yaml
>>>> @@ -371,7 +371,7 @@ app-layer: >>>> dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 >>>> # MQTT, disabled by default. >>>> mqtt: >>>> - # enabled: no >>>> + enabled: yes >>>> # max-msg-length: 1mb >>>> krb5: >>>> enabled: yes >>>> --=20 >>>> 2.34.1
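Review bot: the comment `# MQTT, disabled by default.` kept directly above `mqtt:` in this hunk is now contradicted by the new `enabled: yes` line; update or drop it so the shipped file does not describe the setting as disabled. In the same block, `# max-msg-length: 1mb` stays commented out, so the parser runs with Suricata's built-in length limit; since the thread motivates the change partly by the new mqtt.rules flood detection, consider setting that limit explicitly so the intended bound is visible in the config rather than implied.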
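The condition the quoted ERRCODE message describes (an app-layer protocol present in the config with no `enabled` key, which Suricata 6 silently enables and Suricata 7 will treat differently) can be checked before a config is shipped. The following is an added example and not IPFire's or Suricata's own code; it embeds a constructed excerpt of the app-layer section laid out like the patch hunk (before and after the change) and uses a deliberately minimal indentation-based reader, not a full YAML parser, so it runs without extra dependencies.

```python
"""Flag app-layer protocols in a Suricata 6 'suricata.yaml' whose 'enabled'
status is not set explicitly.  Added example, not IPFire or Suricata code."""

import sys
from typing import Dict, List

# Constructed excerpt laid out like the app-layer section in the patch hunk:
# rfb enabled, mqtt present but with every option commented out, krb5 enabled.
SAMPLE_BEFORE = """\
app-layer:
  protocols:
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    # MQTT, disabled by default.
    mqtt:
      # enabled: no
      # max-msg-length: 1mb
    krb5:
      enabled: yes
"""

# The same excerpt after the patch: mqtt gets an explicit 'enabled: yes'.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("      # enabled: no\n", "      enabled: yes\n")


def parse_app_layer_protocols(text: str) -> Dict[str, Dict[str, str]]:
    """Read the 'app-layer: protocols:' subtree with a minimal block-mapping
    reader (comments, 'key:' and 'key: value' lines only; not a YAML parser).

    Returns {protocol: {direct child key: scalar value}}.  A nested child such
    as 'detection-ports:' is recorded with an empty value; deeper lines are
    skipped.  A protocol whose options are all commented out maps to {}.
    """
    protocols: Dict[str, Dict[str, str]] = {}
    in_app_layer = in_protocols = False
    protocols_indent = proto_indent = child_indent = None
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no configuration
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        value = value.strip()
        if indent == 0:  # a new top-level section starts here
            in_app_layer = key == "app-layer" and value == ""
            in_protocols = False
            current = None
            continue
        if not in_app_layer:
            continue
        if not in_protocols:
            if key == "protocols" and value == "":
                in_protocols = True
                protocols_indent = indent
                proto_indent = child_indent = None
            continue
        if indent <= protocols_indent:  # left the protocols block
            in_protocols = False
            continue
        if proto_indent is None:
            proto_indent = indent  # first protocol fixes the entry indent
        if indent == proto_indent:
            current = key
            protocols[current] = {}
        elif current is not None:
            if child_indent is None:
                child_indent = indent  # first option fixes the child indent
            if indent == child_indent:
                protocols[current][key] = value
    return protocols


def unset_enable_status(text: str) -> List[str]:
    """Protocols that would trigger 'enable status not set' in Suricata 6."""
    return sorted(name for name, opts in parse_app_layer_protocols(text).items()
                  if "enabled" not in opts)


def main(argv: List[str]) -> int:
    """Check the file named in argv[1], or the constructed sample if none."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_BEFORE
    missing = unset_enable_status(text)
    for name in missing:
        print(f"app-layer protocol '{name}': enable status not set "
              f"(enabled by default in 6.x, behaviour changes in 7)")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports `mqtt` for the pre-patch excerpt and exits non-zero; on the post-patch excerpt the list is empty. Pointing it at a real `suricata.yaml` assumes the two-space indentation the stock file uses in the app-layer block.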