Re: [PATCH 1/3] suricata: Update config file.

Hello Michael, hello Stefan,

first, thanks for working on this.

While I have no strong opinion on SWF and DNP3 - I have not seen both in production for a long time, but there might be legacy/special setups out there which needs them -, SCADA- related protocol parsers won't probably help the majority of our users, but are very helpful in networks where SCADA is used.

To me, coming to a decision is tricky: I would oppose against making this configurable, since most users won't understand what they are configuring. Truth to be told, we have very little insights into use-cases for IPFire apart from common network setups, so at least I am a bit lost when it comes to set a default for our users.

Thanks, and best regards, Peter Müller

Hello,

I would like to NACK this patch.

Do we need these parsers? I have no idea if we have any users for those. And if that is the case, I would prefer to keep them off to reduce the attack surface of the IPS.

Is there any strong reason that I have missed?

-Michael

...

On 8 Dec 2021, at 17:10, Stefan Schantl stefan.schantl@ipfire.org wrote:

• This will enable swf decompression.
• Enable modbus parser.
• Enable dnp3 parser.
• Enable enip parser.

Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org

config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 0ad36e705..49921db86 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -525,6 +525,20 @@ app-layer: # auto will use http-body-inline mode in IPS mode, yes or no set it statically http-body-inline: auto

•       # Decompress SWF files.
  

•       # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
  

•       # compress-depth:
  

•       # Specifies the maximum amount of data to decompress,
  

•       # set 0 for unlimited.
  

•       # decompress-depth:
  

•       # Specifies the maximum amount of decompressed data to obtain,
  

•       # set 0 for unlimited.
  

•       swf-decompression:
  

•         enabled: yes
  

•         type: both
  

•         compress-depth: 0
  

•         decompress-depth: 0
  

•      # Take a random value for inspection sizes around the specified value.
       # This lower the risk of some evasion technics but could lead
       # detection change between runs. It is set to 'yes' by default.
  

@@ -539,6 +553,76 @@ app-layer: double-decode-path: no double-decode-query: no

•       # Can disable LZMA decompression
  

•       #lzma-enabled: yes
  

•       # Memory limit usage for LZMA decompression dictionary
  

•       # Data is decompressed until dictionary reaches this size
  

•       #lzma-memlimit: 1mb
  

•       # Maximum decompressed size with a compression ratio
  

•       # above 2048 (only LZMA can reach this ratio, deflate cannot)
  

•       #compression-bomb-limit: 1mb
  

•       # Maximum time spent decompressing a single transaction in usec
  

•       #decompression-time-limit: 100000
  

•     server-config:
  

•       #- apache:
  

•       #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
  

•       #    personality: Apache_2
  

•       #    # Can be specified in kb, mb, gb.  Just a number indicates
  

•       #    # it's in bytes.
  

•       #    request-body-limit: 4096
  

•       #    response-body-limit: 4096
  

•       #    double-decode-path: no
  

•       #    double-decode-query: no
  

•       #- iis7:
  

•       #    address:
  

•       #      - 192.168.0.0/24
  

•       #      - 192.168.10.0/24
  

•       #    personality: IIS_7_0
  

•       #    # Can be specified in kb, mb, gb.  Just a number indicates
  

•       #    # it's in bytes.
  

•       #    request-body-limit: 4096
  

•       #    response-body-limit: 4096
  

•       #    double-decode-path: no
  

•       #    double-decode-query: no
  

• # Note: Modbus probe parser is minimalist due to the poor significant field
• # Only Modbus message length (greater than Modbus header length)
• # And Protocol ID (equal to 0) are checked in probing parser
• # It is important to enable detection port and define Modbus port
• # to avoid false positive
• modbus:

•  # How many unreplied Modbus requests are considered a flood.
  

•  # If the limit is reached, app-layer-event:modbus.flooded; will match.
  

•  #request-flood: 500
  

•  enabled: yes
  

•  detection-ports:
  

•    dp: 502
  

•  # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
  

•  # is recommended to keep the TCP connection opened with a remote device
  

•  # and not to open and close it for each MODBUS/TCP transaction. In that
  

•  # case, it is important to set the depth of the stream reassembling as
  

•  # unlimited (stream.reassembly.depth: 0)
  

•  # Stream reassembly size for modbus. By default track it completely.
  

•  stream-depth: 0
  

• # DNP3
• dnp3:

•  enabled: yes
  

•  detection-ports:
  

•    dp: 20000
  

• # SCADA EtherNet/IP and CIP protocol support
• enip:

•  enabled: yes
  

•  detection-ports:
  

•    dp: 44818
  

•    sp: 44818
  

• ntp: enabled: yes dhcp:

-- 2.30.2