I have worked on suricata's configuration.
My objective was to use more system resources (because suricata did not use much RAM, etc.) to make it faster and to be able to have some deeper decoding and matching.
Please review these changes and let me know what you think.
All in all, suricata should not use more than 1G of RAM which I think is a very good amount. If your system is weaker than that, there is no point in running an IPS.
On my system in my office, this runs with a handful of rules enabled from the Emerging Threats Community set at around 110MB of RAM.
Michael Tremer (20):
  Revert "Suricata: detect DNS events on port 853, too"
  suricata: Set max-pending-packets to 1024
  suricata: Set default packet size to 1514
  suricata: Set detection profile to high
  suricata: Drop profiling section from configuration
  suricata: Drop some commented stuff from configuration
  suricata: Drop sections that require Rust
  suricata: Configure HTTP decoder
  suricata: Allow 32MB of RAM for DNS decoding
  suricata: Drop parsers I have never heard of
  suricata: We do not use any IP reputation lists
  suricata: Log to syslog
  suricata: Use the correct path for the magic database
  suricata: Use 64MB of RAM for defragmentation
  suricata: Use up to 256MB of RAM for the flow cache
  suricata: Log to syslog like a normal process
  suricata: Increase memory size for the stream engine
  suricata: Disable decoding for Teredo
  suricata: Start capture first and then load rules
  suricata: Fix syntax error

 config/etc/syslog.conf        |   2 +-
 config/suricata/suricata.yaml | 282 +++++-------------------------------------
 2 files changed, 30 insertions(+), 254 deletions(-)
This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.
It does not make any sense to try to decode the TLS connection with the DNS decoder.
Therefore, 853 (TCP only) should be added to the TLS decoder.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4fbd32b85..301a157a3 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,465,993,995]" + dp: "[443,465,853,993,995]"
# Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow @@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes # memcap: 64mb
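Review bot: the `dns` hunk drops 853 from both the `tcp` and the `udp` `detection-ports`, while the message only argues for moving 853 (TCP only) to TLS; please state that the UDP removal is intended as well, since DNS-over-TLS only exists over TCP and there is nothing to probe on UDP/853. The TLS hunk itself is right: with 853 in `tls.detection-ports.dp` the TLS parser is probed first on that port instead of the DNS parser being handed a TLS handshake.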
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 301a157a3..d94de87f1 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -412,11 +412,7 @@ host-mode: auto # Number of packets preallocated per thread. The default is 1024. A higher number # will make sure each CPU will be more easily kept busy, but may negatively # impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 +max-pending-packets: 1024
# Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
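Review bot: `max-pending-packets: 1024` is exactly the value the comment above documents as the default, so uncommenting it changes nothing at runtime; either say in the message that the setting is being made explicit, or, given the cover letter's aim of using more resources, raise the value so the commit does what its subject suggests. Dropping the CUDA paragraph is fine since it only applied to `mpm-algo: ac-cuda`.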
We usually use an MTU of 1500 + Ethernet header
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d94de87f1..dc1163820 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -434,7 +434,7 @@ max-pending-packets: 1024 # Preallocated size for packet. Default is 1514 which is the classical # size for pcap on ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 +default-packet-size: 1514
# Unix command socket can be used to pass commands to suricata. # An external tool can then connect to get information from suricata
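Review bot: 1514 is again the documented default, so this hunk only makes the setting explicit; please say so in the message. The kept comment asks for the highest `MTU + hardware header` on the system: if any inspected interface carries 802.1Q-tagged frames, the hardware header is 4 bytes longer and 1518 is the value that matches the comment; otherwise the message's "1500 + Ethernet header" holds.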
This will merge rules more aggressively so that the engine is only processing those that can actually match.
Memory is cheap. People with little memory should not run suricata anyways.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index dc1163820..10dbdc99b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -745,7 +745,7 @@ decoder: # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect: - profile: medium + profile: high custom-values: toclient-groups: 3 toserver-groups: 25
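Review bot: the message gives no figure for the extra memory `profile: high` costs, while the cover letter promises to stay below 1G in total; please add the observed memory use before and after with the rule set you tested. Also, the `custom-values` block kept as context (`toclient-groups: 3`, `toserver-groups: 25`) is only honoured with `profile: custom`, so after this change it is dead configuration and could be removed in the same commit.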
This is not compiled in as it slows down detection and is only really useful for debugging
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 69 ------------------------------------------- 1 file changed, 69 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 10dbdc99b..8dc2a1587 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -860,75 +860,6 @@ threading: # detect-thread-ratio: 1.0
-# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - ## ## Include other configs ##
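Review bot: removing the whole `profiling:` block is only safe as long as the IPFire build really omits `--enable-profiling` and `--enable-profiling-locks`; the message asserts this, so please point at the build file where those flags are (not) set, so that a later build-flag change is not made without revisiting this. Worth noting for the record: the removed block had `rules`, `keywords`, `rulegroups` and `packets` profiling all at `enabled: yes`, which is exactly the configuration that would have slowed detection had the feature been compiled in.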
The file is really large and we should not carry anything we will never use.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 32 -------------------------------- 1 file changed, 32 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 8dc2a1587..e85568803 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -367,29 +367,6 @@ asn1-max-frames: 256 ## ##############################################################################
-## -## Run Options -## - -# Run suricata as user and group. -#run-as: -# user: suri -# group: suri - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On @@ -859,12 +836,3 @@ threading: # thread will always be created. # detect-thread-ratio: 1.0 - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml
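Review bot: the first hunk drops the commented `run-as:` (`user: suri`, `group: suri`) block together with `sensor-name`, `pid-file` and `daemon-directory`; of these, `run-as` is the one option that lets the engine drop root privileges after start-up, so either set it for the service user IPFire runs Suricata as, or keep that hint instead of deleting it with the rest. The subject "Drop some commented stuff" should also name the two sections removed (Run Options and Include other configs) so the history stays searchable.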
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 9 --------- 1 file changed, 9 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index e85568803..4f3ac5744 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -192,10 +192,6 @@ app-layer: # smb2 detection is disabled internally inside the engine. #smb2: # enabled: yes - # Note: NFS parser depends on Rust support: pass --enable-rust - # to configure. - nfs: - enabled: no dns: # memcaps. Globally and per flow/state. #global-memcap: 16mb @@ -352,11 +348,6 @@ app-layer: dp: 44818 sp: 44818
- # Note: parser depends on experimental Rust support - # with --enable-rust-experimental passed to configure - ntp: - enabled: no - # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
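Review bot: both removed parsers (`nfs`, `ntp`) were at `enabled: no`, so this is a no-op for the engine; the message should say the motivation is that the build lacks `--enable-rust`, rather than leaving the reader to infer a behaviour change.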
This will now scan all request and response bodies where possible and use up to 256MB of RAM.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 66 ++++--------------------------------------- 1 file changed, 5 insertions(+), 61 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4f3ac5744..b09d5906d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -211,7 +211,7 @@ app-layer: dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb
# default-config: Used when no server-config matches # personality: List of personalities used by default @@ -225,32 +225,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 @@ -260,14 +234,8 @@ app-layer:
# Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0
# response body decompression (0 disables) response-body-decompress-layer-limit: 2 @@ -278,41 +246,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10
# decoding double-decode-path: no double-decode-query: no
- server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field # Only Modbus message length (greater than Modbus header length) # And Protocol ID (equal to 0) are checked in probing parser
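Review bot: `request-body-limit: 0` and `response-body-limit: 0` mean unlimited body reassembly, so every large HTTP download is buffered for inspection until the new `memcap: 256mb` is reached, and once it is, further body data cannot be stored for any flow; a handful of big downloads can therefore consume the inspection budget that other HTTP flows need at the same time. Please state this trade-off in the message and consider a finite limit (the removed values were 100kb). The hunk also deletes the `*-minimal-inspect-size` / `*-inspect-window` lines, which only returns them to their built-in defaults, and uncommenting `randomize-inspection-sizes: yes` / `randomize-inspection-range: 10` keeps the defaults the comments describe; both are cosmetic and could be mentioned as such.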
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index b09d5906d..882dc1bd0 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -194,12 +194,12 @@ app-layer: # enabled: yes dns: # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb + global-memcap: 32mb + state-memcap: 512kb
# How many unreplied DNS requests are considered a flood. # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 + request-flood: 512
tcp: enabled: yes
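Review bot: `request-flood` moves from the commented default 500 to 512 without the message mentioning it; either keep 500 or explain the change. `state-memcap: 512kb` is the commented default and `global-memcap: 32mb` matches the subject; a sentence on why 32MB was chosen (expected number of concurrent DNS flows) would help whoever tunes this later.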
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 34 ---------------------------------- 1 file changed, 34 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 882dc1bd0..4ef0076eb 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -257,40 +257,6 @@ app-layer: double-decode-path: no double-decode-query: no
- # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818
# Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
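Review bot: `modbus`, `dnp3` and `enip` were all at `enabled: no`, so removing them does not change detection; the subject "parsers I have never heard of" is not a rationale a future reader can check, so please state the actual one (industrial-control protocols that are not expected at an IPFire perimeter). Note that the removed `modbus.stream-depth: 0` comment was the only place the file pointed out that `stream.reassembly.depth: 0` is needed for such long-lived connections; if ICS support is ever wanted, that will have to be rediscovered.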
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4ef0076eb..85d3c70ba 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -343,12 +343,6 @@ legacy: # - reject # - alert
-# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/etc/syslog.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/etc/syslog.conf b/config/etc/syslog.conf index d5f525a0e..b2b548969 100644 --- a/config/etc/syslog.conf +++ b/config/etc/syslog.conf @@ -5,7 +5,7 @@ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! # local0.* any dhcpcd log (even debug) in messages -cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.* -/var/log/messages +cron.none;daemon.*;local0.*;local2.*;local5.*;*.info;mail.none;authpriv.* -/var/log/messages
# Log crons #cron.* -/var/log/cron.log
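Review bot: the existing selector `*.info` already routes local5 messages of priority info and above to /var/log/messages, so adding `local5.*` only adds `local5.debug`; with Suricata's logging turned up to debug, /var/log/messages can fill quickly. Consider a dedicated file for local5 (as the commented `#cron.* -/var/log/cron.log` example does), or leave the selector as it was and rely on `*.info`.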
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 85d3c70ba..6015c9e6d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -324,9 +324,8 @@ unix-command: enabled: no #filename: custom.socket
-# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: +# Magic file +magic-file: /usr/share/misc/magic.mgc
legacy: uricontent: enabled
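Review bot: the removed comment states that `.mgc` is appended to the value, yet the new value `/usr/share/misc/magic.mgc` already carries the extension; please confirm with `suricata -T` that the database is found (and that no `magic.mgc.mgc` lookup happens) and say so in the message. A short comment on where the path comes from (the `file` package on IPFire) would make sure it is updated when that package moves the database.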
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 6015c9e6d..397ddcb25 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -384,27 +384,13 @@ host-os-policy: # Defrag settings:
defrag: - memcap: 32mb + memcap: 64mb hash-size: 65536 trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) prealloc: yes timeout: 60
-# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - # Flow settings: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow
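Review bot: `memcap` is doubled to 64mb but `hash-size: 65536`, `trackers: 65535` and `max-frags: 65535` are unchanged, so the additional memory can only go into larger fragments, not into more tracked datagrams; if the goal is more fragmented flows under load, those counts have to grow with the memcap. The commit has no body; a sentence on the expected fragment volume would justify the number. Dropping the commented per-host `host-config` example is fine.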
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 397ddcb25..a6be53124 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -412,12 +412,12 @@ defrag: # in bytes.
flow: - memcap: 128mb + memcap: 256mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread + managers: 1 + recyclers: 1
# This option controls the use of vlan ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken)
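Review bot: `managers: 1` and `recyclers: 1` are the defaults the removed comments state, so that part is cosmetic and the message should say so. With `memcap` doubled to 256mb but `hash-size: 65536` and `prealloc: 10000` unchanged, the flow hash will carry longer chains before the memcap is reached; consider scaling `hash-size` with the memcap.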
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index a6be53124..9537e9e12 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -108,7 +108,7 @@ logging: - syslog: enabled: yes facility: local5 - format: "[%i] <%d> -- " + format: "" # type: json
##
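Review bot: `format: ""` drops both `[%i]` (thread id) and `<%d>` (log level) from the syslog lines; the level is redundant because Suricata maps it to the syslog priority, but the thread id is the only way to tell which worker produced a message when troubleshooting. Suggest `format: "[%i] "` instead of an empty string.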
This change also ensures that suricata has a decent number of streams preallocated to be able to handle any bursts in traffic.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 9537e9e12..40777f3ad 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -537,7 +537,8 @@ flow-timeouts: # # is used in a rule. # stream: - memcap: 64mb + memcap: 256mb + prealloc-sessions: 4k checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: @@ -546,10 +547,9 @@ stream: toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true + raw: yes + segment-prealloc: 2048 + check-overlap-different-data: true
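Review bot: `prealloc-sessions: 4k` is not a value Suricata accepts for this key (it takes a plain integer), which is what the last patch of the series, "Fix syntax error", corrects to 4096; squash that fix into this commit so no point in the series has a configuration the engine rejects. The other uncommented lines deserve a word each in the message: `raw: yes` enables raw stream inspection, `segment-prealloc: 2048` preallocates reassembly segments, and `check-overlap-different-data: true` raises an event when a retransmitted segment carries different payload than the original, which is a cheap way to surface TCP-level evasion attempts.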
# Host table: #
This decoder is not very accurate and Teredo has been disabled in Windows by default. Nobody will use this.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 40777f3ad..cedf49589 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -575,7 +575,7 @@ decoder: # Teredo decoder is known to not be completely accurate # it will sometimes detect non-teredo as teredo. teredo: - enabled: true + enabled: false
##
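Review bot: with `teredo.enabled: false`, IPv6 tunnelled in Teredo UDP packets is no longer decoded, so any inner IPv6 traffic is inspected only as opaque UDP; the message gives a defensible reason, but the yaml comment above the key still reads as if the decoder were on, so add a line there saying it is disabled on purpose for IPFire and why.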
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index cedf49589..f53905b55 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -608,9 +608,10 @@ detect: toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes + delayed-detect: yes
prefilter: # default prefiltering setting. "mpm" only creates MPM/fast_pattern
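Review bot: with `delayed-detect: yes` the capture starts before the signatures are loaded, and in IPS mode packets seen during that window are forwarded without rule inspection; that is the "limit the downtime" trade-off the comment describes, but it should be spelled out in the message so operators know that start-up (and rule reload) is an uninspected interval rather than a blocking one.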
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index f53905b55..12937ab22 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -538,7 +538,7 @@ flow-timeouts: # stream: memcap: 256mb - prealloc-sessions: 4k + prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly:
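Review bot: this corrects the `4k` value introduced earlier in the same series ("Increase memory size for the stream engine"); squash it into that commit rather than leaving an intermediate configuration that Suricata refuses, since anyone bisecting will land on it.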
Hello Michael,
thanks for working on optimizing the suricata configuration file.
I've merged all of the patches except number "8" and "10", which do not apply with "git am".
When simply adding the changes with "patch" the changes can be applied - any idea why this happened?
Thanks in advance,
-Stefan
Hi,
Did you apply all of them in order?
It is not very helpful to only merge half the patchset.
Did you use pwclient?
-Michael
On 1 Mar 2019, at 17:09, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hello Michael,
thanks for working on optimizing the suricata configuration file.
I've merged all of the patches except number "8" and "10", which do not apply with "git am".
When simply adding the changes with "patch" the changes can be applied - any idea why this happened?
Thanks in advance,
-Stefan
Hi,
Did you apply all of them in order?
Yes, I did.
The reported two patches did not apply.
However, the changes in the second patch depend on modifications from the first one, but why does the first one not apply using "git am"?
It is not very helpful to only merge half the patchset.
Did you use pwclient?
-Michael
Why are you asking me that?
What does “git am” tell you? There should be a reason why it didn’t work.
Probably there have been other changes in the section?
-Michael
On 1 Mar 2019, at 19:01, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hi,
Did you apply all of them in order?
Yes, I did.
The reported two patches did not apply.
However, the changes in the second patch depend on modifications from the first one, but why does the first one not apply using "git am"?
It is not very helpful to only merge half the patchset.
Did you use pwclient?
-Michael
Hi,
I rebased the whole branch and sent a second patchset with the three remaining patches only.
Hope that helps and merges.
-Michael
On 2 Mar 2019, at 16:52, Michael Tremer michael.tremer@ipfire.org wrote:
Why are you asking me that?
What does “git am” tell you? There should be a reason why it didn’t work.
Probably there have been other changes in the section?
-Michael
On 1 Mar 2019, at 19:01, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hi,
Did you apply all of them in order?
Yes, I did.
The reported two patches did not apply.
However, the changes in the second patch depend on modifications made by the first one, but why does the first one not apply with "git am"?
It is not very helpful to only merge half the patchset.
Did you use pwclient?
-Michael
On 1 Mar 2019, at 17:09, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hello Michael,
thanks for working on optimizing the suricata configuration file.
I've merged all of the patches except numbers "8" and "10", which do not apply with "git am".
When simply adding the changes with "patch", the changes can be applied - any idea why this happened?
Thanks in advance,
-Stefan
Hello Michael,
thanks for rebasing and resubmitting your patches.
This time everything worked well - merged.
Best regards,
-Stefan