Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- lfs/suricata | 10 ++++++---- src/initscripts/system/suricata | 10 +++++----- 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/lfs/suricata b/lfs/suricata index b3d22003b..e17eb5e08 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.1.6 +VER = 5.0.1
THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = da5de1e8053f05cbd295793210117d34 +$(DL_FILE)_MD5 = 8ba12183d5d4b086755e6f510f2149e2
install : $(TARGET)
@@ -82,7 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --disable-python \ --with-libjansson-libraries=/usr/lib \ --with-libjansson-includes=/usr/include \ - --disable-suricata-update + --disable-suricata-update \ + --enable-rust + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install cd $(DIR_APP) && make install-conf diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5dc408262..29e58a7e2 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -6,7 +6,7 @@ # # Author : Stefan Schantl stefan.schantl@ipfire.org # -# Version : 01.02 +# Version : 01.03 # # Notes : # @@ -159,11 +159,11 @@ case "$1" in cpu_count=$(get_cpu_count)
# Numer of NFQUES. - NFQUEUES= + NFQUEUES="-q 0"
- for i in $(seq 0 $((cpu_count-1)) ); do - NFQUEUES+="-q $i " - done + if [ $cpu_count -gt "1" ]; then + NFQUEUES+=":$(($cpu_count-1))" + fi
# Check if the IDS should be started. if [ "$ENABLE_IDS" == "on" ]; then
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index af9cb75a9..6a1af48fa 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -148,7 +148,9 @@ nfq: app-layer: protocols: krb5: - enabled: no # Requires rust + enabled: yes + snmp: + enabled: yes ikev2: enabled: yes tls: @@ -156,6 +158,12 @@ app-layer: detection-ports: dp: "[443,444,465,853,993,995]"
+ # Generate JA3 fingerprint from client hello. If not specified it + # will be disabled by default, but enabled if rules require it. + #ja3-fingerprints: auto + # Generate JA3 fingerprint from client hello + ja3-fingerprints: no + # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow # bypass. If disabled (the default), TLS/SSL session is still @@ -165,6 +173,8 @@ app-layer: enabled: yes ftp: enabled: yes + rdp: + enabled: no ssh: enabled: yes smtp: @@ -203,9 +213,10 @@ app-layer: enabled: yes detection-ports: dp: 139, 445 - # smb2 detection is disabled internally inside the engine. - #smb2: - # enabled: yes + nfs: + enabled: yes + tftp: + enabled: yes dns: # memcaps. Globally and per flow/state. global-memcap: 32mb @@ -271,6 +282,12 @@ app-layer: double-decode-path: no double-decode-query: no
+ ntp: + enabled: yes + dhcp: + enabled: yes + sip: + enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
Hello,
On 23 Jan 2020, at 09:44, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index af9cb75a9..6a1af48fa 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -148,7 +148,9 @@ nfq: app-layer: protocols: krb5:
enabled: no # Requires rust
enabled: yes- snmp:
enabled: yes@@ -156,6 +158,12 @@ app-layer: detection-ports: dp: "[443,444,465,853,993,995]"
# Generate JA3 fingerprint from client hello. If not specified it# will be disabled by default, but enabled if rules require it.#ja3-fingerprints: auto# Generate JA3 fingerprint from client helloja3-fingerprints: no# Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow # bypass. If disabled (the default), TLS/SSL session is still@@ -165,6 +173,8 @@ app-layer: enabled: yes ftp: enabled: yes
- rdp:
enabled: no
Why is RDP disabled?
This protocol is highly exploitable and I am sure that all rulesets have plenty of rules for this.
Ideally the IPS should never see any RDP traffic going out to the Internet, but lets be honest, people do this.
ssh: enabled: yes smtp:@@ -203,9 +213,10 @@ app-layer: enabled: yes detection-ports: dp: 139, 445
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- nfs:
enabled: yes- tftp:
enabled: yes@@ -271,6 +282,12 @@ app-layer: double-decode-path: no double-decode-query: no
- ntp:
enabled: yes- dhcp:
enabled: yes- sip:
enabled: yes# Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 -- 2.25.0.rc0
Hello Michael,
thanks for reviewing and reporting the issue with the RDP parser.
During importing the configuration details for the new suricata version, I found, that various protocol parsers are disabled by default and enabled all of them.
I assume I simple forget to set the value to "yes" for RDP after I removed the comment that the parser is disabled by default.
I'll send an extra patch which will do that.
Many thanks,
-Stefan
Hello,
On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl@ipfire.org
wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index af9cb75a9..6a1af48fa 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -148,7 +148,9 @@ nfq: app-layer: protocols: krb5:
enabled: no # Requires rust
enabled: yes- snmp:
enabled: yes@@ -156,6 +158,12 @@ app-layer: detection-ports: dp: "[443,444,465,853,993,995]"
# Generate JA3 fingerprint from client hello. If notspecified it
# will be disabled by default, but enabled if rules requireit.
#ja3-fingerprints: auto# Generate JA3 fingerprint from client helloja3-fingerprints: no# Completely stop processing TLS/SSL session after thehandshake # completed. If bypass is enabled this will also trigger flow # bypass. If disabled (the default), TLS/SSL session is still @@ -165,6 +173,8 @@ app-layer: enabled: yes ftp: enabled: yes
- rdp:
enabled: noWhy is RDP disabled?
This protocol is highly exploitable and I am sure that all rulesets have plenty of rules for this.
Ideally the IPS should never see any RDP traffic going out to the Internet, but lets be honest, people do this.
ssh: enabled: yes smtp:@@ -203,9 +213,10 @@ app-layer: enabled: yes detection-ports: dp: 139, 445
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- nfs:
enabled: yes- tftp:
enabled: yes@@ -271,6 +282,12 @@ app-layer: double-decode-path: no double-decode-query: no
- ntp:
enabled: yes- dhcp:
enabled: yes- sip:
enabled: yes# Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 -- 2.25.0.rc0
Okay, thx.
On 23 Jan 2020, at 11:22, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hello Michael,
thanks for reviewing and reporting the issue with the RDP parser.
During importing the configuration details for the new suricata version, I found, that various protocol parsers are disabled by default and enabled all of them.
I assume I simple forget to set the value to "yes" for RDP after I removed the comment that the parser is disabled by default.
I'll send an extra patch which will do that.
Many thanks,
-Stefan
Hello,
On 23 Jan 2020, at 09:44, Stefan Schantl <stefan.schantl@ipfire.org
wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index af9cb75a9..6a1af48fa 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -148,7 +148,9 @@ nfq: app-layer: protocols: krb5:
enabled: no # Requires rust
enabled: yes- snmp:
enabled: yes@@ -156,6 +158,12 @@ app-layer: detection-ports: dp: "[443,444,465,853,993,995]"
# Generate JA3 fingerprint from client hello. If notspecified it
# will be disabled by default, but enabled if rules requireit.
#ja3-fingerprints: auto# Generate JA3 fingerprint from client helloja3-fingerprints: no- # Completely stop processing TLS/SSL session after the
handshake # completed. If bypass is enabled this will also trigger flow # bypass. If disabled (the default), TLS/SSL session is still @@ -165,6 +173,8 @@ app-layer: enabled: yes ftp: enabled: yes
- rdp:
enabled: noWhy is RDP disabled?
This protocol is highly exploitable and I am sure that all rulesets have plenty of rules for this.
Ideally the IPS should never see any RDP traffic going out to the Internet, but lets be honest, people do this.
ssh: enabled: yes smtp: @@ -203,9 +213,10 @@ app-layer: enabled: yes detection-ports: dp: 139, 445
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- nfs:
enabled: yes- tftp:
enabled: yes@@ -271,6 +282,12 @@ app-layer: double-decode-path: no double-decode-query: no
- ntp:
enabled: yes- dhcp:
enabled: yes- sip:
enabled: yes# Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 -- 2.25.0.rc0
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 6a1af48fa..ed71898f4 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -174,7 +174,7 @@ app-layer: ftp: enabled: yes rdp: - enabled: no + enabled: yes ssh: enabled: yes smtp:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/ruleset-sources | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index ef8d8482b..814a3e0d1 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -1,8 +1,8 @@ # Ruleset for registered sourcefire users. -registered = https://www.snort.org/rules/snortrules-snapshot-29150.tar.gz?oinkcode=<oinkcode> +registered = https://www.snort.org/rules/snortrules-snapshot-29151.tar.gz?oinkcode=<oinkcode>
# Ruleset for registered sourcefire users with valid subscription. -subscripted = https://www.snort.org/rules/snortrules-snapshot-29150.tar.gz?oinkcode=<oinkcode> +subscripted = https://www.snort.org/rules/snortrules-snapshot-29151.tar.gz?oinkcode=<oinkcode>
# Community rules from sourcefire. community = https://www.snort.org/rules/community
-
Michael Tremer -
Stefan Schantl