[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 833d42fed0d733952a95b98e016d0560b5142e1d

9 Apr 2024

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
       via  833d42fed0d733952a95b98e016d0560b5142e1d (commit)
       via  ee13f80e5938cc4e16304810a356462647f46c3c (commit)
       via  b7da97fd59f010ea8fa7bca845d18e52ca89bc5a (commit)
       via  b4847c387a9692a09b0921b87198d411f548d0ed (commit)
       via  763c7f67fa93f4a2f0284a6a65fb39a13d76844b (commit)
       via  76a451809154ae1aa338e2ec38b820283a68b788 (commit)
       via  64e057aaa5ac0eb45094773709e481b535891ec4 (commit)
       via  4d24d99461e3aa79ab8565ba2d96ced1ec3f6b83 (commit)
       via  a4ade63ef1823a6f5e657f0c0ebb60be5fd3ad33 (commit)
      from  11a778d832105c7cfe2b3bee894e18b501b7751d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 833d42fed0d733952a95b98e016d0560b5142e1d
Merge: 11a778d832 ee13f80e59
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Tue Apr 9 06:52:42 2024 +0200
Merge remote-tracking branch 'origin/master' into next
-----------------------------------------------------------------------
Summary of changes:
 config/suricata/suricata.yaml | 562 ++++++++++++++++++++++++++++++++----------
 lfs/configroot                |   4 +-
 2 files changed, 430 insertions(+), 136 deletions(-)
Difference in files:

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 5bec5cd01..dc142d690 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -40,6 +40,9 @@ vars:
     MODBUS_PORTS: 502
     FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
     FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
##
 ## Ruleset specific options.
@@ -58,21 +61,24 @@ threshold-file: /usr/share/suricata/threshold.config
 ##
 default-log-dir: /var/log/suricata/
-# global stats configuration
+# Global stats configuration
 stats:
   enabled: no
-  # The interval field (in seconds) controls at what interval
-  # the loggers are invoked.
+  # The interval field (in seconds) controls the interval at
+  # which stats are updated in the log.
   interval: 8
-
-  # Add decode events as stats.
+  # Add decode events to stats.
   #decoder-events: true
   # Decoder event prefix in stats. Has been 'decoder' before, but that leads
   # to missing events in the eve.stats records. See issue #2225.
-  decoder-events-prefix: "decoder.event"
+  #decoder-events-prefix: "decoder.event"
   # Add stream events as stats.
   #stream-events: false
+# Plugins -- Experimental -- specify the filename for each plugin shared object
+plugins:
+#   - /path/to/plugin.so
+
 # Configure the type of alert (and other) logging you would like.
 outputs:
   # a line based alerts log similar to Snort's fast.log
@@ -96,12 +102,16 @@ outputs:
       enabled: no
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
+      # Enable for multi-threaded eve.json output; output files are amended with
+      # an identifier, e.g., eve.9.json
+      #threaded: false
       #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
       #identity: "suricata"
       #facility: local5
       #level: Info ## possible levels: Emergency, Alert, Critical,
                    ## Error, Warning, Notice, Info, Debug
+      #ethernet: no  # log ethernet header in events when available
       #redis:
       #  server: 127.0.0.1
       #  port: 6379
@@ -113,10 +123,10 @@ outputs:
       # Redis pipelining set up. This will enable to only do a query every
       # 'batch-size' events. This should lower the latency induced by network
       # connection at the cost of some memory. There is no flushing implemented
-      # so this setting as to be reserved to high traffic suricata.
+      # so this setting should be reserved to high traffic Suricata deployments.
       #  pipelining:
       #    enabled: yes ## set enable to yes to enable query pipelining
-      #    batch-size: 10 ## number of entry to keep in buffer
+      #    batch-size: 10 ## number of entries to keep in buffer
# Include top level metadata. Default yes.
       #metadata: no
@@ -126,8 +136,8 @@ outputs:
# Community Flow ID
       # Adds a 'community_id' field to EVE records. These are meant to give
-      # a records a predictable flow id that can be used to match records to
-      # output of other tools such as Bro.
+      # records a predictable flow ID that can be used to match records to
+      # output of other tools such as Zeek (Bro).
       #
       # Takes a 'seed' that needs to be same across sensors and tools
       # to make the id less predictable.
@@ -144,13 +154,13 @@ outputs:
       # or forward proxied.
       xff:
         enabled: no
-        # Two operation modes are available, "extra-data" and "overwrite".
+        # Two operation modes are available: "extra-data" and "overwrite".
         mode: extra-data
-        # Two proxy deployments are supported, "reverse" and "forward". In
+        # Two proxy deployments are supported: "reverse" and "forward". In
         # a "reverse" deployment the IP address used is the last one, in a
         # "forward" deployment the first IP address is used.
         deployment: reverse
-        # Header name where the actual IP address will be reported, if more
+        # Header name where the actual IP address will be reported. If more
         # than one IP address is present, the last IP address will be the
         # one taken into consideration.
         header: X-Forwarded-For
@@ -162,12 +172,20 @@ outputs:
             # payload-printable: yes   # enable dumping payload in printable (lossy) format
             # packet: yes              # enable dumping of packet (without stream segments)
             # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
-            # http-body: yes           # Requires metadata; enable dumping of http body in Base64
-            # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
+            # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
+            # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
# Enable the logging of tagged packets for rules using the
             # "tag" keyword.
             tagged-packets: yes
+            # Enable logging the final action taken on a packet by the engine
+            # (e.g: the alert may have action 'allowed' but the verdict be
+            # 'drop' due to another alert. That's the engine's verdict)
+            # verdict: yes
+        # app layer frames
+        - frame:
+            # disabled by default as this is very verbose.
+            enabled: no
         - anomaly:
             # Anomaly log records describe unexpected conditions such
             # as truncated packets, packets with invalid IP/UDP/TCP
@@ -190,9 +208,9 @@ outputs:
             # specific conditions that are unexpected, invalid or are
             # unexpected given the application monitoring state.
             #
-            # By default, anomaly logging is disabled. When anomaly
+            # By default, anomaly logging is enabled. When anomaly
             # logging is enabled, applayer anomaly reporting is
-            # enabled.
+            # also enabled.
             enabled: yes
             #
             # Choose one or more types of anomaly logging and whether to enable
@@ -204,16 +222,16 @@ outputs:
             #packethdr: no
         - http:
             extended: yes     # enable this for extended logging information
-            # custom allows additional http fields to be included in eve-log
+            # custom allows additional HTTP fields to be included in eve-log.
             # the example below adds three additional fields when uncommented
             #custom: [Accept-Encoding, Accept-Language, Authorization]
-            # set this value to one and only one among {both, request, response}
-            # to dump all http headers for every http request and/or response
+            # set this value to one and only one from {both, request, response}
+            # to dump all HTTP headers for every HTTP request and/or response
             # dump-all-headers: none
         - dns:
             # This configuration uses the new DNS logging format,
             # the old configuration is still available:
-            # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dn...
+            # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-fo...
# As of Suricata 5.0, version 2 of the eve dns output
             # format is the default.
@@ -235,7 +253,7 @@ outputs:
             # Default: all
             #formats: [detailed, grouped]
-            # Types to log, based on the query type.
+            # DNS record types to log, based on the query type.
             # Default: all.
             #types: [a, aaaa, cname, mx, ns, ptr, txt]
         - tls:
@@ -243,8 +261,7 @@ outputs:
             # output TLS transaction where the session is resumed using a
             # session id
             #session-resumption: no
-            # custom allows to control which tls fields that are included
-            # in eve-log
+            # custom controls which TLS fields that are included in eve-log
             #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
         - files:
             force-magic: no   # force logging magic on all logged files
@@ -255,6 +272,9 @@ outputs:
         #    alerts: yes      # log alerts that caused drops
         #    flows: all       # start or all: 'start' logs only a single drop
         #                     # per flow direction. All logs each dropped pkt.
+            # Enable logging the final action taken on a packet by the engine
+            # (will show more information in case of a drop caused by 'reject')
+            # verdict: yes
         - smtp:
             #extended: yes # enable this for extended logging information
             # this includes: bcc, message-id, subject, x_mailer, user-agent
@@ -274,12 +294,14 @@ outputs:
         - nfs
         - smb
         - tftp
-        - ikev2
+        - ike
         - dcerpc
         - krb5
+        - bittorrent-dht
         - snmp
         - rfb
         - sip
+        - quic
         - dhcp:
             enabled: yes
             # When extended mode is on, all DHCP messages are logged
@@ -290,10 +312,10 @@ outputs:
         - ssh
         - mqtt:
             # passwords: yes           # enable output of passwords
-        # HTTP2 logging. HTTP2 support is currently experimental and
-        # disabled by default. To enable, uncomment the following line
-        # and be sure to enable http2 in the app-layer section.
-        #- http2
+        - http2
+        - pgsql:
+            enabled: no
+            # passwords: yes           # enable output of passwords. Disabled by default
         - stats:
             totals: yes       # stats for all threads merged together
             threads: no       # per thread stats
@@ -308,22 +330,47 @@ outputs:
         # flowints.
         #- metadata
+        # EXPERIMENTAL per packet output giving TCP state tracking details
+        # including internal state, flags, etc.
+        # This output is experimental, meant for debugging and subject to
+        # change in both config and output without any notice.
+        #- stream:
+        #   all: false                      # log all TCP packets
+        #   event-set: false                # log packets that have a decoder/stream event
+        #   state-update: false             # log packets triggering a TCP state update
+        #   spurious-retransmission: false  # log spurious retransmission packets
+
 logging:
-  # The default log level, can be overridden in an output section.
+  # The default log level: can be overridden in an output section.
   # Note that debug level logging will only be emitted if Suricata was
   # compiled with the --enable-debug configure option.
   #
-  # This value is overriden by the SC_LOG_LEVEL env var.
+  # This value is overridden by the SC_LOG_LEVEL env var.
   default-log-level: Info
+  # The default output format.  Optional parameter, should default to
+  # something reasonable if not provided.  Can be overridden in an
+  # output section.  You can leave this out to get the default.
+  #
+  # This console log format value can be overridden by the SC_LOG_FORMAT env var.
+  #default-log-format: "%D: %S: %M"
+  #
+  # For the pre-7.0 log format use:
+  #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- "
+
   # A regex to filter output.  Can be overridden in an output section.
   # Defaults to empty (no filter).
   #
-  # This value is overriden by the SC_LOG_OP_FILTER env var.
+  # This value is overridden by the SC_LOG_OP_FILTER env var.
   default-output-filter:
+  # Requires libunwind to be available when Suricata is configured and built.
+  # If a signal unexpectedly terminates Suricata, displays a brief diagnostic
+  # message with the offending stacktrace if enabled.
+  #stacktrace-on-signal: on
+
   # Define your logging outputs.  If none are defined, or they are all
-  # disabled you will get the default - console output.
+  # disabled you will get the default: console output.
   outputs:
   - console:
       enabled: no
@@ -332,11 +379,13 @@ logging:
       enabled: no
       level: info
       filename: /var/log/suricata/suricata.log
+      # format: "[%i - %m] %z %d: %S: %M"
       # type: json
   - syslog:
       enabled: yes
       facility: local5
       format: ""
+      #format: "[%i] <%d> -- "
       # type: json
##
@@ -357,27 +406,40 @@ nfq:
 ## Step 5: App Layer Protocol Configuration
 ##
-# Configure the app-layer parsers. The protocols section details each
-# protocol.
+# Configure the app-layer parsers.
+#
+# The error-policy setting applies to all app-layer parsers. Values can be
+# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or
+# "ignore" (the default).
+#
+# The protocol's section details each protocol.
 #
 # The option "enabled" takes 3 values - "yes", "no", "detection-only".
 # "yes" enables both detection and the parser, "no" disables both, and
 # "detection-only" enables protocol detection only (parser disabled).
 app-layer:
+  # error-policy: ignore
   protocols:
+    telnet:
+      enabled: yes
     rfb:
       enabled: yes
       detection-ports:
         dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
-    # MQTT, disabled by default.
     mqtt:
       enabled: yes
       # max-msg-length: 1mb
+      # subscribe-topic-match-limit: 100
+      # unsubscribe-topic-match-limit: 100
+      # Maximum number of live MQTT transactions per flow
+      # max-tx: 4096
     krb5:
       enabled: yes
+    bittorrent-dht:
+      enabled: yes
     snmp:
       enabled: yes
-    ikev2:
+    ike:
       enabled: yes
     tls:
       enabled: yes
@@ -401,29 +463,47 @@ app-layer:
       # For best performance, select 'bypass'.
       #
       encryption-handling: bypass
+
+    pgsql:
+      enabled: no
+      # Stream reassembly size for PostgreSQL. By default, track it completely.
+      stream-depth: 0
+      # Maximum number of live PostgreSQL transactions per flow
+      # max-tx: 1024
     dcerpc:
       enabled: yes
+      # Maximum number of live DCERPC transactions per flow
+      # max-tx: 1024
     ftp:
       enabled: yes
+      # memcap: 64mb
     rdp:
       enabled: yes
     ssh:
       enabled: yes
       #hassh: yes
-    # HTTP2: Experimental HTTP 2 support. Disabled by default.
     http2:
-      enabled: no
+      enabled: yes
+      # Maximum number of live HTTP2 streams in a flow
+      #max-streams: 4096
+      # Maximum headers table size
+      #max-table-size: 65536
+      # Maximum reassembly size for header + continuation frames
+      #max-reassembly-size: 102400
     smtp:
       enabled: yes
+      raw-extraction: no
+      # Maximum number of live SMTP transactions per flow
+      # max-tx: 256
       # Configure SMTP-MIME Decoder
       mime:
         # Decode MIME messages from SMTP transactions
         # (may be resource intensive)
-        # This field supercedes all others because it turns the entire
+        # This field supersedes all others because it turns the entire
         # process on or off
         decode-mime: yes
-        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
+        # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
         decode-base64: yes
         decode-quoted-printable: yes
@@ -433,6 +513,12 @@ app-layer:
# Extract URLs and save in state data structure
         extract-urls: yes
+        # Scheme of URLs to extract
+        # (default is [http])
+        #extract-urls-schemes: [http, https, ftp, mailto]
+        # Log the scheme of URLs that are extracted
+        # (default is no)
+        #log-url-scheme: yes
         # Set to yes to compute the md5 of the mail body. You will then
         # be able to journalize it.
         body-md5: no
@@ -443,14 +529,19 @@ app-layer:
         content-inspect-window: 4096
     imap:
       enabled: yes
-    msn:
-      enabled: yes
     smb:
       enabled: yes
       detection-ports:
         dp: 139, 445
+      # Maximum number of live SMB transactions per flow
+      # max-tx: 1024
+
+      # Stream reassembly size for SMB streams. By default track it completely.
+      #stream-depth: 0
+
     nfs:
       enabled: yes
+      # max-tx: 1024
     tftp:
       enabled: yes
     dns:
@@ -474,17 +565,29 @@ app-layer:
       enabled: yes
       memcap: 256mb
+      # Byte Range Containers default settings
+      # byterange:
+      #   memcap: 100mb
+      #   timeout: 60
+
+      # memcap:                   Maximum memory capacity for HTTP
+      #                           Default is unlimited, values can be 64mb, e.g.
+
       # default-config:           Used when no server-config matches
       #   personality:            List of personalities used by default
       #   request-body-limit:     Limit reassembly of request body for inspection
       #                           by http_client_body & pcre /P option.
       #   response-body-limit:    Limit reassembly of response body for inspection
       #                           by file_data, http_server_body & pcre /Q option.
-      #   double-decode-path:     Double decode path section of the URI
-      #   double-decode-query:    Double decode query section of the URI
-      #   response-body-decompress-layer-limit:
-      #                           Limit to how many layers of compression will be
-      #                           decompressed. Defaults to 2.
+      #
+      #   For advanced options, see the user guide
+
+
+      # server-config:            List of server configurations to use if address matches
+      #   address:                List of IP addresses or networks for this block
+      #   personality:            List of personalities used by this block
+      #
+      #                           Then, all the fields from default-config can be overloaded
       #
       # Currently Available Personalities:
       #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
@@ -495,8 +598,14 @@ app-layer:
# Can be specified in kb, mb, gb.  Just a number indicates
            # it's in bytes.
-           request-body-limit: 0
-           response-body-limit: 0
+           request-body-limit: 100kb
+           response-body-limit: 100kb
+
+           # inspection limits
+           request-body-minimal-inspect-size: 32kb
+           request-body-inspect-window: 4kb
+           response-body-minimal-inspect-size: 40kb
+           response-body-inspect-window: 16kb
# response body decompression (0 disables)
            response-body-decompress-layer-limit: 2
@@ -504,28 +613,79 @@ app-layer:
            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
            http-body-inline: auto
-           # Take a random value for inspection sizes around the specified value.
-           # This lower the risk of some evasion technics but could lead
-           # detection change between runs. It is set to 'yes' by default.
-           randomize-inspection-sizes: yes
-           # If randomize-inspection-sizes is active, the value of various
-           # inspection size will be choosen in the [1 - range%, 1 + range%]
+           # Decompress SWF files. Disabled by default.
+           # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+           # compress-depth:
+           # Specifies the maximum amount of data to decompress,
+           # set 0 for unlimited.
+           # decompress-depth:
+           # Specifies the maximum amount of decompressed data to obtain,
+           # set 0 for unlimited.
+           swf-decompression:
+             enabled: no
+             type: both
+             compress-depth: 100kb
+             decompress-depth: 100kb
+
+           # Use a random value for inspection sizes around the specified value.
+           # This lowers the risk of some evasion techniques but could lead
+           # to detection change between runs. It is set to 'yes' by default.
+           #randomize-inspection-sizes: yes
+           # If "randomize-inspection-sizes" is active, the value of various
+           # inspection size will be chosen from the [1 - range%, 1 + range%]
            # range
-           # Default value of randomize-inspection-range is 10.
-           randomize-inspection-range: 10
+           # Default value of "randomize-inspection-range" is 10.
+           #randomize-inspection-range: 10
# decoding
            double-decode-path: no
            double-decode-query: no
-    # Note: Modbus probe parser is minimalist due to the poor significant field
+           # Can enable LZMA decompression
+           #lzma-enabled: false
+           # Memory limit usage for LZMA decompression dictionary
+           # Data is decompressed until dictionary reaches this size
+           #lzma-memlimit: 1mb
+           # Maximum decompressed size with a compression ratio
+           # above 2048 (only LZMA can reach this ratio, deflate cannot)
+           #compression-bomb-limit: 1mb
+           # Maximum time spent decompressing a single transaction in usec
+           #decompression-time-limit: 100000
+           # Maximum number of live transactions per flow
+           #max-tx: 512
+
+         server-config:
+
+           #- apache:
+           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+           #    personality: Apache_2
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+           #- iis7:
+           #    address:
+           #      - 192.168.0.0/24
+           #      - 192.168.10.0/24
+           #    personality: IIS_7_0
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+    # Note: Modbus probe parser is minimalist due to the limited usage in the field.
     # Only Modbus message length (greater than Modbus header length)
-    # And Protocol ID (equal to 0) are checked in probing parser
+    # and protocol ID (equal to 0) are checked in probing parser
     # It is important to enable detection port and define Modbus port
-    # to avoid false positive
+    # to avoid false positives
     modbus:
-      # How many unreplied Modbus requests are considered a flood.
-      # If the limit is reached, app-layer-event:modbus.flooded; will match.
+      # How many unanswered Modbus requests are considered a flood.
+      # If the limit is reached, the app-layer-event:modbus.flooded; will match.
       #request-flood: 500
enabled: no
@@ -555,14 +715,37 @@ app-layer:
ntp:
       enabled: yes
+
+    quic:
+      enabled: yes
+
     dhcp:
       enabled: yes
+
     sip:
-      enabled: yes
+      #enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256
+# Datasets default settings
+datasets:
+  # Default fallback memcap and hashsize values for datasets in case these
+  # were not explicitly defined.
+  defaults:
+    #memcap: 100mb
+    #hashsize: 2048
+
+  rules:
+    # Set to true to allow absolute filenames and filenames that use
+    # ".." components to reference parent directories in rules that specify
+    # their filenames.
+    #allow-absolute-filenames: false
+
+    # Allow datasets in rules write access for "save" and
+    # "state". This is enabled by default, however write access is
+    # limited to the data directory.
+    #allow-write: true
##############################################################################
 ##
@@ -574,11 +757,52 @@ asn1-max-frames: 256
 ## Run Options
 ##
-# Run suricata as user and group.
+# Run Suricata with a specific user-id and group-id:
 run-as:
   user: suricata
   group: suricata
+security:
+  # if true, prevents process creation from Suricata by calling
+  # setrlimit(RLIMIT_NPROC, 0)
+  limit-noproc: true
+  # Use landlock security module under Linux
+  landlock:
+    enabled: no
+    directories:
+      write:
+        - /run
+      # /usr and /etc folders are added to read list to allow
+      # file magic to be used.
+      read:
+        - /usr/share/misc/magic.mgc
+        - /usr/share/suricata
+        - /var/ipfire/suricata
+        - /var/lib/suricata
+
+  lua:
+    # Allow Lua rules. Disabled by default.
+    #allow-rules: false
+
+# Some logging modules will use that name in event as identifier. The default
+# value is the hostname
+#sensor-name: suricata
+
+# Default location of the pid file. The pid file is only used in
+# daemon mode (start Suricata with -D). If not running in daemon mode
+# the --pidfile command line option must be used to create a pid file.
+pid-file: /var/run/suricata.pid
+
+# Daemon working directory
+# Suricata will change directory to this one if provided
+# Default: "/"
+#daemon-directory: "/"
+
+# Umask.
+# Suricata will use this umask if it is provided. By default it will use the
+# umask passed on by the shell.
+#umask: 022
+
 # Suricata core dump configuration. Limits the size of the core dump file to
 # approximately max-dump. The actual core dump size will be a multiple of the
 # page size. Core dumps that would be larger than max-dump are truncated. On
@@ -591,9 +815,9 @@ run-as:
 coredump:
   max-dump: unlimited
-# If suricata box is a router for the sniffed networks, set it to 'router'. If
+# If the Suricata box is a router for the sniffed networks, set it to 'router'. If
 # it is a pure sniffing setup, set it to 'sniffer-only'.
-# If set to auto, the variable is internally switch to 'router' in IPS mode
+# If set to auto, the variable is internally switched to 'router' in IPS mode
 # and 'sniffer-only' in IDS mode.
 # This feature is currently only used by the reject* keywords.
 host-mode: auto
@@ -601,32 +825,31 @@ host-mode: auto
 # Number of packets preallocated per thread. The default is 1024. A higher number 
 # will make sure each CPU will be more easily kept busy, but may negatively 
 # impact caching.
-max-pending-packets: 1024
+#max-pending-packets: 1024
# Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
-# load balancing).
+# runmodes for each packet acquisition method. Default depends on selected capture
+# method. 'workers' generally gives best performance.
 runmode: workers
# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
 #
 # Supported schedulers are:
 #
-# round-robin       - Flows assigned to threads in a round robin fashion.
-# active-packets    - Flows assigned to threads that have the lowest number of
-#                     unprocessed packets (default).
-# hash              - Flow alloted usihng the address hash. More of a random
-#                     technique. Was the default in Suricata 1.2.1 and older.
+# hash     - Flow assigned to threads using the 5-7 tuple hash.
+# ippair   - Flow assigned to threads using addresses only.
+# ftp-hash - Flow assigned to threads using the hash, except for FTP, so that
+#            ftp-data flows will be handled by the same thread
 #
-#autofp-scheduler: active-packets
+#autofp-scheduler: hash
-# Preallocated size for packet. Default is 1514 which is the classical
-# size for pcap on ethernet. You should adjust this value to the highest
+# Preallocated size for each packet. Default is 1514 which is the classical
+# size for pcap on Ethernet. You should adjust this value to the highest
 # packet size (MTU + hardware header) on your system.
-default-packet-size: 1514
+#default-packet-size: 1514
-# Unix command socket can be used to pass commands to suricata.
-# An external tool can then connect to get information from suricata
+# Unix command socket that can be used to pass commands to Suricata.
+# An external tool can then connect to get information from Suricata
 # or trigger some modifications of the engine. Set enabled to yes
 # to activate the feature. In auto mode, the feature will only be
 # activated in live capture mode. You can use the filename variable to set
@@ -645,7 +868,7 @@ legacy:
 ## Detection settings
 ##
-# Set the order of alerts bassed on actions
+# Set the order of alerts based on actions
 # The default order is pass, drop, reject, alert
 # action-order:
 #   - pass
@@ -653,6 +876,22 @@ legacy:
 #   - reject
 #   - alert
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+#packet-alert-max: 15
+
+# Exception Policies
+#
+# Define a common behavior for all exception policies.
+# In IPS mode, the default is drop-flow. For cases when that's not possible, the
+# engine will fall to drop-packet. To fallback to old behavior (setting each of
+# them individually, or ignoring all), set this to ignore.
+# All values available for exception policies can be used, and there is one
+# extra option: auto - which means drop-flow or drop-packet (as explained above)
+# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet,
+# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
+exception-policy: pass-packet
+
 # When run with the option --engine-analysis, the engine will read each of
 # the parameters below, and print reports for each of the enabled sections
 # and exit.  The reports are printed to a file in the default log dir
@@ -694,8 +933,11 @@ host-os-policy:
# Defrag settings:
+# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or
+# "ignore" (which is the default).
 defrag:
   memcap: 64mb
+  # memcap-policy: ignore
   hash-size: 65536
   trackers: 65535 # number of defragmented flows to follow
   max-frags: 65535 # number of fragments to keep (higher than trackers)
@@ -706,44 +948,53 @@ defrag:
 # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 # for flow allocation inside the engine. You can change this value to allow
 # more memory usage for flows.
-# The hash-size determine the size of the hash used to identify flows inside
+# The hash-size determines the size of the hash used to identify flows inside
 # the engine, and by default the value is 65536.
-# At the startup, the engine can preallocate a number of flows, to get a better
+# At startup, the engine can preallocate a number of flows, to get better
 # performance. The number of flows preallocated is 10000 by default.
-# emergency-recovery is the percentage of flows that the engine need to
-# prune before unsetting the emergency state. The emergency state is activated
-# when the memcap limit is reached, allowing to create new flows, but
-# prunning them with the emergency timeouts (they are defined below).
+# emergency-recovery is the percentage of flows that the engine needs to
+# prune before clearing the emergency state. The emergency state is activated
+# when the memcap limit is reached, allowing new flows to be created, but
+# pruning them with the emergency timeouts (they are defined below).
 # If the memcap is reached, the engine will try to prune flows
-# with the default timeouts. If it doens't find a flow to prune, it will set
-# the emergency bit and it will try again with more agressive timeouts.
-# If that doesn't work, then it will try to kill the last time seen flows
-# not in use.
+# with the default timeouts. If it doesn't find a flow to prune, it will set
+# the emergency bit and it will try again with more aggressive timeouts.
+# If that doesn't work, then it will try to kill the oldest flows using
+# last time seen flows.
 # The memcap can be specified in kb, mb, gb.  Just a number indicates it's
 # in bytes.
+# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore"
+# (which is the default).
flow:
   memcap: 256mb
+  #memcap-policy: ignore
   hash-size: 65536
   prealloc: 10000
   emergency-recovery: 30
-  managers: 1
-  recyclers: 1
+  #managers: 1 # default to one flow manager
+  #recyclers: 1 # default to one flow recycler thread
-# This option controls the use of vlan ids in the flow (and defrag)
+# This option controls the use of VLAN ids in the flow (and defrag)
 # hashing. Normally this should be enabled, but in some (broken)
-# setups where both sides of a flow are not tagged with the same vlan
-# tag, we can ignore the vlan id's in the flow hashing.
+# setups where both sides of a flow are not tagged with the same VLAN
+# tag, we can ignore the VLAN id's in the flow hashing.
 vlan:
   use-for-tracking: true
+# This option controls the use of livedev ids in the flow (and defrag)
+# hashing. This is enabled by default and should be disabled if
+# multiple live devices are used to capture traffic from the same network
+livedev:
+  use-for-tracking: true
+
 # Specific timeouts for flows. Here you can specify the timeouts that the
 # active flows will wait to transit from the current state to another, on each
-# protocol. The value of "new" determine the seconds to wait after a hanshake or
-# stream startup before the engine free the data of that flow it doesn't
+# protocol. The value of "new" determines the seconds to wait after a handshake or
+# stream startup before the engine frees the data of that flow it doesn't
 # change the state to established (usually if we don't receive more packets
 # of that flow). The value of "established" is the amount of
-# seconds that the engine will wait to free the flow if it spend that amount
+# seconds that the engine will wait to free the flow if that time elapses
 # without receiving new packets or closing the connection. "closed" is the
 # amount of time to wait after a flow is closed (usually zero). "bypassed"
 # timeout controls locally bypassed flows. For these flows we don't do any other
@@ -794,28 +1045,42 @@ flow-timeouts:
 # engine is configured.
 #
 # stream:
-#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
+#   memcap: 64mb                # Can be specified in kb, mb, gb.  Just a
 #                               # number indicates it's in bytes.
+#   memcap-policy: ignore       # Can be "drop-flow", "pass-flow", "bypass",
+#                               # "drop-packet", "pass-packet", "reject" or
+#                               # "ignore" default is "ignore"
 #   checksum-validation: yes    # To validate the checksum of received
 #                               # packet. If csum validation is specified as
-#                               # "yes", then packet with invalid csum will not
+#                               # "yes", then packets with invalid csum values will not
 #                               # be processed by the engine stream/app layer.
-#                               # Warning: locally generated trafic can be
+#                               # Warning: locally generated traffic can be
 #                               # generated without checksum due to hardware offload
 #                               # of checksum. You can control the handling of checksum
 #                               # on a per-interface basis via the 'checksum-checks'
 #                               # option
-#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
+#   prealloc-sessions: 2048     # 2k sessions prealloc'd per stream thread
 #   midstream: false            # don't allow midstream session pickups
+#   midstream-policy: ignore    # Can be "drop-flow", "pass-flow", "bypass",
+#                               # "drop-packet", "pass-packet", "reject" or
+#                               # "ignore" default is "ignore"
 #   async-oneside: false        # don't enable async stream handling
 #   inline: no                  # stream inline mode
 #   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
+#   max-syn-queued: 10          # Max different SYNs to queue
 #   max-synack-queued: 5        # Max different SYN/ACKs to queue
-#   bypass: no                  # Bypass packets when stream.depth is reached
+#   bypass: no                  # Bypass packets when stream.reassembly.depth is reached.
+#                               # Warning: first side to reach this triggers
+#                               # the bypass.
+#   liberal-timestamps: false   # Treat all timestamps as if the Linux policy applies. This
+#                               # means it's slightly more permissive. Enabled by default.
 #
 #   reassembly:
-#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
+#     memcap: 256mb             # Can be specified in kb, mb, gb.  Just a number
 #                               # indicates it's in bytes.
+#     memcap-policy: ignore     # Can be "drop-flow", "pass-flow", "bypass",
+#                               # "drop-packet", "pass-packet", "reject" or
+#                               # "ignore" default is "ignore"
 #     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
 #                               # indicates it's in bytes.
 #     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
@@ -825,8 +1090,8 @@ flow-timeouts:
 #                               # this size.  Can be specified in kb, mb,
 #                               # gb.  Just a number indicates it's in bytes.
 #     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
-#                               # This lower the risk of some evasion technics but could lead
-#                               # detection change between runs. It is set to 'yes' by default.
+#                               # This lowers the risk of some evasion techniques but could lead
+#                               # to detection change between runs. It is set to 'yes' by default.
 #     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
 #                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
 #                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
@@ -850,22 +1115,27 @@ flow-timeouts:
 stream:
   memcap: 256mb
   prealloc-sessions: 4096
-  checksum-validation: yes      # reject wrong csums
+  #memcap-policy: ignore
+  checksum-validation: yes      # reject incorrect csums
+  midstream: true
+  midstream-policy: pass-packet
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
   bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
   reassembly:
     memcap: 256mb
+    #memcap-policy: ignore
     depth: 1mb                  # reassemble 1mb into a stream
     toserver-chunk-size: 2560
     toclient-chunk-size: 2560
     randomize-chunk-size: yes
+    #randomize-chunk-range: 10
     raw: yes
     segment-prealloc: 2048
     check-overlap-different-data: true
# Host table:
 #
-# Host table is used by tagging and per host thresholding subsystems.
+# Host table is used by the tagging and per host thresholding subsystems.
 #
 host:
   hash-size: 4096
@@ -885,20 +1155,37 @@ host:
decoder:
   # Teredo decoder is known to not be completely accurate
-  # it will sometimes detect non-teredo as teredo.
+  # as it will sometimes detect non-teredo as teredo.
   teredo:
     enabled: false
+    # ports to look for Teredo. Max 4 ports. If no ports are given, or
+    # the value is set to 'any', Teredo detection runs on _all_ UDP packets.
+    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
+
+  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the
+  # IANA assigned port 4789 is enabled.
+  vxlan:
+    enabled: true
+    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
+
+  # Geneve decoder is assigned to up to 4 UDP ports. By default only the
+  # IANA assigned port 6081 is enabled.
+  geneve:
+    enabled: true
+    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
+  # maximum number of decoder layers for a packet
+  # max-layers: 16
##
 ## Performance tuning and profiling
 ##
# The detection engine builds internal groups of signatures. The engine
-# allow us to specify the profile to use for them, to manage memory on an
-# efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
-# make sure to define the values at "- custom-values" as your convenience.
+# allows us to specify the profile to use for them, to manage memory in an
+# efficient way keeping good performance. For the profile keyword you
+# can use the words "low", "medium", "high" or "custom". If you use custom,
+# make sure to define the values in the "custom-values" section.
 # Usually you would prefer medium/high/low.
 #
 # "sgh mpm-context", indicates how the staging should allot mpm contexts for
@@ -912,15 +1199,14 @@ decoder:
 # in the content inspection code.  For certain payload-sig combinations, we
 # might end up taking too much time in the content inspection code.
 # If the argument specified is 0, the engine uses an internally defined
-# default limit.  On not specifying a value, we use no limits on the recursion.
+# default limit.  When a value is not specified, there are no limits on the recursion.
 detect:
-  profile: custom
+  profile: medium
   custom-values:
-    toclient-groups: 200
-    toserver-groups: 200
+    toclient-groups: 3
+    toserver-groups: 25
   sgh-mpm-context: auto
   inspection-recursion-limit: 3000
-
   # If set to yes, the loading of signatures will be made after the capture
   # is started. This will limit the downtime in IPS mode.
   delayed-detect: yes
@@ -932,7 +1218,7 @@ detect:
     default: mpm
# the grouping values above control how many groups are created per
-  # direction. Port whitelisting forces that port to get it's own group.
+  # direction. Port whitelisting forces that port to get its own group.
   # Very common ports will benefit, as well as ports with many expensive
   # rules.
   grouping:
@@ -956,7 +1242,6 @@ detect:
 # The supported algorithms are:
 # "ac"      - Aho-Corasick, default implementation
 # "ac-bs"   - Aho-Corasick, reduced memory implementation
-# "ac-cuda" - Aho-Corasick, CUDA implementation
 # "ac-ks"   - Aho-Corasick, "Ken Steele" variant
 # "hs"      - Hyperscan, available when built with Hyperscan support
 #
@@ -967,12 +1252,8 @@ detect:
 # signature groups, specified by the conf - "detect.sgh-mpm-context".
 # Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
 # to be set to "single", because of ac's memory requirements, unless the
-# ruleset is small enough to fit in one's memory, in which case one can
-# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
-#
-# There is also a CUDA pattern matcher (only available if Suricata was
-# compiled with --enable-cuda: b2g_cuda. Make sure to update your
-# max-pending-packets setting above as well if you use b2g_cuda.
+# ruleset is small enough to fit in memory, in which case one can
+# use "full" with "ac".  The rest of the mpms can be run in "full" mode.
mpm-algo: auto
@@ -989,7 +1270,7 @@ spm-algo: auto
 threading:
   set-cpu-affinity: no
   # Tune cpu affinity of threads. Each family of threads can be bound
-  # on specific CPUs.
+  # to specific CPUs.
   #
   # These 2 apply to the all runmodes:
   # management-cpu-set is used for flow timeout handling, counters
@@ -1001,21 +1282,24 @@ threading:
   #
   cpu-affinity:
     - management-cpu-set:
-        cpu: [ 0 ]  # include only these cpus in affinity settings
+        cpu: [ 0 ]  # include only these CPUs in affinity settings
     - receive-cpu-set:
-        cpu: [ 0 ]  # include only these cpus in affinity settings
+        cpu: [ 0 ]  # include only these CPUs in affinity settings
     - worker-cpu-set:
         cpu: [ "all" ]
         mode: "exclusive"
+        # Use explicitly 3 threads and don't compute number by using
+        # detect-thread-ratio variable:
+        # threads: 3
         prio:
           low: [ 0 ]
           medium: [ "1-2" ]
           high: [ 3 ]
           default: "medium"
-    - verdict-cpu-set:
-        cpu: [ 0 ]
-        prio:
-          default: "high"
+    #- verdict-cpu-set:
+    #    cpu: [ 0 ]
+    #    prio:
+    #      default: "high"
   #
   # By default Suricata creates one "detect" thread per available CPU/CPU core.
   # This setting allows controlling this behaviour. A ratio setting of 2 will
@@ -1026,3 +1310,11 @@ threading:
   # thread will always be created.
   #
   detect-thread-ratio: 1.0
+  #
+  # By default, the per-thread stack size is left to its default setting. If
+  # the default thread stack size is too small, use the following configuration
+  # setting to change the size. Note that if any thread's stack size cannot be
+  # set to this value, a fatal error occurs.
+  #
+  # Generally, the per-thread stack-size should not exceed 8MB.
+  #stack-size: 8mb
diff --git a/lfs/configroot b/lfs/configroot
index 66efe04b5..9f6c1ff8c 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  info@ipfire.org                     #
+# Copyright (C) 2007-2024  IPFire Team  info@ipfire.org                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -133,6 +133,8 @@ $(TARGET) :
    echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
    echo  "DROPSPOOFEDMARTIAN=on"	>> $(CONFIG_ROOT)/optionsfw/settings
    echo  "DROPHOSTILE=on"		>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "LOGDROPHOSTILEIN=on"		>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "LOGDROPHOSTILEOUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
    echo  "LOGDROPCTINVALID=on"	>> $(CONFIG_ROOT)/optionsfw/settings
    echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
    echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
hooks/post-receive
--
IPFire 2.x development tree

    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 833d42fed0d733952a95b98e016d0560b5142e1d