This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  b7da97fd59f010ea8fa7bca845d18e52ca89bc5a (commit)
       via  b4847c387a9692a09b0921b87198d411f548d0ed (commit)
       via  763c7f67fa93f4a2f0284a6a65fb39a13d76844b (commit)
       via  76a451809154ae1aa338e2ec38b820283a68b788 (commit)
       via  64e057aaa5ac0eb45094773709e481b535891ec4 (commit)
       via  4d24d99461e3aa79ab8565ba2d96ced1ec3f6b83 (commit)
       via  a4ade63ef1823a6f5e657f0c0ebb60be5fd3ad33 (commit)
      from  69031f7674295d6d95219a97063c718beecc1052 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b7da97fd59f010ea8fa7bca845d18e52ca89bc5a
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Apr 8 16:01:20 2024 +0000
suricata: Disable Landlock support
See #13645 for details.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b4847c387a9692a09b0921b87198d411f548d0ed
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Apr 8 16:00:41 2024 +0000
suricata: Update require paths for Landlock
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 763c7f67fa93f4a2f0284a6a65fb39a13d76844b
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Apr 8 14:57:49 2024 +0000
suricata: Enable midstream scanning
We require this because Suricata might be restarted due to development or rule refreshment purposes. We should then try to resume any decoders/app-layers wherever possible.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 76a451809154ae1aa338e2ec38b820283a68b788
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Fri Apr 5 21:26:40 2024 +0200
suricata: Set midstream-policy to pass-packet
Set this value to the same as the exception-policy to keep in sync and hopefully have the same behaviour. In case this option is not set an ugly message about a not correctly set value will be logged to syslog during startup.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 64e057aaa5ac0eb45094773709e481b535891ec4
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Fri Apr 5 21:26:39 2024 +0200
suricata: Enable landlock security feature
This will limit the suricata process to only read and write to certain files/directories.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4d24d99461e3aa79ab8565ba2d96ced1ec3f6b83
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Fri Apr 5 21:26:38 2024 +0200
suricata: Set exception-policy to pass-packet
This simply will skip processing a packet that caused an exception and will allow Suricata to process all following packets of a flow.
Reference: #13638
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a4ade63ef1823a6f5e657f0c0ebb60be5fd3ad33
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Fri Apr 5 21:26:37 2024 +0200
suricata: Update suricata.yaml
Update the configuration file for suricata 7.
This includes:
* Default values for newly introduced features and parsers
* Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent
* Update of URL for documentation
* Fixes of various typos and other clarifications
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/suricata/suricata.yaml | 562 ++++++++++++++++++++++++++++++++----------
 1 file changed, 427 insertions(+), 135 deletions(-)
Difference in files: diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 5bec5cd01..dc142d690 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -40,6 +40,9 @@ vars: MODBUS_PORTS: 502 FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544
## ## Ruleset specific options. @@ -58,21 +61,24 @@ threshold-file: /usr/share/suricata/threshold.config ## default-log-dir: /var/log/suricata/
-# global stats configuration +# Global stats configuration stats: enabled: no - # The interval field (in seconds) controls at what interval - # the loggers are invoked. + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. interval: 8 - - # Add decode events as stats. + # Add decode events to stats. #decoder-events: true # Decoder event prefix in stats. Has been 'decoder' before, but that leads # to missing events in the eve.stats records. See issue #2225. - decoder-events-prefix: "decoder.event" + #decoder-events-prefix: "decoder.event" # Add stream events as stats. #stream-events: false
+# Plugins -- Experimental -- specify the filename for each plugin shared object +plugins: +# - /path/to/plugin.so + # Configure the type of alert (and other) logging you would like. outputs: # a line based alerts log similar to Snort's fast.log @@ -96,12 +102,16 @@ outputs: enabled: no filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filename: eve.json + # Enable for multi-threaded eve.json output; output files are amended with + # an identifier, e.g., eve.9.json + #threaded: false #prefix: "@cee: " # prefix to prepend to each log entry # the following are valid when type: syslog above #identity: "suricata" #facility: local5 #level: Info ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug + #ethernet: no # log ethernet header in events when available #redis: # server: 127.0.0.1 # port: 6379 @@ -113,10 +123,10 @@ outputs: # Redis pipelining set up. This will enable to only do a query every # 'batch-size' events. This should lower the latency induced by network # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. + # so this setting should be reserved to high traffic Suricata deployments. # pipelining: # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer + # batch-size: 10 ## number of entries to keep in buffer
# Include top level metadata. Default yes. #metadata: no @@ -126,8 +136,8 @@ outputs:
# Community Flow ID # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. + # records a predictable flow ID that can be used to match records to + # output of other tools such as Zeek (Bro). # # Takes a 'seed' that needs to be same across sensors and tools # to make the id less predictable. @@ -144,13 +154,13 @@ outputs: # or forward proxied. xff: enabled: no - # Two operation modes are available, "extra-data" and "overwrite". + # Two operation modes are available: "extra-data" and "overwrite". mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In + # Two proxy deployments are supported: "reverse" and "forward". In # a "reverse" deployment the IP address used is the last one, in a # "forward" deployment the first IP address is used. deployment: reverse - # Header name where the actual IP address will be reported, if more + # Header name where the actual IP address will be reported. If more # than one IP address is present, the last IP address will be the # one taken into consideration. header: X-Forwarded-For @@ -162,12 +172,20 @@ outputs: # payload-printable: yes # enable dumping payload in printable (lossy) format # packet: yes # enable dumping of packet (without stream segments) # metadata: no # enable inclusion of app layer metadata with alert. Default yes - # http-body: yes # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
# Enable the logging of tagged packets for rules using the # "tag" keyword. tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + # app layer frames + - frame: + # disabled by default as this is very verbose. + enabled: no - anomaly: # Anomaly log records describe unexpected conditions such # as truncated packets, packets with invalid IP/UDP/TCP @@ -190,9 +208,9 @@ outputs: # specific conditions that are unexpected, invalid or are # unexpected given the application monitoring state. # - # By default, anomaly logging is disabled. When anomaly + # By default, anomaly logging is enabled. When anomaly # logging is enabled, applayer anomaly reporting is - # enabled. + # also enabled. enabled: yes # # Choose one or more types of anomaly logging and whether to enable @@ -204,16 +222,16 @@ outputs: #packethdr: no - http: extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log + # custom allows additional HTTP fields to be included in eve-log. # the example below adds three additional fields when uncommented #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response + # set this value to one and only one from {both, request, response} + # to dump all HTTP headers for every HTTP request and/or response # dump-all-headers: none - dns: # This configuration uses the new DNS logging format, # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dn... + # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-fo...
# As of Suricata 5.0, version 2 of the eve dns output # format is the default. @@ -235,7 +253,7 @@ outputs: # Default: all #formats: [detailed, grouped]
- # Types to log, based on the query type. + # DNS record types to log, based on the query type. # Default: all. #types: [a, aaaa, cname, mx, ns, ptr, txt] - tls: @@ -243,8 +261,7 @@ outputs: # output TLS transaction where the session is resumed using a # session id #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log + # custom controls which TLS fields that are included in eve-log #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - files: force-magic: no # force logging magic on all logged files @@ -255,6 +272,9 @@ outputs: # alerts: yes # log alerts that caused drops # flows: all # start or all: 'start' logs only a single drop # # per flow direction. All logs each dropped pkt. + # Enable logging the final action taken on a packet by the engine + # (will show more information in case of a drop caused by 'reject') + # verdict: yes - smtp: #extended: yes # enable this for extended logging information # this includes: bcc, message-id, subject, x_mailer, user-agent @@ -274,12 +294,14 @@ outputs: - nfs - smb - tftp - - ikev2 + - ike - dcerpc - krb5 + - bittorrent-dht - snmp - rfb - sip + - quic - dhcp: enabled: yes # When extended mode is on, all DHCP messages are logged @@ -290,10 +312,10 @@ outputs: - ssh - mqtt: # passwords: yes # enable output of passwords - # HTTP2 logging. HTTP2 support is currently experimental and - # disabled by default. To enable, uncomment the following line - # and be sure to enable http2 in the app-layer section. - #- http2 + - http2 + - pgsql: + enabled: no + # passwords: yes # enable output of passwords. Disabled by default - stats: totals: yes # stats for all threads merged together threads: no # per thread stats @@ -308,22 +330,47 @@ outputs: # flowints. #- metadata
+ # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. + # This output is experimental, meant for debugging and subject to + # change in both config and output without any notice. + #- stream: + # all: false # log all TCP packets + # event-set: false # log packets that have a decoder/stream event + # state-update: false # log packets triggering a TCP state update + # spurious-retransmission: false # log spurious retransmission packets + logging: - # The default log level, can be overridden in an output section. + # The default log level: can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # - # This value is overriden by the SC_LOG_LEVEL env var. + # This value is overridden by the SC_LOG_LEVEL env var. default-log-level: Info
+ # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This console log format value can be overridden by the SC_LOG_FORMAT env var. + #default-log-format: "%D: %S: %M" + # + # For the pre-7.0 log format use: + #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " + # A regex to filter output. Can be overridden in an output section. # Defaults to empty (no filter). # - # This value is overriden by the SC_LOG_OP_FILTER env var. + # This value is overridden by the SC_LOG_OP_FILTER env var. default-output-filter:
+ # Requires libunwind to be available when Suricata is configured and built. + # If a signal unexpectedly terminates Suricata, displays a brief diagnostic + # message with the offending stacktrace if enabled. + #stacktrace-on-signal: on + # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. + # disabled you will get the default: console output. outputs: - console: enabled: no @@ -332,11 +379,13 @@ logging: enabled: no level: info filename: /var/log/suricata/suricata.log + # format: "[%i - %m] %z %d: %S: %M" # type: json - syslog: enabled: yes facility: local5 format: "" + #format: "[%i] <%d> -- " # type: json
## @@ -357,27 +406,40 @@ nfq: ## Step 5: App Layer Protocol Configuration ##
-# Configure the app-layer parsers. The protocols section details each -# protocol. +# Configure the app-layer parsers. +# +# The error-policy setting applies to all app-layer parsers. Values can be +# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or +# "ignore" (the default). +# +# The protocol's section details each protocol. # # The option "enabled" takes 3 values - "yes", "no", "detection-only". # "yes" enables both detection and the parser, "no" disables both, and # "detection-only" enables protocol detection only (parser disabled). app-layer: + # error-policy: ignore protocols: + telnet: + enabled: yes rfb: enabled: yes detection-ports: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 - # MQTT, disabled by default. mqtt: enabled: yes # max-msg-length: 1mb + # subscribe-topic-match-limit: 100 + # unsubscribe-topic-match-limit: 100 + # Maximum number of live MQTT transactions per flow + # max-tx: 4096 krb5: enabled: yes + bittorrent-dht: + enabled: yes snmp: enabled: yes - ikev2: + ike: enabled: yes tls: enabled: yes 
@@ -401,29 +463,47 @@ app-layer: # For best performance, select 'bypass'. # encryption-handling: bypass + + pgsql: + enabled: no + # Stream reassembly size for PostgreSQL. By default, track it completely. + stream-depth: 0 + # Maximum number of live PostgreSQL transactions per flow + # max-tx: 1024 dcerpc: enabled: yes + # Maximum number of live DCERPC transactions per flow + # max-tx: 1024 ftp: enabled: yes + # memcap: 64mb rdp: enabled: yes ssh: enabled: yes #hassh: yes - # HTTP2: Experimental HTTP 2 support. Disabled by default. http2: - enabled: no + enabled: yes + # Maximum number of live HTTP2 streams in a flow + #max-streams: 4096 + # Maximum headers table size + #max-table-size: 65536 + # Maximum reassembly size for header + continuation frames + #max-reassembly-size: 102400 smtp: enabled: yes + raw-extraction: no + # Maximum number of live SMTP transactions per flow + # max-tx: 256 # Configure SMTP-MIME Decoder mime: # Decode MIME messages from SMTP transactions # (may be resource intensive) - # This field supercedes all others because it turns the entire + # This field supersedes all others because it turns the entire # process on or off decode-mime: yes
- # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) decode-base64: yes decode-quoted-printable: yes
@@ -433,6 +513,12 @@ app-layer:
# Extract URLs and save in state data structure extract-urls: yes + # Scheme of URLs to extract + # (default is [http]) + #extract-urls-schemes: [http, https, ftp, mailto] + # Log the scheme of URLs that are extracted + # (default is no) + #log-url-scheme: yes # Set to yes to compute the md5 of the mail body. You will then # be able to journalize it. body-md5: no @@ -443,14 +529,19 @@ app-layer: content-inspect-window: 4096 imap: enabled: yes - msn: - enabled: yes smb: enabled: yes detection-ports: dp: 139, 445 + # Maximum number of live SMB transactions per flow + # max-tx: 1024 + + # Stream reassembly size for SMB streams. By default track it completely. + #stream-depth: 0 + nfs: enabled: yes + # max-tx: 1024 tftp: enabled: yes dns: @@ -474,17 +565,29 @@ app-layer: enabled: yes memcap: 256mb
+ # Byte Range Containers default settings + # byterange: + # memcap: 100mb + # timeout: 60 + + # memcap: Maximum memory capacity for HTTP + # Default is unlimited, values can be 64mb, e.g. + # default-config: Used when no server-config matches # personality: List of personalities used by default # request-body-limit: Limit reassembly of request body for inspection # by http_client_body & pcre /P option. # response-body-limit: Limit reassembly of response body for inspection # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # response-body-decompress-layer-limit: - # Limit to how many layers of compression will be - # decompressed. Defaults to 2. + # + # For advanced options, see the user guide + + + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personality: List of personalities used by this block + # + # Then, all the fields from default-config can be overloaded # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, @@ -495,8 +598,14 @@ app-layer:
# Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 0 - response-body-limit: 0 + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb
# response body decompression (0 disables) response-body-decompress-layer-limit: 2 @@ -504,28 +613,79 @@ app-layer: # auto will use http-body-inline mode in IPS mode, yes or no set it statically http-body-inline: auto
- # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] + # Decompress SWF files. Disabled by default. + # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: no + type: both + compress-depth: 100kb + decompress-depth: 100kb + + # Use a random value for inspection sizes around the specified value. + # This lowers the risk of some evasion techniques but could lead + # to detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If "randomize-inspection-sizes" is active, the value of various + # inspection size will be chosen from the [1 - range%, 1 + range%] # range - # Default value of randomize-inspection-range is 10. - randomize-inspection-range: 10 + # Default value of "randomize-inspection-range" is 10. + #randomize-inspection-range: 10
# decoding double-decode-path: no double-decode-query: no
- # Note: Modbus probe parser is minimalist due to the poor significant field + # Can enable LZMA decompression + #lzma-enabled: false + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1mb + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1mb + # Maximum time spent decompressing a single transaction in usec + #decompression-time-limit: 100000 + # Maximum number of live transactions per flow + #max-tx: 512 + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the limited usage in the field. # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser + # and protocol ID (equal to 0) are checked in probing parser # It is important to enable detection port and define Modbus port - # to avoid false positive + # to avoid false positives modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. + # How many unanswered Modbus requests are considered a flood. + # If the limit is reached, the app-layer-event:modbus.flooded; will match. #request-flood: 500
enabled: no @@ -555,14 +715,37 @@ app-layer:
ntp: enabled: yes + + quic: + enabled: yes + dhcp: enabled: yes + sip: - enabled: yes + #enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
+# Datasets default settings +datasets: + # Default fallback memcap and hashsize values for datasets in case these + # were not explicitly defined. + defaults: + #memcap: 100mb + #hashsize: 2048 + + rules: + # Set to true to allow absolute filenames and filenames that use + # ".." components to reference parent directories in rules that specify + # their filenames. + #allow-absolute-filenames: false + + # Allow datasets in rules write access for "save" and + # "state". This is enabled by default, however write access is + # limited to the data directory. + #allow-write: true
############################################################################## ## @@ -574,11 +757,52 @@ asn1-max-frames: 256 ## Run Options ##
-# Run suricata as user and group. +# Run Suricata with a specific user-id and group-id: run-as: user: suricata group: suricata
+security: + # if true, prevents process creation from Suricata by calling + # setrlimit(RLIMIT_NPROC, 0) + limit-noproc: true + # Use landlock security module under Linux + landlock: + enabled: no + directories: + write: + - /run + # /usr and /etc folders are added to read list to allow + # file magic to be used. + read: + - /usr/share/misc/magic.mgc + - /usr/share/suricata + - /var/ipfire/suricata + - /var/lib/suricata + + lua: + # Allow Lua rules. Disabled by default. + #allow-rules: false + +# Some logging modules will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. +pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Umask. +# Suricata will use this umask if it is provided. By default it will use the +# umask passed on by the shell. +#umask: 022 + # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On @@ -591,9 +815,9 @@ run-as: coredump: max-dump: unlimited
-# If suricata box is a router for the sniffed networks, set it to 'router'. If +# If the Suricata box is a router for the sniffed networks, set it to 'router'. If # it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode +# If set to auto, the variable is internally switched to 'router' in IPS mode # and 'sniffer-only' in IDS mode. # This feature is currently only used by the reject* keywords. host-mode: auto @@ -601,32 +825,31 @@ host-mode: auto # Number of packets preallocated per thread. The default is 1024. A higher number # will make sure each CPU will be more easily kept busy, but may negatively # impact caching. -max-pending-packets: 1024 +#max-pending-packets: 1024
# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned -# load balancing). +# runmodes for each packet acquisition method. Default depends on selected capture +# method. 'workers' generally gives best performance. runmode: workers
# Specifies the kind of flow load balancer used by the flow pinned autofp mode. # # Supported schedulers are: # -# round-robin - Flows assigned to threads in a round robin fashion. -# active-packets - Flows assigned to threads that have the lowest number of -# unprocessed packets (default). -# hash - Flow alloted usihng the address hash. More of a random -# technique. Was the default in Suricata 1.2.1 and older. +# hash - Flow assigned to threads using the 5-7 tuple hash. +# ippair - Flow assigned to threads using addresses only. +# ftp-hash - Flow assigned to threads using the hash, except for FTP, so that +# ftp-data flows will be handled by the same thread # -#autofp-scheduler: active-packets +#autofp-scheduler: hash
-# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest +# Preallocated size for each packet. Default is 1514 which is the classical +# size for pcap on Ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. -default-packet-size: 1514 +#default-packet-size: 1514
-# Unix command socket can be used to pass commands to suricata. -# An external tool can then connect to get information from suricata +# Unix command socket that can be used to pass commands to Suricata. +# An external tool can then connect to get information from Suricata # or trigger some modifications of the engine. Set enabled to yes # to activate the feature. In auto mode, the feature will only be # activated in live capture mode. You can use the filename variable to set @@ -645,7 +868,7 @@ legacy: ## Detection settings ##
-# Set the order of alerts bassed on actions +# Set the order of alerts based on actions # The default order is pass, drop, reject, alert # action-order: # - pass @@ -653,6 +876,22 @@ legacy: # - reject # - alert
+# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +#packet-alert-max: 15 + +# Exception Policies +# +# Define a common behavior for all exception policies. +# In IPS mode, the default is drop-flow. For cases when that's not possible, the +# engine will fall to drop-packet. To fallback to old behavior (setting each of +# them individually, or ignoring all), set this to ignore. +# All values available for exception policies can be used, and there is one +# extra option: auto - which means drop-flow or drop-packet (as explained above) +# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet, +# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable). +exception-policy: pass-packet + # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir @@ -694,8 +933,11 @@ host-os-policy:
# Defrag settings:
+# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or +# "ignore" (which is the default). defrag: memcap: 64mb + # memcap-policy: ignore hash-size: 65536 trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) 
@@ -706,44 +948,53 @@ defrag: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow # more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside +# The hash-size determines the size of the hash used to identify flows inside # the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better +# At startup, the engine can preallocate a number of flows, to get better # performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# prunning them with the emergency timeouts (they are defined below). +# emergency-recovery is the percentage of flows that the engine needs to +# prune before clearing the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing new flows to be created, but +# pruning them with the emergency timeouts (they are defined below). # If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doens't find a flow to prune, it will set -# the emergency bit and it will try again with more agressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. +# with the default timeouts. If it doesn't find a flow to prune, it will set +# the emergency bit and it will try again with more aggressive timeouts. +# If that doesn't work, then it will try to kill the oldest flows using +# last time seen flows. # The memcap can be specified in kb, mb, gb. Just a number indicates it's # in bytes. +# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore" +# (which is the default).
flow: memcap: 256mb + #memcap-policy: ignore hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - managers: 1 - recyclers: 1 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread
-# This option controls the use of vlan ids in the flow (and defrag) +# This option controls the use of VLAN ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. +# setups where both sides of a flow are not tagged with the same VLAN +# tag, we can ignore the VLAN id's in the flow hashing. vlan: use-for-tracking: true
+# This option controls the use of livedev ids in the flow (and defrag) +# hashing. This is enabled by default and should be disabled if +# multiple live devices are used to capture traffic from the same network +livedev: + use-for-tracking: true + # Specific timeouts for flows. Here you can specify the timeouts that the # active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a hanshake or -# stream startup before the engine free the data of that flow it doesn't +# protocol. The value of "new" determines the seconds to wait after a handshake or +# stream startup before the engine frees the data of that flow it doesn't # change the state to established (usually if we don't receive more packets # of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount +# seconds that the engine will wait to free the flow if that time elapses # without receiving new packets or closing the connection. "closed" is the # amount of time to wait after a flow is closed (usually zero). "bypassed" # timeout controls locally bypassed flows. For these flows we don't do any other 
@@ -794,28 +1045,42 @@ flow-timeouts: # engine is configured. # # stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# memcap: 64mb # Can be specified in kb, mb, gb. Just a # # number indicates it's in bytes. +# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not +# # "yes", then packets with invalid csum values will not # # be processed by the engine stream/app layer. -# # Warning: locally generated trafic can be +# # Warning: locally generated traffic can be # # generated without checksum due to hardware offload # # of checksum. You can control the handling of checksum # # on a per-interface basis via the 'checksum-checks' # # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread # midstream: false # don't allow midstream session pickups +# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-syn-queued: 10 # Max different SYNs to queue # max-synack-queued: 5 # Max different SYN/ACKs to queue -# bypass: no # Bypass packets when stream.depth is reached +# bypass: no # Bypass packets when stream.reassembly.depth is reached. +# # Warning: first side to reach this triggers +# # the bypass. +# liberal-timestamps: false # Treat all timestamps as if the Linux policy applies. This +# # means it's slightly more permissive. Enabled by default. # # reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. 
Just a number +# memcap: 256mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. +# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # depth: 1mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least @@ -825,8 +1090,8 @@ flow-timeouts: # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. +# # This lowers the risk of some evasion techniques but could lead +# # to detection change between runs. It is set to 'yes' by default. # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same @@ -850,22 +1115,27 @@ flow-timeouts: stream: memcap: 256mb prealloc-sessions: 4096 - checksum-validation: yes # reject wrong csums + #memcap-policy: ignore + checksum-validation: yes # reject incorrect csums + midstream: true + midstream-policy: pass-packet inline: auto # auto will use inline mode in IPS mode, yes or no set it statically bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: memcap: 256mb + #memcap-policy: ignore depth: 1mb # reassemble 1mb into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes + #randomize-chunk-range: 10 raw: yes segment-prealloc: 2048 check-overlap-different-data: true
# Host table: # -# Host table is used by tagging and per host thresholding subsystems. +# Host table is used by the tagging and per host thresholding subsystems. # host: hash-size: 4096 @@ -885,20 +1155,37 @@ host:
decoder: # Teredo decoder is known to not be completely accurate - # it will sometimes detect non-teredo as teredo. + # as it will sometimes detect non-teredo as teredo. teredo: enabled: false + # ports to look for Teredo. Max 4 ports. If no ports are given, or + # the value is set to 'any', Teredo detection runs on _all_ UDP packets. + ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. + + # VXLAN decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 4789 is enabled. + vxlan: + enabled: true + ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'. + + # Geneve decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 6081 is enabled. + geneve: + enabled: true + ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
+ # maximum number of decoder layers for a packet + # max-layers: 16
## ## Performance tuning and profiling ##
# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. +# allows us to specify the profile to use for them, to manage memory in an +# efficient way keeping good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom, +# make sure to define the values in the "custom-values" section. # Usually you would prefer medium/high/low. # # "sgh mpm-context", indicates how the staging should allot mpm contexts for @@ -912,15 +1199,14 @@ decoder: # in the content inspection code. For certain payload-sig combinations, we # might end up taking too much time in the content inspection code. # If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. +# default limit. When a value is not specified, there are no limits on the recursion. detect: - profile: custom + profile: medium custom-values: - toclient-groups: 200 - toserver-groups: 200 + toclient-groups: 3 + toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. delayed-detect: yes @@ -932,7 +1218,7 @@ detect: default: mpm
# the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. + # direction. Port whitelisting forces that port to get its own group. # Very common ports will benefit, as well as ports with many expensive # rules. grouping: @@ -956,7 +1242,6 @@ detect: # The supported algorithms are: # "ac" - Aho-Corasick, default implementation # "ac-bs" - Aho-Corasick, reduced memory implementation -# "ac-cuda" - Aho-Corasick, CUDA implementation # "ac-ks" - Aho-Corasick, "Ken Steele" variant # "hs" - Hyperscan, available when built with Hyperscan support # @@ -967,12 +1252,8 @@ detect: # signature groups, specified by the conf - "detect.sgh-mpm-context". # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" # to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. -# -# There is also a CUDA pattern matcher (only available if Suricata was -# compiled with --enable-cuda: b2g_cuda. Make sure to update your -# max-pending-packets setting above as well if you use b2g_cuda. +# ruleset is small enough to fit in memory, in which case one can +# use "full" with "ac". The rest of the mpms can be run in "full" mode.
mpm-algo: auto
@@ -989,7 +1270,7 @@ spm-algo: auto threading: set-cpu-affinity: no # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. + # to specific CPUs. # # These 2 apply to the all runmodes: # management-cpu-set is used for flow timeout handling, counters @@ -1001,21 +1282,24 @@ threading: # cpu-affinity: - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings + cpu: [ 0 ] # include only these CPUs in affinity settings - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings + cpu: [ 0 ] # include only these CPUs in affinity settings - worker-cpu-set: cpu: [ "all" ] mode: "exclusive" + # Use explicitly 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 prio: low: [ 0 ] medium: [ "1-2" ] high: [ 3 ] default: "medium" - - verdict-cpu-set: - cpu: [ 0 ] - prio: - default: "high" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" # # By default Suricata creates one "detect" thread per available CPU/CPU core. # This setting allows controlling this behaviour. A ratio setting of 2 will @@ -1026,3 +1310,11 @@ threading: # thread will always be created. # detect-thread-ratio: 1.0 + # + # By default, the per-thread stack size is left to its default setting. If + # the default thread stack size is too small, use the following configuration + # setting to change the size. Note that if any thread's stack size cannot be + # set to this value, a fatal error occurs. + # + # Generally, the per-thread stack-size should not exceed 8MB. + #stack-size: 8mb
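Review bot: in the flow hunk (`@@ -706,44 +948,53 @@`), the newly added `livedev: use-for-tracking: true` carries its own comment saying it should be disabled when multiple live devices capture traffic from the same network; confirm that does not apply to the interfaces this instance listens on, or set it to `false`, because with the livedev id in the hash, packets of one flow seen on two devices are tracked as two flows. In the same hunk `#memcap-policy: ignore` stays commented in `flow:`, so flow memcap exhaustion keeps the default `ignore`; if one exception policy is intended across the file, set it explicitly here as well.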
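Review bot: in the `stream:` hunk (`@@ -850,22 +1115,27 @@`), `midstream: true` and `midstream-policy: pass-packet` are added together, but the only documentation in the file (the comment block in the hunk above) lists the allowed policy values and describes `midstream: false` as "don't allow midstream session pickups"; a one-line comment on why both are set (restart resilience, and what is expected for flows whose handshake was never seen) would help the next maintainer. Also, `#memcap-policy: ignore` is left commented in both `stream:` and `reassembly:`, so memcap exhaustion falls back to the default `ignore` while midstream uses `pass-packet`; if the two exception paths are meant to behave the same, uncomment and set `memcap-policy: pass-packet` in both places.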
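Review bot: the decoder hunk (`@@ -885,20 +1155,37 @@`) references `$TEREDO_PORTS`, `$VXLAN_PORTS` and `$GENEVE_PORTS`, but their definitions are not part of this change; confirm they exist in the `vars` port-groups of this file, otherwise the new `ports:` lines point at undefined variables. The hunk's own comment also says that an empty or `any` Teredo value runs Teredo detection on every UDP packet, so `$TEREDO_PORTS` should carry an explicit port list rather than `any` if `teredo` is ever switched to `enabled: true`.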
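Review bot: in the detect hunk (`@@ -912,15 +1199,14 @@`), `profile: medium` replaces `profile: custom`, which makes the `custom-values` block inert; the simultaneous change of `toclient-groups`/`toserver-groups` from 200 to 3 and 25 therefore has no effect unless the profile is switched back to `custom`. Either drop the block or leave a comment that the values are kept only for a future custom profile, so nobody assumes they tune the running engine.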
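Review bot: in the threading hunk (`@@ -1001,21 +1282,24 @@`), commenting out the `verdict-cpu-set` block changes nothing at runtime while `set-cpu-affinity: no` remains in the unchanged context above; if the intent is to prepare for enabling affinity later, a short comment saying so would stop the next reader from re-adding the block or assuming verdict threads are pinned.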
hooks/post-receive -- IPFire 2.x development tree