This is not compiled in as it slows down detection and is
only really useful for debugging
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will merge rules more aggressively so that the engine
is only processing those that can actually match.
Memory is cheap. People with little memory should not run
suricata anyways.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.
See commit: f5ad510e3c
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
As DNS over TLS popularity is increasing, port 853 becomes
more interesting for an attacker as a bypass method. Enabling
this port for DNS monitoring makes sense in order to avoid
unusual activity (non-DNS traffic) as well as "normal" DNS
attacks.
Partially fixes#11808
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Enable and specify the path to the threshold-file in the suricata.yaml,
otherwise the programm is trying to read it from a build-in default
location and prints the following error message:
Error opening file: "/etc/suricata//threshold.config": No such file or directory
Fixes#11837.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Remove a lot of stuff and options which are deactivated during compiling,
unsupported by the plattform or not used in IPFire.
Add an advice to the full documented suricata-example.yaml file which also
is shipped by IPFire.
More work needs to be done.
See #11808
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Use the gernerated HOME_NET details from
/var/ipfire/suricata/suricata-homenet.yaml which will be
generated by the WUI.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This config file is mostly based on the example configuration shipped
by the suricata project and needs to be enhanched.
See #11808.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
