Suricata will print a warning on startup if the collection of stats
is enabled but no stats logger, which will print them out is enabled.
Acctually we do not use any stats so this safely can be disabled.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will prevent suricata from displaying a warning on startup and
anyway would be the log level which suricata switches in such a case.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
All of them are disabled by default, but may be needed in some
environments and so easily can be enabled there.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The selected rulesfiles of a provider now will be written to an own
provider exclusive yaml file, which will be included dynamically when
the provider is enabled or not.
This allows very easy handling to enable or disable a provider, in this
case the file which keeps the enabled providers rulesets only needs to
be included in the main file or even not.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will allow us more insight on what is
happening.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
* Enable RDP and SIP parsers.
* Enable new introduced parsers for RFB and DCERPC.
Because HTTP2 support and parser currently is experimental the suricata
developers decided to disable it at default - we keep this default
setting for now.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
With this commit suricata reads the HTTP port declarations from a newly
introduced external file
(/var/ipfire/suricata/suricata-http-ports.yaml).
This file dynamically will be generated. HTTP ports always are the
default port "80" and "81" for update Accelerator and HTTP access to the
WUI. In case the Web-proxy is used, the configured proxy port and/or Transparent
Proxy port also will be declared as a HTTP port and written to that file.
In case one of the proxy ports will be changed, the HTTP port file will
be re-generated and suricate restarted if launched. Also if an old
backup with snort will be restored the convert script handles the
generation of the HTTP ports file.
Finally the suricata-generate-http-ports-file as a tiny script which
simply generates the http ports file and needs to be launched during the
installation of a core update. (The script will no be required
anymore, so it could be deleted afterwards.)
Fixes#12308.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These settings now will be read from
/var/ipfire/suricata/suricata-dns-servers.yaml, which will be
generated by the generate_dns_servers_file() function, located in
ids-functions.pl and called by various scripts.
Fixes#12166.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This log is mainly needed for debugging the IPS. It writes some stats
every couple of seconds and will create some load on SD cards and other
cheap storage that we do not need.
Fixes#12056.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will tie the detection threads to a certain CPU and
slightly increases throughput on my system.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch does not have any effect (yet) and is untested
because suricata needs to be built against libcap-ng which
is currently not being packaged for IPFire.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will now scan all request and response bodies where possible
and use up to 256MB of RAM
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This reverts commit ad99f959e2.
It does not make any sense to try to decode the TLS connection
with the DNS decoder.
Therefore should 853 (TCP only) be added to the TLS decoder.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.
Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.
Then, no other application has to worry about suricata.
Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This decoder is not very accurate and Teredo has been
disabled in Windows by default. Nobody will use this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This change also ensures that suricata has a decent number
of streams preallocated to be able to handle any bursts in traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This is not compiled in as it slows down detection and is
only really useful for debugging
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will merge rules more aggressively so that the engine
is only processing those that can actually match.
Memory is cheap. People with little memory should not run
suricata anyways.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.
See commit: f5ad510e3c
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
