https://redmine.openinfosecfoundation.org/
Open Information Security Foundation
Suricata - Support #3079: Suricata Getting Updates
https://redmine.openinfosecfoundation.org/issues/3079?journal_id=12928
2019-07-10T20:42:08Z
Andreas Herz
oisf@herzandreas.de
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Support</i></li><li><strong>Assignee</strong> set to <i>Community Ticket</i></li><li><strong>Target version</strong> set to <i>70</i></li></ul><p>Did you try the netmap mode setting?</p>
Suricata - Support #3079: Suricata Getting Updates
https://redmine.openinfosecfoundation.org/issues/3079?journal_id=12944
2019-07-10T22:52:13Z
Ralston Champagnie
<p>Andreas Herz wrote:</p>
<blockquote>
<p>Did you try the netmap mode setting?</p>
</blockquote>
<p>When you say try the Netmap mode setting, do you mean this: sysctl dev.netmap.admode = 1?</p>
Suricata - Support #3079: Suricata Getting Updates
https://redmine.openinfosecfoundation.org/issues/3079?journal_id=12968
2019-07-12T16:38:38Z
Ralston Champagnie
<p>Shell Output - cat /var/log/system.log | grep netmap</p>
<pre>
Jul 7 13:24:50 NollipfSense kernel: netmap: loaded module
Jul 9 00:30:55 NollipfSense kernel: 255.614367 [ 760] generic_netmap_dtor Restored native NA 0
Jul 9 00:30:55 NollipfSense kernel: 255.616438 [ 760] generic_netmap_dtor Restored native NA 0
Jul 10 00:31:00 NollipfSense kernel: 660.148513 [ 760] generic_netmap_dtor Restored native NA 0
Jul 10 00:31:25 NollipfSense kernel: 685.365819 [ 760] generic_netmap_dtor Restored native NA 0
Jul 10 00:31:25 NollipfSense kernel: 685.367894 [ 760] generic_netmap_dtor Restored native NA 0
Jul 11 00:30:12 NollipfSense kernel: 012.950971 [ 760] generic_netmap_dtor Restored native NA 0
Jul 11 00:30:38 NollipfSense kernel: 038.259726 [ 760] generic_netmap_dtor Restored native NA 0
Jul 11 00:30:38 NollipfSense kernel: 038.261782 [ 760] generic_netmap_dtor Restored native NA 0
Jul 12 00:30:10 NollipfSense kernel: 410.784723 [ 760] generic_netmap_dtor Restored native NA 0
Jul 12 00:30:36 NollipfSense kernel: 436.134532 [ 760] generic_netmap_dtor Restored native NA 0
Jul 12 00:30:36 NollipfSense kernel: 436.136610 [ 760] generic_netmap_dtor Restored native NA 0
</pre>
<p>suricata.yaml (the Textile rendering turned the <code>#</code> comment lines into numbered lists; restored here as the YAML file, with indentation following the standard suricata.yaml layout):</p>
<pre>
%YAML 1.1
---

max-pending-packets: 1024

# Runmode the engine should use.
runmode: autofp

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: active-packets

# Daemon working directory
daemon-directory: /usr/local/etc/suricata/suricata_23163_bge0

default-packet-size: 1514

# The default logging directory.
default-log-dir: /var/log/suricata/suricata_bge023163

# global stats configuration
stats:
  enabled: no
  interval: 10
  #decoder-events: true
  decoder-events-prefix: "decoder.event"
  #stream-events: false

# Configure the type of alert (and other) logging.
outputs:

  # alert-pf blocking plugin
  - alert-pf:
      enabled: no
      kill-state: yes
      block-drops-only: no
      pass-list: /usr/local/etc/suricata/suricata_23163_bge0/passlist
      block-ip: BOTH
      pf-table: snort2c

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alerts.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no

  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: yes
      filename: stats.log
      append: no
      totals: yes
      threads: no
      #null-values: yes

  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice

  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  - file-store:
      version: 2
      enabled: no
      log-dir: files
      force-magic: no
      #force-hash: [md5]
      #waldo: file.waldo

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      #force-hash: [md5]

  - eve-log:
      enabled: no
      filetype: regular
      filename: eve.json
      redis:
        server: 127.0.0.1
        port: 6379
        mode: list
        key: "suricata"
      identity: "suricata"
      facility: local1
      level: notice
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            http-body: yes           # enable dumping of http body in Base64
            http-body-printable: yes # enable dumping of http body in printable format
            tagged-packets: yes      # enable logging of tagged packets for rules using the 'tag' keyword
        - http:
            extended: yes
            custom: [accept, accept-charset, accept-datetime, accept-encoding, accept-language, accept-range, age, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, dnt, etags, from, last-modified, link, location, max-forwards, origin, pragma, proxy-authenticate, proxy-authorization, range, referrer, refresh, retry-after, server, set-cookie, te, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate, x-authenticated-user, x-flash-version, x-forwarded-proto, x-requested-with]
        - dns:
            version: 2
            query: yes
            answer: yes
        - tls:
            extended: yes
        - dhcp:
            extended: no
        - files:
            force-magic: no
        - ssh
        - nfs
        - smb
        - krb5
        - ikev2
        - tftp
        - smtp:
            extended: yes
            custom: [bcc, received, reply-to, x-mailer, x-originating-ip]
            md5: [subject]
        - drop:
            alerts: yes
            flows: all

# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic

# GeoLite2 IP geo-location database file path and filename.
geoip-database: /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb

# Specify a threshold config file
threshold-file: /usr/local/etc/suricata/suricata_23163_bge0/threshold.config

detect-engine:
  - profile: high
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  - delayed-detect: no

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.0

# Luajit has a strange memory requirement, it's 'states' need to be in the
# first 2G of the process' memory.
#
# 'luajit.states' is used to control how many states are preallocated.
# State use: per detect script: 1 per detect thread. Per output script: 1 per
# script.
luajit:
  states: 128

# Multi pattern algorithm
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
mpm-algo: auto

# Single pattern algorithm
# The default of "auto" will use "hs" if available, otherwise "bm".
spm-algo: auto

# Defrag settings:
defrag:
  memcap: 33554432
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Flow settings:
flow:
  memcap: 33554432
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

# This option controls the use of vlan ids in the flow (and defrag)
# hashing.
vlan:
  use-for-tracking: true

# Specific timeouts for flows.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 512000000
  checksum-validation: no
  inline: auto
  prealloc-sessions: 32768
  midstream: false
  async-oneside: false
  max-synack-queued: 5
  reassembly:
    memcap: 67108864
    depth: 1048576
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 33554432

# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
  bsd: [0.0.0.0/0]

# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
logging:
  # This value is overriden by the SC_LOG_LEVEL env var.
  default-log-level: info
  default-log-format: "%t - &lt;%d&gt; -- "

  # Define your logging outputs.
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        filename: /var/log/suricata/suricata_bge023163/suricata.log
    - syslog:
        enabled: no
        facility: off
        format: "[%i] &lt;%d&gt; -- "

# IPS Mode Configuration
# Netmap
netmap:
  - interface: default
    threads: auto
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
  - interface: bge0
    copy-iface: bge0+
  - interface: bge0+
    copy-iface: bge0

legacy:
  uricontent: enabled

default-rule-path: /usr/local/etc/suricata/suricata_23163_bge0/rules
rule-files:
  - suricata.rules

classification-file: /usr/local/etc/suricata/suricata_23163_bge0/classification.config
reference-config-file: /usr/local/etc/suricata/suricata_23163_bge0/reference.config

# Holds variables that would be used by the engine.
vars:
  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[10.10.10.1/32,68.226.180.1/32,68.226.181.34/32,127.0.0.1/32,192.168.1.0/24,208.67.220.220/32,208.67.222.222/32,::1/128,fe80::aa60:b6ff:fe23:1134/128,fe80::ca2a:14ff:fe57:d2dc/128]"
    EXTERNAL_NET: "[!10.10.10.1/32,!68.226.180.1/32,!68.226.181.34/32,!127.0.0.1/32,!192.168.1.0/24,!208.67.220.220/32,!208.67.222.222/32,::1/128,fe80::aa60:b6ff:fe23:1134/128,fe80::ca2a:14ff:fe57:d2dc/128]"
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    AIM_SERVERS: "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
    SIP_SERVERS: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"
    SIP_PORTS: "5060,5061,5600"

# Set the order of alerts based on actions
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    dcerpc:
      enabled: yes
    dhcp:
      enabled: yes
    dnp3:
      enabled: yes
      detection-ports:
        dp: 20000
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    ftp:
      enabled: yes
    http:
      enabled: yes
      memcap: 67108864
    ikev2:
      enabled: yes
    imap:
      enabled: detection-only
    krb5:
      enabled: yes
    modbus:
      enabled: yes
      request-flood: 500
      detection-ports:
        dp: 502
      stream-depth: 0
    msn:
      enabled: detection-only
    nfs:
      enabled: yes
    ntp:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      ja3-fingerprints: off
      encrypt-handling: default
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    smtp:
      enabled: yes
      mime:
        decode-mime: no
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    ssh:
      enabled: yes
    tftp:
      enabled: yes

###########################################################################
# Configure libhtp.
libhtp:
  default-config:
    personality: IDS
    request-body-limit: 4096
    response-body-limit: 4096
    double-decode-path: no
    double-decode-query: no
    uri-include-all: no

coredump:
  max-dump: unlimited

# Suricata user pass through configuration
</pre>
Suricata - Support #3079: Suricata Getting Updates
https://redmine.openinfosecfoundation.org/issues/3079?journal_id=12996
2019-07-18T17:52:08Z
Ralston Champagnie
<p>Andreas Herz wrote:</p>
<blockquote>
<p>Did you try the netmap mode setting?</p>
</blockquote>
<p>Please close this report/case as it's not a bug...thank you!</p>
Suricata - Support #3079: Suricata Getting Updates
https://redmine.openinfosecfoundation.org/issues/3079?journal_id=13031
2019-07-19T21:42:24Z
Andreas Herz
oisf@herzandreas.de
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>Would still be helpful if you add the explanation as well :)</p>
Suricata - Support #3079: Suricata Getting Updates
https://redmine.openinfosecfoundation.org/issues/3079?journal_id=13034
2019-07-22T10:13:10Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Target version</strong> deleted (<del><i>70</i></del>)</li></ul>