suricata: Configure HTTP decoder
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 2 Mar 2019 17:18:38 +0000 (17:18 +0000)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sun, 3 Mar 2019 09:55:31 +0000 (10:55 +0100)
This will now scan all request and response bodies where possible
and use up to 256MB of RAM

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/suricata/suricata.yaml

index 767f840..84c4aa2 100644 (file)
@@ -211,7 +211,7 @@ app-layer:
           dp: 53
     http:
       enabled: yes
-      # memcap: 64mb
+      memcap: 256mb
 
       # default-config:           Used when no server-config matches
       #   personality:            List of personalities used by default
@@ -225,32 +225,6 @@ app-layer:
       #                           Limit to how many layers of compression will be
       #                           decompressed. Defaults to 2.
       #
-      # server-config:            List of server configurations to use if address matches
-      #   address:                List of ip addresses or networks for this block
-      #   personalitiy:           List of personalities used by this block
-      #   request-body-limit:     Limit reassembly of request body for inspection
-      #                           by http_client_body & pcre /P option.
-      #   response-body-limit:    Limit reassembly of response body for inspection
-      #                           by file_data, http_server_body & pcre /Q option.
-      #   double-decode-path:     Double decode path section of the URI
-      #   double-decode-query:    Double decode query section of the URI
-      #
-      #   uri-include-all:        Include all parts of the URI. By default the
-      #                           'scheme', username/password, hostname and port
-      #                           are excluded. Setting this option to true adds
-      #                           all of them to the normalized uri as inspected
-      #                           by http_uri, urilen, pcre with /U and the other
-      #                           keywords that inspect the normalized uri.
-      #                           Note that this does not affect http_raw_uri.
-      #                           Also, note that including all was the default in
-      #                           1.4 and 2.0beta1.
-      #
-      #   meta-field-limit:       Hard size limit for request and response size
-      #                           limits. Applies to request line and headers,
-      #                           response line and headers. Does not apply to
-      #                           request or response bodies. Default is 18k.
-      #                           If this limit is reached an event is raised.
-      #
       # Currently Available Personalities:
       #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
       #   IIS_7_0, IIS_7_5, Apache_2
@@ -260,14 +234,8 @@ app-layer:
 
            # Can be specified in kb, mb, gb.  Just a number indicates
            # it's in bytes.
-           request-body-limit: 100kb
-           response-body-limit: 100kb
-
-           # inspection limits
-           request-body-minimal-inspect-size: 32kb
-           request-body-inspect-window: 4kb
-           response-body-minimal-inspect-size: 40kb
-           response-body-inspect-window: 16kb
+           request-body-limit: 0
+           response-body-limit: 0
 
            # response body decompression (0 disables)
            response-body-decompress-layer-limit: 2
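Review bot: Setting `request-body-limit: 0` and `response-body-limit: 0` removes the per-transaction cap on buffered HTTP bodies, so a transaction may buffer up to its whole body and the only bound left is the shared `memcap` raised to 256mb in the first hunk; if I read Suricata's behaviour correctly, once that memcap is exhausted further body data is simply not stored and inspection of those streams degrades silently, so a few large concurrent transfers become a visibility loss the commit message does not mention. The dropped `request-body-minimal-inspect-size`/`*-inspect-window` keys fall back to Suricata's built-in defaults, which `randomize-inspection-sizes` in the last hunk still applies to, so that part looks fine. I would document the trade-off above the two lines, `# 0 = no limit: bodies are buffered in full, bounded only by the http memcap above`, and consider a finite limit rather than 0 so one large download cannot consume the memcap for every other flow.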
@@ -278,41 +246,17 @@ app-layer:
            # Take a random value for inspection sizes around the specified value.
            # This lower the risk of some evasion technics but could lead
            # detection change between runs. It is set to 'yes' by default.
-           #randomize-inspection-sizes: yes
+           randomize-inspection-sizes: yes
            # If randomize-inspection-sizes is active, the value of various
            # inspection size will be choosen in the [1 - range%, 1 + range%]
            # range
            # Default value of randomize-inspection-range is 10.
-           #randomize-inspection-range: 10
+           randomize-inspection-range: 10
 
            # decoding
            double-decode-path: no
            double-decode-query: no
 
-         server-config:
-
-           #- apache:
-           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
-           #    personality: Apache_2
-           #    # Can be specified in kb, mb, gb.  Just a number indicates
-           #    # it's in bytes.
-           #    request-body-limit: 4096
-           #    response-body-limit: 4096
-           #    double-decode-path: no
-           #    double-decode-query: no
-
-           #- iis7:
-           #    address:
-           #      - 192.168.0.0/24
-           #      - 192.168.10.0/24
-           #    personality: IIS_7_0
-           #    # Can be specified in kb, mb, gb.  Just a number indicates
-           #    # it's in bytes.
-           #    request-body-limit: 4096
-           #    response-body-limit: 4096
-           #    double-decode-path: no
-           #    double-decode-query: no
-
     # Note: Modbus probe parser is minimalist due to the poor significant field
     # Only Modbus message length (greater than Modbus header length)
     # And Protocol ID (equal to 0) are checked in probing parser