diff --git a/docker/suricata/Dockerfile b/docker/suricata/Dockerfile
index b6f36878..cfed4cd5 100644
--- a/docker/suricata/Dockerfile
+++ b/docker/suricata/Dockerfile
@@ -4,7 +4,8 @@ FROM alpine:edge
 COPY dist/ /root/dist/
 #
 # Install packages
-RUN apk --no-cache -U add \
+RUN apk --no-cache -U upgrade && \
+ apk --no-cache -U add \
 ca-certificates \
 curl \
 file \
diff --git a/docker/suricata/dist/capture-filter.bpf b/docker/suricata/dist/capture-filter.bpf
index c53c0bb7..1b90d2a3 100644
--- a/docker/suricata/dist/capture-filter.bpf
+++ b/docker/suricata/dist/capture-filter.bpf
@@ -1,3 +1,5 @@
 not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
-not (tcp port 64294) and
-not (tcp port 64305)
+not (tcp port 64294 or tcp port 64305) and
+not (udp port 138 or udp port 5353) and
+not (ip broadcast or ip multicast or ip6 multicast) and
+not ip proto 2
diff --git a/docker/suricata/dist/suricata.yaml b/docker/suricata/dist/suricata.yaml
index beda0779..3b7c9f04 100644
--- a/docker/suricata/dist/suricata.yaml
+++ b/docker/suricata/dist/suricata.yaml
@@ -5,7 +5,7 @@
 # options in this file, full documentation can be found at:
 # https://docs.suricata.io/en/latest/configuration/suricata-yaml.html
-# This configuration file generated by Suricata 7.0.2.
+# This configuration file generated by Suricata 7.0.7.
 suricata-version: "7.0"
 ##
@@ -176,6 +176,7 @@ outputs:
 - frame:
 # disabled by default as this is very verbose.
 enabled: no
+ # payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
 - anomaly:
 # Anomaly log records describe unexpected conditions such
 # as truncated packets, packets with invalid IP/UDP/TCP
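Review bot: The new `apk --no-cache -U upgrade` step pulls whatever package revisions `alpine:edge` carries at build time, so two builds of this Dockerfile can yield different Suricata binaries with no record of which versions went in; hadolint also flags an unconditional `apk upgrade` (DL3017). If the intent is to pick up fixes the edge image snapshot lags behind, say so on the line, e.g. `# upgrade base packages: the alpine:edge image snapshot lags package fixes`, and consider pinning the base by digest so the upgrade is the only moving part. With `--no-cache` the index is fetched fresh on each invocation anyway, so the `-U` on both commands appears redundant and `apk --no-cache add \` would do for the second. The package list continues past the end of the hunk.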
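Review bot: The added exclusions for UDP 138/5353, broadcast/multicast and IGMP (`not ip proto 2`) also remove that traffic from Suricata's view, so rules for NetBIOS datagram, mDNS or IGMP activity on the sensor network can no longer fire; that trade-off deserves a record where the next maintainer will find it. If the filter loader accepts `#` comments, a line such as `# exclude LAN chatter (NetBIOS-DGM, mDNS, broadcast/multicast, IGMP) from capture` above the new terms would do, otherwise the commit message or README. As a style aside, `not ip proto 2` is the only term written without the parentheses the rest of the file uses.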
@@ -214,7 +215,7 @@ outputs:
 extended: yes # enable this for extended logging information
 # custom allows additional HTTP fields to be included in eve-log.
 # the example below adds three additional fields when uncommented
- custom: [Accept-Encoding, Accept-Language, Authorization, Forwarded, From, Referer, Via]
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
 # set this value to one and only one from {both, request, response}
 # to dump all HTTP headers for every HTTP request and/or response
 # dump-all-headers: none
@@ -251,8 +252,11 @@ outputs:
 # output TLS transaction where the session is resumed using a
 # session id
 #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ ja4: on
 # custom controls which TLS fields that are included in eve-log
- custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3, ja3s]
+ custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3, ja3s, ja4]
 - files:
 force-magic: yes # force logging magic on all logged files
 # force logging of checksums, available hash functions are md5,
@@ -291,7 +295,10 @@ outputs:
 - snmp
 - rfb
 - sip
- - quic
+ - quic:
+ # ja4 hashes in quic records will never be logged unless
+ # the following is set to on. (Default off)
+ ja4: on
 - dhcp:
 enabled: no
 # When extended mode is on, all DHCP messages are logged
@@ -753,6 +760,7 @@ dpdk:
 # - auto takes all cores
 # in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match
 threads: auto
+ # interrupt-mode: false # true to switch to interrupt mode
 promisc: true # promiscuous mode - capture all packets
 multicast: true # enables also detection on multicast packets
 checksum-checks: true # if Suricata should validate checksums
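Review bot: Commenting out `custom:` under the http eve output drops `Forwarded`, `From`, `Referer` and `Via` (and `Authorization`) from the http records, and the replacement line is exactly the three-field example the comment above it describes, which looks like the project's own customization was lost while re-syncing the file from upstream rather than a deliberate change. If those headers are still wanted by the eve-log consumers, restore `custom: [Accept-Encoding, Accept-Language, Authorization, Forwarded, From, Referer, Via]`; if the removal is intended, a one-line comment saying so will keep the next re-sync from guessing. Either way, logged `Authorization` values are captured credential material, and whoever ships or retains eve-log should know it is there.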
@@ -892,9 +900,10 @@ app-layer:
 detection-ports:
 dp: 443
- # Generate JA3 fingerprint from client hello. If not specified it
+ # Generate JA3/JA4 fingerprints from client hello. If not specified it
 # will be disabled by default, but enabled if rules require it.
 ja3-fingerprints: yes
+ ja4-fingerprints: yes
 # What to do when the encrypted communications start:
 # - default: keep tracking TLS session, check for protocol anomalies,
@@ -934,9 +943,13 @@ app-layer:
 #max-streams: 4096
 # Maximum headers table size
 #max-table-size: 65536
+ # Maximum reassembly size for header + continuation frames
+ #max-reassembly-size: 102400
 smtp:
 enabled: yes
 raw-extraction: no
+ # Maximum number of live SMTP transactions per flow
+ # max-tx: 256
 # Configure SMTP-MIME Decoder
 mime:
 # Decode MIME messages from SMTP transactions
@@ -1084,6 +1097,10 @@ app-layer:
 #compression-bomb-limit: 1mb
 # Maximum time spent decompressing a single transaction in usec
 #decompression-time-limit: 100000
+ # Maximum number of live transactions per flow
+ #max-tx: 512
+ # Maximum used number of HTTP1 headers in one request or response
+ #headers-limit: 1024
 server-config:
@@ -1290,7 +1307,6 @@ unix-command:
 # Magic file. The extension .mgc is added to the value here.
 magic-file: /usr/share/misc/magic.mgc
-#magic-file:
 # GeoIP2 database file. Specify path and filename of GeoIP2 database
 # if using rules with "geoip" rule option.
@@ -1798,6 +1814,10 @@ profiling:
 enabled: no
 filename: rule_perf.log
 append: yes
+ # Set active to yes to enable rules profiling at start
+ # if set to no (default), the rules profiling will have to be started
+ # via unix socket commands.
+ #active:no
 # Sort options: ticks, avgticks, checks, matches, maxticks
 # If commented out all the sort options will be used.
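Review bot: `ja4-fingerprints: yes` only produces output when the Suricata binary was built with JA4 support, which in the 7.0 series is a compile-time option rather than a default as far as I recall; the package the Dockerfile installs should be checked for it before the new `ja4` fields in the tls and quic eve outputs (earlier hunks of this file) are relied on, since a build without it will simply not log them. A comment on the new line would save the next person the same check, e.g. `# requires a Suricata build with JA4 support (compile-time option in 7.0.x)`. The enclosing tls section starts before and continues after this hunk.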