tweaking:
- bump suricata to 7.0.7, update config, exclude broadcast, multicast, NetBIOS, IGMP and mDNS traffic via capture-filter.bpf
t3chn0m4g3 committed Dec 4, 2024
1 parent 486c973 commit 2747719
Showing 3 changed files with 32 additions and 9 deletions.
3 changes: 2 additions & 1 deletion docker/suricata/Dockerfile
@@ -4,7 +4,8 @@ FROM alpine:edge
COPY dist/ /root/dist/
#
# Install packages
RUN apk --no-cache -U add \
RUN apk --no-cache -U upgrade && \
apk --no-cache -U add \
ca-certificates \
curl \
file \
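Review bot: `-U` on lines 22–23 is redundant next to `--no-cache`, which already fetches a fresh package index and keeps nothing on disk, so `RUN apk --no-cache upgrade && \` followed by `apk --no-cache add \` reads cleaner with the same result. The new upgrade step runs against the unpinned alpine:edge base named in the hunk header, so two builds of this same commit can yield different package sets; that is a reasonable choice for a rolling honeypot image, but a one-line comment such as `# upgrade base packages first; image content tracks alpine:edge at build time` would record it. The RUN instruction continues past the end of the hunk.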
6 changes: 4 additions & 2 deletions docker/suricata/dist/capture-filter.bpf
@@ -1,3 +1,5 @@
not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
not (tcp port 64294) and
not (tcp port 64305)
not (tcp port 64294 or tcp port 64305) and
not (udp port 138 or udp port 5353) and
not (ip broadcast or ip multicast or ip6 multicast) and
not ip proto 2
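Review bot: Line 35 excludes only udp port 138 (NetBIOS datagram service) although the commit message says NetBIOS is removed; NetBIOS name service (udp 137) and session service (tcp 139) still reach Suricata, so either the message overstates the filter or the line should read `not (udp port 137 or udp port 138 or udp port 5353) and`. Anything excluded by this file is never seen by Suricata, so rules covering those protocols can no longer alert; that trade-off (less log noise versus a deliberate blind spot) is worth stating wherever this file is documented, since pcap filter syntax gives no room for an in-file comment. `ip proto 2` on line 37 is IGMP, matching the commit message.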
32 changes: 26 additions & 6 deletions docker/suricata/dist/suricata.yaml
@@ -5,7 +5,7 @@
# options in this file, full documentation can be found at:
# https://docs.suricata.io/en/latest/configuration/suricata-yaml.html

# This configuration file generated by Suricata 7.0.2.
# This configuration file generated by Suricata 7.0.7.
suricata-version: "7.0"

##
@@ -176,6 +176,7 @@ outputs:
- frame:
# disabled by default as this is very verbose.
enabled: no
# payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
@@ -214,7 +215,7 @@ outputs:
extended: yes # enable this for extended logging information
# custom allows additional HTTP fields to be included in eve-log.
# the example below adds three additional fields when uncommented
custom: [Accept-Encoding, Accept-Language, Authorization, Forwarded, From, Referer, Via]
#custom: [Accept-Encoding, Accept-Language, Authorization]
# set this value to one and only one from {both, request, response}
# to dump all HTTP headers for every HTTP request and/or response
# dump-all-headers: none
@@ -251,8 +252,11 @@ outputs:
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# ja4 hashes in tls records will never be logged unless
# the following is set to on. (Default off)
ja4: on
# custom controls which TLS fields that are included in eve-log
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3, ja3s]
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3, ja3s, ja4]
- files:
force-magic: yes # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
@@ -291,7 +295,10 @@ outputs:
- snmp
- rfb
- sip
- quic
- quic:
# ja4 hashes in quic records will never be logged unless
# the following is set to on. (Default off)
ja4: on
- dhcp:
enabled: no
# When extended mode is on, all DHCP messages are logged
@@ -753,6 +760,7 @@ dpdk:
# - auto takes all cores
# in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match
threads: auto
# interrupt-mode: false # true to switch to interrupt mode
promisc: true # promiscuous mode - capture all packets
multicast: true # enables also detection on multicast packets
checksum-checks: true # if Suricata should validate checksums
@@ -892,9 +900,10 @@ app-layer:
detection-ports:
dp: 443
# Generate JA3 fingerprint from client hello. If not specified it
# Generate JA3/JA4 fingerprints from client hello. If not specified it
# will be disabled by default, but enabled if rules require it.
ja3-fingerprints: yes
ja4-fingerprints: yes
# What to do when the encrypted communications start:
# - default: keep tracking TLS session, check for protocol anomalies,
@@ -934,9 +943,13 @@ app-layer:
#max-streams: 4096
# Maximum headers table size
#max-table-size: 65536
# Maximum reassembly size for header + continuation frames
#max-reassembly-size: 102400
smtp:
enabled: yes
raw-extraction: no
# Maximum number of live SMTP transactions per flow
# max-tx: 256
# Configure SMTP-MIME Decoder
mime:
# Decode MIME messages from SMTP transactions
@@ -1084,6 +1097,10 @@ app-layer:
#compression-bomb-limit: 1mb
# Maximum time spent decompressing a single transaction in usec
#decompression-time-limit: 100000
# Maximum number of live transactions per flow
#max-tx: 512
# Maximum used number of HTTP1 headers in one request or response
#headers-limit: 1024
server-config:
@@ -1290,7 +1307,6 @@ unix-command:
# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic.mgc
#magic-file:
# GeoIP2 database file. Specify path and filename of GeoIP2 database
# if using rules with "geoip" rule option.
@@ -1798,6 +1814,10 @@ profiling:
enabled: no
filename: rule_perf.log
append: yes
# Set active to yes to enable rules profiling at start
# if set to no (default), the rules profiling will have to be started
# via unix socket commands.
#active:no
# Sort options: ticks, avgticks, checks, matches, maxticks
# If commented out all the sort options will be used.
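Review bot: Line 62 appears to replace the active `custom:` header list of line 61 with the upstream commented-out default (reading the page in its old-then-new print order), so Authorization, Forwarded, From, Referer and Via would no longer be written to eve http records after this change, while every other hunk in the file only adds capability (ja4 on lines 72, 87 and 106). If that is a side effect of re-basing on the 7.0.7 default file rather than intended, `custom: [Accept-Encoding, Accept-Language, Authorization, Forwarded, From, Referer, Via]` should be restored; if it is intended, a one-line comment above it stating why the extra headers are dropped would keep the next rebase from flipping it again. Either way the eve.json store receives credential-bearing Authorization values whenever that list is active, which is the point of a honeypot but makes the log path itself sensitive data. The `outputs:` mapping these hunks belong to starts before and ends after the shown lines.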
