This post continues the previous configuration-file walkthrough (part 1) and is the second part on understanding the suricata configuration file. The suricata version is 4.0.3.
Suricata is a multi-threaded program: when it runs on a machine with a multi-core CPU it spawns multiple threads so that several network flows are processed at the same time. The previous post introduced how suricata is built from threads, thread-modules and queues, and how thread-modules are divided by function into four kinds: packet acquisition, decoding (of packets and application-layer flow information), detection, and output.
The figure below shows a typical runmode and the cooperation between the modules; 1, 2, 3 and 4 denote the four kinds of module:
The following option controls whether suricata's threads are pinned to specific CPU cores. With no, threads are not pinned and the core a given thread runs on may differ from run to run; with yes, the specified threads only ever run on their designated cores. Pinning threads to cores raises the CPU cache hit rate, reduces the cost of memory accesses and speeds up the program:
set-cpu-affinity: no
The figure below makes this clear. The upper part shows the pinned case: the packet acquisition, decode and output modules all sit on core 0, and every core has a detect thread, but the one on core 0 has a comparatively low priority and runs only when the other threads on core 0 are idle, so suricata assigns it less detection work and hands more to the detect threads on the other cores. In the unpinned case in the lower part, the operating system decides which core each thread runs on according to the load on each core:
Users can map threads to CPU cores according to their own situation; one way of configuring it is shown below. The field names management-, receive-, decode-, stream-, detect-, verdict-, reject- and outputs-cpu-set are fixed, and each has three options: cpu, mode and prio. cpu selects the core numbers the threads may run on: numbers from 0 to 3, or all; [0,1] means core 0 and core 1, and [1-3] means the three cores 1, 2 and 3. mode is either "balanced" or "exclusive": balanced means the thread may run on whichever of the cores listed under cpu is most sensible, so the decode-cpu-set below could run on core 0 in one time slice and on core 1 in the next; exclusive pins the core, so a thread that starts its first time slice on core 0 stays there until it finishes. prio is the thread's priority on its core: low, medium, high, plus default. In addition, detect-cpu-set may carry a threads field that sets the number of detect threads directly instead of deriving it from the number of CPU cores:
# Tune cpu affinity of threads. Each family of threads can be bound
# on specific CPUs.
#
# These 2 apply to the all runmodes:
# management-cpu-set is used for flow timeout handling, counters
# worker-cpu-set is used for 'worker' threads
#
# Additionally, for autofp these apply:
# receive-cpu-set is used for capture threads
# verdict-cpu-set is used for IPS verdict threads
#
cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]
      mode: "exclusive"  # run detect threads in these cpus
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  #- verdict-cpu-set:
  #    cpu: [ 0 ]
  #    prio:
  #      default: "high"
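To see how the cpu, prio and threads fields above resolve on a concrete machine, here is an added example (not Suricata's own code) that expands the cpu-list notation used in this block and applies the detect-thread-ratio rule from the next paragraph; the fallback to "medium" when no default priority is given and the truncating rounding of cores * ratio are assumptions of the example:

```python
# Added example, not Suricata's code: resolve a cpu-affinity entry as written
# on this page ([ 0 ], [ "1-2" ], [ "all" ]) against a machine with N cores.
from typing import Dict, Iterable, Set


def parse_cpu_spec(spec: Iterable, ncpus: int) -> Set[int]:
    """Expand a cpu list such as [0, "1-2", "all"] into a set of core ids."""
    cores: Set[int] = set()
    for item in spec:
        text = str(item).strip().strip('"').lower()
        if text == "all":
            cores.update(range(ncpus))
            continue
        if "-" in text:
            lo, hi = (int(x) for x in text.split("-", 1))
        else:
            lo = hi = int(text)
        if lo > hi or lo < 0 or hi >= ncpus:
            raise ValueError(f"cpu spec {item!r} is not valid for {ncpus} cores")
        cores.update(range(lo, hi + 1))
    return cores


def resolve_prio(cpu_set: dict, ncpus: int) -> Dict[int, str]:
    """Map every core the thread family may run on to its priority.

    Explicit low/medium/high lists win; any remaining core gets the 'default'
    entry. Falling back to "medium" when no default is configured is an
    assumption of this example, not documented Suricata behaviour.
    """
    allowed = parse_cpu_spec(cpu_set.get("cpu", ["all"]), ncpus)
    prio_cfg = cpu_set.get("prio", {})
    result = {c: prio_cfg.get("default", "medium") for c in allowed}
    for level in ("low", "medium", "high"):
        for c in parse_cpu_spec(prio_cfg.get(level, []), ncpus):
            if c in allowed:
                result[c] = level
    return result


def detect_thread_count(cpu_set: dict, ncpus: int, ratio: float) -> int:
    """An explicit 'threads' field wins; otherwise cores * detect-thread-ratio.

    Truncation to an integer (with a minimum of 1) is an assumption here.
    """
    if "threads" in cpu_set:
        return int(cpu_set["threads"])
    return max(1, int(ncpus * ratio))


# Constructed input mirroring the page's worker-cpu-set block.
WORKER_CPU_SET = {
    "cpu": ["all"],
    "mode": "exclusive",
    "prio": {"low": [0], "medium": ["1-2"], "high": [3], "default": "medium"},
}

if __name__ == "__main__":
    print(resolve_prio(WORKER_CPU_SET, 4))        # per-core priority on a 4-core box
    print(detect_thread_count(WORKER_CPU_SET, 4, 1.5))
```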
The number of detect threads mentioned above can be set directly, or it can be computed from the number of CPU cores; the multiplier is given by detect-thread-ratio, which defaults to 1.0. For example, with a 4-core CPU and a detect-thread-ratio of 1.5 there will be 6 detect threads:
detect-thread-ratio: 1.0
As described earlier when covering IP-header checks in suricata rules, IP can fragment large data for transmission and reassemble it at the destination. Suricata has a module called the defragment engine that monitors fragmented IP packets, reassembles them and passes them on to the later processing modules. Its configuration is simple: max-frags gives the maximum number of fragments, prealloc whether some space is preallocated at startup, and timeout the time after which fragments expire. While packets are being monitored and reassembled, the unprocessed packets stay in memory, so too many of them, or leaving them unprocessed for too long, degrades performance:
# Defrag settings:
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535     # number of defragmented flows to follow
  max-frags: 65535    # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
In suricata, flow configures network-flow options, whereas stream is specifically about TCP reassembly.
A flow is the broader concept and resembles a network connection. Suricata uses the five-tuple (protocol, source IP, source port, destination IP, destination port) to decide whether packets in the traffic belong to the same flow:
Continuously tracking the flows on the network takes a lot of memory, and several options keep that memory under control. memcap is the maximum memory used for flow tracking, 128MB by default. Because suricata decides which flow a packet belongs to by hashing its five-tuple, hash-size is the size of that hash table. prealloc is the number of flows preallocated in advance, which gives better performance when identifying flows. emergency-recovery applies when the memory in use exceeds memcap and the engine enters emergency mode: it is the percentage of flows (relative to prealloc) that must be removed, here 30% of the prealloc'd flows. Flows are removed according to the flow-timeouts configured later; if no flow has timed out, stricter timeouts are applied, and if that still does not help, suricata removes the least recently used flows. prune_flows is the number of old flows removed for each new flow added while in emergency mode:
# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determine the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine need to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb. Just a number indicates it's
# in bytes.
flow:
  memcap: 128mb             # The maximum amount of bytes the flow-engine will make use of.
  hash-size: 65536          # Flows will be organized in a hash-table. With this option you can set the
                            # size of the hash-table.
  prealloc: 10000           # The amount of flows Suricata has to keep ready in memory.
  emergency-recovery: 30    # Percentage of 1000 prealloc'd flows.
  #managers: 1              # default to one flow manager
  #recyclers: 1             # default to one flow recycler thread
The flow timeouts mentioned in the previous section are set here. Because protocols differ, each protocol has its own set of states, and each state has its own timeout. TCP has the states new, established and closed; UDP only has new and established.
For TCP, new covers the three-way handshake, established is after the handshake has completed, and closed is a reset packet or the four-way close of the connection. For UDP, new means only one side has sent packets and established means both sides have. Below are the timeout settings for TCP, UDP, ICMP and default (all other protocols); entries without the emergency prefix are the normal-mode timeouts and those with the emergency prefix apply in memory emergency mode:
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determine the seconds to wait after a handshake or
# stream startup before the engine free the data of that flow it doesn't
# change the state to established (usually if we don't receive more packets
# of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spend that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero). "bypassed"
# timeout controls locally bypassed flows. For these flows we don't do any other
# tracking. If no packets have been seen after this timeout, the flow is discarded.
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine to check flow status faster. This configuration variables
# use the prefix "emergency-" and work similar as the normal ones.
# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
# icmp.
flow-timeouts:
  default:
    new: 30                     # Time-out in seconds after the last activity in this flow in a New state.
    established: 300            # Time-out in seconds after the last activity in this flow in a Established state.
    closed: 0
    bypassed: 100
    emergency-new: 10           # Time-out in seconds after the last activity in this flow in a New state during the emergency mode.
    emergency-established: 100  # Time-out in seconds after the last activity in this flow in a Established state in the emergency mode.
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
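The flow section and the flow-timeouts block above describe one mechanism: five-tuple lookup, per-state timeouts, and the switch to the emergency-* timeouts followed by least-recently-seen eviction when memcap is hit. The following added example (not Suricata's own code) models that lifecycle in miniature; a fixed flow count stands in for the byte memcap, the timeout values are copied from the block above, and the recovery counter is a simplification of emergency-recovery:

```python
# Added example, not Suricata's own code: a flow count stands in for memcap.
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed subset of the page's flow-timeouts values (seconds).
FLOW_TIMEOUTS = {
    "tcp": {"new": 60, "established": 600, "emergency-new": 5, "emergency-established": 100},
    "udp": {"new": 30, "established": 300, "emergency-new": 10, "emergency-established": 100},
    "default": {"new": 30, "established": 300, "emergency-new": 10, "emergency-established": 100},
}
FlowKey = Tuple[str, str, int, str, int]   # proto, ip, port, ip, port (endpoints ordered)

def canonical_key(proto: str, src: str, sport: int, dst: str, dport: int) -> FlowKey:
    """Order the two endpoints so both directions of a connection share one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

@dataclass
class Flow:
    key: FlowKey
    origin: Tuple[str, int]   # endpoint that sent the first packet
    last_seen: float
    state: str = "new"        # "established" once the peer has answered

class FlowTable:
    def __init__(self, max_flows: int, emergency_recovery_pct: int) -> None:
        self.max_flows = max_flows          # stands in for memcap
        self.recovery_pct = emergency_recovery_pct
        self.emergency = False
        self.pruned_in_emergency = 0
        self.flows: Dict[FlowKey, Flow] = {}

    def timeout_for(self, flow: Flow) -> int:
        per_proto = FLOW_TIMEOUTS.get(flow.key[0], FLOW_TIMEOUTS["default"])
        return per_proto[("emergency-" if self.emergency else "") + flow.state]

    def prune(self, now: float) -> int:
        """Drop idle flows; in emergency mode the shorter emergency-* timeouts apply."""
        expired = [k for k, f in self.flows.items() if now - f.last_seen > self.timeout_for(f)]
        for k in expired:
            del self.flows[k]
        if self.emergency:
            # emergency-recovery: leave emergency mode once N% of the table was reclaimed.
            self.pruned_in_emergency += len(expired)
            if self.pruned_in_emergency * 100 >= self.max_flows * self.recovery_pct:
                self.emergency, self.pruned_in_emergency = False, 0
        return len(expired)

    def packet(self, now: float, proto: str, src: str, sport: int, dst: str, dport: int) -> Flow:
        key = canonical_key(proto, src, sport, dst, dport)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:
                self.prune(now)                      # normal timeouts first
            if len(self.flows) >= self.max_flows and not self.emergency:
                self.emergency = True                # then the aggressive ones
                self.prune(now)
            if len(self.flows) >= self.max_flows:    # last resort: evict the least recently seen flow
                lru = min(self.flows.values(), key=lambda f: f.last_seen)
                del self.flows[lru.key]
            flow = self.flows[key] = Flow(key, (src, sport), now)
        flow.last_seen = now
        if (src, sport) != flow.origin:
            flow.state = "established"               # peer has answered
        return flow
```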
The stream engine tracks TCP connections. It has two parts: TCP stream tracking and the reassembly engine. The former monitors the state of TCP connections and determines a complete stream; the latter reassembles the stream so that the later processing modules can understand it.
First the stream-tracking configuration. As with flow, memcap is the maximum memory this module may use. checksum-validation sets whether TCP checksums are verified; the checksum protects packet integrity, and with yes, packets whose checksum fails are dropped. max-sessions limits the number of TCP sessions so they cannot use too much memory; prealloc-sessions is the number of sessions preallocated for performance. midstream sets whether suricata may pick up a TCP connection in the middle; this happens practically every time, because when suricata starts some TCP connections are already in the established state. true allows picking up mid-stream; the default is false. async-oneside sets whether asynchronous packet handling is enabled: the two directions of a flow may sometimes travel through different routers rather than one, so the packets are not synchronized; true handles this asynchronous case, and the default is false.
The second part of the stream engine is reassembly. memcap needs no further introduction. Because reassembly is expensive and resource-hungry, depth limits it so that arbitrarily large streams are not reassembled without bound; the default is 1MB. toserver-chunk-size and toclient-chunk-size mean that inspection of the raw stream is only invoked once at least that much data has accumulated (at least, that is the literal reading):
# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 32mb                # Can be specified in kb, mb, gb. Just a
#                               # number indicates it's in bytes.
#   checksum-validation: yes    # To validate the checksum of received
#                               # packet. If csum validation is specified as
#                               # "yes", then packet with invalid csum will not
#                               # be processed by the engine stream/app layer.
#                               # Warning: locally generated traffic can be
#                               # generated without checksum due to hardware offload
#                               # of checksum. You can control the handling of checksum
#                               # on a per-interface basis via the 'checksum-checks'
#                               # option
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
#   midstream: false            # don't allow midstream session pickups
#   async-oneside: false        # don't enable async stream handling
#   inline: no                  # stream inline mode
#   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
#   bypass: no                  # Bypass packets when stream.depth is reached
#
#   reassembly:
#     memcap: 64mb              # Can be specified in kb, mb, gb. Just a number
#                               # indicates it's in bytes.
#     depth: 1mb                # Can be specified in kb, mb, gb. Just a number
#                               # indicates it's in bytes.
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size. Can be specified in kb, mb,
#                               # gb. Just a number indicates it's in bytes.
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size. Can be specified in kb, mb,
#                               # gb. Just a number indicates it's in bytes.
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
#                               # This lowers the risk of some evasion techniques but could lead
#                               # to detection changes between runs. It is set to 'yes' by default.
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
#                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
#                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
#                               # calculation for toclient-chunk-size.
#                               # Default value of randomize-chunk-range is 10.
#
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
#                               # raw is for content inspection by detection
#                               # engine.
#
#     segment-prealloc: 2048    # number of segments preallocated per thread
#
#     check-overlap-different-data: true|false
#                               # check if a segment contains different data
#                               # than what we've already seen for that
#                               # position in the stream.
#                               # This is enabled automatically if inline mode
#                               # is used or when stream-event:reassembly_overlap_different_data;
#                               # is used in a rule.
#
stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true
inline is harder to understand: does yes mean it works in IPS mode and no mean it does not? The official documentation only mentions the difference in stream tracking between IDS and IPS mode. In IDS mode suricata only reassembles the client packets it has been watching and passes them on once the server has sent an ACK; in IPS mode, because packets that match rules must be inspected and dropped in real time, a sliding window is used, and each client packet is passed on for further processing as soon as it arrives:
IDS mode
IPS mode
If you want Suricata to parse application-layer protocol packets you need to configure them: tls, ftp, smtp, ssh, http and so on. Part of the default configuration is shown below. enabled can be yes, no or detection-only: yes both parses and detects the protocol, detection-only only detects it without further parsing, and no neither detects nor parses it:
# Configure the app-layer parsers. The protocols section details each
# protocol.
#
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Completely stop processing TLS/SSL session after the handshake
      # completed. If bypass is enabled this will also trigger flow
      # bypass. If disabled (the default), TLS/SSL session is still
      # tracked for Heartbleed and other anomalies.
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    # Note: NFS parser depends on Rust support: pass --enable-rust
    # to configure.
    nfs:
      enabled: no
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
        default-config:
          personality: IDS

          # Can be specified in kb, mb, gb. Just a number indicates
          # it's in bytes.
          request-body-limit: 100kb
          response-body-limit: 100kb

          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          # response body decompression (0 disables)
          response-body-decompress-layer-limit: 2

          # auto will use http-body-inline mode in IPS mode, yes or no set it statically
          http-body-inline: auto

          # Take a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead
          # to detection changes between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If randomize-inspection-sizes is active, the value of various
          # inspection size will be chosen in the [1 - range%, 1 + range%]
          # range
          # Default value of randomize-inspection-range is 10.
          #randomize-inspection-range: 10

          # decoding
          double-decode-path: no
          double-decode-query: no

        server-config:

          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

    # Note: Modbus probe parser is minimalist due to the poor significant field
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positive
    modbus:
      # How many unreplied Modbus requests are considered a flood.
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
      #request-flood: 500

      enabled: no
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)
      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    # Note: parser depends on experimental Rust support
    # with --enable-rust-experimental passed to configure
    ntp:
      enabled: no
Because HTTP traffic is complex and common, and because its parser is a third-party library, it is described separately below.
Suricata uses the libhtp library to parse HTTP session packets. There are so many kinds of web server that suricata must handle the HTTP traffic each of them produces, and here the user can map IP addresses to web-server types. The selectable web-server personalities are listed below; the default is the IDS personality:
Minimal
Generic
IDS (default)
IIS_4_0
IIS_5_0
IIS_5_1
IIS_6_0
IIS_7_0
IIS_7_5
Apache_2
For each personality you can configure the IP addresses, the web-server type and limits on request and response sizes; the default IDS entry applies to every IP. A typical configuration follows. The first few settings are easy to understand; double-decode-path and double-decode-query need special explanation. Some attacks on web servers work by placing specific attack strings in the URI. A URI consists of five parts: scheme, host name, port (most HTTP uses port 80, so it can be omitted), path and query parameters (see Uniform Resource Locator on Wikipedia). The parts an attacker can control are the path and the query, and double-decode-path and double-decode-query make the engine check whether those two parts have been double URL-encoded (see Double Encoding on OWASP):
http:
  enabled: yes
  # memcap: 64mb

  # default-config:           Used when no server-config matches
  #   personality:            List of personalities used by default
  #   request-body-limit:     Limit reassembly of request body for inspection
  #                           by http_client_body & pcre /P option.
  #   response-body-limit:    Limit reassembly of response body for inspection
  #                           by file_data, http_server_body & pcre /Q option.
  #   double-decode-path:     Double decode path section of the URI
  #   double-decode-query:    Double decode query section of the URI
  #   response-body-decompress-layer-limit:
  #                           Limit to how many layers of compression will be
  #                           decompressed. Defaults to 2.
  #
  # server-config:            List of server configurations to use if address matches
  #   address:                List of ip addresses or networks for this block
  #   personality:            List of personalities used by this block
  #   request-body-limit:     Limit reassembly of request body for inspection
  #                           by http_client_body & pcre /P option.
  #   response-body-limit:    Limit reassembly of response body for inspection
  #                           by file_data, http_server_body & pcre /Q option.
  #   double-decode-path:     Double decode path section of the URI
  #   double-decode-query:    Double decode query section of the URI
  #
  #   uri-include-all:        Include all parts of the URI. By default the
  #                           'scheme', username/password, hostname and port
  #                           are excluded. Setting this option to true adds
  #                           all of them to the normalized uri as inspected
  #                           by http_uri, urilen, pcre with /U and the other
  #                           keywords that inspect the normalized uri.
  #                           Note that this does not affect http_raw_uri.
  #                           Also, note that including all was the default in
  #                           1.4 and 2.0beta1.
  #
  #   meta-field-limit:       Hard size limit for request and response size
  #                           limits. Applies to request line and headers,
  #                           response line and headers. Does not apply to
  #                           request or response bodies. Default is 18k.
  #                           If this limit is reached an event is raised.
  #
  # Currently Available Personalities:
  #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
  #   IIS_7_0, IIS_7_5, Apache_2
  libhtp:
    default-config:
      personality: IDS

      # Can be specified in kb, mb, gb. Just a number indicates
      # it's in bytes.
      request-body-limit: 100kb
      response-body-limit: 100kb

      # inspection limits
      request-body-minimal-inspect-size: 32kb
      request-body-inspect-window: 4kb
      response-body-minimal-inspect-size: 40kb
      response-body-inspect-window: 16kb

      # response body decompression (0 disables)
      response-body-decompress-layer-limit: 2

      # auto will use http-body-inline mode in IPS mode, yes or no set it statically
      http-body-inline: auto

      # Take a random value for inspection sizes around the specified value.
      # This lowers the risk of some evasion techniques but could lead
      # to detection changes between runs. It is set to 'yes' by default.
      #randomize-inspection-sizes: yes
      # If randomize-inspection-sizes is active, the value of various
      # inspection size will be chosen in the [1 - range%, 1 + range%]
      # range
      # Default value of randomize-inspection-range is 10.
      #randomize-inspection-range: 10

      # decoding
      double-decode-path: no
      double-decode-query: no

    server-config:

      #- apache:
      #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
      #    personality: Apache_2
      #    # Can be specified in kb, mb, gb. Just a number indicates
      #    # it's in bytes.
      #    request-body-limit: 4096
      #    response-body-limit: 4096
      #    double-decode-path: no
      #    double-decode-query: no

      #- iis7:
      #    address:
      #      - 192.168.0.0/24
      #      - 192.168.10.0/24
      #    personality: IIS_7_0
      #    # Can be specified in kb, mb, gb. Just a number indicates
      #    # it's in bytes.
      #    request-body-limit: 4096
      #    response-body-limit: 4096
      #    double-decode-path: no
      #    double-decode-query: no
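To make the effect of double-decode-path and double-decode-query concrete, here is an added example (not Suricata's or libhtp's code) of a simplified URI normalizer: one percent-decoding pass is always applied to the path and query, and a second pass only where the corresponding switch is on, so you can see which string an http_uri content match would actually inspect. The request strings are constructed; real libhtp normalization handles more cases than this (for example + and %u encodings).

```python
# Added example, not Suricata's or libhtp's code: a simplified normalizer
# showing which string a rule inspects under the double-decode switches.
from typing import Dict
from urllib.parse import unquote


def split_uri(uri: str) -> Dict[str, str]:
    """Keep only the parts the client controls, as the normalized uri does:
    path and query (scheme, host and port are not part of it)."""
    path, _, query = uri.partition("?")
    return {"path": path, "query": query}


def normalize_uri(uri: str, double_decode_path: bool = False,
                  double_decode_query: bool = False) -> str:
    """Return the URI the detection engine would inspect for the given switches.

    One percent-decoding pass is always applied; a second pass is applied only
    to the part whose double-decode-* switch is on (a simplification of libhtp).
    """
    parts = split_uri(uri)
    path, query = unquote(parts["path"]), unquote(parts["query"])
    if double_decode_path:
        path = unquote(path)
    if double_decode_query:
        query = unquote(query)
    return path + ("?" + query if parts["query"] else "")


def content_matches(uri: str, content: str, **switches: bool) -> bool:
    """Would a rule with this http_uri content match under these switches?"""
    return content in normalize_uri(uri, **switches)


# Constructed requests: the second carries the same character encoded twice,
# so a single decode still leaves %27 in the inspected string.
SINGLE_ENCODED = "/search.php?q=%27"
DOUBLE_ENCODED = "/search.php?q=%2527"

if __name__ == "__main__":
    for switches in ({}, {"double_decode_query": True}):
        print(switches, normalize_uri(DOUBLE_ENCODED, **switches),
              content_matches(DOUBLE_ENCODED, "'", **switches))
```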
ASN.1 is a standard notation for describing data and structures, widely used in telecommunications and computer networking to encode and transmit data; see Abstract Syntax Notation One on Wikipedia. This option sets the maximum number of ASN.1 frames to decode:
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256