Project

General

Profile

Actions

Feature #3122

open

action missing in packet delivered in Bypass Callback

Added by Phil Young about 2 years ago. Updated about 1 year ago.

Status:
Feedback
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

When the bypass callback is made to the capture method as the result of a rule, the packet structure delivered in the callback does not include the action. For example I have the following rule defined:

drop tcp 10.0.2.15 any -> any any (msg: "Bypass Test Rule"; classtype:protocol-command-decode; bypass; sid:1000013; rev:2;)

I get a call to my bypass-callback in the capture method when a packet matches this rule. However, the action field in the packet is always zero.

The use-case I'm trying to implement is to either block or shunt traffic - in an inline configuration - based on a particular signature. E.g. if the rule is drop/bypass the hardware will drop packets matching the sig. Similarly if the rule is pass/bypass the hardware will shut traffic to the output port without sending them to the host. I need to know the signature action in order to implement this.


Files

test.pcap (2.66 KB) test.pcap Phil Young, 09/12/2019 04:06 PM
Actions

Also available in: Atom PDF