Feature #494: ipv4 or ipv6 only rules
Status: Closed
Description
Instead of "alert ip" allow for "alert ipv4" and "alert ip4". Likewise for IPv6.
Interesting question is how this should behave with respect to address vars. If HOME_NET contains both ip4 and ip6, how should a rule like "alert ipv4 $HOME_NET..." behave? Error out? Use only the ipv4 part of the addresses?
Updated by Eric Leblond over 12 years ago
I think we should only use the matching subset. But it could trigger some funny things like a null subset. In this case, we should ERROR out.
Updated by Victor Julien over 12 years ago
Agreed. I think the rule analyzer should also display this information.
Updated by Eric Leblond over 12 years ago
Current code uses only the matching part of a variable. It does not fire an error if there is no intersection. It may be enough to have the rule analysers trigger a warning.
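The behaviour described in the comment above (only the matching family of a mixed address variable is used, and an empty intersection is flagged rather than silently accepted), as an added Python example that is not code from Suricata or from this ticket; the HOME_NET contents, the `resolve_addresses`/`parse_rule_header` helpers and the warning text are constructed for illustration.

```python
import ipaddress

# Constructed sample variables (example data, not values from the ticket):
# HOME_NET mixes IPv4 and IPv6 entries, DNS_SERVERS is IPv6-only.
ADDRESS_VARS = {
    "HOME_NET": ["192.168.0.0/16", "10.1.2.3", "2001:db8::/32", "fe80::1"],
    "DNS_SERVERS": ["2001:db8:53::1"],
}

# Protocol keyword -> address family it restricts the rule to ("ip": none).
L3_FAMILY = {"ip": None, "ipv4": 4, "ip4": 4, "ipv6": 6, "ip6": 6}
ANY_NETS = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def resolve_addresses(l3_proto, address_spec, variables=ADDRESS_VARS):
    """Expand a $VAR, 'any' or literal address and keep only the family l3_proto allows.

    Returns (networks, warning). A mixed variable is reduced to its matching
    part; an empty intersection yields a warning instead of a parse error.
    """
    if l3_proto not in L3_FAMILY:
        raise ValueError(f"unknown protocol keyword: {l3_proto}")
    if address_spec == "any":
        nets = list(ANY_NETS)
    elif address_spec.startswith("$"):
        nets = [ipaddress.ip_network(e, strict=False) for e in variables[address_spec[1:]]]
    else:
        nets = [ipaddress.ip_network(address_spec, strict=False)]
    family = L3_FAMILY[l3_proto]
    if family is not None:
        nets = [n for n in nets if n.version == family]
    warning = None
    if not nets:
        warning = f"{address_spec} has no {l3_proto} addresses; rule can never match"
    return nets, warning


def parse_rule_header(rule):
    """Return (proto, src, dst) from a header like 'alert ipv4 $HOME_NET any -> any any (...)'."""
    _action, proto, src, _sport, arrow, dst, _dport = rule.split(None, 7)[:7]
    if arrow not in ("->", "<>"):
        raise ValueError(f"bad direction token: {arrow}")
    return proto, src, dst


def rule_matches_src(rule, packet_src):
    """True if packet_src falls inside the rule's family-filtered source set."""
    proto, src, _dst = parse_rule_header(rule)
    nets, _warning = resolve_addresses(proto, src)
    ip = ipaddress.ip_address(packet_src)
    return any(ip in n for n in nets)
```

A rule analyser can call `resolve_addresses` on both the source and destination fields and surface the returned warning to the rule author.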
Updated by Eric Leblond about 12 years ago
- File 0001-sig-Add-ipv6-and-ipv4-to-list-of-protocols.patch added
- File 0002-sig-add-l3_proto-keyword.patch added
Adding the patches to the ticket.
Updated by Eric Leblond about 12 years ago
Pull request on github: https://github.com/inliniac/suricata/pull/5
Updated by Victor Julien about 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 80 to 100
Merged https://github.com/inliniac/suricata/pull/48
Thanks Eric!