Project

General

Profile

Actions

Bug #5361

closed

IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context

Added by Jason Ish 5 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 6.0

Description

Given 2 rules:

pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
drop ip any any -> any any (msg:"Drop everything else"; sid:2;)

the response packets to the HTTP flow are getting dropped by the drop rule, and not being allowed as expected. However, the return packets are passed as expected with the following rule:
pass tcp $HOME_NET any -> any 80 (sid:1;)

The different here is that $EXTERNAL_NET contains a negation, "!any" which means the rule as not processed as a pure IP only rule. Pure IP only rules have are setup such that the pass is applied to the flow. While this should happen for the IP-only-rule-with-negation, this logic is missing for this case.


Related issues 1 (0 open1 closed)

Copied to Bug #5380: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context (6.0.x backport)ClosedVictor JulienActions
Actions #1

Updated by Jason Ish 5 months ago

  • Status changed from Assigned to In Review
Actions #2

Updated by Jason Ish 4 months ago

  • Label Needs backport to 6.0 added
Actions #3

Updated by Jason Ish 4 months ago

  • Copied to Bug #5380: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context (6.0.x backport) added
Actions #4

Updated by Victor Julien 4 months ago

  • Status changed from In Review to Closed
  • Target version changed from TBD to 7.0rc1
Actions

Also available in: Atom PDF