Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context

Added by Jason Ish almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 6.0

Description

Given 2 rules:

pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
drop ip any any -> any any (msg:"Drop everything else"; sid:2;)

the response packets to the HTTP flow are getting dropped by the drop rule, and not being allowed as expected. However, the return packets are passed as expected with the following rule:
pass tcp $HOME_NET any -> any 80 (sid:1;)

The difference here is that $EXTERNAL_NET contains a negation, "!any", which means the rule is not processed as a pure IP-only rule. Pure IP-only rules are set up such that the pass is applied to the flow. While this should also happen for the IP-only rule with negation, this logic is missing for that case.
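The behaviour described above, as an added example that is not part of the bug report or of Suricata's code: a minimal Python model of per-packet versus per-flow "pass" handling in an inline IPS. The classification it uses (a pass rule with no payload keywords and no negated address counts as "pure IP-only" and its verdict is attached to the whole flow; a negated address demotes the rule to per-packet matching) is an assumption modelled on the report, not a description of Suricata internals. HOME_NET, the packet addresses and the rule variable values are constructed sample data.

```python
# Added example (not Suricata code): model of per-packet vs per-flow "pass".
# Assumption modelled on the bug report: only a pass rule without payload
# keywords and without negated addresses has its verdict applied to the flow.
import ipaddress
from dataclasses import dataclass

# Constructed sample values for the rule variables.
HOME_NET = "192.168.1.0/24"
RULE_VARS = {"$HOME_NET": HOME_NET, "$EXTERNAL_NET": "!" + HOME_NET}

# Default action order of an inline IPS: pass rules are evaluated before drop.
ACTION_ORDER = {"pass": 0, "drop": 1}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str      # "any", a CIDR, or "!CIDR"
    sport: str    # "any" or a port number
    dst: str
    dport: str
    sid: int
    has_content: bool = False   # payload keywords would make it non-IP-only

    def has_negation(self) -> bool:
        return self.src.startswith("!") or self.dst.startswith("!")

    def is_pure_ip_only(self) -> bool:
        # The modelled distinction: a negated address disqualifies the rule.
        return not self.has_content and not self.has_negation()

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and addr_match(self.src, pkt.src)
                and port_match(self.sport, pkt.sport)
                and addr_match(self.dst, pkt.dst)
                and port_match(self.dport, pkt.dport))


def addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def parse_rule(text: str) -> Rule:
    """Parse the header of a Suricata-style rule line; the option block is
    only scanned for sid and for a payload keyword (content:)."""
    header, _, options = text.partition(" (")
    action, proto, src, sport, arrow, dst, dport = header.split()
    assert arrow == "->"
    sid = next(int(o.split(":")[1]) for o in options.rstrip(");").split(";")
               if o.strip().startswith("sid:"))
    return Rule(action, proto, RULE_VARS.get(src, src), sport,
                RULE_VARS.get(dst, dst), dport, sid, "content:" in options)


def flow_key(pkt: Packet):
    # Direction-agnostic 5-tuple so both directions share one flow entry.
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto,) + tuple(ends)


def verdict(pkt: Packet, rules, flows: dict) -> str:
    key = flow_key(pkt)
    if flows.get(key) == "pass":
        return "pass"                   # flow-level pass short-circuits matching
    for rule in sorted(rules, key=lambda r: (ACTION_ORDER[r.action], r.sid)):
        if rule.matches(pkt):
            if rule.action == "pass" and rule.is_pure_ip_only():
                flows[key] = "pass"     # only a pure IP-only pass sticks to the flow
            return rule.action
    return "pass"                       # nothing matched: default allow


def simulate(rule_lines):
    """Return (verdict for the client's request packet, verdict for the
    server's reply) for a constructed HTTP flow leaving HOME_NET."""
    rules = [parse_rule(line) for line in rule_lines]
    flows = {}
    request = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    return verdict(request, rules, flows), verdict(reply, rules, flows)


if __name__ == "__main__":
    drop_all = 'drop ip any any -> any any (msg:"Drop everything else"; sid:2;)'
    print(simulate(["pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)", drop_all]))
    print(simulate(["pass tcp $HOME_NET any -> any 80 (sid:1;)", drop_all]))
```

With the negated $EXTERNAL_NET rule the request passes per packet but the reply, whose source is outside $HOME_NET, matches no pass rule and falls through to the drop rule; with the `-> any 80` variant the first packet attaches "pass" to the flow and the reply inherits it. The model deliberately does not reproduce how Suricata resolves this; it only makes the two evaluation paths the report contrasts visible.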


Related issues (1 total: 0 open, 1 closed)

Copied to Suricata - Bug #5380: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context (6.0.x backport). Status: Closed. Assignee: Victor Julien.

#1 Updated by Jason Ish almost 4 years ago

  • Status changed from Assigned to In Review

#2 Updated by Jason Ish almost 4 years ago

  • Label Needs backport to 6.0 added

#3 Updated by Jason Ish almost 4 years ago

  • Copied to Bug #5380: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context (6.0.x backport) added

#4 Updated by Victor Julien almost 4 years ago

  • Status changed from In Review to Closed
  • Target version changed from TBD to 7.0.0-beta1