Bug #5380
IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context (6.0.x backport)
Status: Closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
Given 2 rules:
pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
drop ip any any -> any any (msg:"Drop everything else"; sid:2;)
the response packets to the HTTP flow are getting dropped by the drop rule, and not being allowed as expected. However, the return packets are passed as expected with the following rule:
pass tcp $HOME_NET any -> any 80 (sid:1;)
The difference here is that $EXTERNAL_NET contains a negation, "!any", which means the rule is not processed as a pure IP-only rule. Pure IP-only rules are set up such that the pass is applied to the flow. While this should happen for the IP-only-rule-with-negation, this logic is missing for this case.
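The behaviour the ticket describes can be reproduced with a small model of the rule engine. The code below is an added illustration for this page, not Suricata's own code: it keeps only the parts that matter here (directional address/port matching with negated CIDRs, a "pure IP-only" classification, and a pass verdict that is recorded for the whole flow only when the rule is on the pure IP-only path). The $HOME_NET value, the packet addresses and the `negated_ip_only_passes_flow` switch that stands in for the fix are all assumptions made for the example; $EXTERNAL_NET is modelled as `!$HOME_NET`.

```python
"""Toy model of the IP-only pass-rule handling described in the ticket.

Written for this page as an illustration; it is not Suricata code. Rule
parsing is replaced by a dataclass, address variables are resolved to CIDR
lists, and only the flow-level pass logic is modelled.
"""
import ipaddress
from dataclasses import dataclass

# Assumed variable values, constructed for the example (not from the ticket):
HOME_NET = ["192.168.0.0/16"]
EXTERNAL_NET = ["!192.168.0.0/16"]   # !$HOME_NET, i.e. contains a negation


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flow_id: int          # both directions of a TCP session share one id


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "drop"
    src: tuple            # address spec: CIDRs, optional "!" prefix, or "any"
    dst: tuple
    dport: str            # "any" or a port number as a string
    sid: int


def addr_match(spec, ip):
    """Match ip against a CIDR list; a '!' entry excludes its range.
    With only negated entries, everything not excluded matches."""
    addr = ipaddress.ip_address(ip)
    if spec == ("any",):
        return True
    positives = [s for s in spec if not s.startswith("!")]
    negatives = [s[1:] for s in spec if s.startswith("!")]
    if any(addr in ipaddress.ip_network(n) for n in negatives):
        return False
    return not positives or any(addr in ipaddress.ip_network(p) for p in positives)


def has_negation(spec):
    return any(s.startswith("!") for s in spec)


def is_pure_ip_only(rule):
    # No payload keywords exist in this model, so the only thing that keeps a
    # rule off the pure IP-only path is a negated address (the ticket's point).
    return not (has_negation(rule.src) or has_negation(rule.dst))


def packet_matches(rule, pkt):
    """Directional ('->') match: src/dst must match as written in the rule."""
    return (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and (rule.dport == "any" or int(rule.dport) == pkt.dport))


class Engine:
    """Applies rules per packet; a matching pass rule on the IP-only path
    records a verdict for the whole flow so return packets are passed too."""

    def __init__(self, rules, negated_ip_only_passes_flow=False):
        # pass rules are evaluated before drop rules (default action order)
        self.rules = sorted(rules, key=lambda r: 0 if r.action == "pass" else 1)
        self.fixed = negated_ip_only_passes_flow   # assumed switch: behaviour after the fix
        self.flow_verdict = {}

    def verdict(self, pkt):
        if pkt.flow_id in self.flow_verdict:
            return self.flow_verdict[pkt.flow_id]
        for rule in self.rules:
            if packet_matches(rule, pkt):
                if rule.action == "pass" and (is_pure_ip_only(rule) or self.fixed):
                    self.flow_verdict[pkt.flow_id] = "pass"
                return rule.action
        return "pass"          # no rule matched: default allow


def run(pass_rule, fixed=False):
    """Return the verdicts for the client request and the server reply."""
    drop_all = Rule("drop", ("any",), ("any",), "any", 2)
    eng = Engine([pass_rule, drop_all], negated_ip_only_passes_flow=fixed)
    # constructed packets: one HTTP request and its reply on the same flow
    request = Packet("192.168.1.10", 40000, "203.0.113.5", 80, flow_id=1)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, flow_id=1)
    return eng.verdict(request), eng.verdict(reply)


# sid:1 as in the ticket: $HOME_NET any -> $EXTERNAL_NET 80 (destination negated)
NEGATED = Rule("pass", tuple(HOME_NET), tuple(EXTERNAL_NET), "80", 1)
# the ticket's variant: $HOME_NET any -> any 80 (pure IP-only)
PURE = Rule("pass", tuple(HOME_NET), ("any",), "80", 1)

if __name__ == "__main__":
    print("negated, before fix:", run(NEGATED))         # ('pass', 'drop')
    print("pure IP-only:       ", run(PURE))            # ('pass', 'pass')
    print("negated, after fix: ", run(NEGATED, True))   # ('pass', 'pass')
```

The reply packet never matches sid:1 on its own because the rule is directional and the reply's source is the external host, so without a flow-level pass it falls through to the drop-everything rule. The pure variant records the pass on the flow at the first packet and the reply inherits it; the `fixed` switch shows the negated rule behaving the same way once it is given the flow-level pass.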
Updated by Jason Ish over 2 years ago
- Copied from Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context added
Updated by Victor Julien over 2 years ago
- Assignee changed from Jason Ish to Victor Julien
Updated by Victor Julien over 2 years ago
- Status changed from In Progress to Closed