Project

General

Profile

Actions
Copy link

Bug #5380

closed

IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context (6.0.x backport)

Added by Jason Ish almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
6.0.6
Affected Versions:
6.0.5
Effort:
Difficulty:
Label:

Description

Given 2 rules:

pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
drop ip any any -> any any (msg:"Drop everything else"; sid:2;)

the response packets to the HTTP flow are getting dropped by the drop rule, and not being allowed as expected. However, the return packets are passed as expected with the following rule:
pass tcp $HOME_NET any -> any 80 (sid:1;)

The different here is that $EXTERNAL_NET contains a negation, "!any" which means the rule as not processed as a pure IP only rule. Pure IP only rules have are setup such that the pass is applied to the flow. While this should happen for the IP-only-rule-with-negation, this logic is missing for this case.

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS contextClosedJason IshActions
Actions
Copy link
 #1

Updated by Jason Ish almost 2 years ago

  • Copied from Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context added
Actions
Copy link
 #2

Updated by Victor Julien almost 2 years ago

  • Assignee changed from Jason Ish to Victor Julien
Actions
Copy link
 #4

Updated by Victor Julien almost 2 years ago

  • Status changed from In Progress to Closed
Actions
Copy link

Also available in: Atom PDF