
Feature #6063: exception-policy: stream async policy

Added by Victor Julien almost 3 years ago. Updated about 2 months ago.

Status: In Progress
Priority: Normal

Description

For streams that are using async routing, allow applying a separate exception policy.

Async detection would match the logic the async-oneside option uses today:
- Client -> Server: SYN followed by ACK matching the 3whs. SEQ of this packet would be ISN+1. If no SYN/ACK has been seen we'd be in async mode.
- Server -> Client: SYN/ACK as first packet.

In both cases we'd apply a new exception policy.

Suggested defaults:
- IDS: ignore
- IPS, async-oneside disabled: drop-packet (not drop flow as otherwise an injected packet might trigger a flow drop?)
- IPS, async-oneside enabled: ignore
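As an added illustration (not Suricata's own code) of the detection logic and the suggested defaults in the description: a small C model that tracks one flow's handshake state, flags the packet that puts the flow in async mode, and picks the policy from the engine mode and the async-oneside setting. The names flow_feed, async_policy and the sample flow are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative model (not Suricata code) of the async detection in the ticket. */
#define F_SYN 0x02
#define F_ACK 0x10
enum dir { TO_SERVER, TO_CLIENT };
enum policy { POLICY_IGNORE, POLICY_DROP_PACKET };

struct flow_state {
    bool seen_syn;       /* client->server SYN observed */
    bool seen_synack;    /* server->client SYN/ACK observed */
    bool async;          /* one direction is missing: async routing */
    uint32_t client_isn; /* SEQ of the client's SYN */
};
/* Feed one TCP segment in flow order; returns true only on the packet that
 * switches the flow to async mode, so the caller can apply the policy there. */
bool flow_feed(struct flow_state *fs, enum dir d, uint8_t flags, uint32_t seq)
{
    bool syn = (flags & F_SYN) != 0, ack = (flags & F_ACK) != 0;
    if (fs->async) return false;
    if (!fs->seen_syn) {
        if (d == TO_SERVER && syn && !ack) {         /* normal start: client SYN */
            fs->seen_syn = true; fs->client_isn = seq;
        } else if (d == TO_CLIENT && syn && ack) {   /* SYN/ACK as first packet */
            fs->async = true;
        }
    } else if (!fs->seen_synack) {
        if (d == TO_CLIENT && syn && ack)            /* 3whs step 2 seen: not async */
            fs->seen_synack = true;
        else if (d == TO_SERVER && ack && !syn && seq == fs->client_isn + 1)
            fs->async = true;                        /* 3whs ACK with no SYN/ACK seen */
    }
    return fs->async;
}
/* Suggested defaults from the ticket, keyed on mode and stream.async-oneside. */
enum policy async_policy(bool ips_mode, bool async_oneside)
{
    return (ips_mode && !async_oneside) ? POLICY_DROP_PACKET : POLICY_IGNORE;
}

int main(void)
{
    struct flow_state fs = {0};                  /* constructed sample flow */
    flow_feed(&fs, TO_SERVER, F_SYN, 1000);
    bool hit = flow_feed(&fs, TO_SERVER, F_ACK, 1001);
    printf("async=%d policy=%d\n", hit, async_policy(true, false));
    return 0;
}
```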


Subtasks 3 (2 open, 1 closed)

- Feature #6083: exception-policy: stream async policy (6.0.x backport) - Rejected
- Feature #7443: exception-policy: stream async policy (7.0.x backport) - Assigned to Juliana Fajardini Reichow
- Feature #7942: exception-policy: stream async policy (8.0.x backport) - Assigned to Juliana Fajardini Reichow

Related issues 3 (3 open, 0 closed)

- Related to Suricata - Documentation #8011: userguide: document behavior/support for stream.async-oneside - Assigned to OISF Dev
- Related to Suricata - Feature #8361: stream/tcp: add flags keyword - New, Juliana Fajardini Reichow
- Related to Suricata - Task #8339: stream/tcp: add counter(s) for stream async - In Review, Juliana Fajardini Reichow

Updated by Victor Julien almost 3 years ago #1

  • Label Needs backport to 6.0 added

Updated by OISF Ticketbot almost 3 years ago #2

  • Subtask #6083 added

Updated by OISF Ticketbot almost 3 years ago #3

  • Label deleted (Needs backport to 6.0)

Updated by Victor Julien almost 3 years ago #4

  • Target version changed from 7.0.0-rc2 to 7.0.1

Updated by Jamie Lavigne almost 3 years ago #5

I am curious about this one, could you provide some additional context on how this feature works?

I assume this is related to asymmetrically routed connections (not asynchronous) but I'm interested in how Suricata would distinguish those and whether this would support matching connections where the client-to-server side of the connection is seen by Suricata but the server-to-client side is not (i.e. what load balancers call "DSR", direct server return).

Today the existing midstream-policy matches on connections that are asymmetrically routed in the opposite way (where Suricata doesn't see the SYN) but not this one, so I'm curious if this feature is related to adding support for both directions or if it's something different.

Updated by Juliana Fajardini Reichow over 2 years ago #6

  • Target version changed from 7.0.1 to 7.0.2

Updated by Victor Julien over 2 years ago #7

  • Description updated (diff)

Updated by Jason Ish over 2 years ago #8

  • Target version changed from 7.0.2 to 7.0.3

Updated by Victor Julien over 2 years ago #9

  • Target version changed from 7.0.3 to 7.0.4

Updated by Victor Julien about 2 years ago #10

  • Target version changed from 7.0.4 to 7.0.5

Updated by Victor Julien about 2 years ago #11

  • Target version changed from 7.0.5 to 7.0.6

Updated by Victor Julien almost 2 years ago #12

  • Target version changed from 7.0.6 to 7.0.7

Updated by Jamie Lavigne almost 2 years ago #13

It's important for this feature to include flow logs (or similar) visibility so that users can use the source & dest IPs to track down asymmetric routes in their network when this policy is triggered. Without that visibility it will be a difficult experience to find and fix the routes.

Updated by Victor Julien almost 2 years ago #14

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev

Updated by Victor Julien over 1 year ago #15

  • Target version changed from 7.0.7 to 7.0.8

Updated by Victor Julien over 1 year ago #16

  • Target version changed from 7.0.8 to 7.0.9

Updated by Juliana Fajardini Reichow over 1 year ago #17

  • Target version changed from 7.0.9 to 8.0.0-beta1
  • Label Needs backport to 7.0 added

As we were lacking a ticket for master, adjusting target and label.

Was mentioned in: https://github.com/OISF/suricata/pull/12167

Updated by OISF Ticketbot over 1 year ago #18

  • Subtask #7443 added

Updated by OISF Ticketbot over 1 year ago #19

  • Label deleted (Needs backport to 7.0)

Updated by Victor Julien about 1 year ago #20

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

Updated by Jamie Lavigne 7 months ago #21

Searchable keyword: firewall

Updated by Jamie Lavigne 7 months ago #22

Could we abandon the 7.0 backport task in favor of a 8.0 backport task? This remains something we are waiting to use.

Updated by Juliana Fajardini Reichow 7 months ago #23

  • Label Needs backport to 8.0 added

Jamie Lavigne wrote in #note-22:

Could we abandon the 7.0 backport task in favor of a 8.0 backport task? This remains something we are waiting to use.

I think we didn't have a label for backporting to 8 yet because of the branches transition. Added that now.

Updated by OISF Ticketbot 7 months ago #24

  • Subtask #7942 added

Updated by OISF Ticketbot 7 months ago #25

  • Label deleted (Needs backport to 8.0)

Updated by Juliana Fajardini Reichow 7 months ago #26

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
  • Label Needs backport to 8.0 added

Updated by Juliana Fajardini Reichow 7 months ago #27

  • Label deleted (Needs backport to 8.0)

Updated by Juliana Fajardini Reichow 6 months ago #28

  • Related to Documentation #8011: userguide: document behavior/support for stream.async-oneside added

Updated by Juliana Fajardini Reichow about 2 months ago #29

  • Status changed from Assigned to In Progress

To be worked on this cycle.

Updated by Juliana Fajardini Reichow about 2 months ago #30

Updated by Juliana Fajardini Reichow about 2 months ago #31

  • Related to Task #8339: stream/tcp: add counter(s) for stream async added