Feature #6063
open
exception-policy: stream async policy
Added by Victor Julien over 1 year ago.
Updated about 1 month ago.
Description
For streams that are using async routing, allow applying a separate exception policy.
Async detection would match the logic the async-oneside option uses today:
Client -> Server: SYN followed by ACK matching the 3whs. SEQ of this packet would be ISN+1. If no SYN/ACK has been seen we’d be in async mode.
Server -> Client: SYN/ACK as first packet.
In both cases we'd apply a new exception policy.
Suggested defaults:
- IDS: ignore
- IPS, async-oneside disabled: drop-packet (not drop flow as otherwise an injected packet might trigger a flow drop?)
- IPS, async-oneside enabled: ignore
- Label Needs backport to 6.0 added
- Label deleted (
Needs backport to 6.0)
- Target version changed from 7.0.0-rc2 to 7.0.1
I am curious about this one, could you provide some additional context on how this feature works?
I assume this is related to asymmetrically routed connections (not asynchronous) but I'm interested in how suricata would distinguish those and whether this would support matching connections where the client-to-server side of the connection is seen by suricata but the server-to-client side is not (i.e. what load balancers call "DSR", direct server return).
Today the existing midstream-policy matches on connections that are asymmetrically routed in the opposite way (where suricata doesn't see the SYN) but not this one, so I'm curious if this feature is related to adding support for both directions or if it's something different.
- Target version changed from 7.0.1 to 7.0.2
- Description updated (diff)
- Target version changed from 7.0.2 to 7.0.3
- Target version changed from 7.0.3 to 7.0.4
- Target version changed from 7.0.4 to 7.0.5
- Target version changed from 7.0.5 to 7.0.6
- Target version changed from 7.0.6 to 7.0.7
It's important for this feature to include flow logs (or similar) visibility so that users can use the source & dest IPs to track down asymmetric routes in their network when this policy is triggered. Without that visibility it will be a difficult experience to find and fix the routes.
- Assignee changed from Juliana Fajardini Reichow to OISF Dev
- Target version changed from 7.0.7 to 7.0.8
- Target version changed from 7.0.8 to 7.0.9
Also available in: Atom
PDF