Bug #75
closedDrop verdict should override alert verdict in inline mode.
Description
If a packet matches on more than one rule the last verdict parsed is the verdict that is set. For example with this request.
http://www.google.com/applesoranges
I get the following two alerts.
01/28/10-03:44:00.772119 [**] [1:2000:0] apples [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:40674 -> 74.125.95.147:80
01/28/10-03:44:00.772119 [**] [1:2001:0] oranges [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:40674 -> 74.125.95.147:80
If the following rules are loaded in this order then no packets are dropped.
drop tcp any any -> any any (msg:"apples"; uricontent:"apples"; sid:2000;)
alert tcp any any -> any any (msg:"oranges"; uricontent:"oranges"; sid:2001;)
If rules are loaded in this order
alert tcp any any -> any any (msg:"oranges"; uricontent:"oranges"; sid:2001;)
drop tcp any any -> any any (msg:"apples"; uricontent:"apples"; sid:2000;)
The packet is indeed dropped. The default mode of operation should be that drop/reject/sdrop overrides alert. Perhaps we can add an option to make this order user configurable.
Files
Updated by Victor Julien almost 15 years ago
I'm thinking the action would probably better be implemented as a flags field where "drop", "alert", "reject", etc are flags that can be set simultaneously.
Updated by Pablo Rincon almost 15 years ago
- File 0001-Changing-the-veredict-actions-to-flags-to-allow-simu.patch 0001-Changing-the-veredict-actions-to-flags-to-allow-simu.patch added
Adapting to bit level flags instead of enums.
Updated by Pablo Rincon almost 15 years ago
- File 0002-Adapting-ipfw-to-use-cations-as-flags-not-as-enums.patch 0002-Adapting-ipfw-to-use-cations-as-flags-not-as-enums.patch added
Adding patch for the next ipfw support (if apply)
Updated by Victor Julien almost 15 years ago
- Status changed from Assigned to Closed
- % Done changed from 80 to 100
Couldn't get the 0002 patch to apply so did the changes manually. 0001 is applied, 0002's changes are as well. Thanks Pablo.