Project

General

Profile

Actions
Copy link

Bug #7653

closed
VJ VJ

ips: deconflict pass flow and drop packet rules

Bug #7653: ips: deconflict pass flow and drop packet rules

Added by Victor Julien about 1 year ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-rc1
Affected Versions:
Effort:
Difficulty:
Label:

Description

drop tcp [10.0.0.0/16] any -> any any (flow: to_server, established; sid:1;)
pass tls any any -> any any (ssl_state:client_hello; tls.sni; content:"google.com"; dotprefix; nocase; flow: to_server, established; sid:2;)

If on the client hello packet both rules match, the drop action is applied to the packet. However since the match of sid 1 isn't terminating, the flow action from sid 2 is also applied.

I broadly see 2 options:
- just stop after the first drop match
- deconflict, so if a drop rule matched first, ignore pass rules

Subtasks 1 (0 open1 closed)

Bug #7663: ips: deconflict pass flow and drop packet rules (7.0.x backport)ClosedVictor JulienActions

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #1

  • Status changed from Assigned to Resolved
  • Label Needs backport to 7.0 added

OT Updated by OISF Ticketbot about 1 year ago Actions
Copy link
 #2

  • Subtask #7663 added

OT Updated by OISF Ticketbot about 1 year ago Actions
Copy link
 #3

  • Label deleted (Needs backport to 7.0)

PA Updated by Philippe Antoine 11 months ago Actions
Copy link
 #4

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: PDF Atom