Feature #7704: firewall: allow single packet rule to accept tcp connection - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #7704

open

firewall: allow single packet rule to accept tcp connection

Added by Victor Julien 4 days ago.

Status:

Feedback

Priority:

Normal

Assignee:

Victor Julien

Target version:

TBD

Effort:

Difficulty:

Label:

Description

The idea here is to allow a single rule to express:
- accept:hook
- directionality of connection initiator
- tcp state (3whs, established, etc)
- match opposing side as well

Currently we can have

accept:hook tcp:all $HOME_NET any <> ... 22 (flow:not_established;)
accept:hook tcp:all $HOME_NET any <> ... 22 (flow:established;)
But this doesn't enforce the direction of the 3whs.

One can also create a more complex ruleset like

accept:hook tcp:all $HOME_NET any -> any 22 (flags:S;)
accept:hook tcp:all any 22 -> $HOME_NET any (flags:SA;)
accept:hook tcp:all $HOME_NET any -> any 22 (flags:A; flow:not_established;)
accept:hook tcp:all $HOME_NET any <> any 22 (flow:established;)

The idea is to allow proper TCP setup, directionality, bidirectionality, all in one rule. E.g. something like:

accept:hook tcp:all $HOME_NET any \
     => \ # <- similar to txdir
     any 22 \
     (tcp.session:setup,established;) # < allow 3whs, tfo, etc.

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #7704

firewall: allow single packet rule to accept tcp connection

Updated by Victor Julien 3 days ago