Feature #7705
openfirewall: allow single rule to accept protocol detection in progress and the final protocol
Description
Currently 2 rules are needed to accept packet rules that enforce that a protocol is running on a port.
e.g.
# allow all packets while protocol detection is running
accept:hook tcp:all any any <> any 22 (app-layer-protocol:unknown; alert; sid:1000;)
# then when detected a protocol, only allow ssh
accept:hook tcp:all any any <> any 22 (app-layer-protocol:ssh; alert; sid:1001;)
It would be good to be able to express this in a single rule.
e.g. something like:
accept:hook tcp:all any any <> any 22 (app-layer-protocol:unknown,ssh; alert; sid:1000;)
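As an added illustration (not code from the Suricata project or from the issue author), the following Python model shows what the two current rules do per packet as detection on a port-22 flow progresses, and that the proposed single rule with a comma-separated protocol list would give the same verdicts. The comma-separated value parsing follows the "something like" proposal above and is an assumption; the accept-if-any-rule-matches-else-drop evaluation and the flows are constructed for the example.

```python
# Added example, not Suricata code: a model of app-layer-protocol matching
# for the two-rule form used today versus the proposed single-rule form.
# Assumed: a comma-separated value list ("unknown,ssh") means "match if the
# flow's protocol state is any of these"; a rule set accepts a packet when
# any rule matches and otherwise falls through to a default drop.
from typing import Iterable, List, Optional, Sequence, Set

UNKNOWN = "unknown"  # detection still in progress


def parse_app_layer_protocol(value: str) -> Set[str]:
    """Parse an app-layer-protocol keyword value into a set of names.

    "ssh" -> {"ssh"} (current syntax); "unknown,ssh" -> {"unknown", "ssh"}
    (the proposed list syntax, an assumption of this example).
    """
    names = {part.strip().lower() for part in value.split(",")}
    names.discard("")
    if not names:
        raise ValueError("app-layer-protocol needs at least one protocol name")
    return names


def rule_matches(rule_protocols: Set[str], detected: Optional[str]) -> bool:
    """A rule matches when the flow's current protocol state is in its list.

    detected=None models a flow whose protocol is not yet known, which the
    keyword addresses by the name "unknown".
    """
    current = UNKNOWN if detected is None else detected.lower()
    return current in rule_protocols


def verdict(rule_set: Sequence[Set[str]], detected: Optional[str]) -> str:
    """Accept if any rule in the set matches, else the default drop."""
    return "accept" if any(rule_matches(r, detected) for r in rule_set) else "drop"


def verdicts_for_flow(rule_set: Sequence[Set[str]],
                      flow: Iterable[Optional[str]]) -> List[str]:
    """Per-packet verdicts; `flow` lists the detected protocol at each
    packet, None until detection has completed."""
    return [verdict(rule_set, detected) for detected in flow]


# The two rules the issue says are needed today (sid:1000 and sid:1001).
CURRENT_RULES = [parse_app_layer_protocol("unknown"),
                 parse_app_layer_protocol("ssh")]

# The proposed single rule.
PROPOSED_RULE = [parse_app_layer_protocol("unknown,ssh")]

# Constructed flows (detection state per packet), not captured traffic.
SSH_FLOW = [None, None, "ssh", "ssh"]     # ssh detected at the third packet
HTTP_FLOW = [None, None, "http", "http"]  # something else detected on port 22


def equivalent_on(flow: Sequence[Optional[str]]) -> bool:
    """True when the two-rule and one-rule forms give identical verdicts."""
    return (verdicts_for_flow(CURRENT_RULES, flow)
            == verdicts_for_flow(PROPOSED_RULE, flow))


if __name__ == "__main__":
    for name, flow in (("ssh", SSH_FLOW), ("http", HTTP_FLOW)):
        print(name, "two rules:", verdicts_for_flow(CURRENT_RULES, flow))
        print(name, "one rule: ", verdicts_for_flow(PROPOSED_RULE, flow))
```

Run as a script it prints the per-packet verdicts for both flows; both rule forms accept the ssh flow throughout, and both accept the http flow only while detection is still in progress and drop it once a non-ssh protocol is detected, which is the behaviour the single rule is meant to preserve.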
Updated by Victor Julien 3 days ago
- Related to Feature #7704: firewall: allow single packet rule to accept tcp connection added