Feature #7705

open

firewall: allow single rule to accept protocol detection in progress and the final protocol

Added by Victor Julien 3 days ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Currently two rules are needed to write packet rules that accept traffic only if a given protocol is running on a port.

e.g.

# allow all packets while protocol detection is running
accept:hook tcp:all any any <> any 22 (app-layer-protocol:unknown; alert; sid:1000;)
# then, once a protocol has been detected, only allow ssh
accept:hook tcp:all any any <> any 22 (app-layer-protocol:ssh; alert; sid:1001;)

It would be good to be able to express this in a single rule.

e.g. something like:

accept:hook tcp:all any any <> any 22 (app-layer-protocol:unknown,ssh; alert; sid:1000;)
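As an added illustration (not Suricata code and not part of this issue), the proposed comma-separated form can be pre-expanded into the pair of rules Suricata accepts today. It assumes the generated rules get consecutive sids starting from the original one, and that no option value contains a literal ';'.

```python
import re

# Constructed sample written in the proposed (not yet supported) syntax from the issue.
PROPOSED_RULE = ("accept:hook tcp:all any any <> any 22 "
                 "(app-layer-protocol:unknown,ssh; alert; sid:1000;)")

# header up to the first '(' and the option list between the parentheses
RULE_RE = re.compile(r"^(?P<header>[^(]+)\((?P<options>.*)\)\s*$")


def expand_rule(rule: str, sid_stride: int = 1) -> list[str]:
    """Expand 'app-layer-protocol:a,b,...' into one rule per protocol.

    Each generated rule keeps every other option unchanged and gets a
    distinct sid (assumption: original sid + n * sid_stride). A rule that
    already names a single protocol is returned unchanged.
    """
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a rule with an option block: {rule!r}")
    header = m.group("header").rstrip()
    # simple splitter: assumes no ';' inside quoted option values
    options = [o.strip() for o in m.group("options").split(";") if o.strip()]

    protos, proto_idx, sid, sid_idx = None, None, None, None
    for i, opt in enumerate(options):
        key, _, val = opt.partition(":")
        if key == "app-layer-protocol":
            protos, proto_idx = [p.strip() for p in val.split(",")], i
        elif key == "sid":
            sid, sid_idx = int(val), i
    if protos is None or sid is None:
        raise ValueError("rule needs both app-layer-protocol and sid options")
    if len(protos) == 1:
        return [rule.strip()]

    expanded = []
    for n, proto in enumerate(protos):
        opts = list(options)
        opts[proto_idx] = f"app-layer-protocol:{proto}"
        opts[sid_idx] = f"sid:{sid + n * sid_stride}"
        expanded.append(f"{header} (" + " ".join(o + ";" for o in opts) + ")")
    return expanded


if __name__ == "__main__":
    for r in expand_rule(PROPOSED_RULE):
        print(r)
```

Run on the sample above it prints exactly the two rules shown earlier in the description.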

Related issues: 1 (1 open, 0 closed)

Related to Suricata - Feature #7704: firewall: allow single packet rule to accept tcp connection (Feedback, Victor Julien)
