Task #8388: firewall: support protocol hooks for all app-layer protocols

Feature #8394: firewall: support NTP hook states for firewall rule evaluation

Added by Yash Datre 26 days ago. Updated 13 days ago.

Status: New
Priority: High
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

NTP is a fundamental network protocol present in virtually all environments. In Suricata 8.0.4, NTP app-layer hook states are not registered for firewall mode. Attempting to use any ntp:* hook in a firewall rule fails with the error: "protocol ntp does not support hook".

Without NTP hooks, NTP traffic on UDP port 123 can only be controlled at the packet layer. While packet-layer rules (accept:hook udp:all any any <> any 123) can accept NTP packets, the app-layer parser still engages and the flow may be subject to default_app_policy behavior. Registering NTP hooks would allow the firewall engine to make explicit accept/drop decisions at the application layer, consistent with how other protocols (DNS, TLS, HTTP1) are handled.

Potential NTP states:
  • Client request sent
  • Server response received
  • Synchronized
  • Kiss-o'-Death received
  • Unsynchronized
  • Symmetric active/passive
  • Broadcast mode

These states should be mapped to firewall hook points. At minimum, a request/response pair would enable basic firewall control. Additional hooks for Kiss-o'-Death and broadcast mode would allow more granular policy enforcement.


Subtasks (3 open, 0 closed)

  • Feature #8429: rules: add ntp.mode keyword (New, Jason Ish)
  • Feature #8430: rules: add ntp.version keyword (New, Jason Ish)
  • Feature #8431: rules: add ntp.stratum keyword (New, Jason Ish)

Updated by Victor Julien 25 days ago (#1)

  • Tracker changed from Bug to Feature
  • Subject changed from Firewall mode: Register NTP hook states for firewall rule evaluation to firewall: support NTP hook states for firewall rule evaluation
  • Assignee set to OISF Dev
  • Priority changed from Normal to High
  • Target version changed from TBD to 9.0.0-beta1
  • Affected Versions deleted (8.0.4)

Updated by Victor Julien 25 days ago (#2)

  • Parent task set to #8388

Updated by Yash Datre 18 days ago · Edited (#3)

The proposed states in the ticket (Kiss-o'-Death, broadcast mode, symmetric active/passive, etc.) don't need to be separate hook states — they can all be expressed as keyword matches on the existing hooks. For example, ntp.stratum:0 at ntp:response_complete covers Kiss-o'-Death, ntp.mode:5 covers broadcast, and ntp.mode:1 covers symmetric active. Adding ntp.mode, ntp.version, and ntp.stratum as detection keywords eliminates the need for protocol-specific hook states entirely. These are the same fields that ET Pro rules already inspect via raw byte_test for NTP DDoS/amplification detection — native keywords would replace fragile byte-level matching and benefit both firewall and IDS rule authors.
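Comment #3 reduces the state list in the description to three header fields. The Python below is an added example written for this page, not Suricata code and not code from this ticket: it decodes the fixed 48-byte NTP header, evaluates the proposed ntp.mode / ntp.version / ntp.stratum keywords as exact-value matches against a packet, and maps packets onto the states named in the description. The keyword names are taken from comment #3; the packets are constructed; and the state mapping (stratum 0 in a mode-4 server packet read as Kiss-o'-Death, leap indicator 3 or stratum 16 read as unsynchronized) is this example's own reading of RFC 5905, not something the ticket specifies.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

# Mode values from RFC 5905, section 7.3 (the field the proposed ntp.mode keyword would expose).
MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}
LI_UNSYNCHRONIZED = 3  # leap indicator 3: clock unsynchronized (RFC 5905, figure 9)


@dataclass(frozen=True)
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    ref_id: bytes


def parse_ntp_header(data: bytes) -> NtpHeader:
    """Decode the fixed 48-byte NTP header; raise ValueError on a truncated packet."""
    if len(data) < 48:
        raise ValueError(f"NTP header needs 48 bytes, got {len(data)}")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", data[:4])
    return NtpHeader(
        leap=(li_vn_mode >> 6) & 0x3,
        version=(li_vn_mode >> 3) & 0x7,
        mode=li_vn_mode & 0x7,
        stratum=stratum,
        poll=poll,
        precision=precision,
        ref_id=data[12:16],  # reference ID; carries the ASCII kiss code in a KoD packet
    )


def build_ntp(leap: int, version: int, mode: int, stratum: int,
              ref_id: bytes = b"\x00" * 4, poll: int = 6, precision: int = -20) -> bytes:
    """Assemble a minimal 48-byte NTP packet (constructed test input; timestamps zeroed)."""
    first = ((leap & 0x3) << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    head = struct.pack("!BBbb", first, stratum, poll, precision)
    root_delay_and_dispersion = b"\x00" * 8
    timestamps = b"\x00" * 32
    return head + root_delay_and_dispersion + ref_id + timestamps


def matches(hdr: NtpHeader, keywords: dict) -> bool:
    """Evaluate the proposed keywords (ntp.mode, ntp.version, ntp.stratum) as exact-value matches."""
    fields = {"ntp.mode": hdr.mode, "ntp.version": hdr.version, "ntp.stratum": hdr.stratum}
    return all(fields[name] == value for name, value in keywords.items())


def kiss_code(hdr: NtpHeader) -> Optional[str]:
    """Return the printable kiss code from ref_id of a stratum-0 server packet, else None."""
    if hdr.mode != 4 or hdr.stratum != 0:
        return None
    try:
        code = hdr.ref_id.decode("ascii")
    except UnicodeDecodeError:
        return None
    return code if code.isprintable() else None


def classify(hdr: NtpHeader) -> list:
    """Map a header onto the states listed in the ticket description, using mode, stratum and leap."""
    states = []
    if hdr.mode == 3:
        states.append("client request")
    if hdr.mode == 4:
        states.append("server response")
    if hdr.mode in (1, 2):
        states.append("symmetric active/passive")
    if hdr.mode == 5:
        states.append("broadcast")
    # Only a server or broadcast packet says anything about the sender's clock state.
    if hdr.mode in (4, 5):
        if hdr.mode == 4 and hdr.stratum == 0:
            states.append("kiss-o'-death")
        elif hdr.leap == LI_UNSYNCHRONIZED or not (1 <= hdr.stratum <= 15):
            states.append("unsynchronized")
        else:
            states.append("synchronized")
    return states


# Constructed packets covering the states from the description.
PKT_CLIENT = build_ntp(leap=0, version=4, mode=3, stratum=0)
PKT_KOD = build_ntp(leap=0, version=4, mode=4, stratum=0, ref_id=b"RATE")
PKT_BROADCAST = build_ntp(leap=0, version=4, mode=5, stratum=2)
PKT_UNSYNC = build_ntp(leap=3, version=4, mode=4, stratum=16)
PKT_SYMMETRIC = build_ntp(leap=0, version=3, mode=1, stratum=3)

if __name__ == "__main__":
    for name, pkt in [("client", PKT_CLIENT), ("kod", PKT_KOD), ("broadcast", PKT_BROADCAST),
                      ("unsync", PKT_UNSYNC), ("symmetric", PKT_SYMMETRIC)]:
        hdr = parse_ntp_header(pkt)
        print(name, MODE_NAMES[hdr.mode], classify(hdr), kiss_code(hdr))
```

Note that the constructed client packet also carries stratum 0, so `{"ntp.stratum": 0}` matches it as well as the Kiss-o'-Death response; a stratum:0 match only identifies Kiss-o'-Death when it is evaluated on server responses, which is why comment #3 pairs it with ntp:response_complete.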

Updated by Victor Julien 17 days ago (#4)

  • Subtask #8429 added

Updated by Victor Julien 17 days ago (#5)

  • Subtask #8430 added

Updated by Victor Julien 17 days ago (#6)

  • Subtask #8431 added

Updated by Jason Ish 13 days ago (#7)

  • Assignee changed from OISF Dev to Jason Ish