Task #8388: firewall: support protocol hooks for all app-layer protocols

Feature #8394: firewall: support NTP hook states for firewall rule evaluation

Feature #8429: rules: add ntp.mode keyword

Added by Victor Julien about 2 months ago. Updated 28 days ago.

Status: Closed
Priority: High

Description

The proposed states in the ticket (Kiss-o'-Death, broadcast mode, symmetric active/passive, etc.) don't need to be separate hook states — they can all be expressed as keyword matches on the existing hooks. For example, ntp.stratum:0 at ntp:response_complete covers Kiss-o'-Death, ntp.mode:5 covers broadcast, and ntp.mode:1 covers symmetric active. Adding ntp.mode, ntp.version, and ntp.stratum as detection keywords eliminates the need for protocol-specific hook states entirely. These are the same fields that ET Pro rules already inspect via raw byte_test for NTP DDoS/amplification detection — native keywords would replace fragile byte-level matching and benefit both firewall and IDS rule authors.

ntp.mode should probably be an int keyword with name mapping.
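As an added illustration of what the description proposes (this is example code written for this page, not Suricata's own implementation), the block below parses the fixed NTP header from RFC 5905, evaluates ntp.mode, ntp.version and ntp.stratum as an int keyword with a name mapping, and runs the three rule-style conditions named in the ticket over constructed sample packets. The mode names, the rule list, and the request/response split used to stand in for the ntp:request_complete / ntp:response_complete hooks are assumptions made for the example; the constructed client-request sample shows why the Kiss-o'-Death condition has to be tied to the response hook, since stratum 0 is also normal in a client request.

```python
"""Parse the fixed NTP header (RFC 5905) and evaluate rule-style keyword
matches over it. Added example for this ticket; not Suricata code."""
import struct
from dataclasses import dataclass

# Mode values from RFC 5905 section 7.3. The names are the kind of mapping
# the ticket proposes for an int keyword with name mapping (names assumed).
NTP_MODE_NAMES = {
    0: "reserved", 1: "symmetric_active", 2: "symmetric_passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}
NTP_MODE_BY_NAME = {name: mode for mode, name in NTP_MODE_NAMES.items()}


@dataclass(frozen=True)
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    reference_id: bytes  # carries the kiss code (e.g. b"RATE") when stratum is 0


def parse_ntp_header(payload: bytes) -> NtpHeader:
    """Decode the first 16 bytes of an NTP packet: LI/VN/Mode, stratum, poll,
    precision, root delay, root dispersion and reference ID."""
    if len(payload) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    flags, stratum, _poll, _prec, _rdelay, _rdisp, ref_id = struct.unpack(
        "!BBbbII4s", payload[:16])
    return NtpHeader(leap=flags >> 6, version=(flags >> 3) & 0x7,
                     mode=flags & 0x7, stratum=stratum, reference_id=ref_id)


def match_keyword(hdr: NtpHeader, keyword: str, value: str) -> bool:
    """Evaluate ntp.mode / ntp.version / ntp.stratum the way an int keyword
    with a name mapping would: ntp.mode accepts both "5" and "broadcast"."""
    if keyword == "ntp.mode":
        wanted = NTP_MODE_BY_NAME.get(value)
        return hdr.mode == (int(value) if wanted is None else wanted)
    if keyword == "ntp.version":
        return hdr.version == int(value)
    if keyword == "ntp.stratum":
        return hdr.stratum == int(value)
    raise KeyError(f"unknown keyword {keyword}")


def hook_for(hdr: NtpHeader) -> str:
    """Assumed stand-in for the protocol hooks: server, broadcast and
    symmetric-passive packets flow server->client and count as responses."""
    return "response" if hdr.mode in (2, 4, 5) else "request"


# The ticket's conditions as (rule name, required hook or None, keyword matches).
RULES = [
    ("kiss-o-death", "response", [("ntp.stratum", "0")]),
    ("broadcast", None, [("ntp.mode", "broadcast")]),
    ("symmetric-active", None, [("ntp.mode", "1")]),
]


def classify(payload: bytes) -> list:
    """Return the names of all rules whose hook and keyword matches hold."""
    hdr = parse_ntp_header(payload)
    return [name for name, hook, conds in RULES
            if (hook is None or hook == hook_for(hdr))
            and all(match_keyword(hdr, k, v) for k, v in conds)]


def build_packet(version: int, mode: int, stratum: int,
                 ref_id: bytes = b"\0\0\0\0", leap: int = 0) -> bytes:
    """Constructed sample packet: header fields plus zeroed timestamps."""
    flags = (leap << 6) | (version << 3) | mode
    return struct.pack("!BBbbII4s", flags, stratum, 6, -20, 0, 0, ref_id) + b"\0" * 32


# Constructed samples (not captured traffic).
KOD_RESPONSE = build_packet(4, 4, 0, b"RATE")  # server reply, stratum 0, kiss code RATE
BROADCAST = build_packet(4, 5, 2)               # broadcast mode, stratum 2
SYM_ACTIVE = build_packet(4, 1, 3)              # symmetric active peer
CLIENT_REQUEST = build_packet(4, 3, 0)          # stratum 0 in a request is normal, not KoD

if __name__ == "__main__":
    for label, pkt in [("kod", KOD_RESPONSE), ("broadcast", BROADCAST),
                       ("sym_active", SYM_ACTIVE), ("client", CLIENT_REQUEST)]:
        print(label, parse_ntp_header(pkt), classify(pkt))
```

The three rule conditions use only the header fields the ticket names, which is the point of the proposal: once ntp.mode, ntp.version and ntp.stratum exist as keywords, the same checks that ET Pro rules express with byte_test offsets become plain keyword matches tied to a hook.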


Related issues (1 closed)

  • Related to Suricata - Feature #8425: ntp: add ntp transaction logging (Closed, Jason Ish)

#1 Updated by Victor Julien about 2 months ago

  • Related to Feature #8425: ntp: add ntp transaction logging added

#2 Updated by Jason Ish about 2 months ago

  • Assignee set to Jason Ish

#3 Updated by Jason Ish about 1 month ago

  • Status changed from New to In Progress

#4 Updated by Jason Ish about 1 month ago

  • Status changed from In Progress to In Review

#5 Updated by Jason Ish 28 days ago

  • Status changed from In Review to Closed