Feature #8430


Task #8388: firewall: support protocol hooks for all app-layer protocols

Feature #8394: firewall: support NTP hook states for firewall rule evaluation


Feature #8430: rules: add ntp.version keyword

Added by Victor Julien 27 days ago. Updated 7 days ago.

Status: In Review
Priority: High
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

The proposed states in the ticket (Kiss-o'-Death, broadcast mode, symmetric active/passive, etc.) don't need to be separate hook states — they can all be expressed as keyword matches on the existing hooks. For example, ntp.stratum:0 at ntp:response_complete covers Kiss-o'-Death, ntp.mode:5 covers broadcast, and ntp.mode:1 covers symmetric active. Adding ntp.mode, ntp.version, and ntp.stratum as detection keywords eliminates the need for protocol-specific hook states entirely. These are the same fields that ET Pro rules already inspect via raw byte_test for NTP DDoS/amplification detection — native keywords would replace fragile byte-level matching and benefit both firewall and IDS rule authors.

ntp.version should be an int keyword.
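The field mapping the description relies on, as an added example that is not Suricata's code or part of this ticket: a decoder for the NTP header byte that packs LI, VN and mode (plus the stratum byte), a data-driven evaluator for the three example matches from the description, and a masked-byte comparison that models what a byte_test rule has to do today. The packets are constructed, the rule representation and the mode-to-hook mapping (modes 2, 4 and 5 treated as server-to-client traffic) are assumptions of this example, and `masked_byte_equals` is a simplified model of a masked byte comparison, not Suricata's byte_test implementation.

```python
"""Decode the NTP fields behind the proposed ntp.version / ntp.mode / ntp.stratum
keywords and evaluate the ticket's example matches against constructed packets.
Added example; not Suricata code."""
from __future__ import annotations

NTP_HEADER_LEN = 48  # RFC 5905 fixed header: no extension fields, no MAC

# Association modes from RFC 5905 (mode 7 is the implementation-specific one).
MODE_NAMES = {
    0: "reserved", 1: "symmetric_active", 2: "symmetric_passive", 3: "client",
    4: "server", 5: "broadcast", 6: "control", 7: "private",
}


def build_ntp(version: int, mode: int, stratum: int, li: int = 0,
              refid: bytes = b"\x00" * 4) -> bytes:
    """Construct a minimal 48-byte NTP packet (poll=6, precision=-20, timestamps zero)."""
    first = ((li & 0x3) << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return bytes([first, stratum & 0xFF, 6, 0xEC]) + b"\x00" * 8 + refid + b"\x00" * 32


def parse_ntp_header(pkt: bytes) -> dict:
    """Extract LI, VN, mode, stratum and reference ID.

    Byte 0 packs three fields: LI (bits 7-6), VN (bits 5-3), mode (bits 2-0).
    A byte_test rule has to mask and shift this byte itself; a native keyword
    hides that arithmetic from the rule author.
    """
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError(f"NTP header needs {NTP_HEADER_LEN} bytes, got {len(pkt)}")
    first = pkt[0]
    return {
        "li": (first >> 6) & 0x3,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": pkt[1],
        # Kiss-o'-Death responses carry a 4-character ASCII kiss code here.
        "refid": pkt[12:16],
    }


def hook_for(fields: dict) -> str:
    """Assumed mapping of association mode to the hook a packet would fire on."""
    return "ntp:response_complete" if fields["mode"] in (2, 4, 5) else "ntp:request_complete"


# The three cases from the ticket, written as (hook or None, keyword conditions, label).
RULES = [
    ("ntp:response_complete", {"stratum": 0}, "kiss_o_death"),
    (None, {"mode": 5}, "broadcast"),
    (None, {"mode": 1}, "symmetric_active"),
]


def match_rules(pkt: bytes) -> list[str]:
    """Return the labels of every rule whose hook and keyword conditions match."""
    fields = parse_ntp_header(pkt)
    hook = hook_for(fields)
    labels = []
    for rule_hook, conditions, label in RULES:
        if rule_hook is not None and rule_hook != hook:
            continue
        if all(fields[key] == value for key, value in conditions.items()):
            labels.append(label)
    return labels


def masked_byte_equals(pkt: bytes, offset: int, mask: int, value: int) -> bool:
    """Model of the raw comparison a byte_test-style rule performs today.

    Matching NTP version 4 this way means knowing that VN occupies bits 5-3,
    so the mask is 0x38 and the expected masked value is 4 << 3 == 0x20.
    """
    return (pkt[offset] & mask) == value


if __name__ == "__main__":
    kod = build_ntp(4, 4, 0, refid=b"RATE")          # server reply, stratum 0, kiss code RATE
    for name, pkt in [("kod", kod), ("broadcast", build_ntp(4, 5, 2)),
                      ("sym_active", build_ntp(3, 1, 3)), ("client", build_ntp(4, 3, 0))]:
        f = parse_ntp_header(pkt)
        print(f"{name:10s} v{f['version']} mode={MODE_NAMES[f['mode']]:17s} "
              f"stratum={f['stratum']} -> {match_rules(pkt)}")
```

The last constructed packet is a client request with stratum 0, which the evaluator does not label as Kiss-o'-Death because the stratum condition is bound to the response hook, matching the description's `ntp.stratum:0 at ntp:response_complete` rather than a bare stratum check.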


Related issues (1 open, 0 closed)

Related to Suricata - Feature #8425: ntp: add ntp transaction logging (In Review, Jason Ish)

#1 Updated by Victor Julien 27 days ago

  • Related to Feature #8425: ntp: add ntp transaction logging added

#2 Updated by Jason Ish 22 days ago

  • Assignee set to Jason Ish

#3 Updated by Jason Ish 9 days ago

  • Status changed from New to In Progress

#4 Updated by Jason Ish 7 days ago

  • Status changed from In Progress to In Review
