Project

General

Profile

Actions
Copy link

Bug #8444

open
YD

firewall: accept:flow at app-layer hook bypasses app:td (IDS/IPS) evaluation

Bug #8444: firewall: accept:flow at app-layer hook bypasses app:td (IDS/IPS) evaluation

Added by Yash Datre about 8 hours ago. Updated about 4 hours ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
TBD
Affected Versions:
8.0.4
Effort:
Difficulty:
Label:

Description

When a firewall rule uses accept:flow at an app-layer hook, the IDS/IPS threat detection table ( app:td ) is not evaluated for that flow. IDS rules that would otherwise match the accepted traffic are silently skipped.

Reproduction: A TLS firewall ruleset with accept:flow at tls:client_hello_done and a TD rule matching tls.cert_subject on the server certificate. The TD rule never fires.

Firewall rules:

accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1000;)
accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:established; sid:1001;)
accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:1002;)
accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:1003;)
accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:1004;)
accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:1005;)
accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:1006;)
accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:1007;)
accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:1008;)
accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:1009;)
accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:1010;)
accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:1011;)
accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:1012;)

TD rule:

alert tls any any -> any any (tls.cert_subject; content:"CN=www.google.com"; msg:"TD: server cert seen"; sid:9001;)

Expected: sid:9001 fires (TD evaluates accepted traffic).
Actual: sid:9001 does not fire. Only sid:1003 (the firewall rule) fires.

The pipeline documentation states that after all app-layer states are accepted, the pipeline moves to app:td. With accept:hook at every state, TD rules fire correctly. But accept:flow at any app-layer hook causes the entire app:td evaluation to be skipped for that flow.

Note: accept:tx does not have this issue — TD rules evaluate correctly after accept:tx. The issue is specific to accept:flow (and likely accept:packet) at app-layer hooks.

VJ Updated by Victor Julien about 4 hours ago Actions
Copy link
 #1

I think this works as designed. accept:packet is meant to immediately accept the packet. accept:flow is essentially accept:packet applied to the current and all future packets in this flow.

If it is needed to create something to address this specific case we can look into that, but at least for for TLS the whole session is a tx so accept:tx should work.

Docs should clearly reflect what the scope of the accept is, will look at improving that.

Actions
Copy link

Also available in: PDF Atom