
Bug #8444: firewall: accept:flow at app-layer hook bypasses app:td (IDS/IPS) evaluation

Added by Yash Datre about 8 hours ago. Updated about 4 hours ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Affected Versions: -
Effort: -
Difficulty: -
Label: -

Description

When a firewall rule uses accept:flow at an app-layer hook, the IDS/IPS threat detection table (app:td) is not evaluated for that flow. IDS rules that would otherwise match the accepted traffic are silently skipped.

Reproduction: A TLS firewall ruleset with accept:flow at tls:client_hello_done and a TD rule matching tls.cert_subject on the server certificate. The TD rule never fires.

Firewall rules:

accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1000;)
accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:established; sid:1001;)
accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:1002;)
accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:1003;)
accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:1004;)
accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:1005;)
accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:1006;)
accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:1007;)
accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:1008;)
accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:1009;)
accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:1010;)
accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:1011;)
accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:1012;)

TD rule:

alert tls any any -> any any (tls.cert_subject; content:"CN=www.google.com"; msg:"TD: server cert seen"; sid:9001;)

Expected: sid:9001 fires (TD evaluates accepted traffic).
Actual: sid:9001 does not fire. Only sid:1003 (the firewall rule) fires.

The pipeline documentation states that after all app-layer states are accepted, the pipeline moves to app:td. With accept:hook at every state, TD rules fire correctly. But accept:flow at any app-layer hook causes the entire app:td evaluation to be skipped for that flow.

Note: accept:tx does not have this issue — TD rules evaluate correctly after accept:tx. The issue is specific to accept:flow (and likely accept:packet) at app-layer hooks.
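A small ruleset lint, added here as an example (it is neither Suricata's code nor the reporter's), that flags the condition described above so a firewall ruleset can be checked before deployment. It assumes the rule grammar shown in the report (action, a `proto:state` hook, the header, then options) and treats `ip`, `tcp`, `udp` and `icmp` as the packet-layer protocols; both are assumptions made for the example, not facts taken from the report.

```python
import re

# Constructed ruleset modelled on the one in the report (same sids).
RULES = """\
accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1000;)
accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:established; sid:1001;)
accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:1002;)
accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:1003;)
accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:1004;)
"""

# Assumption: these hook prefixes are packet-layer; any other prefix (tls, http, ...)
# is treated as an app-layer hook.
PACKET_LAYER = {"ip", "tcp", "udp", "icmp"}
# Accept scopes that, per the report, skip app:td when used at an app-layer hook.
BYPASSING_ACTIONS = {"accept:flow", "accept:packet"}

RULE_RE = re.compile(r"^(?P<action>accept:\w+|alert|drop|pass|reject)\s+(?P<hook>[\w-]+:[\w-]+)\s")
SID_RE = re.compile(r"\bsid:(\d+);")


def find_td_bypasses(ruleset: str) -> list[tuple[int, str, str]]:
    """Return (sid, action, hook) for every rule whose accept scope would skip app:td.

    Rules without a proto:state hook (plain alert/drop rules) are ignored; a rule
    with no sid is reported with sid -1.
    """
    findings = []
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        action, hook = m.group("action"), m.group("hook")
        proto = hook.split(":", 1)[0]
        if action in BYPASSING_ACTIONS and proto not in PACKET_LAYER:
            sid_m = SID_RE.search(line)
            findings.append((int(sid_m.group(1)) if sid_m else -1, action, hook))
    return findings


if __name__ == "__main__":
    for sid, action, hook in find_td_bypasses(RULES):
        print(f"sid:{sid}: {action} at app-layer hook {hook} skips app:td for the flow; "
              f"use accept:hook or accept:tx if TD rules must still run")
```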
