Task #8478
openfirewall: reconsider built-in hooks for UDP protocols
Description
Most, if not all, UDP app-layer parsers in Suricata use a simple transaction state machine, where the state value of 1 indicates a tx direction is completed.
In firewall mode, the default 0 state is exposed as "<proto>:request_started" and "<proto>:response_started". However, this is misleading, as the 0 state actually means nothing has been started. It is actually not a reachable state, it seems, as for these protocols having a tx in a direction means the tx is complete in this direction.
So perhaps it is worth reconsidering this and skip the 0 state and simply only expose "<proto>:request_complete", or even a shorthand "<proto>:request".
Needs some thought and discussion, perhaps I'm overlooking some edge cases.
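A small model of the point made in the description, added here as an illustration (it is not Suricata code; the state constants, the parser stand-ins and the way hook names are derived from a direction's state are assumptions made for the example). It contrasts a one-shot UDP parser, which only creates a tx once a whole datagram has been parsed, with a stream parser that creates the tx on the first bytes and completes it later, and checks in which of the two the "<proto>:request_started" hook can ever be observed.

```python
"""Model of a per-direction transaction state machine and the hooks derived from it.

Added illustration, not Suricata's own code: state values, parser stand-ins and
hook-name derivation are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed state convention following the description: 0 = nothing parsed yet in
# this direction, 1 = this direction of the tx is complete.
NOT_STARTED = 0
COMPLETE = 1


@dataclass
class Tx:
    request_state: int = NOT_STARTED
    response_state: int = NOT_STARTED


def hooks_for(proto: str, tx: Tx) -> set[str]:
    """Hook names a tx currently satisfies, using the naming scheme from the
    description: state 0 -> <proto>:<dir>_started, state 1 -> <proto>:<dir>_complete."""
    names = set()
    for direction, state in (("request", tx.request_state),
                             ("response", tx.response_state)):
        suffix = "started" if state == NOT_STARTED else "complete"
        names.add(f"{proto}:{direction}_{suffix}")
    return names


def simulate_udp(datagrams: list[bytes], proto: str = "ntp") -> list[set[str]]:
    """One-shot UDP parser stand-in: a tx only exists after a full request datagram
    was parsed, so it is created with the request direction already COMPLETE."""
    observed = []
    for _datagram in datagrams:
        tx = Tx(request_state=COMPLETE)
        observed.append(hooks_for(proto, tx))
    return observed


def simulate_stream(chunks: list[bytes], request_len: int,
                    proto: str = "dns") -> list[set[str]]:
    """Stream parser stand-in (DNS over TCP): the tx is created on the first bytes
    with state 0 and flips to COMPLETE once request_len bytes have arrived."""
    tx = Tx()
    buffered = b""
    observed = []
    for chunk in chunks:
        buffered += chunk
        if len(buffered) >= request_len:
            tx.request_state = COMPLETE
        observed.append(hooks_for(proto, tx))
    return observed


def started_hook_reachable(observed: list[set[str]], proto: str,
                           direction: str = "request") -> bool:
    """True if <proto>:<direction>_started was satisfied at any point."""
    return any(f"{proto}:{direction}_started" in hooks for hooks in observed)


if __name__ == "__main__":
    # Constructed sample input: one 48-byte datagram, and the same request
    # delivered as two TCP segments.
    udp_hooks = simulate_udp([b"\x23" + b"\x00" * 47])
    tcp_hooks = simulate_stream([b"\x00\x10ab", b"cdefgh"], request_len=10)
    print("UDP request_started reachable:", started_hook_reachable(udp_hooks, "ntp"))
    print("TCP request_started reachable:", started_hook_reachable(tcp_hooks, "dns"))
```

In the model the only way to observe the request-side 0 state is a parser that keeps a tx around while the request is still partial; a parser that creates the tx from a complete datagram never exposes it, which is the case the description argues makes "<proto>:request_started" misleading for UDP.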
Updated by Victor Julien 2 days ago
- Related to Optimization #8468: firewall: summarize warnings for missing hooks added
- Related to Feature #8395: firewall: support SNMP hook states for firewall rule evaluation added
- Related to Feature #8394: firewall: support NTP hook states for firewall rule evaluation added
Updated by Victor Julien 2 days ago
I guess one complexity would be that if we're adding unique behavior for UDP, we'd have to come up with how to handle DNS. For TCP we'd need
dns:request_started - to match on partial data
dns:request_complete - to match complete dns request
While for UDP, just
dns:request_complete?
Updated by Jason Ish about 9 hours ago
Note that NFS can be done over UDP and would be more stateful than NTP, DNS. QUIC as well.
Updated by Victor Julien about 9 hours ago
Yeah, needs more review. Perhaps for the protocols that have the simplest state machines, we just set the <proto>:request_started hook to a default accept:hook action.