Task #8478
openfirewall: reconsider built-in hooks for UDP protocols
Description
Most, if not all, UDP app-layer parsers in Suricata use a simple transaction state machine, where the state value of 1 indicates a tx direction is completed.
In firewall mode, the default 0 state is exposed as "<proto>:request_started" and "<proto>:response_started". However, this is misleading, as the 0 state actually means nothing has been started. It is actually not a reachable state, it seems, as for these protocols having a tx in a direction means the tx is complete in this direction.
So perhaps it is worth reconsidering this and skip the 0 state and simply only expose "<proto>:request_complete", or even a shorthand "<proto>:request".
Needs some thought and discussion, perhaps I'm overlooking some edge cases.
Updated by Victor Julien 2 days ago
- Related to Optimization #8468: firewall: summarize warnings for missing hooks added
- Related to Feature #8395: firewall: support SNMP hook states for firewall rule evaluation added
- Related to Feature #8394: firewall: support NTP hook states for firewall rule evaluation added
Updated by Victor Julien 2 days ago
I guess one complexity would be that if we're adding unique behavior for UDP, we'd have to come up with how to handle DNS. For TCP we'd need
dns:request_started - to match on partial data
dns:request_complete - to match complete dns request
While for UDP, just
dns:request_complete?
Updated by Jason Ish about 10 hours ago
Note that NFS can be done over UDP and would be more stateful than NTP, DNS. QUIC as well.
Updated by Victor Julien about 10 hours ago
Yeah, needs more review. Perhaps for the protocols that have the simplest state machines, we just set the <proto>:request_started hook to a default accept:hook action.
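A toy model of the two transaction state machines the thread contrasts, added here as an illustration and not Suricata code. It assumes only the two progress values the description cites (0 = nothing started, 1 = complete) and the real two-byte length prefix of DNS over TCP; `Tx`, `Flow`, `on_udp_request` and `on_tcp_request_chunk` are constructed names. It shows why a `<proto>:request_started` hook can never fire for a datagram-per-transaction UDP parser, while the TCP variant reaches both hooks.

```python
from dataclasses import dataclass, field

NOT_STARTED, COMPLETE = 0, 1  # the two per-direction progress values


@dataclass
class Tx:
    request_progress: int = NOT_STARTED


@dataclass
class Flow:
    proto: str
    txs: list = field(default_factory=list)
    hooks_fired: list = field(default_factory=list)  # hooks in firing order


def hook_name(proto: str, progress: int) -> str:
    """Name of the to-server hook exposed for a given progress value."""
    return f"{proto}:request_{'started' if progress == NOT_STARTED else 'complete'}"


def on_udp_request(flow: Flow, datagram: bytes) -> None:
    """UDP parser: one datagram is one whole request, so the tx is created
    already complete; progress 0 is never observed by the hook engine."""
    if len(datagram) < 12:  # shorter than a DNS header: no tx at all
        return
    tx = Tx(request_progress=COMPLETE)
    flow.txs.append(tx)
    flow.hooks_fired.append(hook_name(flow.proto, tx.request_progress))


def on_tcp_request_chunk(flow: Flow, chunk: bytes, pending: bytearray) -> None:
    """TCP parser: the first bytes create a tx at progress 0 (partial data,
    matchable via *_started); it becomes complete once the 2-byte
    length-prefixed message has fully arrived."""
    pending.extend(chunk)
    if not flow.txs or flow.txs[-1].request_progress == COMPLETE:
        flow.txs.append(Tx())
        flow.hooks_fired.append(hook_name(flow.proto, NOT_STARTED))
    tx = flow.txs[-1]
    if len(pending) < 2:
        return
    length = int.from_bytes(pending[:2], "big")
    if len(pending) - 2 >= length:
        tx.request_progress = COMPLETE
        flow.hooks_fired.append(hook_name(flow.proto, COMPLETE))
        del pending[: 2 + length]


def reachable_hooks(flow: Flow) -> list:
    """Distinct hooks a rule could ever match on for this flow."""
    return sorted(set(flow.hooks_fired))
```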