Task #8478: firewall: reconsider built-in hooks for UDP protocols

Added by Victor Julien 2 days ago. Updated about 10 hours ago.

Status: New
Priority: Normal
Assignee: -
Target version:
Effort:
Difficulty:
Label:

Description

Most, if not all, UDP app-layer parsers in Suricata use a simple transaction state machine, where the state value of 1 indicates a tx direction is completed.

In firewall mode, the default 0 state is exposed as "<proto>:request_started" and "<proto>:response_started". However, this is misleading, as the 0 state actually means nothing has been started. It is actually not a reachable state, it seems, as for these protocols having a tx in a direction means the tx is complete in that direction.

So perhaps it is worth reconsidering this and skipping the 0 state, and simply only exposing "<proto>:request_complete", or even a shorthand "<proto>:request".

Needs some thought and discussion, perhaps I'm overlooking some edge cases.


Related issues (3 open, 0 closed)

Related to Suricata - Optimization #8468: firewall: summarize warnings for missing hooks (New)
Related to Suricata - Feature #8395: firewall: support SNMP hook states for firewall rule evaluation (Resolved, Philippe Antoine)
Related to Suricata - Feature #8394: firewall: support NTP hook states for firewall rule evaluation (In Review, Jason Ish)