
Task #8491: firewall: support multi hook rules

Added by Victor Julien about 2 months ago. Updated 11 days ago.

Status: Triaged
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Define how multi-hook rules work in firewall mode.

accept:?? http:??? any any -> any any (http.uri; content:"/index.html"; http.user_agent; content:"Mozilla"; sid:1;)

As in the current single hook rules we specify the explicit hook, one question is how to specify the hook or hooks, and what should happen to the hooks in between (if any).

Should also define what actions are supported, like does accept:hook make sense for multi-hook rules.


Related issues 1 (1 open, 0 closed)

Related to Suricata - Feature #8472: firewall: Auto-Accept Prior States syntax for firewall mode intent rules (Resolved, Victor Julien)

Updated by Victor Julien 22 days ago #1

Following the syntax in #8472, here it could look like

accept:flow http1:request_line..request_headers ... http.uri; ... http.user_agent; ...
accept:flow http1:request_line<>request_headers ... http.uri; ... http.user_agent; ...

Every hook would act as accept:hook, except the final match, that would implement the full accept:flow.

Updated by Victor Julien 22 days ago #2

  • Related to Feature #8472: firewall: Auto-Accept Prior States syntax for firewall mode intent rules added

Updated by Juliana Fajardini Reichow 11 days ago #3

  • Status changed from New to Triaged
  • Assignee set to OISF Dev