Bug #8495: firewall: ruleset can skip hook if only later rules are present

Added by Victor Julien 3 days ago. Updated 3 days ago.

Status: In Review
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

https://github.com/OISF/suricata-verify/pull/3032/changes#r3111908842

This should have dropped requests due to no dns:request_started accept rule, but it didn't.

# Test dns.opcode keyword in firewall mode
# dns-eve PCAP: 4 DNS queries (3 dropbox, 1 codemonkey.net), all standard queries (opcode 0)
# Accept all UDP packets
accept:hook udp:all any any -> any any (sid:100;)
# Test dns.opcode: match standard query (opcode 0) and alert
accept:hook dns:request_complete any any -> any any (dns.opcode:0; alert; sid:1;)
# Accept response hooks
accept:hook dns:response_started any any -> any any (sid:201;)
accept:hook dns:response_complete any any -> any any (sid:202;)

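The report's expectation is that in firewall mode every hook in the transaction's sequence needs an explicit accept:hook rule, and a hook that has none falls through to the default drop. The following is an added example, not code from Suricata or from the reporter: a small Python model that parses the ruleset above (embedded as sample input), walks the DNS transaction hooks in an assumed order (dns:request_started, request_complete, response_started, response_complete; the order is an assumption for the model, not taken from Suricata's source) and shows the difference between the intended semantics and the reported behaviour, where a hook with no rules at all is skipped instead of dropping. It only models the app-layer hooks; the udp:all packet hook and the dns.opcode match are assumed to pass, which they do for the queries in the test PCAP. The sid 200 used for the "fixed" ruleset is a made-up identifier.

```python
import re

# Hook order the model assumes for the DNS app layer (an assumption for
# this example, not taken from Suricata's implementation).
DNS_HOOKS = [
    "dns:request_started",
    "dns:request_complete",
    "dns:response_started",
    "dns:response_complete",
]

# Constructed sample input: the ruleset from the bug report, comments stripped.
RULESET = """
accept:hook udp:all any any -> any any (sid:100;)
accept:hook dns:request_complete any any -> any any (dns.opcode:0; alert; sid:1;)
accept:hook dns:response_started any any -> any any (sid:201;)
accept:hook dns:response_complete any any -> any any (sid:202;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+):hook\s+(?P<hook>[\w:]+)\s+.*\(.*sid:(?P<sid>\d+);"
)


def parse_rules(text):
    """Return {hook: [sid, ...]} for every accept:hook rule in the text,
    ignoring blank lines and '#' comments."""
    by_hook = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        if m.group("action") == "accept":
            by_hook.setdefault(m.group("hook"), []).append(int(m.group("sid")))
    return by_hook


def evaluate(by_hook, hooks, skip_empty_hooks):
    """Walk the hooks in order.

    Returns ("accept", None) when every hook was explicitly accepted, or
    ("drop", hook) naming the first hook that has no accept rule.
    skip_empty_hooks=True reproduces the reported bug: a hook with no rules
    at all is not evaluated, so the default drop never applies to it."""
    for hook in hooks:
        if by_hook.get(hook):
            continue              # accept:hook matched; move on to the next hook
        if skip_empty_hooks:
            continue              # bug: hook has no rules, so it is skipped
        return ("drop", hook)     # intended: no explicit accept means default drop
    return ("accept", None)


def expected_verdict():
    """Intended firewall semantics applied to the report's ruleset."""
    return evaluate(parse_rules(RULESET), DNS_HOOKS, skip_empty_hooks=False)


def buggy_verdict():
    """The reported behaviour: request_started has no rules and is skipped."""
    return evaluate(parse_rules(RULESET), DNS_HOOKS, skip_empty_hooks=True)


def fixed_ruleset_verdict():
    """With an explicit request_started accept (sid 200 is made up), the
    request legitimately passes every hook under the intended semantics."""
    fixed = RULESET + "accept:hook dns:request_started any any -> any any (sid:200;)\n"
    return evaluate(parse_rules(fixed), DNS_HOOKS, skip_empty_hooks=False)


if __name__ == "__main__":
    print("intended semantics:", expected_verdict())
    print("reported behaviour:", buggy_verdict())
    print("with request_started accept added:", fixed_ruleset_verdict())
```

Under the intended semantics the model drops at dns:request_started, which is the outcome the report says the test should have produced; with the skip-empty-hook behaviour the same ruleset accepts the request, matching what was observed. The point for a ruleset author is that the drop at an unaccepted hook is the safety net of firewall mode, and a hook that is silently skipped turns a missing accept into an implicit one.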

Subtasks (1 open, 0 closed)

Bug #8496: firewall: ruleset can skip hook if only later rules are present (8.0.x backport). Assigned to Victor Julien.