Feature #8714

open

firewall: clamp protocol to flow

Added by Victor Julien 1 day ago. Updated about 22 hours ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

The idea here is that some rulesets will want to force a protocol on a flow, and do not want to wait for the full protocol detection to complete. The protocol detection can take a minimum of input bytes to come to a final judgement, and this can leave a (small) window for packets to pass while the flow's alproto remains "unknown".

Something like:

accept:hook tcp:all ... 443 (app-layer-protocol:unknown,tls,*clamp*; ..

This would then have to force the protocol detection of just that protocol on that flow, or alternatively, just assume the flow and call the parser? @Philippe Antoine any ideas on what a good mechanism would be?

#1 Updated by Lukas Sismis about 22 hours ago

  • Status changed from New to Feedback
  • Assignee set to OISF Dev
  • Target version changed from TBD to 9.0.0-beta1