Feature #8714
open
firewall: clamp protocol to flow
Description
The idea here is that some rulesets will want to force a protocol on a flow, and do not want to wait for the full protocol detection to complete. The protocol detection can take a minimum of input bytes to come to a final judgement, and this can leave a (small) window for packets to pass while the flow's alproto remains "unknown".
Something like:
accept:hook tcp:all ... 443 (app-layer-protocol:unknown,tls,*clamp*; ..
This would then have to force the protocol detection of just that protocol on that flow, or alternatively, just assume the flow and call the parser? @Philippe Antoine any ideas on what a good mechanism would be?
Updated by Lukas Sismis about 24 hours ago
- Status changed from New to Feedback
- Assignee set to OISF Dev
- Target version changed from TBD to 9.0.0-beta1