Bug #8698

Updated by Victor Julien 2 days ago

When non-sequential transactions are used (e.g. in http/2) the "apply to packet" logic fails in certain conditions. In the detection engine there is a lot of logic that hangs off the idea of a transaction being the last transaction. If this is the case accept:hook or accept:tx will also be applied to the packet. However in these non-sequential tx spaces, we might have a later tx that is not "updated", so it is skipped for inspection. This also means that the "last tx" logic is not triggered.

Can think of several possible solutions:
# when determining if a tx "is_last" we can scan the list for inactive txs. This would be a linear scan though, so not ideal
# instead of trying to determine per tx if actions should be applied to the packet, delay this determination until the last tx has been processed. More intrusive change but avoids the linear scan
# still process (somewhat) each inactive (so non-updated) tx. It would then do just enough for that tx to apply accept:hook/accept:tx to the packet.
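
A small model of the failure and of solutions 1 and 2 above, added here as an illustration; it is not Suricata's code and the `Tx` struct, the `updated`/`accept_matched` flags and the three `apply_to_packet_*` functions are assumptions standing in for the detection engine's per-tx bookkeeping. The constructed sample has an updated tx on which accept:tx matched, followed by a later, inactive tx in the non-sequential id space, which is exactly the case where the current "last tx" check never runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a flow's tx list (not Suricata's own types).
 * Ids need not be sequential (HTTP/2). "updated" marks a tx the current
 * packet touched; "accept_matched" marks a tx on which an accept:tx or
 * accept:hook rule fired during inspection. */
typedef struct {
    uint64_t id;
    bool updated;
    bool accept_matched;
} Tx;

/* Current behaviour as the report describes it: inactive (non-updated)
 * txs are skipped, and a tx counts as "last" only when it is the final
 * list entry. If the final entry is inactive, is_last is never true for
 * the tx that matched, so the accept is not applied to the packet.
 * Returns true when the packet would receive the accept action. */
bool apply_to_packet_current(const Tx *txs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!txs[i].updated)
            continue;                       /* skipped for inspection */
        bool is_last = (i == n - 1);
        if (txs[i].accept_matched && is_last)
            return true;
    }
    return false;
}

/* Solution 1: when deciding is_last, scan the remainder of the list and
 * treat the tx as last if no later tx is still active. Correct, but a
 * linear scan per inspected tx. */
bool apply_to_packet_scan(const Tx *txs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!txs[i].updated)
            continue;
        bool is_last = true;
        for (size_t j = i + 1; j < n; j++) {
            if (txs[j].updated) {
                is_last = false;
                break;
            }
        }
        if (txs[i].accept_matched && is_last)
            return true;
    }
    return false;
}

/* Solution 2: do not decide per tx. Remember the verdict of the most
 * recently inspected tx and apply it after the loop; the last inspected
 * tx is by construction the last active one, with no extra scan. */
bool apply_to_packet_deferred(const Tx *txs, size_t n) {
    bool last_inspected_accept = false;
    for (size_t i = 0; i < n; i++) {
        if (!txs[i].updated)
            continue;
        last_inspected_accept = txs[i].accept_matched;
    }
    return last_inspected_accept;
}

/* Constructed samples (not captured traffic). */
static const Tx SAMPLE_INACTIVE_TAIL[] = {  /* the reported failure */
    { 1, true,  true  },
    { 3, false, false },
};
static const Tx SAMPLE_SEQUENTIAL[] = {     /* matching tx really is last */
    { 1, true,  true  },
};
static const Tx SAMPLE_ACTIVE_TAIL[] = {    /* later tx still needs inspection */
    { 1, true,  true  },
    { 3, true,  false },
};

int main(void) {
    printf("inactive tail: current=%d scan=%d deferred=%d\n",
           apply_to_packet_current(SAMPLE_INACTIVE_TAIL, 2),
           apply_to_packet_scan(SAMPLE_INACTIVE_TAIL, 2),
           apply_to_packet_deferred(SAMPLE_INACTIVE_TAIL, 2));
    return 0;
}
```

For the inactive-tail sample the current logic returns false (the accept never reaches the packet) while both alternatives return true; for the sequential and active-tail samples all three agree, so the alternatives change only the case the report describes.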
