Project

General

Profile

Actions
Copy link

Bug #75

closed

Drop verdict should override alert verdict in inline mode.

Added by Will Metcalf almost 15 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
0.8.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

If a packet matches on more than one rule the last verdict parsed is the verdict that is set. For example with this request.

http://www.google.com/applesoranges

I get the following two alerts.

01/28/10-03:44:00.772119 [**] [1:2000:0] apples [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:40674 -> 74.125.95.147:80
01/28/10-03:44:00.772119 [**] [1:2001:0] oranges [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:40674 -> 74.125.95.147:80

If the following rules are loaded in this order then no packets are dropped.

drop tcp any any -> any any (msg:"apples"; uricontent:"apples"; sid:2000;)
alert tcp any any -> any any (msg:"oranges"; uricontent:"oranges"; sid:2001;)

If rules are loaded in this order

alert tcp any any -> any any (msg:"oranges"; uricontent:"oranges"; sid:2001;)
drop tcp any any -> any any (msg:"apples"; uricontent:"apples"; sid:2000;)

The packet is indeed dropped. The default mode of operation should be that drop/reject/sdrop overrides alert. Perhaps we can add an option to make this order user configurable.

Files

Download all files
0001-Changing-the-veredict-actions-to-flags-to-allow-simu.patch (7.71 KB) 0001-Changing-the-veredict-actions-to-flags-to-allow-simu.patch Adapting to bit level flags instead of enums. Pablo Rincon, 02/05/2010 04:20 PM
0002-Adapting-ipfw-to-use-cations-as-flags-not-as-enums.patch (1.32 KB) 0002-Adapting-ipfw-to-use-cations-as-flags-not-as-enums.patch Adding patch for the next ipfw support (if apply) Pablo Rincon, 02/05/2010 04:21 PM
Actions
Copy link

Also available in: Atom PDF