exception: in ids mode, only REJECT the packet - v1 #8970
Conversation
Codecov Report

@@            Coverage Diff             @@
##           master    #8970      +/-   ##
==========================================
- Coverage   82.42%   82.41%   -0.01%
==========================================
  Files         969      969
  Lines      273476   273478       +2
==========================================
- Hits       225410   225392      -18
- Misses      48066    48086      +20

Flags with carried forward coverage won't be shown.
Information: QA ran without warnings. Pipeline 14247
"reject-flow" would depend on https://redmine.openinfosecfoundation.org/issues/960 We don't have this.
I think the code looks good, but the commit message needs to be fearless :)
In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior regardless of being in IDS or IPS mode. This meant that (at least) the 'flow.action' was changed to drop when we hit an exception policy in IDS mode. Bug OISF#6109
😅 roger that.
oh! (best part is that I am subscribed to that ticket, and had no recollection of that >__<')
Does this one work? eb69e10
Information: ERROR: QA failed on SURI_TLPW1_files_sha256.
Pipeline 14293
WARNING:
Pipeline 14320
Merged in #8994, thanks!
In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior regardless of being in IDS or IPS mode.
This meant that at least the 'flow.action' was changed to drop when we hit an exception policy in IDS mode. This minor fix makes the SV test pass, but I'm afraid the bug can mean more than that.
Bug #6109
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6109
Describe changes:
This fixes the 6109 test, but... is that enough?
I'm not confident about how REJECT works as a whole, so I feel this might not be enough to ensure that we'll still reject things properly. Also not sure if this would be the right approach in cases where we should reject the flow in IDS mode.
Makes me wonder if we should have REJECT for flow or packet, like we have for DROP and PASS.
OISF/suricata-verify#1229
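The behaviour reported in the description above, as an added illustration rather than Suricata's own code: a constructed model where REJECT is applied to a packet and its flow once without and once with an IDS/IPS mode check. The type and function names and the switch/fall-through layout are assumptions made for the example.

```c
/* Constructed model (not Suricata's code) of applying an exception policy to a
 * packet and its flow; names and the switch/fall-through layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>

enum policy { EP_IGNORE, EP_DROP_PACKET, EP_DROP_FLOW, EP_REJECT };
#define PKT_DROP   0x01u
#define PKT_REJECT 0x02u
#define FLOW_DROP  0x10u   /* models flow.action being set to drop */
typedef struct { uint8_t action; } pkt_t;
typedef struct { uint32_t flags; } flow_t;

/* Behaviour the PR reports: REJECT always continued into the drop-flow
 * handling, so the flow was marked drop even when running as an IDS. */
static void apply_before_fix(pkt_t *p, flow_t *f, enum policy pol)
{
    switch (pol) {
    case EP_REJECT:      p->action |= PKT_REJECT;  /* fall through */
    case EP_DROP_FLOW:   f->flags  |= FLOW_DROP;   /* fall through */
    case EP_DROP_PACKET: p->action |= PKT_DROP;    break;
    default:             break;
    }
}

/* After the fix: in IDS mode REJECT only marks the packet; the flow is
 * dropped only when the engine runs inline (IPS mode). */
static void apply_after_fix(pkt_t *p, flow_t *f, enum policy pol, bool ips)
{
    switch (pol) {
    case EP_REJECT:
        p->action |= PKT_REJECT;
        if (!ips)
            break;           /* IDS: reject the packet, leave the flow alone */
        /* fall through */
    case EP_DROP_FLOW:   f->flags  |= FLOW_DROP;   /* fall through */
    case EP_DROP_PACKET: p->action |= PKT_DROP;    break;
    default:             break;
    }
}

/* True when REJECT marked the packet but left the flow's action untouched. */
bool reject_keeps_flow(bool fixed, bool ips)
{
    pkt_t p = { 0 };
    flow_t f = { 0 };
    if (fixed) apply_after_fix(&p, &f, EP_REJECT, ips);
    else       apply_before_fix(&p, &f, EP_REJECT);
    return (p.action & PKT_REJECT) && !(f.flags & FLOW_DROP);
}
```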