firewall: apply action again for stateful matches

For "stateful rules", don't drop packets after the initial match as long as the tx state doesn't change. An example of how this could happen was: accept:hook ssh:request_started any any -> any any (alert; sid:2000;) accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;) accept:hook ssh:request_banner_done any any -> any any ( \ ssh.software; content:"OpenSSH_8.2p1"; alert; sid:2002;) As the ssh session reached the request_banner_done state, it would remain in this state. So additional packets would again review the rules for this state. The rule 2002 is stored in the tx state as fully matched, and would be skipped for the additional packets. This meant that the `accept:hook` action was not applied and the default drop policy was triggered. This is addressed by updating the stateful logic: If an accept rule has the DE_STATE_FLAG_FULL_INSPECT flag set, and the tx progress is not progressed beyond the rule, apply the rule accept acction.
7 months ago · 6ee32cba3b
parent b1f955ef5a
commit 6ee32cba3b
1 changed files with 23 additions and 2 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -1867,8 +1867,29 @@ static void DetectRunTx(ThreadVars *tv,
                    tx.tx_ptr, tx.tx_id, s->id, s->num, inspect_flags ? *inspect_flags : 0);

            if (inspect_flags) {
-                if (*inspect_flags & (DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_SIG_CANT_MATCH)) {
-                    SCLogDebug("%p/%"PRIu64" inspecting: sid %u (%u), flags %08x ALREADY COMPLETE",
+                if (*inspect_flags & DE_STATE_FLAG_FULL_INSPECT) {
+                    SCLogDebug("%p/%" PRIu64
+                               " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_FULL_INSPECT",
+                            tx.tx_ptr, tx.tx_id, s->id, s->num, *inspect_flags);
+
+                    /* if we're still in the same progress state as an earlier full
+                     * match, we need to apply the same accept */
+                    if (have_fw_rules && (s->flags & SIG_FLAG_FIREWALL) &&
+                            (s->action & ACTION_ACCEPT) && s->app_progress_hook == tx.tx_progress) {
+                        const bool fw_accept_to_packet = ApplyAcceptToPacket(total_txs, &tx, s);
+                        break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state,
+                                fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook,
+                                &skip_before_progress);
+                        if (fw_accept_to_packet)
+                            DetectRunAppendDefaultAccept(det_ctx, p);
+                        if (break_out_of_app_filter)
+                            break;
+                    }
+                    continue;
+                }
+                if (*inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+                    SCLogDebug("%p/%" PRIu64
+                               " inspecting: sid %u (%u), flags %08x DE_STATE_FLAG_SIG_CANT_MATCH",
                            tx.tx_ptr, tx.tx_id, s->id, s->num, *inspect_flags);
                    continue;
                }