Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

exception policies batch backports - v3 #9279

Closed
wants to merge 15 commits into from
Closed

exception policies batch backports - v3 #9279

wants to merge 15 commits into from

Conversation

jufajardini
Copy link
Contributor

Previous PR: #9167

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6035
https://redmine.openinfosecfoundation.org/issues/5935
https://redmine.openinfosecfoundation.org/issues/6149 (backport ticket not created)
https://redmine.openinfosecfoundation.org/issues/6169 (backport ticket not created)

Describe changes from previous PR:

  • adjust default behavior for 6 to ignore, instead of fail close

SV_BRANCH=pr/1322
OISF/suricata-verify#1322

jufajardini and others added 15 commits July 24, 2023 09:48
@jufajardini
exceptions: add master switch config option
4df3332 
This allows all traffic Exception Policies to be set from one
configuration point. All exception policy options are available in IPS
mode. Bypass, pass and auto (disabled) are also available in iDS mode

Exception Policies set up individually will overwrite this setup for the
given traffic exception.

Task OISF#5219

(cherry picked from commit 0d92890)
@jufajardini
exception: in ids mode, only REJECT the packet
d5ca63e 
In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior
regardless of being in IDS or IPS mode.
This meant that (at least) the 'flow.action' was changed to drop when we
hit an exception policy in IDS mode.

Bug OISF#6109

(cherry picked from commit 8f324e3)
@jufajardini
defrag: clean up existing stats counters
accebc1 
7a044a9 removed the lines that incremented these defrag
counters, but kept the entities themselves. This commit removes counters
that we judge too complex to maintain, given the current state of the
code, and re-adds incrementing max_hit (memcap related).

Related to
Task OISF#5816

(cherry picked from commit a37a88d)
@jufajardini
misc: fix typos, doc, update copyright years
ca14175 
Updated FlowGetNew documentation, where it said NULL was only returned
in case of error.

(cherry picked from commit f511a4a)
@jufajardini
doc: add midstream scenarios for exception policy
97613ab 
The different interactions between midstream pick-up sessions and the
exception policy can be quite difficult to visualize. Add a section for
that in the userguide.

Related to
Bug OISF#5825

(cherry picked from commit 0c2922f)
@jufajardini
userguide: update exception policy behaviors table
fb34e7c 
Some exception policies can only be applied to the triggering packet or
only make sense considering the whole flow. Highlight such cases in the
table showing each exception policy.

Related to
Bug OISF#5825

(cherry picked from commit c0db25d)
@jufajardini
exception: refactor exception policy parse fn
720dcc0 
Split up ExceptionPolicyParse to try to improve readability.

Related to
Bug OISF#5825

(cherry picked from commit bf22129)
@jufajardini
exception/midstream: parse midstream policy alone
8b631ee 
As the midstream exception policy has its own specific scenarios, have a
dedicated function to parse and process its config values, and check for
midstream enabled when needed.

Related to
Bug OISF#5825

(cherry picked from commit f97af0c)
@jufajardini
exception: parse config values, don't post process
e39a96b 
Get the enum values from the config file. Update the new extracted
functions. Post-process the config values based on runmode and policy.
Also handle 'auto' enum value in these.

Related to
Bug OISF#5825

(cherry picked from commit 7f8536b)
@jufajardini
exception: use mix of logconfig/info/warning
ff85374 
Use a mix of SCLogConfig, Warning and Info.
This mix works as follows: when something unnexpected for the user
happens - for instance, the engine ignoring an invalid config value, we
use warning. For indicating the value for the master switch, which
happens only once, we use Info. For all the other cases, we use
SCLogConfig.

It is possible that SCLogConfig isn't showing at the moment, this is a
possible bug to investigate further.

Related to
Bug OISF#5825

(cherry picked from commit 69311ab)
@jufajardini
exception: extract 'auto' check to function
7f76b48 
Part of
Bug OISF#5825

(cherry picked from commit e849afb)
@jufajardini
stream/tcp: re-enable midstream-policy usage
d995309 
We were always setting it to ignore, due to bug 5825.

The engine will now issue an initialization error if an invalid value
is passed in the configuration file for midstream exception policy.

'pass-packet' or 'drop-packet' are never valid, as the midstream policy
concerns the whole flow, not making sense for just a packet.

If midstream is enabled, only two actual config values are allowed:
'ignore' and 'pass-flow', both in IDS and in IPS mode. In default mode
('auto' or if no policy is defined), midstream-policy is set to
'ignore'. All other values will lead to initialization error.

In IDS mode, 'drop-flow' will also lead to initialization error.

Part of
Bug OISF#5825

(cherry picked from commit 69d3750)
@victorjulien @jufajardini
exception/policy: minor code cleanup
5f969d6 
(cherry picked from commit 479fa60)
@jufajardini
exception: fix 'auto' for master switch in IDS
f5110e9 
If the master exception policy was set to 'auto' in IDS mode, instead of
just setting the master switch to the default in this case, which is
'ignore', the engine would switch a warning saying that auto wasn't a
valid config and then set the policy to ignore.

This makes 'auto' work for the master switch in IDS, removes function
for setting IPS option and handles the valid IDS options directly from
the function that parses the master policy, as this was the only place
where the function was still called.

Bug OISF#6149

(cherry picked from commit feb47f9)
@jufajardini
exception: fix use of master switch with default
53de0e5 
If an exception policy wasn't set up individually, use the GetDefault
function to pick one. This will check for the master switch option and
handle 'auto' cases.

Instead of deciding what the auto value should be when we are parsing
the master switch, leave that for when some of the other policies is to
be set via the master switch, when since this can change for specific
exception policies - like for midstream, for instance.

Update exceptions policies documentation to clarify that the default
configuration in IPS when midstream is enabled is `ignore`, not
`drop-flow`.

Bug OISF#6169

(cherry picked from commit e306bc6)
@jufajardini jufajardini requested review from norg and a team as code owners July 24, 2023 12:57
This was referenced Jul 24, 2023
Closed
Closed
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 15376

This was referenced Jul 28, 2023
Closed
Merged
@victorjulien
Copy link
Member

Merged in #9304, thanks!

@jufajardini jufajardini deleted the eps-backports-batch/v3.1 branch August 2, 2023 14:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien approved these changes

@norg norg Awaiting requested review from norg norg is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jufajardini @suricata-qa @victorjulien