
exception policies batch backports - v3 #9279

Closed

Commits on Jul 24, 2023

  1. exceptions: add master switch config option

    This allows all traffic Exception Policies to be set from one
    configuration point. All exception policy options are available in IPS
    mode. Bypass, pass and auto (disabled) are also available in IDS mode.
    
    Exception Policies set up individually will overwrite this setup for the
    given traffic exception.
    
    Task OISF#5219
    
    (cherry picked from commit 0d92890)
    jufajardini committed Jul 24, 2023 (commit 4df3332)
  2. exception: in ids mode, only REJECT the packet

    In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior
    regardless of being in IDS or IPS mode.
    This meant that (at least) the 'flow.action' was changed to drop when we
    hit an exception policy in IDS mode.
    
    Bug OISF#6109
    
    (cherry picked from commit 8f324e3)
    jufajardini committed Jul 24, 2023 (commit d5ca63e)
  3. defrag: clean up existing stats counters

    7a044a9 removed the lines that incremented these defrag
    counters, but kept the entities themselves. This commit removes counters
    that we judge too complex to maintain, given the current state of the
    code, and re-adds incrementing max_hit (memcap related).
    
    Related to
    Task OISF#5816
    
    (cherry picked from commit a37a88d)
    jufajardini committed Jul 24, 2023 (commit accebc1)
  4. misc: fix typos, doc, update copyright years

    Updated FlowGetNew documentation, where it said NULL was only returned
    in case of error.
    
    (cherry picked from commit f511a4a)
    jufajardini committed Jul 24, 2023 (commit ca14175)
  5. doc: add midstream scenarios for exception policy

    The different interactions between midstream pick-up sessions and the
    exception policy can be quite difficult to visualize. Add a section for
    that in the userguide.
    
    Related to
    Bug OISF#5825
    
    (cherry picked from commit 0c2922f)
    jufajardini committed Jul 24, 2023 (commit 97613ab)
  6. userguide: update exception policy behaviors table

    Some exception policies can only be applied to the triggering packet or
    only make sense considering the whole flow. Highlight such cases in the
    table showing each exception policy.
    
    Related to
    Bug OISF#5825
    
    (cherry picked from commit c0db25d)
    jufajardini committed Jul 24, 2023 (commit fb34e7c)
  7. exception: refactor exception policy parse fn

    Split up ExceptionPolicyParse to try to improve readability.
    
    Related to
    Bug OISF#5825
    
    (cherry picked from commit bf22129)
    jufajardini committed Jul 24, 2023 (commit 720dcc0)
  8. exception/midstream: parse midstream policy alone

    As the midstream exception policy has its own specific scenarios, have a
    dedicated function to parse and process its config values, and check for
    midstream enabled when needed.
    
    Related to
    Bug OISF#5825
    
    (cherry picked from commit f97af0c)
    jufajardini committed Jul 24, 2023 (commit 8b631ee)
  9. exception: parse config values, don't post process

    Get the enum values from the config file. Update the new extracted
    functions. Post-process the config values based on runmode and policy.
    Also handle 'auto' enum value in these.
    
    Related to
    Bug OISF#5825
    
    (cherry picked from commit 7f8536b)
    jufajardini committed Jul 24, 2023 (commit e39a96b)
  10. exception: use mix of logconfig/info/warning

    Use a mix of SCLogConfig, Warning and Info.
    This mix works as follows: when something unexpected for the user
    happens - for instance, the engine ignoring an invalid config value - we
    use warning. For indicating the value for the master switch, which
    happens only once, we use Info. For all the other cases, we use
    SCLogConfig.
    
    It is possible that SCLogConfig isn't showing at the moment; this is a
    possible bug to investigate further.
    
    Related to
    Bug OISF#5825
    
    (cherry picked from commit 69311ab)
    jufajardini committed Jul 24, 2023 (commit ff85374)
  11. exception: extract 'auto' check to function

    Part of
    Bug OISF#5825
    
    (cherry picked from commit e849afb)
    jufajardini committed Jul 24, 2023 (commit 7f76b48)
  12. stream/tcp: re-enable midstream-policy usage

    We were always setting it to ignore, due to bug 5825.
    
    The engine will now issue an initialization error if an invalid value
    is passed in the configuration file for midstream exception policy.
    
    'pass-packet' or 'drop-packet' are never valid, as the midstream policy
    concerns the whole flow, not making sense for just a packet.
    
    If midstream is enabled, only two actual config values are allowed:
    'ignore' and 'pass-flow', both in IDS and in IPS mode. In default mode
    ('auto' or if no policy is defined), midstream-policy is set to
    'ignore'. All other values will lead to initialization error.
    
    In IDS mode, 'drop-flow' will also lead to initialization error.
    
    Part of
    Bug OISF#5825
    
    (cherry picked from commit 69d3750)
    jufajardini committed Jul 24, 2023 (commit d995309)
  13. exception/policy: minor code cleanup

    (cherry picked from commit 479fa60)
    victorjulien authored and jufajardini committed Jul 24, 2023 (commit 5f969d6)
  14. exception: fix 'auto' for master switch in IDS

    If the master exception policy was set to 'auto' in IDS mode, instead of
    just setting the master switch to the default in this case, which is
    'ignore', the engine would issue a warning saying that auto wasn't a
    valid config and then set the policy to ignore.
    
    This makes 'auto' work for the master switch in IDS, removes function
    for setting IPS option and handles the valid IDS options directly from
    the function that parses the master policy, as this was the only place
    where the function was still called.
    
    Bug OISF#6149
    
    (cherry picked from commit feb47f9)
    jufajardini committed Jul 24, 2023 (commit f5110e9)
  15. exception: fix use of master switch with default

    If an exception policy wasn't set up individually, use the GetDefault
    function to pick one. This will check for the master switch option and
    handle 'auto' cases.
    
    Instead of deciding what the auto value should be when we are parsing
    the master switch, leave that for when one of the other policies is to
    be set via the master switch, since this can change for specific
    exception policies - like for midstream, for instance.
    
    Update exception policies documentation to clarify that the default
    configuration in IPS when midstream is enabled is `ignore`, not
    `drop-flow`.
    
    Bug OISF#6169
    
    (cherry picked from commit e306bc6)
    jufajardini committed Jul 24, 2023 (commit 53de0e5)
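The validation rules for the midstream exception policy are spread over commits 12, 14 and 15 above (packet-scoped values never valid, only `ignore` and `pass-flow` accepted while midstream is enabled, `drop-flow` rejected in IDS mode, `auto` and an unset policy falling through the master switch to the midstream default `ignore`). The following is an added example that models those rules as a small config resolver; it is example code written for this page, not Suricata's own implementation. The dict keys `exception-policy`, `stream.midstream` and `stream.midstream-policy`, the `ConfigError` class and the behaviour for values other than `drop-flow` when midstream is disabled are assumptions made for the illustration.

```python
"""Illustrative model of the midstream exception-policy validation described
in the commit messages above. Example code for this page, not Suricata's
implementation; config key names and the ConfigError type are assumptions."""

# Every policy keyword the commit messages mention.
KNOWN_POLICIES = {"auto", "ignore", "pass-packet", "pass-flow",
                  "drop-packet", "drop-flow", "bypass", "reject"}

# Midstream concerns the whole flow, so packet-scoped policies never apply.
PACKET_SCOPED = {"pass-packet", "drop-packet"}

# With midstream enabled, these are the only two accepted explicit values.
MIDSTREAM_ALLOWED = {"ignore", "pass-flow"}

# Default reached through 'auto' or an unset policy: 'ignore', not
# 'drop-flow', even in IPS mode (commit 15).
MIDSTREAM_DEFAULT = "ignore"


class ConfigError(ValueError):
    """Stands in for the engine's initialization error (assumed name)."""


def resolve_midstream_policy(cfg: dict, ips_mode: bool) -> str:
    """Return the effective midstream policy for `cfg`, or raise ConfigError.

    `cfg` mirrors a minimal suricata.yaml as a dict (assumed key names):
      cfg["exception-policy"]             master switch (commit 1)
      cfg["stream"]["midstream"]          midstream pick-up enabled?
      cfg["stream"]["midstream-policy"]   per-policy override (commit 12)
    """
    stream = cfg.get("stream", {})
    midstream_enabled = bool(stream.get("midstream", False))
    value = stream.get("midstream-policy")

    if value is None:
        # Commit 15: not set individually, so fall back to the master switch;
        # an absent master switch is treated like 'auto' here.
        value = cfg.get("exception-policy", "auto")

    if value not in KNOWN_POLICIES:
        raise ConfigError(f"midstream-policy: unknown value '{value}'")

    if value in PACKET_SCOPED:
        # Commit 12: never valid, regardless of mode or midstream setting.
        raise ConfigError(f"midstream-policy: '{value}' cannot apply to a flow")

    if value == "auto":
        # Commit 15: 'auto' is decided per policy; for midstream it is 'ignore'.
        return MIDSTREAM_DEFAULT

    if midstream_enabled:
        if value in MIDSTREAM_ALLOWED:
            return value
        raise ConfigError(
            f"midstream-policy: '{value}' not allowed with midstream enabled")

    if value == "drop-flow" and not ips_mode:
        # Commit 12: dropping a flow is only meaningful inline.
        raise ConfigError("midstream-policy: 'drop-flow' requires IPS mode")

    # Assumption: with midstream disabled the commits state no further
    # restriction, so any remaining known value is kept as configured.
    return value


def outcome(cfg: dict, ips_mode: bool) -> str:
    """Flatten the result into 'ok:<policy>' or 'error:<message>' so a batch
    of scenarios can be compared side by side."""
    try:
        return "ok:" + resolve_midstream_policy(cfg, ips_mode)
    except ConfigError as exc:
        return "error:" + str(exc)


# Constructed scenarios, one per rule from the commit messages.
SCENARIOS = [
    ("IPS, midstream on, explicit pass-flow",
     {"stream": {"midstream": True, "midstream-policy": "pass-flow"}}, True),
    ("IPS, midstream on, master switch auto",
     {"exception-policy": "auto", "stream": {"midstream": True}}, True),
    ("IPS, midstream on, drop-flow",
     {"stream": {"midstream": True, "midstream-policy": "drop-flow"}}, True),
    ("IDS, midstream off, drop-flow",
     {"stream": {"midstream": False, "midstream-policy": "drop-flow"}}, False),
    ("IDS, midstream on, drop-packet",
     {"stream": {"midstream": True, "midstream-policy": "drop-packet"}}, False),
]

if __name__ == "__main__":
    for name, cfg, ips in SCENARIOS:
        print(f"{name:45s} -> {outcome(cfg, ips)}")
```

Running the block prints one line per scenario; the two `drop-flow` cases show the asymmetry the commits describe: rejected with midstream enabled (any mode) and in IDS mode, accepted only inline with midstream disabled.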