I couldn’t find an explanation myself.
For the following rules:
drop ssh $home_net any -> $external_net 22 (sid: 600;)
pass tcp $home_net any <> any 22 (flow: not_established; sid: 700;)
drop ip any any <> any any (sid: 100;)
I would not be able to ssh into $external_net.
But for the following rules:
pass tcp $home_net any <> any 22 (flow: not_established; sid: 700;)
drop ip any any <> any any (sid: 100;)
I would be able to ssh into $external_net.
Again, for the following rules:
drop ssh $home_net any -> $external_net 22 (sid: 600;)
pass tcp $home_net any <> any 22 (flow: not_established; sid: 700;)
pass ip any any <> any any (sid: 100;)
I would be able to ssh into $external_net.
I was told Suricata always evaluates pass rules first.
Initially, what I am thinking is that we need to allow the initial TCP traffic for the handshake; once Suricata detects that the traffic is ssh, it would take the more specific rules and ignore the less specific rules, which is why in the first example above it drops ssh traffic to $external_net. For the second example, the traffic goes through because there aren't more specific rules, so it is allowed, as ssh traffic technically is also TCP port 22 traffic. But how do I explain the third example now? IP is less specific than TCP and SSH traffic, so why can the traffic go through?