ICMP issue with non-default action order

It appears there may be an issue with the handling of ICMP flows when a non-standard action order is in use. Repro:

Runmode: af-packet
action-order: Drop, Pass, Reject, Alert

Rules:

drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)
pass ip any any -> any any (msg:"Pass IP"; sid:1004;)
pass tcp any any -> any 22 (sid:1;)

If I run a ping to 8.8.8.8 the first packet is dropped, but the subsequent packets are allowed through.

drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)

Can you add a qualification to the rule and report what happens?

E.g., this adds icode

drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; icode:>0; sid:10002;)

Hey Jeff, thank you for the reply.

We still see the same behavior with the icode condition as you suggested.

drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; icode:>0; sid:10002;)
pass icmp any any -> any any (msg:"Pass any"; sid:10004;)
action-order:
  - drop
  - pass
  - reject
  - alert

Continuing our investigation.

Adding a flow condition to the pass icmp rule makes it behave. Both types of rules below work as expected.

drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)
pass icmp any any -> any any (msg:"Pass any"; flow:not_established; sid:10004;)

drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)
pass icmp any any -> any any (msg:"Pass any"; flow:established; sid:10004;)

flow:to_server and flow:to_client conditions make it work as expected, too.

Continuing investigation.
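As an added example (not code from this thread and not Suricata's own matching engine), here is a small Python model of two things the thread turns on: how a configured action-order selects the per-packet verdict when several rules match, and a lint for the pattern reported above, namely a pass rule that overlaps a drop rule and carries no flow: keyword while drop is ordered ahead of pass. Rule matching is deliberately simplified (literal addresses and ports, no variables, CIDR, lists or negation), and the function names, the Rule class and the packet dict layout are assumptions of this example, not Suricata API.

```python
"""Toy model of Suricata action-order precedence plus a drop/pass overlap lint.

Added example, not Suricata code. Rule matching is a hypothetical
simplification: only 'any' and exact literals for addresses and ports.
"""
import re
from dataclasses import dataclass

DEFAULT_ORDER = ("pass", "drop", "reject", "alert")   # Suricata's default order
THREAD_ORDER = ("drop", "pass", "reject", "alert")    # the order used in this thread

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict  # keyword -> value ("" for bare keywords)


def parse_rule(line):
    """Parse one rule line into a Rule; option values lose surrounding quotes."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    opts = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"], opts)


def _field_matches(pattern, value):
    # 'any' matches everything, including a missing port (ICMP has none).
    return pattern == "any" or pattern == value


def packet_matches(rule, pkt):
    """Does this rule's header match the packet? 'ip' rules match every protocol."""
    proto_ok = rule.proto == "ip" or rule.proto == pkt["proto"]
    return (proto_ok
            and _field_matches(rule.src, pkt["src"]) and _field_matches(rule.dst, pkt["dst"])
            and _field_matches(rule.sport, pkt["sport"]) and _field_matches(rule.dport, pkt["dport"]))


def winning_action(rules, pkt, order=DEFAULT_ORDER):
    """Per-packet verdict: among the rules matching the packet, the action that
    appears earliest in the configured action-order wins. None if nothing matched."""
    hits = {r.action for r in rules if packet_matches(r, pkt)}
    for action in order:
        if action in hits:
            return action
    return None


def _fields_overlap(a, b):
    return a == "any" or b == "any" or a == b


def rules_overlap(a, b):
    """Could a single packet match both rule headers?"""
    proto_ok = "ip" in (a.proto, b.proto) or a.proto == b.proto
    return proto_ok and all(_fields_overlap(getattr(a, f), getattr(b, f))
                            for f in ("src", "sport", "dst", "dport"))


def unqualified_pass_rules(rules, order):
    """Lint for the setup in this thread: when drop is ordered before pass, report
    pass rules that overlap a drop rule and carry no flow: keyword (the
    qualification that made the reported ruleset behave)."""
    if order.index("drop") > order.index("pass"):
        return []  # default order: pass already wins outright, nothing to flag
    drops = [r for r in rules if r.action == "drop"]
    return [r for r in rules
            if r.action == "pass" and "flow" not in r.opts
            and any(rules_overlap(r, d) for d in drops)]


# Constructed sample input: the rules from the first post and one ping packet.
THREAD_RULES = [parse_rule(line) for line in (
    'drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)',
    'pass ip any any -> any any (msg:"Pass IP"; sid:1004;)',
    'pass tcp any any -> any 22 (sid:1;)',
)]
PING_TO_8888 = {"proto": "icmp", "src": "10.0.0.5", "sport": None, "dst": "8.8.8.8", "dport": None}

if __name__ == "__main__":
    for order in (DEFAULT_ORDER, THREAD_ORDER):
        print(order, "->", winning_action(THREAD_RULES, PING_TO_8888, order))
    for r in unqualified_pass_rules(THREAD_RULES, THREAD_ORDER):
        print("pass rule without flow: keyword overlaps a drop rule: sid", r.opts["sid"])
```

With the default order the model passes the ping outright, with the thread's order it drops it, and the lint flags sid 1004 (the pass ip rule) but not sid 1, whose tcp header cannot overlap the icmp drop rule. Running the lint over the flow-qualified variants posted above returns nothing.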

Thanks @bravo_bravo, I have created a ticket here: Bug #4670: rules: mix of drop and pass rules issues - Suricata - Open Information Security Foundation

I’m proposing a fix here

Test cases I’ve been using are here