Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify bypass behavior under different traffic profiles v3 #2114

Closed
wants to merge 2 commits into from
Closed

Verify bypass behavior under different traffic profiles v3 #2114

wants to merge 2 commits into from

Conversation

lukashino
Copy link

Follow-up of #2078

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6788

Note:

  • min-version changes between tests between 7 and 8, the ones with min-version == 7 are where behavior is not expected to change, and the others are where the behavior changes (TLS bypass decoupling, SSH bypass).

Describe changes:
v3:

  • rebased

This was referenced Nov 3, 2024
Closed
Closed
@catenacyber catenacyber added the requires suricata pr Depends on a PR in Suricata label Nov 18, 2024
catenacyber
catenacyber reviewed Dec 3, 2024
View reviewed changes
tests/ssh-hassh/test.yaml
@@ -4,7 +4,7 @@ features:
- RUST

args:
- -k none --set stream.bypass=yes
- -k none --set stream.bypass=yes --set app-layer.protocols.ssh.encryption-handling=bypass
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this change ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

behavior change

  • Encrypted SSH traffic bypass is now independently controlled through
    app-layer.protocols.ssh.encryption-handling setting. The setting can either
    be bypass, default or full.
    To retain the previous behavior of encrypted traffic bypass
    combined with stream depth bypass, set
    app-layer.protocols.ssh.encryption-handling to bypass (while also
    setting app-layer.protocols.tls.encryption-handling to bypass and
    stream.bypass to true).

Previously SSH was bypassed after the session turned encrypted, now we need to be more explicit.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re

Previously SSH was bypassed after the session turned encrypted, now we need to be more explicit.

So previously when the SSH session turned encrypted and stream bypass was allowed then it bypassed the flow. This was not related to reaching the stream depth but only to the session state.
Currently, you can replicate the behavior with setting encryption handling to bypass.

catenacyber
catenacyber reviewed Dec 3, 2024
View reviewed changes
tests/bypass-tls-enabled/test.yaml
@@ -0,0 +1,18 @@
requires:
min-version: 8

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it reusing a pcap ?

@lukashino lukashino mentioned this pull request Dec 8, 2024
Closed
@lukashino
Copy link
Author

cont in #2170

P's comment is mentioned in the PR

@lukashino lukashino closed this Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees
No one assigned
Labels
requires suricata pr Depends on a PR in Suricata
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lukashino @catenacyber