From: Stefan Schantl Date: Fri, 29 Jul 2022 15:46:54 +0000 (+0200) Subject: ipfire-tor.rules: Silence 3way handshake with ack in wrong dir alerts. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba9fa2bd6a393079d32dab5d36b8ddeaba717d55;p=people%2Fstevee%2Fipfire-2.x.git ipfire-tor.rules: Silence 3way handshake with ack in wrong dir alerts. Signed-off-by: Stefan Schantl
---
diff --git a/config/tor/ipfire-tor.rules b/config/tor/ipfire-tor.rules
index fb548d2778..cbff073648 100644
--- a/config/tor/ipfire-tor.rules
+++ b/config/tor/ipfire-tor.rules
@@ -2,3 +2,4 @@ pass http any !$HTTP_PORTS -> $HOME_NET any (msg:"LOCAL No alerts for HTTP gzip
 pass tls $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for outgoing TLS traffic on tor port"; flowbits:noalert; flow:established; sid:1200001; rev:1;)
 pass tls $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for incomming TLS traffic on tor port"; flowbits:noalert; flow:established; sid:1200002; rev:1;)
 pass ip $EXTERNAL_NET any -> $HOME_NET [$TOR_RELAY_PORT,$TOR_SOCKS_PORT] (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:1200003; rev:1;)
+pass tcp $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for 3way handshake with ack in wrong dir"; flowbits:noalert; stream-event:3whs_ack_in_wrong_dir; classtype:protocol-command-decode; sid:1200004; rev:1;)
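Review bot: The added `pass tcp` rule (sid:1200004) ends inspection of every packet from `$TOR_RELAY_PORT` that raises `3whs_ack_in_wrong_dir`, so any other signature that would match the same packet is skipped as well, and neither the commit message nor the rules file records why this event is expected on relay traffic. Whether the pass also carries over to the remainder of the flow depends on how the engine applies pass actions to stream-event matches; that is worth confirming on the deployed Suricata version, because this event can also point to asymmetric routing or a genuine handshake anomaly. A comment line above the rule would keep the exemption auditable, for example `# Relay connections raise 3whs_ack_in_wrong_dir (reason: <observed cause>); pass only this stream event on the relay port`. As a style point, `classtype:protocol-command-decode` does not appear on sids 1200001-1200003 and has no visible effect on a rule that never alerts, so it could be dropped for consistency.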