From 7fd6d6cfbb12d47958fefc3a3228b7853e104530 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Fri, 29 Jul 2022 17:45:34 +0200
Subject: [PATCH] ipfire-tor.rules: Also silence first Data in wrong direction alerts on the relay port.
Signed-off-by: Stefan Schantl
---
 config/tor/ipfire-tor.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/tor/ipfire-tor.rules b/config/tor/ipfire-tor.rules
index 82d065b6d9..fb548d2778 100644
--- a/config/tor/ipfire-tor.rules
+++ b/config/tor/ipfire-tor.rules
@@ -1,4 +1,4 @@
 pass http any !$HTTP_PORTS -> $HOME_NET any (msg:"LOCAL No alerts for HTTP gzip decompression failed"; flowbits:noalert; flow:established; app-layer-event:http.gzip_decompression_failed; sid:1200000; rev:1;)
 pass tls $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for outgoing TLS traffic on tor port"; flowbits:noalert; flow:established; sid:1200001; rev:1;)
 pass tls $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for incomming TLS traffic on tor port"; flowbits:noalert; flow:established; sid:1200002; rev:1;)
-pass ip $EXTERNAL_NET any -> $HOME_NET $TOR_SOCKS_PORT (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:1000003; rev:1;)
+pass ip $EXTERNAL_NET any -> $HOME_NET [$TOR_RELAY_PORT,$TOR_SOCKS_PORT] (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:1200003; rev:1;)
--
2.39.5
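Review bot: The widened rule on the `+` line exempts the internet-facing relay port from `applayer_wrong_direction_first_data` for every protocol (`pass ip`) and does so with a `pass` action rather than a plain alert suppression, so it is worth confirming that only this one event is silenced and not later detections on the same flow; as far as I know a `pass` match on flow-scoped state can carry over to the rest of that flow. Since Tor relay and SOCKS traffic is TCP, `pass tcp $EXTERNAL_NET any -> $HOME_NET [$TOR_RELAY_PORT,$TOR_SOCKS_PORT]` would keep the exemption as narrow as the problem it addresses. The same line also renumbers the rule from `sid:1000003` to `sid:1200003`, which the commit message does not mention; any local threshold or suppress entry keyed on the old sid would stop matching. A short comment above the rule, for example `# Silence applayer_wrong_direction_first_data on the Tor relay and SOCKS ports only`, would record the intended scope for the next maintainer.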