]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 531d99f)
exception: in ids mode, only REJECT the packet
authorJuliana Fajardini <jufajardini@oisf.net>
Mon, 5 Jun 2023 16:02:26 +0000 (13:02 -0300)
committerVictor Julien <vjulien@oisf.net>
Thu, 8 Jun 2023 17:18:01 +0000 (19:18 +0200)
In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior
regardless of being in IDS or IPS mode.
This meant that (at least) the 'flow.action' was changed to drop when we
hit an exception policy in IDS mode.

Bug #6109

src/util-exception-policy.c patch | blob | blame | history

diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index 3716447015462893bb1ba1bce129ffe2c6d44a9d..4513bbb0f2ae6d744898e95744fe7dbd374baf87 100644 (file)
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -72,6 +72,9 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
         case EXCEPTION_POLICY_REJECT:
             SCLogDebug("EXCEPTION_POLICY_REJECT");
             PacketDrop(p, ACTION_REJECT, drop_reason);
+            if (!EngineModeIsIPS()) {
+                break;
+            }
             /* fall through */
         case EXCEPTION_POLICY_DROP_FLOW:
             SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
Mirror of https://github.com/OISF/suricata.git