::
- # In IPS mode, the default is drop-packet/drop-flow. To fallback to old
- # behavior (setting each of them individually, or ignoring all), set this
- # to ignore.
+ # The default is ``ignore``.
+ #
# All values available for exception policies can be used, and there is one
- # extra option: auto - which means drop-packet/drop-flow in IPS mode and
- # ignore in IDS mode).
+ # extra option: auto - same as ``ignore``.
# Exception policy values are: drop-packet, drop-flow, reject, bypass,
# pass-packet, pass-flow, ignore (disable).
exception-policy: auto
+.. note::
+
+ The default/``auto`` value changes to ``drop-flow`` in Suricata 7.0, for IPS mode.
+
This value will be overwritten by specific exception policies whose settings are
also defined in the yaml file.
Auto
''''
-**In IPS mode**, the default behavior for all exception policies is to drop
-packets and/or flows. It is possible to disable this default, by setting the
-exception policies "master switch" yaml config option to ``ignore``.
+The default behavior is to ``ignore`` exception policies. This behavior changes
+with Suricata 7.0, where **in IPS mode**, the default for most of the exception
+policies is to fail close, that is, ``drop-flow``, or ``drop-packet`` if the
+flow action is not supported. For the midstream exception policy, the default
+will be ``ignore`` if midstream flows are accepted.
**In IDS mode**, setting auto mode actually means disabling the
``master-swtich``, or ignoring the exception policies.
return policy;
}
+/* 'auto' means ignore, for now */
static enum ExceptionPolicy ExceptionPolicyPickAuto(bool midstream_enabled, bool support_flow)
{
- enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
- if (!midstream_enabled && EngineModeIsIPS()) {
- if (support_flow) {
- policy = EXCEPTION_POLICY_DROP_FLOW;
- } else {
- policy = EXCEPTION_POLICY_DROP_PACKET;
- }
- }
- return policy;
+ return EXCEPTION_POLICY_NOT_SET;
}
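Review bot: Both parameters of ExceptionPolicyPickAuto (midstream_enabled, support_flow) are now dead, because the body returns EXCEPTION_POLICY_NOT_SET unconditionally, so a build with -Wextra/-Wunused-parameter will warn here (I cannot see the project's warning flags from this hunk). Keeping the signature is the right call since the caller still passes both and the deferred 7.0 behaviour will need them, so silence the warning explicitly with `(void)midstream_enabled; (void)support_flow;` ahead of the return. I would also make the "for now" comment record what is deferred, at the function rather than only in the user guide, e.g. `/* 'auto' resolves to ignore (NOT_SET) for now; planned for 7.0: drop-flow, or drop-packet when !support_flow, in IPS mode with midstream disabled */`. Worth stating in that comment too that this makes the IPS-mode default fail-open until an explicit policy is configured, which is the intended effect of the change.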
static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
{
enum ExceptionPolicy policy = ExceptionPolicyConfigValueParse("exception-policy", value);
- if (policy == EXCEPTION_POLICY_AUTO) {
- policy = ExceptionPolicyPickAuto(false, true);
- } else if (!EngineModeIsIPS() &&
- (policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) {
+ if (!EngineModeIsIPS() &&
+ (policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) {
policy = EXCEPTION_POLICY_NOT_SET;
}
g_eps_have_exception_policy = true;
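Review bot: The retained branch on the two `+` lines still downgrades an explicitly configured drop-packet/drop-flow master policy to EXCEPTION_POLICY_NOT_SET in IDS mode without any log output, so an operator who wrote a drop policy into the master switch silently gets ignore. Now that `auto` is no longer resolved here and passes through unchanged to ExceptionPolicyGetDefault, this parse step is the only place where the operator's literal `value` is still in hand, which makes it the right place to warn. A single warning-level log line naming `value` and stating that drop policies are not applied in IDS mode, placed before `policy = EXCEPTION_POLICY_NOT_SET;`, would make the downgrade visible; I have not quoted an exact call because I cannot see which log macro and error-code convention this file uses. ExceptionPolicyMasterParse continues past the end of this hunk.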
enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
if (g_eps_have_exception_policy) {
p = GetMasterExceptionPolicy(option);
+
+ if (p == EXCEPTION_POLICY_AUTO) {
+ p = ExceptionPolicyPickAuto(midstream, support_flow);
+ SCLogConfig("%s: %s (defined via 'exception-policy' master switch). "
+ "Warning: this will change to drop-flow or drop-packet in Suricata 7.",
+ option, ExceptionPolicyEnumToString(p));
+ return p;
+ }
+
if (!support_flow) {
p = PickPacketAction(option, p);
}
SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option,
ExceptionPolicyEnumToString(p));
return p;
- } else if (EngineModeIsIPS() && !midstream) {
- p = EXCEPTION_POLICY_DROP_FLOW;
}
- SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option,
- ExceptionPolicyEnumToString(p), EngineModeIsIPS() ? "IPS" : "IDS");
+
+ /* If we don't have the master switch set, default is `not_set` */
+
+ SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode). "
+ "Warning: this will change to drop-flow or drop-packet in Suricata 7.",
+ option, ExceptionPolicyEnumToString(p), EngineModeIsIPS() ? "IPS" : "IDS");
return p;
}
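Review bot: The "Warning: this will change to drop-flow or drop-packet in Suricata 7." suffix in the two new SCLogConfig calls (the master-switch `auto` case and the built-in-default case) is emitted in IDS mode too, yet the documentation in this same change says the 7.0 change applies in IPS mode only and that midstream-policy keeps ignore when midstream flows are accepted; in IDS deployments the message is therefore false and will prompt support questions. Both `midstream` and EngineModeIsIPS() are already in scope here, so gate the suffix on them, e.g. `const char *warn = (EngineModeIsIPS() && !midstream) ? " Warning: this will change to drop-flow or drop-packet in Suricata 7." : "";` and append it to each format string through an extra `%s` argument. Separately, a notice about a future switch to a fail-closed default is operationally significant enough that a warning-level log call seems a better fit than SCLogConfig, which many deployments do not surface. Note the enclosing function begins before this hunk.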
}
}
} else {
- policy = ExceptionPolicyGetDefault("midstream-policy", true, midstream_enabled);
+ policy = ExceptionPolicyGetDefault("stream.midstream-policy", true, midstream_enabled);
}
if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) {