Merge db890b06b6 into 54322f38f8

2026-05-28 04:32:12 -04:00 · 2026-05-27 21:26:59 +00:00 · 2026-05-27 21:26:59 +00:00 · cd0f96bfcd
commit cd0f96bfcd
parent 54322f38f8 db890b06b6
7 changed files with 41 additions and 3 deletions
--- a/doc/userguide/rules/bypass-keyword.rst
+++ b/doc/userguide/rules/bypass-keyword.rst
@ -11,6 +11,11 @@ The ``bypass`` keyword is useful in cases where there is a large flow expected

 The ``bypass`` keyword is considered a post-match keyword.

+.. note::
+
+   ``bypass`` cannot be used in firewall mode, not even with Threat Detection
+   rules, as this could lead to bypassing the firewall altogether.
+
 bypass
 ------

--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@ -912,6 +912,9 @@ the reassembled stream.
 The checksums will be recalculated by Suricata and changed after the
 replace keyword is being used.

+.. note:: ``replace`` cannot be used in firewall rules, nor in firewall mode,
+   even if only in Threat Detection rules.
+
 .. _pcre:

 pcre (Perl Compatible Regular Expressions)
--- a/src/detect-bypass.c
+++ b/src/detect-bypass.c
@ -64,7 +64,7 @@ void DetectBypassRegister(void)
    sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
    sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
    sigmatch_table[DETECT_BYPASS].Free  = NULL;
-    sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT | SIGMATCH_BAN_FIREWALL_MODE;
 }

 static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@ -331,6 +331,18 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
        DEBUG_VALIDATE_BUG_ON(flags & (SIGMATCH_INFO_MULTI_UINT | SIGMATCH_INFO_ENUM_UINT |
                                              SIGMATCH_INFO_BITFLAGS_UINT));
    }
+    if (flags & SIGMATCH_BAN_FIREWALL_RULE) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("banned from firewall rules");
+        prev = 1;
+    }
+    if (flags & SIGMATCH_BAN_FIREWALL_MODE) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("banned from firewall mode");
+        prev = 1;
+    }
    if (e->Transform) {
        if (prev == 1)
            printf("%c", sep);
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@ -350,6 +350,10 @@ extern int DETECT_TBLSIZE_IDX;
 #define SIGMATCH_INFO_ENUM_UINT (1UL << (19))
 /** keyword is an uint with bitflags */
 #define SIGMATCH_INFO_BITFLAGS_UINT (1UL << (20))
+/** keyword cannot be used in firewall rules */
+#define SIGMATCH_BAN_FIREWALL_RULE (1UL << (21))
+/** keyword cannot be used in firewall mode */
+#define SIGMATCH_BAN_FIREWALL_MODE (1UL << (22))

 int SigTableList(const char *keyword);
 void SigTableCleanup(void);
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -968,6 +968,16 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
 #undef URL
    }

+    if (s->init_data->firewall_rule && (st->flags & SIGMATCH_BAN_FIREWALL_RULE) != 0) {
+        SCLogError("keyword \'%s\' is not allowed with firewall rules", optname);
+        goto error;
+    }
+
+    if (EngineModeIsFirewall() && (st->flags & SIGMATCH_BAN_FIREWALL_MODE) != 0) {
+        SCLogError("keyword \'%s\' is not allowed in firewall mode", optname);
+        goto error;
+    }
+
    int setup_ret = 0;

    /* Validate double quoting, trimming trailing white space along the way. */
--- a/src/detect-replace.c
+++ b/src/detect-replace.c
@ -58,14 +58,18 @@ static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
 void DetectReplaceRegister (void)
 {
    sigmatch_table[DETECT_REPLACE].name = "replace";
-    sigmatch_table[DETECT_REPLACE].desc = "only to be used in IPS-mode. Change the following content into another";
+    sigmatch_table[DETECT_REPLACE].desc =
+            "only to be used in IPS-mode. Banned from firewall rules & firewall mode usage. Change "
+            "the following content into another";
    sigmatch_table[DETECT_REPLACE].url = "/rules/payload-keywords.html#replace";
    sigmatch_table[DETECT_REPLACE].Match = DetectReplacePostMatch;
    sigmatch_table[DETECT_REPLACE].Setup = DetectReplaceSetup;
 #ifdef UNITTESTS
    sigmatch_table[DETECT_REPLACE].RegisterTests = DetectReplaceRegisterTests;
 #endif
-    sigmatch_table[DETECT_REPLACE].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
+    sigmatch_table[DETECT_REPLACE].flags =
+            (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION | SIGMATCH_BAN_FIREWALL_RULE |
+                    SIGMATCH_BAN_FIREWALL_MODE);
 }

 static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,