From 9af4d78e99b0251a24a7f5267929fc563ef44473 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 26 May 2026 17:15:18 -0300
Subject: [PATCH 1/4] firewall: allow banning keywords from fw rules

Related to Ticket #8551
---
 src/detect-engine-register.c | 6 ++++++
 src/detect-engine-register.h | 2 ++
 src/detect-parse.c | 11 +++++++++++
 3 files changed, 19 insertions(+)

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index a339aaa55b..b62a6173ca 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -331,6 +331,12 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
 DEBUG_VALIDATE_BUG_ON(flags & (SIGMATCH_INFO_MULTI_UINT | SIGMATCH_INFO_ENUM_UINT | SIGMATCH_INFO_BITFLAGS_UINT));
 }
+ if (flags & SIGMATCH_BAN_FIREWALL_RULE) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("banned from firewall rules");
+ prev = 1;
+ }
 if (e->Transform) {
 if (prev == 1)
 printf("%c", sep);
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 516dc5b288..910394ffd4 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -350,6 +350,8 @@ extern int DETECT_TBLSIZE_IDX;
 #define SIGMATCH_INFO_ENUM_UINT (1UL << (19))
 /** keyword is an uint with bitflags */
 #define SIGMATCH_INFO_BITFLAGS_UINT (1UL << (20))
+/** keyword cannot be used in firewall rules */
+#define SIGMATCH_BAN_FIREWALL_RULE (1UL << (21))
 int SigTableList(const char *keyword);
 void SigTableCleanup(void);
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 82822ba8bf..04f7c427ed 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -968,6 +968,11 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
 #undef URL
 }
+ if (s->init_data->firewall_rule && (st->flags & SIGMATCH_BAN_FIREWALL_RULE) != 0) {
+ SCLogError("keyword \'%s\' is not allowed with firewall rules", optname);
+ goto error;
+ }
+
 int setup_ret = 0;
 /* Validate double quoting, trimming trailing white space along the way. */
@@ -988,6 +993,12 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
 goto error;
 }
+ /** error with firewall rule ban before firewall untested warning */
+ if (s->init_data->firewall_rule && (st->flags & SIGMATCH_BAN_FIREWALL_RULE) != 0) {
+ SCLogError("keyword \'%s\' is not allowed with firewall rules", optname);
+ goto error;
+ }
+
 if (s->init_data->firewall_rule && (st->flags & SIGMATCH_SUPPORT_FIREWALL) == 0) {
 SCLogWarning("keyword \'%s\' has not been tested for firewall rules", optname);
 }
From c4378e6ca983902c5be341b623531df4402e0a41 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 27 May 2026 15:43:16 -0300
Subject: [PATCH 2/4] detect/parse: allow banning keywords with fw mode

Related to Ticket #8551
---
 src/detect-engine-register.c | 6 ++++++
 src/detect-engine-register.h | 2 ++
 src/detect-parse.c | 11 +++++------
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index b62a6173ca..1b441fc296 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -337,6 +337,12 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
 printf("banned from firewall rules");
 prev = 1;
 }
+ if (flags & SIGMATCH_BAN_FIREWALL_MODE) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("banned from firewall mode");
+ prev = 1;
+ }
 if (e->Transform) {
 if (prev == 1)
 printf("%c", sep);
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 910394ffd4..0538d998a9 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
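Review bot: The firewall-rule ban is checked twice in SigParseOptions: the block added at @@ -968 already takes `goto error` for `s->init_data->firewall_rule && (st->flags & SIGMATCH_BAN_FIREWALL_RULE) != 0` before setup runs, so the identical block added at @@ -988 can never fire unless st is reassigned in between, which the hunks do not show. The following commit in this series removes the second copy; squashing that removal into this commit would avoid landing dead code. The `/** ... */` Doxygen opener on the inline explanatory comment also differs from the `/* ... */` style of the neighbouring "Validate double quoting" comment. SigParseOptions begins and ends outside both hunks.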
@@ -352,6 +352,8 @@ extern int DETECT_TBLSIZE_IDX;
 #define SIGMATCH_INFO_BITFLAGS_UINT (1UL << (20))
 /** keyword cannot be used in firewall rules */
 #define SIGMATCH_BAN_FIREWALL_RULE (1UL << (21))
+/** keyword cannot be used in firewall mode */
+#define SIGMATCH_BAN_FIREWALL_MODE (1UL << (22))
 int SigTableList(const char *keyword);
 void SigTableCleanup(void);
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 04f7c427ed..b944ba3868 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -973,6 +973,11 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
 goto error;
 }
+ if (EngineModeIsFirewall() && (st->flags & SIGMATCH_BAN_FIREWALL_MODE) != 0) {
+ SCLogError("keyword \'%s\' is not allowed in firewall mode", optname);
+ goto error;
+ }
+
 int setup_ret = 0;
 /* Validate double quoting, trimming trailing white space along the way. */
@@ -993,12 +998,6 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
 goto error;
 }
- /** error with firewall rule ban before firewall untested warning */
- if (s->init_data->firewall_rule && (st->flags & SIGMATCH_BAN_FIREWALL_RULE) != 0) {
- SCLogError("keyword \'%s\' is not allowed with firewall rules", optname);
- goto error;
- }
-
 if (s->init_data->firewall_rule && (st->flags & SIGMATCH_SUPPORT_FIREWALL) == 0) {
 SCLogWarning("keyword \'%s\' has not been tested for firewall rules", optname);
 }
From 997cddabac0cb0524b1ae637b8ac765c19093f57 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 26 May 2026 17:18:45 -0300
Subject: [PATCH 3/4] detect/replace: ban replace keyword for firewall

Ticket #8551
---
 doc/userguide/rules/payload-keywords.rst | 3 +++
 src/detect-replace.c | 8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst
index dff2fb09ce..65a5363d29 100644
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
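Review bot: The mode check added at @@ -973 rejects the keyword for every signature parsed while EngineModeIsFirewall() is true, threat-detection rules included, which is a wider scope than the rule ban immediately above it (gated on `s->init_data->firewall_rule`), and nothing in the code says so. A one-line comment would keep the two gates from being confused by the next editor, e.g. `/* mode ban: applies to all rules loaded in firewall mode, not only firewall rules */`. Because this gate reads global engine state rather than a per-rule flag, a rule set that loads cleanly in IDS/IPS mode can stop loading once firewall mode is enabled; the doc hunks in the later commits suggest that is intended, but it is worth stating in the commit message. SigParseOptions begins and ends outside the hunk.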
@@ -912,6 +912,9 @@ the reassembled stream. The checksums will be recalculated by Suricata and changed after the replace keyword is being used.
+.. note:: ``replace`` cannot be used in firewall rules, nor in firewall mode,
+ even if only in Threat Detection rules.
+
 .. _pcre:
 pcre (Perl Compatible Regular Expressions)
diff --git a/src/detect-replace.c b/src/detect-replace.c
index e5fb30fa6e..215112c07b 100644
--- a/src/detect-replace.c
+++ b/src/detect-replace.c
@@ -58,14 +58,18 @@ static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
 void DetectReplaceRegister (void)
 {
 sigmatch_table[DETECT_REPLACE].name = "replace";
- sigmatch_table[DETECT_REPLACE].desc = "only to be used in IPS-mode. Change the following content into another";
+ sigmatch_table[DETECT_REPLACE].desc =
+ "only to be used in IPS-mode. Banned from firewall rules & firewall mode usage. Change "
+ "the following content into another";
 sigmatch_table[DETECT_REPLACE].url = "/rules/payload-keywords.html#replace";
 sigmatch_table[DETECT_REPLACE].Match = DetectReplacePostMatch;
 sigmatch_table[DETECT_REPLACE].Setup = DetectReplaceSetup;
 #ifdef UNITTESTS
 sigmatch_table[DETECT_REPLACE].RegisterTests = DetectReplaceRegisterTests;
 #endif
- sigmatch_table[DETECT_REPLACE].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
+ sigmatch_table[DETECT_REPLACE].flags =
+ (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION | SIGMATCH_BAN_FIREWALL_RULE |
+ SIGMATCH_BAN_FIREWALL_MODE);
 }
 static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
From db890b06b680593ce5a683fab67de44435271989 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 27 May 2026 17:47:52 -0300
Subject: [PATCH 4/4] detect/bypass: ban bypass keyword for firewall mode

Related to Ticket #8551
---
 doc/userguide/rules/bypass-keyword.rst | 5 +++++
 src/detect-bypass.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
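Review bot: The new desc string in DetectReplaceRegister hard-codes "Banned from firewall rules & firewall mode usage", which repeats what PrintFeatureList now derives from the SIGMATCH_BAN_FIREWALL_RULE and SIGMATCH_BAN_FIREWALL_MODE bits set a few lines below; if the flags are ever adjusted, the prose and the flag-derived feature list drift apart. If desc and the feature list are shown in the same keyword listing, keeping desc to what the keyword does and letting the flags report the bans avoids the duplication, i.e. leave the original `sigmatch_table[DETECT_REPLACE].desc = "only to be used in IPS-mode. Change the following content into another";` in place. The flags change itself is the substantive part of the hunk and looks correct given the parse-time checks added earlier in the series.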
diff --git a/doc/userguide/rules/bypass-keyword.rst b/doc/userguide/rules/bypass-keyword.rst
index 86525a8480..6572f72f01 100644
--- a/doc/userguide/rules/bypass-keyword.rst
+++ b/doc/userguide/rules/bypass-keyword.rst
@@ -11,6 +11,11 @@ The ``bypass`` keyword is useful in cases where there is a large flow expected The ``bypass`` keyword is considered a post-match keyword.
+.. note::
+
+ ``bypass`` cannot be used in firewall mode, not even with Threat Detection
+ rules, as this could lead to bypassing the firewall altogether.
+
 bypass
 ------
diff --git a/src/detect-bypass.c b/src/detect-bypass.c
index 44af06cd63..61f93c0564 100644
--- a/src/detect-bypass.c
+++ b/src/detect-bypass.c
@@ -64,7 +64,7 @@ void DetectBypassRegister(void)
 sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
 sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
 sigmatch_table[DETECT_BYPASS].Free = NULL;
- sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT | SIGMATCH_BAN_FIREWALL_MODE;
 }
 static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
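Review bot: DetectBypassRegister sets only SIGMATCH_BAN_FIREWALL_MODE, so bypass is rejected solely through the EngineModeIsFirewall() gate in SigParseOptions; if a signature with `s->init_data->firewall_rule` set can ever be parsed while the engine is not in firewall mode, bypass would still be accepted in that firewall rule, even though the doc hunk in this commit says the keyword could bypass the firewall altogether. If that combination is reachable, `sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT | SIGMATCH_BAN_FIREWALL_RULE | SIGMATCH_BAN_FIREWALL_MODE;` closes it; if firewall rules can only be loaded in firewall mode, a comment on the flags line stating that the mode ban already covers firewall rules would stop the question being raised again. DetectBypassRegister begins outside the hunk.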