suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

Decouple stream.bypass dependency from TLS encrypted bypass

Open msdean opened this issue 1 year ago • 6 comments

Make sure these boxes are signed before submitting your Pull Request -- thank you.

  • [x] I have read the contributing guide lines at https://suricata.readthedocs.io/en/latest/devguide/codebase/contributing/contribution-process.html
  • [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
  • [x] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6788 Link to forum discussion: https://forum.suricata.io/t/encrypted-tls-bypass-dependency-on-stream-bypass/3528 Link to previous PR: https://github.com/OISF/suricata/pull/9127

Describe changes:

  • Decouple app.protocols.tls.encryption-handling and stream.bypass. There's no apparent reason why encrypted TLS bypass traffic should depend on stream bypass, as these are unrleated features.

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the pull request number.

Alternatively, SV_BRANCH may also be a link to an OISF/suricata-verify pull-request.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

msdean avatar Feb 19 '24 15:02 msdean

NOTE: This PR may contain new authors.

github-actions[bot] avatar Feb 19 '24 16:02 github-actions[bot]

So, the major question is the behavior change for SSH which now gets automatically bypassed, even if this is not mentioned in doc or commit messages... What do you think about it ?

If there's a change in behavior, then agreeing that we want a doc update.

jufajardini avatar Apr 25 '24 03:04 jufajardini

@msdean will you work further on this ?

catenacyber avatar Jul 13 '24 19:07 catenacyber

Possibly at some point, but the request of adding an SV test is a bit much for me, as I don't really have the time at the moment to setup a dev environment and onboard to the codebase. I was hoping to get away with a small PR with just this change 😅. If someone can pick up what's left that would be great, as I do think the change is the right way to go, but I'm currently content with using a fork with the fix for my needs, and obviously no expectations from the community to pick up my slack, I'm sure you guys have more pressing matters to attend do. I do hope to get back to it and finish it up proper at some point, just don't see it happening any time soon unfortunately.

msdean avatar Jul 14 '24 06:07 msdean

Thanks for your answer, maybe we will pick it up.

So, the major question is the behavior change for SSH which now gets automatically bypassed, even if this is not mentioned in doc or commit messages... What do you think about it ?

Do you have an opinion about this ?

catenacyber avatar Jul 15 '24 08:07 catenacyber

Thanks for your answer, maybe we will pick it up.

So, the major question is the behavior change for SSH which now gets automatically bypassed, even if this is not mentioned in doc or commit messages... What do you think about it ?

Do you have an opinion about this ?

I think it should either be documented or perhaps reworked in a way that doesn't affect SSH.

msdean avatar Jul 16 '24 06:07 msdean

Followed up on this in https://github.com/OISF/suricata/pull/11801

lukashino avatar Sep 19 '24 09:09 lukashino