git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Mon, 1 Sep 2025 12:51:56 +0000 (14:51 +0200)
committer	Victor Julien <victor@inliniac.net>
	Mon, 8 Sep 2025 16:47:16 +0000 (18:47 +0200)
commit	d352b75ac64bd2026d87fe2a95c7d178e66e2922
tree	8eaae83a527ee9e6b50f98351980d9a450ca7415	tree \| snapshot
parent	be6315dba0d9101b11d16e9dacfe2822b3792f1b	commit \| diff

stream: add more liberal timestamp behavior in 3WHS

RFC 7323 forbids a server to respond with a timestamp option in the
SYN/ACK when the SYN didn't have a timestamp option:

   A TCP MAY send the TSopt in an initial <SYN> segment (i.e., segment
   containing a SYN bit and no ACK bit), and MAY send a TSopt in
   <SYN,ACK> only if it received a TSopt in the initial <SYN> segment
   for the connection.

   Once TSopt has been successfully negotiated, that is both <SYN> and
   <SYN,ACK> contain TSopt, the TSopt MUST be sent in every non-<RST>
   segment for the duration of the connection, and SHOULD be sent in an
   <RST> segment (see Section 5.2 for details).

However, in the real world this pattern happens on benign traffic. This
would lead to missing logs and detection, and in IPS mode such sessions
would be blocked.

This patch allows this pattern when the `stream.liberal-timestamps` is
enabled (enabled by default).

Bug #4702.