git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Wed, 16 Jul 2014 22:23:50 +0000 (00:23 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 7 Aug 2014 13:10:25 +0000 (15:10 +0200)
commit	ba7e5aac88b8bd1431531b68537e56a7e25f09b8
tree	3aac5b23986550c793269205e1a377be71689729	tree \| snapshot
parent	c6e83d92d76d3ed847b90f3b0d460f34a410c92f	commit \| diff

stream: detect and filter out bad window updates

Reported in bug 1238 is an issue where stream reassembly can be
disrupted.

A packet that was in-window, but otherwise unexpected set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This lead to missing data in the
stream reassembly.

The packet was unexpected in various ways:
- it would ack unseen traffic
- it's sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update

Detection however, it greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case as well.

The logic used in this patch is as follows. If:

- the packet is not a window update AND
- packet seq > next_seq AND
- packet acq > next_seq (packet acks unseen data) AND
- packet shrinks window more than it's own data size
THEN set event and skip the packet in the stream engine.

So in case of a segment with no data, any window shrinking is rejected.

Bug #1238.

rules/stream-events.rules		diff \| blob \| blame \| history
src/decode-events.h		diff \| blob \| blame \| history
src/detect-engine-event.h		diff \| blob \| blame \| history
src/stream-tcp.c		diff \| blob \| blame \| history