git.ipfire.org Git - people/ms/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Thu, 10 May 2018 15:23:05 +0000 (17:23 +0200)
committer	Victor Julien <victor@inliniac.net>
	Wed, 18 Jul 2018 11:16:56 +0000 (13:16 +0200)
commit	843d0b7a10bb45627f94764a6c5d468a24143345
tree	613a29db59ced303d751f98de7dbd9daf70f563d	tree \| snapshot
parent	33614fcae054ee417fe83bf68fd5d8e082d74223	commit \| diff

stream: support RST getting lost/ignored

In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in it's name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continueing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin

rules/stream-events.rules		diff \| blob \| blame \| history
src/decode-events.c		diff \| blob \| blame \| history
src/decode-events.h		diff \| blob \| blame \| history
src/stream-tcp-private.h		diff \| blob \| blame \| history
src/stream-tcp.c		diff \| blob \| blame \| history