git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Wed, 16 Jul 2014 22:23:50 +0000 (00:23 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 7 Aug 2014 13:31:35 +0000 (15:31 +0200)
commit	6b0ff0193d9e3a7f4c2c909ef463d8a9c858c42b
tree	546c73ce7312d58a068d2a8da9f6aa1f642ffed5	tree
parent	7cc63918c365a8aecde09455a22a026b5f75beae	commit \| diff

stream: detect and filter out bad window updates

Reported in bug 1238 is an issue where stream reassembly can be
disrupted.

A packet that was in-window, but otherwise unexpected set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This lead to missing data in the
stream reassembly.

The packet was unexpected in various ways:
- it would ack unseen traffic
- it's sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update

Detection however, it greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case as well.

The logic used in this patch is as follows. If:

- the packet is not a window update AND
- packet seq > next_seq AND
- packet acq > next_seq (packet acks unseen data) AND
- packet shrinks window more than it's own data size
THEN set event and skip the packet in the stream engine.

So in case of a segment with no data, any window shrinking is rejected.

Bug #1238.

rules/stream-events.rules		diff \| blob \| blame \| history
src/decode-events.h		diff \| blob \| blame \| history
src/detect-engine-event.h		diff \| blob \| blame \| history
src/stream-tcp.c		diff \| blob \| blame \| history