Pull request #4195: stream_tcp: add alerts for exceeding thresholds for max queued...
authorDavis McPherson -X (davmcphe - XORIANT CORPORATION at Cisco) <davmcphe@cisco.com>
Thu, 8 Feb 2024 19:09:27 +0000 (19:09 +0000)
committerSteven Baigal (sbaigal) <sbaigal@cisco.com>
Thu, 8 Feb 2024 19:09:27 +0000 (19:09 +0000)
Merge in SNORT/snort3 from ~DAVMCPHE/snort3:alert_on_queue_limit_events to master

Squashed commit of the following:

commit ef3d7c1d48fefc50bef5b28006206968d1b07ee4
Author: davis mcpherson <davmcphe@cisco.com>
Date:   Mon Jan 29 15:08:15 2024 -0500

    stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments

    update snort_reference document to include descriptions of new 129 builtin rules

doc/reference/snort_reference.text
src/stream/tcp/tcp_event_logger.cc
src/stream/tcp/tcp_event_logger.h
src/stream/tcp/tcp_module.cc
src/stream/tcp/tcp_module.h
src/stream/tcp/tcp_session.cc

index 84cdfde1e3bdf105c9509bd17a199ed20bd8128d..1417fe629f74d6dfdffd875d4407f0152d4d5a0a 100644 (file)
@@ -5880,6 +5880,8 @@ Rules:
   * 129:18 (stream_tcp) data sent on stream after TCP reset received
   * 129:19 (stream_tcp) TCP window closed before receiving data
   * 129:20 (stream_tcp) TCP session without 3-way handshake
+  * 129:21 (stream_tcp) TCP max queued reassembly bytes exceeded threshold
+  * 129:22 (stream_tcp) TCP max queued reassembly segments exceeded threshold
 
 Peg counts:
 
@@ -14586,6 +14588,16 @@ TCP window was closed before receiving data.
 
 The TCP 3-way handshake was not seen for this TCP session.
 
+129:21 (stream_tcp) TCP maximum bytes queued limit exceeded
+
+The maximum bytes allowed to be queued for reassembly for an
+endpoint has been exceeded.
+
+129:22 (stream_tcp) TCP maximum segments queued limit exceeded
+
+The maximum number of segments allowed to be queued for reassembly
+for an endpoint has been exceeded.
+
 131:1 (dns) obsolete DNS RR types
 
 DNS Response Resource Record Type is Obsolete.
index 57b59d45a8865d4178c8c3fa92882334615c8d6a..c3de7576dc0f5e49dd8beee09d8e7efaf0918ef5 100644 (file)
@@ -67,8 +67,8 @@ struct tcp_event_sid tcp_event_sids[] =
     { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT, "BAD_SEGMENT" },
     { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, "EXCESSIVE_OVERLAP" },
     { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT, "MAX_SMALL_SEGS_EXCEEDED" },
-    { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },
-    { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },
+    { EVENT_MAX_QUEUED_BYTES_EXCEEDED, STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED, "MAX_QUEUED_BYTES_EXCEEDED" },
+    { EVENT_MAX_QUEUED_SEGS_EXCEEDED, STREAM_TCP_MAX_QUEUED_SEGS_EXCEEDED, "MAX_QUEUED_SEGS_EXCEEDED" },
     { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }
 };
 
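Review bot: The two new rows replace eight `{ 0, 0, nullptr }` placeholders, so tcp_event_sids loses six entries — from 32 to 26 rows if the remaining four placeholders were the tail of a 32-slot table, which the existence of placeholder rows at all suggests. If the loop in log_tcp_events (outside this hunk) walks a fixed 32 or STREAM_TCP_MAX_EVENTS slots instead of the array's real length, it now reads past the end of the array. Keep the row count unchanged by following the two new entries with six placeholders, `{ 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },`, or size the loop from the array itself, and pin the invariant with `static_assert(sizeof(tcp_event_sids) / sizeof(tcp_event_sids[0]) == 32, "one row per event bit");` so the next event added cannot silently shorten the table again.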
index b72a200352034f98f1208f8427dea4a1aeae3f33..eb346a9af6894a5959b56fc61ababa1bde17f9e2 100644 (file)
@@ -45,6 +45,8 @@
 #define EVENT_BAD_SEGMENT               0x00020000
 #define EVENT_EXCESSIVE_OVERLAP         0x00040000
 #define EVENT_MAX_SMALL_SEGS_EXCEEDED   0x00080000
+#define EVENT_MAX_QUEUED_BYTES_EXCEEDED 0x00100000
+#define EVENT_MAX_QUEUED_SEGS_EXCEEDED  0x00200000
 
 class TcpEventLogger
 {
index cd461e6cdfec4adb17810769c09bd3be7daf47b2..93e8fdb0ffab621a10ec1c217bbd3aaec82fdb66 100644 (file)
@@ -161,6 +161,10 @@ THREAD_LOCAL TcpStats tcpStats;
     "TCP window closed before receiving data"
 #define STREAM_TCP_NO_3WHS_STR \
     "TCP session without 3-way handshake"
+#define STREAM_TCP_MAX_QUEUED_BYTES_STR \
+    "TCP max queued reassembly bytes exceeded threshold"
+#define STREAM_TCP_MAX_QUEUED_SEGS_STR \
+    "TCP max queued reassembly segments exceeded threshold"
 
 static const Parameter stream_tcp_small_params[] =
 {
@@ -256,6 +260,8 @@ static const RuleMap stream_tcp_rules[] =
     { STREAM_TCP_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD_STR },
     { STREAM_TCP_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM_STR },
     { STREAM_TCP_NO_3WHS, STREAM_TCP_NO_3WHS_STR },
+    { STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED, STREAM_TCP_MAX_QUEUED_BYTES_STR },
+    { STREAM_TCP_MAX_QUEUED_SEGS_EXCEEDED, STREAM_TCP_MAX_QUEUED_SEGS_STR },
 
     { 0, nullptr }
 };
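Review bot: The alert text defined by STREAM_TCP_MAX_QUEUED_BYTES_STR and STREAM_TCP_MAX_QUEUED_SEGS_STR (`"TCP max queued reassembly bytes exceeded threshold"`) does not match the per-rule headings the same commit adds to doc/reference/snort_reference.text (`129:21 (stream_tcp) TCP maximum bytes queued limit exceeded`), even though the Rules summary list in that document does use the macro wording. Operators typically search the reference by the message they see in the alert, so the two should agree — presumably the document headings should be changed to the macro strings, since those are what the rule emits. The macro list and the stream_tcp_rules RuleMap both begin before these hunks.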
index 3332e2b5ca504654d0b714a81a901751c7c10dac..07a6c1a0de9201ea89e39007f9ad58f7f9a9c7f9 100644 (file)
@@ -47,6 +47,8 @@
 #define STREAM_TCP_DATA_AFTER_RST_RCVD            18
 #define STREAM_TCP_WINDOW_SLAM                    19
 #define STREAM_TCP_NO_3WHS                        20
+#define STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED      21
+#define STREAM_TCP_MAX_QUEUED_SEGS_EXCEEDED       22
 #define STREAM_TCP_MAX_EVENTS                     32
 
 extern const PegInfo tcp_pegs[];
index ddd516545df6176d6b66a5d47f5955a8825cf2b6..14c427758bf2383e65daa5afbcd99c5bda4b1173 100644 (file)
@@ -359,6 +359,7 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
             if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
             {
                 tsd.get_pkt()->active->set_drop_reason("stream");
+                tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED);
                 if (PacketTracer::is_active())
                     PacketTracer::log("Stream: Flow exceeded the configured max byte threshold (%u)\n", tcp_config->max_queued_bytes);
             }
@@ -394,6 +395,7 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
             if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
             {
                 tsd.get_pkt()->active->set_drop_reason("stream");
+                tel.set_tcp_event(EVENT_MAX_QUEUED_SEGS_EXCEEDED);
                 if (PacketTracer::is_active())
                     PacketTracer::log("Stream: Flow exceeded the configured max segment threshold (%u)\n", tcp_config->max_queued_segs);
             }
@@ -502,6 +504,7 @@ int TcpSession::process_tcp_data(TcpSegmentDescriptor& tsd)
                 listener->normalizer.trim_win_payload(tsd, 0, tsd.is_nap_policy_inline());
                 return STREAM_UNALIGNED;
             }
+
             if( listener->get_iss() )
             {
                 tcpStats.zero_win_probes++;
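Review bot: `tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED)` sits inside the `if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON )` branch, so 129:21 is raised only when the flow is also dropped or trimmed; a passive sensor that exceeds max_queued_bytes still produces no alert, while the reference text this commit adds says the event fires whenever the limit "has been exceeded". If the intent is to alert on the threshold itself rather than on the enforcement action, move the call above the `if`, beside the threshold comparison (that comparison and the rest of flow_exceeds_config_thresholds are outside the hunk, so the exact spot must be confirmed there). The same applies to EVENT_MAX_QUEUED_SEGS_EXCEEDED in the second hunk. The third hunk is whitespace only.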