stream: no more stream events after known issue

No longer set stream events after a gap or wrong thread. We know
we lost sync and are now in 'lets make the best of it'-mode. No
point in flooding the system with stream events.

Ticket #2484

diff --git a/src/decode.h b/src/decode.h
index 675d141ab1a5477599b46f2145048fa79a977a94..d4d4595cc85ee02d81007b65b6744b595d93a395 100644 (file)
--- a/src/decode.h
+++ b/src/decode.h
@@ -1131,6 +1131,9 @@ void DecodeUnregisterCounters(void);
 
 #define PKT_PSEUDO_DETECTLOG_FLUSH      (1<<27)     /**< Detect/log flush for protocol upgrade */
 
+/** Packet is part of stream in known bad condition (loss, wrong thread),
+ *  so flag it for not setting stream events */
+#define PKT_STREAM_NO_EVENTS            (1<<28)
 
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \

diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index 0a338e7deda1557e3af202cda65e36674d676de8..899dafa5dd6427f849f5c77bc8e490ceb08fe36a 100644 (file)
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -243,9 +243,15 @@ enum
     } while(0); \
 }
 
-#define StreamTcpSetEvent(p, e) { \
-    SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")", (e), p, (p)->pcap_cnt); \
-    ENGINE_SET_EVENT((p), (e)); \
+#define StreamTcpSetEvent(p, e) {                                           \
+    if ((p)->flags & PKT_STREAM_NO_EVENTS) {                                \
+        SCLogDebug("not setting event %"PRIu8" on pkt %p (%"PRIu64"), "     \
+                   "stream in known bad condition", (e), p, (p)->pcap_cnt); \
+    } else {                                                                \
+        SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")",          \
+                    (e), p, (p)->pcap_cnt);                                 \
+        ENGINE_SET_EVENT((p), (e));                                         \
+    }                                                                       \
 }
 
 typedef struct TcpSession_ {

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 0be74760a97bbb997dc18e4a521a5fca1c059032..3f389900bd28da31bbd72c2108a02eb8af8dd999 100644 (file)
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4765,6 +4765,15 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
             goto skip;
         }
 
+        if (p->flow->flags & FLOW_WRONG_THREAD ||
+            ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP ||
+            ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP)
+        {
+            /* Stream and/or session in known bad condition. Block events
+             * from being set. */
+            p->flags |= PKT_STREAM_NO_EVENTS;
+        }
+
         /* check if the packet is in right direction, when we missed the
            SYN packet and picked up midstream session. */
         if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK)