stream: add stream.rst_with_data event for RST with data
authorVictor Julien <vjulien@oisf.net>
Tue, 1 Aug 2023 05:48:04 +0000 (07:48 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 4 Aug 2023 15:02:44 +0000 (17:02 +0200)
(cherry picked from commit 9ba55b8a282eca795c21ff53dd54937492bb8cf1)

src/decode-events.c
src/decode-events.h
src/stream-tcp.c

index 4e91ba092e55efed08ddc2b22bf14a8206d9a308..be0b2fa13d643a3ebfd04c87b49c85f88578ea0c 100644 (file)
@@ -783,6 +783,10 @@ const struct DecodeEvents_ DEvents[] = {
             "stream.rst_invalid_ack",
             STREAM_RST_INVALID_ACK,
     },
+    {
+            "stream.rst_with_data",
+            STREAM_RST_WITH_DATA,
+    },
     {
             "stream.pkt_retransmission",
             STREAM_PKT_RETRANSMISSION,
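Review bot: Registering `stream.rst_with_data` in DEvents only makes the event matchable by name, and the file list of this commit shows three source files with no rule or documentation change, so unless a companion commit supplies one the event will not produce an alert on its own. A matching entry in the shipped stream event rules would close that gap, along the lines of `alert tcp any any -> any any (msg:"SURICATA STREAM RST with data"; stream-event:rst_with_data; classtype:protocol-command-decode; sid:<SID_PLACEHOLDER>; rev:1;)`.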
index 1d582769b1691cbe8628ebafa651ff15acbed423..42634dad8beee479d5d1c362c822313b2c637a29 100644 (file)
@@ -269,6 +269,7 @@ enum {
     STREAM_PKT_INVALID_ACK,
     STREAM_PKT_BROKEN_ACK,
     STREAM_RST_INVALID_ACK,
+    STREAM_RST_WITH_DATA,
     STREAM_PKT_RETRANSMISSION,
     STREAM_PKT_BAD_WINDOW_UPDATE,
 
index cad45ea7f0883b4f13c8ceba692e299ed340c6d9..ba87496646ebe3b2d7f2ad456e519eacb6c01612 100644 (file)
@@ -5603,6 +5603,21 @@ static int StreamTcpValidateRst(TcpSession *ssn, Packet *p)
         }
     }
 
+    /* RST with data, it's complicated:
+
+         4.2.2.12  RST Segment: RFC-793 Section 3.4
+
+            A TCP SHOULD allow a received RST segment to include data.
+
+            DISCUSSION
+                 It has been suggested that a RST segment could contain
+                 ASCII text that encoded and explained the cause of the
+                 RST.  No standard has yet been established for such
+                 data.
+    */
+    if (p->payload_len)
+        StreamTcpSetEvent(p, STREAM_RST_WITH_DATA);
+
     /* Set up the os_policy to be used in validating the RST packets based on
        target system */
     if (PKT_IS_TOSERVER(p)) {
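Review bot: The comment above `if (p->payload_len)` quotes RFC 1122 section 4.2.2.12 without naming it, so the only reference a reader sees is the embedded "RFC-793 Section 3.4" heading; it should open with `/* RST with data, see RFC 1122 section 4.2.2.12:`. The event is set before the os_policy based checks that follow in StreamTcpValidateRst, so it appears to fire for any RST carrying payload whether or not that RST is then accepted, which deserves one line for rule writers, e.g. `/* set before validation: flags any RST with payload, accepted or not */`. As a style point, brace the single-statement `if`: `if (p->payload_len) { StreamTcpSetEvent(p, STREAM_RST_WITH_DATA); }`. The function starts and ends outside this hunk, so any earlier return that would skip the new check is not visible here.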