From: Victor Julien Date: Wed, 22 Feb 2023 14:17:53 +0000 (+0100) Subject: stream: add liberal timetamps option X-Git-Tag: suricata-7.0.0-rc2~555 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01b7ccc224f573ca2106731b07ea845b27f89661;p=thirdparty%2Fsuricata.git stream: add liberal timetamps option Linux is slightly more permissive wrt timestamps than many other OS'. To avoid many events/issues with linux hosts, add an option to allow for this slightly more permissive behavior. Ideally the host-os config would be used, but in practice this setting is rarely set up correctly, if at all. This option is enabled by default.
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index d136367421..d0e4942513 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -656,6 +656,15 @@ void StreamTcpInitConfig(bool quiet)
 if (!quiet)
 SCLogConfig("stream.reassembly.raw: %s", enable_raw ? "enabled" : "disabled");
+ /* default to true. Not many ppl (correctly) set up host-os policies, so be permissive. */
+ stream_config.liberal_timestamps = true;
+ int liberal_timestamps = 0;
+ if (ConfGetBool("stream.liberal-timestamps", &liberal_timestamps) == 1) {
+ stream_config.liberal_timestamps = liberal_timestamps;
+ }
+ if (!quiet)
+ SCLogConfig("stream.liberal-timestamps: %s", liberal_timestamps ? "enabled" : "disabled");
+
 /* init the memcap/use tracking */
 StreamTcpInitMemuse();
 StatsRegisterGlobalCounter("tcp.memuse", StreamTcpMemuseCounter);
@@ -5997,7 +6006,7 @@ static int StreamTcpValidateTimestamp (TcpSession *ssn, Packet *p)
 SCLogDebug("ts %"PRIu32", last_ts %"PRIu32"", ts, last_ts);
- if (receiver_stream->os_policy == OS_POLICY_LINUX) {
+ if (receiver_stream->os_policy == OS_POLICY_LINUX || stream_config.liberal_timestamps) {
 /* Linux accepts TS which are off by one.*/
 result = (int32_t) ((ts - last_ts) + 1);
 } else {
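Review bot: The `SCLogConfig` call added in StreamTcpInitConfig prints the local `liberal_timestamps`, which is still 0 when `stream.liberal-timestamps` is absent from the configuration, so the default (enabled) case is logged as "disabled". Log the effective value instead: `SCLogConfig("stream.liberal-timestamps: %s", stream_config.liberal_timestamps ? "enabled" : "disabled");`. Because this setting relaxes timestamp validation, an operator auditing the startup log should see what is actually in force. StreamTcpInitConfig's body starts and ends outside the hunk.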
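Review bot: With `stream_config.liberal_timestamps` defaulting to true, the new condition in StreamTcpValidateTimestamp (and the identical one in the StreamTcpHandleTimestamp hunk) takes the off-by-one branch for every flow, including receivers whose `os_policy` was explicitly set to something other than Linux. From the visible lines an explicit host-os policy appears to be overridden rather than used as a fallback, so Suricata may accept a timestamp that the monitored endpoint would reject, and its view of the stream can then differ from the endpoint's. If that trade-off is intended, the in-code comment should say so, e.g. `/* Linux, or stream.liberal-timestamps set: accept TS which are off by one. */`; otherwise consider applying the liberal path only where no host-os policy was configured, if that case can be told apart here. Both functions start and end outside their hunks.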
@@ -6139,7 +6148,7 @@ static int StreamTcpHandleTimestamp (TcpSession *ssn, Packet *p)
 SCLogDebug("ts %"PRIu32", last_ts %"PRIu32"", ts, sender_stream->last_ts);
- if (receiver_stream->os_policy == OS_POLICY_LINUX) {
+ if (receiver_stream->os_policy == OS_POLICY_LINUX || stream_config.liberal_timestamps) {
 /* Linux accepts TS which are off by one.*/
 result = (int32_t) ((ts - sender_stream->last_ts) + 1);
 } else {
diff --git a/src/stream-tcp.h b/src/stream-tcp.h
index 315c4b142f..33538bf102 100644
--- a/src/stream-tcp.h
+++ b/src/stream-tcp.h
@@ -70,6 +70,9 @@ typedef struct TcpStreamCnf_ {
 enum ExceptionPolicy reassembly_memcap_policy;
 enum ExceptionPolicy midstream_policy;
+ /* default to "LINUX" timestamp behavior if true*/
+ bool liberal_timestamps;
+
 StreamingBufferConfig sbcnf;
 } TcpStreamCnf;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 9b139ea087..34126d7355 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1499,6 +1499,8 @@ flow-timeouts:
 # bypass: no # Bypass packets when stream.reassembly.depth is reached.
 # # Warning: first side to reach this triggers
 # # the bypass.
+# liberal-timestamps: false # Treat all timestamps as if the Linux policy applies. This
+# # means it's slightly more permissive. Enabled by default.
 #
 # reassembly:
 # memcap: 256mb # Can be specified in kb, mb, gb. Just a number
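Review bot: The comment on the new `liberal_timestamps` field says "default to", which reads as a fallback used only when no policy is known, whereas the checks added in stream-tcp.c OR the flag with the `os_policy` test and so apply it to every stream. A comment that matches the code would be `/* if true, use the Linux (off-by-one tolerant) timestamp check for all streams, regardless of os_policy */`. The struct starts outside the hunk.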
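Review bot: The commented sample shows `liberal-timestamps: false` next to a description of what the enabled state does, followed by "Enabled by default", so it is easy to misread which value is the default and what `false` selects. Since `false` is the stricter setting, the text should say so explicitly, for example `# liberal-timestamps: true # Accept timestamps that are off by one for all hosts (Linux behavior).` followed by `# # Enabled by default; set to false to validate according to the host-os policy.`.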