From: Davis McPherson -X (davmcphe - XORIANT CORPORATION at Cisco) Date: Thu, 8 Feb 2024 19:09:27 +0000 (+0000) Subject: Pull request #4195: stream_tcp: add alerts for exceeding thresholds for max queued... X-Git-Tag: 3.1.81.0~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ef41ac7254420fb2abda6f29fc4724746d320ab;p=thirdparty%2Fsnort3.git Pull request #4195: stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments Merge in SNORT/snort3 from ~DAVMCPHE/snort3:alert_on_queue_limit_events to master Squashed commit of the following: commit ef3d7c1d48fefc50bef5b28006206968d1b07ee4 Author: davis mcpherson Date: Mon Jan 29 15:08:15 2024 -0500 stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments update snort_reference document to include descriptions of new 129 builtin rules --- diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 84cdfde1e..1417fe629 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -5880,6 +5880,8 @@ Rules: * 129:18 (stream_tcp) data sent on stream after TCP reset received * 129:19 (stream_tcp) TCP window closed before receiving data * 129:20 (stream_tcp) TCP session without 3-way handshake + * 129:21 (stream_tcp) TCP max queued reassembly bytes exceeded threshold + * 129:22 (stream_tcp) TCP max queued reassembly segments exceeded threshold Peg counts: @@ -14586,6 +14588,16 @@ TCP window was closed before receiving data. The TCP 3-way handshake was not seen for this TCP session. +129:21 (stream_tcp) TCP maximum bytes queued limit exceeded + +The maximum bytes allowed to be queued for reassembly for an +endpoint has been exceeded. + +129:22 (stream_tcp) TCP maximum segments queued limit exceeded + +The maximum number of segments allowed to be queued for reassembly +for an endpoint has been exceeded. + 131:1 (dns) obsolete DNS RR types DNS Response Resource Record Type is Obsolete. 
diff --git a/src/stream/tcp/tcp_event_logger.cc b/src/stream/tcp/tcp_event_logger.cc index 57b59d45a..c3de7576d 100644 --- a/src/stream/tcp/tcp_event_logger.cc +++ b/src/stream/tcp/tcp_event_logger.cc @@ -67,8 +67,8 @@ struct tcp_event_sid tcp_event_sids[] = { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT, "BAD_SEGMENT" }, { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, "EXCESSIVE_OVERLAP" }, { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT, "MAX_SMALL_SEGS_EXCEEDED" }, - { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, - { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, + { EVENT_MAX_QUEUED_BYTES_EXCEEDED, STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED, "MAX_QUEUED_BYTES_EXCEEDED" }, + { EVENT_MAX_QUEUED_SEGS_EXCEEDED, STREAM_TCP_MAX_QUEUED_SEGS_EXCEEDED, "MAX_QUEUED_SEGS_EXCEEDED" }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr } }; diff --git a/src/stream/tcp/tcp_event_logger.h b/src/stream/tcp/tcp_event_logger.h index b72a20035..eb346a9af 100644 --- a/src/stream/tcp/tcp_event_logger.h +++ b/src/stream/tcp/tcp_event_logger.h @@ -45,6 +45,8 @@ #define EVENT_BAD_SEGMENT 0x00020000 #define EVENT_EXCESSIVE_OVERLAP 0x00040000 #define EVENT_MAX_SMALL_SEGS_EXCEEDED 0x00080000 +#define EVENT_MAX_QUEUED_BYTES_EXCEEDED 0x00100000 +#define EVENT_MAX_QUEUED_SEGS_EXCEEDED 0x00200000 class TcpEventLogger { diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc index cd461e6cd..93e8fdb0f 100644 --- a/src/stream/tcp/tcp_module.cc +++ b/src/stream/tcp/tcp_module.cc 
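Review bot: The two new rows replace padding entries at what looks like the slot matching the bit index of `EVENT_MAX_QUEUED_BYTES_EXCEEDED` (0x00100000, bit 20) and `EVENT_MAX_QUEUED_SEGS_EXCEEDED` (bit 21), yet nothing in `tcp_event_sids` says its order is significant, so a later insertion in the middle would silently remap every following event to the wrong sid. If the logger does index this array by bit position (the lookup is outside this hunk), a comment at the head of the array, `// index == bit position of the EVENT_* mask; keep in order and padded to STREAM_TCP_MAX_EVENTS`, or a `static_assert` on the array length against `STREAM_TCP_MAX_EVENTS`, would pin that invariant. The remaining `{ 0, 0, nullptr }` rows show the table is fixed-size, which is consistent with positional lookup.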
@@ -161,6 +161,10 @@ THREAD_LOCAL TcpStats tcpStats; "TCP window closed before receiving data" #define STREAM_TCP_NO_3WHS_STR \ "TCP session without 3-way handshake" +#define STREAM_TCP_MAX_QUEUED_BYTES_STR \ + "TCP max queued reassembly bytes exceeded threshold" +#define STREAM_TCP_MAX_QUEUED_SEGS_STR \ + "TCP max queued reassembly segments exceeded threshold" static const Parameter stream_tcp_small_params[] = { @@ -256,6 +260,8 @@ static const RuleMap stream_tcp_rules[] = { STREAM_TCP_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD_STR }, { STREAM_TCP_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM_STR }, { STREAM_TCP_NO_3WHS, STREAM_TCP_NO_3WHS_STR }, + { STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED, STREAM_TCP_MAX_QUEUED_BYTES_STR }, + { STREAM_TCP_MAX_QUEUED_SEGS_EXCEEDED, STREAM_TCP_MAX_QUEUED_SEGS_STR }, { 0, nullptr } }; diff --git a/src/stream/tcp/tcp_module.h b/src/stream/tcp/tcp_module.h index 3332e2b5c..07a6c1a0d 100644 --- a/src/stream/tcp/tcp_module.h +++ b/src/stream/tcp/tcp_module.h @@ -47,6 +47,8 @@ #define STREAM_TCP_DATA_AFTER_RST_RCVD 18 #define STREAM_TCP_WINDOW_SLAM 19 #define STREAM_TCP_NO_3WHS 20 +#define STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED 21 +#define STREAM_TCP_MAX_QUEUED_SEGS_EXCEEDED 22 #define STREAM_TCP_MAX_EVENTS 32 extern const PegInfo tcp_pegs[]; diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index ddd516545..14c427758 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -359,6 +359,7 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd) if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON) { tsd.get_pkt()->active->set_drop_reason("stream"); + tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED); if (PacketTracer::is_active()) PacketTracer::log("Stream: Flow exceeded the configured max byte threshold (%u)\n", tcp_config->max_queued_bytes); } 
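Review bot: The rule messages `STREAM_TCP_MAX_QUEUED_BYTES_STR` / `STREAM_TCP_MAX_QUEUED_SEGS_STR` read "TCP max queued reassembly bytes exceeded threshold", but the per-rule descriptions added to snort_reference.text in this same commit are headed "TCP maximum bytes queued limit exceeded" / "TCP maximum segments queued limit exceeded", so the reference now lists each new rule under two different titles and the detailed heading does not match the alert text an operator will search for. Pick one wording and use it in both the `RuleMap` strings and the doc headings; the summary list in the doc already uses the macro text, so changing the two headings is the smaller edit. It would also help operators to state in the doc entry which configured values trip the alert, which appear from the trace messages to be `max_queued_bytes` and `max_queued_segs`, since the alert itself carries no number.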
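Review bot: `tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED)` is placed inside the `inline_mode || get_trim_win() == NORM_MODE_ON` branch, so a passive (IDS) sensor that is not trimming will never raise 129:21 even though the reference text added by this commit says the alert fires when the maximum queued bytes is exceeded. A flow being used to exhaust reassembly memory is exactly what a passive deployment wants to see, so unless the passive path is handled elsewhere in this function (its body starts and continues outside the hunk), hoist the call above the `if` so the event is raised whenever the threshold check trips and only the drop reason stays mode-dependent, i.e. `tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED);` immediately before `if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)`. If the narrower behaviour is intended, the doc entry should say the rule fires only when the excess segment is trimmed or dropped.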
@@ -394,6 +395,7 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
 if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
 {
 tsd.get_pkt()->active->set_drop_reason("stream");
+ tel.set_tcp_event(EVENT_MAX_QUEUED_SEGS_EXCEEDED);
 if (PacketTracer::is_active())
 PacketTracer::log("Stream: Flow exceeded the configured max segment threshold (%u)\n", tcp_config->max_queued_segs);
 }
@@ -502,6 +504,7 @@ int TcpSession::process_tcp_data(TcpSegmentDescriptor& tsd)
 listener->normalizer.trim_win_payload(tsd, 0, tsd.is_nap_policy_inline());
 return STREAM_UNALIGNED;
 }
+
 if( listener->get_iss() )
 {
 tcpStats.zero_win_probes++;
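Review bot: The 129:22 event set at `tel.set_tcp_event(EVENT_MAX_QUEUED_SEGS_EXCEEDED)` is tied to the drop/trim decision on the line above it rather than to the threshold comparison, and nothing at the call site says so; a reader comparing against the rule text "exceeded threshold" will assume every exceedance alerts. A one-line comment above the call, `// alert only when the excess segment is also trimmed/dropped (inline or trim_win on)`, records the actual contract. The threshold comparison and the passive path are outside this hunk, so confirm the wording against them; the same comment applies to the byte-threshold branch earlier in this function.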