From: Victor Julien
Date: Thu, 2 Mar 2023 10:51:37 +0000 (+0100)
Subject: stream: flag zero window probe packets
X-Git-Tag: suricata-7.0.0-rc2~482
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=277751051bd1ec7271aa3f843bed39f0d946b54c;p=thirdparty%2Fsuricata.git

stream: flag zero window probe packets
---
diff --git a/src/output-eve-stream.c b/src/output-eve-stream.c
index 0d0d134a06..56ce0b5762 100644
--- a/src/output-eve-stream.c
+++ b/src/output-eve-stream.c
@@ -353,6 +353,8 @@ static int EveStreamLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 jb_append_string(js, "ack_unseen_data");
 if (p->tcpvars.stream_pkt_flags & STREAM_PKT_FLAG_TCP_PORT_REUSE)
 jb_append_string(js, "tcp_port_reuse");
+ if (p->tcpvars.stream_pkt_flags & STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE)
+ jb_append_string(js, "zero_window_probe");
 jb_close(js);
 }
 jb_close(js);
diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index d1a33989ba..1b40022a28 100644
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -314,6 +314,7 @@ typedef struct TcpSession_ {
 #define STREAM_PKT_FLAG_DSACK BIT_U16(8)
 #define STREAM_PKT_FLAG_ACK_UNSEEN_DATA BIT_U16(9)
 #define STREAM_PKT_FLAG_TCP_PORT_REUSE BIT_U16(10)
+#define STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE BIT_U16(11)
 #define STREAM_PKT_FLAG_SET(p, f) (p)->tcpvars.stream_pkt_flags |= (f)
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index a7503501dc..20b92e7845 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -2615,6 +2615,7 @@ static int HandleEstablishedPacketToServer(
 if (p->payload_len == 1 && TCP_GET_SEQ(p) == ssn->client.next_seq && ssn->client.window == 0) {
 SCLogDebug("ssn %p: zero window probe", ssn);
 zerowindowprobe = 1;
+ STREAM_PKT_FLAG_SET(p, STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE);
 } else if (SEQ_GEQ(TCP_GET_SEQ(p) + p->payload_len, ssn->client.next_seq)) {
 StreamTcpUpdateNextSeq(ssn, &ssn->client, (TCP_GET_SEQ(p) + p->payload_len));
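Review bot: The new `STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE` define in stream-tcp-private.h says nothing about when it is set, which is exactly what someone chasing the EVE `zero_window_probe` string will come here to learn; a one-line comment on the define would close that gap: `/* 1-byte segment at next_seq while the tracked window is 0 (zero window probe) */`. It is also worth making the bit budget visible: if `stream_pkt_flags` is a 16-bit field as `BIT_U16` suggests, this flag takes bit 11 and leaves only bits 12–15 for future packet flags, so a short comment on the field (or a static assertion that the highest flag fits) would stop the next addition from silently overflowing. Whether these defines sit inside or after the `TcpSession_` struct named in the hunk header is not visible here.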
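Review bot: The probe predicate `p->payload_len == 1 && TCP_GET_SEQ(p) == ssn->client.next_seq && ssn->client.window == 0` and the new flag set in HandleEstablishedPacketToServer are now duplicated verbatim in HandleEstablishedPacketToClient with `ssn->server`, so a later tweak to one copy (say, accepting a zero-length probe) would silently desynchronise the EVE flag between the two directions. Factoring the test into one helper keeps both callers, the local `zerowindowprobe` and the flag in step, and documents the one-byte assumption in a single place. Assuming `TcpStream` is the type of `ssn->client` and `ssn->server`, the helper below is a drop-in for both sites. HandleEstablishedPacketToServer starts and ends outside the hunk.
```c
/* Zero window probe as modelled here: exactly one byte of data at next_seq
 * while the tracked window for this stream is closed (0). Zero-length probes
 * are not recognised by this test. */
static inline bool StreamTcpIsZeroWindowProbe(const Packet *p, const TcpStream *stream)
{
    return p->payload_len == 1 && TCP_GET_SEQ(p) == stream->next_seq && stream->window == 0;
}

/* … unchanged: start of HandleEstablishedPacketToServer … */
        if (StreamTcpIsZeroWindowProbe(p, &ssn->client)) {
            SCLogDebug("ssn %p: zero window probe", ssn);
            zerowindowprobe = 1;
            STREAM_PKT_FLAG_SET(p, STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE);
        } else if (SEQ_GEQ(TCP_GET_SEQ(p) + p->payload_len, ssn->client.next_seq)) {
/* … unchanged: next_seq update and rest of the function … */
```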
@@ -2755,6 +2756,7 @@ static int HandleEstablishedPacketToClient(
 if (p->payload_len == 1 && TCP_GET_SEQ(p) == ssn->server.next_seq && ssn->server.window == 0) {
 SCLogDebug("ssn %p: zero window probe", ssn);
 zerowindowprobe = 1;
+ STREAM_PKT_FLAG_SET(p, STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE);
 } else if (SEQ_GEQ(TCP_GET_SEQ(p) + p->payload_len, ssn->server.next_seq)) {
 StreamTcpUpdateNextSeq(ssn, &ssn->server, (TCP_GET_SEQ(p) + p->payload_len));
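Review bot: The flag is set only here and in the to-server counterpart, so a probe arriving while the session is handled by a different state path in stream-tcp.c would not be reported as `zero_window_probe` even if that path recognises it; whether such a path exists is not visible in this hunk, so the EVE flag should not be read as exhaustive until that is confirmed. The detection also requires `payload_len == 1`, and some peer stacks are said to probe with a zero-length segment at `next_seq - 1`, which this branch would never flag — a comment next to the condition, `/* only 1-byte probes are recognised; zero-length window probes fall through */`, would save the next reader from assuming otherwise. HandleEstablishedPacketToClient starts and ends outside the hunk.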