From: Victor Julien Date: Fri, 2 Nov 2018 16:27:59 +0000 (+0100) Subject: stream: no more stream events after known issue X-Git-Tag: suricata-5.0.0-beta1~215 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a3cb32071adf68276ea612a376889442dc8c6e7;p=thirdparty%2Fsuricata.git stream: no more stream events after known issue No longer set stream events after a gap or wrong thread. We know we lost sync and are now in 'lets make the best of it'-mode. No point in flooding the system with stream events. Ticket #2484
---
diff --git a/src/decode.h b/src/decode.h
index 675d141ab1..d4d4595cc8 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1131,6 +1131,9 @@ void DecodeUnregisterCounters(void);
 #define PKT_PSEUDO_DETECTLOG_FLUSH (1<<27) /**< Detect/log flush for protocol upgrade */
+/** Packet is part of stream in known bad condition (loss, wrong thread),
+ * so flag it for not setting stream events */
+#define PKT_STREAM_NO_EVENTS (1<<28)
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index 0a338e7ded..899dafa5dd 100644
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -243,9 +243,15 @@ enum
 } while(0); \
 }
-#define StreamTcpSetEvent(p, e) { \
- SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")", (e), p, (p)->pcap_cnt); \
- ENGINE_SET_EVENT((p), (e)); \
+#define StreamTcpSetEvent(p, e) { \
+ if ((p)->flags & PKT_STREAM_NO_EVENTS) { \
+ SCLogDebug("not setting event %"PRIu8" on pkt %p (%"PRIu64"), " \
+ "stream in known bad condition", (e), p, (p)->pcap_cnt); \
+ } else { \
+ SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")", \
+ (e), p, (p)->pcap_cnt); \
+ ENGINE_SET_EVENT((p), (e)); \
+ } \
 }
 typedef struct TcpSession_ {
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 0be74760a9..3f389900bd 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
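Review bot: In src/stream-tcp-private.h the rewritten StreamTcpSetEvent still expands to a bare `{ ... }` block, which now holds an if/else, and it passes `p` unparenthesized in both SCLogDebug argument lists while using `(p)` everywhere else. A brace-block macro followed by `;` does not compile as the body of an unbraced `if` that has an `else`, and an expression argument for `p` would be mis-grouped, so the macro is safer as `#define StreamTcpSetEvent(p, e) do { \` ... `} while (0)` with `(e), (p), (p)->pcap_cnt` in the log calls. The call sites are not visible in this hunk, so confirm each one ends in a semicolon before switching the form. A short comment above the macro stating that events are dropped when PKT_STREAM_NO_EVENTS is set would also help readers who only see the call sites.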
@@ -4765,6 +4765,15 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 goto skip;
 }
+ if (p->flow->flags & FLOW_WRONG_THREAD ||
+ ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP ||
+ ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP)
+ {
+ /* Stream and/or session in known bad condition. Block events
+ * from being set. */
+ p->flags |= PKT_STREAM_NO_EVENTS;
+ }
+
 /* check if the packet is in right direction, when we missed the SYN packet and picked up midstream session. */
 if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK)
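Review bot: In StreamTcpPacket the new test sets PKT_STREAM_NO_EVENTS when either `ssn->client` or `ssn->server` carries STREAMTCP_STREAM_FLAG_GAP, so a gap on one side turns off stream events for packets in both directions, and the hunk records nothing when suppression begins. If the GAP and wrong-thread flags are never cleared (not visible here), every later stream anomaly on the flow goes unreported, with only the SCLogDebug line in StreamTcpSetEvent as evidence. Consider bumping a stats counter inside this block, or confirming that a gap or wrong-thread event has already been raised once for the flow, so operators and rule writers can tell "no events" from "events suppressed". Parenthesizing each mask test would also make the condition easier to read: `if ((p->flow->flags & FLOW_WRONG_THREAD) ||`. The function body starts and ends outside this hunk.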