git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Thu, 9 Feb 2023 16:11:21 +0000 (17:11 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Thu, 16 Feb 2023 16:18:36 +0000 (17:18 +0100)
commit	7bfee147ef6caefe0dd4444a088f451188108e0a
tree	929a3cd8f9d126fc39072f11d70c0098c55baaae	tree
parent	449ed7554708977ddfa7cf60f7328c102c050593	commit \| diff

stream: SYN queue support

Support case where there are multiple SYN retransmits, where
each has a new timestamp.

Before this patch, Suricata would only accept a SYN/ACK that
matches the last timestamp. However, observed behavior is that
the server may choose to only respond to the first. In IPS mode
this could lead to a connection timing out as Suricata drops
the SYN/ACK it considers wrong, and the server continues to
retransmit it.

This patch reuses the SYN/ACK queuing logic to keep a list
of SYN packets and their window, timestamp, wscale and sackok
settings. Then when the SYN/ACK arrives, it is first evaluated
against the normal session state. But if it fails due to a
timestamp mismatch, it will look for queued SYN's and see if
any of them match the timestamp. If one does, the ssn is updated
to use that SYN and the SYN/ACK is accepted.

Bug: #5856.

rules/stream-events.rules		diff \| blob \| blame \| history
src/decode-events.c		diff \| blob \| blame \| history
src/decode-events.h		diff \| blob \| blame \| history
src/stream-tcp-private.h		diff \| blob \| blame \| history
src/stream-tcp.c		diff \| blob \| blame \| history