From 71a0084b70212355b460ab1afb4e0dfdb99373f8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 1 Aug 2023 07:48:04 +0200
Subject: [PATCH] stream: add stream.rst_with_data event for RST with data

(cherry picked from commit 9ba55b8a282eca795c21ff53dd54937492bb8cf1)
---
 src/decode-events.c | 4 ++++
 src/decode-events.h | 1 +
 src/stream-tcp.c | 15 +++++++++++++++
 3 files changed, 20 insertions(+)

diff --git a/src/decode-events.c b/src/decode-events.c
index 4e91ba092e..be0b2fa13d 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -783,6 +783,10 @@ const struct DecodeEvents_ DEvents[] = {
 "stream.rst_invalid_ack",
 STREAM_RST_INVALID_ACK,
 },
+ {
+ "stream.rst_with_data",
+ STREAM_RST_WITH_DATA,
+ },
 {
 "stream.pkt_retransmission",
 STREAM_PKT_RETRANSMISSION,
diff --git a/src/decode-events.h b/src/decode-events.h
index 1d582769b1..42634dad8b 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -269,6 +269,7 @@ enum {
 STREAM_PKT_INVALID_ACK,
 STREAM_PKT_BROKEN_ACK,
 STREAM_RST_INVALID_ACK,
+ STREAM_RST_WITH_DATA,
 STREAM_PKT_RETRANSMISSION,
 STREAM_PKT_BAD_WINDOW_UPDATE,
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index cad45ea7f0..ba87496646 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -5603,6 +5603,21 @@ static int StreamTcpValidateRst(TcpSession *ssn, Packet *p)
 }
 }
+ /* RST with data, it's complicated:
+
+ 4.2.2.12 RST Segment: RFC-793 Section 3.4
+
+ A TCP SHOULD allow a received RST segment to include data.
+
+ DISCUSSION
+ It has been suggested that a RST segment could contain
+ ASCII text that encoded and explained the cause of the
+ RST. No standard has yet been established for such
+ data.
+ */
+ if (p->payload_len)
+ StreamTcpSetEvent(p, STREAM_RST_WITH_DATA);
+
 /* Set up the os_policy to be used in validating the RST packets based on target system */
 if (PKT_IS_TOSERVER(p)) {
--
2.47.2
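Review bot: The name `stream.rst_with_data` is registered in the DEvents table in src/decode-events.c, but the diffstat lists only the three `src/` files, so this patch appears to ship no rule and no documentation entry for the new event. An event that no rule matches on is set on the packet and then never surfaces to an analyst. A companion rule using `stream-event:rst_with_data` in the stream events ruleset, with a sid from the project's allocated range (placeholder `<SID>`), would make the event usable out of the box. If that rule lands in a separate commit, saying so in the commit message would help anyone reviewing this backport.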
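Review bot: In the src/stream-tcp.c hunk the event is raised before the os_policy validation that follows in StreamTcpValidateRst, so `stream.rst_with_data` fires for every RST carrying payload, including ones the later checks may go on to reject (the rest of the function is outside the hunk, so this is inferred from the placement). That is reasonable for an anomaly event, but the comment should say so, for example `/* set for any RST with payload, whether or not the RST is accepted below */`, so rule writers do not read an alert as "an accepted RST had data". The quoted text is from RFC 1122 section 4.2.2.12, which itself cites RFC 793 section 3.4; naming RFC 1122 in the comment would make the reference findable. The hunk also does not show whether the RST payload is kept out of reassembly, which is the detail an evasion review would want documented next to this check.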