Merge in SNORT/snort3 from ~JALIIMRA/snort3:zwp_mismatch to master
Squashed commit of the following:
commit
9888d121ef1596f5c26466f0510f36480566d56b
Author: Juweria Ali Imran <jaliimra@cisco.com>
Date: Thu Jan 15 11:31:30 2026 -0500
stream_tcp: default to overwrite upon zwp mismatch instead of session block
return false;
}
-void TcpNormalizer::session_blocker(
- TcpNormalizerState&, TcpSegmentDescriptor& tsd)
-{
- Packet *p = tsd.get_pkt();
- DetectionEngine::disable_all(p);
- p->active->block_session(p, true);
- p->active->set_drop_reason("stream");
- if (PacketTracer::is_active())
- PacketTracer::log("stream_tcp: TCP normalizer - Zero Window Probe byte data mismatch\n");
-}
-
bool TcpNormalizer::packet_dropper(
TcpNormalizerState& tns, TcpSegmentDescriptor& tsd, NormFlags f)
{
virtual NormStatus apply_normalizations(
State&, TcpSegmentDescriptor&, uint32_t seq, bool stream_is_inorder);
- virtual void session_blocker(State&, TcpSegmentDescriptor&);
virtual bool packet_dropper(State&, TcpSegmentDescriptor&, NormFlags);
virtual bool trim_syn_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
virtual void trim_rst_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
TcpNormalizer::NormStatus apply_normalizations(TcpSegmentDescriptor& tsd, uint32_t seq, bool stream_is_inorder)
{ return norm->apply_normalizations(tns, tsd, seq, stream_is_inorder); }
- void session_blocker(TcpSegmentDescriptor& tsd)
- { norm->session_blocker(tns, tsd); }
-
bool packet_dropper(TcpSegmentDescriptor& tsd, NormFlags nflags)
{ return norm->packet_dropper(tns, tsd, nflags); }
if ( tos.tcp_ips_data == NORM_MODE_ON )
{
unsigned offset = tos.right->start_seq() - tos.tsd->get_seq();
- if ( !offset && zwp_data_mismatch(tos, *tos.tsd, tos.right->length))
- {
- tos.seglist.tracker->normalizer.session_blocker(*tos.tsd);
- tos.keep_segment = false;
- return;
- }
-
tos.tsd->rewrite_payload(offset, tos.right->payload(), tos.right->length);
}
full_right_overlap_truncate_new(tos);
}
-bool TcpOverlapResolver::zwp_data_mismatch(TcpOverlapState& tos, TcpSegmentDescriptor& tsd, uint32_t overlap)
-{
- if ( overlap == MAX_ZERO_WIN_PROBE_LEN
- and tos.right->start_seq() == tos.seglist.tracker->normalizer.get_zwp_seq()
- and (tos.right->data[0] != tsd.get_pkt()->data[0]) )
- {
- return tsd.is_nap_policy_inline();
- }
-
- return false;
-}
-
class TcpOverlapResolverFirst : public TcpOverlapResolver
{
public:
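Review bot: With the mismatch branch removed ahead of `tos.tsd->rewrite_payload(offset, tos.right->payload(), tos.right->length);`, a zero window probe byte that is later resent with different data is now normalized silently. The deleted `session_blocker` was the only place in this change that set a drop reason and wrote a PacketTracer line for the condition. Conflicting data at the same sequence number is a signal analysts want to see, so I would keep the comparison as a detection-only step before the rewrite and log it, e.g. `if (PacketTracer::is_active()) PacketTracer::log("stream_tcp: zero window probe data mismatch, payload overwritten\n");`, or count it in whatever stats this module already keeps. `zwp_data_mismatch` was the only reader of `get_zwp_seq()` visible here, so if no other caller remains, that tracking in the normalizer may now be dead state. The enclosing function begins above this hunk, so the rest of its overlap handling is not visible.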
protected:
virtual bool is_segment_retransmit(TcpOverlapState&, bool*);
virtual void drop_old_segment(TcpOverlapState&);
- virtual bool zwp_data_mismatch(TcpOverlapState&, TcpSegmentDescriptor&, uint32_t);
virtual void left_overlap_keep_first(TcpOverlapState&);
virtual void left_overlap_trim_first(TcpOverlapState&);