git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Thu, 10 May 2018 15:23:05 +0000 (17:23 +0200)
committer	Victor Julien <victor@inliniac.net>
	Mon, 16 Jul 2018 11:30:50 +0000 (13:30 +0200)
commit	23e93b126466f118965c1ba82a1fb80ee0ebef10
tree	53105b833c5b04d5a0f497a62e06c2dbf0b7feee	tree
parent	f4d5af76a8e27b7914f1c1df210c722d7f826707	commit \| diff

stream: support RST getting lost/ignored

In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in it's name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continueing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin

rules/stream-events.rules		diff \| blob \| blame \| history
src/decode-events.c		diff \| blob \| blame \| history
src/decode-events.h		diff \| blob \| blame \| history
src/stream-tcp-private.h		diff \| blob \| blame \| history
src/stream-tcp.c		diff \| blob \| blame \| history