git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Thu, 2 Feb 2023 13:45:30 +0000 (14:45 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Tue, 7 Feb 2023 15:46:08 +0000 (16:46 +0100)
commit	68bd193868366e197d29b5b28e6e4a10a0354c58
tree	b59548a8375d717ac440fa24b7886cf0ba411ff7	tree
parent	d13bb7f5a7e02e51e7628ae92bb4f4e8be12db69	commit \| diff

stream/tcp: allow tcp session reuse on null sessions

When a "stream starter" packet finds an existing TCP flow, the flow will be
evaluated for reuse.

The following scenario wasn't handled well:

1. Suricata starts after a tool has just stopped using lots of connections
   (e.g. ab stress testing a webserver)
2. even though the client is closed already, the server is still doing
   connection cleanup sending many FINs and later RSTs
3. Suricata creates flows for these packets, but no TCP sessions
4. client resumes testing, creating flows that have the same 5 tuple as the
   flows created for the FIN/RST packets
5. Suricata refuses to "reuse" the flows as the condition "tcp flow w/o session"
   is not considered valid for session reuse
6. new TCP connection is not properly tracked and evaluated in parsing and
   detection

There may be other vectors into this, like a flow w/o session because of
memcap issues.

Bug: #5843.
(cherry picked from commit 93c9594dd8158a9d8fa76fdbc7c02e82da2b0ed2)