stream: add liberal timetamps option

Linux is slightly more permissive wrt timestamps than many
other OS'. To avoid many events/issues with linux hosts, add an
option to allow for this slightly more permissive behavior.

Ideally the host-os config would be used, but in practice this
setting is rarely set up correctly, if at all.

This option is enabled by default.

src/stream-tcp.c

@@ -656,6 +656,15 @@ void StreamTcpInitConfig(bool quiet)
     if (!quiet)
         SCLogConfig("stream.reassembly.raw: %s", enable_raw ? "enabled" : "disabled");
 
+    /* default to true. Not many ppl (correctly) set up host-os policies, so be permissive. */
+    stream_config.liberal_timestamps = true;
+    int liberal_timestamps = 0;
+    if (ConfGetBool("stream.liberal-timestamps", &liberal_timestamps) == 1) {
+        stream_config.liberal_timestamps = liberal_timestamps;
+    }
+    if (!quiet)
+        SCLogConfig("stream.liberal-timestamps: %s", liberal_timestamps ? "enabled" : "disabled");
+
     /* init the memcap/use tracking */
     StreamTcpInitMemuse();
     StatsRegisterGlobalCounter("tcp.memuse", StreamTcpMemuseCounter);
@@ -5997,7 +6006,7 @@ static int StreamTcpValidateTimestamp (TcpSession *ssn, Packet *p)
 
             SCLogDebug("ts %"PRIu32", last_ts %"PRIu32"", ts, last_ts);
 
-            if (receiver_stream->os_policy == OS_POLICY_LINUX) {
+            if (receiver_stream->os_policy == OS_POLICY_LINUX || stream_config.liberal_timestamps) {
                 /* Linux accepts TS which are off by one.*/
                 result = (int32_t) ((ts - last_ts) + 1);
             } else {
@@ -6139,7 +6148,7 @@ static int StreamTcpHandleTimestamp (TcpSession *ssn, Packet *p)
 
             SCLogDebug("ts %"PRIu32", last_ts %"PRIu32"", ts, sender_stream->last_ts);
 
-            if (receiver_stream->os_policy == OS_POLICY_LINUX) {
+            if (receiver_stream->os_policy == OS_POLICY_LINUX || stream_config.liberal_timestamps) {
                 /* Linux accepts TS which are off by one.*/
                 result = (int32_t) ((ts - sender_stream->last_ts) + 1);
             } else {

src/stream-tcp.h

@@ -70,6 +70,9 @@ typedef struct TcpStreamCnf_ {
     enum ExceptionPolicy reassembly_memcap_policy;
     enum ExceptionPolicy midstream_policy;
 
+    /* default to "LINUX" timestamp behavior if true*/
+    bool liberal_timestamps;
+
     StreamingBufferConfig sbcnf;
 } TcpStreamCnf;
 

suricata.yaml.in

@@ -1499,6 +1499,8 @@ flow-timeouts:
 #   bypass: no                  # Bypass packets when stream.reassembly.depth is reached.
 #                               # Warning: first side to reach this triggers
 #                               # the bypass.
+#   liberal-timestamps: false   # Treat all timestamps as if the Linux policy applies. This
+#                               # means it's slightly more permissive. Enabled by default.
 #
 #   reassembly:
 #     memcap: 256mb             # Can be specified in kb, mb, gb.  Just a number