stream: improve TCP flags handling

13 years ago · c44f4c13fc
parent 09e709d1c5
commit c44f4c13fc
4 changed files with 1791 additions and 1948 deletions
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@ -50,8 +50,11 @@ alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq";
 alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT invalid ack"; stream-event:timewait_invalid_ack; sid:2210043; rev:1;)
 alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp"; stream-event:pkt_invalid_timestamp; sid:2210044; rev:1;)
 alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; sid:2210045; rev:1;)
-alert tcp any any -> any any (msg:"SURICATA STREAM RST invalid ack"; stream-event:rst_invalid_ack; sid:2210046; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM SHUTDOWN RST invalid ack"; stream-event:rst_invalid_ack; sid:2210046; rev:1;)
+# SYN (re)send during shutdown (closing, closewait, finwait1, finwait2, lastack, timewait states)
+#alert tcp any any -> any any (msg:"SURICATA STREAM SYN resend"; stream-event:shutdown_syn_resend; sid:2210049; rev:1;)
 #alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq"; stream-event:reassembly_segment_before_base_seq; sid:2210047; rev:1;)
 # Sequence gap: missing data in the reassembly engine. Usually due to packet loss. Will be very noisy on a overloaded link / sensor.
 #alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048; rev:1;)
+# next sid 2210050

--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -173,6 +173,7 @@ enum {
    STREAM_RST_BUT_NO_SESSION,
    STREAM_TIMEWAIT_ACK_WRONG_SEQ,
    STREAM_TIMEWAIT_INVALID_ACK,
+    STREAM_SHUTDOWN_SYN_RESEND,
    STREAM_PKT_INVALID_TIMESTAMP,
    STREAM_PKT_INVALID_ACK,
    STREAM_RST_INVALID_ACK,
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@ -163,6 +163,7 @@ struct DetectEngineEvents_ {
    { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, },
    { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, },
    { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
+    { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
    { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
    { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
    { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c