From ddfa5c49c6c7559e6f02ee463e90d884ea11cce8 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 1 Dec 2011 11:55:07 +0100 Subject: [PATCH] Stream engine: gap handling Set a stream event for stream gaps. Add a (disabled by default) signature to the stream-event.rules. --- rules/stream-events.rules | 2 ++ src/decode-events.h | 2 ++ src/detect-engine-event.h | 1 + src/stream-tcp-reassemble.c | 2 ++ 4 files changed, 7 insertions(+) diff --git a/rules/stream-events.rules b/rules/stream-events.rules index e8b1585d26..250506aecc 100644 --- a/rules/stream-events.rules +++ b/rules/stream-events.rules @@ -50,4 +50,6 @@ alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; sid:2210045; rev:1;) alert tcp any any -> any any (msg:"SURICATA STREAM RST invalid ack"; stream-event:rst_invalid_ack; sid:2210046; rev:1;) alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq"; stream-event:reassembly_segment_before_base_seq; sid:2210047; rev:1;) +# Sequence gap: missing data in the reassembly engine. Usually due to packet loss. Will be very noisy on a overloaded link / sensor. +#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048; rev:1;) diff --git a/src/decode-events.h b/src/decode-events.h index 256c78d5b3..b820bb0b65 100644 --- a/src/decode-events.h +++ b/src/decode-events.h @@ -177,6 +177,8 @@ enum { STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, STREAM_REASSEMBLY_NO_SEGMENT, + STREAM_REASSEMBLY_SEQ_GAP, + /* SCTP EVENTS */ SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */ diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h index 70dd43d592..f6f3e77f45 100644 --- a/src/detect-engine-event.h +++ b/src/detect-engine-event.h 
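Review bot: The new sid 2210048 is shipped commented out with a warning that it will be noisy, but the comment gives operators nothing to measure before deciding to enable it; the same code path in stream-tcp-reassemble.c already increments the reassembly gap perf counter (`counter_tcp_reass_gap`), so pointing at that counter lets them check the gap rate on their link first. The comment line also reads `on a overloaded link / sensor`. A suggested wording: `# Sequence gap: missing data in the reassembly engine. Usually due to packet loss. Will be very noisy on an overloaded link / sensor; check the reassembly gap counter before enabling.`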
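Review bot: STREAM_REASSEMBLY_SEQ_GAP is added without the `/**< ... */` description that other members of this enum carry (SCTP_PKT_TOO_SMALL two lines below has one); since the constant names an event that rules can match on, a one-line statement of when it fires belongs here: `STREAM_REASSEMBLY_SEQ_GAP,      /**< reassembly hit a sequence gap (missing segment data) */`. Inserting it ahead of the SCTP block also renumbers every constant that follows; that looks harmless if event codes are never persisted or compared numerically across builds, but it is worth confirming for anything that stores the raw code. The enum starts before this hunk.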
@@ -163,6 +163,7 @@ struct DetectEngineEvents_ {
 { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
 { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
 { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
+ { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
 { NULL, 0 },
 };
 #endif /* DETECT_EVENTS */
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 86f4420976..a151b2e5df 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -1985,6 +1985,7 @@ static int StreamTcpReassembleInlineAppLayer (ThreadVars *tv,
 /* flag reassembly as started, so the to_client part can start */
 ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED;
+ StreamTcpSetEvent(p, STREAM_REASSEMBLY_SEQ_GAP);
 SCPerfCounterIncr(ra_ctx->counter_tcp_reass_gap, tv->sc_perf_pca);
 #ifdef DEBUG
 dbg_app_layer_gap++;
@@ -2680,6 +2681,7 @@ static int StreamTcpReassembleAppLayer (ThreadVars *tv,
 /* flag reassembly as started, so the to_client part can start */
 ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED;
+ StreamTcpSetEvent(p, STREAM_REASSEMBLY_SEQ_GAP);
 SCPerfCounterIncr(ra_ctx->counter_tcp_reass_gap, tv->sc_perf_pca);
 #ifdef DEBUG
 dbg_app_layer_gap++;
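Review bot: The event is set on `p`, the packet that happens to drive reassembly when the gap is noticed, which is not necessarily a packet from the side whose data is missing (reassembly of the to-server stream can presumably be triggered by a packet in either direction); the `any any -> any any` rule still fires, but the packet the alert is logged against may point in a misleading direction, so a comment above the call stating that the event describes the stream rather than the packet would help: `/* gap is a per-stream condition; p is only the packet that triggered reassembly */`. Both hunks (StreamTcpReassembleInlineAppLayer and StreamTcpReassembleAppLayer) sit in the to-server branch, judging by the STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED line above each insertion; if a symmetric to-client gap branch increments the same counter elsewhere in this file, it presumably needs the same StreamTcpSetEvent call, otherwise server-to-client gaps never produce this event. Both enclosing functions start and end outside the hunks.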