aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Stream engine: gap handling

Browse Source 
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
remotes/origin/master-1.2.x
Victor Julien 13 years ago
parent 45d86ff58a
commit ddfa5c49c6
4 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File

2
rules/stream-events.rules
Unescape Escape View File

@ -50,4 +50,6 @@ alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp
alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; sid:2210045; rev:1;) alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; sid:2210045; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM RST invalid ack"; stream-event:rst_invalid_ack; sid:2210046; rev:1;) alert tcp any any -> any any (msg:"SURICATA STREAM RST invalid ack"; stream-event:rst_invalid_ack; sid:2210046; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq"; stream-event:reassembly_segment_before_base_seq; sid:2210047; rev:1;) alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq"; stream-event:reassembly_segment_before_base_seq; sid:2210047; rev:1;)
# Sequence gap: missing data in the reassembly engine. Usually due to packet loss. Will be very noisy on a overloaded link / sensor.
#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048; rev:1;)

2
src/decode-events.h
Unescape Escape View File

@ -177,6 +177,8 @@ enum {
STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ,
STREAM_REASSEMBLY_NO_SEGMENT, STREAM_REASSEMBLY_NO_SEGMENT,
STREAM_REASSEMBLY_SEQ_GAP,
/* SCTP EVENTS */ /* SCTP EVENTS */
SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */ SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */

1
src/detect-engine-event.h
Unescape Escape View File

@ -163,6 +163,7 @@ struct DetectEngineEvents_ {
{ "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, }, { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
{ "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, }, { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
{ "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, }, { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
{ "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
{ NULL, 0 }, { NULL, 0 },
}; };
#endif /* DETECT_EVENTS */ #endif /* DETECT_EVENTS */

2
src/stream-tcp-reassemble.c
Unescape Escape View File

@ -1985,6 +1985,7 @@ static int StreamTcpReassembleInlineAppLayer (ThreadVars *tv,
/* flag reassembly as started, so the to_client part can start */ /* flag reassembly as started, so the to_client part can start */
ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED; ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED;
StreamTcpSetEvent(p, STREAM_REASSEMBLY_SEQ_GAP);
SCPerfCounterIncr(ra_ctx->counter_tcp_reass_gap, tv->sc_perf_pca); SCPerfCounterIncr(ra_ctx->counter_tcp_reass_gap, tv->sc_perf_pca);
#ifdef DEBUG #ifdef DEBUG
dbg_app_layer_gap++; dbg_app_layer_gap++;
@ -2680,6 +2681,7 @@ static int StreamTcpReassembleAppLayer (ThreadVars *tv,
/* flag reassembly as started, so the to_client part can start */ /* flag reassembly as started, so the to_client part can start */
ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED; ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED;
StreamTcpSetEvent(p, STREAM_REASSEMBLY_SEQ_GAP);
SCPerfCounterIncr(ra_ctx->counter_tcp_reass_gap, tv->sc_perf_pca); SCPerfCounterIncr(ra_ctx->counter_tcp_reass_gap, tv->sc_perf_pca);
#ifdef DEBUG #ifdef DEBUG
dbg_app_layer_gap++; dbg_app_layer_gap++;

Write Preview
Loading…
Cancel
Save