11 Commits (1f69da80bf067abc456782804c10cf84086b6217)

Author SHA1 Message Date
Victor Julien 4c6463f378 stream: handle extra different SYN/ACK
Until now, when processing the TCP 3 way handshake (3whs), retransmissions
of SYN/ACKs are silently accepted, unless they are different somehow. If
the SEQ or ACK values are different they are considered wrong and events
are set. The stream events rules will match on this.

In some cases, this is wrong. If the client missed the SYN/ACK, the server
may send a different one with a different SEQ. This commit deals with this.

As it is impossible to predict which one the client will accept, each is
added to a list. Then on receiving the final ACK from the 3whs, the list
is checked and the state is updated according to the queued SYN/ACK.
12 years ago
Victor Julien e1321f9ae6 stream: change how retransmissions are handled and detected. 12 years ago
Victor Julien 3f6ecff260 stream: disable retransmission packet before last ack sig as it is fairly common in regular traffic 12 years ago
Victor Julien bc37cb6b8e stream: detect retransmissions on closewait and finwait2 states 12 years ago
Victor Julien 9094eb4783 stream: ignore ack value if ack flag is not set. Add stream.pkt_broken_ack event for when ack value is not 0 and ack flag not set. 12 years ago
Victor Julien 6f76ac176d stream: add option to match on overlapping data
Set event on overlapping data segments that have different data.

Add stream-events option stream-event:reassembly_overlap_different_data and
add an example rule.

Issue 603.
12 years ago
Victor Julien c44f4c13fc stream: improve TCP flags handling 12 years ago
Victor Julien 887b4e0b6a Disable some stream rules by default, fix sid no typo. 13 years ago
Victor Julien ddfa5c49c6 Stream engine: gap handling
Set a stream event for stream gaps.
Add a (disabled by default) signature to the stream-event.rules.
13 years ago
Victor Julien d9ad1b00b3 Clean up SID allocation for decoder and stream rules. 13 years ago
Eric Leblond 552c6731b2 Add signature file for stream events.
This patch adds a rules/stream-events.rules file which contains
alerts related to all stream events.
13 years ago