suricata/rules
Victor Julien 843d0b7a10 stream: support RST getting lost/ignored
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'.
However, the target of the RST may not have received it, or may not
have accepted it. Also, the RST may have been injected, so the supposed
sender may not actually be aware of the RST that was sent in its name.

In this case the previous behavior was to switch the state to CLOSED and
accept no further TCP updates or stream reassembly.

This patch changes this. It still switches the state to CLOSED, as this
is by far the most likely to be correct. However, it will reconsider
the state if the receiver continues to talk.

To do this on each state change the previous state will be recorded in
TcpSession::pstate. If a non-RST packet is received after a RST, this
TcpSession::pstate is used to try to continue the conversation.

If the (supposed) sender of the RST is also continuing the conversation
as normal, it's highly likely it didn't send the RST. In this case
a stream event is generated.

Ticket: #2501

Reported-By: Kirill Shipulin
7 years ago
Makefile.am Add event rules for Kerberos 5 7 years ago
app-layer-events.rules app-layer: protocol change API 9 years ago
decoder-events.rules decoder: implement IEEE802.1AH 8 years ago
dhcp-events.rules dhcp: add dhcp app-layer rules file 7 years ago
dnp3-events.rules rules: add missing classtypes for event.rules 9 years ago
dns-events.rules rules: add missing classtypes for event.rules 9 years ago
files.rules doc: minor updates (tls custom, TODO removal, ftp/smb file rules) 8 years ago
http-events.rules http: set events for too many layers of compression 7 years ago
ipsec-events.rules Add rules for IKEv2 events 8 years ago
kerberos-events.rules Kerberos 5: rename weak crypto to weak encryption, and log it 7 years ago
modbus-events.rules rules: add missing classtypes for event.rules 9 years ago
nfs-events.rules rust/nfs: implement events 8 years ago
ntp-events.rules Add event rules for NTP events 8 years ago
smb-events.rules smb1: set event on empty/malformed dialect 8 years ago
smtp-events.rules app-layer-smtp: fix memory leak 10 years ago
stream-events.rules stream: support RST getting lost/ignored 7 years ago
tls-events.rules tls: increase max number of tls records per packet 9 years ago