Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
Go to file
Victor Julien fb1b03c471 flow: handle TCP session reuse in flow engine
Until now, TCP session reuse was handled in the TCP stream engine.
If the state was TCP_CLOSED, a new SYN packet was received and a few
other conditions were met, the flow was 'reset' and reused for the
'new' TCP session.

There are a number of problems with this approach:
- it breaks the normal flow lifecycle wrt timeout, detection, logging
- new TCP sessions could come in on different threads due to mismatches
  in timeouts between suricata and flow balancing hw/nic/drivers
- cleanup code was often causing problems
- it complicated locking because of the possible thread mismatch

This patch implements a different solution, where a new TCP session also
gets a new flow. To do this 2 main things needed to be done:

1. the flow engine needed to be aware of when the TCP reuse case was
   happening
2. the flow engine needs to be able to 'skip' the old flow once it was
   replaced by a new one

To handle (1), a new function TcpSessionPacketSsnReuse() is introduced
to check for the TCP reuse conditions. It's called from 'FlowCompare()'
for TCP packets / TCP flows that are candidates for reuse. FlowCompare
returns FALSE for the 'old' flow in the case of TCP reuse.

This in turn will lead to the flow engine not finding a flow for the TCP
SYN packet, resulting in the creation of a new flow.

To handle (2), FlowCompare flags the 'old' flow. This flag causes future
FlowCompare calls to always return FALSE on it. In other words, the flow
can't be found anymore. It can only be accessed by:

1. existing packets with a reference to it
2. flow timeout handling as this logic gets the flows from walking the
   hash directly
3. flow timeout pseudo packets, as they are set up by (2)

The old flow will time out normally, as governed by the "tcp closed"
flow timeout setting. At timeout, the normal detection, logging and
cleanup code will process it.

The flagging of a flow making it 'unfindable' in the flow hash is a bit
of a hack. The reason for this approach over for example putting the
old flow into a forced timeout queue where it could be timed out, is
that such a queue could easily become a contention point. The TCP
session reuse case can easily be created by an attacker. In case of
multiple packet handlers, this could lead to contention on such a flow
timeout queue.
11 years ago
benches Initial add of the files. 17 years ago
contrib Add option on Tile-Gx for logging for fast.log alerts over PCIe 12 years ago
doc Update docs from wiki 13 years ago
lua output-lua: add SCPacketTimeString 11 years ago
m4 Prelude plugin: add detection in configure script 16 years ago
qa Suppress ARM valgrind warning 11 years ago
rules ipv6: check for MLD messages with HL not 1 11 years ago
scripts suricatasc: exit with error if command returns NOK 11 years ago
src flow: handle TCP session reuse in flow engine 11 years ago
.gitignore unittest: make check use a qa/log dir for logging 13 years ago
.travis.yml travis-ci: use make check 12 years ago
COPYING Initial add of the files. 17 years ago
ChangeLog Update changelog for 2.1beta3 11 years ago
LICENSE import of gplv2 LICENSE 16 years ago
Makefile.am Respect DESTDIR in install-conf and install-rules. 11 years ago
Makefile.cvs Initial add of the files. 17 years ago
acsite.m4 Added C99 defs/macros to acsite.m4 for CentOS 17 years ago
autogen.sh OpenBSD 5.2 build fixes, Unit test fix. 13 years ago
classification.config Import of classification.config 16 years ago
config.rpath Add file needed for some autotools version. 13 years ago
configure.ac netmap support 11 years ago
doxygen.cfg doxygen: add source browser 12 years ago
reference.config Update reference.config 11 years ago
suricata.yaml.in netmap support 11 years ago
threshold.config threshold: improve comments of shipped threshold.config, add links to wiki. 13 years ago