aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8924653cd4'
${ noResults }
suricata/src/stream-tcp.h

203 lines
6.7 KiB
C
Raw Normal View History Unescape Escape

GPL and Copyright header updates.
15 years ago
/* Copyright (C) 2007-2010 Open Information Security Foundation
Import of GPLv2 Header 050410
16 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
*/
Large update: pcap support, threading fixes, initial stream tracking, time handling, pool support, runmodes, decoders added, autojunk update.
16 years ago
#ifndef __STREAM_TCP_H__
#define __STREAM_TCP_H__
Applayer to flow fixes and cleanups.
15 years ago
#include "stream-tcp-private.h"
dce stub content keywords support using dcepayload.c support for all dce related content keywords
15 years ago
#include "stream.h"
#include "stream-tcp-reassemble.h"
New function for task3
16 years ago
#define STREAM_VERBOSE FALSE
support for several tcp evasion attacks. Thanks to Judy Novak and G2 Inc for reporting them
15 years ago
/* Flag to indicate that the checksum validation for the stream engine
has been enabled */
#define STREAMTCP_INIT_FLAG_CHECKSUM_VALIDATION 0x01
New function for task3
16 years ago
/*global flow data*/
typedef struct TcpStreamCnf_ {
Initial version of a inline raw reassembly function that reassembles in a sliding window. Introduce new unittest helpers for stream reassembly.
15 years ago
/** stream tracking
*
* max stream mem usage
*/
Convert stream memcaps to u64. Bug #332.
14 years ago
uint64_t memcap;
uint64_t reassembly_memcap; /**< max memory usage for stream reassembly */
Initial version of a inline raw reassembly function that reassembles in a sliding window. Introduce new unittest helpers for stream reassembly.
15 years ago
stream: add option to disable raw reassembly Raw reassembly is used only by the detection engine. For users only caring about logging it's a significant overhead, both in cpu and memory usage. The option is called 'raw' and lives under the stream.reassembly options. stream: memcap: 32mb checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: memcap: 64mb depth: 1mb # reassemble 1mb into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes #randomize-chunk-range: 10 raw: false # <- new option
12 years ago
uint32_t ssn_init_flags; /**< new ssn flags will be initialized to this */
uint8_t segment_init_flags; /**< new seg flags will be initialized to this */
Stream: use per thread ssn pool Use per thread pools to store and retrieve SSN's from. Uses PoolThread API. Remove max-sessions setting. Pools are set to unlimited, but TCP memcap limits the amount of sessions. The prealloc_session settings now applies to each thread, so lowered the default from 32k to 2k.
12 years ago
uint32_t prealloc_sessions; /**< ssns to prealloc per stream thread */
async stream handling support
16 years ago
int midstream;
int async_oneside;
support for enforcing the depth until when the reassembly will be performed
15 years ago
uint32_t reassembly_depth; /**< Depth until when we reassemble the stream */
Initial version of a inline raw reassembly function that reassembles in a sliding window. Introduce new unittest helpers for stream reassembly.
15 years ago
Enforce configurable minimum chunk size in raw stream reassembly. Minor stream cleanups, unittest updates.
15 years ago
uint16_t reassembly_toserver_chunk_size;
uint16_t reassembly_toclient_chunk_size;
stream-tcp: enable bypass setting This permits to enable/disable in suricata.yaml and the bypass function will be called when stream.depth is reached.
9 years ago
int bypass;
stream: add option to match on overlapping data Set event on overlapping data segments that have different data. Add stream-events option stream-event:reassembly_overlap_different_data and add an example rule. Issue 603.
13 years ago
support for several tcp evasion attacks. Thanks to Judy Novak and G2 Inc for reporting them
15 years ago
uint8_t flags;
stream: handle extra different SYN/ACK Until now, when processing the TCP 3 way handshake (3whs), retransmissions of SYN/ACKs are silently accepted, unless they are different somehow. If the SEQ or ACK values are different they are considered wrong and events are set. The stream events rules will match on this. In some cases, this is wrong. If the client missed the SYN/ACK, the server may send a different one with a different SEQ. This commit deals with this. As it is impossible to predict which one the client will accept, each is added to a list. Then on receiving the final ACK from the 3whs, the list is checked and the state is updated according to the queued SYN/ACK.
13 years ago
uint8_t max_synack_queued;
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
StreamingBufferConfig sbcnf;
New function for task3
16 years ago
} TcpStreamCnf;
We now inspect timed out streams + streams not processed as yet, at engine shutdown
14 years ago
typedef struct StreamTcpThread_ {
Stream: use per thread ssn_pool_id instead of thread id.
12 years ago
int ssn_pool_id;
We now inspect timed out streams + streams not processed as yet, at engine shutdown
14 years ago
/** queue for pseudo packet(s) that were created in the stream
* process and need further handling. Currently only used when
* receiving (valid) RST packets */
PacketQueue pseudo_queue;
uint16_t counter_tcp_sessions;
/** sessions not picked up because memcap was reached */
uint16_t counter_tcp_ssn_memcap;
/** pseudo packets processed */
uint16_t counter_tcp_pseudo;
stream: add counter for failed pseudo setups Stream pseudo packets are taken from the packet pool, which can be empty. In this case a pseudo packet will not be created and processed. This patch adds a counter "tcp.pseudo_failed" to track this.
11 years ago
/** pseudo packets failed to setup */
uint16_t counter_tcp_pseudo_failed;
Implement a counter for TCP packets with invalid checksums: tcp.invalid_checksum. Bug #311.
14 years ago
/** packets rejected because their csum is invalid */
uint16_t counter_tcp_invalid_checksum;
Add stream engine counters Added stream counters: - tcp.reassembly_memuse -- current memory use by reassembly in bytes - tcp.memuse -- current memory use by stream tracking in bytes - tcp.reused_ssn -- ssn reused by new session with identical tuple - tcp.no_flow -- TCP packets with no flow - indicating flow engine memory at its limits
14 years ago
/** TCP packets with no associated flow */
uint16_t counter_tcp_no_flow;
/** sessions reused */
uint16_t counter_tcp_reused_ssn;
Add counters for SYN, SYN/ACK and RST TCP packets. Issue #251.
14 years ago
/** syn pkts */
uint16_t counter_tcp_syn;
/** syn/ack pkts */
uint16_t counter_tcp_synack;
/** rst pkts */
uint16_t counter_tcp_rst;
We now inspect timed out streams + streams not processed as yet, at engine shutdown
14 years ago
/** tcp reassembly thread data */
TcpReassemblyThreadCtx *ra_ctx;
} StreamTcpThread;
New function for task3
16 years ago
TcpStreamCnf stream_config;
void StreamTcpInitConfig (char);
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
void StreamTcpFreeConfig(char);
Flow get state protocol specific
16 years ago
void StreamTcpRegisterTests (void);
Large update: pcap support, threading fixes, initial stream tracking, time handling, pool support, runmodes, decoders added, autojunk update.
16 years ago
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
void StreamTcpSessionPktFree (Packet *);
Convert stream memcaps to u64. Bug #332.
14 years ago
void StreamTcpIncrMemuse(uint64_t);
void StreamTcpDecrMemuse(uint64_t);
int StreamTcpCheckMemcap(uint64_t);
Stream engine memory handling update The stream engine memory handling needed updating as it didn't scale. Changes: - pools can now be initialized to size 0, meaning unlimited - stream engine uses a memcap setting. Sessions, segments and aldata is part of this, app layer state isn't. - memory is accounted using a global int that is spinlocked. - a counter for sessions that have not been picked up because of memcap was added. - all reassembly errors are converted to debug msgs.
16 years ago
Inspect a pseudo packet upon receiving a RST so that we are sure both sides of the TCP session are inspected.
15 years ago
Packet *StreamTcpPseudoSetup(Packet *, uint8_t *, uint32_t);
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
Packet logging API: convert unified2 Convert unified2 alert to new logging API.
12 years ago
int StreamTcpSegmentForEach(const Packet *p, uint8_t flag,
Introduce StreamSegmentForEach function This patch introduces a function called StreamMsgForEach which can be used to run a callback on all segments of a stream. This is currently only supported for TCP as this is the only streaming aware protocol.
14 years ago
StreamSegmentCallback CallbackFunc,
void *data);
stream: add option to match on overlapping data Set event on overlapping data segments that have different data. Add stream-events option stream-event:reassembly_overlap_different_data and add an example rule. Issue 603.
13 years ago
void StreamTcpReassembleConfigEnableOverlapCheck(void);
stream: per TcpStream reassembly depth
10 years ago
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size);
Introduce StreamSegmentForEach function This patch introduces a function called StreamMsgForEach which can be used to run a callback on all segments of a stream. This is currently only supported for TCP as this is the only streaming aware protocol.
14 years ago
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
/** ------- Inline functions: ------ */
/**
* \brief If we are on IPS mode, and got a drop action triggered from
* the IP only module, or from a reassembled msg and/or from an
* applayer detection, then drop the rest of the packets of the
* same stream and avoid inspecting it any further
* \param p pointer to the Packet to check
* \retval 1 if we must drop this stream
* \retval 0 if the stream still legal
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static inline int StreamTcpCheckFlowDrops(Packet *p)
{
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
/* If we are on IPS mode, and got a drop action triggered from
* the IP only module, or from a reassembled msg and/or from an
* applayer detection, then drop the rest of the packets of the
* same stream and avoid inspecting it any further */
refactor IDS/IPS engine mode logic Instead of error phrone externs with macro's, use functions with a local static enum var instead. - EngineModeIsIPS(): in IPS mode - EngineModeIsIDS(): in IDS mode To set the modes: - EngineModeSetIDS(): IDS mode (default) - EngineModeSetIPS(): IPS mode Bug #1177.
11 years ago
if (EngineModeIsIPS() && (p->flow->flags & FLOW_ACTION_DROP))
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
return 1;
return 0;
}
/**
* \brief Function to flip the direction When we missed the SYN packet,
* SYN/ACK is considered as sent by server, but our engine flagged the
* packet as from client for the host whose packet is received first in
* the session.
*
* \param ssn TcpSession to whom this packet belongs
* \param p Packet whose flag has to be changed
*/
static inline void StreamTcpPacketSwitchDir(TcpSession *ssn, Packet *p)
{
SCLogDebug("ssn %p: switching pkt direction", ssn);
if (PKT_IS_TOSERVER(p)) {
p->flowflags &= ~FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
flow: tag first packet in each direction Set a flowflag for the first packet in each direction: FLOW_PKT_TOSERVER_FIRST and FLOW_PKT_TOCLIENT_FIRST
11 years ago
if (p->flowflags & FLOW_PKT_TOSERVER_FIRST) {
p->flowflags &= ~FLOW_PKT_TOSERVER_FIRST;
p->flowflags |= FLOW_PKT_TOCLIENT_FIRST;
}
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
} else {
p->flowflags &= ~FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
flow: tag first packet in each direction Set a flowflag for the first packet in each direction: FLOW_PKT_TOSERVER_FIRST and FLOW_PKT_TOCLIENT_FIRST
11 years ago
if (p->flowflags & FLOW_PKT_TOCLIENT_FIRST) {
p->flowflags &= ~FLOW_PKT_TOCLIENT_FIRST;
p->flowflags |= FLOW_PKT_TOSERVER_FIRST;
}
Drop streams on inline mode when a drop rule match from a reassembled stream and/or app layer inspection
15 years ago
}
}
minor code cleanup. remove commented out code
14 years ago
enum {
/* stream has no segments for forced reassembly, nor for detection */
STREAM_HAS_UNPROCESSED_SEGMENTS_NONE = 0,
/* stream seems to have segments that need to be forced reassembled */
STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_REASSEMBLY = 1,
/* stream has no segments for forced reassembly, but only segments that
* have been sent for detection, but are stuck in the detection queues */
STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION = 2,
};
stream-tcp: no longer register as a thread module Now that the FlowWorker handles the TCP Stream directly, having the TCP engine as a thread module is no longer needed. This patch removes the registration.
9 years ago
TmEcode StreamTcp (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
int StreamNeedsReassembly(TcpSession *ssn, int direction);
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
TmEcode StreamTcpThreadInit(ThreadVars *, void *, void **);
TmEcode StreamTcpThreadDeinit(ThreadVars *tv, void *data);
stream-tcp: no longer register as a thread module Now that the FlowWorker handles the TCP Stream directly, having the TCP engine as a thread module is no longer needed. This patch removes the registration.
9 years ago
void StreamTcpRegisterTests (void);
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
PacketQueue *pq);
stream-tcp: unify ssn clean up functions There were 2 separate function doing ssn cleanup. To prevent issues common with code duplication, unify them.
9 years ago
/* clear ssn and return to pool */
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
void StreamTcpSessionClear(void *ssnptr);
stream-tcp: unify ssn clean up functions There were 2 separate function doing ssn cleanup. To prevent issues common with code duplication, unify them.
9 years ago
/* cleanup ssn, but don't free ssn */
void StreamTcpSessionCleanup(TcpSession *ssn);
stream-tcp: introduce stream cleanup function
9 years ago
/* cleanup stream, but don't free the stream */
void StreamTcpStreamCleanup(TcpStream *stream);
stream-tcp: enable bypass setting This permits to enable/disable in suricata.yaml and the bypass function will be called when stream.depth is reached.
9 years ago
/* check if bypass is enabled */
int StreamTcpBypassEnabled(void);
stream-tcp: unify ssn clean up functions There were 2 separate function doing ssn cleanup. To prevent issues common with code duplication, unify them.
9 years ago
proto detection: add limit for one sided sessions If a session only has data in one direction, like ftp data sessions, protocol detection will only run in one direction. This led to a situation where reassembly would hold all the segments as proto detection was never flagged as complete. This patch introduces a limit for protocol detection in this case. If the limit is reached, detection will give up.
12 years ago
uint32_t StreamTcpGetStreamSize(TcpStream *stream);
App layer protocol detection updated and improved. We now use confirmation from both directions and set events if there's a mismatch between the 2 directions. FPs from corrupt flows have disappeared with this.
12 years ago
Large update: pcap support, threading fixes, initial stream tracking, time handling, pool support, runmodes, decoders added, autojunk update.
16 years ago
#endif /* __STREAM_TCP_H__ */