suricata/src/stream-tcp-private.h

#ifndef __STREAM_TCP_PRIVATE_H__
#define __STREAM_TCP_PRIVATE_H__

typedef struct TcpSegment_ {
    uint8_t *payload;
    uint16_t payload_len; /* actual size of the payload */
    uint32_t seq;
    uint16_t pool_size; /* size of the memory */
    struct TcpSegment_ *next;
    struct TcpSegment_ *prev;
} TcpSegment;

typedef struct TcpStream_ {
    uint32_t isn;       /**< initial sequence number */
    uint32_t next_seq;  /**< next expected sequence number */
    uint32_t last_ack;  /**< last ack'd sequence number in this stream */
    uint32_t next_win;  /**< next max seq within window */
    uint32_t window;    /**< current window setting */
    uint8_t wscale;     /**< wscale setting in this direction */

    uint32_t last_ts; /**< Time stamp (TSVAL) of the last seen packet for this stream*/
    uint32_t last_pkt_ts; /**< Time of last seen packet for this stream (needed for PAWS update)
                                This will be used to validate the last_ts, when connection has been idle for
                                longer time.(RFC 1323)*/

    /* reassembly */
    uint32_t ra_base_seq; /**< reassembled seq. We've reassembled up to this point. */
    TcpSegment *seg_list; /**< list of TCP segments that are not yet (fully) used in reassembly */
    uint8_t os_policy; /**< target based OS policy used for reassembly and handling packets*/
    uint8_t flags;      /**< Flag specific to the stream e.g. Timestamp */
} TcpStream;

/* from /usr/include/netinet/tcp.h */
enum
{
    TCP_NONE,
    TCP_LISTEN,
    TCP_SYN_SENT,
    TCP_SYN_RECV,
    TCP_ESTABLISHED,
    TCP_FIN_WAIT1,
    TCP_FIN_WAIT2,
    TCP_TIME_WAIT,
    TCP_LAST_ACK,
    TCP_CLOSE_WAIT,
    TCP_CLOSING,
    TCP_CLOSED,
};

#define STREAMTCP_FLAG_MIDSTREAM                0x01    /**< Flag for mid stream session*/
#define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED    0x02    /**< Flag for mid stream established session*/
#define STREAMTCP_FLAG_TIMESTAMP                0x04    /**< Flag for TCP Timestamp option*/
#define STREAMTCP_FLAG_SERVER_WSCALE            0x08    /**< Server supports wscale (even though it can be 0) */
#define STREAMTCP_FLAG_ZERO_TIMESTAMP           0x10    /**< Flag to indicate the zero value of timestamp*/
#define STREAMTCP_FLAG_NO_REASSEMBLY            0x20    /**< Flag to avoid stream reassembly / application layer
                                                             inspection for the client stream.*/

#define PAWS_24DAYS         2073600         /* 24 days in seconds */

/* Macro's for comparing Sequence numbers
 * Page 810 from TCP/IP Illustrated, Volume 2. */
#define SEQ_EQ(a,b)  ((int)((a) - (b)) == 0)
#define SEQ_LT(a,b)  ((int)((a) - (b)) <  0)
#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0)
#define SEQ_GT(a,b)  ((int)((a) - (b)) >  0)
#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0)

typedef struct TcpSession_ {
    uint8_t state;
    uint8_t flags;
    uint16_t alproto; /**< application level protocol */
    TcpStream server;
    TcpStream client;
    void **aldata; /**< application level storage ptrs */
} TcpSession;
#endif /* __STREAM_TCP_PRIVATE_H__ */
Pool update. Stream reassembly start. 16 years ago			`#ifndef __STREAM_TCP_PRIVATE_H__`
			`#define __STREAM_TCP_PRIVATE_H__`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct TcpSegment_ {`
64 bit cleanup part2 16 years ago			`uint8_t *payload;`
			`uint16_t payload_len; /* actual size of the payload */`
			`uint32_t seq;`
			`uint16_t pool_size; /* size of the memory */`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`struct TcpSegment_ *next;`
			`struct TcpSegment_ *prev;`
Pool update. Stream reassembly start. 16 years ago			`} TcpSegment;`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct TcpStream_ {`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`uint32_t isn; /*< initial sequence number /`
			`uint32_t next_seq; /*< next expected sequence number /`
			`uint32_t last_ack; /*< last ack'd sequence number in this stream /`
			`uint32_t next_win; /*< next max seq within window /`
			`uint32_t window; /*< current window setting /`
			`uint8_t wscale; /*< wscale setting in this direction /`
Pool update. Stream reassembly start. 16 years ago
fixed unit tests and add the comments 16 years ago			`uint32_t last_ts; /*< Time stamp (TSVAL) of the last seen packet for this stream/`
			`uint32_t last_pkt_ts; /**< Time of last seen packet for this stream (needed for PAWS update)`
			`This will be used to validate the last_ts, when connection has been idle for`
			`longer time.(RFC 1323)*/`
timestamp support 16 years ago
Pool update. Stream reassembly start. 16 years ago			`/* reassembly */`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`uint32_t ra_base_seq; /*< reassembled seq. We've reassembled up to this point. /`
			`TcpSegment seg_list; /< list of TCP segments that are not yet (fully) used in reassembly /`
			`uint8_t os_policy; /*< target based OS policy used for reassembly and handling packets/`
target based paws handling 16 years ago			`uint8_t flags; /*< Flag specific to the stream e.g. Timestamp /`
Pool update. Stream reassembly start. 16 years ago			`} TcpStream;`

			`/* from /usr/include/netinet/tcp.h */`
			`enum`
			`{`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`TCP_NONE,`
			`TCP_LISTEN,`
Pool update. Stream reassembly start. 16 years ago			`TCP_SYN_SENT,`
			`TCP_SYN_RECV,`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`TCP_ESTABLISHED,`
Pool update. Stream reassembly start. 16 years ago			`TCP_FIN_WAIT1,`
			`TCP_FIN_WAIT2,`
			`TCP_TIME_WAIT,`
			`TCP_LAST_ACK,`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`TCP_CLOSE_WAIT,`
			`TCP_CLOSING,`
			`TCP_CLOSED,`
Pool update. Stream reassembly start. 16 years ago			`};`

initial version to support detection byepass 16 years ago			`#define STREAMTCP_FLAG_MIDSTREAM 0x01 /*< Flag for mid stream session/`
			`#define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED 0x02 /*< Flag for mid stream established session/`
			`#define STREAMTCP_FLAG_TIMESTAMP 0x04 /*< Flag for TCP Timestamp option/`
			`#define STREAMTCP_FLAG_SERVER_WSCALE 0x08 /*< Server supports wscale (even though it can be 0) /`
target based paws handling 16 years ago			`#define STREAMTCP_FLAG_ZERO_TIMESTAMP 0x10 /*< Flag to indicate the zero value of timestamp/`
initial version to support detection byepass 16 years ago			`#define STREAMTCP_FLAG_NO_REASSEMBLY 0x20 /**< Flag to avoid stream reassembly / application layer`
			`inspection for the client stream.*/`
New function for task3 16 years ago
timestamp support 16 years ago			`#define PAWS_24DAYS 2073600 /* 24 days in seconds */`

Pool update. Stream reassembly start. 16 years ago			`/* Macro's for comparing Sequence numbers`
			`* Page 810 from TCP/IP Illustrated, Volume 2. */`
			`#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0)`
			`#define SEQ_LT(a,b) ((int)((a) - (b)) < 0)`
			`#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0)`
			`#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)`
			`#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0)`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct TcpSession_ {`
64 bit cleanup part2 16 years ago			`uint8_t state;`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`uint8_t flags;`
			`uint16_t alproto; /*< application level protocol /`
Pool update. Stream reassembly start. 16 years ago			`TcpStream server;`
			`TcpStream client;`
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters. 16 years ago			`void aldata; /< application level storage ptrs */`
Pool update. Stream reassembly start. 16 years ago			`} TcpSession;`
			`#endif /* __STREAM_TCP_PRIVATE_H__ */`