stream: no more stream events after known issue

No longer set stream events after a gap or wrong thread. We know we lost sync and are now in 'lets make the best of it'-mode. No point in flooding the system with stream events. Ticket #2484
7 years ago · 2a3cb32071
parent b0b12021d3
commit 2a3cb32071
3 changed files with 21 additions and 3 deletions
--- a/src/decode.h
+++ b/src/decode.h
@ -1131,6 +1131,9 @@ void DecodeUnregisterCounters(void);

 #define PKT_PSEUDO_DETECTLOG_FLUSH      (1<<27)     /**< Detect/log flush for protocol upgrade */

+/** Packet is part of stream in known bad condition (loss, wrong thread),
+ *  so flag it for not setting stream events */
+#define PKT_STREAM_NO_EVENTS            (1<<28)

 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@ -243,9 +243,15 @@ enum
    } while(0); \
 }

-#define StreamTcpSetEvent(p, e) { \
-    SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")", (e), p, (p)->pcap_cnt); \
-    ENGINE_SET_EVENT((p), (e)); \
+#define StreamTcpSetEvent(p, e) {                                           \
+    if ((p)->flags & PKT_STREAM_NO_EVENTS) {                                \
+        SCLogDebug("not setting event %"PRIu8" on pkt %p (%"PRIu64"), "     \
+                   "stream in known bad condition", (e), p, (p)->pcap_cnt); \
+    } else {                                                                \
+        SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")",          \
+                    (e), p, (p)->pcap_cnt);                                 \
+        ENGINE_SET_EVENT((p), (e));                                         \
+    }                                                                       \
 }

 typedef struct TcpSession_ {
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -4765,6 +4765,15 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
            goto skip;
        }

+        if (p->flow->flags & FLOW_WRONG_THREAD ||
+            ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP ||
+            ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP)
+        {
+            /* Stream and/or session in known bad condition. Block events
+             * from being set. */
+            p->flags |= PKT_STREAM_NO_EVENTS;
+        }
+
        /* check if the packet is in right direction, when we missed the
           SYN packet and picked up midstream session. */
        if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK)