From 9ba55b8a282eca795c21ff53dd54937492bb8cf1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 1 Aug 2023 07:48:04 +0200
Subject: [PATCH] stream: add stream.rst_with_data event for RST with data

---
 src/decode-events.c | 4 ++++
 src/decode-events.h | 1 +
 src/stream-tcp.c | 15 +++++++++++++++
 3 files changed, 20 insertions(+)

diff --git a/src/decode-events.c b/src/decode-events.c
index 207de286f6..83f8b22efd 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -814,6 +814,10 @@ const struct DecodeEvents_ DEvents[] = {
 "stream.rst_invalid_ack",
 STREAM_RST_INVALID_ACK,
 },
+ {
+ "stream.rst_with_data",
+ STREAM_RST_WITH_DATA,
+ },
 {
 "stream.pkt_retransmission",
 STREAM_PKT_RETRANSMISSION,
diff --git a/src/decode-events.h b/src/decode-events.h
index 451482403c..5547866fa5 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -280,6 +280,7 @@ enum {
 STREAM_PKT_INVALID_ACK,
 STREAM_PKT_BROKEN_ACK,
 STREAM_RST_INVALID_ACK,
+ STREAM_RST_WITH_DATA,
 STREAM_PKT_RETRANSMISSION,
 STREAM_PKT_SPURIOUS_RETRANSMISSION,
 STREAM_PKT_BAD_WINDOW_UPDATE,
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 99dcd29953..d76a0593a0 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -5865,6 +5865,21 @@ static int StreamTcpValidateRst(TcpSession *ssn, Packet *p)
 }
 }
+ /* RST with data, it's complicated:
+
+ 4.2.2.12 RST Segment: RFC-793 Section 3.4
+
+ A TCP SHOULD allow a received RST segment to include data.
+
+ DISCUSSION
+ It has been suggested that a RST segment could contain
+ ASCII text that encoded and explained the cause of the
+ RST. No standard has yet been established for such
+ data.
+ */
+ if (p->payload_len)
+ StreamTcpSetEvent(p, STREAM_RST_WITH_DATA);
+
 /* Set up the os_policy to be used in validating the RST packets based on target system */
 if (PKT_IS_TOSERVER(p)) {
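Review bot: The new `stream.rst_with_data` entry in `DEvents[]` only registers the event name, and the diffstat lists just the three source files, so no rule or documentation for the event appears to ship with this patch. Unless a signature using `stream-event:rst_with_data` is added to the distributed stream event rules (possibly in a separate commit), the event is set on the packet but never surfaces as an alert. I would add that rule and a one-line description of the event together with this table entry, so that operators know the condition is detectable.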
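Review bot: The block comment added above `if (p->payload_len)` quotes section 4.2.2.12 without naming the document it comes from; that section number belongs to RFC 1122, so the comment should open with something like `/* RST with data, see RFC 1122 section 4.2.2.12 (RST Segment):`. The comment also does not say when the event fires: as placed, it is set before the os_policy-based validation that follows, so it presumably is raised for RSTs that are later rejected as well, and one sentence stating that would help rule writers interpret it. The unbraced `if` would be safer written as `if (p->payload_len) { StreamTcpSetEvent(p, STREAM_RST_WITH_DATA); }`, matching the braced `if (PKT_IS_TOSERVER(p)) {` just below. StreamTcpValidateRst starts and ends outside this hunk, so any earlier return paths that skip the event are not visible here.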