stream/tcp: track if ssn has been closed with RST

pull/5234/head
Victor Julien 5 years ago
parent 1b3582325b
commit c825f83633

@ -164,7 +164,8 @@ enum TcpState
#define STREAMTCP_FLAG_TIMESTAMP 0x0008
/** Server supports wscale (even though it can be 0) */
#define STREAMTCP_FLAG_SERVER_WSCALE 0x0010
// vacancy
/** Closed by RST */
#define STREAMTCP_FLAG_CLOSED_BY_RST 0x0020
/** Flag to indicate that the session is handling asynchronous stream.*/
#define STREAMTCP_FLAG_ASYNC 0x0040
/** Flag to indicate we're dealing with 4WHS: SYN, SYN, SYN/ACK, ACK
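Review bot: The doc comment `/** Closed by RST */` on STREAMTCP_FLAG_CLOSED_BY_RST does not say that the flag can be revoked. The last hunk of this commit clears it again in StreamTcpPacketCheckPostRst when the RST is suspected to be injected, so code that reads the flag for logging or detection should not treat it as final. A fuller comment would make that visible at the definition, for example `/** Session was moved to TCP_CLOSED by an accepted RST; cleared again if that RST is later suspected to be injected */`.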

@ -853,6 +853,14 @@ void StreamTcpSetOSPolicy(TcpStream *stream, Packet *p)
} \
}
static inline void StreamTcpCloseSsnWithReset(Packet *p, TcpSession *ssn)
{
ssn->flags |= STREAMTCP_FLAG_CLOSED_BY_RST;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: (state: %s) Reset received and state changed to "
"TCP_CLOSED", ssn, StreamTcpStateAsString(ssn->state));
}
static int StreamTcpPacketIsRetransmission(TcpStream *stream, Packet *p)
{
if (p->payload_len == 0)
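Review bot: The new `(state: %s)` argument in StreamTcpCloseSsnWithReset reads `ssn->state` after `StreamTcpPacketSetState(p, ssn, TCP_CLOSED)` has run. If that call updates `ssn->state` (its body is not shown on this page), the message can only ever print the closed state, never the state in which the RST arrived. Moving the `SCLogDebug(...)` call above the `StreamTcpPacketSetState(...)` line would keep the pre-RST state in the log. The helper also sets STREAMTCP_FLAG_CLOSED_BY_RST unconditionally and has no header comment; one such as `/** Mark the session closed by RST; the caller must already have accepted the RST (e.g. via StreamTcpValidateRst) */` would state the precondition, which the SYN_SENT and SYN_RECV call sites do not show within their hunks.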
@ -1430,17 +1438,12 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
{
SCLogDebug("ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received and state changed to "
"TCP_CLOSED", ssn);
StreamTcpCloseSsnWithReset(p, ssn);
}
} else {
ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV;
SCLogDebug("ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received and state changed to "
"TCP_CLOSED", ssn);
StreamTcpCloseSsnWithReset(p, ssn);
}
/* FIN */
@ -1771,9 +1774,7 @@ static int StreamTcpPacketStateSynRecv(ThreadVars *tv, Packet *p,
}
if (reset == TRUE) {
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received and state changed to "
"TCP_CLOSED", ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {
StreamTcpHandleTimestamp(ssn, p);
@ -2504,9 +2505,7 @@ static int StreamTcpPacketStateEstablished(ThreadVars *tv, Packet *p,
return -1;
if (PKT_IS_TOSERVER(p)) {
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received and state changed to "
"TCP_CLOSED", ssn);
StreamTcpCloseSsnWithReset(p, ssn);
ssn->server.next_seq = TCP_GET_ACK(p);
ssn->client.next_seq = TCP_GET_SEQ(p) + p->payload_len;
@ -2535,9 +2534,7 @@ static int StreamTcpPacketStateEstablished(ThreadVars *tv, Packet *p,
* packet will take care, otherwise the normal session
* cleanup. */
} else {
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received and state changed to "
"TCP_CLOSED", ssn);
StreamTcpCloseSsnWithReset(p, ssn);
ssn->server.next_seq = TCP_GET_SEQ(p) + p->payload_len + 1;
ssn->client.next_seq = TCP_GET_ACK(p);
@ -2829,9 +2826,7 @@ static int StreamTcpPacketStateFinWait1(ThreadVars *tv, Packet *p,
if (!StreamTcpValidateRst(ssn, p))
return -1;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (PKT_IS_TOSERVER(p)) {
if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@ -3268,9 +3263,7 @@ static int StreamTcpPacketStateFinWait2(ThreadVars *tv, Packet *p,
if (!StreamTcpValidateRst(ssn, p))
return -1;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (PKT_IS_TOSERVER(p)) {
if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@ -3567,9 +3560,7 @@ static int StreamTcpPacketStateClosing(ThreadVars *tv, Packet *p,
if (!StreamTcpValidateRst(ssn, p))
return -1;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (PKT_IS_TOSERVER(p)) {
if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@ -3746,9 +3737,7 @@ static int StreamTcpPacketStateCloseWait(ThreadVars *tv, Packet *p,
if (!StreamTcpValidateRst(ssn, p))
return -1;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (PKT_IS_TOSERVER(p)) {
if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@ -4036,9 +4025,7 @@ static int StreamTcpPacketStateLastAck(ThreadVars *tv, Packet *p,
if (!StreamTcpValidateRst(ssn, p))
return -1;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (PKT_IS_TOSERVER(p)) {
if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@ -4163,9 +4150,7 @@ static int StreamTcpPacketStateTimeWait(ThreadVars *tv, Packet *p,
if (!StreamTcpValidateRst(ssn, p))
return -1;
StreamTcpPacketSetState(p, ssn, TCP_CLOSED);
SCLogDebug("ssn %p: Reset received state changed to TCP_CLOSED",
ssn);
StreamTcpCloseSsnWithReset(p, ssn);
if (PKT_IS_TOSERVER(p)) {
if ((p->tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0)
@ -4372,6 +4357,7 @@ static void StreamTcpPacketCheckPostRst(TcpSession *ssn, Packet *p)
SCLogDebug("regular packet %"PRIu64" from same sender as "
"the previous RST. Looks like it injected!", p->pcap_cnt);
ostream->flags &= ~STREAMTCP_STREAM_FLAG_RST_RECV;
ssn->flags &= ~STREAMTCP_FLAG_CLOSED_BY_RST;
StreamTcpSetEvent(p, STREAM_SUSPECTED_RST_INJECT);
return;
}
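Review bot: The added `ssn->flags &= ~STREAMTCP_FLAG_CLOSED_BY_RST;` withdraws the session-level flag, but nothing visible in this hunk reverts the TCP_CLOSED state that StreamTcpCloseSsnWithReset set together with it. After a suspected injection the session may therefore be closed yet no longer marked as closed by RST; the function starts outside the hunk, so a state change elsewhere cannot be ruled out. The clear is also driven by one direction's STREAMTCP_STREAM_FLAG_RST_RECV only, and it is not visible here whether the opposite stream can hold an RST of its own that should keep the session flag set. A comment on the new line would record the intent, for example `/* RST looks injected: stop reporting the session as closed by RST; ssn->state is left as is */`, adjusted to whatever the intended state handling is.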
