stream: set event for suspected data injection during 3whs

This rule will match on the STREAM_3WHS_ACK_DATA_INJECT event, which is
set if we are:
- in IPS mode
- get a data packet from the server
- that matches the exact SEQ/ACK expectations for the 3whs

The action of the rule is set to drop as the stream engine will drop.
So the rule action is actually not needed, but for consistency it
is drop.
pull/3201/head
Victor Julien 8 years ago
parent d1adf5f7e9
commit ca67408e79

@ -15,6 +15,11 @@ alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake excessive diff
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv; classtype:protocol-command-decode; sid:2210008; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; classtype:protocol-command-decode; sid:2210009; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:2210010; rev:2;)
# suspected data injection by sending data packet right after the SYN/ACK,
# this to make sure network inspection reject tools reject it as it's
# before the 3whs is complete. Only set in IPS mode. Drops unconditionally
# in the code, so can't be made not to drop.
drop tcp any any -> any any (msg:"SURICATA STREAM 3way handshake toclient data injection suspected"; flow:to_client; stream-event:3whs_ack_data_inject; classtype:protocol-command-decode; sid:2210057; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong ACK"; stream-event:4whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210011; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong SYN"; stream-event:4whs_synack_with_wrong_syn; classtype:protocol-command-decode; sid:2210012; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq"; stream-event:4whs_wrong_seq; classtype:protocol-command-decode; sid:2210013; rev:2;)
@ -81,5 +86,5 @@ alert tcp any any -> any any (msg:"SURICATA STREAM Packet is retransmission"; st
# rule to alert if a stream has excessive retransmissions
alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
# next sid 2210057
# next sid 2210058
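Review bot: The comment above the new sid 2210057 rule leaves the operator-facing consequence implicit: because the stream engine rejects the packet on its own (as the comment's last sentence and the commit message both say), disabling this signature or changing its action from `drop` to `alert` only affects whether an alert is logged, never whether the packet is dropped, and that is worth stating outright. The first sentence is also hard to parse (`# this to make sure network inspection reject tools reject it as it's`). I would reword the comment to say that the event flags a data packet sent right after the SYN/ACK, before the 3whs completes, that it is only set in IPS mode, and then add `# The stream engine drops the packet unconditionally; disabling this rule or changing its action affects logging only, not the drop.` The `flow:to_client` keyword appears consistent with the event only being raised on the to-client path in stream-tcp.c in this same commit.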

@ -196,6 +196,7 @@ const struct DecodeEvents_ DEvents[] = {
{ "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
{ "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
{ "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
{ "stream.3whs_ack_data_inject", STREAM_3WHS_ACK_DATA_INJECT, },
{ "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
{ "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
{ "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },

@ -206,6 +206,7 @@ enum {
STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV,
STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV,
STREAM_3WHS_WRONG_SEQ_WRONG_ACK,
STREAM_3WHS_ACK_DATA_INJECT,
STREAM_4WHS_SYNACK_WITH_WRONG_ACK,
STREAM_4WHS_SYNACK_WITH_WRONG_SYN,
STREAM_4WHS_WRONG_SEQ,

@ -1854,9 +1854,17 @@ static int StreamTcpPacketStateSynRecv(ThreadVars *tv, Packet *p,
* careful.
*/
if (StreamTcpInlineMode()) {
if (p->payload_len > 0 &&
SEQ_EQ(TCP_GET_ACK(p), ssn->client.last_ack) &&
SEQ_EQ(TCP_GET_SEQ(p), ssn->server.next_seq)) {
/* packet loss is possible but unlikely here */
SCLogDebug("ssn %p: possible data injection", ssn);
StreamTcpSetEvent(p, STREAM_3WHS_ACK_DATA_INJECT);
return -1;
}
SCLogDebug("ssn %p: ACK received in the wrong direction",
ssn);
StreamTcpSetEvent(p, STREAM_3WHS_ACK_IN_WRONG_DIR);
return -1;
}
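Review bot: The comment `/* packet loss is possible but unlikely here */` above the new STREAM_3WHS_ACK_DATA_INJECT branch does not say which legitimate traffic the check misclassifies or what a false positive costs, which is exactly what someone tuning sid 2210057 needs to know. Presumably the benign case is a handshake whose final ACK reached the server but was not seen by the sensor, so the server's first data segment arrives while the session is still in SYN_RECV; I would replace the comment with `/* A to-client data segment carrying exactly the seq/ack expected after the 3whs is treated as injection; it can also be legitimate data whose preceding ACK this engine never saw. In inline mode the packet is rejected either way. */`. It would also help to note next to the two `return -1;` lines that both branches reject the packet, so the new condition only changes which event is set, not whether the packet is dropped, which is what the rule-file comment in this commit relies on. StreamTcpPacketStateSynRecv starts and ends outside the hunk.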
