mirror of https://github.com/OISF/suricata
In case of a valid RST on a SYN, the state is switched to 'TCP_CLOSED'. However, the target of the RST may not have received it, or may not have accepted it. Also, the RST may have been injected, so the supposed sender may not actually be aware of the RST that was sent in its name. In this case the previous behavior was to switch the state to CLOSED and accept no further TCP updates or stream reassembly. This patch changes this. It still switches the state to CLOSED, as this is by far the most likely to be correct. However, it will reconsider the state if the receiver continues to talk. To do this on each state change the previous state will be recorded in TcpSession::pstate. If a non-RST packet is received after a RST, this TcpSession::pstate is used to try to continue the conversation. If the (supposed) sender of the RST is also continuing the conversation as normal, it's highly likely it didn't send the RST. In this case a stream event is generated. Ticket: #2501 Reported-By: Kirill Shipulin |
7 years ago | |
---|---|---|
.. | ||
Makefile.am | 7 years ago | |
app-layer-events.rules | ||
decoder-events.rules | 7 years ago | |
dhcp-events.rules | 7 years ago | |
dnp3-events.rules | ||
dns-events.rules | ||
files.rules | 7 years ago | |
http-events.rules | 7 years ago | |
ipsec-events.rules | 7 years ago | |
kerberos-events.rules | 7 years ago | |
modbus-events.rules | ||
nfs-events.rules | 8 years ago | |
ntp-events.rules | 8 years ago | |
smb-events.rules | 7 years ago | |
smtp-events.rules | ||
stream-events.rules | 7 years ago | |
tls-events.rules |