Project

General

Profile

Bug #2093

Handle TCP stream gaps.

Added by Jason Ish over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:

Description

Currently if a TCP session has a gap, app-layer parsing is aborted. For some protocols, resyncing may be impossible and this is the best we can do, for others, we can attempt to resync and carry on. This is easier for protocols with well defined message boundaries that can be probed for.

Basic idea would be to flag the gap. Check if app-layer is configured to support gaps, if so, send the latest data down with a gap flag. Let the application decide. If it sees the data as OK, carry on. If it needs to abort parsing, it can simply return an error code (-1) then the app-layer will abort.

For some, the app-layer may not be able to continue parsing right away, but they may choose not to return error in hopes that it may sync up on the next segment. This is very likely for record based protocols.

Note: Work in progress. But didn't see a ticket for it.

History

#1 Updated by Jason Ish over 1 year ago

  • Status changed from Assigned to Closed
  • Target version changed from Soon to 4.0beta1

Last PR: https://github.com/inliniac/suricata/pull/2710
Merged with: https://github.com/inliniac/suricata/pull/2737

Includes modifications to the DNS for handling gaps by reprobing after a gap.

Also available in: Atom PDF