Suricata

Currently if a TCP session has a gap, app-layer parsing is aborted. For some protocols, resyncing may be impossible and this is the best we can do, for others, we can attempt to resync and carry on. This is easier for protocols with well defined message boundaries that can be probed for.

Basic idea would be to flag the gap. Check if app-layer is configured to support gaps, if so, send the latest data down with a gap flag. Let the application decide. If it sees the data as OK, carry on. If it needs to abort parsing, it can simply return an error code (-1) then the app-layer will abort.

For some, the app-layer may not be able to continue parsing right away, but they may choose not to return error in hopes that it may sync up on the next segment. This is very likely for record based protocols.

Note: Work in progress. But didn't see a ticket for it.