Support #3438

closed

tcp stream gap and packet loss in network

Added by Denis Golovkov about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions: (none)
Label: (none)

Description

According to https://redmine.openinfosecfoundation.org/issues/2093, if a TCP session has a gap then Suricata is either hoping that the next segment can fill the gap or attempting to resync and carry on.

Let's suppose that traffic for Suricata comes from some mirror port, which can sometimes produce packet loss (because of poor network quality, high load on a switch, or something similar that Suricata cannot control). In this scenario a TCP gap can occur and there is no way to fill it. Let's say we have the Modbus protocol or any other protocol without gap support in its parser. After the gap, Suricata will wait for the lost segment until the session is closed, which could take a long time, and there is no way to inspect packets at the app-layer during this time.

Is there any setting/workaround for this in Suricata? Could I somehow reset the TCP session after a gap, or something like this?
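The following is an added illustration of the behaviour the ticket describes; it is not Suricata's code and not part of the original ticket. It models one direction of a TCP stream as a passive sensor sees it, with a constructed scenario in which the mirror port drops one segment outright. Two assumptions are made for the model: the sensor decides a gap can never be filled when the peer's ACK moves past the missing bytes (the endpoint has data the sensor never saw), and a parser with gap support accepts a `GAP` marker in place of the lost bytes. Without gap support the parser simply stops receiving data, and everything buffered behind the gap is discarded when the session closes, which is the stall described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Marker handed to the app-layer parser in place of bytes that were lost.
# Assumption for this model; real parsers have their own gap signalling.
GAP = b"<GAP>"


@dataclass
class StreamState:
    """One direction of a TCP stream as reassembled by a passive sensor."""
    next_seq: int                                   # next byte the parser expects
    gap_recovery: bool                              # can the parser accept GAP?
    pending: Dict[int, bytes] = field(default_factory=dict)    # seq -> out-of-order data
    delivered: List[bytes] = field(default_factory=list)       # what the parser received
    gaps: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) byte ranges skipped
    dropped: int = 0                                # bytes thrown away at session close


def _drain(st: StreamState) -> None:
    """Hand every buffered segment that is now in order to the parser."""
    while st.next_seq in st.pending:
        data = st.pending.pop(st.next_seq)
        st.delivered.append(data)
        st.next_seq += len(data)


def on_segment(st: StreamState, seq: int, payload: bytes) -> None:
    """A data segment reached the sensor."""
    if seq < st.next_seq:          # retransmission of data already processed
        return
    st.pending[seq] = payload      # in-order data is drained immediately below
    _drain(st)


def on_peer_ack(st: StreamState, ack: int) -> None:
    """The other endpoint acknowledged bytes up to `ack`.

    If ack > next_seq the endpoint holds data the sensor never captured, so
    waiting for a retransmission is pointless (assumed gap-detection rule)."""
    if ack <= st.next_seq:
        return
    if not st.gap_recovery:
        return                     # parser cannot take a GAP: reassembly keeps waiting
    # Resume at the first byte we actually hold, or at the ACK point if we hold nothing.
    resume = min(min(st.pending, default=ack), ack)
    st.gaps.append((st.next_seq, resume))
    st.delivered.append(GAP)
    st.next_seq = resume
    _drain(st)


def on_close(st: StreamState) -> None:
    """Session ended; anything still buffered behind an unfilled gap is lost."""
    st.dropped = sum(len(d) for d in st.pending.values())
    st.pending.clear()


def simulate(gap_recovery: bool) -> StreamState:
    """Constructed scenario: four 4-byte requests, the second one never mirrored."""
    st = StreamState(next_seq=1000, gap_recovery=gap_recovery)
    on_segment(st, 1000, b"REQ1")      # seq 1000..1003, in order
    # b"REQ2" at seq 1004 is dropped by the mirror port and never seen
    on_segment(st, 1008, b"REQ3")      # out of order: buffered behind the hole
    on_peer_ack(st, 1012)              # server acked through REQ3: REQ2 is gone for good
    on_segment(st, 1012, b"REQ4")
    on_close(st)
    return st


if __name__ == "__main__":
    for mode in (True, False):
        st = simulate(mode)
        print(f"gap_recovery={mode}: parser saw {st.delivered}, "
              f"gaps={st.gaps}, bytes dropped at close={st.dropped}")
```

With `gap_recovery=True` the parser receives `REQ1`, a `GAP` covering bytes 1004..1007, then `REQ3` and `REQ4`, and nothing is dropped at close. With `gap_recovery=False` the parser sees only `REQ1`; `REQ3` and `REQ4` sit in the buffer until the session is closed and are then discarded, so 8 bytes of application data were never inspected.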


Related issues (2 open, 0 closed)

Related to Suricata - Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols (New)
Related to Suricata - Task #3554: modbus: support GAP recovery (Assigned to Simon Dugas)