Bug #4917
open
tls: leading GAP in toserver direction leads to various issues
Description
Attached is a pcap from https://github.com/OISF/suricata-verify/tree/master/tests/tls-ja3s, but with the first data segment to the server (the client hello) removed.
This leads to various issues:
- flow logging app_proto as "failed", even if app_proto_tc is "tls".
- no TLS logging or inspection
- no GAP detected
- app-layer event applayer_wrong_direction_first_data triggering
The parser does not support GAPs or first data into the toclient direction. Since the leading GAP isn't detected (in time), the first data sent to the parser is in the toclient direction. This is then rejected and leads to the event and failure state for the flow.
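An added triage example, not part of the ticket or of Suricata's code: it scans EVE JSON records for flows showing the symptoms listed above (flow app_proto "failed" while app_proto_tc is "tls") and reports whether a tls record or the wrong-direction event was logged for the same flow_id. The sample records are constructed, and the anomaly record layout (anomaly.event carrying the event name) is an assumption about the local EVE output.

```python
import json

# Constructed sample EVE records (not taken from the ticket's pcap).
SAMPLE_EVE = """\
{"event_type":"anomaly","flow_id":1001,"anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA"}}
{"event_type":"flow","flow_id":1001,"app_proto":"failed","app_proto_tc":"tls","dest_port":443}
{"event_type":"tls","flow_id":1002,"tls":{"version":"TLS 1.2"}}
{"event_type":"flow","flow_id":1002,"app_proto":"tls","dest_port":443}
{"event_type":"flow","flow_id":1003,"app_proto":"failed","dest_port":8080}
not-json garbage line
"""

# Event name from the ticket; compared case-insensitively (assumed layout).
WRONG_DIR = "applayer_wrong_direction_first_data"


def find_uninspected_tls(lines):
    """Return one finding per flow matching the symptoms in this ticket."""
    suspects, tls_logged, wrong_dir = {}, set(), set()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        fid, etype = ev.get("flow_id"), ev.get("event_type")
        if etype == "tls":
            tls_logged.add(fid)  # TLS parser produced a record for this flow
        elif etype == "anomaly":
            name = str(ev.get("anomaly", {}).get("event", "")).lower()
            if name == WRONG_DIR:
                wrong_dir.add(fid)
        elif etype == "flow":
            # Symptom: flow marked failed although toclient side detected tls.
            if ev.get("app_proto") == "failed" and ev.get("app_proto_tc") == "tls":
                suspects[fid] = ev
    return [{"flow_id": fid, "dest_port": ev.get("dest_port"),
             "tls_record_logged": fid in tls_logged,
             "wrong_direction_event": fid in wrong_dir}
            for fid, ev in sorted(suspects.items())]


if __name__ == "__main__":
    for finding in find_uninspected_tls(SAMPLE_EVE.splitlines()):
        print(finding)
```

Flows reported with tls_record_logged set to False had no TLS logging for that flow_id in the records scanned.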
VJ Updated by Victor Julien over 4 years ago
- Related to Task #3560: ssl/tls: support GAP recovery added
VJ Updated by Victor Julien over 4 years ago
- Related to Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols added
PA Updated by Philippe Antoine almost 3 years ago
- Target version set to 8.0.0-beta1
PA Updated by Philippe Antoine almost 3 years ago
- Assignee set to OISF Dev
VJ Updated by Victor Julien over 1 year ago
- Related to Bug #7238: app-layer: protocol flows are miscounted in case of error added
VJ Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1
PA Updated by Philippe Antoine 9 months ago
- Affected Versions 8.0.0 added