Run stream reassembly on both directions upon receiving a FIN packet
Suricata invokes the stream reassembly logic only for the current packet direction if the packet contains a FIN flag. However, this does not handle the case in which the packet ACKs data from the opposing direction.
Pcap, configuration and rule files to reproduce the issue are attached.
The pcap performs 2 file downloads ("notepad.exe" and "test.pdf") via the commands "STOR" and "RETR".
We expect the sha256 hashes for the two fileinfo events generated for each file to be the same. However, in the case of the "test.pdf" file, the fileinfo event generated by the "RETR" command has a wrong hash due to the last chunk not being processed by the stream reassembly engine because of the above bug.
The packet with the FIN and ACK flags set is packet 400 in the pcap.
Expected "test.pdf" hash: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
Obtained "test.pdf" hashes: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382 f7c7d7a890e94023b1c5fae718f017b4e4a1ab13c4db06417c96289759c0bf84 (wrong)
Updated by Shivani Bhardwaj 6 months ago
- Status changed from Assigned to Closed