Bug #5843

closed

tcp/stream: session reuse on tcp flows w/o sessions

Added by Victor Julien almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal

Description

When a "stream starter" packet finds an existing TCP flow, the flow will be evaluated for reuse.

The following scenario isn't handled well:

1. Suricata starts after a tool has just stopped using lots of connections (in my case, ab stress testing a webserver).
2. Even though the client is closed already, the server is still doing connection cleanup, sending many FINs and later RSTs.
3. Suricata creates flows for these packets, but no TCP sessions.
4. The client resumes testing, creating flows that have the same 5-tuple as the flows created for the FIN/RST packets.
5. Suricata refuses to "reuse" the flows, as the condition "tcp flow w/o session" is not considered valid for session reuse.
6. The new TCP connection is not properly tracked and evaluated in parsing and detection.
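
The scenario in steps 2-5, replayed in a simplified flow model. This is an added example, not Suricata's code or the project's fix: `ModelFlow`, `feed`, `last_packet_tracked` and both policy functions are hypothetical names, the packet sequences are constructed, and treating a session-less flow as valid for reuse is an assumption based on the issue title.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical, simplified model; not Suricata's structures or code. */
typedef struct { bool exists, has_ssn, ssn_closed; } ModelFlow;
typedef bool (*ReusePolicy)(const ModelFlow *);

/* Constructed packet sequences for a single 5-tuple (TCP flags only). */
const uint8_t LEFTOVER_THEN_SYN[] = { TH_FIN | TH_ACK, TH_RST, TH_SYN }; /* steps 2-4 */
const uint8_t NORMAL_REOPEN[]     = { TH_SYN, TH_FIN | TH_ACK, TH_SYN };

/* Model assumption: only a bare SYN counts as a "stream starter". */
static bool stream_starter(uint8_t fl)
{
    return (fl & (TH_SYN | TH_FIN | TH_RST | TH_ACK)) == TH_SYN;
}

/* Step 5 as reported: a flow without a session is never valid for reuse. */
bool reuse_reported(const ModelFlow *f) { return f->has_ssn && f->ssn_closed; }

/* Assumed handling: a flow without a session is also valid for reuse. */
bool reuse_with_sessionless(const ModelFlow *f) { return !f->has_ssn || f->ssn_closed; }

/* Feed one packet; returns true if it opens a tracked session. */
static bool feed(ModelFlow *f, uint8_t fl, ReusePolicy reuse_ok)
{
    if (!f->exists) {            /* first packet: FIN/RST gives a flow, no session (step 3) */
        *f = (ModelFlow){ true, stream_starter(fl), false };
        return f->has_ssn;
    }
    if (stream_starter(fl) && reuse_ok(f)) {   /* existing flow evaluated for reuse */
        *f = (ModelFlow){ true, true, false }; /* recycled with a fresh session */
        return true;
    }
    if (f->has_ssn && (fl & (TH_FIN | TH_RST)))
        f->ssn_closed = true;    /* coarse: any FIN/RST ends the session */
    return false;                /* packet stays on the old flow, untracked */
}

/* True if the last packet of the sequence opened a tracked session. */
bool last_packet_tracked(const uint8_t *pkts, size_t n, ReusePolicy reuse_ok)
{
    ModelFlow f = { false, false, false };
    bool tracked = false;
    for (size_t i = 0; i < n; i++) tracked = feed(&f, pkts[i], reuse_ok);
    return tracked;
}
```

With `reuse_reported`, the SYN that follows the leftover FIN/RST packets never gets a session, while an ordinary close-and-reopen is tracked under both policies.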


Subtasks: 1 (0 open, 1 closed)

Bug #5852: tcp/stream: session reuse on tcp flows w/o sessions (6.0.x backport) - Closed - Victor Julien
#1

Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to In Progress
  • Label Needs backport to 6.0 added
#3

Updated by Shivani Bhardwaj almost 2 years ago

  • Subtask #5852 added
#4

Updated by Shivani Bhardwaj almost 2 years ago

  • Label deleted (Needs backport to 6.0)
#5

Updated by Victor Julien almost 2 years ago

  • Status changed from Resolved to Closed