Project

General

Profile

Actions
Copy link

Bug #7422

open

tcp: GAP event set on unack'd data following a RST

Added by Victor Julien 19 days ago. Updated 19 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

What is happening, is the following:
​1. a normal tcp session
2. a RST+ACK comes in - the reset packet is accepted. Instead of using the ACK value from this packet, Suricata auto-ACK's all data
3. a few more packets come in as the flow times out, these are not accepted as the session is now CLOSED (due to (2))
​4. the flow timeout triggers, and it sees that there is unprocessed data
5. the unprocessed data contains gaps. This is normal, as it was in-window, but not yet ACKd
6. the GAP event is raised and the counter is incremented

The behavior of a valid RST making all data inspectable in Suricata is long standing, although sadly not explained:
https://github.com/OISF/suricata/commit/1578ef1e3e8a24d0cc615430c4e6bec1fefdad28

Subtasks 1 (1 open0 closed)

Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport)AssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien 19 days ago

  • Status changed from Assigned to In Progress
Actions
Copy link
 #2

Updated by Victor Julien 19 days ago

  • Status changed from In Progress to In Review
  • Label Needs backport to 7.0 added
Actions
Copy link
 #3

Updated by OISF Ticketbot 19 days ago

  • Subtask #7428 added
Actions
Copy link
 #4

Updated by OISF Ticketbot 19 days ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link

Also available in: Atom PDF