
Bug #7422: tcp: GAP event set on unack'd data following a RST

Added by Victor Julien over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal

Description

What is happening is the following:
1. a normal tcp session
2. a RST+ACK comes in - the reset packet is accepted. Instead of using the ACK value from this packet, Suricata auto-ACKs all data
3. a few more packets come in as the flow times out, these are not accepted as the session is now CLOSED (due to (2))
4. the flow timeout triggers, and it sees that there is unprocessed data
5. the unprocessed data contains gaps. This is normal, as it was in-window, but not yet ACKd
6. the GAP event is raised and the counter is incremented

The behavior of a valid RST making all data inspectable in Suricata is long-standing, although sadly not explained:
https://github.com/OISF/suricata/commit/1578ef1e3e8a24d0cc615430c4e6bec1fefdad28
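
The six steps above, replayed against a toy reassembly model. This is an added example, not Suricata code and not part of the original report; every name in it is hypothetical, the trace is constructed, and sequence-number wraparound is ignored. The `auto_ack=False` path exists only to contrast with step 2 and is not a statement of how the bug was fixed.

```python
# Toy model of the sequence in the description; not Suricata code.
# All names are hypothetical; sequence-number wraparound is ignored.

def find_gaps(segments, base_seq, ack_limit):
    """Holes in [base_seq, ack_limit) that no buffered segment covers."""
    gaps, cursor = [], base_seq
    for start, end in sorted(segments):
        if start >= ack_limit:
            break
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, min(end, ack_limit))
    if cursor < ack_limit:
        gaps.append((cursor, ack_limit))
    return gaps

class Stream:
    def __init__(self, isn):
        self.base_seq = self.last_ack = isn
        self.segments = []          # (start, end) byte ranges, end exclusive
        self.closed = False

    def data(self, seq, length):
        if self.closed:             # step 3: session is CLOSED, packet rejected
            return False
        self.segments.append((seq, seq + length))
        return True

    def ack(self, ack):
        self.last_ack = max(self.last_ack, ack)

    def rst(self, ack, auto_ack):
        # step 2: auto_ack=True treats every buffered byte as ACKed;
        # auto_ack=False is the comparison case that honours the packet's ACK.
        highest = max([end for _, end in self.segments], default=ack)
        self.last_ack = max(self.last_ack, highest if auto_ack else ack)
        self.closed = True

    def timeout_gaps(self):         # steps 4-6: timeout inspects the ACKed range
        return find_gaps(self.segments, self.base_seq, self.last_ack)

def replay(auto_ack):
    s = Stream(isn=1000)            # constructed trace
    s.data(1000, 100); s.ack(1100)  # step 1: normal, ACKed data
    s.data(1100, 100)               # in window, not yet ACKed
    s.data(1300, 100)               # in window, bytes 1200-1299 not seen yet
    s.rst(ack=1100, auto_ack=auto_ack)
    late = s.data(1200, 100)        # retransmission arrives after the RST
    return late, s.timeout_gaps()
```

With `auto_ack=True` the hole at 1200-1299 falls inside the range treated as ACKed and is reported as a gap at timeout; with the RST's own ACK value the same hole stays outside the inspected range.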


Subtasks: 1 (0 open, 1 closed)

Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport) - Closed - Victor Julien

#1 Updated by Victor Julien over 1 year ago

  • Status changed from Assigned to In Progress

#2 Updated by Victor Julien over 1 year ago

  • Status changed from In Progress to In Review
  • Label Needs backport to 7.0 added

#3 Updated by OISF Ticketbot over 1 year ago

  • Subtask #7428 added

#4 Updated by OISF Ticketbot over 1 year ago

  • Label deleted (Needs backport to 7.0)

#5 Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Resolved

#6 Updated by Victor Julien about 1 year ago

  • Status changed from Resolved to Closed