-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stream: RST no longer acks all data #12186
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12186 +/- ##
==========================================
- Coverage 83.17% 83.16% -0.02%
==========================================
Files 912 912
Lines 257111 257090 -21
==========================================
- Hits 213856 213798 -58
- Misses 43255 43292 +37
Flags with carried forward coverage won't be shown. Click here to find out more. |
Information: ERROR: QA failed on SURI_TLPW1_files_sha256.
Pipeline 23616 |
@ct0br0 I have the pcaps, no action needed at this point. |
After investigating the missing hashes, my conclusion is that the behavior in this PR is correct. They all seem to have the following pattern:
In Since the issues are with TLPW1, I'm crafting some additional SV tests to show the issue. |
Since forever (1578ef1) a valid RST would update the internal `last_ack` representation to include all unack'd data. This was originally done to make sure the unACK'd data was inspected/processed at flow timeout. It was observed however, that if GAPs existed in this unACK'd data, a GAP could be reported in the stats and a GAP event would be raised. This doesn't make sense, as missing segments in the unACK'd part of the stream are completely normal. Segments simply do not all arrive in order. It turns out that the original behavior of updating `last_ack` to include all unACK'd data is no longer needed. For raw stream inspection, the detection engine will already include the unACK'd data on flow end. For app-layer updates the unACK'd data is often harmful, as the data often has GAPs. Parser like the http parser would report these GAPs and could also get confused about the post-GAP data being a new transaction including a file. This lead to many reported errors and fantom txs and files. Since the GAP detection uses `last_ack` to determine GAPs, not moving `last_ack` addresses the GAP false positives. Ticket: OISF#7422.
3fe31ad
to
1d96aa2
Compare
OISF/suricata-verify@b7cf987 has a couple of tests to show the issue with TLPW1. |
@@ -3242,10 +3216,9 @@ static int StreamTcpPacketStateEstablished( | |||
ssn->client.window = window << ssn->client.wscale; | |||
|
|||
if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0) | |||
StreamTcpUpdateLastAck( | |||
ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, window)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also, notice this fix here ;)
Information: ERROR: QA failed on SURI_TLPW1_files_sha256.
Pipeline 23719 |
Replaced by #12300 |
Since forever (1578ef1) a valid RST would update the internal
last_ack
representation to include all unack'd data. This was originally done to make sure the unACK'd data was inspected/processed at flow timeout.It was observed however, that if GAPs existed in this unACK'd data, a GAP could be reported in the stats and a GAP event would be raised. This doesn't make sense, as missing segments in the unACK'd part of the stream are completely normal. Segments simply do not all arrive in order.
It turns out that the original behavior of updating
last_ack
to include all unACK'd data is no longer needed. Both raw stream inspection and app-layer updates will include the unACK'd data on stream timeout.Since the GAP detection uses
last_ack
to determine GAPs, not movinglast_ack
addresses the GAP false positives.Ticket: #7422.
SV_BRANCH=OISF/suricata-verify#2154