stream: RST no longer acks all data #12186
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12186 +/- ##
==========================================
- Coverage 83.17% 83.16% -0.02%
==========================================
Files 912 912
Lines 257111 257090 -21
==========================================
- Hits 213856 213798 -58
- Misses 43255 43292 +37
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: ERROR: QA failed on SURI_TLPW1_files_sha256.
Pipeline 23616 |
|
@ct0br0 I have the pcaps, no action needed at this point. |
|
After investigating the missing hashes, my conclusion is that the behavior in this PR is correct. They all seem to have the following pattern:
In Since the issues are with TLPW1, I'm crafting some additional SV tests to show the issue. |
Since forever (1578ef1) a valid RST would update the internal `last_ack` representation to include all unack'd data. This was originally done to make sure the unACK'd data was inspected/processed at flow timeout. It was observed however, that if GAPs existed in this unACK'd data, a GAP could be reported in the stats and a GAP event would be raised. This doesn't make sense, as missing segments in the unACK'd part of the stream are completely normal. Segments simply do not all arrive in order. It turns out that the original behavior of updating `last_ack` to include all unACK'd data is no longer needed. For raw stream inspection, the detection engine will already include the unACK'd data on flow end. For app-layer updates the unACK'd data is often harmful, as the data often has GAPs. Parser like the http parser would report these GAPs and could also get confused about the post-GAP data being a new transaction including a file. This lead to many reported errors and fantom txs and files. Since the GAP detection uses `last_ack` to determine GAPs, not moving `last_ack` addresses the GAP false positives. Ticket: OISF#7422.
victorjulien
force-pushed
the
stream-fixes/v5
branch
from
3fe31ad to
1d96aa2
Compare
|
OISF/suricata-verify@b7cf987 has a couple of tests to show the issue with TLPW1. |
| @@ -3242,10 +3216,9 @@ static int StreamTcpPacketStateEstablished( | |||
| ssn->client.window = window << ssn->client.wscale; | |||
|
|
|||
| if ((tcph->th_flags & TH_ACK) && StreamTcpValidateAck(ssn, &ssn->server, p) == 0) | |||
| StreamTcpUpdateLastAck( | |||
| ssn, &ssn->server, StreamTcpResetGetMaxAck(&ssn->server, window)); | |||
There was a problem hiding this comment.
also, notice this fix here ;)
|
Information: ERROR: QA failed on SURI_TLPW1_files_sha256.
Pipeline 23719 |
Since forever (1578ef1) a valid RST would update the internal
last_ackrepresentation to include all unack'd data. This was originally done to make sure the unACK'd data was inspected/processed at flow timeout.It was observed however, that if GAPs existed in this unACK'd data, a GAP could be reported in the stats and a GAP event would be raised. This doesn't make sense, as missing segments in the unACK'd part of the stream are completely normal. Segments simply do not all arrive in order.
It turns out that the original behavior of updating
last_ackto include all unACK'd data is no longer needed. Both raw stream inspection and app-layer updates will include the unACK'd data on stream timeout.Since the GAP detection uses
last_ackto determine GAPs, not movinglast_ackaddresses the GAP false positives.Ticket: #7422.
SV_BRANCH=OISF/suricata-verify#2154