85 #define STREAMTCP_DEFAULT_PREALLOC 2048
86 #define STREAMTCP_DEFAULT_MEMCAP (64 * 1024 * 1024)
87 #define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024)
88 #define STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560
89 #define STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560
90 #define STREAMTCP_DEFAULT_MAX_SYN_QUEUED 10
91 #define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5
106 .valid_settings_ips = {
132 .valid_settings_ips = {
158 .valid_settings_ips = {
184 .valid_settings_ips = {
207 static int StreamTcpStateDispatch(
216 static uint64_t ssn_pool_cnt = 0;
236 #if defined(DEBUG_VALIDATION) && defined(UNITTESTS)
239 BUG_ON(presize > UINT_MAX);
245 #if defined(DEBUG_VALIDATION) && defined(UNITTESTS)
248 BUG_ON(postsize > presize);
269 if (memcapcopy == 0 || size +
SC_ATOMIC_GET(st_memuse) <= memcapcopy)
281 if (size == 0 || (uint64_t)
SC_ATOMIC_GET(st_memuse) < size) {
302 if (stream != NULL) {
309 static void StreamTcp3wsFreeQueue(
TcpSession *ssn)
336 StreamTcp3wsFreeQueue(ssn);
397 static void *StreamTcpSessionPoolAlloc(
void)
411 static int StreamTcpSessionPoolInit(
void *data,
void* initdata)
421 static void StreamTcpSessionPoolCleanup(
void *s)
435 static inline bool StreamTcpInlineDropInvalid(
void)
446 static inline bool StreamTcpInlineDropUrg(
void)
455 static int RandomGetWrap(
void)
461 }
while(r >= ULONG_MAX - (ULONG_MAX % RAND_MAX));
491 uint16_t rdrange = 10;
500 if ((
ConfGetInt(
"stream.max-sessions", &value)) == 1) {
502 "Number of concurrent sessions is now only limited by Flow and "
503 "TCP stream engine memcaps.");
506 if ((
ConfGetInt(
"stream.prealloc-sessions", &value)) == 1) {
513 if (
ConfGetNode(
"stream.prealloc-sessions") != NULL) {
521 SCLogConfig(
"stream \"prealloc-sessions\": %"PRIu32
" (per thread)",
525 const char *temp_stream_memcap_str;
526 if (
ConfGet(
"stream.memcap", &temp_stream_memcap_str) == 1) {
527 uint64_t stream_memcap_copy;
530 "from conf file - %s. Killing engine",
531 temp_stream_memcap_str);
545 (void)
ConfGetBool(
"stream.midstream", &imidstream);
553 (void)
ConfGetBool(
"stream.async-oneside", &async_oneside);
562 if ((
ConfGetBool(
"stream.checksum-validation", &csum)) == 1) {
574 "enabled" :
"disabled");
577 const char *temp_stream_inline_str;
578 if (
ConfGet(
"stream.inline", &temp_stream_inline_str) == 1) {
583 if (strcmp(temp_stream_inline_str,
"auto") == 0) {
587 }
else if (
ConfGetBool(
"stream.inline", &inl) == 1) {
606 ?
"enabled" :
"disabled");
610 if ((
ConfGetBool(
"stream.bypass", &bypass)) == 1) {
619 ?
"enabled" :
"disabled");
622 int drop_invalid = 0;
623 if ((
ConfGetBool(
"stream.drop-invalid", &drop_invalid)) == 1) {
624 if (drop_invalid == 1) {
631 const char *temp_urgpol = NULL;
632 if (
ConfGet(
"stream.reassembly.urgent.policy", &temp_urgpol) == 1 && temp_urgpol != NULL) {
633 if (strcmp(temp_urgpol,
"inline") == 0) {
635 }
else if (strcmp(temp_urgpol,
"drop") == 0) {
637 }
else if (strcmp(temp_urgpol,
"oob") == 0) {
639 }
else if (strcmp(temp_urgpol,
"gap") == 0) {
642 FatalError(
"stream.reassembly.urgent.policy: invalid value '%s'", temp_urgpol);
651 const char *temp_urgoobpol = NULL;
652 if (
ConfGet(
"stream.reassembly.urgent.oob-limit-policy", &temp_urgoobpol) == 1 &&
653 temp_urgoobpol != NULL) {
654 if (strcmp(temp_urgoobpol,
"inline") == 0) {
656 }
else if (strcmp(temp_urgoobpol,
"drop") == 0) {
658 }
else if (strcmp(temp_urgoobpol,
"gap") == 0) {
661 FatalError(
"stream.reassembly.urgent.oob-limit-policy: invalid value '%s'", temp_urgoobpol);
671 if ((
ConfGetInt(
"stream.max-syn-queued", &value)) == 1) {
672 if (value >= 0 && value <= 255) {
684 if ((
ConfGetInt(
"stream.max-synack-queued", &value)) == 1) {
685 if (value >= 0 && value <= 255) {
697 const char *temp_stream_reassembly_memcap_str;
698 if (
ConfGet(
"stream.reassembly.memcap", &temp_stream_reassembly_memcap_str) == 1) {
699 uint64_t stream_reassembly_memcap_copy;
701 &stream_reassembly_memcap_copy) < 0) {
703 "stream.reassembly.memcap "
704 "from conf file - %s. Killing engine",
705 temp_stream_reassembly_memcap_str);
715 SCLogConfig(
"stream.reassembly \"memcap\": %"PRIu64
"",
719 const char *temp_stream_reassembly_depth_str;
720 if (
ConfGet(
"stream.reassembly.depth", &temp_stream_reassembly_depth_str) == 1) {
724 "stream.reassembly.depth "
725 "from conf file - %s. Killing engine",
726 temp_stream_reassembly_depth_str);
738 if ((
ConfGetBool(
"stream.reassembly.randomize-chunk-size", &randomize)) == 0) {
746 const char *temp_rdrange;
747 if (
ConfGet(
"stream.reassembly.randomize-chunk-range", &temp_rdrange) == 1) {
750 "stream.reassembly.randomize-chunk-range "
751 "from conf file - %s. Killing engine",
754 }
else if (rdrange >= 100) {
755 FatalError(
"stream.reassembly.randomize-chunk-range "
756 "must be lower than 100");
761 const char *temp_stream_reassembly_toserver_chunk_size_str;
762 if (
ConfGet(
"stream.reassembly.toserver-chunk-size",
763 &temp_stream_reassembly_toserver_chunk_size_str) == 1) {
767 "stream.reassembly.toserver-chunk-size "
768 "from conf file - %s. Killing engine",
769 temp_stream_reassembly_toserver_chunk_size_str);
778 long int r = RandomGetWrap();
783 const char *temp_stream_reassembly_toclient_chunk_size_str;
784 if (
ConfGet(
"stream.reassembly.toclient-chunk-size",
785 &temp_stream_reassembly_toclient_chunk_size_str) == 1) {
789 "stream.reassembly.toclient-chunk-size "
790 "from conf file - %s. Killing engine",
791 temp_stream_reassembly_toclient_chunk_size_str);
800 long int r = RandomGetWrap();
806 SCLogConfig(
"stream.reassembly \"toserver-chunk-size\": %"PRIu16,
808 SCLogConfig(
"stream.reassembly \"toclient-chunk-size\": %"PRIu16,
813 if (
ConfGetBool(
"stream.reassembly.raw", &enable_raw) == 1) {
821 SCLogConfig(
"stream.reassembly.raw: %s", enable_raw ?
"enabled" :
"disabled");
825 int liberal_timestamps = 0;
826 if (
ConfGetBool(
"stream.liberal-timestamps", &liberal_timestamps) == 1) {
830 SCLogConfig(
"stream.liberal-timestamps: %s", liberal_timestamps ?
"enabled" :
"disabled");
850 StreamTcpSessionPoolAlloc,
851 StreamTcpSessionPoolInit, NULL,
852 StreamTcpSessionPoolCleanup, NULL);
871 SCLogDebug(
"ssn_pool_cnt %"PRIu64
"", ssn_pool_cnt);
874 static bool IsReassemblyMemcapExceptionPolicyStatsValid(
enum ExceptionPolicy exception_policy)
882 static bool IsStreamTcpSessionMemcapExceptionPolicyStatsValid(
enum ExceptionPolicy policy)
890 static void StreamTcpSsnMemcapExceptionPolicyStatsIncr(
949 if (
unlikely((g_eps_stream_ssn_memcap != UINT64_MAX &&
950 g_eps_stream_ssn_memcap ==
t_pcapcnt))) {
965 const TCPHdr *tcph = PacketGetTCP(p);
1024 if (PacketIsIPv4(p)) {
1034 }
else if (PacketIsIPv6(p)) {
1060 #define StreamTcpUpdateLastAck(ssn, stream, ack) { \
1061 if (SEQ_GT((ack), (stream)->last_ack)) \
1063 SCLogDebug("ssn %p: last_ack set to %"PRIu32", moved %u forward", (ssn), (ack), (ack) - (stream)->last_ack); \
1064 if ((SEQ_LEQ((stream)->last_ack, (stream)->next_seq) && SEQ_GT((ack),(stream)->next_seq))) { \
1065 SCLogDebug("last_ack just passed next_seq: %u (was %u) > %u", (ack), (stream)->last_ack, (stream)->next_seq); \
1067 SCLogDebug("next_seq (%u) <> last_ack now %d", (stream)->next_seq, (int)(stream)->next_seq - (ack)); \
1069 (stream)->last_ack = (ack); \
1070 StreamTcpSackPruneList((stream)); \
1072 SCLogDebug("ssn %p: no update: ack %u, last_ack %"PRIu32", next_seq %u (state %u)", \
1073 (ssn), (ack), (stream)->last_ack, (stream)->next_seq, (ssn)->state); \
1077 #define StreamTcpAsyncLastAckUpdate(ssn, stream) { \
1078 if ((ssn)->flags & STREAMTCP_FLAG_ASYNC) { \
1079 if (SEQ_GT((stream)->next_seq, (stream)->last_ack)) { \
1080 uint32_t ack_diff = (stream)->next_seq - (stream)->last_ack; \
1081 (stream)->last_ack += ack_diff; \
1082 SCLogDebug("ssn %p: ASYNC last_ack set to %"PRIu32", moved %u forward", \
1083 (ssn), (stream)->next_seq, ack_diff); \
1088 #define StreamTcpUpdateNextSeq(ssn, stream, seq) { \
1089 (stream)->next_seq = seq; \
1090 SCLogDebug("ssn %p: next_seq %" PRIu32, (ssn), (stream)->next_seq); \
1091 StreamTcpAsyncLastAckUpdate((ssn), (stream)); \
1101 #define StreamTcpUpdateNextWin(ssn, stream, win) { \
1102 uint32_t sacked_size__ = StreamTcpSackedSize((stream)); \
1103 if (SEQ_GT(((win) + sacked_size__), (stream)->next_win)) { \
1104 (stream)->next_win = ((win) + sacked_size__); \
1105 SCLogDebug("ssn %p: next_win set to %"PRIu32, (ssn), (stream)->next_win); \
1113 SCLogDebug(
"ssn %p: (state: %s) Reset received and state changed to "
1117 static bool IsMidstreamExceptionPolicyStatsValid(
enum ExceptionPolicy policy)
1131 static void StreamTcpMidstreamExceptionPolicyStatsIncr(
1140 static int StreamTcpPacketIsRetransmission(
TcpStream *stream,
Packet *p)
1145 const TCPHdr *tcph = PacketGetTCP(p);
1183 static int StreamTcpPacketStateNone(
1186 const TCPHdr *tcph = PacketGetTCP(p);
1189 SCLogDebug(
"RST packet received, no session setup");
1199 SCLogDebug(
"FIN packet received, no session setup");
1205 SCLogDebug(
"FIN packet received, no session setup");
1222 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1254 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
", "
1255 "ssn->server.next_win %" PRIu32
"",
1257 SCLogDebug(
"ssn %p: ssn->client.last_ack %" PRIu32
", "
1258 "ssn->server.last_ack %" PRIu32
"",
1266 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1267 "ssn->client.last_ts %" PRIu32
"",
1286 SCLogDebug(
"ssn %p: assuming SACK permitted for both sides", ssn);
1295 SCLogDebug(
"Midstream not enabled, so won't pick up a session");
1300 SCLogDebug(
"Midstream policy not permissive, so won't pick up a session");
1323 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1324 "TCP_SYN_RECV", ssn);
1355 SCLogDebug(
"ssn %p: wscale enabled. client %u server %u",
1359 SCLogDebug(
"ssn %p: ssn->client.isn %"PRIu32
", ssn->client.next_seq"
1360 " %"PRIu32
", ssn->client.last_ack %"PRIu32
"", ssn,
1363 SCLogDebug(
"ssn %p: ssn->server.isn %"PRIu32
", ssn->server.next_seq"
1364 " %"PRIu32
", ssn->server.last_ack %"PRIu32
"", ssn,
1373 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1374 "ssn->client.last_ts %" PRIu32
"", ssn,
1392 SCLogDebug(
"ssn %p: SYN/ACK with SACK permitted, assuming "
1393 "SACK permitted for both sides", ssn);
1411 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_SYN_SENT", ssn);
1444 SCLogDebug(
"ssn %p: SACK permitted on SYN packet", ssn);
1451 SCLogDebug(
"ssn: %p (TFO) isn %u base_seq %u next_seq %u payload len %u", ssn,
1458 SCLogDebug(
"ssn %p: ssn->client.isn %" PRIu32
", "
1459 "ssn->client.next_seq %" PRIu32
", ssn->client.last_ack "
1469 SCLogDebug(
"Midstream not enabled, so won't pick up a session");
1474 SCLogDebug(
"Midstream policy not permissive, so won't pick up a session");
1491 SCLogDebug(
"ssn %p: =~ midstream picked ssn state is now "
1492 "TCP_ESTABLISHED", ssn);
1513 SCLogDebug(
"ssn %p: ssn->client.isn %u, ssn->client.next_seq %u",
1522 SCLogDebug(
"ssn %p: ssn->client.next_win %"PRIu32
", "
1523 "ssn->server.next_win %"PRIu32
"", ssn,
1525 SCLogDebug(
"ssn %p: ssn->client.last_ack %"PRIu32
", "
1526 "ssn->server.last_ack %"PRIu32
"", ssn,
1534 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1535 "ssn->client.last_ts %" PRIu32
"", ssn,
1554 SCLogDebug(
"ssn %p: assuming SACK permitted for both sides", ssn);
1568 const TCPHdr *tcph = PacketGetTCP(p);
1598 StreamTcp3whsSynAckToStateQueue(p, &search);
1606 search.
ts == q->
ts) {
1619 if (StreamTcp3whsFindSynAckBySynAck(ssn, p) != NULL)
1623 SCLogDebug(
"ssn %p: =~ SYN/ACK queue limit reached", ssn);
1629 SCLogDebug(
"ssn %p: =~ SYN/ACK queue failed: stream memcap reached", ssn);
1635 SCLogDebug(
"ssn %p: =~ SYN/ACK queue failed: alloc failed", ssn);
1640 StreamTcp3whsSynAckToStateQueue(p, q);
1654 const TCPHdr *tcph = PacketGetTCP(p);
1689 StreamTcp3whsSynAckToStateQueue(p, &update);
1696 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_SYN_RECV", ssn);
1712 SCLogDebug(
"ssn %p: ssn->server.last_ts %" PRIu32
" "
1713 "ssn->client.last_ts %" PRIu32
"", ssn,
1741 SCLogDebug(
"ssn %p: SACK permitted for session", ssn);
1748 SCLogDebug(
"ssn %p: ssn->server.next_win %" PRIu32
"", ssn,
1750 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
"", ssn,
1752 SCLogDebug(
"ssn %p: ssn->server.isn %" PRIu32
", "
1753 "ssn->server.next_seq %" PRIu32
", "
1754 "ssn->server.last_ack %" PRIu32
" "
1755 "(ssn->client.last_ack %" PRIu32
")", ssn,
1762 SCLogDebug(
"ssn %p: STREAMTCP_FLAG_4WHS unset, normal SYN/ACK"
1763 " so considering 3WHS", ssn);
1774 static inline bool StateSynSentValidateTimestamp(
TcpSession *ssn,
Packet *p)
1784 if (receiver_stream->
last_ts != 0 && ts_echo != 0 &&
1785 ts_echo != receiver_stream->
last_ts)
1787 SCLogDebug(
"ssn %p: BAD TSECR echo %u recv %u", ssn,
1788 ts_echo, receiver_stream->
last_ts);
1792 if (receiver_stream->
last_ts == 0 && ts_echo != 0) {
1793 SCLogDebug(
"ssn %p: BAD TSECR echo %u recv %u", ssn,
1794 ts_echo, receiver_stream->
last_ts);
1804 memset(q, 0,
sizeof(*q));
1824 SCLogDebug(
"ssn %p: state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq, q->
win,
1830 #if defined(DEBUG_VALIDATION) || defined(DEBUG)
1834 memset(q, 0,
sizeof(*q));
1835 const TCPHdr *tcph = PacketGetTCP(p);
1853 SCLogDebug(
"ssn %p: state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq, q->
win,
1860 #if defined(DEBUG_VALIDATION) || defined(DEBUG)
1867 memset(q, 0,
sizeof(*q));
1869 const TCPHdr *tcph = PacketGetTCP(p);
1886 SCLogDebug(
"ssn %p: state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq, q->
win,
1896 SCLogDebug(
"ssn %p: search state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, s, s->
seq, s->
win,
1900 SCLogDebug(
"ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->
seq,
1914 TcpStateQueueInitFromSsnSyn(ssn, &search);
1917 if (ssn->
queue != NULL && StreamTcp3whsFindSyn(ssn, &search) != NULL)
1921 SCLogDebug(
"ssn %p: =~ SYN queue limit reached", ssn);
1927 SCLogDebug(
"ssn %p: =~ SYN queue failed: stream memcap reached", ssn);
1933 SCLogDebug(
"ssn %p: =~ SYN queue failed: alloc failed", ssn);
1980 static int StreamTcpPacketStateSynSent(
1984 const TCPHdr *tcph = PacketGetTCP(p);
1990 SCLogDebug(
"ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64, ssn, p->
pcap_cnt);
1997 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
1998 "%" PRIu32
" from stream",
2004 SCLogDebug(
"ssn %p: (TFO) ACK matches next_seq, packet ACK %" PRIu32
" == "
2005 "%" PRIu32
" from stream",
2008 SCLogDebug(
"ssn %p: (TFO) ACK matches ISN+1, packet ACK %" PRIu32
" == "
2009 "%" PRIu32
" from stream",
2017 SCLogDebug(
"ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32
" != "
2018 "%" PRIu32
" from stream",
2026 const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p);
2031 TcpStateQueueInitFromPktSynAck(p, &search);
2033 const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search);
2039 SCLogDebug(
"ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u",
2043 StreamTcp3whsStoreSynApplyToSsn(ssn, q);
2053 StreamTcp3wsFreeQueue(ssn);
2055 StreamTcp3whsSynAckUpdate(ssn, p, NULL);
2062 SCLogDebug(
"ssn %p: SYN/ACK received in the wrong direction", ssn);
2066 SCLogDebug(
"ssn %p: SYN/ACK received on 4WHS session", ssn);
2073 SCLogDebug(
"ssn %p: 4WHS ACK mismatch, packet ACK %" PRIu32
""
2074 " != %" PRIu32
" from stream",
2084 SCLogDebug(
"ssn %p: 4WHS SEQ mismatch, packet SEQ %" PRIu32
""
2085 " != %" PRIu32
" from *first* SYN pkt",
2092 SCLogDebug(
"ssn %p: =~ 4WHS ssn state is now TCP_SYN_RECV", ssn);
2106 SCLogDebug(
"ssn %p: 4WHS ssn->client.last_ts %" PRIu32
" "
2107 "ssn->server.last_ts %" PRIu32
"",
2132 SCLogDebug(
"ssn %p: SACK permitted for 4WHS session", ssn);
2139 SCLogDebug(
"ssn %p: 4WHS ssn->client.isn %" PRIu32
", "
2140 "ssn->client.next_seq %" PRIu32
", "
2141 "ssn->client.last_ack %" PRIu32
" "
2142 "(ssn->server.last_ack %" PRIu32
")",
2151 if (!StateSynSentValidateTimestamp(ssn, p)) {
2159 if (!StreamTcpValidateRst(ssn, p))
2166 SCLogDebug(
"ssn->server.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
2168 StreamTcpCloseSsnWithReset(p, ssn);
2169 StreamTcp3wsFreeQueue(ssn);
2173 SCLogDebug(
"ssn->client.flags |= STREAMTCP_STREAM_FLAG_RST_RECV");
2174 StreamTcpCloseSsnWithReset(p, ssn);
2175 StreamTcp3wsFreeQueue(ssn);
2183 SCLogDebug(
"ssn %p: SYN packet on state SYN_SENT... resent", ssn);
2185 SCLogDebug(
"ssn %p: SYN packet on state SYN_SENT... resent of "
2198 SCLogDebug(
"ssn %p: STREAMTCP_FLAG_4WHS flag set", ssn);
2235 SCLogDebug(
"ssn %p: 4WHS ssn->server.isn %" PRIu32
", "
2236 "ssn->server.next_seq %" PRIu32
", "
2237 "ssn->server.last_ack %"PRIu32
"", ssn,
2240 SCLogDebug(
"ssn %p: 4WHS ssn->client.isn %" PRIu32
", "
2241 "ssn->client.next_seq %" PRIu32
", "
2242 "ssn->client.last_ack %"PRIu32
"", ssn,
2251 TcpStateQueueInitFromPktSyn(p, &syn_pkt);
2252 TcpStateQueueInitFromSsnSyn(ssn, &syn_ssn);
2254 if (memcmp(&syn_pkt, &syn_ssn,
sizeof(
TcpStateQueue)) != 0) {
2256 StreamTcp3whsStoreSyn(ssn, p);
2257 SCLogDebug(
"ssn %p: Retransmitted SYN. Updating ssn from packet %" PRIu64
2258 ". Stored previous state",
2261 StreamTcp3whsStoreSynApplyToSsn(ssn, &syn_pkt);
2277 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
2278 "%" PRIu32
" from stream",
2285 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2286 StreamTcp3wsFreeQueue(ssn);
2299 SCLogDebug(
"ssn %p: synsent => Asynchronous stream, packet SEQ"
2300 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2301 "ssn->client.next_seq %" PRIu32
"",
2350 static int StreamTcpPacketStateSynRecv(
2354 const TCPHdr *tcph = PacketGetTCP(p);
2357 if (!StreamTcpValidateRst(ssn, p))
2374 SCLogDebug(
"Detection evasion has been attempted, so"
2375 " not resetting the connection !!");
2383 SCLogDebug(
"Detection evasion has been attempted, so"
2384 " not resetting the connection !!");
2390 StreamTcpCloseSsnWithReset(p, ssn);
2393 StreamTcpHandleTimestamp(ssn, p);
2400 if (!StreamTcpValidateTimestamp(ssn, p))
2404 if ((StreamTcpHandleFin(
tv, stt, ssn, p)) == -1)
2409 SCLogDebug(
"ssn %p: SYN/ACK packet on state SYN_RECV. resent", ssn);
2412 SCLogDebug(
"ssn %p: SYN/ACK-pkt to server in SYN_RECV state", ssn);
2421 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
2422 "%" PRIu32
" from stream",
2432 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
2433 "%" PRIu32
" from stream",
2436 if (StreamTcp3whsQueueSynAck(ssn, p) == -1)
2438 SCLogDebug(
"ssn %p: queued different SYN/ACK", ssn);
2442 SCLogDebug(
"ssn %p: SYN packet on state SYN_RECV... resent", ssn);
2445 SCLogDebug(
"ssn %p: SYN-pkt to client in SYN_RECV state", ssn);
2452 SCLogDebug(
"ssn %p: SYN with different SEQ on SYN_RECV state", ssn);
2460 SCLogDebug(
"ssn %p: checking ACK against queued SYN/ACKs", ssn);
2463 SCLogDebug(
"ssn %p: here we update state against queued SYN/ACK", ssn);
2464 StreamTcp3whsSynAckUpdate(ssn, p, q);
2466 SCLogDebug(
"ssn %p: none found, now checking ACK against original SYN/ACK (state)", ssn);
2476 if (!(StreamTcpValidateTimestamp(ssn, p))) {
2482 SCLogDebug(
"ssn %p: ACK received on 4WHS session",ssn);
2485 SCLogDebug(
"ssn %p: 4WHS wrong seq nr on packet", ssn);
2490 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
2491 SCLogDebug(
"ssn %p: 4WHS invalid ack nr on packet", ssn);
2497 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
2498 "%" PRIu32
", ACK %" PRIu32
"",
2502 StreamTcpHandleTimestamp(ssn, p);
2511 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2515 SCLogDebug(
"ssn %p: ssn->client.next_win %" PRIu32
", "
2516 "ssn->client.last_ack %"PRIu32
"", ssn,
2521 bool ack_indicates_missed_3whs_ack_packet =
false;
2531 SCLogDebug(
"ssn %p: ACK received on midstream SYN/ACK "
2532 "pickup session",ssn);
2535 SCLogDebug(
"ssn %p: ACK received on TFO session",ssn);
2552 SCLogDebug(
"ssn %p: possible data injection", ssn);
2557 SCLogDebug(
"ssn %p: ACK received in the wrong direction",
2562 ack_indicates_missed_3whs_ack_packet =
true;
2566 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ %" PRIu32
""
2567 ", ACK %" PRIu32
"",
2579 StreamTcpHandleTimestamp(ssn, p);
2603 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2629 StreamTcpHandleTimestamp(ssn, p);
2642 SCLogDebug(
"ssn %p: synrecv => Asynchronous stream, packet SEQ"
2643 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2644 "ssn->server.next_seq %" PRIu32,
2649 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2658 SCLogDebug(
"ssn %p: wrong ack nr on packet, possible evasion!!",
2668 SCLogDebug(
"ssn %p: ACK for missing data", ssn);
2671 StreamTcpHandleTimestamp(ssn, p);
2677 SCLogDebug(
"ssn %p: ACK for missing data: ssn->server.next_seq %u", ssn,
2687 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2696 SCLogDebug(
"ssn %p: ACK for missing data", ssn);
2699 StreamTcpHandleTimestamp(ssn, p);
2721 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2726 }
else if ((ack_indicates_missed_3whs_ack_packet ||
2730 if (ack_indicates_missed_3whs_ack_packet) {
2731 SCLogDebug(
"ssn %p: packet fits perfectly after a missed 3whs-ACK", ssn);
2733 SCLogDebug(
"ssn %p: (TFO) expected packet fits perfectly after SYN/ACK", ssn);
2742 SCLogDebug(
"ssn %p: =~ ssn state is now TCP_ESTABLISHED", ssn);
2747 SCLogDebug(
"ssn %p: wrong seq nr on packet", ssn);
2753 SCLogDebug(
"ssn %p: ssn->server.next_win %" PRIu32
", "
2754 "ssn->server.last_ack %"PRIu32
"", ssn,
2776 static int HandleEstablishedPacketToServer(
2779 const TCPHdr *tcph = PacketGetTCP(p);
2784 SCLogDebug(
"ssn %p: =+ pkt (%" PRIu32
") is to server: SEQ %" PRIu32
","
2785 "ACK %" PRIu32
", WIN %" PRIu16
"",
2791 SCLogDebug(
"ssn %p: accepting ACK as it ACKs the one byte from the ZWP", ssn);
2794 }
else if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
2795 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2803 SCLogDebug(
"ssn %p: pkt is keep alive", ssn);
2808 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ"
2809 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2810 " ssn->client.last_ack %" PRIu32
", ssn->client.next_win"
2811 "%" PRIu32
"(%" PRIu32
")",
2821 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ."
2822 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2823 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2824 "%" PRIu32
"(%" PRIu32
")",
2836 SCLogDebug(
"ssn %p: server => Asynchronous stream, packet SEQ"
2837 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2838 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2839 "%" PRIu32
"(%" PRIu32
")",
2854 SCLogDebug(
"ssn %p: PKT SEQ %" PRIu32
" payload_len %" PRIu16
2855 " before last_ack %" PRIu32
", after next_seq %" PRIu32
":"
2856 " acked data that we haven't seen before",
2859 SCLogDebug(
"ssn %p: server => SEQ before last_ack, packet SEQ"
2860 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"), "
2861 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2862 "%" PRIu32
"(%" PRIu32
")",
2866 SCLogDebug(
"ssn %p: rejecting because pkt before last_ack", ssn);
2872 int zerowindowprobe = 0;
2875 SCLogDebug(
"ssn %p: zero window probe", ssn);
2876 zerowindowprobe = 1;
2886 if (zerowindowprobe) {
2887 SCLogDebug(
"ssn %p: zero window probe, skipping oow check", ssn);
2890 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->client.next_win "
2895 SCLogDebug(
"ssn %p: ssn->server.window %"PRIu32
"", ssn,
2912 StreamTcpHandleTimestamp(ssn, p);
2924 SCLogDebug(
"ssn %p: toserver => SEQ out of window, packet SEQ "
2925 "%" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2926 "ssn->client.last_ack %" PRIu32
", ssn->client.next_win "
2927 "%" PRIu32
"(%" PRIu32
")",
2931 StreamTcpSackedSize(&ssn->
client));
2951 static int HandleEstablishedPacketToClient(
2954 const TCPHdr *tcph = PacketGetTCP(p);
2959 SCLogDebug(
"ssn %p: =+ pkt (%" PRIu32
") is to client: SEQ %" PRIu32
","
2960 " ACK %" PRIu32
", WIN %" PRIu16
"",
2966 SCLogDebug(
"ssn %p: accepting ACK as it ACKs the one byte from the ZWP", ssn);
2969 }
else if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
2970 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
2984 SCLogDebug(
"ssn %p: adjusted midstream ssn->server.next_win to "
2990 SCLogDebug(
"ssn %p: pkt is keep alive", ssn);
2996 SCLogDebug(
"ssn %p: client => Asynchronous stream, packet SEQ"
2997 " %" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
2998 " ssn->client.last_ack %" PRIu32
", ssn->client.next_win"
2999 " %" PRIu32
"(%" PRIu32
")",
3010 SCLogDebug(
"ssn %p: PKT SEQ %" PRIu32
" payload_len %" PRIu16
3011 " before last_ack %" PRIu32
", after next_seq %" PRIu32
":"
3012 " acked data that we haven't seen before",
3015 SCLogDebug(
"ssn %p: PKT SEQ %" PRIu32
" payload_len %" PRIu16
3016 " before last_ack %" PRIu32
". next_seq %" PRIu32,
3023 int zerowindowprobe = 0;
3026 SCLogDebug(
"ssn %p: zero window probe", ssn);
3027 zerowindowprobe = 1;
3038 if (zerowindowprobe) {
3039 SCLogDebug(
"ssn %p: zero window probe, skipping oow check", ssn);
3042 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->server.next_win "
3046 SCLogDebug(
"ssn %p: ssn->client.window %"PRIu32
"", ssn,
3059 StreamTcpHandleTimestamp(ssn, p);
3068 SCLogDebug(
"ssn %p: client => SEQ out of window, packet SEQ"
3069 "%" PRIu32
", payload size %" PRIu32
" (%" PRIu32
"),"
3070 " ssn->server.last_ack %" PRIu32
", ssn->server.next_win "
3071 "%" PRIu32
"(%" PRIu32
")",
3080 static bool StreamTcpPacketIsZeroWindowProbeAck(
const TcpSession *ssn,
const Packet *p)
3082 const TCPHdr *tcph = PacketGetTCP(p);
3106 if (pkt_win != rcv->
window)
3113 SCLogDebug(
"ssn %p: packet %" PRIu64
" is a Zero Window Probe ACK", ssn, p->
pcap_cnt);
3120 static bool StreamTcpPacketIsDupAck(
const TcpSession *ssn,
const Packet *p)
3122 const TCPHdr *tcph = PacketGetTCP(p);
3140 if (pkt_win == 0 || rcv->
window == 0)
3142 if (pkt_win != rcv->
window)
3150 SCLogDebug(
"ssn %p: packet:%" PRIu64
" seq:%u ack:%u win:%u snd %u:%u:%u rcv %u:%u:%u", ssn,
3174 const TCPHdr *tcph = PacketGetTCP(p);
3225 static int StreamTcpPacketIsSpuriousRetransmission(
const TcpSession *ssn,
Packet *p)
3236 const TCPHdr *tcph = PacketGetTCP(p);
3242 "ssn %p: spurious retransmission; packet entirely before base_seq: SEQ %u(%u) "
3243 "last_ack %u base_seq %u",
3252 SCLogDebug(
"ssn %p: spurious retransmission; packet entirely before last_ack: SEQ %u(%u) "
3260 SCLogDebug(
"ssn %p: NOT spurious retransmission; packet NOT entirely before last_ack: SEQ "
3261 "%u(%u) last_ack %u, base_seq %u",
3278 static int StreamTcpPacketStateEstablished(
3282 const TCPHdr *tcph = PacketGetTCP(p);
3288 if (!StreamTcpValidateRst(ssn, p))
3292 StreamTcpCloseSsnWithReset(p, ssn);
3296 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
3306 StreamTcpHandleTimestamp(ssn, p);
3310 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3318 StreamTcpCloseSsnWithReset(p, ssn);
3323 SCLogDebug(
"ssn %p: ssn->server.next_seq %" PRIu32
"", ssn,
3333 StreamTcpHandleTimestamp(ssn, p);
3337 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3348 if (!StreamTcpValidateTimestamp(ssn, p))
3353 " %" PRIu32
", last ACK %" PRIu32
", next win %"PRIu32
","
3358 if ((StreamTcpHandleFin(
tv, stt, ssn, p)) == -1)
3363 SCLogDebug(
"ssn %p: SYN/ACK packet on state ESTABLISHED... resent",
3367 SCLogDebug(
"ssn %p: SYN/ACK-pkt to server in ESTABLISHED state", ssn);
3376 SCLogDebug(
"ssn %p: ACK mismatch, packet ACK %" PRIu32
" != "
3377 "%" PRIu32
" from stream",
3387 SCLogDebug(
"ssn %p: SEQ mismatch, packet SEQ %" PRIu32
" != "
3388 "%" PRIu32
" from stream",
3401 SCLogDebug(
"ssn %p: SYN/ACK packet on state ESTABLISHED... resent. "
3402 "Likely due server not receiving final ACK in 3whs", ssn);
3406 SCLogDebug(
"ssn %p: SYN packet on state ESTABLISHED... resent", ssn);
3408 SCLogDebug(
"ssn %p: SYN-pkt to client in EST state", ssn);
3415 SCLogDebug(
"ssn %p: SYN with different SEQ on SYN_RECV state", ssn);
3436 if (!StreamTcpValidateTimestamp(ssn, p))
3442 HandleEstablishedPacketToServer(
tv, ssn, p, stt);
3444 SCLogDebug(
"ssn %p: next SEQ %" PRIu32
", last ACK %" PRIu32
","
3445 " next win %" PRIu32
", win %" PRIu32
"", ssn,
3452 SCLogDebug(
"3whs is now confirmed by server");
3456 HandleEstablishedPacketToClient(
tv, ssn, p, stt);
3458 SCLogDebug(
"ssn %p: next SEQ %" PRIu32
", last ACK %" PRIu32
","
3459 " next win %" PRIu32
", win %" PRIu32
"", ssn,
3484 const TCPHdr *tcph = PacketGetTCP(p);
3490 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ %" PRIu32
","
3494 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3495 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3501 SCLogDebug(
"ssn %p: -> SEQ %u, re %u. last_ack %u next_win %u", ssn,
seq, pkt_re,
3506 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
" != "
3507 "%" PRIu32
" from stream",
3520 SCLogDebug(
"ssn %p: state changed to TCP_CLOSE_WAIT", ssn);
3525 SCLogDebug(
"ssn %p: ssn->client.next_seq %" PRIu32
"", ssn,
3530 StreamTcpHandleTimestamp(ssn, p);
3543 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK %" PRIu32
"",
3546 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ %" PRIu32
", "
3550 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3551 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3557 SCLogDebug(
"ssn %p: -> SEQ %u, re %u. last_ack %u next_win %u", ssn,
seq, pkt_re,
3562 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
" != "
3563 "%" PRIu32
" from stream (last_ack %u win %u = %u)",
3572 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT1", ssn);
3581 StreamTcpHandleTimestamp(ssn, p);
3594 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK %" PRIu32
"",
3614 static int StreamTcpPacketStateFinWait1(
3618 const TCPHdr *tcph = PacketGetTCP(p);
3624 if (!StreamTcpValidateRst(ssn, p))
3627 StreamTcpCloseSsnWithReset(p, ssn);
3636 StreamTcpHandleTimestamp(ssn, p);
3647 StreamTcpHandleTimestamp(ssn, p);
3655 if (!StreamTcpValidateTimestamp(ssn, p))
3660 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3661 "%" PRIu32
", ACK %" PRIu32
"",
3663 int retransmission = 0;
3665 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3666 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3672 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3673 " != %" PRIu32
" from stream",
3679 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3680 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3685 if (!retransmission) {
3687 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3693 StreamTcpHandleTimestamp(ssn, p);
3709 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3713 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3714 "%" PRIu32
", ACK %" PRIu32
"",
3716 int retransmission = 0;
3718 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3719 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3724 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3730 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3731 " != %" PRIu32
" from stream",
3737 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3738 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3744 StreamTcpHandleTimestamp(ssn, p);
3747 if (!retransmission) {
3749 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
3767 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3774 if (!StreamTcpValidateTimestamp(ssn, p))
3779 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3780 "%" PRIu32
", ACK %" PRIu32
"",
3782 int retransmission = 0;
3784 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3785 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3791 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3792 " != %" PRIu32
" from stream",
3798 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3799 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3804 if (!retransmission) {
3806 SCLogDebug(
"ssn %p: state changed to TCP_CLOSING", ssn);
3812 StreamTcpHandleTimestamp(ssn, p);
3829 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3833 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3834 "%" PRIu32
", ACK %" PRIu32
"",
3837 int retransmission = 0;
3839 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3840 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3846 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3847 " != %" PRIu32
" from stream",
3853 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3854 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3859 if (!retransmission) {
3861 SCLogDebug(
"ssn %p: state changed to TCP_CLOSING", ssn);
3867 StreamTcpHandleTimestamp(ssn, p);
3884 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3889 SCLogDebug(
"ssn (%p): SYN pkt on FinWait1", ssn);
3895 if (!StreamTcpValidateTimestamp(ssn, p))
3900 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
3901 "%" PRIu32
", ACK %" PRIu32
"",
3903 int retransmission = 0;
3905 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
3906 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3911 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
3912 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3919 "ssn %p: ACK's older segment as %u < %u", ssn, ack, ssn->
server.
next_seq);
3920 }
else if (!retransmission) {
3924 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->client.next_win "
3930 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT2", ssn);
3933 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
3934 " != %" PRIu32
" from stream",
3946 StreamTcpHandleTimestamp(ssn, p);
3967 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
3973 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
3974 "%" PRIu32
", ACK %" PRIu32
"",
3977 int retransmission = 0;
3979 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
3980 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
3985 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
3986 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
3991 if (!retransmission) {
3994 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->server.next_win "
4000 SCLogDebug(
"ssn %p: state changed to TCP_FIN_WAIT2", ssn);
4003 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4004 " != %" PRIu32
" from stream",
4014 StreamTcpHandleTimestamp(ssn, p);
4035 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4056 static int StreamTcpPacketStateFinWait2(
4060 const TCPHdr *tcph = PacketGetTCP(p);
4066 if (!StreamTcpValidateRst(ssn, p))
4069 StreamTcpCloseSsnWithReset(p, ssn);
4078 StreamTcpHandleTimestamp(ssn, p);
4089 StreamTcpHandleTimestamp(ssn, p);
4097 if (!StreamTcpValidateTimestamp(ssn, p))
4102 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4103 "%" PRIu32
", ACK %" PRIu32
"",
4105 int retransmission = 0;
4111 }
else if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4112 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4118 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ "
4119 "%" PRIu32
" != %" PRIu32
" from stream",
4125 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4126 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4131 if (!retransmission) {
4133 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4143 StreamTcpHandleTimestamp(ssn, p);
4156 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4160 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4161 "%" PRIu32
", ACK %" PRIu32
"",
4163 int retransmission = 0;
4169 }
else if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4170 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4176 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ "
4177 "%" PRIu32
" != %" PRIu32
" from stream",
4183 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4184 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4189 if (!retransmission) {
4191 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4197 StreamTcpHandleTimestamp(ssn, p);
4209 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4215 SCLogDebug(
"ssn (%p): SYN pkt on FinWait2", ssn);
4221 if (!StreamTcpValidateTimestamp(ssn, p))
4226 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4227 "%" PRIu32
", ACK %" PRIu32
"",
4229 int retransmission = 0;
4231 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4232 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4237 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4238 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4243 if (!retransmission) {
4246 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->client.next_win "
4251 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4252 " != %" PRIu32
" from stream",
4262 StreamTcpHandleTimestamp(ssn, p);
4278 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4282 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4283 "%" PRIu32
", ACK %" PRIu32
"",
4285 int retransmission = 0;
4287 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4288 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4293 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4294 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4299 if (!retransmission) {
4302 SCLogDebug(
"ssn %p: seq %" PRIu32
" in window, ssn->server.next_win "
4306 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4307 " != %" PRIu32
" from stream",
4317 StreamTcpHandleTimestamp(ssn, p);
4333 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4354 static int StreamTcpPacketStateClosing(
4358 const TCPHdr *tcph = PacketGetTCP(p);
4364 if (!StreamTcpValidateRst(ssn, p))
4367 StreamTcpCloseSsnWithReset(p, ssn);
4376 StreamTcpHandleTimestamp(ssn, p);
4387 StreamTcpHandleTimestamp(ssn, p);
4394 SCLogDebug(
"ssn (%p): SYN pkt on Closing", ssn);
4400 if (!StreamTcpValidateTimestamp(ssn, p))
4405 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4406 "%" PRIu32
", ACK %" PRIu32
"",
4408 int retransmission = 0;
4409 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4410 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4416 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4417 " != %" PRIu32
" from stream",
4423 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4424 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4429 if (!retransmission) {
4431 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4437 StreamTcpHandleTimestamp(ssn, p);
4447 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4451 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4452 "%" PRIu32
", ACK %" PRIu32
"",
4454 int retransmission = 0;
4455 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4456 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4462 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4463 " != %" PRIu32
" from stream",
4469 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4470 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4475 if (!retransmission) {
4477 SCLogDebug(
"ssn %p: state changed to TCP_TIME_WAIT", ssn);
4483 StreamTcpHandleTimestamp(ssn, p);
4494 SCLogDebug(
"StreamTcpPacketStateClosing (%p): =+ next SEQ "
4495 "%" PRIu32
", last ACK %" PRIu32
"", ssn,
4515 static int StreamTcpPacketStateCloseWait(
4519 const TCPHdr *tcph = PacketGetTCP(p);
4527 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4528 "%" PRIu32
", ACK %" PRIu32
"",
4531 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4532 "%" PRIu32
", ACK %" PRIu32
"",
4537 if (!StreamTcpValidateRst(ssn, p))
4540 StreamTcpCloseSsnWithReset(p, ssn);
4549 StreamTcpHandleTimestamp(ssn, p);
4560 StreamTcpHandleTimestamp(ssn, p);
4568 if (!StreamTcpValidateTimestamp(ssn, p))
4573 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4574 "%" PRIu32
", ACK %" PRIu32
"",
4577 int retransmission = 0;
4578 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4579 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4584 if (!retransmission) {
4587 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4588 " != %" PRIu32
" from stream",
4595 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4596 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4603 if (!retransmission)
4607 StreamTcpHandleTimestamp(ssn, p);
4619 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4623 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4624 "%" PRIu32
", ACK %" PRIu32
"",
4627 int retransmission = 0;
4628 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4629 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4634 if (!retransmission) {
4637 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4638 " != %" PRIu32
" from stream",
4645 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4646 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4651 if (!retransmission) {
4653 SCLogDebug(
"ssn %p: state changed to TCP_LAST_ACK", ssn);
4659 StreamTcpHandleTimestamp(ssn, p);
4671 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4677 SCLogDebug(
"ssn (%p): SYN pkt on CloseWait", ssn);
4683 if (!StreamTcpValidateTimestamp(ssn, p))
4688 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4689 "%" PRIu32
", ACK %" PRIu32
"",
4692 int retransmission = 0;
4693 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4694 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4700 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4705 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4706 " != %" PRIu32
" from stream",
4712 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4713 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4718 if (!retransmission) {
4723 StreamTcpHandleTimestamp(ssn, p);
4737 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4741 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
4742 "%" PRIu32
", ACK %" PRIu32
"",
4744 int retransmission = 0;
4745 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
4746 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4752 SCLogDebug(
"ssn %p: -> retransmission", ssn);
4757 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4758 " != %" PRIu32
" from stream",
4764 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
4765 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4770 if (!retransmission) {
4775 StreamTcpHandleTimestamp(ssn, p);
4789 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4810 static int StreamTcpPacketStateLastAck(
4814 const TCPHdr *tcph = PacketGetTCP(p);
4820 if (!StreamTcpValidateRst(ssn, p))
4823 StreamTcpCloseSsnWithReset(p, ssn);
4832 StreamTcpHandleTimestamp(ssn, p);
4843 StreamTcpHandleTimestamp(ssn, p);
4851 SCLogDebug(
"ssn (%p): FIN pkt on LastAck", ssn);
4854 SCLogDebug(
"ssn (%p): SYN pkt on LastAck", ssn);
4860 if (!StreamTcpValidateTimestamp(ssn, p))
4865 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4866 "%" PRIu32
", ACK %" PRIu32
"",
4869 int retransmission = 0;
4870 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4871 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4876 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
4877 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
4882 if (!retransmission) {
4884 SCLogDebug(
"ssn %p: not updating state as packet is before next_seq", ssn);
4886 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4887 " != %" PRIu32
" from stream",
4893 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
4899 StreamTcpHandleTimestamp(ssn, p);
4910 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
4931 static int StreamTcpPacketStateTimeWait(
4935 const TCPHdr *tcph = PacketGetTCP(p);
4941 if (!StreamTcpValidateRst(ssn, p))
4944 StreamTcpCloseSsnWithReset(p, ssn);
4953 StreamTcpHandleTimestamp(ssn, p);
4964 StreamTcpHandleTimestamp(ssn, p);
4974 SCLogDebug(
"ssn (%p): SYN pkt on TimeWait", ssn);
4980 if (!StreamTcpValidateTimestamp(ssn, p))
4985 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to server: SEQ "
4986 "%" PRIu32
", ACK %" PRIu32
"",
4988 int retransmission = 0;
4989 if (StreamTcpPacketIsRetransmission(&ssn->
client, p)) {
4990 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
4995 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
4996 " != %" PRIu32
" from stream",
5002 if (StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
5003 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
5008 if (!retransmission) {
5010 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
5016 StreamTcpHandleTimestamp(ssn, p);
5027 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
5031 SCLogDebug(
"ssn %p: pkt (%" PRIu32
") is to client: SEQ "
5032 "%" PRIu32
", ACK %" PRIu32
"",
5034 int retransmission = 0;
5035 if (StreamTcpPacketIsRetransmission(&ssn->
server, p)) {
5036 SCLogDebug(
"ssn %p: packet is retransmission", ssn);
5041 SCLogDebug(
"ssn %p: -> retransmission", ssn);
5044 SCLogDebug(
"ssn %p: -> SEQ mismatch, packet SEQ %" PRIu32
""
5045 " != %" PRIu32
" from stream",
5052 if (StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
5053 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
5058 if (!retransmission) {
5060 SCLogDebug(
"ssn %p: state changed to TCP_CLOSED", ssn);
5066 StreamTcpHandleTimestamp(ssn, p);
5077 SCLogDebug(
"ssn %p: =+ next SEQ %" PRIu32
", last ACK "
5089 static int StreamTcpPacketStateClosed(
5094 const TCPHdr *tcph = PacketGetTCP(p);
5100 TcpStream *stream = NULL, *ostream = NULL;
5117 if (StreamTcpStateDispatch(
tv, p, stt, ssn, ssn->
pstate) < 0)
5132 const TCPHdr *tcph = PacketGetTCP(p);
5146 SCLogDebug(
"regular packet %"PRIu64
" from same sender as "
5147 "the previous RST. Looks like it injected!", p->
pcap_cnt);
5173 const TCPHdr *tcph = PacketGetTCP(p);
5178 TcpStream *stream = NULL, *ostream = NULL;
5189 if (ack == ostream->last_ack &&
seq == (stream->
next_seq - 1)) {
5205 TcpStream *stream = NULL, *ostream = NULL;
5216 const TCPHdr *tcph = PacketGetTCP(p);
5235 if (pkt_win != ostream->window)
5244 SCLogDebug(
"seq %u (%u), ack %u (%u) FLAG_KEEPALIVE: %s",
seq, stream->
next_seq, ack, ostream->last_ack,
5274 TcpStream *stream = NULL, *ostream = NULL;
5288 const TCPHdr *tcph = PacketGetTCP(p);
5307 if (pkt_win == ostream->window)
5310 if (ack == ostream->last_ack &&
seq == stream->
next_seq) {
5325 TcpStream *stream = NULL, *ostream = NULL;
5333 const TCPHdr *tcph = PacketGetTCP(p);
5350 SCLogDebug(
"%"PRIu64
", seq %u ack %u stream->next_seq %u ostream->next_seq %u",
5378 TcpStream *stream = NULL, *ostream = NULL;
5389 const TCPHdr *tcph = PacketGetTCP(p);
5405 if (pkt_win < ostream->window) {
5406 uint32_t diff = ostream->window - pkt_win;
5408 SEQ_GT(ack, ostream->next_seq) &&
5411 SCLogDebug(
"%"PRIu64
", pkt_win %u, stream win %u, diff %u, dsize %u",
5413 SCLogDebug(
"%"PRIu64
", pkt_win %u, stream win %u",
5414 p->
pcap_cnt, pkt_win, ostream->window);
5415 SCLogDebug(
"%"PRIu64
", seq %u ack %u ostream->next_seq %u ostream->last_ack %u, ostream->next_win %u, diff %u (%u)",
5416 p->
pcap_cnt,
seq, ack, ostream->next_seq, ostream->last_ack, ostream->next_win,
5417 ostream->next_seq - ostream->last_ack, stream->
next_seq - stream->
last_ack);
5424 uint32_t adiff = ack - ostream->last_ack;
5425 if (((pkt_win > 1024) && (diff > (adiff + 32))) ||
5426 ((pkt_win <= 1024) && (diff > adiff)))
5428 SCLogDebug(
"pkt ACK %u is %u bytes beyond last_ack %u, shrinks window by %u "
5429 "(allowing 32 bytes extra): pkt WIN %u", ack, adiff, ostream->last_ack, diff, pkt_win);
5430 SCLogDebug(
"%u - %u = %u (state %u)", diff, adiff, diff - adiff, ssn->
state);
5445 static inline int StreamTcpStateDispatch(
5453 SCLogDebug(
"packet received on TCP_SYN_SENT state");
5454 if (StreamTcpPacketStateSynSent(
tv, p, stt, ssn)) {
5459 SCLogDebug(
"packet received on TCP_SYN_RECV state");
5460 if (StreamTcpPacketStateSynRecv(
tv, p, stt, ssn)) {
5465 SCLogDebug(
"packet received on TCP_ESTABLISHED state");
5466 if (StreamTcpPacketStateEstablished(
tv, p, stt, ssn)) {
5471 SCLogDebug(
"packet received on TCP_FIN_WAIT1 state");
5472 if (StreamTcpPacketStateFinWait1(
tv, p, stt, ssn)) {
5477 SCLogDebug(
"packet received on TCP_FIN_WAIT2 state");
5478 if (StreamTcpPacketStateFinWait2(
tv, p, stt, ssn)) {
5483 SCLogDebug(
"packet received on TCP_CLOSING state");
5484 if (StreamTcpPacketStateClosing(
tv, p, stt, ssn)) {
5489 SCLogDebug(
"packet received on TCP_CLOSE_WAIT state");
5490 if (StreamTcpPacketStateCloseWait(
tv, p, stt, ssn)) {
5495 SCLogDebug(
"packet received on TCP_LAST_ACK state");
5496 if (StreamTcpPacketStateLastAck(
tv, p, stt, ssn)) {
5501 SCLogDebug(
"packet received on TCP_TIME_WAIT state");
5502 if (StreamTcpPacketStateTimeWait(
tv, p, stt, ssn)) {
5508 SCLogDebug(
"packet received on closed state");
5510 if (StreamTcpPacketStateClosed(
tv, p, stt, ssn)) {
5516 SCLogDebug(
"packet received on default state");
5552 const TCPHdr *tcph = PacketGetTCP(p);
5567 SCLogDebug(
"ssn %p: removing ASYNC flag as we have packets on both sides", ssn);
5587 if (StreamTcpCheckFlowDrops(p) == 1) {
5597 if (StreamTcpPacketStateNone(
tv, p, stt, ssn) == -1) {
5623 if (StreamTcpPacketIsKeepAlive(ssn, p) == 1) {
5626 if (StreamTcpPacketIsKeepAliveACK(ssn, p) == 1) {
5627 StreamTcpClearKeepAliveFlag(ssn, p);
5630 StreamTcpClearKeepAliveFlag(ssn, p);
5632 const bool is_zwp_ack = StreamTcpPacketIsZeroWindowProbeAck(ssn, p);
5643 if (StreamTcpPacketIsDupAck(ssn, p)) {
5650 if (StreamTcpPacketIsFinShutdownAck(ssn, p) == 0) {
5651 if (StreamTcpPacketIsWindowUpdate(ssn, p) == 0) {
5652 if (StreamTcpPacketIsBadWindowUpdate(ssn,p))
5654 if (StreamTcpPacketIsOutdatedAck(ssn, p))
5659 int ret = StreamTcpPacketIsSpuriousRetransmission(ssn, p);
5668 if (StreamTcpStateDispatch(
tv, p, stt, ssn, ssn->
state) < 0)
5672 StreamTcpPacketCheckPostRst(ssn, p);
5721 SCLogDebug(
"bypass as stream is dead and we have no rules");
5734 if (StreamTcpInlineDropInvalid()) {
5738 DecodeSetNoPayloadInspectionFlag(p);
5752 static inline int StreamTcpValidateChecksum(
Packet *p)
5760 const TCPHdr *tcph = PacketGetTCP(p);
5761 if (PacketIsIPv4(p)) {
5762 const IPV4Hdr *ip4h = PacketGetIPv4(p);
5763 p->
l4.
csum = TCPChecksum(ip4h->s_ip_addrs, (uint16_t *)tcph,
5766 }
else if (PacketIsIPv6(p)) {
5767 const IPV6Hdr *ip6h = PacketGetIPv6(p);
5768 p->
l4.
csum = TCPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)tcph,
5789 static int TcpSessionPacketIsStreamStarter(
const Packet *p)
5791 const TCPHdr *tcph = PacketGetTCP(p);
5814 static bool TcpSessionReuseDoneEnoughSyn(
const Packet *p,
const Flow *f,
const TcpSession *ssn)
5816 const TCPHdr *tcph = PacketGetTCP(p);
5821 SCLogDebug(
"steam starter packet %" PRIu64
", ssn %p null. Reuse.", p->
pcap_cnt, ssn);
5826 ", ssn %p. STREAMTCP_FLAG_TFO_DATA_IGNORED set. Reuse.",
5831 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p. Packet SEQ == Stream ISN. Retransmission. Don't reuse.", p->
pcap_cnt, ssn);
5835 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5838 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5841 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5851 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5854 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5857 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5870 static bool TcpSessionReuseDoneEnoughSynAck(
const Packet *p,
const Flow *f,
const TcpSession *ssn)
5872 const TCPHdr *tcph = PacketGetTCP(p);
5875 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p null. No reuse.", p->
pcap_cnt, ssn);
5879 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p. Packet SEQ == Stream ISN. Retransmission. Don't reuse.", p->
pcap_cnt, ssn);
5883 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5886 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5889 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5899 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state >= TCP_LAST_ACK (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5902 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state == TCP_NONE (%u). Reuse.", p->
pcap_cnt, ssn, ssn->
state);
5905 SCLogDebug(
"steam starter packet %"PRIu64
", ssn %p state < TCP_LAST_ACK (%u). Don't reuse.", p->
pcap_cnt, ssn, ssn->
state);
5921 const TCPHdr *tcph = PacketGetTCP(p);
5923 return TcpSessionReuseDoneEnoughSyn(p, f, ssn);
5928 return TcpSessionReuseDoneEnoughSynAck(p, f, ssn);
5937 if (p->
proto == IPPROTO_TCP && PacketIsTCP(p)) {
5938 if (TcpSessionPacketIsStreamStarter(p) == 1) {
5939 if (TcpSessionReuseDoneEnough(p, f, tcp_ssn) == 1) {
5962 if (!(PacketIsTCP(p))) {
5966 HandleThreadId(
tv, p, stt);
5972 if (StreamTcpValidateChecksum(p) == 0) {
5994 *data = (
void *)stt;
6003 IsStreamTcpSessionMemcapExceptionPolicyStatsValid);
6011 "tcp.midstream_exception_policy.", IsMidstreamExceptionPolicyStatsValid);
6015 "tcp.midstream_exception_policy.", IsMidstreamExceptionPolicyStatsValid);
6030 "tcp.reassembly_exception_policy.", IsReassemblyMemcapExceptionPolicyStatsValid);
6044 SCLogDebug(
"StreamTcp thread specific ctx online at %p, reassembly ctx %p",
6053 StreamTcpSessionPoolAlloc,
6054 StreamTcpSessionPoolInit, NULL,
6055 StreamTcpSessionPoolCleanup, NULL);
6065 SCLogError(
"failed to setup/expand stream session pool. Expand stream.memcap?");
6110 const TCPHdr *tcph = PacketGetTCP(p);
6118 if (!StreamTcpValidateTimestamp(ssn, p)) {
6147 StreamTcpValidateAck(ssn, &ssn->
server, p) == -1) {
6148 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
6160 StreamTcpValidateAck(ssn, &ssn->
client, p) == -1) {
6161 SCLogDebug(
"ssn %p: rejecting because of invalid ack value", ssn);
6174 receiver_stream = &ssn->
server;
6176 receiver_stream = &ssn->
client;
6178 SCLogDebug(
"ssn %p: setting STREAMTCP_STREAM_FLAG_RST_RECV on receiver stream", ssn);
6198 switch (os_policy) {
6205 SCLogDebug(
"reset is not Valid! Packet SEQ: %" PRIu32
" "
6206 "and server SEQ: %" PRIu32
"",
6215 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" "
6216 "and client SEQ: %" PRIu32
"",
6233 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" and"
6234 " server SEQ: %" PRIu32
"",
6246 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" and"
6247 " client SEQ: %" PRIu32
"",
6268 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" "
6269 "and server SEQ: %" PRIu32
"",
6275 SCLogDebug(
"reset is valid! Packet SEQ: %" PRIu32
" Stream %u",
seq,
6279 SCLogDebug(
"reset is not valid! Packet SEQ: %" PRIu32
" and"
6280 " client SEQ: %" PRIu32
"",
6311 uint8_t check_ts = 1;
6312 const TCPHdr *tcph = PacketGetTCP(p);
6316 sender_stream = &ssn->
client;
6317 receiver_stream = &ssn->
server;
6319 sender_stream = &ssn->
server;
6320 receiver_stream = &ssn->
client;
6331 uint32_t last_pkt_ts = sender_stream->
last_pkt_ts;
6332 uint32_t last_ts = sender_stream->
last_ts;
6382 SCLogDebug(
"ts %"PRIu32
", last_ts %"PRIu32
"",
ts, last_ts);
6386 result = (int32_t) ((
ts - last_ts) + 1);
6388 result = (int32_t) (
ts - last_ts);
6391 SCLogDebug(
"result %" PRIi32
", p->ts(secs) %" PRIuMAX
"", result,
6394 if (last_pkt_ts == 0 &&
6402 "%" PRIu32
" p->tcpvars->ts %" PRIu32
" result "
6403 "%" PRId32
"", last_ts,
ts, result);
6406 }
else if ((sender_stream->
last_ts != 0) &&
6408 SCLogDebug(
"packet is not valid last_pkt_ts "
6409 "%" PRIu32
" p->ts(sec) %" PRIu32
"",
6421 SCLogDebug(
"timestamp considered valid anyway");
6453 uint8_t check_ts = 1;
6454 const TCPHdr *tcph = PacketGetTCP(p);
6458 sender_stream = &ssn->
client;
6459 receiver_stream = &ssn->
server;
6461 sender_stream = &ssn->
server;
6462 receiver_stream = &ssn->
client;
6530 result = (int32_t) ((
ts - sender_stream->
last_ts) + 1);
6532 result = (int32_t) (
ts - sender_stream->
last_ts);
6535 SCLogDebug(
"result %" PRIi32
", p->ts(sec) %" PRIuMAX
"", result,
6545 SCLogDebug(
"timestamp is not valid sender_stream->last_ts "
6546 "%" PRIu32
" p->tcpvars->ts %" PRIu32
" result "
6547 "%" PRId32
"", sender_stream->
last_ts,
ts, result);
6550 }
else if ((sender_stream->
last_ts != 0) &&
6553 SCLogDebug(
"packet is not valid sender_stream->last_pkt_ts "
6554 "%" PRIu32
" p->ts(sec) %" PRIu32
"",
6568 }
else if (ret == 0) {
6578 SCLogDebug(
"timestamp considered valid anyway");
6614 const TCPHdr *tcph = PacketGetTCP(p);
6629 SCLogDebug(
"ssn %p: pkt ACK %" PRIu32
" == stream last ACK %" PRIu32, ssn, ack,
6642 SCLogDebug(
"ACK %"PRIu32
" is before last_ack %"PRIu32
" - window "
6643 "%"PRIu32
" = %"PRIu32, ack, stream->
last_ack,
6666 SCLogDebug(
"default path leading to invalid: ACK %"PRIu32
", last_ack %"PRIu32
6679 const uint32_t progress)
6733 static void StreamTcpPseudoPacketCreateDetectLogFlush(
ThreadVars *
tv,
6756 np->
proto = IPPROTO_TCP;
6757 FlowReference(&np->
flow, f);
6767 DecodeSetNoPacketInspectionFlag(np);
6770 DecodeSetNoPayloadInspectionFlag(np);
6810 ip4h->
ip_len = htons(40);
6816 ip4h->s_ip_src.s_addr = f->
src.addr_data32[0];
6817 ip4h->s_ip_dst.s_addr = f->
dst.addr_data32[0];
6819 ip4h->s_ip_src.s_addr = f->
dst.addr_data32[0];
6820 ip4h->s_ip_dst.s_addr = f->
src.addr_data32[0];
6853 ip6h->s_ip6_vfc = 0x60;
6854 ip6h->s_ip6_flow = 0;
6855 ip6h->s_ip6_nxt = IPPROTO_TCP;
6856 ip6h->s_ip6_plen = htons(20);
6857 ip6h->s_ip6_hlim = 64;
6859 ip6h->s_ip6_src[0] = f->
src.addr_data32[0];
6860 ip6h->s_ip6_src[1] = f->
src.addr_data32[1];
6861 ip6h->s_ip6_src[2] = f->
src.addr_data32[2];
6862 ip6h->s_ip6_src[3] = f->
src.addr_data32[3];
6863 ip6h->s_ip6_dst[0] = f->
dst.addr_data32[0];
6864 ip6h->s_ip6_dst[1] = f->
dst.addr_data32[1];
6865 ip6h->s_ip6_dst[2] = f->
dst.addr_data32[2];
6866 ip6h->s_ip6_dst[3] = f->
dst.addr_data32[3];
6868 ip6h->s_ip6_src[0] = f->
dst.addr_data32[0];
6869 ip6h->s_ip6_src[1] = f->
dst.addr_data32[1];
6870 ip6h->s_ip6_src[2] = f->
dst.addr_data32[2];
6871 ip6h->s_ip6_src[3] = f->
dst.addr_data32[3];
6872 ip6h->s_ip6_dst[0] = f->
src.addr_data32[0];
6873 ip6h->s_ip6_dst[1] = f->
src.addr_data32[1];
6874 ip6h->s_ip6_dst[2] = f->
src.addr_data32[2];
6875 ip6h->s_ip6_dst[3] = f->
src.addr_data32[3];
6907 np->
ts = parent->
ts;
6915 FlowDeReference(&np->
flow);
6934 StreamTcpPseudoPacketCreateDetectLogFlush(
tv, stt, p, ssn, pq,
ts^0);
6935 StreamTcpPseudoPacketCreateDetectLogFlush(
tv, stt, p, ssn, pq,
ts^1);
6955 if (p->
flow == NULL)
6983 const uint8_t *seg_data;
6984 uint32_t seg_datalen;
6987 int ret = CallbackFunc(p, seg, data, seg_data, seg_datalen);
7015 if (p->
flow == NULL)
7029 if (server_node == NULL && client_node == NULL) {
7033 while (server_node != NULL || client_node != NULL) {
7034 const uint8_t *seg_data;
7035 uint32_t seg_datalen;
7036 if (server_node == NULL) {
7043 &client_stream->
sb, &client_node->
sbseg, &seg_data, &seg_datalen);
7044 ret = CallbackFunc(p, client_node, data, seg_data, seg_datalen);
7049 client_node = TCPSEG_RB_NEXT(client_node);
7050 }
else if (client_node == NULL) {
7057 &server_stream->
sb, &server_node->
sbseg, &seg_data, &seg_datalen);
7058 ret = CallbackFunc(p, server_node, data, seg_data, seg_datalen);
7063 server_node = TCPSEG_RB_NEXT(server_node);
7068 &client_stream->
sb, &client_node->
sbseg, &seg_data, &seg_datalen);
7069 ret = CallbackFunc(p, client_node, data, seg_data, seg_datalen);
7074 client_node = TCPSEG_RB_NEXT(client_node);
7077 &server_stream->
sb, &server_node->
sbseg, &seg_data, &seg_datalen);
7078 ret = CallbackFunc(p, server_node, data, seg_data, seg_datalen);
7083 server_node = TCPSEG_RB_NEXT(server_node);
7118 const char *tcp_state = NULL;
7124 tcp_state =
"syn_sent";
7127 tcp_state =
"syn_recv";
7130 tcp_state =
"established";
7133 tcp_state =
"fin_wait1";
7136 tcp_state =
"fin_wait2";
7139 tcp_state =
"time_wait";
7142 tcp_state =
"last_ack";
7145 tcp_state =
"close_wait";
7148 tcp_state =
"closing";
7151 tcp_state =
"closed";