Bug #1325

tls detection leads to tcp stream reassembly sequence gaps

Added by Martin Küchler about 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: Normal

Description

Hello, I am new to Suricata - 2.0.4 stable Ubuntu PPA (Ubuntu 12.04).

When app-layer.protocols.tls.enabled is set to yes or detection only, the tcp.reassembly_gap counter increases quickly (depending on the amount of ssl traffic). When I set app-layer.protocols.tls.enabled to no, the tcp.reassembly_gap stays at 0. So my suspicion is that it's not a matter of packet loss (why would it concern only tls and not non-tls traffic?), but rather some problem in the tls routine.

I use nfqueue IPS mode, most other settings on default values.

As a side note, I would mention that the tcp.invalid_checksum counter increases as well, but in a rather steady manner, not related to the amount of ssl traffic, and it continues to increase even with app-layer.protocols.tls.enabled=no. I don't think that this is related to the tcp reassembly gaps, and I suspect rather some problem in my system as a culprit, but I prefer to mention it just in case there is a link that I am not aware of.
