Project

General

Profile

Actions

Support #1433

closed

Transaction can be logged before stream reassembly and parsing are complete

Added by Ray Ruvinskiy almost 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

This has been observed with suricata 2.0, specifically with HTTP transactions, although I wonder if the issue is more general than that.

When suricata sees a FIN from the server to the client, StreamTcpHandleFin is called, which sets STREAMTCP_STREAM_FLAG_CLOSE_INITIATED in the stream flags. When the reassembly layer next processes any packet in the client direction for the stream, STREAM_EOF is set, which then results in APP_LAYER_PARSER_EOF being set. Once APP_LAYER_PARSER_EOF is set, the transaction logging code considers it safe to log the transaction. However, there is no guarantee at that point that all the ACKs in the opposite (client to server) direction have been seen and processed and that the reassembly layer has passed all the data in the response to the app parser. As a result, I've observed response data being parsed by libhtp after the transaction has already been logged. This behaviour can result in, e.g., incorrect response length values being output to the log and potentially missing header values. I'm not sure if there are more far reaching implications.

Actions #1

Updated by Victor Julien over 9 years ago

Can you try with 2.0.7 or the git master? We've fixed a similar issue some time ago.

Actions #2

Updated by Ray Ruvinskiy over 9 years ago

Confirmed fixed with 2.1beta3.

Actions #3

Updated by Ray Ruvinskiy over 9 years ago

Confirmed fixed with 2.1beta3. Thanks!

Actions #4

Updated by Victor Julien over 9 years ago

  • Status changed from New to Closed
Actions #5

Updated by Victor Julien over 9 years ago

  • Tracker changed from Bug to Support
Actions

Also available in: Atom PDF