Support #3438 (closed)
tcp stream gap and packet loss in network
Description
According to https://redmine.openinfosecfoundation.org/issues/2093, if a TCP session has a gap then Suricata either hopes that the next segment will fill the gap or attempts to resync and carry on.
Let's suppose that the traffic for Suricata comes from some mirror port, which sometimes can produce packet loss (because of poor network quality, high load on a switch or something similar that Suricata cannot control). In this scenario a TCP gap can occur and there is no way to fill it. Let's say we have the Modbus protocol or any other without gap parser support. After a gap Suricata will wait for the lost segment until the session is closed, which could take a long time, and there is no way to inspect packets at the app layer during this time.
Is there any setting/workaround for this in Suricata? Could I somehow reset the TCP session after a gap, or something like this?
Updated by Victor Julien almost 5 years ago
We're adding support for recovering after a gap to the various protocols. It's a tricky job to scan the traffic after a gap for the start of a new record. This has not yet been done for modbus.
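An added illustration (not Suricata's code) of the two behaviours discussed in the report and the reply: a small Modbus/TCP stream follower in Python that detects a TCP sequence gap, drops the half-received record it can never complete, and instead of waiting for the lost segment scans forward for a record boundary, accepting one only when two plausible MBAP headers line up back to back. The MBAP field layout (transaction id, protocol id, length, unit id) is from the Modbus/TCP specification; the plausibility bounds, the two-header confirmation rule, the class and function names and the sample segments are my own assumptions, constructed for this example.

```python
"""
Added illustration (not Suricata code): a tiny Modbus/TCP stream follower that
notices a TCP sequence gap, discards the unrecoverable partial record, and
re-aligns on the next record boundary instead of waiting for the lost bytes.
"""
import struct

MBAP_LEN = 7            # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_MBAP_LENGTH = 254   # length field = unit id + PDU; 260-byte ADU cap (assumption)


def looks_like_mbap(buf, off):
    """True if a plausible MBAP header plus function code starts at buf[off],
    False if it certainly does not, None if too few bytes remain to tell."""
    if off + MBAP_LEN + 1 > len(buf):
        return None
    _tid, proto, length, _unit = struct.unpack_from(">HHHB", buf, off)
    fc = buf[off + MBAP_LEN]
    # Heuristic (assumption): protocol id is always 0, length is bounded,
    # function code is non-zero once the exception bit is masked off.
    return proto == 0 and 2 <= length <= MAX_MBAP_LENGTH and (fc & 0x7F) != 0


class ModbusStream:
    """Follows one direction of a TCP stream carrying Modbus/TCP records."""

    def __init__(self, initial_seq):
        self.next_seq = initial_seq   # sequence number expected next
        self.buf = b""
        self.records = []             # (transaction id, unit id, function code)
        self.gaps = 0
        self.in_sync = True           # buf[0] is known to be a record boundary

    def feed(self, seq, data):
        """Deliver one TCP segment (seq, payload) in arrival order."""
        if seq < self.next_seq:                      # retransmission / overlap
            data = data[self.next_seq - seq:]
            seq = self.next_seq
            if not data:
                return
        if seq > self.next_seq:                      # bytes [next_seq, seq) were lost
            self.gaps += 1
            self.buf = b""                           # a partial record cannot be completed
            self.in_sync = False
        self.next_seq = seq + len(data)
        self.buf += data
        if not self.in_sync:
            self._resync()
        if self.in_sync:
            self._parse_records()

    def _resync(self):
        """Scan for two consecutive plausible MBAP headers: a single one is
        too easy to mimic with ordinary payload bytes (see the trace in demo)."""
        off = 0
        while True:
            first = looks_like_mbap(self.buf, off)
            if first is None:
                break                                # need more data
            if first:
                length = struct.unpack_from(">H", self.buf, off + 4)[0]
                second = looks_like_mbap(self.buf, off + 6 + length)
                if second is None:
                    break                            # need more data to confirm
                if second:
                    self.in_sync = True
                    break
            off += 1
        self.buf = self.buf[off:]                    # everything before off was rejected

    def _parse_records(self):
        while len(self.buf) >= MBAP_LEN + 1:
            tid, proto, length, unit = struct.unpack_from(">HHHB", self.buf, 0)
            if proto != 0 or not 2 <= length <= MAX_MBAP_LENGTH:
                self.in_sync = False                 # corrupt data while in sync: rescan
                return
            total = 6 + length
            if len(self.buf) < total:
                return                               # wait for the rest of this record
            self.records.append((tid, unit, self.buf[MBAP_LEN]))
            self.buf = self.buf[total:]


def mbap_request(tid, unit, fc, pdu_body):
    """Build one Modbus/TCP ADU (constructed sample data)."""
    pdu = bytes([fc]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo():
    """Four read-holding-registers requests; the mirror port drops the first
    five bytes of the second one. Returns the stream state for inspection."""
    read_regs = struct.pack(">HH", 0, 10)            # registers 0..9
    a, b, c, d = (mbap_request(t, 1, 3, read_regs) for t in (1, 2, 3, 4))
    s = ModbusStream(1000)
    s.feed(1000, a)                                  # clean record
    s.feed(1000 + len(a) + 5, b[5:] + c)             # gap: start of b was lost
    s.feed(1000 + len(a) + len(b) + len(c), d)       # confirms the boundary at c
    return s


if __name__ == "__main__":
    s = demo()
    print("gaps:", s.gaps, "records:", s.records, "in_sync:", s.in_sync)
```

In the demo the remainder of the damaged record happens to contain bytes that pass the single-header check (a transaction id followed by zero protocol id and a small length), which is exactly why a recovering parser cannot simply trust the first header-shaped bytes it sees; the second-header confirmation rejects that candidate once the following segment arrives, and the parser resumes at record c without ever needing the lost bytes of b. A real implementation would also cap how much unsynchronised data it is willing to buffer before giving up on the stream.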
Updated by Victor Julien almost 5 years ago
- Related to Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols added
Updated by Victor Julien almost 5 years ago
- Related to Task #3554: modbus: support GAP recovery added
Updated by Victor Julien almost 5 years ago
- Status changed from New to Closed