Bug #7422

tcp: GAP event set on unack'd data following a RST

Added by Victor Julien 28 days ago. Updated 27 days ago.

Status: In Review
Priority: Normal

Description

What is happening is the following:
1. a normal TCP session
2. a RST+ACK comes in - the reset packet is accepted. Instead of using the ACK value from this packet, Suricata auto-ACKs all data
3. a few more packets come in as the flow times out; these are not accepted as the session is now CLOSED (due to (2))
4. the flow timeout triggers, and it sees that there is unprocessed data
5. the unprocessed data contains gaps. This is normal, as it was in-window, but not yet ACKed
6. the GAP event is raised and the counter is incremented

The behavior of a valid RST making all data inspectable in Suricata is long-standing, although sadly not explained:
https://github.com/OISF/suricata/commit/1578ef1e3e8a24d0cc615430c4e6bec1fefdad28
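
The sequence in the description can be reproduced with a small model of the ACK point and the gap calculation. This is an added example, not Suricata code and not the fix under review; the struct, enum and function names and the sample sequence numbers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Simplified model, NOT Suricata code. A segment covers [seq, seq+len).
 * Sequence-number wraparound is ignored to keep the model short. */
struct seg { uint32_t seq, len; };
enum rst_policy { RST_AUTO_ACK_ALL, RST_USE_PACKET_ACK }; /* hypothetical names */

/* Bytes missing in [base, ack_point), given segments sorted by seq.
 * Only data below the ACK point is final, so only holes there count. */
uint32_t gap_bytes(const struct seg *s, size_t n, uint32_t base, uint32_t ack_point)
{
    uint32_t next = base, gaps = 0;
    for (size_t i = 0; i < n && next < ack_point; i++) {
        uint32_t start = s[i].seq, end = s[i].seq + s[i].len;
        if (end <= next)
            continue;                       /* nothing new in this segment */
        if (start > next)                   /* hole before this segment */
            gaps += (start < ack_point ? start : ack_point) - next;
        next = end;
    }
    if (next < ack_point)                   /* hole between last data and ACK point */
        gaps += ack_point - next;
    return gaps;
}

/* ACK point used for the stream once the RST is accepted. */
uint32_t ack_after_rst(enum rst_policy p, const struct seg *s, size_t n, uint32_t rst_ack)
{
    if (p == RST_USE_PACKET_ACK)
        return rst_ack;
    uint32_t hi = rst_ack;                  /* auto-ACK: everything received */
    for (size_t i = 0; i < n; i++)
        if (s[i].seq + s[i].len > hi)
            hi = s[i].seq + s[i].len;
    return hi;
}

/* Constructed sample: 1000-1199 ACKed, 1200-1299 never seen, 1300-1399 in-window. */
uint32_t gaps_at_timeout(enum rst_policy p)
{
    const struct seg segs[] = { {1000, 100}, {1100, 100}, {1300, 100} };
    const uint32_t base = 1000, rst_ack = 1200;
    return gap_bytes(segs, 3, base, ack_after_rst(p, segs, 3, rst_ack));
}

int main(void)
{
    printf("auto-ACK on RST: %u gap bytes\n", (unsigned)gaps_at_timeout(RST_AUTO_ACK_ALL));
    printf("RST's own ACK:   %u gap bytes\n", (unsigned)gaps_at_timeout(RST_USE_PACKET_ACK));
    return 0;
}
```

With the auto-ACK choice the in-window hole falls below the ACK point and is counted at timeout; with the RST's own ACK value the same hole stays above the ACK point and is not counted.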


Subtasks: 1 (1 open, 0 closed)

Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport) - Assigned - Victor Julien
Actions #1

Updated by Victor Julien 27 days ago

  • Status changed from Assigned to In Progress
Actions #2

Updated by Victor Julien 27 days ago

  • Status changed from In Progress to In Review
  • Label Needs backport to 7.0 added
Actions #3

Updated by OISF Ticketbot 27 days ago

  • Subtask #7428 added
Actions #4

Updated by OISF Ticketbot 27 days ago

  • Label deleted (Needs backport to 7.0)