Bug #7422

open

tcp: GAP event set on unack'd data following a RST

Added by Victor Julien 28 days ago. Updated 27 days ago.

Status: In Review
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

What is happening is the following:
1. a normal tcp session
2. a RST+ACK comes in - the reset packet is accepted. Instead of using the ACK value from this packet, Suricata auto-ACKs all data
3. a few more packets come in as the flow times out, these are not accepted as the session is now CLOSED (due to (2))
4. the flow timeout triggers, and it sees that there is unprocessed data
5. the unprocessed data contains gaps. This is normal, as it was in-window, but not yet ACKed
6. the GAP event is raised and the counter is incremented

The behavior of a valid RST making all data inspectable in Suricata is long-standing, although sadly not explained:
https://github.com/OISF/suricata/commit/1578ef1e3e8a24d0cc615430c4e6bec1fefdad28
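
A simplified model of steps 2 to 6 above, added here as an illustration and not taken from Suricata's code: it counts the holes reassembly would hit when the limit is the ACK value carried by the RST, versus when everything seen so far is treated as ACKed. The struct, function names and sequence numbers are constructed for the example, and sequence-number wraparound is ignored.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not Suricata code: one segment of one direction of a TCP stream. */
struct seg { uint32_t seq; uint32_t len; };

/* Count holes between `base` and `limit` in a seq-sorted segment list.
 * `limit` is how far reassembly may go (the effective ACK point).
 * Assumption: no sequence-number wraparound. */
static int count_gaps(const struct seg *s, int n, uint32_t base, uint32_t limit)
{
    int gaps = 0;
    uint32_t next = base;                  /* next byte expected */
    for (int i = 0; i < n && next < limit; i++) {
        if (s[i].seq >= limit)
            break;                         /* segment lies beyond the limit */
        if (s[i].seq > next)
            gaps++;                        /* bytes missing before this segment */
        uint32_t end = s[i].seq + s[i].len;
        if (end > next)
            next = end;
    }
    if (next < limit)
        gaps++;                            /* bytes missing up to the limit */
    return gaps;
}

/* End of the highest segment seen: the limit when all data is auto-ACKed. */
static uint32_t highest_end(const struct seg *s, int n, uint32_t base)
{
    uint32_t hi = base;
    for (int i = 0; i < n; i++)
        if (s[i].seq + s[i].len > hi)
            hi = s[i].seq + s[i].len;
    return hi;
}

/* Constructed sample: 1000-1199 was ACKed; 1300-1399 and 1500-1599 arrived
 * in-window but un-ACKed, with 1200-1299 and 1400-1499 not yet received. */
static const struct seg SEGS[] = { {1000, 100}, {1100, 100}, {1300, 100}, {1500, 100} };
enum { NSEGS = 4, BASE = 1000, RST_ACK = 1200 };

int main(void)
{
    uint32_t all = highest_end(SEGS, NSEGS, BASE);
    printf("limit = ACK from RST: %d gap(s)\n", count_gaps(SEGS, NSEGS, BASE, RST_ACK));
    printf("limit = auto-ACK all: %d gap(s)\n", count_gaps(SEGS, NSEGS, BASE, all));
    return 0;
}
```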


Subtasks 1 (1 open, 0 closed)

Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport) - Assigned - Victor Julien