Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

next/589/70x/20240925/v1 #11835

Merged
merged 2 commits into from
Sep 26, 2024
Merged

next/589/70x/20240925/v1 #11835

merged 2 commits into from
Sep 26, 2024

Conversation

victorjulien
Copy link
Member

catenacyber and others added 2 commits September 24, 2024 14:59
@catenacyber @jufajardini
ssl/ja3: better check for ja3 being enabled
04ef7b6 
Ticket: 6634

Completes commit 8473525

Avoids error log in Ja3BufferAddValue about NULL buffer

(cherry picked from commit 1d32f11)
@victorjulien
stream: improve 3whs completed by ACK with data
4f59fd9 
If the ACK packet completing the 3whs is received, the stream engine will
transition to "established". However, the packet itself will not be tagged
as "established". This will only happen for the next packet after the 3whs,
so that `flow:established` only matches after the 3whs.

It is possible that the ACK packet completing the 3whs was lost. Since the
ACK packets themselves are not acknowledged, there will be no retransmission
of them. Instead, the next packet can have the expected ACK flag as well as
data.

This case was mishandled in a subtle way. The stream engine state transition
was done correctly, as well as the data handling and app-layer updates.
However, the packet itself was not tagged as "established", which meant
that `flow:established` would not yet match.

This patch detects this case and tags the packet as established if ACK
with data is received that completes the 3whs.

Bug: OISF#7264.
(cherry picked from commit 45eb7e4)
jasonish
jasonish approved these changes Sep 25, 2024
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-running failed job.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.tx.dcerpc_tcp 5949 6289 105.72%

Pipeline 22814

@victorjulien victorjulien merged commit 4f59fd9 into OISF:main-7.0.x Sep 26, 2024
42 checks passed
This was referenced Sep 26, 2024
Merged
Closed
@victorjulien victorjulien deleted the next/589/70x/20240925/v1 branch September 26, 2024 04:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@victorjulien @suricata-qa @jasonish @catenacyber