Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

stream: RST no longer acks all data #12300

Closed
wants to merge 1 commit into from
Closed

stream: RST no longer acks all data #12300

wants to merge 1 commit into from

Conversation

victorjulien
Copy link
Member

Since forever (1578ef1) a valid RST would update the internal last_ack representation to include all unack'd data. This was originally done to make sure the unACK'd data was inspected/processed at flow timeout.

It was observed however, that if GAPs existed in this unACK'd data, a GAP could be reported in the stats and a GAP event would be raised. This doesn't make sense, as missing segments in the unACK'd part of the stream are completely normal. Segments simply do not all arrive in order.

It turns out that the original behavior of updating last_ack to include all unACK'd data is no longer needed.

For raw stream inspection, the detection engine will already include the unACK'd data on flow end.

For app-layer updates the unACK'd data is often harmful, as the data often has GAPs. Parser like the http parser would report these GAPs and could also get confused about the post-GAP data being a new transaction including a file. This lead to many reported errors and fantom txs and files.

Since the GAP detection uses last_ack to determine GAPs, not moving last_ack addresses the GAP false positives.

Ticket: #7422.

Rebases #12186.

SV_BRANCH=OISF/suricata-verify#2154

https://redmine.openinfosecfoundation.org/issues/7422

@victorjulien
stream: RST no longer acks all data
1eadf08 
Since forever (1578ef1) a valid RST
would update the internal `last_ack` representation to include all
unack'd data. This was originally done to make sure the unACK'd data was
inspected/processed at flow timeout.

It was observed however, that if GAPs existed in this unACK'd data, a
GAP could be reported in the stats and a GAP event would be raised. This
doesn't make sense, as missing segments in the unACK'd part of the
stream are completely normal. Segments simply do not all arrive in
order.

It turns out that the original behavior of updating `last_ack` to
include all unACK'd data is no longer needed.

For raw stream inspection, the detection engine will already include the
unACK'd data on flow end.

For app-layer updates the unACK'd data is often harmful, as the data
often has GAPs. Parser like the http parser would report these GAPs and
could also get confused about the post-GAP data being a new transaction
including a file. This lead to many reported errors and fantom txs and
files.

Since the GAP detection uses `last_ack` to determine GAPs, not moving
`last_ack` addresses the GAP false positives.

Ticket: OISF#7422.
@victorjulien victorjulien added the needs baseline update QA will need a new base line label Dec 17, 2024
@victorjulien victorjulien mentioned this pull request Dec 17, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Dec 17, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 85.71429% with 4 lines in your changes missing coverage. Please review.

Project coverage is 79.55%. Comparing base (0e4faba) to head (1eadf08).
Report is 31 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12300      +/-   ##
==========================================
- Coverage   83.22%   79.55%   -3.68%     
==========================================
  Files         912      912              
  Lines      257311   257427     +116     
==========================================
- Hits       214154   204788    -9366     
- Misses      43157    52639    +9482
Flag Coverage Δ
fuzzcorpus 61.06% <85.71%> (-0.01%) ⬇️
livemode 19.40% <0.00%> (-0.13%) ⬇️
pcap 44.39% <71.42%> (+0.02%) ⬆️
suricata-verify ?
unittests 59.18% <0.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPW1_files_sha256.

field baseline test %
SURI_TLPR1_stats_chk
.flow.end.tcp_liberal 13783 12319 89.38%
.app_layer.error.http.parser 729 574 78.74%
.app_layer.error.tls.gap 1725 1651 95.71%

Pipeline 23981

@victorjulien victorjulien mentioned this pull request Jan 6, 2025
Closed
@victorjulien
Copy link
Member Author

replaced by #12341

@victorjulien victorjulien deleted the stream-fixes/v6 branch January 13, 2025 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
needs baseline update QA will need a new base line
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@victorjulien @suricata-qa