[Oisf-devel] [COMMIT] OISF branch, master-2.0.x, updated. suricata-2.0.2-23-gba7e5aa

OISF Git noreply at openinfosecfoundation.org
Thu Aug 7 20:32:15 UTC 2014

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master-2.0.x has been updated
       via  ba7e5aac88b8bd1431531b68537e56a7e25f09b8 (commit)
       via  c6e83d92d76d3ed847b90f3b0d460f34a410c92f (commit)
      from  facacc0d1c921a07c14c5d46be1b44996545e9c9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ba7e5aac88b8bd1431531b68537e56a7e25f09b8
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jul 17 00:23:50 2014 +0200

    stream: detect and filter out bad window updates

    Reported in bug 1238 is an issue where stream reassembly can be
    A packet that was in-window, but otherwise unexpected set the
    window to a really low value, causing the next *expected* packet
    to be considered out of window. This led to missing data in the
    stream reassembly.

    The packet was unexpected in various ways:
    - it would ack unseen traffic
    - its sequence number would not match the expected next_seq
    - set a really low window, while not being a proper window update

    Detection, however, is greatly hampered by the fact that in case of
    packet loss, quite similar packets come in. Alerting in this case
    is unwanted. Ignoring/skipping packets in this case as well.

    The logic used in this patch is as follows. If:
    - the packet is not a window update AND
    - packet seq > next_seq AND
    - packet ack > next_seq (packet acks unseen data) AND
    - packet shrinks window more than its own data size
    THEN set event and skip the packet in the stream engine.

    So in case of a segment with no data, any window shrinking is rejected.

    Bug #1238.

commit c6e83d92d76d3ed847b90f3b0d460f34a410c92f
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Aug 7 15:02:56 2014 +0200

    ipv6: fix dst/hop header option parsing

    The extension header option parsing used a uint8_t internally. However
    much bigger option sizes are valid.


Summary of changes:
 rules/stream-events.rules |    4 ++-
 src/decode-events.h       |    1 +
 src/decode-ipv6.c         |    2 +-
 src/detect-engine-event.h |    1 +
 src/stream-tcp.c          |   76 ++++++++++++++++++++++++++++++++++++++++++++-
 5 files changed, 81 insertions(+), 3 deletions(-)
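
The four-condition filter from the first commit message above, written out as an added example; it is not part of the original email and is not Suricata's code. The struct names, the definition of a "proper" window update, and the reading of "acks unseen data" as ack > the peer's next_seq are assumptions, and window values are assumed to be already scaled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Serial-number comparison, so the check survives 32-bit sequence wraparound. */
#define SEQ_GT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)

/* Hypothetical, simplified per-direction state (not Suricata's own struct). */
struct dir_state {
    uint32_t next_seq; /* next sequence number expected from this sender */
    uint32_t last_ack; /* last ACK value this sender sent */
    uint32_t window;   /* window this sender last advertised */
};

/* Hypothetical, simplified view of one TCP segment. */
struct segment {
    uint32_t seq, ack, window;
    uint16_t payload_len;
};

/* Assumption: a proper window update is a data-less segment that repeats the
 * expected seq and the last ack, and changes only the window. */
bool is_window_update(const struct dir_state *snd, const struct segment *p)
{
    return p->payload_len == 0 && p->seq == snd->next_seq &&
           p->ack == snd->last_ack && p->window != snd->window;
}

/* True when all four conditions from the commit message hold; the caller
 * would then set the event and skip the packet in the stream engine.
 * snd: state of the packet's sender, rcv: state of the opposite direction. */
bool is_bad_window_update(const struct dir_state *snd,
                          const struct dir_state *rcv,
                          const struct segment *p)
{
    if (is_window_update(snd, p))
        return false;                       /* legitimate update, keep it */
    if (p->window >= snd->window)
        return false;                       /* window is not shrinking */
    uint32_t shrink = snd->window - p->window;
    return SEQ_GT(p->seq, snd->next_seq) && /* ahead of the expected seq */
           SEQ_GT(p->ack, rcv->next_seq) && /* acks data the peer never sent */
           shrink > p->payload_len;         /* shrinks by more than its data */
}
```

A data-less segment has `payload_len == 0`, so any shrink at all satisfies the last condition, which matches the commit message's remark that window shrinking is rejected for segments with no data.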

