[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-2.0.2-113-g6b0ff01
OISF Git
noreply at openinfosecfoundation.org
Fri Aug 8 06:44:26 UTC 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via 6b0ff0193d9e3a7f4c2c909ef463d8a9c858c42b (commit)
via 7cc63918c365a8aecde09455a22a026b5f75beae (commit)
from 2b84cd948381c3e33d728160a4c19b3a912bff94 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6b0ff0193d9e3a7f4c2c909ef463d8a9c858c42b
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jul 17 00:23:50 2014 +0200
stream: detect and filter out bad window updates
Reported in bug 1238 is an issue where stream reassembly can be
disrupted.
A packet that was in-window, but otherwise unexpected set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This led to missing data in the
stream reassembly.
The packet was unexpected in various ways:
- it would ack unseen traffic
- its sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update
Detection, however, is greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case as well.
The logic used in this patch is as follows. If:
- the packet is not a window update AND
- packet seq > next_seq AND
- packet ack > next_seq (packet acks unseen data) AND
- packet shrinks window more than its own data size
THEN set event and skip the packet in the stream engine.
So in case of a segment with no data, any window shrinking is rejected.
Bug #1238.
commit 7cc63918c365a8aecde09455a22a026b5f75beae
Author: Victor Julien <victor at inliniac.net>
Date: Thu Aug 7 15:02:56 2014 +0200
ipv6: fix dst/hop header option parsing
The extension header option parsing used a uint8_t internally. However
much bigger option sizes are valid.
-----------------------------------------------------------------------
Summary of changes:
rules/stream-events.rules | 4 ++-
src/decode-events.h | 1 +
src/decode-ipv6.c | 2 +-
src/detect-engine-event.h | 1 +
src/stream-tcp.c | 76 ++++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 81 insertions(+), 3 deletions(-)
hooks/post-receive
--
OISF
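
The four-condition check described in the stream commit message above, sketched as an added example; it is not Suricata's code from src/stream-tcp.c. The struct names, the definition of a proper window update, and comparing the ack against the opposite direction's next_seq are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe "a is after b" for 32-bit TCP sequence numbers. */
#define SEQ_GT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)

/* Hypothetical per-direction state, not Suricata's own structures. */
struct dir_state {
    uint32_t next_seq;   /* next sequence number expected from this sender */
    uint32_t window;     /* window this sender last advertised */
};

struct seg {             /* hypothetical view of one TCP segment */
    uint32_t seq, ack, window;
    uint16_t payload_len;
};

/* Assumption: a proper window update carries no data, sits exactly at the
 * expected sequence number and changes the window. */
static bool is_window_update(const struct dir_state *snd, const struct seg *s)
{
    return s->payload_len == 0 && s->seq == snd->next_seq &&
           s->window != snd->window;
}

/* True when all four conditions from the commit message hold. `peer` is the
 * opposite direction; comparing ack to its next_seq is an assumption. */
bool is_bad_window_update(const struct dir_state *snd,
                          const struct dir_state *peer, const struct seg *s)
{
    if (is_window_update(snd, s) || s->window >= snd->window)
        return false;                       /* legitimate, or not shrinking */
    uint32_t shrink = snd->window - s->window;
    return SEQ_GT(s->seq, snd->next_seq) &&   /* ahead of expected data */
           SEQ_GT(s->ack, peer->next_seq) &&  /* acks unseen data */
           shrink > s->payload_len;           /* shrinks more than it carries */
}

int main(void)
{
    /* Constructed state: sender expects seq 1000, advertised window 29200. */
    struct dir_state snd = { 1000, 29200 }, peer = { 5000, 65535 };
    struct seg bad = { 3000, 9000, 10, 0 };      /* constructed packet */
    struct seg upd = { 1000, 5000, 10, 0 };      /* proper window update */
    printf("bad=%d update=%d\n", is_bad_window_update(&snd, &peer, &bad),
           is_bad_window_update(&snd, &peer, &upd));
    return 0;
}
```

A segment that runs ahead of next_seq but acks only data already seen, as happens after ordinary packet loss, fails the ack condition and is not flagged.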