[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-2.0.2-113-g6b0ff01

OISF Git noreply at openinfosecfoundation.org
Fri Aug 8 06:44:26 UTC 2014

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  6b0ff0193d9e3a7f4c2c909ef463d8a9c858c42b (commit)
       via  7cc63918c365a8aecde09455a22a026b5f75beae (commit)
      from  2b84cd948381c3e33d728160a4c19b3a912bff94 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6b0ff0193d9e3a7f4c2c909ef463d8a9c858c42b
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jul 17 00:23:50 2014 +0200

    stream: detect and filter out bad window updates

    Reported in bug 1238 is an issue where stream reassembly can be

    A packet that was in-window, but otherwise unexpected set the
    window to a really low value, causing the next *expected* packet
    to be considered out of window. This led to missing data in the
    stream reassembly.

    The packet was unexpected in various ways:
    - it would ack unseen traffic
    - its sequence number would not match the expected next_seq
    - set a really low window, while not being a proper window update

    Detection however, is greatly hampered by the fact that in case of
    packet loss, quite similar packets come in. Alerting in this case
    is unwanted. Ignoring/skipping packets in this case as well.

    The logic used in this patch is as follows. If:
    - the packet is not a window update AND
    - packet seq > next_seq AND
    - packet ack > next_seq (packet acks unseen data) AND
    - packet shrinks window more than its own data size
    THEN set event and skip the packet in the stream engine.

    So in case of a segment with no data, any window shrinking is rejected.

    Bug #1238.

commit 7cc63918c365a8aecde09455a22a026b5f75beae
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Aug 7 15:02:56 2014 +0200

    ipv6: fix dst/hop header option parsing

    The extension header option parsing used a uint8_t internally. However,
    much bigger option sizes are valid.


Summary of changes:
 rules/stream-events.rules |    4 ++-
 src/decode-events.h       |    1 +
 src/decode-ipv6.c         |    2 +-
 src/detect-engine-event.h |    1 +
 src/stream-tcp.c          |   76 ++++++++++++++++++++++++++++++++++++++++++++-
 5 files changed, 81 insertions(+), 3 deletions(-)
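
The four-condition filter described in the first commit message, written out as an added example; this is not the code from src/stream-tcp.c. The struct layouts, the function names, the definition of a "window update", and comparing the ACK against the opposite direction's next_seq are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe "a is after b" for 32-bit TCP sequence numbers. */
#define SEQ_GT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)

/* Hypothetical, simplified state for one direction (not Suricata's structs). */
struct dir_state {
    uint32_t next_seq; /* next sequence number expected from this sender */
    uint32_t window;   /* window this sender last advertised (scaled) */
};

struct seg {
    uint32_t seq, ack, window; /* window already scaled */
    uint16_t payload_len;
};

/* Assumption: a window update carries no data, sits exactly at next_seq,
 * and advertises a different window. */
static bool is_window_update(const struct dir_state *snd, const struct seg *p)
{
    return p->payload_len == 0 && p->seq == snd->next_seq &&
           p->window != snd->window;
}

/* True when all four conditions hold: the caller sets an event and skips p.
 * snd = the sender's direction, rcv = the opposite direction (assumed to
 * hold the next_seq that the ACK is compared against). */
bool bad_window_update(const struct dir_state *snd,
                       const struct dir_state *rcv, const struct seg *p)
{
    if (is_window_update(snd, p)) return false;
    if (!SEQ_GT(p->seq, snd->next_seq)) return false; /* seq > next_seq */
    if (!SEQ_GT(p->ack, rcv->next_seq)) return false; /* acks unseen data */
    if (p->window >= snd->window) return false;       /* window not shrunk */
    return snd->window - p->window > p->payload_len;  /* shrink > own data */
}

int main(void)
{
    /* Constructed sample values, not taken from bug 1238. */
    struct dir_state snd = {1000, 29200}, rcv = {5000, 29200};
    struct seg odd = {2460, 6448, 100, 0};
    printf("skip=%d\n", bad_window_update(&snd, &rcv, &odd));
    return 0;
}
```

A segment that is ahead of next_seq but does not ack unseen data, which is what ordinary packet loss tends to produce, fails the third condition and is processed normally.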

