Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 10:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Improve analysis of TCP SYN/SYN-ACK reversal situations.

Browse source 
- Since it's just the handshake packets out of order, they're no
  longer treated as partial connections, which some protocol analyzers
  immediately refuse to look at.

- The TCP_Reassembler "is_orig" state failed to change, which led to
  protocol analyzers sometimes using the wrong value for that.

- Add a unit test which exercises the Connection::FlipRoles() code
  path (i.e. the SYN/SYN-ACK reversal situation).

Addresses BIT-1148.
This commit is contained in:
Jon Siwek 2014-03-11 16:56:17 -05:00
parent 063200c71a
commit 066473b1f1
7 changed files with 65 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/analyzer/protocol/tcp/TCP.cc
View file

@ -95,9 +95,9 @@ void TCP_Analyzer::Done()
void TCP_Analyzer::EnableReassembly()
{
SetReassembler(new TCP_Reassembler(this, this,
TCP_Reassembler::Forward, true, orig),
new TCP_Reassembler(this, this,
TCP_Reassembler::Forward, false, resp));
TCP_Reassembler::Forward, orig),
new TCP_Reassembler(this, this,
TCP_Reassembler::Forward, resp));
reassembling = 1;
@ -590,6 +590,7 @@ void TCP_Analyzer::UpdateInactiveState(double t,
// per the discussion in IsReuse.
// Flip the endpoints and establish
// the connection.
is_partial = 0;
Conn()->FlipRoles();
peer->SetState(TCP_ENDPOINT_ESTABLISHED);
}