From 0ef709ae7c02524d7fbce3853c36ed08ac47a220 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Tue, 8 Nov 2022 13:25:20 +0100
Subject: [PATCH] Add some missing bits when flipping endpoints.

Couple places missed flipping state.
---
 src/analyzer/Analyzer.h | 6 ++++++
 src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index f5387a2f4a..63b90aa3cd 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -860,6 +860,12 @@ public:
 */
 void ForwardUndelivered(uint64_t seq, int len, bool orig) override;
 
+ /**
+ * Signals that Zeek has flipped the direction of the connection, meaning
+ * that originator and responder state need to be swapped.
+ */
+ void FlipRoles() override { orig = ! orig; }
+
 protected:
 friend class Analyzer;
 
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
index 3bd418ea86..a85545a407 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
@@ -1162,6 +1162,9 @@ void TCPSessionAdapter::FlipRoles()
 orig = tmp_ep;
 orig->is_orig = ! orig->is_orig;
 resp->is_orig = ! resp->is_orig;
+ first_packet_seen = ((first_packet_seen & ORIG) ? RESP : 0) |
+ ((first_packet_seen & RESP) ? ORIG : 0);
+ is_partial = 0; // resetting, it may be re-established later
 }
 
 void TCPSessionAdapter::UpdateConnVal(RecordVal* conn_val)
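Review bot: The new `FlipRoles()` override in Analyzer.h only inverts this analyzer's own `orig` flag and never calls the implementation it overrides. That base implementation is not visible in the hunk; if it forwards the flip to child or support analyzers, anything attached below this one would keep the old direction and attribute payload to the wrong endpoint, which skews direction-sensitive detection. If skipping the base is deliberate, say so in the doc comment, e.g. `* Only this analyzer's direction flag changes; the parent flips everything else.`; otherwise, assuming `Analyzer` is the base, use `void FlipRoles() override { Analyzer::FlipRoles(); orig = ! orig; }`. The enclosing class starts and ends outside the hunk.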
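Review bot: `is_partial = 0` in `TCPSessionAdapter::FlipRoles()` clears the partial-connection flag on every flip, and the trailing comment says it may be re-established later without naming where. Nothing in this hunk shows the path that sets it again, so a connection picked up mid-stream and then flipped may look complete to any consumer that checks the flag. Name the restoring path in the comment, e.g. `// reset: derived for the old orientation; set again in <function that sets is_partial>`, and add a regression trace for a flipped partial connection, since the diffstat lists no test file. The swap above it also appears to assume `first_packet_seen` carries only the `ORIG` and `RESP` bits, which a one-line comment should state. `FlipRoles()` begins before the hunk.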