Merge remote-tracking branch 'origin/topic/jsiwek/gh-1164-fix-rst-conn-state'

* origin/topic/jsiwek/gh-1164-fix-rst-conn-state: GH-1164: Fix incorrect RSTOS0 conn_state determinations
2025-10-02 06:38:20 +00:00 · 2020-09-17 13:39:46 -07:00 · 2020-09-17 13:39:46 -07:00 · 6b93020c6f
commit 6b93020c6f
parent 3b641870dc a16bd47bf7
13 changed files with 1375 additions and 1340 deletions
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -72,8 +72,8 @@ export {
 		## * SHR: Responder sent a SYN ACK followed by a FIN, we never saw a
 		##   SYN from the originator.
 		##
-		## * OTH: No SYN seen, just midstream traffic (a "partial connection"
-		##   that was not later closed).
+		## * OTH: No SYN seen, just midstream traffic (one example of this
+		##   is a "partial connection" that was not later closed).
 		conn_state:   string          &log &optional;

 		## If the connection is originated locally, this value will be T.
@ -183,7 +183,17 @@ function conn_state(c: connection, trans: transport_proto): string
 				return "RSTR";
 			}
 		else if ( os == TCP_RESET )
-			return r_inactive ? "RSTOS0" : "RSTO";
+			{
+			if ( r_inactive )
+				{
+				if ( /\^?S[^HAFGIQ]*R.*/ == c$history )
+					return "RSTOS0";
+
+				return "OTH";
+				}
+
+			return "RSTO";
+			}
 		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
 			return "SF";
 		else if ( os == TCP_CLOSED )