Merge remote-tracking branch 'origin/topic/jsiwek/gh-1164-fix-rst-conn-state'

* origin/topic/jsiwek/gh-1164-fix-rst-conn-state:
  GH-1164: Fix incorrect RSTOS0 conn_state determinations

CHANGES

@@ -1,4 +1,13 @@
 
+3.3.0-dev.275 | 2020-09-17 13:39:46 -0700
+
+  * GH-1164: Fix incorrect RSTOS0 conn_state determinations
+
+    The RSTOS0 `conn_state` label is documented as "Originator sent a SYN
+    followed by a RST, never saw SYN-ACK from responder", but was previously
+    applied to cases where no originator SYN exists, like a single RST-only
+    packet. (Jon Siwek, Corelight)
+
 3.3.0-dev.273 | 2020-09-17 13:11:44 -0700
 
   * GH-1119: add base/protcols/conn/removal-hooks.zeek

VERSION

@@ -1 +1 @@
-3.3.0-dev.273
+3.3.0-dev.275

scripts/base/protocols/conn/main.zeek

@@ -72,8 +72,8 @@ export {
 		## * SHR: Responder sent a SYN ACK followed by a FIN, we never saw a
 		##   SYN from the originator.
 		##
-		## * OTH: No SYN seen, just midstream traffic (a "partial connection"
-		##   that was not later closed).
+		## * OTH: No SYN seen, just midstream traffic (one example of this
+		##   is a "partial connection" that was not later closed).
 		conn_state:   string          &log &optional;
 
 		## If the connection is originated locally, this value will be T.
@@ -183,7 +183,17 @@ function conn_state(c: connection, trans: transport_proto): string
 				return "RSTR";
 			}
 		else if ( os == TCP_RESET )
-			return r_inactive ? "RSTOS0" : "RSTO";
+			{
+			if ( r_inactive )
+				{
+				if ( /\^?S[^HAFGIQ]*R.*/ == c$history )
+					return "RSTOS0";
+
+				return "OTH";
+				}
+
+			return "RSTO";
+			}
 		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
 			return "SF";
 		else if ( os == TCP_CLOSED )

testing/btest/Baseline/core.tunnels.teredo/conn.log

@@ -9,7 +9,7 @@
 1210953047.736921	ClEkJM2Vm5giqnMf4h	192.168.2.16	1576	75.126.130.163	80	tcp	-	0.000357	0	0	SHR	-	-	0	^fA	1	40	1	40	-
 1210953050.867067	C4J4Th3PJpwUYZZ6gc	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.000387	0	0	SHR	-	-	0	^fA	1	40	1	40	-
 1210953057.833364	C37jN32gN3y3AZzyf6	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.079208	0	0	SH	-	-	0	Fa	1	40	1	40	-
-1210953058.007081	CwjjYJ2WqgTbAqiHl6	192.168.2.16	1576	75.126.130.163	80	tcp	-	-	-	-	RSTOS0	-	-	0	R	1	40	0	0	-
+1210953058.007081	CwjjYJ2WqgTbAqiHl6	192.168.2.16	1576	75.126.130.163	80	tcp	-	-	-	-	OTH	-	-	0	R	1	40	0	0	-
 1210953057.834454	C3eiCBGOLw3VtHfOj	192.168.2.16	1578	75.126.203.78	80	tcp	http	0.407908	790	171	RSTO	-	-	0	ShADadR	6	1038	4	335	-
 1210953058.350065	C0LAHyvtKSQHyJxIl	192.168.2.16	1920	192.168.2.1	53	udp	dns	0.223055	66	438	SF	-	-	0	Dd	2	122	2	494	-
 1210953058.577231	CFLRIC3zaTU1loLGxh	192.168.2.16	137	192.168.2.255	137	udp	dns	1.499261	150	0	S0	-	-	0	D	3	234	0	0	-

testing/btest/Baseline/scripts.base.protocols.conn.conn_state-RST-behavior/out

@@ -0,0 +1,4 @@
+R, OTH
+SR, RSTOS0
+SaR, RSTOS0
+SaFR, OTH

testing/btest/scripts/base/protocols/conn/conn_state-RST-behavior.zeek

@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/single-rst.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn-then-rst.pcap %INPUT >>out
+# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn-then-ack-then-rst.pcap %INPUT >>out
+# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn-then-stuff-then-rst.pcap %INPUT >>out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/conn
+
+event connection_state_remove(c: connection)
+	{
+	print c$history, c$conn$conn_state;
+	}

testing/external/commit-hash.zeek-testing

@@ -1 +1 @@
-c88caca55f5f847a1b06b3e74935ec80b2936d2c
+59377d5d78f4251f89db615a1af6f031eb6342c6

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-b1728209d1011e0eddcf8248a5c7d6fe1a558592
+e814a2c80157e60caaa725fe140faa5ab75ccca6