Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Improve TCP connection size reporting for half-open connections.

Browse source 
If TCP endpoint A and B are synchronized at some point, but A
closes/aborts/crashes and B goes on without knowledge of it and then A
tries to re-synchronize, Bro could end up seeing something like
(sequence numbers made up):

A: SYN 100
B: ACK 500
A: RST 500

The final sequence number of A, in this case, is not useful in the
context of determining the number of data bytes sent by A, so Bro now
reports that as 0 (where before it could often be misleadingly large).
This commit is contained in:
Jon Siwek 2014-01-24 16:32:55 -06:00
parent 9b12967d40
commit 6d46144c3b
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/analyzer/protocol/tcp/TCP_Endpoint.cc
View file

@ -161,6 +161,13 @@ void TCP_Endpoint::SetState(EndpointState new_state)
bro_int_t TCP_Endpoint::Size() const bro_int_t TCP_Endpoint::Size() const
{ {
if ( prev_state == TCP_ENDPOINT_SYN_SENT && state == TCP_ENDPOINT_RESET &&
peer->state == TCP_ENDPOINT_INACTIVE && ! NoDataAcked() )
// This looks like a half-open connection was discovered and aborted.
// Sequence numbers could be misleading if used in context of data size
// and there was never a chance for this endpoint to send data anyway.
return 0;
bro_int_t size; bro_int_t size;
uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq; uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq;