Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

GH-1164: Fix incorrect RSTOS0 conn_state determinations

Browse source 
The RSTOS0 `conn_state` label is documented as "Originator sent a SYN
followed by a RST, never saw SYN-ACK from responder", but was previously
applied to cases where no originator SYN exists, like a single RST-only
packet.
This commit is contained in:
Jon Siwek 2020-09-11 16:14:41 -07:00
parent 5945aec7e8
commit a16bd47bf7
11 changed files with 1365 additions and 1339 deletions
Download patch file Download diff file Expand all files Collapse all files

12
testing/btest/scripts/base/protocols/conn/conn_state-RST-behavior.zeek Normal file
View file

@ -0,0 +1,12 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/single-rst.pcap %INPUT >out
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn-then-rst.pcap %INPUT >>out
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn-then-ack-then-rst.pcap %INPUT >>out
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn-then-stuff-then-rst.pcap %INPUT >>out
# @TEST-EXEC: btest-diff out
@load base/protocols/conn
event connection_state_remove(c: connection)
{
print c$history, c$conn$conn_state;
}