Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 09:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/robin/gh-2426-flipping'

Browse source 
* origin/topic/robin/gh-2426-flipping:
  Fixing productive connections with missing SYN still considered partial after flipping direction.
  Add some missing bits when flipping endpoints.
This commit is contained in:
Robin Sommer 2022-11-18 11:49:47 +01:00
commit d2585e21be
No known key found for this signature in database
GPG key ID: D8187293B3FFE5D0
10 changed files with 62 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
View file

@ -787,6 +787,11 @@ void TCPSessionAdapter::SetPartialStatus(analyzer::tcp::TCP_Flags flags, bool is
}
}
void TCPSessionAdapter::SetFirstPacketSeen(bool is_orig)
{
first_packet_seen |= (is_orig ? ORIG : RESP);
}
void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, uint32_t base_seq,
uint32_t ack_seq, int len, bool is_orig,
@ -829,6 +834,7 @@ void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoin
is_partial = 0;
Conn()->FlipRoles();
peer->SetState(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
SetFirstPacketSeen(true);
}
else
@ -913,6 +919,7 @@ void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoin
// as partial and instead establish the connection.
endpoint->SetState(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
is_partial = 0;
SetFirstPacketSeen(is_orig);
}
else
@ -1162,6 +1169,9 @@ void TCPSessionAdapter::FlipRoles()
orig = tmp_ep;
orig->is_orig = ! orig->is_orig;
resp->is_orig = ! resp->is_orig;
first_packet_seen = ((first_packet_seen & ORIG) ? RESP : 0) |
((first_packet_seen & RESP) ? ORIG : 0);
is_partial = 0; // resetting, it may be re-established later
}
void TCPSessionAdapter::UpdateConnVal(RecordVal* conn_val)

2
src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
View file

@ -80,6 +80,7 @@ public:
protected:
friend class analyzer::tcp::TCP_ApplicationAnalyzer;
friend class analyzer::tcp::TCP_Endpoint;
friend class analyzer::tcp::TCP_Reassembler;
friend class analyzer::pia::PIA_TCP;
friend class packet_analysis::TCP::TCPAnalyzer;
@ -95,6 +96,7 @@ protected:
bool IsReuse(double t, const u_char* pkt) override;
void SetPartialStatus(analyzer::tcp::TCP_Flags flags, bool is_orig);
void SetFirstPacketSeen(bool is_orig);
// Update the state machine of the TCPs based on the activity. This
// includes our pseudo-states such as TCP_ENDPOINT_PARTIAL.