Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 08:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'topic/jsbarber/rexmit-patch' of https://github.com/jsbarber/zeek

Browse source 
* 'topic/jsbarber/rexmit-patch' of https://github.com/jsbarber/zeek:
  Duplicate TCP segment should trigger tcp_multiple_retransmissions
This commit is contained in:
Jon Siwek 2019-07-29 20:15:27 -07:00
commit db9f81a890
12 changed files with 35 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.6-711 | 2019-07-29 20:15:27 -0700
* Fix duplicate TCP packets not being detected as retransmissions (Jeff Barber)
2.6-708 | 2019-07-30 02:46:39 +0000 2.6-708 | 2019-07-30 02:46:39 +0000
* Add an additional license file, COPYING.3rdparty, that collects * Add an additional license file, COPYING.3rdparty, that collects

2
VERSION
View file

@ -1 +1 @@
2.6-708 2.6-711

4
src/analyzer/protocol/tcp/TCP.cc
View file

@ -891,6 +891,8 @@ static void init_endpoint(TCP_Endpoint* endpoint, TCP_Flags flags,
// numbering consistent. // numbering consistent.
endpoint->InitAckSeq(first_seg_seq - 1); endpoint->InitAckSeq(first_seg_seq - 1);
endpoint->InitStartSeq(first_seg_seq - 1); endpoint->InitStartSeq(first_seg_seq - 1);
// But ensure first packet is not marked duplicate
last_seq = first_seg_seq;
} }
endpoint->InitLastSeq(last_seq); endpoint->InitLastSeq(last_seq);
@ -1019,7 +1021,7 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
// ## endpoint->last_seq = last_seq; // ## endpoint->last_seq = last_seq;
endpoint->UpdateLastSeq(last_seq); endpoint->UpdateLastSeq(last_seq);
else if ( delta_last < 0 && len > 0 ) else if ( delta_last <= 0 && len > 0 )
endpoint->DidRxmit(); endpoint->DidRxmit();
return delta_last; return delta_last;

6
testing/btest/Baseline/core.pppoe-over-qinq/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path conn #path conn
#open 2018-08-01-20-09-03 #open 2019-07-26-20-04-59
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1523351398.449222 CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF - - 0 ShADdtaTTFf 44 25283 42 13001 - 1523351398.449222 CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF - - 0 ShADdtaTTtFf 44 25283 42 13001 -
#close 2018-08-01-20-09-03 #close 2019-07-26-20-05-00

3
testing/btest/Baseline/core.tcp.tcp-dups/out Normal file
View file

@ -0,0 +1,3 @@
RETRANSMITS:, [orig_h=192.168.0.102, orig_p=53206/tcp, resp_h=192.168.0.112, resp_p=22/tcp], T, 10, ShADTadtT
RETRANSMITS:, [orig_h=192.168.0.102, orig_p=53206/tcp, resp_h=192.168.0.112, resp_p=22/tcp], F, 10, ShADTadtTt
REMOVE:, [orig_h=192.168.0.102, orig_p=53206/tcp, resp_h=192.168.0.112, resp_p=22/tcp], ShADTadtTtFf

6
testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path conn #path conn
#open 2016-07-13-16-16-21 #open 2019-07-26-20-05-28
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1078232251.833846 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF - - 0 ShADadfF 14 2257 16 944 - 1078232251.833846 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF - - 0 ShADadtTfF 14 2257 16 944 -
#close 2016-07-13-16-16-21 #close 2019-07-26-20-05-29

6
testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log
View file

@ -3,9 +3,9 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path conn #path conn
#open 2016-07-13-16-16-28 #open 2019-07-26-20-10-57
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1311189318.898709 ClEkJM2Vm5giqnMf4h 192.168.1.77 57655 209.197.168.151 1024 tcp irc-dcc-data 2.256935 124 42208 SF - - 0 ShAdDaFf 28 1592 43 44452 - 1311189318.898709 ClEkJM2Vm5giqnMf4h 192.168.1.77 57655 209.197.168.151 1024 tcp irc-dcc-data 2.256935 124 42208 SF - - 0 ShAdDaFf 28 1592 43 44452 -
1311189164.064603 CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 - - 0 ShADdaf 63 3761 52 28194 - 1311189164.064603 CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 - - 0 ShADdTtaf 63 3761 52 28194 -
#close 2016-07-13-16-16-28 #close 2019-07-26-20-10-58

2
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
View file

File diff suppressed because one or more lines are too long

BIN
testing/btest/Traces/tcp/ssh-dups.pcap Normal file
View file

Binary file not shown.

12
testing/btest/core/tcp/tcp-dups.zeek Normal file
View file

@ -0,0 +1,12 @@
# @TEST-EXEC: zeek -C -r $TRACES/tcp/ssh-dups.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
event tcp_multiple_retransmissions(c: connection, is_orig: bool, threshold: count)
{
print "RETRANSMITS:", c$id, is_orig, threshold, c$history;
}
event connection_state_remove(c: connection)
{
print "REMOVE:", c$id, c$history;
}

2
testing/external/commit-hash.zeek-testing vendored
View file

@ -1 +1 @@
84239d2fdd2f491f436f8597e8b6ca5fb93f7a5f 4e78e7e6f9baf56ec6303d2580f380628fd31e36

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
e485d5c6ce4407c9b62880e075b1ba86d8d563cd d4500752b4359db494d4f24b04543986e76eefec