mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00

That field is based on TCP sequence numbers, and on seeing a SYN followed by a failed RST injection response, the initial sequence number tracked the value in the injection (most likely zero) instead of the value in the subsequent SYN response. This could make c$resp$size be set to large values when it's not really. Also removed some dead code paths.
12 lines
353 B
Text
# @TEST-EXEC: bro -b -r $TRACES/tcp/rst-inject-rae.trace %INPUT
# @TEST-EXEC: btest-diff .stdout

# Mostly just checking that c$resp$size isn't huge due to the injected
# RST packet being used to initialize sequence number in TCP analyzer.

event connection_state_remove(c: connection)
	{
	print c$id;
	print "orig:", c$orig;
	print "resp:", c$resp;
	}
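
An added illustration, not part of the Zeek repository: a simplified Python model of the sequence-number bookkeeping the commit message describes, run over constructed responder packets. The names `endpoint_size` and `reinit_on_syn`, the packet tuples and the ISN value are assumptions made for this example and do not reproduce Zeek's analyzer code.

```python
# Simplified model (an assumption, not Zeek's TCP analyzer): an endpoint's
# size is the sequence-space distance from its initial sequence number (ISN)
# to the highest sequence number seen, modulo 2**32. SYN and FIN each
# consume one sequence number, so they are included in the span.
MOD = 2 ** 32

# Constructed responder-side packets: (flags, seq, payload_len).
# An injected RST with sequence number 0 arrives before the real SYN-ACK.
REAL_ISN = 3_000_000_000
RESP_PACKETS = [
    ("R", 0, 0),                # injected RST that fails to kill the connection
    ("SA", REAL_ISN, 0),        # genuine SYN-ACK from the responder
    ("A", REAL_ISN + 1, 500),   # 500 bytes of payload
    ("FA", REAL_ISN + 501, 0),  # FIN
]


def endpoint_size(packets, reinit_on_syn):
    """Return the modelled endpoint size for one direction.

    reinit_on_syn=False: the first packet seen fixes the ISN, which is the
    behaviour the commit message describes as the bug.
    reinit_on_syn=True: a later SYN replaces an ISN that was learned from
    a non-SYN packet such as the injected RST.
    """
    isn = None
    isn_from_syn = False
    last = None
    for flags, seq, length in packets:
        is_syn = "S" in flags
        is_fin = "F" in flags
        if isn is None or (reinit_on_syn and is_syn and not isn_from_syn):
            isn, isn_from_syn, last = seq, is_syn, seq
        end = (seq + length + int(is_syn) + int(is_fin)) % MOD
        # Advance only when the packet extends the span measured from the ISN.
        if (end - isn) % MOD > (last - isn) % MOD:
            last = end
    return (last - isn) % MOD


if __name__ == "__main__":
    print("ISN taken from injected RST:", endpoint_size(RESP_PACKETS, False))
    print("ISN re-initialised on SYN-ACK:", endpoint_size(RESP_PACKETS, True))
```
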