From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 7/7] suricata: Handle retransmitted SYN with TSval
Date: Fri, 19 Nov 2021 17:44:58 +0000 [thread overview]
Message-ID: <20211119174458.789486-7-michael.tremer@ipfire.org> (raw)
In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 3667 bytes --]
Read more in the patch.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
lfs/suricata | 1 +
...-Handle-retransmitted-SYN-with-TSval.patch | 55 +++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
diff --git a/lfs/suricata b/lfs/suricata
index 38289962f..b54a038c3 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
--prefix=/usr \
--sysconfdir=/etc \
diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
new file mode 100644
index 000000000..fcea77cfa
--- /dev/null
+++ b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
@@ -0,0 +1,55 @@
+From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer(a)ipfire.org>
+Date: Fri, 19 Nov 2021 17:17:47 +0000
+Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
+
+For connections that use TCP timestamps for which the first SYN packet
+does not reach the server, any replies to retransmitted SYNs will be
+tropped.
+
+This is happening in StateSynSentValidateTimestamp, where the timestamp
+value in a SYN-ACK packet must match the one from the SYN packet.
+However, since the server never received the first SYN packet, it will
+respond with an updated timestamp from any of the following SYN packets.
+
+The timestamp value inside suricata is not being updated at any time
+which should happen. This patch fixes that problem.
+
+This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
+
+Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
+---
+ src/stream-tcp.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/stream-tcp.c b/src/stream-tcp.c
+index 1cff19fa5..af681760b 100644
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
+ "ssn->client.last_ack %"PRIu32"", ssn,
+ ssn->client.isn, ssn->client.next_seq,
+ ssn->client.last_ack);
++ } else if (PKT_IS_TOSERVER(p)) {
++ /*
++ * On retransmitted SYN packets, the timestamp value must be updated,
++ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
++ * with an updated timestamp in StateSynSentValidateTimestamp.
++ */
++ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
++ uint32_t ts_val = TCP_GET_TSVAL(p);
++
++ // Check whether packets have been received in the correct order (only ever update)
++ if (ssn->client.last_ts < ts_val) {
++ ssn->client.last_ts = ts_val;
++ ssn->client.last_pkt_ts = p->ts.tv_sec;
++ }
++
++ SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
++ }
+ }
+
+ /** \todo check if it's correct or set event */
+--
+2.30.2
+
--
2.30.2
prev parent reply other threads:[~2021-11-19 17:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-19 17:44 [PATCH 1/7] suricata: Include all default rules Michael Tremer
2021-11-19 17:44 ` [PATCH 2/7] rust: Drop Cargo home directory after build Michael Tremer
2021-11-19 17:44 ` [PATCH 3/7] suricata: Drop extra rootfiles Michael Tremer
2021-11-19 17:44 ` [PATCH 4/7] suricata: This package is supported on all architectures Michael Tremer
2021-11-24 14:54 ` Arne Fitzenreiter
2021-11-24 16:53 ` Michael Tremer
2021-11-19 17:44 ` [PATCH 5/7] suricata: Load *.config files from default location Michael Tremer
2021-11-22 4:21 ` Stefan Schantl
2021-11-22 9:52 ` Michael Tremer
2021-11-19 17:44 ` [PATCH 6/7] IPS: Do not try to show rules when stat on rules tarball fails Michael Tremer
2021-11-19 17:44 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211119174458.789486-7-michael.tremer@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox