[Snort-sigs] What is the FLUSH STREAM (in spp_stream4.c) for?
jeff at ...95...
Tue Jul 15 00:40:08 EDT 2003
--On Friday, July 11, 2003 15:04 +0800 "曾 小立"
<e_zxl at ...12...> wrote:
> In spp_stream4.c there are various ACTIONS for the various TCP states.
> For example, if the TCP state for the client is SYN_SENT, and then you
> receive a packet from the server with the flags TH_SYN | TH_ACK, the
> program takes an action of ACTION_SET_SERVER_ISN. Most of the ACTIONS
> I can understand easily. But the one below I can't understand at
> all. In this case the TCP state for the client is still SYN_SENT, and
> then you receive a packet from the server with the flags TH_RST, and then
> the program takes an action of ACTION_FLUSH_CLIENT_STREAM |
> ACTION_FLUSH_SERVER_STREAM | ACTION_DROP_SESSION. What does FLUSH STREAM
> mean? The code for this case is like this:
It means that if the observed client (originating TCP) state is that of
TH_SENT and a TCP reset is received from the server (receiving TCP) within
the window of acceptable sequence numbers, the stream is flushed.
Flushing a stream normally means that accumulated stream data is rebuilt
into a larger stream segment and re-inserted into the detection engine.
When a stream is flushed other things occur as well, such as memory being
freed up to deal with other streams. There are several flush points within
stream4 to cope with a number of oddities in TCP and the ways TCP stream
reassemblers can be evaded or attacked.
The code below is part of a larger switch statement operating on the
perceived state of the TCP session. As you mention above, the state is
TH_SENT and a RST is received. If it's within the window of acceptable
sequence numbers, the state of the client and the state of the server are
set to closed within a Session pointer, the debug code is called (if
necessary), and the values ACTION_FLUSH_CLIENT_STREAM,
ACTION_FLUSH_SERVER_STREAM and ACTION_DROP_SESSION are combined using a
bitwise-inclusive-OR. The result of this bitwise-inclusive-OR is returned
to the calling function.
> if(p->tcph->th_flags & TH_RST)
> {
>     /* check to make sure the RST is in window */
>     if(CheckRst(ssn, direction, pkt_seq, p))
>     {
>         ssn->client.state = CLOSED;
>         ssn->server.state = CLOSED;
>         /* debug-message calls (mangled in the archived copy) print:
>            " Client Transition: CLOSED\n"
>            " Server Transision: CLOSED\n" */
>         return ACTION_FLUSH_CLIENT_STREAM |
>                ACTION_FLUSH_SERVER_STREAM |
>                ACTION_DROP_SESSION;
>     }
> }
> There are a lot of FLUSH STREAM cases in spp_stream4.c. Do you know
> the meaning of that?
> Looking forward to your reply. Thank you in advance!
> Best regards
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre
-- Albert Einstein
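Added example, not part of the original message and not Snort's own source: a small C model of the case discussed in this thread. The client is in SYN_SENT, a RST arrives from the server, the RST is checked against the receiving window, both directions are flushed (buffered segments rebuilt in sequence order into one larger buffer and handed to a stand-in detection hook, then freed), and the caller tests the OR-ed action bits one at a time. The ACTION_* bit values, the window test in check_rst, the fixed-size segment table and the rebuilt buffer are all this example's own simplifications; the constructed scenario queues two out-of-order client segments and then delivers an in-window or out-of-window RST.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Action flags combined with bitwise inclusive OR, as stream4's ACTION_*
   flags are; the bit values here are this example's own, not Snort's. */
#define ACTION_NOTHING             0x00
#define ACTION_FLUSH_CLIENT_STREAM 0x01
#define ACTION_FLUSH_SERVER_STREAM 0x02
#define ACTION_DROP_SESSION        0x04

#define TH_RST 0x04
#define TH_ACK 0x10

enum tcp_state { SYN_SENT, ESTABLISHED, CLOSED };
#define MAX_SEGS 8

struct segment { uint32_t seq; size_t len; char *data; };

struct stream {
    enum tcp_state state;
    uint32_t rcv_nxt, rcv_win;     /* what this endpoint will accept next */
    struct segment segs[MAX_SEGS]; /* buffered, not yet reassembled */
    int nsegs;
};

struct session {
    struct stream client, server;
    char rebuilt[256];             /* last buffer handed to "detection" */
    size_t rebuilt_len;
    int detect_calls;
};

/* Buffer a copy of a data segment on one direction of the session. */
static int queue_segment(struct stream *s, uint32_t seq, const char *data, size_t len)
{
    if (s->nsegs == MAX_SEGS || !(s->segs[s->nsegs].data = malloc(len))) return -1;
    memcpy(s->segs[s->nsegs].data, data, len);
    s->segs[s->nsegs].seq = seq;
    s->segs[s->nsegs].len = len;
    s->nsegs++;
    return 0;
}

/* Flush one direction: rebuild its buffered segments, in sequence order,
   into one larger segment, hand that to the stand-in detection engine
   (here: copy into ssn->rebuilt and count the call), and free the
   segment memory. Returns the number of rebuilt bytes. */
static size_t flush_stream(struct session *ssn, struct stream *s)
{
    size_t total = 0;
    for (int i = 1; i < s->nsegs; i++) {          /* insertion sort by seq */
        struct segment t = s->segs[i];
        int j = i - 1;
        while (j >= 0 && (int32_t)(s->segs[j].seq - t.seq) > 0) { s->segs[j + 1] = s->segs[j]; j--; }
        s->segs[j + 1] = t;
    }
    for (int i = 0; i < s->nsegs; i++) {
        size_t n = s->segs[i].len;
        if (total + n > sizeof ssn->rebuilt) n = sizeof ssn->rebuilt - total;
        memcpy(ssn->rebuilt + total, s->segs[i].data, n);
        total += n;
        free(s->segs[i].data);                    /* memory back for other streams */
        s->segs[i].data = NULL;
    }
    s->nsegs = 0;
    if (total) { ssn->rebuilt_len = total; ssn->detect_calls++; }
    return total;
}

/* A RST counts only if its sequence number falls inside the receiving
   endpoint's window (simplified check, this example's own); a RST outside
   it is ignored, so it cannot by itself make the reassembler drop state. */
static int check_rst(const struct stream *receiver, uint32_t pkt_seq)
{
    return (uint32_t)(pkt_seq - receiver->rcv_nxt) < receiver->rcv_win;
}

/* The case from the question: client in SYN_SENT, packet arrives from the
   server. Returns an OR-ed mask of actions for the caller. */
static int server_packet_action(struct session *ssn, uint8_t flags, uint32_t pkt_seq)
{
    if (ssn->client.state == SYN_SENT && (flags & TH_RST) && check_rst(&ssn->client, pkt_seq)) {
        ssn->client.state = CLOSED;
        ssn->server.state = CLOSED;
        return ACTION_FLUSH_CLIENT_STREAM | ACTION_FLUSH_SERVER_STREAM | ACTION_DROP_SESSION;
    }
    return ACTION_NOTHING;
}

/* Release every buffered segment of a session without reassembling it. */
static void drop_session(struct session *ssn)
{
    struct stream *dirs[2] = { &ssn->client, &ssn->server };
    for (int d = 0; d < 2; d++) {
        for (int i = 0; i < dirs[d]->nsegs; i++) free(dirs[d]->segs[i].data);
        dirs[d]->nsegs = 0;
    }
}

/* Caller side: test each bit of the returned mask and act on it. */
static int process_server_packet(struct session *ssn, uint8_t flags, uint32_t pkt_seq)
{
    int action = server_packet_action(ssn, flags, pkt_seq);
    if (action & ACTION_FLUSH_CLIENT_STREAM) flush_stream(ssn, &ssn->client);
    if (action & ACTION_FLUSH_SERVER_STREAM) flush_stream(ssn, &ssn->server);
    if (action & ACTION_DROP_SESSION) drop_session(ssn);
    return action;
}

/* Constructed scenario: client in SYN_SENT with two data segments buffered
   out of order; the server answers with a RST at sequence number rst_seq.
   The client's acceptable window is [1000, 1000 + 8192). */
static int demo_rst(struct session *ssn, uint32_t rst_seq)
{
    memset(ssn, 0, sizeof *ssn);
    ssn->client.state = SYN_SENT;
    ssn->client.rcv_nxt = 1000;
    ssn->client.rcv_win = 8192;
    queue_segment(&ssn->client, 5, "WORLD", 5);
    queue_segment(&ssn->client, 0, "HELLO", 5);
    return process_server_packet(ssn, TH_RST | TH_ACK, rst_seq);
}
```

With an in-window RST, demo_rst returns the three flags OR-ed together, both endpoint states are CLOSED, the client's two segments come out of the flush as one 10-byte buffer in sequence order, and nothing stays allocated; with the RST outside the window the mask is ACTION_NOTHING and the session is left exactly as it was.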