[Snort-sigs] What is the FLUSH STREAM (in spp_stream4.c) for?

Jeff Nathan jeff at ...95...
Tue Jul 15 00:40:08 EDT 2003


--On Friday, July 11, 2003 15:04 +0800 "=?gb2312?B?1Pgg0KHBog==?=" 
<e_zxl at ...12...> wrote:

>
>
>       In spp_stream4.c there are various ACTIONS for the various TCP states.
> For example, if the TCP state for the client is SYN_SENT and you then
> receive a packet from the server with the flags TH_SYN|TH_ACK, the
> program takes the action ACTION_SET_SERVER_ISN. Most of the ACTIONS
> I can understand easily, but the one below I can't understand at
> all. In this case the TCP state for the client is still SYN_SENT, and
> then you receive a packet from the server with the flag TH_RST, and the
> program takes the action ACTION_FLUSH_CLIENT_STREAM |
> ACTION_FLUSH_SERVER_STREAM | ACTION_DROP_SESSION. What does FLUSH STREAM
> mean? The code for this case is like this:
>

It means that if the observed client (originating TCP) state is that of 
TH_SENT and a TCP reset is received from the server (receiving TCP) within 
the window of acceptable sequence numbers, the stream is flushed.

Flushing a stream normally means that accumulated stream data is rebuilt 
into a larger stream segment and re-inserted into the detection engine. 
When a stream is flushed other things occur as well, such as memory being 
freed up to deal with other streams.  There are several flush points within 
stream4 to cope with a number of oddities in TCP and the ways TCP stream 
reassemblers can be evaded or attacked.

The code below is part of a larger switch statement operating on the 
perceived state of the TCP session.  As you mention above, the state is 
TH_SENT and a RST is received.  If it's within the window of acceptable 
sequence numbers, the state of the client and the state of the server are 
set to closed within a Session pointer, the debug code is called (if 
necessary), and the values ACTION_FLUSH_CLIENT_STREAM, 
ACTION_FLUSH_SERVER_STREAM and ACTION_DROP_SESSION are combined using a 
bitwise-inclusive-OR.  The result of this bitwise-inclusive-OR is returned 
to the calling function.

-Jeff


>    if(p->tcph->th_flags & TH_RST)
>    {
>             /* check to make sure the RST is in window */
>             if(CheckRst(ssn, direction, pkt_seq, p))
>             {
>                      /* an in-window RST ends the session on both sides */
>                      ssn->client.state = CLOSED;
>                      ssn->server.state = CLOSED;
>
>                      DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
>                                   "   Client Transition: CLOSED\n");
>                      DebugMessage(DEBUG_STREAM,
>                                    "   Server Transition: CLOSED\n"););
>
>                      /* tell the caller to flush both streams and drop the session */
>                      return ACTION_FLUSH_CLIENT_STREAM |
>                                ACTION_FLUSH_SERVER_STREAM |
>                                ACTION_DROP_SESSION;
>             }
>     }
>
>    There are a lot of FLUSH STREAM cases in spp_stream4.c. Do you know
> the meaning of that?
>
>     Looking forward to your reply. Thank you in advance!
>
>
>
>
> Best regards
> Daisy

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- Albert Einstein
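The branch discussed in this thread, as an added example that is not Snort's code: a wrap-safe in-window test stands in for CheckRst() (its real logic is not on the page), the numeric values of the ACTION_* bits and the names rst_in_window, handle_server_rst, count_flushes and rst_tears_down are assumptions, and the caller side shows why the OR'd return value is taken apart bit by bit.

```c
#include <stdint.h>

/* Action bits as combined in the quoted stream4 code (numeric values assumed). */
#define ACTION_NOTHING             0x00
#define ACTION_FLUSH_CLIENT_STREAM 0x01
#define ACTION_FLUSH_SERVER_STREAM 0x02
#define ACTION_DROP_SESSION        0x04

enum tcp_state { SYN_SENT, CLOSED };
struct stream  { enum tcp_state state; uint32_t next_seq; uint32_t win; };
struct session { struct stream client, server; };

/* Wrap-safe "a <= b" for 32-bit sequence numbers. */
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Simplified stand-in for CheckRst(): honour the RST only if its sequence number
   lies in the window the receiving side expects, so a blind RST carrying an
   arbitrary sequence number cannot make the tracker discard a session. */
static int rst_in_window(const struct stream *rcv, uint32_t seq)
{
    return seq_leq(rcv->next_seq, seq) && seq_leq(seq, rcv->next_seq + rcv->win);
}

/* The SYN_SENT branch from the thread: close both sides and return the
   flush/drop actions OR'd together for the caller to act on. */
int handle_server_rst(struct session *ssn, uint32_t seq)
{
    if (ssn->client.state != SYN_SENT || !rst_in_window(&ssn->client, seq))
        return ACTION_NOTHING;
    ssn->client.state = ssn->server.state = CLOSED;
    return ACTION_FLUSH_CLIENT_STREAM | ACTION_FLUSH_SERVER_STREAM | ACTION_DROP_SESSION;
}

/* Caller side: the combined word is taken apart bit by bit. */
int count_flushes(int action)
{
    return !!(action & ACTION_FLUSH_CLIENT_STREAM) + !!(action & ACTION_FLUSH_SERVER_STREAM);
}

/* Start a session in SYN_SENT, feed one server RST, return 1 if it was torn
   down (both flushes plus drop returned, both sides CLOSED), else 0. */
int rst_tears_down(uint32_t expected, uint32_t win, uint32_t rst_seq)
{
    struct session s = { { SYN_SENT, expected, win }, { SYN_SENT, 0, 0 } };
    int a = handle_server_rst(&s, rst_seq);
    return count_flushes(a) == 2 && (a & ACTION_DROP_SESSION) != 0 &&
           s.client.state == CLOSED && s.server.state == CLOSED;
}
```

An RST whose sequence number falls outside the expected window leaves the session in SYN_SENT and returns ACTION_NOTHING; the wrap-safe comparison also accepts a window that straddles the 32-bit rollover.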