tests: add bug 7422 tests #2154
The tests are looking good and match the analysis given on the Suricata PR. Asked a question inline about file behavior.
    count: 1
    match:
      event_type: fileinfo
      fileinfo.sha256: 2a6d1d2d85129cf9e84290a94e7b4d7cfe09d80c47a899dbc04cc61cc737c5a4
Unable to understand the file behavior in this case.
Suricata logs file.size: 17146 and file.gaps: false.
But, there's a gap right after 6th file segment. Also, there is a lot more data than 17146 bytes. Could you please tell:
Q1: When should the file processing ideally stop?
Q2: Why are no gaps logged in fileinfo event?
I think the gap tracking for files is incomplete, possibly only working well for smb/nfs?
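As an added illustration (not code from suricata-verify, Suricata or this PR), the Python below mimics how a test.yaml `count`/`match` filter like the one quoted above selects eve.json events, and flags the inconsistency raised in the thread: a fileinfo record with `gaps: false` whose `size` is smaller than the data seen on the wire. The eve.json lines and the 40000-byte wire figure are constructed; only the sha256 and the 17146 size come from the page.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed eve.json lines (not real Suricata output). The sha256 is the one
# quoted in the test.yaml under review; file sizes and flow bytes are made up.
EVE_LINES = [
    '{"event_type":"flow","flow":{"bytes_toclient":40000}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"a.bin","gaps":false,'
    '"size":17146,"sha256":"2a6d1d2d85129cf9e84290a94e7b4d7cfe09d80c47a899dbc04cc61cc737c5a4"}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"b.bin","gaps":true,'
    '"size":512,"sha256":"0000000000000000000000000000000000000000000000000000000000000000"}}',
]


def resolve(event: Dict[str, Any], dotted_key: str) -> Any:
    """Walk a dotted key such as 'fileinfo.sha256' into a nested event dict."""
    node: Any = event
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def filter_events(lines: Iterable[str], match: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every event whose fields equal all key/value pairs in `match`."""
    events = (json.loads(line) for line in lines)
    return [e for e in events if all(resolve(e, k) == v for k, v in match.items())]


def check_passes(lines: Iterable[str], count: int, match: Dict[str, Any]) -> bool:
    """Simplified test.yaml semantics (assumption): the filter must hit exactly
    `count` events, so a stray duplicate fileinfo record fails the check."""
    return len(filter_events(lines, match)) == count


def suspicious_gap_tracking(event: Dict[str, Any], wire_bytes: int) -> bool:
    """Flag a fileinfo record that claims no gaps although the wire carried more
    data than the logged size, i.e. the pattern the reviewer asks about."""
    if event.get("event_type") != "fileinfo":
        return False
    fi = event["fileinfo"]
    return fi.get("gaps") is False and fi.get("size", 0) < wire_bytes
```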
Tests various forms of RST triggering handling of unACK'd data.
Add tests for bad handling of unacked data following a RST.
replaced by #2215
Tests various forms of RST triggering handling of unACK'd data.
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7422