Flow timing/v4.1 stream rst/v1.1 #2215
Conversation
Test checked for a flow log being generated by shutdown, but it is possible to have the flow manager handle it before shutdown. So in that case it would be "timeout". Since the test isn't about that, remove the check.
Tests various forms of RST triggering handling of unACK'd data.
Add tests for bad handling of unacked data following a RST.
| @@ -0,0 +1,560 @@ | |||
| %YAML 1.1 | |||
There was a problem hiding this comment.
Why do we need a so big suricata.yaml ?
There was a problem hiding this comment.
it's not so big I think, just app layer and eve sections really
There was a problem hiding this comment.
Sure, but how is it different than the default suricata.yaml ?
| count: 1 | ||
| match: | ||
| event_type: fileinfo | ||
| fileinfo.sha256: 8ff57c7fc0d4babd27e2e914ad9b556b1b980a69710d3917266ec1cb4edbb782 |
There was a problem hiding this comment.
Why do we need multiple tests ? What is the difference between tcp-rst-unacked-stream-10 and tcp-rst-unacked-stream-9 ?
There was a problem hiding this comment.
they are just multiple failure cases from tlpw1, showing slightly different issues (e.g. the flow counting being off in one shows that there are multiple paths taken)
There was a problem hiding this comment.
(e.g. the flow counting being off in one shows that there are multiple paths taken)
I do not understand this
Running suricata master on these tests I find stats.app_layer.flow.http: 1 for both tcp-rst-unacked-stream-09 and tcp-rst-unacked-stream-10
(so my interpretation of flow counting being off in one is not correct)
|
replaced by #2226 |
#2154 and #2203