diff --git a/rules/stream-events.rules b/rules/stream-events.rules
index 7ea3261862b..39435819f53 100644
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@@ -91,5 +91,8 @@ alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; f
 # Packet on wrong thread. Fires at most once per flow.
 alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
-# next sid 2210060
+# Packet with FIN+SYN set
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
+
+# next sid 2210061
diff --git a/src/decode-events.c b/src/decode-events.c
index f96c574fa84..a4ec4e697b7 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -723,6 +723,10 @@ const struct DecodeEvents_ DEvents[] = {
         "stream.fin_out_of_window",
         STREAM_FIN_OUT_OF_WINDOW,
     },
+    {
+        "stream.fin_syn",
+        STREAM_FIN_SYN,
+    },
     {
         "stream.lastack_ack_wrong_seq",
         STREAM_LASTACK_ACK_WRONG_SEQ,
diff --git a/src/decode-events.h b/src/decode-events.h
index 886cedf3a69..b82fa235d88 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -254,6 +254,7 @@ enum {
     STREAM_FIN2_INVALID_ACK,
     STREAM_FIN_BUT_NO_SESSION,
     STREAM_FIN_OUT_OF_WINDOW,
+    STREAM_FIN_SYN,
     STREAM_LASTACK_ACK_WRONG_SEQ,
     STREAM_LASTACK_INVALID_ACK,
     STREAM_RST_BUT_NO_SESSION,
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index a170f902667..e6ab8b2bd28 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -2750,6 +2750,11 @@ static int StreamTcpHandleFin(ThreadVars *tv, StreamTcpThread *stt,
         return -1;
     }
+    if (p->tcph->th_flags & TH_SYN) {
+        SCLogDebug("ssn %p: FIN+SYN", ssn);
+        StreamTcpSetEvent(p, STREAM_FIN_SYN);
+        return -1;
+    }
     StreamTcpPacketSetState(p, ssn, TCP_CLOSE_WAIT);
     SCLogDebug("ssn %p: state changed to TCP_CLOSE_WAIT", ssn);
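Review bot: The new rule's `msg` ("SURICATA STREAM FIN SYN reuse") speaks of session reuse, while the comment above it, the event name `fin_syn` and the check added in src/stream-tcp.c only concern a FIN segment that also has SYN set; as far as this diff shows, nothing examines reuse. The two should agree so an analyst does not read the alert as a detected session-reuse attempt: either rename the message or make the comment state what fires it, e.g. `# Packet with both FIN and SYN set (invalid flag combination)`. The neighbouring wrong_thread rule carries no classtype while this one does; the file would read more consistently with one convention.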
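Review bot: The FIN+SYN test is placed after a preceding check (its condition is outside the hunk) that already returns -1, so a segment carrying both flags that also trips that earlier check is reported under the earlier event and never as STREAM_FIN_SYN; if the flag combination itself is what should be surfaced, the `th_flags & TH_SYN` test belongs before it. The block also lacks a why-comment, and nothing nearby explains the rejection; I would add `/* SYN and FIN on the same segment is not a valid combination: raise an event and do not let it advance the session to CLOSE_WAIT. */` above the `if`. StreamTcpHandleFin starts and ends outside the hunk, so what the caller does with the -1 return, and whether this handler is reached from every session state in which such a segment can arrive, cannot be confirmed here.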