suricata
suricata copied to clipboard
OISF
App layer error close txs 4318 v6
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/4318
Describe changes:
- app-layer: clean and "close" all txs if protocol reaches error state
Still need to test this, and check current app-layer parser returning error
Modifies #7243 with adding ticket number in message
Codecov Report
Merging #7513 (bea2797) into master (8377b9d) will decrease coverage by
0.09%. The diff coverage is100.00%.
@@ Coverage Diff @@
## master #7513 +/- ##
==========================================
- Coverage 75.83% 75.74% -0.10%
==========================================
Files 655 657 +2
Lines 186236 186373 +137
==========================================
- Hits 141239 141161 -78
- Misses 44997 45212 +215
| Flag | Coverage Δ | |
|---|---|---|
| fuzzcorpus | 59.97% <100.00%> (-0.11%) |
:arrow_down: |
| suricata-verify | 52.16% <88.88%> (-0.09%) |
:arrow_down: |
| unittests | 60.77% <88.88%> (-0.04%) |
:arrow_down: |
Flags with carried forward coverage won't be shown. Click here to find out more.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
One example where I am not sure how it should be dealt with :
if a HTP2 client does not send the magic banner, the app-layer parser returns an error. Should it return an error ? or Should it try to parse further frames ?
It looks like we have two cases here :
- both client and server were recognized using the app-layer protocol
- or client and server do not talk the same protocol
PS : the banner can be split over multiple TCP packets, and the server side may have created multiple transactions before getting the error