Project

General

Profile

Actions

Feature #1373

closed

Allow different reassembly depth for filestore rules

Added by Duane Howard almost 8 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

In order to capture full files, stream reassembly depth needs to be > file length, in many cases this would mean expanding stream reassembly to several MB. However for non-filestore rules most badness and detection can happen in the first few KB, so reassembling seems wasteful. It could be interesting to have a distinct option to reassemble streams that match of filestore rules to a different depth than those that are not filestore rules.

Actions #1

Updated by Victor Julien over 7 years ago

I guess setting those flows/sessions to 'unlimited' would be good enough? Or would a more gradual approach be better?

Actions #2

Updated by Duane Howard over 7 years ago

It could be good enough, but it could cause other issues (DoS comes to mind, filling up a disk). It'd be helpful to be able to say:

for all alert type rules, inspect up to 2MB
For files, extract up to 15MB or similar.

Actions #3

Updated by Peter Manev over 7 years ago

I think 'unlimited' can have serious drawbacks on high traffic. The suggestion before seems sane.

Actions #4

Updated by Duane Howard about 7 years ago

As discussed during the user conference a solid way forward with this might be to be able to specify a unique depth in the filestore rule itself. (maybe we could reuse the 'tag' keyword?) This would allow a lot of flexibility in defining how long to track and write stream content based on each file type, etc.

Actions #5

Updated by Victor Julien about 7 years ago

  • Target version set to 70
Actions #6

Updated by Andreas Herz almost 7 years ago

  • Assignee set to OISF Dev
Actions #7

Updated by Duane Howard over 6 years ago

This seems like something that would be reasonable to target for 3.1, yes?

Actions #8

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Giuseppe Longo

Eric and Giuseppe are working on this.

Actions #9

Updated by chris K. over 6 years ago

What's the status of this feature request? It would be useful in my organization too. Thanks.

Actions #10

Updated by Victor Julien about 6 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2beta1
Actions

Also available in: Atom PDF