Feature #1576
http: byte-range support
Description
Not currently supported by libhtp: https://github.com/OISF/libhtp/issues/58
Some discussion: https://lists.openinfosecfoundation.org/pipermail/oisf-devel/2015-October/003492.html
Related issues
Updated by Victor Julien about 3 years ago
- Related to Feature #2485: http: log byte range with file extraction added
Updated by Raymond Hansen over 2 years ago
First step would be to document the chunks of file(s) as identified per sensor, if multiple sensors are in use.
Updated by Victor Julien over 2 years ago
- Has duplicate Bug #2326: File extraction not properly handling http range requests added
Updated by Victor Julien about 2 years ago
- Related to Feature #1017: Add support for content-range added
Updated by Philippe Antoine about 2 years ago
My understanding is the following :
We now log the byte-range but we would like suricata to handle the complete file reassembly (in case there is any).
Is that correct ?
Is there already an example of suricata of reassembly over TCP ? And in this case over different flows ?
Updated by Philippe Antoine over 1 year ago
First is rebuilding the file if multiple requests/responses are in the same flow
Updated by Andreas Herz over 1 year ago
Does anyone remember WHAT smaller tasks we wanted to create :)?
Updated by Philippe Antoine over 1 year ago
First is rebuilding file if multiple transactions are in the same flow (maybe first subclass, if they are in the right order)
Then next task would be to see what to do if the transactions are across many flows
Updated by Philippe Antoine over 1 year ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine about 1 year ago
- Status changed from In Review to Assigned
- Target version changed from 6.0.0beta1 to 7.0rc1
PR needs deeper work to have something generic over multiple flows cf https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94
https://github.com/OISF/suricata/pull/4818
https://github.com/OISF/suricata-verify/pull/171
Updated by Victor Julien 12 months ago
- Related to deleted (Feature #1017: Add support for content-range)
Updated by Victor Julien 12 months ago
- Has duplicate Feature #1017: Add support for content-range added
Updated by Philippe Antoine 8 months ago
- Related to Feature #4117: http2: byte-range support added
Updated by Philippe Antoine 4 months ago
So, we would like :
- To handle ranges over multiple flows, ie use another container than the flow (the url for instance)- This container can be generic with a key, and a type for the key
- To handle unordered ranges - That means storing an unordered range up until we can do the reassembly
- We need to limit the memory consumption... use a global memcap for these containers ?
- We also need timeouts (the new container shall timeout as flow time out)
Updated by Philippe Antoine 4 months ago
- Status changed from In Progress to In Review