Bug #3345
Closed
App-Layer: Not all parsers register TX detect flags that should
Description
User reported slowdown in the DHCP parser. It turns out that the DHCP parser did not register tx detect flag callbacks, resulting in the transactions on a flow never being freed. This is particularly noticeable on DHCP due to the 0.0.0.0->255.255.255.255 address pair that is used for many DHCP requests.
First fixed as an app-layer fixup to handle parsers without tx detect flags, such as DHCP, that don't need them as they don't register any detection engines.
The second fix was to throw a fatal error if a detect engine is registered for an app-layer proto without tx detect flags. This should never happen in production; it's more of a check during development.
Finally, protocols that were missing tx detect flags that needed them were fixed up to use them.
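A minimal C model of the behaviour described above, added here as an illustration and not taken from Suricata's code. The names `Parser`, `tx_cleanup`, `TX_INSPECTED` and `registration_valid` are hypothetical, and the model assumes cleanup frees a transaction only once its detect flags mark inspection as finished.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TX_INSPECTED (1ULL << 63) /* hypothetical "detection finished" bit */

typedef struct { uint64_t detect_flags; bool done, freed; } Tx;

/* Hypothetical parser registration record, not Suricata's real structure. */
typedef struct {
    uint64_t (*get_detect_flags)(const Tx *); /* NULL: never registered */
    bool has_detect_engine;                   /* rules inspect this protocol */
} Parser;

static uint64_t tx_flags(const Tx *tx) { return tx->detect_flags; }

/* Second fix: a detect engine without tx detect flags is a fatal setup error. */
static bool registration_valid(const Parser *p) {
    return !(p->has_detect_engine && p->get_detect_flags == NULL);
}

/* Frees finished transactions and returns how many stay on the flow.
 * fixup=false models the pre-fix cleanup, fixup=true the first fix. */
static size_t tx_cleanup(const Parser *p, Tx *txs, size_t n, bool fixup) {
    size_t remaining = 0;
    for (size_t i = 0; i < n; i++) {
        bool inspected = p->get_detect_flags
            ? (p->get_detect_flags(&txs[i]) & TX_INSPECTED) != 0
            : fixup; /* no callback: pre-fix code never saw "inspected" */
        if (txs[i].done && inspected) txs[i].freed = true;
        if (!txs[i].freed) remaining++;
    }
    return remaining;
}

/* Constructed scenario: n (at most 64) finished txs on one long-lived flow. */
static size_t leaked(const Parser *p, size_t n, bool fixup) {
    Tx txs[64] = {0};
    for (size_t i = 0; i < n && i < 64; i++) txs[i].done = true;
    return tx_cleanup(p, txs, n < 64 ? n : 64, fixup);
}

int main(void) {
    Parser dhcp = { NULL, false }, ok = { tx_flags, true };
    printf("dhcp pre-fix: %zu, with fixup: %zu\n",
           leaked(&dhcp, 64, false), leaked(&dhcp, 64, true));
    printf("valid: %d\n", registration_valid(&ok));
    return 0;
}
```

A flow that is shared by many requests, as with the 0.0.0.0->255.255.255.255 pair, keeps accumulating entries in the pre-fix case, which is why the slowdown grows over time.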
Updated by Victor Julien about 5 years ago
We should also review if any other parser has the same issue. Perhaps the API should enforce it.
Updated by Victor Julien about 5 years ago
- Target version set to 5.0.1
- Label Needs backport added
Updated by Jason Ish about 5 years ago
Victor Julien wrote:
We should also review if any other parser has the same issue. Perhaps the API should enforce it.
Looks like most of the Rust ones (but not all).
Is there any parser where it would make sense to not have these callbacks set?
Updated by Jason Ish about 5 years ago
- Copied to Bug #3356: DHCP: Slow down over time due to lack of detect flags (4.1.x) added
Updated by Jason Ish about 5 years ago
- Status changed from Assigned to Closed
Merged. More of a general TX detect flags fix than a DHCP fix.
Pull request: https://github.com/OISF/suricata/pull/4405
See commits starting at: 739df21e2d87fe195a09334f66409f458711f3f8
Updated by Jason Ish about 5 years ago
- Subject changed from DHCP: Slow down over time due to lack of detect flags. to App-Layer: Not all parsers register TX detect flags that should
- Description updated (diff)