Bug #3345

closed

App-Layer: Not all parsers register TX detect flags that should

Added by Jason Ish about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Label: Needs backport

Description

User reported slowdown in the DHCP parser. It turns out that the DHCP parser did not register tx detect flag callbacks, resulting in the transactions on a flow never being freed. This is particularly noticeable on DHCP due to the 0.0.0.0->255.255.255.255 address pair that is used for many DHCP requests.

First fixed as an app-layer fixup to handle parsers without tx detect flags, such as DHCP that don't need them as they don't register any detection engines.

The second fix was to throw a fatal error if a detect engine is registered for an app-layer proto without tx detect flags. This should never happen in production, it's more of a check during development.

Finally, protocols that were missing tx detect flags that needed them were fixed up to use them.
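
The mechanism described in this ticket, as an added C model that is not Suricata's code: every type, field and function name below is hypothetical, and the flow and transaction handling is reduced to the minimum needed to show why transactions pile up on one long-lived flow and how the first two fixes change that.

```c
/* Simplified model of the bug; not Suricata source. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_TX 256

typedef struct { bool in_use, parser_done, detect_done; } Tx;
typedef struct { Tx tx[MAX_TX]; size_t live; } Flow;
typedef struct {
    bool has_detect_flag_cbs; /* parser registered tx detect flag callbacks */
    bool has_detect_engine;   /* a detection engine inspects this protocol */
} Parser;

/* Second fix: refuse a detect engine on a protocol without detect flags. */
static int register_detect_engine(Parser *p) {
    if (!p->has_detect_flag_cbs) return -1; /* the ticket makes this a fatal error */
    p->has_detect_engine = true;
    return 0;
}

/* Free completed transactions. Without the fixup, a parser that has no
 * detect flag callbacks never reports "inspected", so nothing is freed. */
static size_t cleanup(Flow *f, const Parser *p, bool fixup) {
    size_t freed = 0;
    for (size_t i = 0; i < MAX_TX; i++) {
        Tx *t = &f->tx[i];
        if (!t->in_use || !t->parser_done) continue;
        bool inspected = p->has_detect_flag_cbs ? t->detect_done : fixup;
        if (!inspected) continue;
        t->in_use = false; f->live--; freed++;
    }
    return freed;
}

/* Feed n completed transactions into one long-lived flow (the shared
 * 0.0.0.0->255.255.255.255 case) and return how many are still held. */
static size_t live_after(size_t n, const Parser *p, bool fixup) {
    Flow f = {0};
    for (size_t k = 0; k < n && f.live < MAX_TX; k++) {
        for (size_t i = 0; i < MAX_TX; i++)
            if (!f.tx[i].in_use) { f.tx[i] = (Tx){ true, true, false }; f.live++; break; }
        cleanup(&f, p, fixup);
    }
    return f.live;
}

int main(void) {
    Parser dhcp = { false, false }; /* constructed: no callbacks, no detect engine */
    printf("before fix: %zu live, after fix: %zu live\n",
           live_after(200, &dhcp, false), live_after(200, &dhcp, true));
    return register_detect_engine(&dhcp) == -1 ? 0 : 1;
}
```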


Related issues 1 (0 open, 1 closed)

Copied to Suricata - Bug #3356: DHCP: Slow down over time due to lack of detect flags (4.1.x) - Closed - Victor Julien