
Bug #4331: libhtp: don't put stream in error state on compression issues

Added by Victor Julien about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal

Description

If we have a response body that takes too long to unpack we may have someone trying to trick us, but it could also be a bit random due to system load (as we experience in QA currently). We shouldn't put the entire stream in an error state, but instead skip the rest of the body in the offending tx. Perhaps it would make sense to count the number of txs in a stream that trigger this and have some threshold for putting the stream in an error state to reduce the effect of truly malicious streams.


Related issues 2 (0 open, 2 closed)

  • Related to Suricata - Task #4257: libhtp 0.5.37 (Closed, Victor Julien)
  • Related to Suricata - Feature #4332: Makes libhtp decompression time limit configurable from Suricata (Closed, Philippe Antoine)
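
A sketch of the policy proposed in the description, as an added example that is not code from libhtp or Suricata: a body that overruns its decompression budget is skipped for that tx only, and the stream goes into an error state only after several txs have done so. The type and function names, the threshold and the microsecond budget are assumptions made for illustration; the elapsed time is supplied by the caller, however it is measured.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical types for illustration; these are not libhtp's structures. */
enum body_state   { BODY_DECOMPRESS, BODY_SKIP };
enum stream_state { STREAM_OK, STREAM_ERROR };

struct stream {
    enum stream_state state;
    unsigned slow_txs;        /* txs on this stream that exceeded the limit */
    unsigned slow_tx_limit;   /* assumed threshold before the stream errors */
    int64_t  time_limit_us;   /* assumed per-body decompression budget */
};

struct tx {
    enum body_state body;
    int64_t spent_us;         /* decompression time charged to this body */
};

/* Charge one decompression call to the tx. Returns true if the caller
 * should keep decompressing this body, false if the remaining body must
 * be skipped (this tx only) or the stream is already in error. */
bool tx_charge_decompress(struct stream *s, struct tx *t, int64_t spent)
{
    if (s->state == STREAM_ERROR || t->body == BODY_SKIP)
        return false;
    t->spent_us += spent;
    if (t->spent_us <= s->time_limit_us)
        return true;
    t->body = BODY_SKIP;                 /* offending tx: skip rest of body */
    if (++s->slow_txs >= s->slow_tx_limit)
        s->state = STREAM_ERROR;         /* repeated offenders: stop trusting the stream */
    return false;
}

/* Constructed scenario: up to n txs in a row that each overrun the budget.
 * Returns how many txs were started before the stream went into error. */
unsigned txs_until_stream_error(struct stream *s, unsigned n)
{
    unsigned started = 0;
    while (started < n && s->state == STREAM_OK) {
        struct tx t = { BODY_DECOMPRESS, 0 };
        started++;
        tx_charge_decompress(s, &t, s->time_limit_us + 1);
    }
    return started;
}
```

A single slow body, for example one caused by system load, costs only that tx its remaining body; later txs on the same stream are still inspected until the counter reaches the threshold.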

#1 Updated by Philippe Antoine about 5 years ago

#2 Updated by Philippe Antoine about 5 years ago

  • Related to Feature #4332: Makes libhtp decompression time limit configurable from Suricata added

#3 Updated by Philippe Antoine about 5 years ago

  • Status changed from Assigned to In Review

#4 Updated by Philippe Antoine about 5 years ago

Related question: should we use getrusage(RUSAGE_THREAD) rather than gettimeofday? (Does it make more sense?)

#5 Updated by Philippe Antoine about 5 years ago

RUSAGE_THREAD seems Linux only...

#6 Updated by Philippe Antoine about 5 years ago

  • Status changed from In Review to Closed