Project

General

Profile

Actions

Bug #4331

closed

libhtp: don't put stream in error state on compression issues

Added by Victor Julien 7 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If we have a response body that takes too long to unpack we may have someone trying to trick us, but it could also be a bit random due to system load (as we experience in QA currently). We shouldn't put the entire stream in an error state, but instead skip the rest of the body in the offending tx. Perhaps it would make sense to count the number of txs in a stream that trigger this and have some threshold for putting the stream in an error state to reduce the effect of truly malicious streams.


Related issues

Related to Task #4257: libhtp 0.5.37ClosedVictor JulienActions
Related to Feature #4332: Makes libhtp decompression time limit configurable from SuricataClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine 7 months ago

Actions #2

Updated by Philippe Antoine 7 months ago

  • Related to Feature #4332: Makes libhtp decompression time limit configurable from Suricata added
Actions #3

Updated by Philippe Antoine 7 months ago

  • Status changed from Assigned to In Review
Actions #4

Updated by Philippe Antoine 7 months ago

Related question, should we use getrusage(RUSAGE_THREAD rather than gettimeofday ? (does it make more sense ?)

Actions #5

Updated by Philippe Antoine 7 months ago

RUSAGE_THREAD seems linux only...

Actions #6

Updated by Philippe Antoine 7 months ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF