Actions
Bug #4331
closedlibhtp: don't put stream in error state on compression issues
Affected Versions:
Effort:
Difficulty:
Label:
Description
If we have a response body that takes too long to unpack we may have someone trying to trick us, but it could also be a bit random due to system load (as we experience in QA currently). We shouldn't put the entire stream in an error state, but instead skip the rest of the body in the offending tx. Perhaps it would make sense to count the number of txs in a stream that trigger this and have some threshold for putting the stream in an error state to reduce the effect of truly malicious streams.
Updated by Philippe Antoine almost 4 years ago
- Related to Task #4257: libhtp 0.5.37 added
Updated by Philippe Antoine almost 4 years ago
- Related to Feature #4332: Makes libhtp decompression time limit configurable from Suricata added
Updated by Philippe Antoine almost 4 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine almost 4 years ago
Related question, should we use getrusage(RUSAGE_THREAD rather than gettimeofday ? (does it make more sense ?)
Updated by Philippe Antoine almost 4 years ago
RUSAGE_THREAD seems linux only...
Updated by Philippe Antoine over 3 years ago
- Status changed from In Review to Closed
Actions