Project

General

Profile

Bug #4331

libhtp: don't put stream in error state on compression issues

Added by Victor Julien 6 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If we have a response body that takes too long to unpack we may have someone trying to trick us, but it could also be a bit random due to system load (as we experience in QA currently). We shouldn't put the entire stream in an error state, but instead skip the rest of the body in the offending tx. Perhaps it would make sense to count the number of txs in a stream that trigger this and have some threshold for putting the stream in an error state to reduce the effect of truly malicious streams.


Related issues

Related to Task #4257: libhtp 0.5.37ClosedVictor JulienActions
Related to Feature #4332: Makes libhtp decompression time limit configurable from SuricataClosedPhilippe AntoineActions
#1

Updated by Philippe Antoine 6 months ago

#2

Updated by Philippe Antoine 6 months ago

  • Related to Feature #4332: Makes libhtp decompression time limit configurable from Suricata added
#3

Updated by Philippe Antoine 6 months ago

  • Status changed from Assigned to In Review
#4

Updated by Philippe Antoine 6 months ago

Related question, should we use getrusage(RUSAGE_THREAD rather than gettimeofday ? (does it make more sense ?)

#5

Updated by Philippe Antoine 6 months ago

RUSAGE_THREAD seems linux only...

#6

Updated by Philippe Antoine 5 months ago

  • Status changed from In Review to Closed

Also available in: Atom PDF