Project

General

Profile

Actions
Copy link

Bug #7903

open

App layer protocols do not support new kibi-byte units in memcap (e.g. "64 MiB")

Added by Christian Prähauser 2 days ago. Updated 2 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
8.0.0
Effort:
Difficulty:
Label:

Description

App layer protocols do not support new kibi-byte units in memcap.

Examples are "app-layer.protocols.ftp.memcap" and "app-layer.protocols.mqtt.max-msg-length".
Un-commenting the default value leads to error (see below).

ftp:
      enabled: yes
      memcap: 64 MiB

Leads to <Error> -- Invalid value for websocket.max-payload-size

Same for "mqtt.max-msg-length":

mqtt:
      enabled: yes
      max-msg-length: 1 MiB

Leads to <Error> -- Invalid value for mqtt.max-msg-length: 1 MiB

I think this is because the Rust get_memunit() function does not know the new suffixes.
See https://github.com/OISF/suricata/blob/e62eb004599ec500aeacfa7150b0dbca19f0a0fb/rust/src/conf.rs#L183

Actions
Copy link
 #1

Updated by Christian Prähauser 2 days ago

Further, "app-layer.protocols.websocket.max-payload-size" does not support mem size units at all despite mentioning it in the config template:

   websocket:
      #enabled: yes
      # Maximum used payload size, the rest is skipped
      # Also applies as a maximum for uncompressed data
      # max-payload-size: 64 KiB

Un-commenting "max-payload-size" leads to Invalid value for websocket.max-payload-size.

Actions
Copy link

Also available in: Atom PDF