Feature #986

closed

set htp request and response size limits

Added by Victor Julien over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal

Description

libhtp uses a limit for request and response sizes of 18k. This limit is applied to the request line and the request headers, or response line and response headers. So the bodies are excluded.

If the limit is reached, the parser fails and we set events:

alert http any any -> any any (msg:"SURICATA HTTP request buffer too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response buffer too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)

We need to be able to set this limit per http server config.

Something like:

default-config:
  # request size limit (excluding body)
  request-size-limit: 12kb

  # response size limit (excluding body)
  response-size-limit: 25kb
Actions #1

Updated by Victor Julien over 10 years ago

  • Assignee set to OISF Dev
  • Target version changed from 2.0rc2 to 2.0beta2
Actions #2

Updated by Victor Julien over 10 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #3

Updated by Victor Julien over 10 years ago

It looks like libhtp will not allow us to specify this limit separately for requests and responses. Using a single limit. If there is ever a need to have separate limits, we can work with libhtp upstream to support that.

Actions #4

Updated by Victor Julien over 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
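
Added example, not part of the original ticket and not Suricata or libhtp code: a small Python check for estimating which messages would trip the two events quoted in the description under a candidate single limit (as settled on in note #3). It assumes the limit is compared against the combined bytes of the start line plus headers, as the description words it, and that "kb" means 1024 bytes; the function names and sample messages are constructed for illustration.

```python
import re

# Event names are taken from the two rules quoted in the issue description.
EVENTS = {"request": "http.request_field_too_long",
          "response": "http.response_field_too_long"}
UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2}  # assumption: 1kb = 1024 bytes


def parse_size(value):
    """Turn a size such as '12kb' or '18432' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*)\s*", value.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def meta_size(message):
    """Bytes in the start line plus headers; the body is never counted."""
    end = re.search(rb"\r?\n\r?\n", message)
    # No blank line yet means the headers are still arriving: count everything.
    return end.start() if end else len(message)


def check(message, limit):
    """Return the event name that would fire, or None if under the limit."""
    direction = "response" if message.startswith(b"HTTP/") else "request"
    return EVENTS[direction] if meta_size(message) > parse_size(limit) else None


# Constructed samples: oversized headers in each direction, and a response
# with a small header block but a large body.
BIG_REQ_HEADERS = (b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: "
                   + b"a" * 13000 + b"\r\n\r\n")
BIG_RESP_HEADERS = b"HTTP/1.1 200 OK\r\nSet-Cookie: " + b"b" * 20000 + b"\r\n\r\n"
BIG_BODY = b"HTTP/1.1 200 OK\r\nContent-Length: 50000\r\n\r\n" + b"x" * 50000

if __name__ == "__main__":
    samples = {"big request headers": BIG_REQ_HEADERS,
               "big response headers": BIG_RESP_HEADERS,
               "big response body": BIG_BODY}
    for name, msg in samples.items():
        for limit in ("12kb", "18kb", "25kb"):
            print(f"{name:22} {meta_size(msg):6}B limit={limit:5} -> {check(msg, limit)}")
```
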