Feature #986
Closed
set htp request and response size limits
Description
libhtp uses a limit for request and response sizes of 18k. This limit is applied to the request line and the request headers, or response line and response headers. So the bodies are excluded.
If the limit is reached, the parser fails and we set events:
alert http any any -> any any (msg:"SURICATA HTTP request buffer too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response buffer too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)
We need to be able to set this limit per http server config.
Something like:
default-config:
  # request size limit (excluding body)
  request-size-limit: 12kb
  # response size limit (excluding body)
  response-size-limit: 25kb
Updated by Victor Julien about 11 years ago
- Assignee set to OISF Dev
- Target version changed from 2.0rc2 to 2.0beta2
Updated by Victor Julien about 11 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien about 11 years ago
It looks like libhtp will not allow us to specify this limit separately for requests and responses. Using a single limit. If there would ever be a need to have separate limits, we can work with libhtp upstream to support that.
Updated by Victor Julien about 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
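Because the parser fails once the limit is reached, it helps to know which senders trip the two rules from the description before tuning the limit. The following is an added example, not code from this issue or from the Suricata project: it tallies alerts for sid 2221018 and 2221019 from EVE JSON alert output, assuming the standard `event_type`, `src_ip`, `flow_id` and `alert.signature_id` fields and that `src_ip` is the side whose message hit the limit. The sample lines are constructed.

```python
import json
from collections import Counter

# SIDs of the two rules quoted in the issue description.
SID_DIRECTION = {2221018: "request", 2221019: "response"}

# Constructed sample EVE lines (not real traffic); documentation address ranges.
SAMPLE_EVE = """\
{"event_type":"alert","flow_id":101,"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":2221018}}
{"event_type":"alert","flow_id":102,"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":2221018}}
{"event_type":"alert","flow_id":103,"src_ip":"198.51.100.5","dest_ip":"192.0.2.77","alert":{"signature_id":2221019}}
{"event_type":"http","flow_id":104,"src_ip":"192.0.2.20","dest_ip":"198.51.100.5"}
{"event_type":"alert","flow_id":105,"src_ip":"192.0.2.30","dest_ip":"198.51.100.5","alert":{"signature_id":2100498}}
not json at all
"""


def summarize(lines):
    """Count oversized line/header alerts per (direction, sender) and collect the affected flows."""
    counts = Counter()
    flows = set()
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt log line
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        direction = SID_DIRECTION.get(ev.get("alert", {}).get("signature_id"))
        if direction is None:
            continue  # some other rule
        counts[(direction, ev.get("src_ip", "?"))] += 1
        flows.add(ev.get("flow_id"))
    return counts, flows, skipped


if __name__ == "__main__":
    counts, flows, skipped = summarize(SAMPLE_EVE.splitlines())
    for (direction, sender), n in counts.most_common():
        print(f"{direction:8} {sender:15} {n}")
    print(f"{len(flows)} flows with failed HTTP parsing, {skipped} unparsable lines")
```
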