Feature #986

closed

set htp request and response size limits

Added by Victor Julien about 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal

Description

libhtp uses a limit for request and response sizes of 18k. This limit is applied to the request line and the request headers, or response line and response headers. So the bodies are excluded.

If the limit is reached, the parser fails and we set events:

alert http any any -> any any (msg:"SURICATA HTTP request buffer too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response buffer too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)

We need to be able to set this limit per http server config.

Something like:

default-config:
  # request size limit (excluding body)
  request-size-limit: 12kb

  # response size limit (excluding body)
  response-size-limit: 25kb
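
An added example (not part of the original ticket and not Suricata or libhtp code) for choosing such limits: it measures the start line plus headers of a message, excluding the body, and compares the size against the per-server values sketched above. The option names are the ticket's proposed ones; the assumptions are that 1kb is 1024 bytes, that the blank line ending the headers counts toward the size, and that "reached" means size >= limit. The sample messages are constructed.

```python
import re

# Multipliers for size suffixes such as "12kb" (assumption: 1kb = 1024 bytes).
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2}

# Event names taken from the two rules quoted in the ticket.
EVENTS = {"request": "http.request_field_too_long",
          "response": "http.response_field_too_long"}

# Values from the ticket's proposed default-config block.
CONFIG = {"request-size-limit": "12kb", "response-size-limit": "25kb"}

def parse_size(text):
    """Convert a size string like '12kb' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*)\s*", text.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def head_size(message):
    """Bytes in the start line and headers, including the blank line.
    The body is excluded. Unterminated headers count in full."""
    ends = [message.find(s) + len(s)
            for s in (b"\r\n\r\n", b"\n\n") if s in message]
    return min(ends) if ends else len(message)

def check(message, direction, config):
    """Return (size, limit, event); event is None while under the limit."""
    limit = parse_size(config[f"{direction}-size-limit"])
    size = head_size(message)
    event = EVENTS[direction] if size >= limit else None
    return size, limit, event

# Constructed samples: a request with a 13,000-byte cookie value and a
# response with small headers; both carry a 40,000-byte body.
REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Cookie: s=" + b"A" * 13000 + b"\r\n\r\n" + b"B" * 40000)
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 40000\r\n\r\n"
            + b"C" * 40000)

if __name__ == "__main__":
    for name, msg in (("request", REQUEST), ("response", RESPONSE)):
        size, limit, event = check(msg, name, CONFIG)
        print(f"{name}: {size} of {limit} bytes -> {event or 'ok'}")
```

The constructed request stays under the 18k default but crosses the proposed 12kb request limit, while the 40,000-byte bodies never count in either direction.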