Feature #986
set htp request and response size limits
Status: closed
Description
libhtp uses a limit for request and response sizes of 18k. This limit is applied to the request line and the request headers, or response line and response headers. So the bodies are excluded.
If the limit is reached, the parser fails and we set events:
alert http any any -> any any (msg:"SURICATA HTTP request buffer too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response buffer too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)
We need to be able to set this limit per http server config.
Something like:
default-config:
  # request size limit (excluding body)
  request-size-limit: 12kb
  # response size limit (excluding body)
  response-size-limit: 25kb
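The following is an added example, not libhtp or Suricata code: a simplified model of the limit described above, measuring only the start line plus headers and reporting which of the two events from the rules would fire under a given per-server limit. The function names, the 1024-based reading of `k`/`kb`, and the sample traffic are assumptions made for illustration.

```python
import re

# Event names come from the two rules on this page; everything else is illustrative.
EVENTS = {"to_server": "http.request_field_too_long",
          "to_client": "http.response_field_too_long"}
UNITS = {"": 1, "b": 1, "k": 1024, "kb": 1024, "mb": 1024 ** 2}  # assumed 1024-based


def parse_size(text):
    """Turn '12kb', '18k' or '4096' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*)\s*", text.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def head_size(raw):
    """Bytes in the start line plus headers (terminator included), body excluded."""
    ends = [raw.find(sep) + len(sep) for sep in (b"\r\n\r\n", b"\n\n") if sep in raw]
    # No blank line seen yet: everything buffered so far still counts as head.
    return min(ends) if ends else len(raw)


def check(raw, direction, limit="18k"):
    """Return the event the modelled limit would raise, or None if within limit."""
    return EVENTS[direction] if head_size(raw) > parse_size(limit) else None


# Constructed sample traffic (not captured from a real network).
big_cookie = b"GET / HTTP/1.1\r\nHost: a.example\r\nCookie: " + b"c" * 13000 + b"\r\n\r\n"
big_body = b"POST /up HTTP/1.1\r\nHost: a.example\r\n\r\n" + b"B" * 100000
response = b"HTTP/1.1 200 OK\r\nSet-Cookie: " + b"s" * 20000 + b"\r\n\r\nok"

if __name__ == "__main__":
    for name, raw, direction, limit in [
        ("big cookie, default", big_cookie, "to_server", "18k"),
        ("big cookie, 12kb", big_cookie, "to_server", "12kb"),
        ("big body, 12kb", big_body, "to_server", "12kb"),
        ("big response, default", response, "to_client", "18k"),
        ("big response, 25kb", response, "to_client", "25kb"),
    ]:
        print(f"{name:22} head={head_size(raw):6} -> {check(raw, direction, limit)}")
```

The same 13000-byte cookie passes under the default but trips the event once the server's limit is lowered to 12kb, while a 100000-byte body never counts toward either limit.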