AC_CHECK_LIB([htp], [htp_decode_query_inplace],AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Found htp_decode_query_inplace function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_response_decompression_layer_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT],[1],[Found htp_config_set_response_decompression_layer_limit function in libhtp]) ,,[-lhtp])
AC_EGREP_HEADER(htp_config_set_path_decode_u_encoding, htp/htp.h, AC_DEFINE_UNQUOTED([HAVE_HTP_SET_PATH_DECODE_U_ENCODING],[1],[Found usable htp_config_set_path_decode_u_encoding function in libhtp]) )
+ AC_CHECK_LIB([htp], [htp_config_set_lzma_memlimit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT],[1],[Found htp_config_set_lzma_memlimit function in libhtp]) ,,[-lhtp])
])
if test "x$enable_non_bundled_htp" = "xno"; then
AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Assuming htp_decode_query_inplace function in bundled libhtp])
# enable when libhtp has been updated
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT],[1],[Assuming htp_config_set_response_decompression_layer_limit function in bundled libhtp])
+ AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT],[1],[Assuming htp_config_set_lzma_memlimit function in bundled libhtp])
else
echo
echo " ERROR: Libhtp is not bundled. Get libhtp by doing:"
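Review bot: `HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT` is defined unconditionally for the bundled libhtp ("Assuming htp_config_set_lzma_memlimit function in bundled libhtp") while the non-bundled path probes for the symbol with `AC_CHECK_LIB`; if the bundled libhtp in this change does not actually export `htp_config_set_lzma_memlimit` (a submodule or version bump is not visible in this diff), bundled builds will compile the guarded call and fail at link time. Please confirm the libhtp bump lands in the same commit, or make the bundled define conditional on it. The pre-existing comment `# enable when libhtp has been updated` now sits directly above both defines and reads as if it still applies; consider rewording it to `# bundled libhtp provides these; no probe needed` once the bump is confirmed. The enclosing `if test "x$enable_non_bundled_htp" = "xno"` block continues past the end of this hunk.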
alert http any any -> any any (msg:"SURICATA HTTP Invalid Request line"; flow:established,to_server; app-layer-event:http.request_line_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221044; rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP Unexpected Request body"; flow:established,to_server; app-layer-event:http.request_body_unexpected; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221045; rev:1;)
-# next sid 2221046
+alert http any any -> any any (msg:"SURICATA HTTP LZMA reached its memory limit"; flow:established; app-layer-event:http.lzma_memlimit_reached; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221046; rev:1;)
+
+# next sid 2221047
{ "REQUEST_LINE_INCOMPLETE",
HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
+ { "LZMA_MEMLIMIT_REACHED",
+ HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED},
+
/* suricata warnings/errors */
{ "MULTIPART_GENERIC_ERROR",
HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR},
{ "Invalid response line: invalid response status", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS},
{ "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
{ "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
+ { "LZMA decompressor: memory limit reached", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED},
};
#define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
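Review bot: The new `htp_errors` entry maps the literal `"LZMA decompressor: memory limit reached"` to `HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED`; this table appears to be keyed on the exact text libhtp logs, so the `http.lzma_memlimit_reached` event (and the signature that depends on it) will silently stop firing if that wording changes upstream. A short comment tying the string to its origin would help maintainers, e.g. `/* must match the message logged by libhtp's LZMA decompressor when the memlimit is hit */`. I cannot see the matching code from this hunk, so treat the "exact text" assumption as something to verify against the lookup that consumes `htp_errors`.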
htp_config_set_field_limits(cfg_prec->cfg,
(size_t)HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT,
(size_t)limit);
+#ifdef HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT
+ } else if (strcasecmp("lzma-memlimit", p->name) == 0) {
+ uint32_t limit = 0;
+ if (ParseSizeStringU32(p->val, &limit) < 0) {
+ FatalError(SC_ERR_SIZE_PARSE, "failed to parse 'lzma-memlimit' "
+ "from conf file - %s.", p->val);
+ }
+ if (limit == 0) {
+ FatalError(SC_ERR_SIZE_PARSE, "'lzma-memlimit' "
+ "from conf file cannot be 0.");
+ }
+ /* set default soft-limit with our new hard limit */
+ htp_config_set_lzma_memlimit(cfg_prec->cfg,
+ (size_t)limit);
+#endif
} else if (strcasecmp("randomize-inspection-sizes", p->name) == 0) {
if (!g_disable_randomness) {
cfg_prec->randomize = ConfValIsTrue(p->val);
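Review bot: The comment `/* set default soft-limit with our new hard limit */` above the `htp_config_set_lzma_memlimit` call was carried over from the field-limits branch and is wrong here: a single value is passed and no soft limit is involved; replace it with `/* cap the memory the LZMA decompressor may allocate for this config (DoS hardening against decompression bombs) */`, hedging the exact semantics on libhtp's documentation. More importantly, because the whole `lzma-memlimit` branch is wrapped in `#ifdef HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT`, a build against a libhtp without that function lets a configured `lzma-memlimit` fall through to the trailing branch of this chain (outside the hunk), so an operator who set the limit as a resource-exhaustion safeguard gets at most a generic unknown-parameter message and no indication the limit is not enforced. Consider an `#else` arm that still matches the key — `} else if (strcasecmp("lzma-memlimit", p->name) == 0) {` — and logs a clear warning that the limit is unsupported by the libhtp in use, or fails hard as the two parse errors above do. The enclosing function starts and ends outside this hunk.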
HTTP_DECODER_EVENT_REQUEST_LINE_INVALID,
HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED,
+ HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED,
+
/* suricata errors/warnings */
HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
HTTP_DECODER_EVENT_MULTIPART_NO_FILEDATA,