http: use body limit in inspection
authorVictor Julien <victor@inliniac.net>
Tue, 26 Nov 2013 13:05:53 +0000 (14:05 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 26 Nov 2013 13:05:53 +0000 (14:05 +0100)
When inspecting HTTP bodies there are several limits involved.
With this patch, reaching the body limit triggers body
inspection.

Without this, the body would only be inspected when inspection
limits "request-body-minimal-inspect-size" or
"response-body-minimal-inspect-size" were reached. If the body
limit was smaller than this value, the body would only be
inspected at the end of the tx or stream.

src/detect-engine-hcbd.c
src/detect-engine-hsbd.c

index 0f49d2e6bf83dbcd7ccfccb6b783f3a6593ef01b..19d6652065ccdf3fe0fe997e3341f6834f142cb8 100644 (file)
@@ -144,7 +144,9 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 
     /* inspect the body if the transfer is complete or we have hit
      * our body size limit */
-    if (htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
+    if ((htp_state->cfg->request_body_limit == 0 ||
+         htud->request_body.content_len_so_far < htp_state->cfg->request_body_limit) &&
+        htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
         !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_BODY) &&
         !(flags & STREAM_EOF)) {
         SCLogDebug("we still haven't seen the entire request body.  "
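Review bot: The comment directly above the rewritten condition still says "our body size limit", but the test now weighs two separate thresholds, `request_body_limit` (where 0 apparently means no limit) and `request_inspect_min_size`, and a reader cannot tell which one is meant. I would reword it to `/* inspect the body if the transfer is complete, the configured body limit (0 = unlimited) was hit, or the minimal inspect size was reached */`; the response-side hunk in DetectEngineHSBDGetBufferForTX carries the same comment and wants the same rewording. The hunks also show no test for the case the commit message describes, a body limit smaller than the minimal inspect size, so a regression test with that configuration would pin that such bodies are inspected before the end of the tx rather than deferred. DetectEngineHCBDGetBufferForTX starts and ends outside the hunk.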
index 86283e0408f82f9b30eb22fdbfca9b6845d220a0..0a92848c38bb1de805bb5ba1b57352a391d928f4 100644 (file)
@@ -141,9 +141,19 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
         goto end;
     }
 
+    SCLogDebug("response_body_limit %u response_body.content_len_so_far %"PRIu64
+               ", response_inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
+              htp_state->cfg->response_body_limit,
+              htud->response_body.content_len_so_far,
+              htp_state->cfg->response_inspect_min_size,
+              flags & STREAM_EOF ? "true" : "false",
+              (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) ? "true" : "false");
+
     /* inspect the body if the transfer is complete or we have hit
      * our body size limit */
-    if (htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
+    if ((htp_state->cfg->response_body_limit == 0 ||
+         htud->response_body.content_len_so_far < htp_state->cfg->response_body_limit) &&
+        htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
         !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) &&
         !(flags & STREAM_EOF)) {
         SCLogDebug("we still haven't seen the entire response body.  "
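Review bot: The added SCLogDebug call prints `response_body_limit` with `%u` while the neighbouring `response_inspect_min_size` uses `PRIu32`; the field's declaration is not visible here, but if it is a `uint32_t` like its neighbour the specifier should match, `"response_body_limit %"PRIu32" response_body.content_len_so_far %"PRIu64`. The argument lines are also indented one column short of the format string, and the flag test would read more clearly parenthesised inside the ternary, `(flags & STREAM_EOF) ? "true" : "false"`. The request-side hunk in DetectEngineHCBDGetBufferForTX gets no equivalent debug line, so the two paths now log differently for the same decision. DetectEngineHSBDGetBufferForTX starts and ends outside the hunk.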