AC_CHECK_LIB([htp], [htp_config_set_lzma_memlimit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT],[1],[Found htp_config_set_lzma_memlimit function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_lzma_layers],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_LAYERS],[1],[Found htp_config_set_lzma_layers function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_compression_bomb_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_BOMB_LIMIT],[1],[Found htp_config_set_compression_bomb_limit function in libhtp]) ,,[-lhtp])
+ AC_CHECK_LIB([htp], [htp_config_set_compression_time_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT],[1],[Found htp_config_set_compression_time_limit function in libhtp]) ,,[-lhtp])
])
if test "x$enable_non_bundled_htp" = "xno"; then
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT],[1],[Assuming htp_config_set_lzma_memlimit function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_LAYERS],[1],[Assuming htp_config_set_lzma_layers function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_BOMB_LIMIT],[1],[Assuming htp_config_set_compression_bomb_limit function in bundled libhtp])
+ AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT],[1],[Assuming htp_config_set_compression_time_limit function in bundled libhtp])
else
echo
echo " ERROR: Libhtp is not bundled. Get libhtp by doing:"
# Maximum decompressed size with a compression ratio
# above 2048 (only reachable by LZMA)
#compression-bomb-limit: 1 Mb
+ # Maximum time spent decompressing a single transaction in usec
+ #decompression-time-limit: 100000
Other parameters are customizable from Suricata.
::
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
+# double-decode-path: Double decode path section of the URI
+# double-decode-query: Double decode query section of the URI
+
+decompression-time-limit
+------------------------
+
+decompression-time-limit was implemented to avoid DOS by resource exhaustion
+on inputs such as decompression bombs (found by fuzzing).
+The lower the limit, the better the protection against DOS is, but this
+may also lead to false positives.
+In case the time limit is reached,
+the app-layer event ``http.compression_bomb`` is set
+(this event can also set from other conditions).
+This can happen on slow configurations (hardware, ASAN, etc...)
Configure SMB (Rust)
~~~~~~~~~~~~~~~~~~~~
#ifdef HAVE_HTP_CONFIG_SET_COMPRESSION_BOMB_LIMIT
htp_config_set_compression_bomb_limit(cfg_prec->cfg,
HTP_CONFIG_DEFAULT_COMPRESSION_BOMB_LIMIT);
+#endif
+#ifdef HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT
+ htp_config_set_compression_time_limit(cfg_prec->cfg, HTP_CONFIG_DEFAULT_COMPRESSION_TIME_LIMIT);
#endif
/* libhtp <= 0.5.9 doesn't use soft limit, but it's impossible to set
* only the hard limit. So we set both here to the (current) htp defaults.
/* set default soft-limit with our new hard limit */
SCLogConfig("Setting HTTP compression bomb limit to %"PRIu32" bytes", limit);
htp_config_set_compression_bomb_limit(cfg_prec->cfg, (size_t)limit);
+#endif
+#ifdef HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT
+ } else if (strcasecmp("decompression-time-limit", p->name) == 0) {
+ uint32_t limit = 0;
+ // between 1 usec and 1 second
+ if (StringParseU32RangeCheck(&limit, 10, 0, p->val, 1, 1000000) < 0) {
+ FatalError(SC_ERR_SIZE_PARSE,
+ "failed to parse 'decompression-time-limit' "
+ "from conf file - %s.",
+ p->val);
+ }
+ SCLogConfig("Setting HTTP decompression time limit to %" PRIu32 " usec", limit);
+ htp_config_set_compression_time_limit(cfg_prec->cfg, (size_t)limit);
#endif
} else if (strcasecmp("randomize-inspection-sizes", p->name) == 0) {
if (!g_disable_randomness) {
/* default libhtp lzma limit, taken from libhtp. */
#define HTP_CONFIG_DEFAULT_LZMA_MEMLIMIT 1048576U
#define HTP_CONFIG_DEFAULT_COMPRESSION_BOMB_LIMIT 1048576U
+// 100000 usec is 0.1 sec
+#define HTP_CONFIG_DEFAULT_COMPRESSION_TIME_LIMIT 100000
#define HTP_CONFIG_DEFAULT_RANDOMIZE 1
#define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10
# Maximum decompressed size with a compression ratio
# above 2048 (only LZMA can reach this ratio, deflate cannot)
#compression-bomb-limit: 1mb
+ # Maximum time spent decompressing a single transaction in usec
+ #decompression-time-limit: 100000
server-config:
projects / thirdparty / suricata.git / commitdiff
