will be 10000 flows prepared.
In IPS mode, a memcap-policy exception policy can be set, telling Suricata
-what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'.
+what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'reject',
+'ignore'.
::
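Review bot: the list now names 'reject' but nothing in this hunk says what it does differently from 'drop-flow', for instance what is sent back and to which side. Since the ExceptionPolicyApply change marks the packet with ACTION_REJECT and then falls through into the drop-flow handling, one sentence after the list such as "'reject' behaves like 'drop-flow' but additionally sends a reject response for the triggering packet" would let an operator choose between the two.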
The stream-engine has two memcaps that can be set. One for the
stream-tracking-engine and one for the reassembly-engine. For both cases,
in IPS mode, an exception policy (memcap-policy) can be set, telling Suricata
-what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'.
+what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'reject',
+'ignore'.
The stream-tracking-engine keeps information of the flow in
memory. Information about the state, TCP-sequence-numbers and the TCP
be able to reconstruct a stream. To avoid resource starvation a memcap
is used to limit the memory used. In IPS mode, an exception policy
(memcap-policy) can be set, telling Suricata what to do in case memcap
-is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'.
+is hit: 'drop-flow', 'pass-flow', 'bypass', 'reject', 'ignore'.
Reassembling a stream is an expensive operation. With the option depth
you can control how far into a stream reassembly is done. By default
A in IPS mode, a global exception policy accessed via the ``error-policy``
setting can be defined to indicate what the engine should do in case if
encounters an app-layer error. Possible values are "drop-flow", "pass-flow",
-"bypass", "drop-packet", "pass-packet" or "ignore" (which will mean keeping
-the default behavior).
+"bypass", "drop-packet", "pass-packet", "reject" or "ignore" (which will mean
+keeping the default behavior).
Each supported protocol will have a dedicated subsection under ``protocols``.
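Review bot: the app-layer error-policy distinguishes packet-level values ("drop-packet", "pass-packet") from flow-level ones ("drop-flow", "pass-flow"), yet "reject" is inserted into the list without saying which granularity it has. Given that the C hunk falls through from EXCEPTION_POLICY_REJECT into EXCEPTION_POLICY_DROP_FLOW, please document it as flow-level ("reject the packet and drop the flow") so readers do not assume a reject-packet-but-keep-flow behaviour.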
switch (policy) {
case EXCEPTION_POLICY_IGNORE:
break;
+ case EXCEPTION_POLICY_REJECT:
+ SCLogDebug("EXCEPTION_POLICY_REJECT");
+ PacketDrop(p, ACTION_REJECT, drop_reason);
+ /* fall through */
case EXCEPTION_POLICY_DROP_FLOW:
SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
if (p->flow) {
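Review bot: the fall-through from EXCEPTION_POLICY_REJECT into EXCEPTION_POLICY_DROP_FLOW is marked, but PacketDrop(p, ACTION_REJECT, drop_reason) runs before whatever the drop-flow branch does to the same packet; please confirm that the drop-flow path does not re-mark the packet with a plain drop action (which would lose the reject) and does not account the packet twice in the drop counters. Replacing the bare `/* fall through */` with `/* reject this packet, then fall through to drop the flow */` would make the intended semantics explicit to the next reader.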
} else if (strcmp(value_str, "pass-packet") == 0) {
policy = EXCEPTION_POLICY_PASS_PACKET;
SCLogConfig("%s: %s", option, value_str);
+ } else if (strcmp(value_str, "reject") == 0) {
+ policy = EXCEPTION_POLICY_REJECT;
+ SCLogConfig("%s: %s", option, value_str);
} else if (strcmp(value_str, "ignore") == 0) { // TODO name?
policy = EXCEPTION_POLICY_IGNORE;
SCLogConfig("%s: %s", option, value_str);
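Review bot: the documentation hunks above state these policies apply in IPS mode, but this branch accepts "reject" with no check of the engine mode, exactly like the other values. If reject cannot take effect outside IPS mode, consider emitting a warning at config time when it is selected in IDS mode so the misconfiguration shows up in the log instead of silently behaving like a different policy.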
EXCEPTION_POLICY_BYPASS_FLOW,
EXCEPTION_POLICY_DROP_PACKET,
EXCEPTION_POLICY_DROP_FLOW,
+ EXCEPTION_POLICY_REJECT,
};
void ExceptionPolicyApply(
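Review bot: EXCEPTION_POLICY_REJECT is appended as the last enumerator; any table that maps these enum values to their names (for config or stats logging) or any code that treats EXCEPTION_POLICY_DROP_FLOW as the highest value needs a matching entry, otherwise the new value indexes past the end. Worth grepping for such uses before merge.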
# Configure the app-layer parsers.
#
# The error-policy setting applies to all app-layer parsers. Values can be
-# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet" or "ignore"
-# (the default).
+# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or
+# "ignore" (the default).
#
# The protocol's section details each protocol.
#
# Defrag settings:
# The memcap-policy value can be "drop-flow", "pass-flow", "bypass",
-# "drop-packet", "pass-packet" or "ignore" (which is the default).
+# "drop-packet", "pass-packet", "reject" or "ignore" (which is the default).
defrag:
memcap: 32mb
# memcap-policy: ignore
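Review bot: "reject" is added to the defrag memcap-policy list, but a defrag memcap hit occurs while a datagram is still being reassembled, so the packet in hand may be a non-first fragment with no transport header to build a reject response from. Please state in this comment (or the docs) what reject does in that case, or whether it degrades to drop-packet/drop-flow.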
# The memcap can be specified in kb, mb, gb. Just a number indicates it's
# in bytes.
# The memcap-policy can be "drop-flow", "pass-flow", "bypass", "drop-packet",
-# "pass-packet" or "ignore" (which is the default).
+# "pass-packet", "reject" or "ignore" (which is the default).
flow:
memcap: 128mb
# memcap: 64mb # Can be specified in kb, mb, gb. Just a
# # number indicates it's in bytes.
# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet" or "ignore"
-# # default is "ignore"
+# # "drop-packet", "pass-packet", "reject" or
+# # "ignore" default is "ignore"
# checksum-validation: yes # To validate the checksum of received
# # packet. If csum validation is specified as
# # "yes", then packets with invalid csum values will not
# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
# midstream: false # don't allow midstream session pickups
# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet" or "ignore"
-# # default is "ignore"
+# # "drop-packet", "pass-packet", "reject" or
+# # "ignore" default is "ignore"
# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
# memcap: 256mb # Can be specified in kb, mb, gb. Just a number
# # indicates it's in bytes.
# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet" or "ignore"
-# # default is "ignore"
+# # "drop-packet", "pass-packet", "reject" or
+# # "ignore" default is "ignore"
# depth: 1mb # Can be specified in kb, mb, gb. Just a number
# # indicates it's in bytes.
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least