From: Philippe Antoine Date: Thu, 13 Jan 2022 15:05:46 +0000 (+0100) Subject: doc: suricata.yaml fields about maximum transactions X-Git-Tag: suricata-7.0.0-beta1~946 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11d3af551bf64c0a85d2c69e2416a7712d5b3cbb;p=thirdparty%2Fsuricata.git doc: suricata.yaml fields about maximum transactions For HTTP2, MQTT and FTP. --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 8f744e4dfd..8cb069d2d7 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst 
@@ -1375,6 +1375,36 @@ independent. The ``probing parsers`` will only run on the ``detection-ports``. SMB is commonly used to transfer the DCERPC protocol. This traffic is also handled by this parser. +Configure HTTP2 +~~~~~~~~~~~~~~~ + +HTTP2 has 2 parameters that can be customized. +The point of these 2 parameters is to find a balance between the completeness +of analysis and the resource consumption. + +`http2.max-table-size` refers to `SETTINGS_HEADER_TABLE_SIZE` from rfc 7540 section 6.5.2. +Its default value is 4096 bytes, but it can be set to any uint32 by a flow. + +`http2.max-streams` refers to `SETTINGS_MAX_CONCURRENT_STREAMS` from rfc 7540 section 6.5.2. +Its default value is unlimited. + +Configure MQTT +~~~~~~~~~~~~~~ + +MQTT has one parameter that can be customized. +`mqtt.max-tx` refers to the maximum number of live transactions for each flow. +The app-layer event `mqtt.too_many_transactions` is triggered when this value is reached. +The point of this parameter is to find a balance between the completeness of analysis +and the resource consumption. + +Configure FTP +~~~~~~~~~~~~~ + +FTP has one parameter that can be customized. +`ftp.max-tx` refers to the maximum number of live transactions for each flow. +The point of this parameter is to find a balance between the completeness of analysis +and the resource consumption. + Engine Logging --------------
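Review bot: In the new "Configure HTTP2" section, the sentences "Its default value is 4096 bytes, but it can be set to any uint32 by a flow" and "Its default value is unlimited" leave it unclear whether "its" means the Suricata option (`http2.max-table-size`, `http2.max-streams`) or the RFC 7540 setting the peer advertises, so a reader cannot tell what the shipped default of the option is. Please state the default of each option explicitly and say what the engine does when a flow goes past the configured value. The MQTT section names the `mqtt.too_many_transactions` event for that case, while the HTTP2 and FTP sections name no event or behaviour at all. If an event is raised there, name it. If not, say that the limit is enforced silently, because that affects how someone writes rules or tunes these limits against resource exhaustion. It would also help to give the default for `mqtt.max-tx` and `ftp.max-tx`, which the text omits. On markup, the option and setting names use single backticks, which reStructuredText treats as interpreted text rather than an inline literal. The context line just above the hunk uses double backticks (``probing parsers``, ``detection-ports``), so the new names should follow that. "rfc 7540" should be written "RFC 7540".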