From: Mike Stepanek (mstepane) Date: Thu, 24 Jul 2025 18:30:49 +0000 (+0000) Subject: Pull request #4815: http_inspect: add peg count for when published body has hit the... X-Git-Tag: 3.9.3.0~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fb3b2db84411bc52c7bdc6691dc4660ff9799ba;p=thirdparty%2Fsnort3.git Pull request #4815: http_inspect: add peg count for when published body has hit the requested max size Merge in SNORT/snort3 from ~MSTEPANE/snort3:peg_client_body_depth to master Squashed commit of the following: commit 1ae5a159d08006a673e388e84b00c9773d0373df Author: mstepane Date: Mon Jul 14 10:39:16 2025 -0400 http_inspect: add peg count for when published body has hit the requested max size --- diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h index fbac0fa09..cae6c4643 100755 --- a/src/service_inspectors/http_inspect/http_enum.h +++ b/src/service_inspectors/http_inspect/http_enum.h @@ -69,7 +69,7 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY, PEG_PIPELINED_FLOWS, PEG_PIPELINED_REQUESTS, PEG_TOTAL_BYTES, PEG_JS_INLINE, PEG_JS_EXTERNAL, PEG_JS_PDF, PEG_SKIP_MIME_ATTACH, PEG_COMPRESSED_GZIP, PEG_COMPRESSED_NOT_SUPPORTED, - PEG_COMPRESSED_UNKNOWN, PEG_COUNT_MAX}; + PEG_COMPRESSED_UNKNOWN, PEG_MAX_PUBLISH_DEPTH_HITS, PEG_COUNT_MAX}; // Result of scanning by splitter enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE, diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 593350609..79c976ef8 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc 
@@ -28,6 +28,7 @@ #include "file_api/file_service.h" #include "hash/hash_key_operations.h" #include "helpers/buffer_data.h" +#include "http_module.h" #include "js_norm/js_enum.h" #include "pub_sub/http_request_body_event.h" #include "pub_sub/http_body_event.h" @@ -213,6 +214,23 @@ void HttpMsgBody::analyze() publish_length = (pub_depth_remaining > msg_text_new.length()) ? msg_text_new.length() : pub_depth_remaining; pub_depth_remaining -= publish_length; + + // If we're about to hit the max requested publish depth (as requested + // by responding to an "HTTP publish length" event), then increment the + // max-publish-depth peg count. + if (pub_depth_remaining == 0) + { + const bool is_request = (source_id == SRC_CLIENT); + int32_t should_publish_body = 0; + if (is_request) + flow->get_attr(STASH_PUBLISH_REQUEST_BODY, should_publish_body); + else + flow->get_attr(STASH_PUBLISH_RESPONSE_BODY, should_publish_body); + if (should_publish_body) + { + HttpModule::increment_peg_counts(PEG_MAX_PUBLISH_DEPTH_HITS); + } + } } if (session_data->mime_state[source_id]) diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc index 5b27de7c0..f5cfdf79e 100755 --- a/src/service_inspectors/http_inspect/http_tables.cc +++ b/src/service_inspectors/http_inspect/http_tables.cc @@ -398,6 +398,7 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] = { CountType::SUM, "compressed_gzip", "total number of HTTP bodies compressed with GZIP" }, { CountType::SUM, "compressed_not_supported", "total number of HTTP bodies compressed with known but not supported methods" }, { CountType::SUM, "compressed_unknown", "total number of HTTP bodies compressed with unknown methods" }, + { CountType::SUM, "max_publish_depth_hits", "total number of times the maximum publish depth was exceeded" }, { CountType::END, nullptr, nullptr } };
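Review bot: In the `HttpMsgBody::analyze()` hunk the new comment says "about to hit", but the `pub_depth_remaining == 0` test runs after `pub_depth_remaining -= publish_length;`, so the requested depth is already used up when the peg is incremented. The test is also true when a body section ends exactly at the requested depth, so the peg counts "depth reached", not "body cut short for subscribers". I would reword the comment to `// The requested publish depth has just been used up (pub_depth_remaining reached 0); count that once.` and add a short `// attribute absent => should_publish_body stays 0` next to the `get_attr` calls, whose return value is ignored. The enclosing block starts outside the hunk, so I am assuming it is only entered while the remaining depth is non-zero; if it is not, the peg would be incremented again on every later body section.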
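Review bot: The help string added to `HttpModule::peg_names` says the maximum publish depth "was exceeded", while the code in http_msg_body.cc increments `PEG_MAX_PUBLISH_DEPTH_HITS` when `pub_depth_remaining` reaches 0. That also happens for a body exactly as long as the requested depth, where nothing was left unpublished. Wording such as `"total number of times the requested maximum publish depth was reached"` would agree with the peg name and the commit title. The difference matters to anyone reading this stat as evidence that subscribers saw only part of a body.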