From: Victor Julien
Date: Tue, 26 Nov 2013 13:05:53 +0000 (+0100)
Subject: http: use body limit in inspection
X-Git-Tag: suricata-2.0beta2~132
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3521c37d4afafff9136f4e3302b471470941cc99;p=thirdparty%2Fsuricata.git
http: use body limit in inspection
When inspecting HTTP bodies there are several limits involved. In this patch the reaching of the body limit will trigger body inspection. Without this, the body would only be inspected when inspection limits "request-body-minimal-inspect-size" or "response-body-minimal-inspect-size" were reached. If the body limit was smaller than this value, the body would only be inspected at the end of the tx or stream.
---
diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index 0f49d2e6bf..19d6652065 100644
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -144,7 +144,9 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,

 /* inspect the body if the transfer is complete or we have hit
 * our body size limit */
- if (htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
+ if ((htp_state->cfg->request_body_limit == 0 ||
+ htud->request_body.content_len_so_far < htp_state->cfg->request_body_limit) &&
+ htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
 !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_BODY) &&
 !(flags & STREAM_EOF)) {
 SCLogDebug("we still haven't seen the entire request body. "
diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index 86283e0408..0a92848c38 100644
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
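Review bot: The comment above the new guard in DetectEngineHCBDGetBufferForTX (src/detect-engine-hcbd.c) still speaks of a single "body size limit", although the condition now combines two limits and gives `request_body_limit == 0` a special meaning. The code shows that a zero limit never triggers early inspection, which looks like "no limit", and that is worth stating: `/* inspect once the transfer is complete, a non-zero body limit is reached, or the minimal inspect size is reached; a body limit of 0 never triggers inspection here */`. The same comment and condition appear on the response side in DetectEngineHSBDGetBufferForTX (src/detect-engine-hsbd.c). Stating the rule matters for detection coverage, since the description says a body limit below the minimal inspect size used to defer inspection to the end of the tx or stream. The function body starts and ends outside the hunk.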
@@ -141,9 +141,19 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 goto end;
 }

+ SCLogDebug("response_body_limit %u response_body.content_len_so_far %"PRIu64
+ ", response_inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
+ htp_state->cfg->response_body_limit,
+ htud->response_body.content_len_so_far,
+ htp_state->cfg->response_inspect_min_size,
+ flags & STREAM_EOF ? "true" : "false",
+ (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) ? "true" : "false");
+
 /* inspect the body if the transfer is complete or we have hit
 * our body size limit */
- if (htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
+ if ((htp_state->cfg->response_body_limit == 0 ||
+ htud->response_body.content_len_so_far < htp_state->cfg->response_body_limit) &&
+ htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
 !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) &&
 !(flags & STREAM_EOF)) {
 SCLogDebug("we still haven't seen the entire response body. "
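Review bot: In the added SCLogDebug call, `response_body_limit` is printed with a bare `%u` while `response_inspect_min_size` beside it uses `PRIu32`. The field's declaration is not in the hunk, but if it is also a uint32_t the format should start `"response_body_limit %"PRIu32" response_body.content_len_so_far %"PRIu64`. The unparenthesized `flags & STREAM_EOF ? "true" : "false"` parses as intended, though `(flags & STREAM_EOF) ? "true" : "false"` would match the parenthesized progress argument on the next line. The request-side hunk in src/detect-engine-hcbd.c gets no equivalent debug line, which makes the two paths harder to compare when diagnosing a missed inspection. The function body starts and ends outside the hunk.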