Pull request #4815: http_inspect: add peg count for when published body has hit the...
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 24 Jul 2025 18:30:49 +0000 (18:30 +0000)
committerSteve Chew (stechew) <stechew@cisco.com>
Thu, 24 Jul 2025 18:30:49 +0000 (18:30 +0000)
Merge in SNORT/snort3 from ~MSTEPANE/snort3:peg_client_body_depth to master

Squashed commit of the following:

commit 1ae5a159d08006a673e388e84b00c9773d0373df
Author: mstepane <mstepane@cisco.com>
Date:   Mon Jul 14 10:39:16 2025 -0400

    http_inspect: add peg count for when published body has hit the requested max size

src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_msg_body.cc
src/service_inspectors/http_inspect/http_tables.cc

index fbac0fa09655d1eb52a57e40ef121f2cd5c3dd4a..cae6c464345669ba2b884d60e6f5838a1df4b43a 100755 (executable)
@@ -69,7 +69,7 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES
     PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY,
     PEG_PIPELINED_FLOWS, PEG_PIPELINED_REQUESTS, PEG_TOTAL_BYTES, PEG_JS_INLINE, PEG_JS_EXTERNAL,
     PEG_JS_PDF, PEG_SKIP_MIME_ATTACH, PEG_COMPRESSED_GZIP, PEG_COMPRESSED_NOT_SUPPORTED,
-    PEG_COMPRESSED_UNKNOWN, PEG_COUNT_MAX};
+    PEG_COMPRESSED_UNKNOWN, PEG_MAX_PUBLISH_DEPTH_HITS, PEG_COUNT_MAX};
 
 // Result of scanning by splitter
 enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE,
index 593350609332c2766fa52fc6b47ff6c1d0ea6d7f..79c976ef85a19ab21eb68f7364a9d6a3a6ca2ae9 100644 (file)
@@ -28,6 +28,7 @@
 #include "file_api/file_service.h"
 #include "hash/hash_key_operations.h"
 #include "helpers/buffer_data.h"
+#include "http_module.h"
 #include "js_norm/js_enum.h"
 #include "pub_sub/http_request_body_event.h"
 #include "pub_sub/http_body_event.h"
@@ -213,6 +214,23 @@ void HttpMsgBody::analyze()
         publish_length = (pub_depth_remaining > msg_text_new.length()) ?
             msg_text_new.length() : pub_depth_remaining;
         pub_depth_remaining -= publish_length;
+
+        // If we're about to hit the max requested publish depth (as requested
+        // by responding to an "HTTP publish length" event), then increment the
+        // max-publish-depth peg count.
+        if (pub_depth_remaining == 0)
+        {
+            const bool is_request = (source_id == SRC_CLIENT);
+            int32_t should_publish_body = 0;
+            if (is_request)
+                flow->get_attr(STASH_PUBLISH_REQUEST_BODY, should_publish_body);
+            else
+                flow->get_attr(STASH_PUBLISH_RESPONSE_BODY, should_publish_body);
+            if (should_publish_body)
+            {
+                HttpModule::increment_peg_counts(PEG_MAX_PUBLISH_DEPTH_HITS);
+            }
+        }
     }
 
     if (session_data->mime_state[source_id])
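Review bot: The comment above `if (pub_depth_remaining == 0)` says "about to hit", but the test runs after `pub_depth_remaining -= publish_length`, so the requested depth has already been consumed at that point. The test also passes when a body section exactly fills the depth, not only when data is cut off. Whether this branch can run again for later body sections once the remainder is already zero depends on the enclosing condition, which starts outside the hunk in HttpMsgBody::analyze(); that is worth confirming so the peg stays at one hit per body. I would reword the comment to `// Publish depth for this direction is now used up (an exact fit counts too); count it if a subscriber requested this body.` The result of `flow->get_attr()` is not checked, which looks safe here only because `should_publish_body` is initialised to 0.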
index 5b27de7c0912f98f35904364a74a09d642d2ab77..f5cfdf79e9d267f421f1a36ca408be82b7e7fdc0 100755 (executable)
@@ -398,6 +398,7 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
     { CountType::SUM, "compressed_gzip", "total number of HTTP bodies compressed with GZIP" },
     { CountType::SUM, "compressed_not_supported", "total number of HTTP bodies compressed with known but not supported methods" },
     { CountType::SUM, "compressed_unknown", "total number of HTTP bodies compressed with unknown methods" },
+    { CountType::SUM, "max_publish_depth_hits", "total number of times the maximum publish depth was exceeded" },
     { CountType::END, nullptr, nullptr }
 };
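Review bot: The help text on the new `max_publish_depth_hits` entry says the depth was "exceeded", while the counter in http_msg_body.cc is incremented when `pub_depth_remaining == 0`, that is, when the depth is reached, including a body that fits exactly. An operator using this peg to judge how often subscribers received a truncated body would over-read it. Wording that matches the code and the peg name would be `"total number of times the published body reached the requested maximum publish depth"`. The peg_names array starts outside the hunk, so the entry's position relative to the enum order is only visible for the last few rows.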