From: Giuseppe Longo
Date: Thu, 28 May 2015 11:42:28 +0000 (+0200)
Subject: app-layer-htp: add http_body_inline setting
X-Git-Tag: suricata-3.0RC1~313
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a459376d2e0e04937cdf603b5d8d8c86549ce2bf;p=thirdparty%2Fsuricata.git
app-layer-htp: add http_body_inline setting
---
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 2817332551..3fd009f573 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -2468,6 +2468,21 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
 exit(EXIT_FAILURE);
 }
 cfg_prec->randomize_range = range;
+ } else if (strcasecmp("http-body-inline", p->name) == 0) {
+ if (ConfValIsTrue(p->val)) {
+ cfg_prec->http_body_inline = 1;
+ } else if (ConfValIsFalse(p->val)) {
+ cfg_prec->http_body_inline = 0;
+ } else {
+ if (strcmp("auto", p->val) != 0) {
+ WarnInvalidConfEntry("http_body_inline", "%s", "auto");
+ }
+ if (EngineModeIsIPS()) {
+ cfg_prec->http_body_inline = 1;
+ } else {
+ cfg_prec->http_body_inline = 0;
+ }
+ }
 } else {
 SCLogWarning(SC_ERR_UNKNOWN_VALUE, "LIBHTP Ignoring unknown "
 "default config: %s", p->name);
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 50b95d66d1..275bc4b7ef 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -157,6 +157,7 @@ typedef struct HTPCfgRec_ {
 uint32_t response_inspect_window;
 int randomize;
 int randomize_range;
+ int http_body_inline;
 } HTPCfgRec;
 /** Struct used to hold chunks of a body on a request */
diff --git a/suricata.yaml.in b/suricata.yaml.in
index d4883c4236..a4c7ab5aab 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
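Review bot: The warning in the fallback branch names the option with underscores, `WarnInvalidConfEntry("http_body_inline", "%s", "auto")`, while the key matched a few lines above by strcasecmp and the key added to suricata.yaml.in in this same commit are `http-body-inline`, so an operator who mistypes the value is told to correct a key that does not exist; change it to `WarnInvalidConfEntry("http-body-inline", "%s", "auto");`. The value comparison `strcmp("auto", p->val)` is case-sensitive while the key match is not, so a value such as `Auto` emits the warning yet is still handled as auto; using `strcasecmp` there would make the two checks consistent. Any unrecognised value degrades to the auto behaviour after the warning, which in IPS mode turns inline body inspection on, and that deserves a comment on the `else` branch, e.g. `/* unknown value: warn, then fall back to 'auto' (follow engine mode) */`. The hunk does not show what `http_body_inline` holds when the key is absent from the config; presumably the defaults routine outside this hunk initialises it, but that should be confirmed. HTPConfigParseParameters begins and ends outside the hunk.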
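Review bot: The new `http_body_inline` member of HTPCfgRec is added without a comment, and nothing in the header says what its values mean or that it is already resolved at config-parse time. The parser hunk in app-layer-htp.c collapses `auto` into 0 or 1 by engine mode, which is worth recording here so nobody later expects a third "auto" state in the struct: `int http_body_inline; /**< http-body-inline: 1 = inline HTTP body inspection, 0 = off; 'auto' is resolved by engine mode when the config is parsed */`. The typedef HTPCfgRec_ starts outside the hunk.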
@@ -1366,6 +1366,10 @@ app-layer:
 request-body-inspect-window: 4kb
 response-body-minimal-inspect-size: 32kb
 response-body-inspect-window: 4kb
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
 # Take a random value for inspection sizes around the specified value.
 # This lower the risk of some evasion technics but could lead
 # detection change between runs. It is set to 'yes' by default.
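Review bot: The comment introducing the new key reads awkwardly (`# auto will use http-body-inline mode in IPS mode, yes or no set it statically`) and is the only user-facing description of the setting, so it should state the semantics plainly. Suggest `# 'auto' enables inline HTTP body inspection only when the engine runs in IPS mode; 'yes' or 'no' sets it explicitly.`, and, since the parser in this commit treats any other value as 'auto' after a warning, a second line `# Any other value is warned about and treated as 'auto'.`.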