git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Fri, 17 Aug 2018 15:53:16 +0000 (17:53 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 1 Nov 2018 14:46:10 +0000 (15:46 +0100)
commit	7c4f0ac9014f1a9f3ef087bba37dbcc0cd5666dc
tree	fa9681e0aa672ecb58638ac61c528164248b249b	tree
parent	a0734cf7e1fb5a756859785c62028434df1e9165	commit \| diff

http: implement min size stream logic

Update HTTP parser to set the min inspect depth per transaction. This
allows for signatures to have their fast_pattern in the HTTP body,
while still being able to inspect the raw stream reliably with it.

The inspect depth is set per transaction as it:
- depends on the per personality config for min inspect size
- is set to the size of the actual body if it is smaller

After the initial inspection is done, it is set to 0 which disables
the feature for the rest of the transaction.

This removes the rescanning flush logic in commit
7e004f52c60c5e4d7cd8f5ed09491291d18f42d2 and provides an alternative
fix for bug #2522. The old approach caused too much rescanning of
HTTP body data leading to a performance degradation.

Bug #2522

src/app-layer-htp.c		diff \| blob \| blame \| history
src/app-layer-htp.h		diff \| blob \| blame \| history
src/detect-engine-hcbd.c		diff \| blob \| blame \| history
src/detect-engine-hsbd.c		diff \| blob \| blame \| history