This feature is off by default. script_detection = true will activate it.
-===== partial_depth
+===== partial_depth_body
Partial depth detection is a feature that enables Snort to more quickly detect
-and block malicious requests. It is configured by the partial_depth parameter
+and block malicious requests. It is configured by the partial_depth_body parameter
which can take values in the range -1-16384 bytes. The feature is enabled by
-setting partial_depth to some non zero value. When the feature is enabled and
+setting partial_depth_body to some non zero value. When the feature is enabled and
either, the number of bytes received in the request body is below the value
-specified by partial_depth, or partial_depth is set to -1, unlimited; it
+specified by partial_depth_body, or partial_depth_body is set to -1, unlimited; it
immediately forwards the available part of the message body for early detection.
This enables earlier threat detection but consumes somewhat more of the sensor's
resources.
-This feature is turned off by default by setting partial_depth = 0. To activate
-it, set partial_depth to the desired value.
+This feature is turned off by default by setting partial_depth_body = 0. To activate
+it, set partial_depth_body to the desired value.
===== gzip
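Review bot: the sentence "which can take values in the range -1-16384 bytes" is hard to parse with the two dashes run together, and since this hunk already rewrites the neighbouring lines it is the right place to spell it out as "-1 to 16384 bytes" and to hyphenate "non zero" as "non-zero" in "setting partial_depth_body to some non zero value"; the clause "either, the number of bytes received in the request body is below the value specified by partial_depth_body, or partial_depth_body is set to -1, unlimited; it immediately forwards" should also drop the comma after "either" and the semicolon before "it". Separately, the rename drops the old name without any mention of it: a line here (or in the change log) saying that partial_depth has been renamed to partial_depth_body would spare anyone with an existing configuration that sets partial_depth a surprise at startup.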
lost by storing partial message sections in HI while waiting for reassemble() would be more than
compensated for by not having two instances of zlib.
-For request bodies, when partial_depth parameter is set to a non zero value, a partial body will
-be subjected to partial inspection if its length is below partial_depth value. When the partial_depth
-parameter is set to -1, the entire body will be subjected to inspection regardless of its length.
+For request bodies, when partial_depth_body parameter is set to a non zero value, a partial body
+will be subjected to partial inspection if its length is below partial_depth_body value. When
+the partial_depth_body parameter is set to -1, the entire body will be subjected to inspection
+regardless of its length.
The http_inspect partial inspection mechanism is invoked by http2_inspect on frame boundaries.
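Review bot: the renamed text still describes the trigger only as "if its length is below partial_depth_body value", but the splitter condition later in this change also requires `cutter->get_num_flush() == 0`, so for a finite depth the partial body is forwarded only before the first flush of that body, while -1 carries no such restriction. Add that second condition to these dev notes so they match the code, and write "below the partial_depth_body value" (missing article) while the lines are being touched.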
ConfigLogger::log_limit("request_depth", params->request_depth, -1);
ConfigLogger::log_limit("response_depth", params->response_depth, -1);
- ConfigLogger::log_limit("partial_depth", params->partial_depth, -1, 0);
+ ConfigLogger::log_limit("partial_depth_body", params->partial_depth_body, -1, 0);
ConfigLogger::log_flag("unzip", params->unzip);
ConfigLogger::log_flag("normalize_utf", params->normalize_utf);
ConfigLogger::log_flag("decompress_pdf", params->decompress_pdf);
{ "response_depth", Parameter::PT_INT, "-1:max53", "-1",
"maximum response message body bytes to examine (-1 no limit)" },
- { "partial_depth", Parameter::PT_INT, "-1:16384", "0",
+ { "partial_depth_body", Parameter::PT_INT, "-1:16384", "0",
"maximum request body to send to early detection (0 disabled, -1 no limit)" },
{ "unzip", Parameter::PT_BOOL, nullptr, "true",
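Review bot: the help string carried over unchanged, "maximum request body to send to early detection (0 disabled, -1 no limit)", omits the unit, whereas the sibling entry two lines up reads "maximum response message body bytes to examine (-1 no limit)". Make it "maximum request body bytes to send to early detection (0 disabled, -1 no limit)" so the module help output is consistent and the reader knows the -1:16384 range is in bytes.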
{
params->response_depth = val.get_int64();
}
- else if (val.is("partial_depth"))
+ else if (val.is("partial_depth_body"))
{
- params->partial_depth = val.get_int64();
+ params->partial_depth_body = val.get_int64();
}
else if (val.is("unzip"))
{
~HttpParaList();
int64_t request_depth = -1;
int64_t response_depth = -1;
- int64_t partial_depth = 0;
+ int64_t partial_depth_body = 0;
bool unzip = true;
bool normalize_utf = true;
}
if (is_body(type) && source_id == SRC_CLIENT &&
- (my_inspector->params->partial_depth == -1 ||
- (cutter->get_octets_seen() < my_inspector->params->partial_depth && cutter->get_num_flush() == 0)))
+ (my_inspector->params->partial_depth_body == -1 ||
+ (cutter->get_octets_seen() < my_inspector->params->partial_depth_body && cutter->get_num_flush() == 0)))
{
static const uint64_t MAX_PARTIAL_FLUSH_COUNTER = 20;
if (++session_data->partial_flush_counter == MAX_PARTIAL_FLUSH_COUNTER)
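Review bot: the rewritten condition treats the two enabled modes differently and nothing in the code says whether that is intended: with a finite `partial_depth_body` the partial flush requires both `cutter->get_octets_seen() < my_inspector->params->partial_depth_body` and `cutter->get_num_flush() == 0`, but `partial_depth_body == -1` short-circuits before either check, so in unlimited mode the branch is taken on every pass until `partial_flush_counter` reaches `MAX_PARTIAL_FLUSH_COUNTER`. A one-line comment above the `if` stating that -1 deliberately ignores the first-flush restriction would help, and the disabled case (0) works only because `get_octets_seen()` can never be below 0, which also deserves a comment rather than relying on the reader to notice it. The strict `<` means a body that has reached exactly partial_depth_body bytes is not forwarded, which does match the "below" wording in the documentation hunks.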