http: use body limit in inspection

When inspecting HTTP bodies there are several limits involved. In this patch the reaching of the body limit will trigger body inspection. Without this, the body would only be inspected when inspection limits "request-body-minimal-inspect-size" or "response-body-minimal-inspect-size" were reached. If the body limit was smaller than this value, the body would only be inspected at the end of the tx or stream.
11 years ago · 3521c37d4a
parent 493d531ae8
commit 3521c37d4a
2 changed files with 14 additions and 2 deletions
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@ -144,7 +144,9 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,

    /* inspect the body if the transfer is complete or we have hit
     * our body size limit */
-    if (htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
+    if ((htp_state->cfg->request_body_limit == 0 ||
+         htud->request_body.content_len_so_far < htp_state->cfg->request_body_limit) &&
+        htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
        !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_BODY) &&
        !(flags & STREAM_EOF)) {
        SCLogDebug("we still haven't seen the entire request body.  "
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@ -141,9 +141,19 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
        goto end;
    }

+    SCLogDebug("response_body_limit %u response_body.content_len_so_far %"PRIu64
+               ", response_inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
+              htp_state->cfg->response_body_limit,
+              htud->response_body.content_len_so_far,
+              htp_state->cfg->response_inspect_min_size,
+              flags & STREAM_EOF ? "true" : "false",
+              (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) ? "true" : "false");
+
    /* inspect the body if the transfer is complete or we have hit
     * our body size limit */
-    if (htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
+    if ((htp_state->cfg->response_body_limit == 0 ||
+         htud->response_body.content_len_so_far < htp_state->cfg->response_body_limit) &&
+        htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
        !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) &&
        !(flags & STREAM_EOF)) {
        SCLogDebug("we still haven't seen the entire response body.  "