From 3521c37d4afafff9136f4e3302b471470941cc99 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 26 Nov 2013 14:05:53 +0100
Subject: [PATCH] http: use body limit in inspection

When inspecting HTTP bodies there are several limits involved. In this patch the reaching of the body limit will trigger body inspection. Without this, the body would only be inspected when inspection limits "request-body-minimal-inspect-size" or "response-body-minimal-inspect-size" were reached. If the body limit was smaller than this value, the body would only be inspected at the end of the tx or stream.
---
 src/detect-engine-hcbd.c | 4 +++-
 src/detect-engine-hsbd.c | 12 +++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index 0f49d2e6bf..19d6652065 100644
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -144,7 +144,9 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 /* inspect the body if the transfer is complete or we have hit
 * our body size limit */
- if (htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
+ if ((htp_state->cfg->request_body_limit == 0 ||
+ htud->request_body.content_len_so_far < htp_state->cfg->request_body_limit) &&
+ htud->request_body.content_len_so_far < htp_state->cfg->request_inspect_min_size &&
 !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 0) > HTP_REQUEST_BODY) &&
 !(flags & STREAM_EOF)) {
 SCLogDebug("we still haven't seen the entire request body. "
diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index 86283e0408..0a92848c38 100644
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
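Review bot: The comment above the changed condition in DetectEngineHCBDGetBufferForTX (src/detect-engine-hcbd.c) still names only two triggers, while the new condition has four: body limit reached, minimal inspect size reached, request body complete, or stream EOF. I would reword it to `/* inspect the body once request_body_limit or request_inspect_min_size is reached, the body is complete, or the stream hit EOF; a limit of 0 means no limit */`. The new test also depends on content_len_so_far actually reaching request_body_limit. The code that maintains that counter is not in this hunk, so it is worth confirming that it is clamped to the limit rather than stopped short of it, otherwise inspection is still deferred to the end of the tx. The same comment wording applies to the response-side hunk in src/detect-engine-hsbd.c, and the function body continues outside the hunk.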
@@ -141,9 +141,19 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id,
 goto end;
 }
+ SCLogDebug("response_body_limit %u response_body.content_len_so_far %"PRIu64
+ ", response_inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
+ htp_state->cfg->response_body_limit,
+ htud->response_body.content_len_so_far,
+ htp_state->cfg->response_inspect_min_size,
+ flags & STREAM_EOF ? "true" : "false",
+ (AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) ? "true" : "false");
+
 /* inspect the body if the transfer is complete or we have hit
 * our body size limit */
- if (htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
+ if ((htp_state->cfg->response_body_limit == 0 ||
+ htud->response_body.content_len_so_far < htp_state->cfg->response_body_limit) &&
+ htud->response_body.content_len_so_far < htp_state->cfg->response_inspect_min_size &&
 !(AppLayerGetAlstateProgress(ALPROTO_HTTP, tx, 1) > HTP_RESPONSE_BODY) &&
 !(flags & STREAM_EOF)) {
 SCLogDebug("we still haven't seen the entire response body. "
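Review bot: The added SCLogDebug in DetectEngineHSBDGetBufferForTX prints response_body_limit with `%u` while the neighbouring response_inspect_min_size uses `PRIu32`. If both config fields are uint32_t (their declarations are not in this hunk), `"response_body_limit %"PRIu32" response_body.content_len_so_far %"PRIu64` keeps the specifiers consistent and matched to the type. The request-side hunk in src/detect-engine-hcbd.c gets no equivalent debug line, so the two inspection paths now log differently for the same decision. Adding the mirrored call there, or moving the now-identical limit test into one shared helper, would keep the request and response checks from drifting apart. The function body continues outside the hunk.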