mirror of https://github.com/OISF/suricata
cybersecurityidsintrusion-detection-systemintrusion-prevention-systemipsnetwork-monitornetwork-monitoringnsmsecuritysuricatathreat-hunting
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1bd189a076
Some traffic is very unbalanced. For example a 4 bytes request
followed by 12mb of response data. If the 4 bytes don't lead to
the protocol being detected, then app layer processing won't
start, but it will not give up either. It will just wait for more
data. This leads to piling up data on the opposite side.
Observed:
TS: 4 bytes. PP failed (bit set), PM has not given up (bit not set).
This makes sense as max_depth is not yet reached.
TC: 12mb. PP and PM failed (bits set).
As ts-PM never gives up, we never consider proto detect complete,
so all segments in either direction are still kept in the session.
This patch adds a cutoff for this case:
- IF for TS we have PP bit set, PM not set, AND
- we have TC both bits set, AND
- proto is unknown, AND
- TC data is 100k already, THEN
- give up on protocol detection.
The same for the opposite direction.
|
11 years ago | |
|---|---|---|
| benches | ||
| contrib | ||
| doc | ||
| m4 | ||
| qa | ||
| rules | ||
| scripts | ||
| src | 11 years ago | |
| .gitignore | ||
| COPYING | ||
| ChangeLog | ||
| LICENSE | ||
| Makefile.am | ||
| Makefile.cvs | ||
| acsite.m4 | ||
| autogen.sh | ||
| classification.config | ||
| config.rpath | ||
| configure.ac | ||
| doxygen.cfg | ||
| reference.config | ||
| suricata.yaml.in | ||
| threshold.config | ||