aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http: set of response body decompress limit

Browse Source 
This is a per personality setting.
pull/2140/head
Victor Julien 10 years ago
parent ed7dc0c6b3
commit 5ec885e451
3 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File

5
configure.ac
Unescape Escape View File

@ -1240,6 +1240,7 @@
# check for htp_tx_get_response_headers_raw # check for htp_tx_get_response_headers_raw
AC_CHECK_LIB([htp], [htp_tx_get_response_headers_raw],AC_DEFINE_UNQUOTED([HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW],[1],[Found htp_tx_get_response_headers_raw in libhtp]) ,,[-lhtp]) AC_CHECK_LIB([htp], [htp_tx_get_response_headers_raw],AC_DEFINE_UNQUOTED([HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW],[1],[Found htp_tx_get_response_headers_raw in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_decode_query_inplace],AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Found htp_decode_query_inplace function in libhtp]) ,,[-lhtp]) AC_CHECK_LIB([htp], [htp_decode_query_inplace],AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Found htp_decode_query_inplace function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_response_decompression_layer_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT],[1],[Found htp_config_set_response_decompression_layer_limit function in libhtp]) ,,[-lhtp])
AC_EGREP_HEADER(htp_config_set_path_decode_u_encoding, htp/htp.h, AC_DEFINE_UNQUOTED([HAVE_HTP_SET_PATH_DECODE_U_ENCODING],[1],[Found usable htp_config_set_path_decode_u_encoding function in libhtp]) ) AC_EGREP_HEADER(htp_config_set_path_decode_u_encoding, htp/htp.h, AC_DEFINE_UNQUOTED([HAVE_HTP_SET_PATH_DECODE_U_ENCODING],[1],[Found usable htp_config_set_path_decode_u_encoding function in libhtp]) )
]) ])
@ -1259,10 +1260,12 @@
AC_DEFINE_UNQUOTED([HAVE_HTP_URI_NORMALIZE_HOOK],[1],[Assuming htp_config_register_request_uri_normalize function in bundled libhtp]) AC_DEFINE_UNQUOTED([HAVE_HTP_URI_NORMALIZE_HOOK],[1],[Assuming htp_config_register_request_uri_normalize function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW],[1],[Assuming htp_tx_get_response_headers_raw function in bundled libhtp]) AC_DEFINE_UNQUOTED([HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW],[1],[Assuming htp_tx_get_response_headers_raw function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Assuming htp_decode_query_inplace function in bundled libhtp]) AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Assuming htp_decode_query_inplace function in bundled libhtp])
# enable when libhtp has been updated
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT],[1],[Assuming htp_config_set_response_decompression_layer_limit function in bundled libhtp])
else else
echo echo
echo " ERROR: Libhtp is not bundled. Get libhtp by doing:" echo " ERROR: Libhtp is not bundled. Get libhtp by doing:"
echo " git clone https://github.com/ironbee/libhtp" echo " git clone https://github.com/OISF/libhtp"
echo " Then re-run Suricata's autogen.sh and configure script." echo " Then re-run Suricata's autogen.sh and configure script."
echo " Or, if libhtp is installed in a different location," echo " Or, if libhtp is installed in a different location,"
echo " pass --enable-non-bundled-htp to Suricata's configure script." echo " pass --enable-non-bundled-htp to Suricata's configure script."

13
src/app-layer-htp.c
Unescape Escape View File

@ -2348,6 +2348,19 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} else if (strcasecmp("response-body-decompress-layer-limit", p->name) == 0) {
uint32_t value = 2;
if (ParseSizeStringU32(p->val, &value) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing response-body-inspect-window "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
#ifdef HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT
htp_config_set_response_decompression_layer_limit(cfg_prec->cfg, value);
#else
SCLogWarning(SC_WARN_OUTDATED_LIBHTP, "can't set response-body-decompress-layer-limit "
"to %u, libhtp version too old", value);
#endif
} else if (strcasecmp("path-convert-backslash-separators", p->name) == 0) { } else if (strcasecmp("path-convert-backslash-separators", p->name) == 0) {
htp_config_set_backslash_convert_slashes(cfg_prec->cfg, htp_config_set_backslash_convert_slashes(cfg_prec->cfg,
HTP_DECODER_URL_PATH, HTP_DECODER_URL_PATH,

6
suricata.yaml.in
Unescape Escape View File

@ -721,6 +721,9 @@ app-layer:
# by file_data, http_server_body & pcre /Q option. # by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI # double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI # double-decode-query: Double decode query section of the URI
# response-body-decompress-layer-limit:
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
# #
# server-config: List of server configurations to use if address matches # server-config: List of server configurations to use if address matches
# address: List of ip addresses or networks for this block # address: List of ip addresses or networks for this block
@ -766,6 +769,9 @@ app-layer:
response-body-minimal-inspect-size: 40kb response-body-minimal-inspect-size: 40kb
response-body-inspect-window: 16kb response-body-inspect-window: 16kb
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
# auto will use http-body-inline mode in IPS mode, yes or no set it statically # auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto http-body-inline: auto

Write Preview
Loading…
Cancel
Save