aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

htp: randomization of htp inspection sizes

Browse Source 
This is an implementation of #940. It randomize libhtp request
and response size if the same way this has been done for stream
inspection.
pull/673/merge
Eric Leblond 12 years ago committed by Victor Julien
parent 81ee6f5aad
commit ff784075a2
3 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File

34
src/app-layer-htp.c
Unescape Escape View File

@ -2112,6 +2112,8 @@ static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
cfg_prec->request_inspect_window = HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW;
cfg_prec->response_inspect_min_size = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE;
cfg_prec->response_inspect_window = HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW;
cfg_prec->randomize = HTP_CONFIG_DEFAULT_RANDOMIZE;
cfg_prec->randomize_range = HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE;
htp_config_register_request_header_data(cfg_prec->cfg, HTPCallbackRequestHeaderData);
htp_config_register_request_trailer_data(cfg_prec->cfg, HTPCallbackRequestHeaderData);
@ -2150,6 +2152,25 @@ static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
* the query and path. */
static void HTPConfigSetDefaultsPhase2(HTPCfgRec *cfg_prec)
{
/* randomize inspection size if needed */
if (cfg_prec->randomize) {
int rdrange = cfg_prec->randomize_range;
cfg_prec->request_inspect_min_size +=
(int) (cfg_prec->request_inspect_min_size *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->request_inspect_window +=
(int) (cfg_prec->request_inspect_window *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->response_inspect_min_size +=
(int) (cfg_prec->response_inspect_min_size *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
cfg_prec->response_inspect_window +=
(int) (cfg_prec->response_inspect_window *
(random() * 1.0 / RAND_MAX - 0.5) * rdrange / 100);
}
htp_config_register_request_line(cfg_prec->cfg, HTPCallbackRequestLine);
return;
@ -2355,6 +2376,19 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
htp_config_set_field_limits(cfg_prec->cfg,
(size_t)HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT,
(size_t)limit);
} else if (strcasecmp("randomize-inspection-sizes", p->name) == 0) {
cfg_prec->randomize = ConfValIsTrue(p->val);
} else if (strcasecmp("randomize-inspection-range", p->name) == 0) {
uint32_t range = atoi(p->val);
if (range > 100) {
SCLogError(SC_ERR_SIZE_PARSE, "Invalid value for randomize"
" inspection range setting from conf file - %s."
" It should be inferior to 100."
" Killing engine",
p->val);
exit(EXIT_FAILURE);
}
cfg_prec->randomize_range = range;
} else {
SCLogWarning(SC_ERR_UNKNOWN_VALUE, "LIBHTP Ignoring unknown "
"default config: %s", p->name);

5
src/app-layer-htp.h
Unescape Escape View File

@ -48,6 +48,9 @@
#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U
#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U
#define HTP_CONFIG_DEFAULT_RANDOMIZE 1
#define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10
/** a boundary should be smaller in size */
#define HTP_BOUNDARY_MAX 200U
@ -147,6 +150,8 @@ typedef struct HTPCfgRec_ {
uint32_t response_inspect_min_size;
uint32_t response_inspect_window;
int randomize;
int randomize_range;
} HTPCfgRec;
/** Struct used to hold chunks of a body on a request */

9
suricata.yaml.in
Unescape Escape View File

@ -1123,6 +1123,15 @@ app-layer:
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
#randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
#randomize-inspection-range: 10
# decoding
double-decode-path: no

Write Preview
Loading…
Cancel
Save