[Oisf-devel] suricata 1.4rc1 don't invoke HTPCallbackRequest if request body len >2919Byte
Victor Julien
victor at inliniac.net
Thu Dec 13 09:44:12 UTC 2012
On 12/13/2012 10:40 AM, Delta Yeh wrote:
> Hi,
> I'm testing suricata 1.4 rc1,
> If the post data < 2919 bytes, everything is OK.
> But if post data > 2919 bytes, the
> HTPCallbackRequest callback is not invoked, but I can see the request
> is logged in the http.log .
>
> The command to run suricata is : suricata -c /etc/suricata/suriata.yaml
> -i eth2
>
> The command to run wget is :
> wget -d --post-data=/tmp/post-data.txt http://192.168.39.252/
> The output of wget is :
Can you attach a pcap that has this problem?
Cheers,
Victor
> ---request begin---
> POST / HTTP/1.0
> User-Agent: Wget/1.12 (linux-gnu)
> Accept: */*
> Host: 192.168.39.252
> Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 2920
> ---response end---
> 200 OK
> Registered socket 3 for persistent reuse.
> Length: 1018 [text/html]
> Saving to: `index.html.93'
>
> No rule is loaded during the tests, the suricata.yaml is :
>
>
> runmode: autofp
> autofp-scheduler: active-packets
> default-packet-size: 1514
> max-pending-packets: 500
> # Configure the type of alert (and other) logging you would like.
> outputs:
>   # a line based alerts log similar to Snort's fast.log
>   - fast:
>       enabled: yes
>       filename: fast.log
>
>   - http-log:
>       enabled: yes
>       filename: /tmp/accesslog
>
> defrag:
>   max-frags: 65535
>   prealloc: yes
>   timeout: 3
> detect-engine:
>   - profile: custom
>   - custom-values:
>       toclient-src-groups: 2
>       toclient-dst-groups: 2
>       toclient-sp-groups: 2
>       toclient-dp-groups: 2
>       toserver-src-groups: 2
>       toserver-dst-groups: 3
>       toserver-sp-groups: 2
>       toserver-dp-groups: 5
>   - sgh-mpm-context: single
>   - inspection-recursion-limit: 10
>
> threading:
>   set-cpu-affinity: no
>   detect-thread-ratio: 1.5
>
> mpm-algo: ac
> pattern-matcher:
>   - b2gc:
>       search-algo: B2gSearchBNDMq
>       hash-size: low
>       bf-size: low
>   - b2gm:
>       search-algo: B2gSearchBNDMq
>       hash-size: low
>       bf-size: low
>   - b2g:
>       search-algo: B2gSearchBNDMq
>       hash-size: low
>       bf-size: low
>   - b3g:
>       search-algo: B3gSearchBNDMq
>       hash-size: low
>       bf-size: low
>   - wumanber:
>       hash-size: low
>       bf-size: low
>
> # Defrag settings:
> defrag:
>   max-frags: 65535
>   prealloc: yes
>   timeout: 20
>
> flow:
>   memcap: 32mb
>   hash-size: 65536
>   prealloc: 10000
>   emergency-recovery: 30
>   prune-flows: 5
>
> flow-timeouts:
>
>   default:
>     new: 3
>     established: 5
>     closed: 0
>     emergency-new: 1
>     emergency-established: 1
>     emergency-closed: 0
>   tcp:
>     new: 3
>     established: 5
>     closed: 0
>     emergency-new: 1
>     emergency-established: 1
>     emergency-closed: 0
>   udp:
>     new: 1
>     established: 1
>     emergency-new: 1
>     emergency-established: 1
>   icmp:
>     new: 1
>     established: 1
>     emergency-new: 1
>     emergency-established: 1
>
> stream:
>   memcap: 32mb
>   checksum-validation: no
>   max-sessions: 20000
>   midstream: false
>   inline: no # no inline mode
>   reassembly:
>     memcap: 64mb
>     depth: 1mb # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>
>
> host:
>   hash-size: 4096
>   prealloc: 1000
>   memcap: 16777216
> logging:
>   default-log-level: error
>
> pcap:
>   - interface: eth2
>     #buffer-size: 32768
>     #bpf-filter: "tcp and port 80"
>     checksum-checks: no
>
> classification-file: /etc/suricata/classification.config
> reference-config-file: /etc/suricata/reference.config
>
> action-order:
>   - pass
>   - drop
>   - reject
>   - alert
> pcre:
>   match-limit: 3500
>   match-limit-recursion: 1500
>
> libhtp:
>
>   default-config:
>     personality: Minimal
>     request-body-limit: 8096
>     response-body-limit: 8096
> coredump:
>   max-dump: unlimited
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
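Added reproducer, not part of the thread or of the Suricata project: it builds the exact HTTP/1.0 POST that the wget -d output above shows (same header set and order, Content-Length computed from a body of the requested size) for body lengths bracketing the reported 2919-byte threshold, so the requests can be replayed against a lab web server while tcpdump -w is running and the resulting pcap attached to the report as asked. The target address 192.168.39.252 is taken from the report; port 80 and the existence of a web server there are assumptions, and the body is synthetic form data rather than the poster's /tmp/post-data.txt. Nothing here depends on Suricata; it only produces controlled on-wire input for it.

```python
from __future__ import annotations

import socket

# Values taken from the report; change TARGET_HOST for your own lab.
TARGET_HOST = "192.168.39.252"
REPORTED_THRESHOLD = 2919   # largest body length the reporter saw working


def build_post(body_len: int, host: str = TARGET_HOST, path: str = "/") -> bytes:
    """Build the raw HTTP/1.0 POST wget 1.12 sends, with a body of exactly body_len bytes.

    Header names, values and order mirror the ---request begin--- block in the
    report; only Content-Length varies with the body.
    """
    # Synthetic x-www-form-urlencoded payload (constructed, not the poster's file).
    body = (b"a=" + b"x" * (body_len - 2)) if body_len >= 2 else b"x" * body_len
    assert len(body) == body_len
    headers = (
        f"POST {path} HTTP/1.0\r\n"
        f"User-Agent: Wget/1.12 (linux-gnu)\r\n"
        f"Accept: */*\r\n"
        f"Host: {host}\r\n"
        f"Connection: Keep-Alive\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
    ).encode("ascii")
    return headers + body


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw request into (header block incl. blank line, body)."""
    i = raw.index(b"\r\n\r\n")
    return raw[: i + 4], raw[i + 4 :]


def declared_content_length(raw: bytes) -> int:
    """Read back the Content-Length header, so a captured request can be checked."""
    head, _ = split_request(raw)
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip())
    raise ValueError("no Content-Length header")


def body_sizes_around(threshold: int = REPORTED_THRESHOLD, span: int = 2) -> list[int]:
    """Body lengths from threshold-span to threshold+span inclusive."""
    return list(range(threshold - span, threshold + span + 1))


def send_post(raw: bytes, host: str = TARGET_HOST, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send one raw request over a fresh TCP connection and return the full reply.

    A new connection per request keeps each size in its own flow, which makes the
    pcap easier to read and matches the one-request-per-run wget invocation.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for n in body_sizes_around():
        raw = build_post(n)
        print(f"body={n} bytes, declared={declared_content_length(raw)}, on-wire={len(raw)} bytes")
        # Run `tcpdump -i eth2 -w post-threshold.pcap tcp port 80` first, then
        # uncomment to send each request against the lab server:
        # print(send_post(raw)[:64])
```

Run it once with sending enabled and the capture running; the pcap then contains one flow per body size, which is exactly what is needed to tell whether the missing callback follows the body length, the total request length (header block plus body), or something else in the reassembly path.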