Hi,

I'm testing suricata 1.4 rc1.
If the post data < 2919 bytes, everything is OK.
But if the post data > 2919 bytes, the HTPCallbackRequest callback is not invoked, but I can see the request is logged in the http.log.

The command to run suricata is:
suricata -c /etc/suricata/suriata.yaml -i eth2

The command to run wget is:
wget -d --post-data=/tmp/post-data.txt http://192.168.39.252/

The output of wget is:

---request begin---
POST / HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: 192.168.39.252
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2920
---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 1018 [text/html]
Saving to: `index.html.93'

No rule is loaded during the tests. The suricata.yaml is:

runmode: autofp
autofp-scheduler: active-packets
default-packet-size: 1514
max-pending-packets: 500
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log

  - http-log:
      enabled: yes
      filename: /tmp/accesslog

defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 3
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 2
      toserver-src-groups: 2
      toserver-dst-groups: 3
      toserver-sp-groups: 2
      toserver-dp-groups: 5
  - sgh-mpm-context: single
  - inspection-recursion-limit: 10

threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5

mpm-algo: ac
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: low
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: low
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: low
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: low
  - wumanber:
      hash-size: low
      bf-size: low

# Defrag settings:
defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 20

flow:
  memcap: 32mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

flow-timeouts:

  default:
    new: 3
    established: 5
    closed: 0
    emergency-new: 1
    emergency-established: 1
    emergency-closed: 0
  tcp:
    new: 3
    established: 5
    closed: 0
    emergency-new: 1
    emergency-established: 1
    emergency-closed: 0
  udp:
    new: 1
    established: 1
    emergency-new: 1
    emergency-established: 1
  icmp:
    new: 1
    established: 1
    emergency-new: 1
    emergency-established: 1

stream:
  memcap: 32mb
  checksum-validation: no
  max-sessions: 20000
  midstream: false
  inline: no # no inline mode
  reassembly:
    memcap: 64mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560


host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
logging:
  default-log-level: error

pcap:
  - interface: eth2
    #buffer-size: 32768
    #bpf-filter: "tcp and port 80"
    checksum-checks: no

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

action-order:
  - pass
  - drop
  - reject
  - alert
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

libhtp:

  default-config:
    personality: Minimal
    request-body-limit: 8096
    response-body-limit: 8096
coredump:
  max-dump: unlimited