[Oisf-devel] suricata 1.4rc1 doesn't invoke HTPCallbackRequest if request body len > 2919 bytes
Delta Yeh
delta.yeh at gmail.com
Thu Dec 13 09:40:22 UTC 2012
Hi,

I'm testing suricata 1.4 rc1.
If the post data is < 2919 bytes, everything is OK.
But if the post data is > 2919 bytes, the HTPCallbackRequest callback is not invoked, although I can see the request is logged in the http.log.

The command to run suricata is:
suricata -c /etc/suricata/suricata.yaml -i eth2

The command to run wget is:
wget -d --post-data=/tmp/post-data.txt http://192.168.39.252/

The output of wget is:
---request begin---
POST / HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: 192.168.39.252
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2920
---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 1018 [text/html]
Saving to: `index.html.93'
No rule is loaded during the tests; the suricata.yaml is:
runmode: autofp
autofp-scheduler: active-packets
default-packet-size: 1514
max-pending-packets: 500

# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
  - http-log:
      enabled: yes
      filename: /tmp/accesslog

defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 3

detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 2
      toserver-src-groups: 2
      toserver-dst-groups: 3
      toserver-sp-groups: 2
      toserver-dp-groups: 5
  - sgh-mpm-context: single
  - inspection-recursion-limit: 10

threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5

mpm-algo: ac

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: low
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: low
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: low
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: low
  - wumanber:
      hash-size: low
      bf-size: low

# Defrag settings:
defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 20

flow:
  memcap: 32mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

flow-timeouts:
  default:
    new: 3
    established: 5
    closed: 0
    emergency-new: 1
    emergency-established: 1
    emergency-closed: 0
  tcp:
    new: 3
    established: 5
    closed: 0
    emergency-new: 1
    emergency-established: 1
    emergency-closed: 0
  udp:
    new: 1
    established: 1
    emergency-new: 1
    emergency-established: 1
  icmp:
    new: 1
    established: 1
    emergency-new: 1
    emergency-established: 1

stream:
  memcap: 32mb
  checksum-validation: no
  max-sessions: 20000
  midstream: false
  inline: no # no inline mode
  reassembly:
    memcap: 64mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216

logging:
  default-log-level: error

pcap:
  - interface: eth2
    #buffer-size: 32768
    #bpf-filter: "tcp and port 80"
    checksum-checks: no

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

action-order:
  - pass
  - drop
  - reject
  - alert

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

libhtp:
  default-config:
    personality: Minimal
    request-body-limit: 8096
    response-body-limit: 8096

coredump:
  max-dump: unlimited
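The report above tests against live traffic (wget on one side, suricata -i eth2 on the other), which makes the 2919/2920-byte threshold awkward to bisect. The script below is an added example, not code from the reporter or from the Suricata project: it writes a pcap containing a TCP handshake and an HTTP/1.0 POST whose header block mirrors wget's output above, with a body of any chosen length, segmented at an assumed MSS of 1460 (1514-byte frames, as in default-packet-size). The client address and port, the MAC addresses, the sequence numbers and the server's reply are all constructed for the example. The resulting file can be fed to Suricata with -r so the same request can be replayed against different body sizes and configurations offline.

```python
"""Generate a pcap of a TCP session carrying an HTTP/1.0 POST of a chosen body
size, so a body-length threshold can be bisected with `suricata -r`.
Standard library only; nothing is sent on the network."""
import struct
import time

MSS = 1460                          # assumption: 1500-byte MTU minus 40 bytes of IP+TCP headers
CLIENT = ("192.168.39.10", 40000)   # constructed client address and port
SERVER = ("192.168.39.252", 80)     # server address from the report; port 80 assumed


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def tcp_packet(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with valid checksums. flags is a string of F/S/R/P/A."""
    fl = 0
    for ch, bit in (("F", 1), ("S", 2), ("R", 4), ("P", 8), ("A", 16)):
        if ch in flags:
            fl |= bit
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, fl, 65535, 0, 0)
    pseudo = _ip_bytes(src[0]) + _ip_bytes(dst[0]) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, _ip_bytes(src[0]), _ip_bytes(dst[0]))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # constructed MACs
    return eth + ip + tcp + payload


def checksums_ok(frame: bytes) -> bool:
    """Re-verify the IPv4 and TCP checksums of a frame built above (both must fold to 0)."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(ip) == 0 and _csum(pseudo + tcp) == 0


def build_post(body_len: int) -> bytes:
    """Raw HTTP/1.0 POST with the same header block wget printed in the report."""
    hdr = (b"POST / HTTP/1.0\r\n"
           b"User-Agent: Wget/1.12 (linux-gnu)\r\n"
           b"Accept: */*\r\n"
           b"Host: 192.168.39.252\r\n"
           b"Connection: Keep-Alive\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           + b"Content-Length: %d\r\n\r\n" % body_len)
    return hdr + b"a" * body_len


def segment(data: bytes, mss: int = MSS) -> list:
    """Split a byte stream into MSS-sized TCP segments."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def build_session(body_len: int) -> list:
    """Frames for: handshake, POST segments, server reply, client ACK, FIN exchange."""
    frames, cseq, sseq = [], 1000, 5000
    frames.append(tcp_packet(CLIENT, SERVER, cseq, 0, "S")); cseq += 1
    frames.append(tcp_packet(SERVER, CLIENT, sseq, cseq, "SA")); sseq += 1
    frames.append(tcp_packet(CLIENT, SERVER, cseq, sseq, "A"))
    for chunk in segment(build_post(body_len)):
        frames.append(tcp_packet(CLIENT, SERVER, cseq, sseq, "PA", chunk))
        cseq += len(chunk)
    resp = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\n<ok/>"
    frames.append(tcp_packet(SERVER, CLIENT, sseq, cseq, "PA", resp)); sseq += len(resp)
    frames.append(tcp_packet(CLIENT, SERVER, cseq, sseq, "A"))
    frames.append(tcp_packet(CLIENT, SERVER, cseq, sseq, "FA"))
    frames.append(tcp_packet(SERVER, CLIENT, sseq, cseq + 1, "FA"))
    frames.append(tcp_packet(CLIENT, SERVER, cseq + 1, sseq + 1, "A"))
    return frames


def write_pcap(path: str, frames: list) -> None:
    """Classic libpcap format, link type 1 (Ethernet), 1 ms between frames."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        ts = int(time.time())
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", ts, i * 1000, len(fr), len(fr)))
            f.write(fr)


if __name__ == "__main__":
    import sys
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 2920
    write_pcap("post-%d.pcap" % n, build_session(n))
```

Generate one file per candidate size (for example 2919 and 2920), then run suricata -c suricata.yaml -r post-2920.pcap -l logdir with the configuration from the report and compare what lands in http.log against whatever instrumentation is placed on HTPCallbackRequest. Because the pcap carries valid checksums, it behaves the same whether or not checksum validation is disabled in the config.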