[Oisf-devel] http.response_body and Luajit
Victor Julien
victor at inliniac.net
Mon Dec 10 11:05:27 UTC 2012
On 12/10/2012 11:10 AM, Chris Wakelin wrote:
> Hi,
>
> Is there a limit to the size of the http.response_body string passed to
> Lua in a luajit sig? I've been trying to match exploit kit Java archives
> that contain the payload in the jar, which makes them rather larger than
> usual.
>
> To do this I dump the response body as a tmpfile and then process it
> with luazip:
>
> t = tostring(args["http.response_body"])
> tmpname = os.tmpname()
> tmp = io.open(tmpname,'w')
> tmp:write(t)
> tmp:close()
>
> z = zip.open(tmpname)
>
> which is working well for "normal" size exploit jars, but it seems the
> jars get truncated when larger than about 33-35k. They get stored
> properly using filestore.
>
> I have "response-body-limit: 1048576" in the suricata.yaml file.
From default config:

default-config:
  personality: IDS
  # Can be specified in kb, mb, gb. Just a number indicates
  # it's in bytes.
  request-body-limit: 3072
  response-body-limit: 3072
  # inspection limits
  request-body-minimal-inspect-size: 32kb
  request-body-inspect-window: 4kb
  response-body-minimal-inspect-size: 32kb
  response-body-inspect-window: 4kb
Check these settings. The *-minimal-inspect-size queues up the first
part of the body until that limit is reached (or the body is complete).
From then on the body is inspected in chunks of *-inspect-window.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
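An added example, not code from the thread: a luajit match script that checks in memory whether the http.response_body buffer it received holds a complete JAR/ZIP or only the truncated head of one, so the truncation described above is detected instead of being handed to luazip. It assumes the init()/match() convention of Suricata's Lua support (init() declares the buffers needed, match() receives them in args) and the standard ZIP signatures; no temp file is written.

```lua
-- Added example (not from the thread). Assumes the Suricata luajit API
-- where init() returns the buffers the script needs and match() gets them.
function init(args)
    local needs = {}
    needs["http.response_body"] = tostring(true)
    return needs
end

-- A ZIP/JAR starts with a local file header "PK\3\4" and ends with an
-- End Of Central Directory (EOCD) record whose signature is "PK\5\6".
local LOCAL_HEADER = "PK\3\4"
local EOCD = "PK\5\6"

-- Returns "complete", "truncated" or "not-zip" for the buffer given.
function classify_body(body)
    if body == nil or body:sub(1, 4) ~= LOCAL_HEADER then
        return "not-zip"
    end
    -- The EOCD record is 22 bytes plus an optional comment of at most
    -- 65535 bytes, so it must sit within that distance of the end.
    -- Plain (non-pattern) find, since the signature contains \5 and \6.
    local tail_start = math.max(1, #body - 65535 - 22)
    if body:find(EOCD, tail_start, true) then
        return "complete"
    end
    return "truncated"
end

function match(args)
    local body = tostring(args["http.response_body"])
    local state = classify_body(body)
    -- Bodies larger than *-minimal-inspect-size arrive in pieces, so a
    -- "truncated" archive must not be unpacked as if it were whole.
    if state == "complete" then
        return 1
    end
    return 0
end
```

If classify_body() keeps reporting "truncated" for archives that filestore saves intact, the *-minimal-inspect-size and *-inspect-window values quoted above are the settings to revisit.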