[Oisf-users] libhtp and reassembly

Michał Purzyński michalpurzynski1 at gmail.com
Fri Nov 7 11:35:17 UTC 2014


Good to know. What do you think about the stream depth and body inspection
of that size? My bet is, it does not make much sense. Malware isn't hiding
in files of that size, and if it is (archive, etc.), well, you're not expecting
to detect 100% anyway ;)
Having 1GB inspected is by most means "no limit" and should have a bad
impact on performance.
Correct me if I'm wrong. I run with 20MB.

On Fri Nov 07 2014 at 10:44:05 AM Victor Julien <lists at inliniac.net> wrote:

> On 11/06/2014 07:12 PM, Michał Purzyński wrote:
> > What is the relation between libhtp and reassembly settings?
> >
> > stream:
> > (...)
> > reassembly:
> > depth: 12mb
> >
> > and
> >
> > libhtp
> >
> > request-body-limit
> > response-body-limit
> >
> > if any? I understand that in order to have like 1GB request/response
> > body limits you need to reassemble them. Or did I get it wrong?
> >
>
> You are right. Currently stream.depth rules all and isn't automagically
> updated to match HTTP body settings. So to get 1gb body inspection
> you'll need at least 1gb stream depth as well.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
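The point in Victor's reply, that stream.reassembly.depth caps HTTP body inspection regardless of the libhtp request-body-limit / response-body-limit values, is easy to get wrong when tuning suricata.yaml. The script below is an added example, not code from the thread or from the Suricata project: it parses Suricata-style size strings (kb/mb/gb suffixes, assumed to be binary multiples as in Suricata's size parsing) and reports, for a constructed set of settings, how much of each HTTP body can actually be inspected and whether a body limit is being silently capped by the stream depth. Treating 0 as "unlimited" for both settings is an assumption about Suricata's semantics; the setting names and values in CONFIG are constructed for illustration.

```python
import re

# Constructed example settings (not taken from any real deployment),
# using the two places named in the thread.
CONFIG = {
    "stream.reassembly.depth": "12mb",
    "libhtp.request-body-limit": "100kb",
    "libhtp.response-body-limit": "1gb",
}

# Unit table modelled on suricata.yaml size suffixes (assumed binary multiples).
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
_SIZE_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]*)\s*$")


def parse_size(value):
    """Convert a size string such as '12mb', '1GB' or '4096' to bytes.

    Raises ValueError on anything that does not look like <number><unit>.
    """
    match = _SIZE_RE.match(str(value))
    if not match:
        raise ValueError(f"unparseable size: {value!r}")
    number, unit = match.groups()
    unit = unit.lower()
    if unit not in _UNITS:
        raise ValueError(f"unknown size unit in {value!r}")
    return int(number) * _UNITS[unit]


def effective_body_inspection(depth, body_limit):
    """Bytes of an HTTP body that can actually be inspected.

    The stream depth is a hard ceiling: libhtp never sees bytes that the
    stream engine stopped reassembling. 0 means 'unlimited' for either
    setting (assumption about Suricata's semantics).
    """
    if depth == 0:
        return body_limit
    if body_limit == 0:
        return depth
    return min(depth, body_limit)


def check_depth_vs_body_limits(config):
    """Return {setting: report} for each libhtp body limit in config.

    A limit is flagged as capped when the stream depth is finite and the
    body limit is either unlimited or larger than the depth.
    """
    depth = parse_size(config["stream.reassembly.depth"])
    report = {}
    for key in ("libhtp.request-body-limit", "libhtp.response-body-limit"):
        limit = parse_size(config[key])
        capped = depth != 0 and (limit == 0 or limit > depth)
        report[key] = {
            "limit_bytes": limit,
            "effective_bytes": effective_body_inspection(depth, limit),
            "capped_by_stream_depth": capped,
        }
    return report


if __name__ == "__main__":
    for setting, info in check_depth_vs_body_limits(CONFIG).items():
        status = "CAPPED by stream depth" if info["capped_by_stream_depth"] else "ok"
        print(f"{setting}: configured {info['limit_bytes']} bytes, "
              f"effective {info['effective_bytes']} bytes ({status})")
```

With the constructed values above, the 1gb response-body-limit is reported as capped: only the first 12mb of a response body is ever reassembled, so that is all libhtp can inspect, which is exactly the mismatch the thread describes. Raising the stream depth to cover the largest body limit (or lowering the body limit to something the deployment can afford, as the 20MB figure in the post suggests) makes the two settings consistent.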