[Oisf-users] libhtp and reassembly

Peter Manev petermanev at gmail.com
Fri Nov 7 11:48:35 UTC 2014


On Fri, Nov 7, 2014 at 12:35 PM, Michał Purzyński
<michalpurzynski1 at gmail.com> wrote:
> Good to know. What do you think about the stream depth and body inspection
> of that size? My bet is, it does not make much sense. Malware isn't hiding
> in files of that size and if it is (archive, etc) well you're not expecting
> to detect 100% anyway ;)
> Having 1GB inspected is by most means "no limit" and should have a bad
> impact on performance.
> Correct me if I'm wrong. I run with 20MB.

1GB is huge in my opinion - I run with 12MB in general but this is
after a good few "calibration" runs on the network that I monitor :)

>
> On Fri Nov 07 2014 at 10:44:05 AM Victor Julien <lists at inliniac.net> wrote:
>>
>> On 11/06/2014 07:12 PM, Michał Purzyński wrote:
>> > What is the relation between libhtp and reassembly settings?
>> >
>> > stream:
>> > (...)
>> > reassembly:
>> > depth: 12mb
>> >
>> > and
>> >
>> > libhtp
>> >
>> > request-body-limit
>> > response-body-limit
>> >
>> > if any? I understand that in order to have like 1GB request/response
>> > body limits you need to reassemble them. Or did I get it wrong?
>> >
>>
>> You are right. Currently stream.depth rules all and isn't automagically
>> updated to match HTTP body settings. So to get 1gb body inspection
>> you'll need at least 1gb stream depth as well.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>
>



-- 
Regards,
Peter Manev
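A small consistency check for the mismatch Victor describes above, where stream.reassembly.depth silently caps the libhtp body limits. This is an added example, not code from the thread or from Suricata; the 1024-based size units, treating 0 as "unlimited", and the `libhtp: default-config:` key layout are assumptions.

```python
import re

# Suricata-style size strings as written in suricata.yaml ("12mb", "1gb", "20MB").
# 1024-based multipliers are assumed here.
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(text):
    """Convert a size string such as '12mb' to a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", str(text))
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unrecognised size string: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def effective_body_limit(stream_depth, body_limit):
    """Bytes of an HTTP body that can actually be inspected.

    stream.reassembly.depth caps body inspection, as stated in the thread.
    A value of 0 is treated as 'unlimited' for both settings (assumption).
    """
    depth, limit = parse_size(stream_depth), parse_size(body_limit)
    if depth == 0:
        return limit
    if limit == 0:
        return depth
    return min(depth, limit)


def check_body_limits(cfg):
    """Return one finding per libhtp body limit that the stream depth cuts short."""
    depth = cfg["stream"]["reassembly"]["depth"]
    findings = []
    for key in ("request-body-limit", "response-body-limit"):
        limit = cfg["libhtp"]["default-config"][key]
        effective = effective_body_limit(depth, limit)
        if effective != parse_size(limit):
            findings.append(f"{key} {limit} is capped at {effective} bytes "
                            f"by stream.reassembly.depth {depth}")
    return findings


# Constructed fragment mirroring the settings discussed in the thread (not a real file).
EXAMPLE_CONFIG = {
    "stream": {"reassembly": {"depth": "12mb"}},
    "libhtp": {"default-config": {"request-body-limit": "1gb",
                                  "response-body-limit": "1gb"}},
}

if __name__ == "__main__":
    for line in check_body_limits(EXAMPLE_CONFIG) or ["body limits fit within stream depth"]:
        print(line)
```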


