http1: configurable max number of live tx per flow
Ticket: #5921

Co-authored-by: Jason Ish <jason.ish@oisf.net>
(cherry picked from commit 4175680)
catenacyber authored and victorjulien committed Feb 6, 2024
1 parent 9795399 commit e7e2882
Showing 4 changed files with 21 additions and 1 deletion.
2 changes: 2 additions & 0 deletions configure.ac
@@ -1596,6 +1596,7 @@
AC_CHECK_LIB([htp], [htp_config_set_lzma_layers],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_LAYERS],[1],[Found htp_config_set_lzma_layers function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_compression_bomb_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_BOMB_LIMIT],[1],[Found htp_config_set_compression_bomb_limit function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_compression_time_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT],[1],[Found htp_config_set_compression_time_limit function in libhtp]) ,,[-lhtp])
AC_CHECK_LIB([htp], [htp_config_set_max_tx],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_MAX_TX],[1],[Found htp_config_set_max_tx function in libhtp]) ,,[-lhtp])
])

if test "x$enable_non_bundled_htp" = "xno"; then
@@ -1620,6 +1621,7 @@
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_LAYERS],[1],[Assuming htp_config_set_lzma_layers function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_BOMB_LIMIT],[1],[Assuming htp_config_set_compression_bomb_limit function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT],[1],[Assuming htp_config_set_compression_time_limit function in bundled libhtp])
AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_MAX_TX],[1],[Assuming htp_config_set_max_tx function in bundled libhtp])
else
echo
echo " ERROR: Libhtp is not bundled. Get libhtp by doing:"
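Review bot: The new `AC_CHECK_LIB` for `htp_config_set_max_tx` has an empty action-if-not-found, so a build against a system libhtp without that function configures cleanly and the per-flow transaction cap is compiled out, since both uses in src/app-layer-htp.c sit under `#ifdef HAVE_HTP_CONFIG_SET_MAX_TX`. Because this setting bounds the number of live transactions kept per flow, I would make its absence visible at configure time, for example with `AC_MSG_WARN([libhtp lacks htp_config_set_max_tx, http max-tx will not be applied])` as the not-found action. The neighbouring checks follow the same silent pattern, so this may be a deliberate convention; the surrounding block starts and ends outside the hunk.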
2 changes: 1 addition & 1 deletion doc/userguide/configuration/suricata-yaml.rst
@@ -1761,7 +1761,7 @@ incompatible with ``decode-mime``. If both are enabled,
Maximum transactions
~~~~~~~~~~~~~~~~~~~~

MQTT, FTP, PostgreSQL, SMB, DCERPC and NFS have each a `max-tx` parameter that can be customized.
MQTT, FTP, PostgreSQL, SMB, DCERPC, HTTP1 and NFS have each a `max-tx` parameter that can be customized.
`max-tx` refers to the maximum number of live transactions for each flow.
An app-layer event `protocol.too_many_transactions` is triggered when this value is reached.
The point of this parameter is to find a balance between the completeness of analysis
16 changes: 16 additions & 0 deletions src/app-layer-htp.c
@@ -2517,6 +2517,10 @@ static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
#endif
#ifdef HAVE_HTP_CONFIG_SET_COMPRESSION_TIME_LIMIT
htp_config_set_compression_time_limit(cfg_prec->cfg, HTP_CONFIG_DEFAULT_COMPRESSION_TIME_LIMIT);
#endif
#ifdef HAVE_HTP_CONFIG_SET_MAX_TX
#define HTP_CONFIG_DEFAULT_MAX_TX_LIMIT 512
htp_config_set_max_tx(cfg_prec->cfg, HTP_CONFIG_DEFAULT_MAX_TX_LIMIT);
#endif
/* libhtp <= 0.5.9 doesn't use soft limit, but it's impossible to set
* only the hard limit. So we set both here to the (current) htp defaults.
@@ -2868,6 +2872,18 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
}
SCLogConfig("Setting HTTP decompression time limit to %" PRIu32 " usec", limit);
htp_config_set_compression_time_limit(cfg_prec->cfg, (size_t)limit);
#endif
#ifdef HAVE_HTP_CONFIG_SET_MAX_TX
} else if (strcasecmp("max-tx", p->name) == 0) {
uint32_t limit = 0;
if (ParseSizeStringU32(p->val, &limit) < 0) {
FatalError("failed to parse 'max-tx' "
"from conf file - %s.",
p->val);
}
/* set default soft-limit with our new hard limit */
SCLogConfig("Setting HTTP max-tx limit to %" PRIu32 " bytes", limit);
htp_config_set_max_tx(cfg_prec->cfg, (size_t)limit);
#endif
} else if (strcasecmp("randomize-inspection-sizes", p->name) == 0) {
if (!g_disable_randomness) {
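Review bot: The `SCLogConfig` line in the new `max-tx` branch reports the value in "bytes", but max-tx is a count of live transactions, and the comment above it about soft and hard limits does not describe this call; both look carried over from a size option. I would change them to `/* cap on live transactions per flow */` and `SCLogConfig("Setting HTTP max-tx limit to %" PRIu32, limit);`. The value is also read with `ParseSizeStringU32`, which presumably accepts size suffixes, so an entry such as `max-tx: 1kb` would likely be taken as a count; whether 0 disables the cap inside libhtp is not visible here and is worth stating in the option's documentation. HTPConfigParseParameters starts and ends outside the hunk.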
2 changes: 2 additions & 0 deletions suricata.yaml.in
@@ -1086,6 +1086,8 @@ app-layer:
#compression-bomb-limit: 1mb
# Maximum time spent decompressing a single transaction in usec
#decompression-time-limit: 100000
# Maximum number of live transactions per flow
#max-tx: 512

server-config:

