http dpd sigs don't trigger for large requests #343
Attached is a pcap where the client sends a 1500-byte or so HTTP request to the server.
Even though the request starts with "GET" and the response starts with "HTTP ", the dpd signature doesn't match because the client request exceeds the default dpd_buffer_size of 1024 bytes. Only 5 bytes from each flow should have been needed to identify this as HTTP.
If you're requiring a match from both directions to identify it as HTTP, then it's more like you need 5 bytes from resp, but an arbitrary number of bytes from orig because we need to buffer everything orig sends for replaying into the analyzer that gets instantiated whenever the match finally occurs.
Is the idea here to change to default
Otherwise, seems it's a question of tuning the
(I did take a peek into DPD matching code/logic and didn't notice any obvious bugs there -- I generally could make sense of it, and still seems like it's the way things should be done generally, but possible I'm overlooking a better solution)