Change HTTP's DPD signatures so that each side can trigger the analyzer on its own.

This is to avoid missing large sessions where a single side exceeds the DPD buffer size. It comes with the trade-off that now the analyzer can be triggered by anybody controlling one of the endpoints (instead of both). Test suite changes are minor, and nothing in "external". Closes #343.
2025-10-02 14:48:21 +00:00 · 2020-09-08 07:33:36 +00:00 · 2020-09-08 07:33:36 +00:00 · 0af57d12b2
commit 0af57d12b2
parent a00b712e39
6 changed files with 32 additions and 6 deletions
--- a/scripts/base/protocols/http/dpd.sig
+++ b/scripts/base/protocols/http/dpd.sig
@ -1,15 +1,20 @@
 # List of HTTP headers pulled from:
 #   http://annevankesteren.nl/2007/10/http-methods
+#
+# We match each side of the connection independently to avoid missing
+# large HTTP sessions where one side exceeds the DPD buffer size on
+# its own already. See https://github.com/zeek/zeek/issues/343.
+
 signature dpd_http_client {
  ip-proto == tcp
  payload /^[[:space:]]*(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH|BCOPY|BDELETE|BMOVE|BPROPFIND|BPROPPATCH|NOTIFY|POLL|SUBSCRIBE|UNSUBSCRIBE|X-MS-ENUMATTS|RPC_OUT_DATA|RPC_IN_DATA)[[:space:]]*/
  tcp-state originator
+  enable "http"
 }

 signature dpd_http_server {
  ip-proto == tcp
  payload /^HTTP\/[0-9]/
  tcp-state responder
-  requires-reverse-signature dpd_http_client
  enable "http"
 }