Let’s say I want to run Suricata in IPS mode.
In this mode, Suricata uses a sliding window (saving packets in a buffer).
Since there are some HTTP fields, for example the URI, or even the HTTP body, which are not bounded by size and can be very big, how can I define a buffer size without compromising on security level?
An attacker can always send a transaction which is 1B bigger than that window.
Do you know if and where IPS mode is deployed? How was this question addressed in those deployments?
Not a complete answer but in general you will always have to balance the security level and performance/timeframes. So you want to find settings that catch nearly all cases but won’t kill the whole routine.
Any plans in the future to support a “cross packet context” for large signatures, instead of working with a sliding window approach?
For example, see HyperScan streaming mode, which is not in use in Suricata today.
You can do it in a Lua extension: put it into http-body-line mode, and use the HyperScan Lua binding to inspect the buffers of the message body as they are passed up one by one.
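The problem raised in the question (a signature that straddles the boundary of a fixed-size window, so a body one byte longer than the window would slip past per-chunk inspection) and the chunk-by-chunk inspection suggested in the last reply, as an added Python example that is not from this thread, from Suricata, or from HyperScan. It shows the bounded-state idea that streaming matchers such as HyperScan's streaming mode rely on: between chunks, the matcher keeps only the last len(longest pattern) - 1 bytes of each flow, so memory stays bounded by the longest signature rather than by the transaction size, and a match crossing a chunk boundary is still found. The body, the patterns and the window size are constructed sample values, and the `StreamingMatcher` class and `demo` function are this example's own names.

```python
# Added example, not Suricata or HyperScan code: a naive per-chunk matcher next
# to a streaming matcher that carries a short tail across chunk boundaries.
from typing import Dict, Iterator, List, Tuple


def chunk_stream(data: bytes, window: int) -> Iterator[bytes]:
    """Split a transaction body into fixed-size chunks, as an IPS sees it."""
    for off in range(0, len(data), window):
        yield data[off:off + window]


def match_per_chunk(chunks: List[bytes], pattern: bytes) -> List[int]:
    """Naive approach: inspect each chunk in isolation.

    Returns absolute byte offsets of matches. A pattern that crosses a
    chunk boundary is missed, which is the weakness the question describes.
    """
    hits: List[int] = []
    base = 0
    for chunk in chunks:
        idx = chunk.find(pattern)
        while idx != -1:
            hits.append(base + idx)
            idx = chunk.find(pattern, idx + 1)
        base += len(chunk)
    return hits


class StreamingMatcher:
    """Per-flow streaming state (hypothetical class name).

    Keeps only the last (longest pattern length - 1) bytes between chunks,
    so state is bounded by the signature set, not by the body size.
    """

    def __init__(self, patterns: List[bytes]):
        if not patterns:
            raise ValueError("need at least one pattern")
        self.patterns = patterns
        self.overlap = max(len(p) for p in patterns) - 1
        self.tail = b""       # carried-over bytes from the previous chunk
        self.consumed = 0     # absolute offset of the first byte in self.tail

    def feed(self, chunk: bytes) -> List[Tuple[bytes, int]]:
        """Inspect one chunk; return (pattern, absolute_offset) for new matches."""
        buf = self.tail + chunk
        hits: List[Tuple[bytes, int]] = []
        for pat in self.patterns:
            idx = buf.find(pat)
            while idx != -1:
                # A match that ends inside the carried tail was already
                # reported when that data was first seen; skip it.
                if idx + len(pat) > len(self.tail):
                    hits.append((pat, self.consumed + idx))
                idx = buf.find(pat, idx + 1)
        keep_from = max(0, len(buf) - self.overlap)
        self.consumed += keep_from
        self.tail = buf[keep_from:]
        return hits


def demo(window: int = 8) -> Dict[str, object]:
    """Run both matchers over a constructed body split into `window`-byte chunks."""
    body = b"hello-world-MARKER-X-tail"          # constructed sample body
    patterns = [b"MARKER-X", b"-wo"]            # constructed sample signatures
    chunks = list(chunk_stream(body, window))
    naive = {p: match_per_chunk(chunks, p) for p in patterns}
    matcher = StreamingMatcher(patterns)
    streaming: List[Tuple[bytes, int]] = []
    for c in chunks:
        streaming.extend(matcher.feed(c))
    return {"chunks": chunks, "naive": naive, "streaming": streaming}


if __name__ == "__main__":
    result = demo(8)
    print("chunks   :", result["chunks"])
    print("per-chunk:", result["naive"])      # MARKER-X is missed at offset 12
    print("streaming:", result["streaming"])  # both signatures found
```

With an 8-byte window, `MARKER-X` sits at offset 12 and spans the 16-byte boundary: the per-chunk matcher never sees it, while the streaming matcher reports it once, at the correct offset, and does not double-report `-wo` even though part of it is carried in the tail. The result does not depend on the window size, which is the property the question asks for.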