Search for DPD signature separately for originator and responder?

When I have a custom DPD signature payload which is being scanned for, it goes from the first byte and doesn’t search originator and responder separately. So if my match is only on the responder side, and there are over 1024 bytes of originator data that I don’t care about first, it doesn’t match. I confirmed this because if I increase the buffer size, it does match. Is there a way to search the first 1024 bytes of each side, or ignore one side when searching?

Hi there,

You can use tcp-state originator or tcp-state responder to match selectively on directionality, like here. You can also adjust the buffer size via the dpd_buffer_size setting. That’s best upped in moderation since it affects buffering globally…

Does that help?

Best,
Christian

I have it set to only tcp-state responder, but it still doesn’t match unless I do increase the dpd_buffer_size. So even if you have it set to one side, it uses up the default 1024 searching the other side anyway. I figured this out because when I increased the dpd_buffer_size it matches.

Yeah that’s consistent with the current implementation, and a bit confusing — the underlying buffering works in both directions, tracking chunks directionally, but accounting for size globally. The only workaround I’m aware of right now is to up the DPD buffer size.

Best,
Christian
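
A simplified model of the buffering behaviour described in this thread, as an added example that is not Zeek's code and not from either poster: chunks are tracked per direction, but a single byte budget covers both. The function names, the `MYPROTO` pattern and the sample traffic are constructed for illustration.

```python
import re

DEFAULT_DPD_BUFFER_SIZE = 1024  # default size mentioned in the thread


def responder_signature_matches(chunks, pattern, buffer_size=DEFAULT_DPD_BUFFER_SIZE):
    """Model of a 'tcp-state responder' payload match.

    chunks: list of (direction, bytes) in arrival order, direction is
    "orig" or "resp". Data is stored per direction, but the size limit
    is shared by both directions, as described in the thread.
    """
    buffered = {"orig": b"", "resp": b""}
    remaining = buffer_size  # one global budget, not one per direction
    for direction, data in chunks:
        if remaining <= 0:
            break  # budget spent: later bytes are never inspected
        take = data[:remaining]
        buffered[direction] += take
        remaining -= len(take)
    return re.search(pattern, buffered["resp"]) is not None


def min_buffer_size(chunks, pattern):
    """Smallest budget at which the responder-side match succeeds, or None."""
    total = sum(len(data) for _, data in chunks)
    for size in range(1, total + 1):
        if responder_signature_matches(chunks, pattern, size):
            return size
    return None


# Constructed sample: a 1500-byte request, then a short responder banner.
PATTERN = rb"^MYPROTO/1\.0"
LARGE_REQUEST = [("orig", b"A" * 1500), ("resp", b"MYPROTO/1.0 OK\r\n")]
SMALL_REQUEST = [("orig", b"A" * 200), ("resp", b"MYPROTO/1.0 OK\r\n")]

if __name__ == "__main__":
    print("large request, default size:", responder_signature_matches(LARGE_REQUEST, PATTERN))
    print("large request, 2048 bytes:  ", responder_signature_matches(LARGE_REQUEST, PATTERN, 2048))
    print("small request, default size:", responder_signature_matches(SMALL_REQUEST, PATTERN))
    print("minimum size for large case:", min_buffer_size(LARGE_REQUEST, PATTERN))
```

In this model the required buffer size is the originator bytes that arrive first plus the responder bytes the pattern needs, which is why restricting the signature to the responder side does not help on its own.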