STREAM::max_matchsize¶
Description¶
Sets a limit to the number of octets that the system may buffer during
partial matches. The default value is 4096.
The Stream Profile may buffer data for partial matches, such as when
matching a sequence of characters which arrive in successive TCP
segments. If more than octets would have to be buffered to resolve the
current partial match the connection will be closed without warning.
A limit is necessary because a match-value regular expression with an
unlimited or excessive repetition in it (like
[^"]*
or
\s{1,99999}
) might demand an unreasonable amount of system memory to buffer a partial match (for instance, when some connection’s data stream does not have the expected format). A problem as simple as a missing or garbled application-protocol delimiter (consider
"first" "second'
) could keep a regular-expression match from completing.
Syntax¶
STREAM::max_matchsize <max_matchsize>
STREAM::max_matchsize <max_matchsize>¶
- Sets the maximum number of octets that the system will buffer during partial matches. The default value is 4096.
When a match-value regular expression trying to match the data stream
of a particular connection demands more than this amount of buffer
space, the connection may be closed without warning.
Examples¶
when CLIENT_ACCEPTED {
STREAM::max_matchsize 8192
STREAM::expression {@<val>[^<]*</val>@<val>none</val>@}
}