Closed jasonish closed 1 year ago
Unfortunately no way to get around this in the current release. The master branch has a fix though. You have to update the agent and the server. The server has increased its input size to 32mb, and the client will send a maximum size of 16mb. In practice the size is actually much smaller, but Suricata can generate some extremely large HTTP payloads in the eve.json which I found is the usual cause for this to start happening. Anyways, I force "push" events at a certain size now if that happens before either the timeout or event count limit is reached.
If you use Elasticsearch, you can update to the development releases without risk. I'll probably make these real releases very soon just because of this.
If using SQLite there is a schema migration that likely breaks backward compatibility.
Already fixed in main branch which will become 0.17.0.
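The batching rule described above (push when a byte cap, an event-count limit, or a timeout is reached, whichever comes first), as an added Go illustration that is not EveBox's own code; the 16 MiB byte cap comes from the comment, while the event-count and timeout values are assumed:

```go
package main

import "time"

// Batcher buffers eve.json records and decides when the agent must push them.
// Mirroring the fix described above, a push happens when the batch hits a
// byte cap (16 MiB on the client), an event-count cap, or a maximum age,
// whichever comes first, so a burst of huge records (e.g. HTTP payloads)
// cannot grow one request past what the server will accept.
type Batcher struct {
	MaxBytes  int           // per-push byte cap (16 << 20 in the fix)
	MaxEvents int           // event-count limit (value assumed)
	MaxAge    time.Duration // flush timeout (value assumed)
	events    [][]byte
	size      int
	started   time.Time
	pushed    [][][]byte // batches handed to the (simulated) sender
}

// Add appends one record. If it would overflow the byte cap, what is already
// buffered is pushed first; after appending, the batch is pushed when the
// count or byte cap is reached. A single oversized record goes out alone.
func (b *Batcher) Add(rec []byte, now time.Time) {
	if len(b.events) > 0 && b.size+len(rec) > b.MaxBytes {
		b.push()
	}
	if len(b.events) == 0 {
		b.started = now
	}
	b.events = append(b.events, rec)
	b.size += len(rec)
	if len(b.events) >= b.MaxEvents || b.size >= b.MaxBytes {
		b.push()
	}
}

// Tick runs on a timer and pushes a non-empty batch older than MaxAge.
func (b *Batcher) Tick(now time.Time) {
	if len(b.events) > 0 && now.Sub(b.started) >= b.MaxAge {
		b.push()
	}
}

func (b *Batcher) push() {
	b.pushed = append(b.pushed, b.events)
	b.events, b.size = nil, 0
}

// Pushed returns the batches pushed so far, oldest first.
func (b *Batcher) Pushed() [][][]byte { return b.pushed }
```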
I've had this bug with one of my setups so far, and it generated a HUGE amount of bandwidth. In fact it maxed out the network, and no new events were saved on the server once it was happening.
Is there a way to bypass it?