Feature #2312

http: parsing for async streams

Added by Victor Julien almost 2 years ago. Updated 19 days ago.

Status: Assigned
Priority: Normal
Target version: (none)
Effort: (none)
Difficulty: (none)
Label: (none)

Description

Currently the parser requires traffic from both sides to be useful/effective.

Related issues

Related to Support #2309: SuriCon 2017 brainstorm (New, 12/01/2017)

History

#1

Updated by Victor Julien almost 2 years ago

#2

Updated by Raymond Hansen 11 months ago

Jeffrey has created an http parser that we should evaluate for use. Should include http2?

#3

Updated by Pierre Chifflier 11 months ago

Geoffroy :)

#4

Updated by Philippe Antoine 4 months ago

> Currently the parser requires traffic from both sides to be useful/effective.

How so?
From my experience of the code, it is "effective" as it should match signatures with http keywords.
I did not test it yet, but I would like to know what is expected first.

#5

Updated by Victor Julien 4 months ago

Not sure if this is still true. Some updates were made to libhtp and suricata to allow for this. I think it's a good idea to create some test cases (suricata-verify) for both all request and all response traffic. I'm especially curious how multi-tx sessions work.

#6

Updated by Victor Julien 19 days ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine

Philippe, can you make some SV tests for this? TS only, TC only. Checking logging, file extraction, signature matching?
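As an added illustration of the kind of suricata-verify (SV) test the ticket asks for, and not anything from the ticket or from the Suricata/suricata-verify projects themselves: the sketch below is a hypothetical `test.yaml` for a to-server-only (TS only) case. It assumes a constructed capture `input.pcap` that contains only the client-to-server half of one HTTP request, a constructed `test.rules` file with a single request-side rule (sid 1), and the suricata-verify layout of `requires`, `pcap`, `args` and `checks` keys; the directory name, the URL and the rule are placeholders. The checks look at the eve log: the request must still be logged and the rule must still fire without any response packets, and no response-side fields may appear. A to-client-only (TC only) test would mirror it with a response-only capture and checks on `http.status` instead of `http.url`.

```yaml
# Hypothetical suricata-verify test (added example, not from the ticket).
# Assumed layout:
#   tests/http-async-ts-only/
#     test.yaml      <- this file
#     input.pcap     <- constructed capture: client-to-server packets only
#     test.rules     <- constructed, one rule:
#       alert http any any -> any any (msg:"TS-only GET"; http.method; content:"GET"; \
#         http.uri; content:"/index.html"; sid:1; rev:1;)

requires:
  min-version: 5.0.0   # assumed: version where one-sided HTTP handling is expected

pcap: input.pcap

args:
  # Ignore checksums on the constructed capture and let the stream engine
  # work on traffic seen from one side only.
  - -k none
  - --set stream.async-oneside=true

checks:
  # The request is logged even though no response was ever seen.
  - filter:
      count: 1
      match:
        event_type: http
        http.http_method: GET
        http.url: /index.html

  # The request-side rule (sid 1) matches on TS-only traffic.
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1

  # No response-side data should be logged for a capture with no response.
  - filter:
      count: 0
      match:
        event_type: http
        http.status: 200
```

The same skeleton extends to the file-extraction question in the ticket by adding a `fileinfo` check (event_type `fileinfo`) once the constructed capture carries a request body, and the TC-only variant would assert that a response with no matching request is still logged as its own transaction.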
