Project

General

Profile

Actions
Copy link

Bug #3972

closed

HTTP2: stream_id_reuse

Added by David Beckett over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
6.0.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the attached pcap I am seeing the following alerts generated by suricata.

{"timestamp":"2020-09-18T09:50:11.891538-0400","flow_id":870210757415512,"pcap_cnt":15,"event_type":"anomaly","src_ip":"172.217.0.2","src_port":443,"dest_ip":"192.168.122.7","dest_port":51824,"proto":"TCP","tx_id":6,"community_id":"1:2tXN+cZWZcOSPfZUYJW/VfrVacQ=","anomaly":{"app_proto":"http2","type":"applayer","event":"stream_id_reuse","layer":"proto_parser"}}

{"timestamp":"2020-09-18T09:50:13.634665-0400","flow_id":870210757415512,"pcap_cnt":23,"event_type":"anomaly","src_ip":"172.217.0.2","src_port":443,"dest_ip":"192.168.122.7","dest_port":51824,"proto":"TCP","tx_id":10,"community_id":"1:2tXN+cZWZcOSPfZUYJW/VfrVacQ=","anomaly":{"app_proto":"http2","type":"applayer","event":"stream_id_reuse","layer":"proto_parser"}}

This pcap was taken from a valid web browsing session so should have no alerts. I get these logs with vanilla 6.0.0-rc1 and also after applying catenacyber's http2 pcapfixes v3 pull request.

Files

Download all files
http2_stream_id_reuse_anomaly.pcapng (9.94 KB) http2_stream_id_reuse_anomaly.pcapng David Beckett, 09/21/2020 03:08 PM
suricata.yaml (70.2 KB) suricata.yaml David Beckett, 09/28/2020 03:44 PM
Actions
Copy link
 #1

Updated by Jason Ish over 3 years ago

  • Project changed from Suricata-Update to Suricata

I think this is for Suricata, not Suricata-Update.

Actions
Copy link
 #2

Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from Shivani Bhardwaj to Philippe Antoine
  • Target version set to 6.0.0
Actions
Copy link
 #3

Updated by Philippe Antoine over 3 years ago

David, I am not able to reproduce this...
I run ./src/suricata -k none -c suricata.yaml -r /Users/catena/Downloads/http2_stream_id_reuse_anomaly.pcapng -l log

Suricata.yaml is modified to enable http2 and its logging

And then 

jq '.event_type' log/eve.json | sort | uniq -c | sort -n
   1 "flow" 
   1 "stats" 
   5 "fileinfo" 
   9 "http"

so, no anomaly...

What is your configuration ? your command line options ?

Actions
Copy link
 #4

Updated by David Beckett over 3 years ago

Philippe,

I run
sudo ./suricata -c /etc/suricata/suricata.yaml -v --user=logstash -r ~/http2_stream_id_reuse_anomaly.pcapng --runmode single -l /tmp/

then
jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
2 "stats"
4 "anomaly"
4 "flow"
10 "fileinfo"
18 "http"

I've attached my yaml file

Actions
Copy link
 #5

Updated by David Beckett over 3 years ago

Just realised I had forgotten to remove my eve.json before running that command hence the doubled output.
jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "anomaly"
2 "flow"
5 "fileinfo"
9 "http"

My git history is

commit 662723423cf0e1fa3cba2014821f422c753c77ac (HEAD -> httpfix2)
Author: Philippe Antoine <>
Date: Thu Sep 17 22:48:52 2020 +0200

http2: use variable integer for headers lengths

commit 051cb47175c653cbd61c43d6ca53f386d5cb8f36
Author: Philippe Antoine <>
Date: Fri Sep 18 14:44:40 2020 +0200

protodetect: rerun probing parser if pattern matched
If a pattern matches in the other direction, after
    probing parser finished without finding a protocol,
    we will rerun the probing parser, which will include
    the newly protocol found by its pattern

commit cf164bf0134e28dcddb5a63ae7c93931e9f591b5
Author: Philippe Antoine <>
Date: Thu Sep 17 16:52:13 2020 +0200

protodetect: runs probing parser on protocol found
It a protocol is found in a first direction, we should run the
    probing parser, even if it is not in the known ports.
That can happen for HTTP2, where client magic is detected,
    then server probe can be run

commit 222b3861024fbe1d40e3c97cfa65b5ce3243ba3d (origin/master, origin/HEAD, master)
Author: Philippe Antoine <>
Date: Wed Sep 9 16:05:56 2020 +0200

rust: rebuilds std when building fuzzers
so as to have MSAN working
Actions
Copy link
 #6

Updated by Philippe Antoine over 3 years ago

  • Status changed from Assigned to In Review

Thanks David.
I did not reproduce it but I think I got it
Could you test
https://github.com/OISF/suricata/pull/5455

The RFC states
An endpoint MUST NOT send frames other than PRIORITY on a closed stream.

But then it states
WINDOW_UPDATE or RST_STREAM frames can be received in this state for a short period...

Actions
Copy link
 #7

Updated by David Beckett over 3 years ago

Thanks that seems to have fixed it

jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "flow"
5 "fileinfo"
7 "http"

I am getting 7 http requests now rather than 9 which both of us had last time, but I presume this is ok.

Thanks for the fix, I'll try and test some more live http/2 traffic against it soon to see if I can find any other issues, but I really appreciate your time on this.

Actions
Copy link
 #8

Updated by Philippe Antoine over 3 years ago

The number of http events is kind of unpredictable because of `RST_STREAM` frames which may be taken into account in the current stream, or in a new one

Actions
Copy link
 #9

Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF