Project

General

Profile

Actions
Copy link

Bug #3972

closed

HTTP2: stream_id_reuse

Added by David Beckett about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
6.0.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the attached pcap I am seeing the following alerts generated by suricata.

{"timestamp":"2020-09-18T09:50:11.891538-0400","flow_id":870210757415512,"pcap_cnt":15,"event_type":"anomaly","src_ip":"172.217.0.2","src_port":443,"dest_ip":"192.168.122.7","dest_port":51824,"proto":"TCP","tx_id":6,"community_id":"1:2tXN+cZWZcOSPfZUYJW/VfrVacQ=","anomaly":{"app_proto":"http2","type":"applayer","event":"stream_id_reuse","layer":"proto_parser"}}

{"timestamp":"2020-09-18T09:50:13.634665-0400","flow_id":870210757415512,"pcap_cnt":23,"event_type":"anomaly","src_ip":"172.217.0.2","src_port":443,"dest_ip":"192.168.122.7","dest_port":51824,"proto":"TCP","tx_id":10,"community_id":"1:2tXN+cZWZcOSPfZUYJW/VfrVacQ=","anomaly":{"app_proto":"http2","type":"applayer","event":"stream_id_reuse","layer":"proto_parser"}}

This pcap was taken from a valid web browsing session so should have no alerts. I get these logs with vanilla 6.0.0-rc1 and also after applying catenacyber's http2 pcapfixes v3 pull request.

Files

Download all files
http2_stream_id_reuse_anomaly.pcapng (9.94 KB) http2_stream_id_reuse_anomaly.pcapng David Beckett, 09/21/2020 03:08 PM
suricata.yaml (70.2 KB) suricata.yaml David Beckett, 09/28/2020 03:44 PM
Actions
Copy link

Also available in: Atom PDF