
Task #4067

Task #4201: http2: full protocol support

http2: overload existing http keywords to support http/2

Added by Victor Julien 9 months ago. Updated about 1 month ago.

Status:
In Review
Priority:
High
Target version:
Effort:
Difficulty:
Label:

Description

Meta ticket. Please evaluate all existing http keywords and see if we can support them in http/2. For the ones we can, please create a sub-ticket per keyword. For the ones we can't support, we need an explanation of why (in this ticket) and a documentation update in the user guide.

#1

Updated by Victor Julien 8 months ago

  • Priority changed from Normal to High
#2

Updated by Victor Julien 8 months ago

  • Subject changed from http/2: overload existing http keywords to support http/2 to http2: overload existing http keywords to support http/2
#3

Updated by Victor Julien 7 months ago

  • Parent task set to #4201
#4

Updated by Philippe Antoine 6 months ago

  • Status changed from Assigned to In Review
#5

Updated by Philippe Antoine 4 months ago

Some keywords are now working. Need to complete with all keywords.

#6

Updated by Philippe Antoine about 2 months ago

One keyword may not be translated:
http.stat_msg has no HTTP2 meaning (besides translating the status code).

#7

Updated by Philippe Antoine about 2 months ago

http.start does not seem to make sense for HTTP2 in my humble opinion

#8

Updated by Philippe Antoine about 2 months ago

http.response_body seems to be handled by file_data for HTTP2

#9

Updated by Philippe Antoine about 2 months ago

There is no such thing as http.response_line in HTTP2

#10

Updated by Philippe Antoine about 2 months ago

nor http.request_line

There is no http.protocol, or it is always HTTP2

#11

Updated by Philippe Antoine about 2 months ago

http.request_body should be covered by file_data

#12

Updated by Philippe Antoine about 2 months ago

Should HTTP2MimicHttp1Request translate header names? Like Host becoming :authority from HTTP1 to HTTP2.

How would we do the http.host normalisation?

Should we concatenate the values in case the same header (name) appears multiple times in HTTP2?

#13

Updated by Philippe Antoine about 2 months ago

http.cookie calls DetectAppLayerMpmRegister2 with SIG_FLAG_TOCLIENT and HTP_REQUEST_HEADERS, which should rather be HTP_RESPONSE_HEADERS, right?

#14

Updated by Victor Julien about 1 month ago

https://github.com/OISF/suricata/pull/6087 was merged towards this ticket. It is not complete, as some body keywords are missing, as mentioned in the PR:

http.request_body and http.response_body, covered by file_data

#15

Updated by Philippe Antoine about 1 month ago

What remains to be done:

- http.host: do the same normalization; same for http.header. For http.header.raw, it is not raw in HTTP2, we need to concatenate key and value. For http.header_names, we can have linefeeds in HTTP2 header names; should we escape them?
- Concatenate when we get multiple values for one header name, cf. https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html#id2 example request with 2 Hosts?
- Make HTTP2MimicHttp1Request translate header names (Host becomes :authority)?
- http.request_body and http.response_body are covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2; should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit; should we emulate them?
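
As an added illustration (not Suricata's code and not from the merged PR), the Rust sketch below makes the open questions in this list concrete: it maps `:authority` to `host`, merges repeated names for an http.host/http.header view, rebuilds a `name: value` line for http.header.raw since HTTP/2 has no raw header line, and escapes linefeeds in header names. The mapping, joining and escaping choices are assumptions made for the example, not decisions taken in this ticket.

```rust
// Illustrative emulation of HTTP/1 keyword buffers from HTTP/2 header fields (not Suricata's code).
// Assumed choices: ":authority" maps to "host", repeated names are joined with ", ",
// and a linefeed inside a header name is escaped as "\n" to keep one name per line.

/// One decoded HTTP/2 header field (names are lowercase on the wire).
#[derive(Clone, PartialEq, Debug)]
pub struct H2Header {
    pub name: String,
    pub value: String,
}

/// Translate an HTTP/2 pseudo-header to the name HTTP/1 rules use.
pub fn http1_name(name: &str) -> &str {
    if name == ":authority" { "host" } else { name }
}

/// Fold repeated header names into one field, values joined in arrival order
/// (the normalized http.header view); order of first appearance is kept.
pub fn merge_duplicates(headers: &[H2Header]) -> Vec<H2Header> {
    let mut out: Vec<H2Header> = Vec::new();
    for h in headers {
        let name = http1_name(&h.name).to_string();
        match out.iter().position(|o| o.name == name) {
            Some(i) => { out[i].value.push_str(", "); out[i].value.push_str(&h.value); }
            None => out.push(H2Header { name, value: h.value.clone() }),
        }
    }
    out
}

/// Emulated http.host: the merged :authority/host value, empty if absent.
pub fn http_host(headers: &[H2Header]) -> String {
    merge_duplicates(headers).into_iter().find(|h| h.name == "host").map(|h| h.value).unwrap_or_default()
}

/// Emulated http.header.raw: HTTP/2 has no raw header line, so "name: value"
/// is reconstructed per field without merging, so a repeated name stays visible.
pub fn http_header_raw(headers: &[H2Header]) -> String {
    headers.iter().map(|h| format!("{}: {}\r\n", http1_name(&h.name), h.value)).collect()
}

/// Emulated http.header_names: one escaped name per line.
pub fn http_header_names(headers: &[H2Header]) -> String {
    headers.iter().map(|h| format!("{}\r\n", http1_name(&h.name).replace('\n', "\\n"))).collect()
}
```

The merged and unmerged views deliberately differ: a rule on http.host sees one joined value, while http.header.raw still shows each occurrence, which is the kind of HTTP/1 versus HTTP/2 divergence a rule author has to account for.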
