Task #4067

Task #4201: http2: full protocol support

http2: overload existing http keywords to support http/2

Added by Victor Julien about 2 years ago. Updated 15 days ago.

Status: Feedback
Priority: Normal

Description

Meta ticket. Please evaluate all existing http keywords and see if we can support them in http/2. For the ones we can, please create a sub-ticket for each keyword. For the ones we can't support, we need an explanation of why (in this ticket) and a documentation update in the user guide.

Actions #1

Updated by Victor Julien about 2 years ago

  • Priority changed from Normal to High

Actions #2

Updated by Victor Julien about 2 years ago

  • Subject changed from http/2: overload existing http keywords to support http/2 to http2: overload existing http keywords to support http/2

Actions #3

Updated by Victor Julien about 2 years ago

  • Parent task set to #4201

Actions #4

Updated by Philippe Antoine almost 2 years ago

  • Status changed from Assigned to In Review

Actions #5

Updated by Philippe Antoine over 1 year ago

Some keywords are now working. Need to complete with all keywords.

Actions #6

Updated by Philippe Antoine over 1 year ago

One keyword may not be translated:
http.stat_msg has no HTTP2 meaning (besides translating the status code).

Actions #7

Updated by Philippe Antoine over 1 year ago

http.start does not seem to make sense for HTTP2, in my humble opinion.

Actions #8

Updated by Philippe Antoine over 1 year ago

http.response_body seems to be handled by file_data for HTTP2.

Actions #9

Updated by Philippe Antoine over 1 year ago

There is no such thing as http.response_line in HTTP2.

Actions #10

Updated by Philippe Antoine over 1 year ago

Nor http.request_line.

There is no http.protocol, or it is always HTTP2.

Actions #11

Updated by Philippe Antoine over 1 year ago

http.request_body should be covered by file_data.

Actions #12

Updated by Philippe Antoine over 1 year ago

Should HTTP2MimicHttp1Request translate header names? Like Host becomes :authority from HTTP1 to HTTP2.

How would we do the http.host normalisation?

Should we concatenate the values in case there are multiple times the same header (name) in HTTP2?

Actions #13

Updated by Philippe Antoine over 1 year ago

http.cookie calls DetectAppLayerMpmRegister2 with SIG_FLAG_TOCLIENT and HTP_REQUEST_HEADERS; that should rather be HTP_RESPONSE_HEADERS, right?

Actions #14

Updated by Victor Julien over 1 year ago

https://github.com/OISF/suricata/pull/6087 was merged towards this ticket. It is not complete as some body keywords are missing as mentioned in the PR:

http.request_body and http.response_body, covered by file_data.

Actions #15

Updated by Philippe Antoine over 1 year ago

What remains to be done:

- http.host: do the same normalization... same for http.header. For http.header.raw it is not raw in HTTP2, we need to concatenate key and value. For http.header_names, we can have linefeeds in HTTP2 header names; should we escape them?
- Concatenate when we get multiple values for one header name, cf. https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html#id2 example request with 2 Hosts?
- Make HTTP2MimicHttp1Request translate header names (Host becomes :authority)?
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2; should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit; should we emulate them?
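
As an added illustration of the header questions in #12 and in this comment (it is not code from Suricata or from the linked PRs), the block below maps :authority to Host, concatenates key and value into an http.header.raw-style buffer, merges repeated header names, and escapes linefeeds in names for an http.header_names-style buffer. The separator rules come from the RFCs; the exact buffer layouts and the escaping choice are assumptions, not Suricata's actual implementation, and the request is constructed.

```rust
// Added example, not Suricata's own code: HTTP/1-style header buffers from an HTTP/2 header list.

/// HTTP/2 pseudo-header to HTTP/1.1 header name; None means it has no
/// header equivalent (it belongs to the request line, not the headers).
fn http1_name(name: &str) -> Option<String> {
    match name {
        ":authority" => Some("Host".to_string()),
        n if n.starts_with(':') => None, // :method, :path, :scheme, :status
        n => Some(n.to_string()),         // HTTP/2 names arrive lowercase
    }
}

/// Merge repeated names in first-seen order: RFC 7540 §8.1.2.5 joins split
/// cookie fields with "; ", RFC 7230 §3.2.2 combines other repeats with ", ".
fn merge_headers(headers: &[(&str, &str)]) -> Vec<(String, String)> {
    let mut merged: Vec<(String, String)> = Vec::new();
    for (raw_name, value) in headers {
        let name = match http1_name(raw_name) {
            // CR/LF in a name would corrupt a CRLF-delimited buffer; escaping it
            // (one option raised above, assumed here) keeps |0d 0a| matches honest.
            Some(n) => n.replace('\r', "\\r").replace('\n', "\\n"),
            None => continue,
        };
        let sep = if name.eq_ignore_ascii_case("cookie") { "; " } else { ", " };
        let pos = merged.iter().position(|(n, _)| n.eq_ignore_ascii_case(&name));
        match pos {
            Some(i) => { merged[i].1.push_str(sep); merged[i].1.push_str(value); }
            None => merged.push((name, value.to_string())),
        }
    }
    merged
}

/// Emulated http.header.raw: "Name: value\r\n" per merged header.
fn header_raw(headers: &[(&str, &str)]) -> String {
    merge_headers(headers).iter().map(|(n, v)| format!("{}: {}\r\n", n, v)).collect()
}

/// Emulated http.header_names: CRLF-delimited names with a leading and a
/// trailing CRLF (assumed layout; check the Suricata docs for the real one).
fn header_names(headers: &[(&str, &str)]) -> String {
    let names: Vec<String> = merge_headers(headers).into_iter().map(|(n, _)| n).collect();
    format!("\r\n{}\r\n", names.join("\r\n"))
}

/// Constructed HTTP/2 request header list (not a real capture).
fn sample_request() -> Vec<(&'static str, &'static str)> {
    vec![(":method", "GET"), (":scheme", "https"), (":authority", "example.com"),
         (":path", "/index.html"), ("cookie", "a=1"), ("cookie", "b=2"),
         ("accept", "text/html"), ("accept", "*/*"), ("x-bad\r\nname", "x")]
}
```

With the sample request, header_raw yields "Host: example.com", then "cookie: a=1; b=2", "accept: text/html, */*" and the escaped bad name, each terminated by CRLF; the pseudo-headers other than :authority are dropped because they have no header counterpart.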

Actions #16

Updated by Philippe Antoine over 1 year ago

After https://github.com/OISF/suricata/pull/6183, there will be the following questions where we want the opinion of signature writers:

- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2; should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit; should we emulate them?

Actions #17

Updated by Jason Williams over 1 year ago

> There will be the following questions where we want the opinion of signature writers:
>
> - http.request_body and http.response_body, covered by file_data. Should we have these specifically?
> - http.request_line and http.response_line do not exist in HTTP2; should we emulate them? What about http.start?
> - http.protocol and http.stat_msg are implicit; should we emulate them?

To retain compatibility of current rules in the ET ruleset, for example, emulation would likely be necessary, as all of these keywords are used fairly heavily.

Actions #18

Updated by Philippe Antoine about 1 year ago

Merge of https://github.com/OISF/suricata/pull/6328.

Only emulation remaining.

Actions #19

Updated by Philippe Antoine 3 months ago

  • Target version changed from 7.0.0-beta1 to TBD

Actions #20

Updated by Victor Julien about 1 month ago

  • Target version changed from TBD to 7.0.0-rc1

Actions #21

Updated by Philippe Antoine about 1 month ago

Do you know what you want for 7 rc1?

That is, do you know what should be done for:
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2; should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit; should we emulate them?

Actions #22

Updated by Philippe Antoine 15 days ago

  • Status changed from In Review to Feedback
  • Assignee changed from Philippe Antoine to Victor Julien
  • Priority changed from High to Normal