Task #4067
Parent task (open): Task #4201: http2: full protocol support
http2: overload existing http keywords to support http/2
Description
Meta ticket. Please evaluate all existing http keywords and see if we can support them in http/2. For the ones we can, please create a sub-ticket for each keyword. For the ones we can't support we need an explanation of why (in this ticket) and a documentation update in the user guide.
Updated by Victor Julien almost 2 years ago
- Priority changed from Normal to High
Updated by Victor Julien almost 2 years ago
- Subject changed from http/2: overload existing http keywords to support http/2 to http2: overload existing http keywords to support http/2
Updated by Philippe Antoine over 1 year ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine over 1 year ago
Some keywords are now working. Need to complete with all keywords.
Updated by Philippe Antoine over 1 year ago
One keyword may not be translated: http.stat_msg has no HTTP2 meaning (besides translating the status code).
Updated by Philippe Antoine over 1 year ago
http.start does not seem to make sense for HTTP2 in my humble opinion.
Updated by Philippe Antoine over 1 year ago
http.response_body seems to be handled by file_data for HTTP2.
Updated by Philippe Antoine over 1 year ago
There is no such thing as http.response_line in HTTP2.
Updated by Philippe Antoine over 1 year ago
Nor http.request_line. There is no http.protocol, or it is always HTTP2.
Updated by Philippe Antoine over 1 year ago
http.request_body should be covered by file_data.
Updated by Philippe Antoine over 1 year ago
Should HTTP2MimicHttp1Request translate header names? Like Host becomes :authority from HTTP1 to HTTP2.
How would we do the http.host normalisation?
Should we concatenate the values in case there are multiple times the same header (name) in HTTP2?
Updated by Philippe Antoine over 1 year ago
http.cookie calls DetectAppLayerMpmRegister2 with SIG_FLAG_TOCLIENT and HTP_REQUEST_HEADERS; that should rather be HTP_RESPONSE_HEADERS, right?
Updated by Victor Julien about 1 year ago
https://github.com/OISF/suricata/pull/6087 was merged towards this ticket. It is not complete, as some body keywords are missing as mentioned in the PR:
http.request_body and http.response_body, covered by file_data.
Updated by Philippe Antoine about 1 year ago
What remains to be done:
- http.host: do the same normalization; same for http.header. For http.header.raw it is not raw in HTTP2, we need to concatenate key and value. For http.header_names, we can have linefeeds in HTTP2 header names, should we escape them?
- Concatenate when we get multiple values for one header name, cf. https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html#id2 example request with 2 Hosts?
- Make HTTP2MimicHttp1Request translate header names (Host becomes :authority)?
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2, should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit, should we emulate them?
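The list above raises three concrete buffer-construction questions: translating :authority back to Host, concatenating repeated header names, and emulating http.header.raw and http.header_names when HTTP/2 has no raw header bytes and can carry CR/LF inside a name. The following is an added illustration written for this page, not Suricata's code and not the behaviour of HTTP2MimicHttp1Request; it sketches one possible answer so the trade-offs are visible. Assumptions: the function names, the leading/trailing CRLF framing of the http.header_names buffer, lowercasing as the only http.host normalization, and the sample header list, which is constructed. The two joining rules it relies on are standards facts: HTTP/1.1 allows repeated field values to be combined with ", " (RFC 7230 section 3.2.2), while HTTP/2 requires split cookie fields to be re-joined with "; " (RFC 7540 section 8.1.2.5).

```python
# Added illustration, not Suricata code: one possible way to derive the
# HTTP/1-style keyword buffers discussed in this ticket from an HTTP/2
# decoded header list. Function names and buffer framing are assumptions.
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# HTTP/2 pseudo-headers (RFC 7540 8.1.2.3). Only :authority has an HTTP/1
# header equivalent; :method, :path and :scheme belong to the request line.
PSEUDO_TO_H1: Dict[str, str] = {":authority": "Host"}


def h2_to_h1_headers(headers: List[Header]) -> List[Header]:
    """Translate pseudo-headers to their HTTP/1 names and drop the rest."""
    out: List[Header] = []
    for name, value in headers:
        if name.startswith(":"):
            mapped = PSEUDO_TO_H1.get(name)
            if mapped is None:
                continue  # :method/:path/:scheme have no HTTP/1 header form
            name = mapped
        out.append((name, value))
    return out


def http_header(headers: List[Header]) -> bytes:
    """Emulate http.header: one 'Name: value' line per distinct name.

    Repeated names are merged. RFC 7230 3.2.2 lets HTTP/1.1 field values be
    combined with ', '; RFC 7540 8.1.2.5 requires split cookie fields to be
    re-joined with '; ' instead, so cookie is handled separately.
    """
    merged: Dict[str, List[str]] = {}
    display: Dict[str, str] = {}
    for name, value in h2_to_h1_headers(headers):
        key = name.lower()
        display.setdefault(key, name)
        merged.setdefault(key, []).append(value)
    lines = []
    for key, values in merged.items():
        sep = "; " if key == "cookie" else ", "
        lines.append(f"{display[key]}: {sep.join(values)}\r\n")
    return "".join(lines).encode()


def http_header_raw(headers: List[Header]) -> bytes:
    """Emulate http.header.raw: HTTP/2 has no raw header bytes (HPACK), so
    name and value are concatenated per field and nothing is merged."""
    return "".join(f"{n}: {v}\r\n" for n, v in h2_to_h1_headers(headers)).encode()


def http_header_names(headers: List[Header]) -> bytes:
    """Emulate http.header_names: names separated by CRLF. A decoded HTTP/2
    name may contain CR/LF, so they are escaped to keep the line structure.
    Leading and trailing CRLF framing is an assumption of this sketch."""
    names = [n.replace("\r", "\\r").replace("\n", "\\n")
             for n, _ in h2_to_h1_headers(headers)]
    return ("\r\n" + "\r\n".join(names) + "\r\n").encode()


def http_host(headers: List[Header]) -> bytes:
    """Emulate http.host from :authority. Lowercasing is the only
    normalization assumed here; port handling is left untouched."""
    for name, value in headers:
        if name == ":authority":
            return value.lower().encode()
    return b""


# Constructed sample: a decoded HTTP/2 header list (names are lowercase on
# the wire per RFC 7540 8.1.2) with a split cookie and a repeated custom header.
SAMPLE: List[Header] = [
    (":method", "GET"), (":path", "/"), (":scheme", "https"),
    (":authority", "Example.COM"),
    ("cookie", "a=1"), ("cookie", "b=2"),
    ("x-test", "one"), ("x-test", "two"),
]

if __name__ == "__main__":
    for fn in (http_header, http_header_raw, http_header_names, http_host):
        print(fn.__name__, fn(SAMPLE))
```

Run as-is it prints the four emulated buffers for the constructed sample; the point to notice is that http.header and http.header.raw diverge on repeated names (merged with ", " or "; " versus one line per field), which is exactly the choice the list above leaves open.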
Updated by Philippe Antoine about 1 year ago
After https://github.com/OISF/suricata/pull/6183 there will be the following questions where we want the opinion of signature writers:
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2, should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit, should we emulate them?
Updated by Jason Williams 12 months ago
There will be the following questions where we want the opinion of signature writers:
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2, should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit, should we emulate them?
To retain compatibility of current rules in the ET ruleset, for example, emulation would likely be necessary, as all of these keywords are used fairly heavily.
Updated by Philippe Antoine 11 months ago
Merge of https://github.com/OISF/suricata/pull/6328. Only emulation remaining.