Task #4067

open

Task #4201: http2: full protocol support

http2: overload existing http keywords to support http/2

Added by Victor Julien 11 months ago. Updated 11 days ago.

Status: In Review
Priority: High

Description

Meta ticket. Please evaluate all existing http keywords and see if we can support them in http/2. For the ones we can, please create a sub-ticket for each keyword. For the ones we can't support, we need an explanation of why (in this ticket) and a documentation update in the user guide.

Actions #1

Updated by Victor Julien 10 months ago

  • Priority changed from Normal to High
Actions #2

Updated by Victor Julien 10 months ago

  • Subject changed from http/2: overload existing http keywords to support http/2 to http2: overload existing http keywords to support http/2
Actions #3

Updated by Victor Julien 10 months ago

  • Parent task set to #4201
Actions #4

Updated by Philippe Antoine 9 months ago

  • Status changed from Assigned to In Review
Actions #5

Updated by Philippe Antoine 6 months ago

Some keywords are now working. Need to complete with all keywords.

Actions #6

Updated by Philippe Antoine 5 months ago

One keyword may not be translated:
http.stat_msg has no HTTP2 meaning (besides translating the status code).

Actions #7

Updated by Philippe Antoine 5 months ago

http.start does not seem to make sense for HTTP2, in my humble opinion.

Actions #8

Updated by Philippe Antoine 5 months ago

http.response_body seems to be handled by file_data for HTTP2.

Actions #9

Updated by Philippe Antoine 5 months ago

There is no such thing as http.response_line in HTTP2.

Actions #10

Updated by Philippe Antoine 5 months ago

Nor http.request_line.

There is no http.protocol, or it is always HTTP2.

Actions #11

Updated by Philippe Antoine 5 months ago

http.request_body should be covered by file_data.

Actions #12

Updated by Philippe Antoine 5 months ago

Should HTTP2MimicHttp1Request translate header names? Like Host becomes :authority from HTTP1 to HTTP2.

How would we do the http.host normalisation?

Should we concatenate the values in case there are multiple times the same header (name) in HTTP2?

Actions #13

Updated by Philippe Antoine 5 months ago

http.cookie calls DetectAppLayerMpmRegister2 with SIG_FLAG_TOCLIENT and HTP_REQUEST_HEADERS; that should rather be HTP_RESPONSE_HEADERS, right?

Actions #14

Updated by Victor Julien 4 months ago

https://github.com/OISF/suricata/pull/6087 was merged towards this ticket. It is not complete as some body keywords are missing as mentioned in the PR:

http.request_body and http.response_body, covered by file_data.

Actions #15

Updated by Philippe Antoine 4 months ago

What remains to be done:

- http.host: do the same normalization... same for http.header. For http.header.raw it is not raw in HTTP2, we need to concatenate key and value. For http.header_names, we can have linefeeds in HTTP2 header names, should we escape them?
- Concatenate when we get multiple values for one header name, cf. https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html#id2 example request with 2 Hosts?
- Make HTTP2MimicHttp1Request translate header names (Host becomes :authority)?
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2, should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit, should we emulate them?
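
As an added illustration (not Suricata's code, and not what the PRs on this ticket implement), the following Python sketch builds HTTP/1-style keyword buffers from a decoded HTTP/2 header list along the lines discussed in this comment: :authority mapped to Host, repeated names folded, request line and protocol synthesised, and CR/LF in header names escaped. The normalisation rules, the folding separators (", " in general, "; " for cookie as RFC 7540 section 8.1.2.5 requires) and the sample header list are all assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Decoded HPACK header list in wire order; pseudo-headers start with ":".
HeaderList = List[Tuple[str, str]]

# Assumed mapping of the one pseudo-header with an HTTP/1 header equivalent.
PSEUDO_TO_H1 = {":authority": "Host"}

# Constructed sample request, not captured traffic.
SAMPLE_H2: HeaderList = [
    (":method", "GET"), (":path", "/index.html"),
    (":authority", "WWW.Example.ORG:8443"), (":scheme", "https"),
    ("user-agent", "curl/7.79.1"), ("cookie", "a=1"), ("cookie", "b=2"),
    ("x-odd\nname", "v"),  # HTTP/2 names may carry bytes HTTP/1 forbids
]


def _escape_name(name: str) -> str:
    """Escape CR/LF so one name never spans two lines of http.header_names (assumption)."""
    return name.replace("\r", "\\r").replace("\n", "\\n")


def _strip_port(authority: str) -> str:
    """Drop a trailing :port, keeping IPv6 literals such as [::1] intact (assumption)."""
    if authority.startswith("["):
        return authority.split("]", 1)[0] + "]"
    return authority.rsplit(":", 1)[0] if ":" in authority else authority


def emulate_http1_buffers(h2: HeaderList) -> Dict[str, str]:
    """Return HTTP/1-style buffers keyed by the keyword a rule writer would use."""
    pseudo = {k: v for k, v in h2 if k.startswith(":")}
    # Drop pseudo-headers except :authority, which becomes a regular Host line.
    pairs = [(PSEUDO_TO_H1.get(k, k), v) for k, v in h2
             if not k.startswith(":") or k in PSEUDO_TO_H1]
    folded: Dict[str, List[str]] = {}
    for name, value in pairs:
        folded.setdefault(name, []).append(value)

    def join(name: str) -> str:
        # RFC 7540 8.1.2.5: split cookie fields are recombined with "; ".
        return ("; " if name.lower() == "cookie" else ", ").join(folded[name])

    method, path = pseudo.get(":method", ""), pseudo.get(":path", "")
    return {
        "http.protocol": "HTTP/2",
        "http.method": method,
        "http.uri": path,
        "http.host": _strip_port(pseudo.get(":authority", "")).lower(),
        "http.request_line": f"{method} {path} HTTP/2",
        "http.header": "".join(f"{n}: {join(n)}\r\n" for n in folded),
        # No raw bytes exist in HTTP/2; emit each wire pair unfolded instead.
        "http.header.raw": "".join(f"{n}: {v}\r\n" for n, v in pairs),
        "http.header_names": "".join(f"{_escape_name(n)}\r\n" for n in folded),
    }
```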

Actions #16

Updated by Philippe Antoine 2 months ago

After https://github.com/OISF/suricata/pull/6183, there will be the following questions where we want the opinion of signature writers:
- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2, should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit, should we emulate them?

Actions #17

Updated by Jason Williams 21 days ago

There will be the following questions where we want the opinion of signature writers:

- http.request_body and http.response_body, covered by file_data. Should we have these specifically?
- http.request_line and http.response_line do not exist in HTTP2, should we emulate them? What about http.start?
- http.protocol and http.stat_msg are implicit, should we emulate them?

To retain compatibility of current rules in the ET ruleset, for example, emulation would likely be necessary as all of these keywords are used fairly heavily.

Actions #18

Updated by Philippe Antoine 11 days ago

Merge of https://github.com/OISF/suricata/pull/6328.

Only emulation remaining.
