Feature #4121

Feature #4201: http2: full protocol support

http2: support file inspection API

Added by Victor Julien about 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Originally reported as a bug with a single sig, this is really about properly supporting the file inspection API.

Adding alert http2 any any -> any any (flow:established,to_client; filemd5:test.md5; sid:5; rev:1;) with 15560fc6a1e4845498d8d952691afb11 in test.md5 should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

Setting private as this first triggers #4120.
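To make the expected behaviour of the description concrete, the following added example (not Suricata's own code, written for this page) models what a filemd5-style match over HTTP/2 file transfers should do: parse a hash list in the one-digest-per-line format that test.md5 uses, track one file per transaction id, hash its body as DATA chunks arrive, and evaluate the list once per completed file. The file bodies and the hash list are constructed here; the digest quoted in the description belongs to the SV test's file, which is not reproduced, so the list instead contains the digest of the constructed binary body.

```python
import hashlib

# Constructed sample file bodies, standing in for the files carried by the
# HTTP/2 responses in the SV test pcap (which is not reproduced here).
BODY_HTML = b"<html><body>not interesting</body></html>"
BODY_BINARY = b"MZ\x90\x00constructed-binary-payload"

# Constructed hash list in the format the filemd5 keyword reads: one hex MD5
# digest per line. It holds the digest of BODY_BINARY only; the digest from
# the issue (15560fc6a1e4845498d8d952691afb11) belongs to a file we do not
# have, so it cannot be matched against anything here.
TEST_MD5 = hashlib.md5(BODY_BINARY).hexdigest() + "\n"


def load_hash_list(text):
    """Parse a filemd5-style list: one hex digest per line, case-folded, blanks ignored."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line:
            hashes.add(line)
    return hashes


class FileTracker:
    """Tracks one file per transaction id, hashing chunks as they arrive."""

    def __init__(self):
        self.files = {}  # tx_id -> {"md5": running hashlib object, "closed": bool}

    def open(self, tx_id):
        self.files[tx_id] = {"md5": hashlib.md5(), "closed": False}

    def append(self, tx_id, chunk):
        self.files[tx_id]["md5"].update(chunk)

    def close(self, tx_id):
        self.files[tx_id]["closed"] = True


def inspect(tracker, hashes):
    """Return the tx_ids whose completed file has a digest in the list.

    A file is evaluated only once it is closed: while it is still being
    received its digest is not final, so it never matches, and a match is
    reported once per file rather than once per chunk or per packet.
    """
    return [tx_id for tx_id, f in sorted(tracker.files.items())
            if f["closed"] and f["md5"].hexdigest() in hashes]


def simulate():
    """Two transactions; only tx 3 carries the listed file. Returns matches before and after it closes."""
    hashes = load_hash_list(TEST_MD5)
    tracker = FileTracker()
    # tx 2: an HTML response delivered whole
    tracker.open(2)
    tracker.append(2, BODY_HTML)
    tracker.close(2)
    # tx 3: the binary, delivered in several DATA-frame-sized chunks
    tracker.open(3)
    for i in range(0, len(BODY_BINARY), 10):
        tracker.append(3, BODY_BINARY[i:i + 10])
    before_close = inspect(tracker, hashes)  # file still open: no match yet
    tracker.close(3)
    after_close = inspect(tracker, hashes)   # file complete: exactly one match, tx 3
    return before_close, after_close


if __name__ == "__main__":
    print(simulate())
```

The point of keying the tracker on the transaction id is the one the later comments turn on: the fileinfo record and the http record for the same response must carry the same tx_id, otherwise detection inspects the file under the wrong transaction and either misses it or fires repeatedly.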

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #4076: http2: Memory leak when parsing signature with filestore (Closed, Philippe Antoine)

#1

Updated by Victor Julien about 4 years ago

This looks like it is caused by multiple issues. First, the "files" inspect engine is not registered for ALPROTO_HTTP2 (src/detect-filename.c). However, if this is done it still doesn't work. Since md5's are logged for these files, something else must be missing.

One thing to look at could be the hack SMB and NFS use before calling into Rust:

static AppLayerResult SMBTCPParseRequest(Flow *f, void *state,
        AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len,
        void *local_data, const uint8_t flags)
{
    SCLogDebug("SMBTCPParseRequest");
    /* derive the per-direction file flags (store, magic, md5, ...) from the flow */
    uint16_t file_flags = FileFlowToFlags(f, STREAM_TOSERVER);
    /* pass them to the Rust parser, adding FILE_USE_DETECT so file data is kept for the detect engine */
    rs_smb_setfileflags(0, state, file_flags|FILE_USE_DETECT);
...

#2

Updated by Victor Julien about 4 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from http2: filemd5 matching generates too many alerts to http2: support file inspection API
  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version changed from 6.0.1 to 7.0.0-beta1
#3

Updated by Philippe Antoine about 4 years ago

  • Related to Bug #4076: http2: Memory leak when parsing signature with filestore added
#4

Updated by Philippe Antoine about 4 years ago

> should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

I get no alerts so far...

#5

Updated by Philippe Antoine about 4 years ago

> should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

Ok, without the fix for #4076 it generates 23 alerts.
With the fix, it generates 0 alerts.

#6

Updated by Philippe Antoine about 4 years ago

DetectFileHashMatch gets called, but only 3 times.

eve.json shows that the first "event_type": "fileinfo" has "tx_id": 3 and no http data,
while the first "event_type": "http" has "tx_id": 2.

Seems like the bug was that the file tracker was not using tx_id, but tx_id - 1

FILE_USE_DETECT seems also needed, but for the rule alert http2 any any -> any any (file.data; content:!"html"; startswith; sid:7; rev:1;)

#7

Updated by Philippe Antoine about 4 years ago

  • Status changed from Assigned to In Review
  • Target version changed from 7.0.0-beta1 to 6.0.1

Gitlab

#8

Updated by Victor Julien almost 4 years ago

  • Status changed from In Review to Closed
#9

Updated by Victor Julien almost 4 years ago

  • Parent task set to #4201
  • Private changed from Yes to No