Feature #4121
closed
Feature #4201: http2: full protocol support
http2: support file inspection API
Added by Victor Julien about 4 years ago.
Updated almost 4 years ago.
Description
Originally reported as a bug with a single sig, this is really about properly supporting the file inspection API.
Adding alert http2 any any -> any any (flow:established,to_client; filemd5:test.md5; sid:5; rev:1;)
with 15560fc6a1e4845498d8d952691afb11
in test.md5 should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.
Setting private as this first triggers #4120.
This looks like it is caused by multiple issues. First, the "files" inspect engine is not registered for ALPROTO_HTTP2 (src/detect-filename.c). However, if this is done it still doesn't work. Since md5s are logged for these files, something else must be missing.
One thing to look at could be the hack SMB and NFS use before calling into Rust:
    static AppLayerResult SMBTCPParseRequest(Flow *f, void *state,
            AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len,
            void *local_data, const uint8_t flags)
    {
        SCLogDebug("SMBTCPParseRequest");
        uint16_t file_flags = FileFlowToFlags(f, STREAM_TOSERVER);
        rs_smb_setfileflags(0, state, file_flags|FILE_USE_DETECT);
        ...
- Tracker changed from Bug to Feature
- Subject changed from http2: filemd5 matching generates too many alerts to http2: support file inspection API
- Description updated (diff)
- Status changed from New to Assigned
- Assignee set to Philippe Antoine
- Target version changed from 6.0.1 to 7.0.0-beta1
- Related to Bug #4076: http2: Memory leak when parsing signature with filestore added
> should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

I get no alerts so far...
> should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

Ok, without the fix for #4076 it generates 23 alerts.
With the fix, it generates 0 alerts.
DetectFileHashMatch gets called, but only 3 times.
eve.json shows that the first "event_type": "fileinfo" has "tx_id": 3 and no http data, when the first "event_type": "http" has "tx_id": 2.
Seems like the bug was that the file tracker was not using tx_id, but tx_id - 1.
FILE_USE_DETECT also seems needed, but for the rule alert http2 any any -> any any (file.data; content:!"html"; startswith; sid:7; rev:1;)
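To check an eve.json log for the symptom described in this comment (a fileinfo event whose tx_id has no matching http event in the same flow, while a neighbouring tx_id does), here is an added example that is not part of the ticket or of Suricata itself; it correlates events by flow_id and tx_id over constructed sample lines, and the adjacent-tx check only reports the hint, it does not prove the off-by-one.

```python
import json

# Constructed sample eve.json lines (not real Suricata output) mirroring the
# symptom in the comment: the first fileinfo carries tx_id 3 and no http data,
# while the first http event of the flow carries tx_id 2.
SAMPLE_EVE = """\
{"event_type":"http","flow_id":1,"app_proto":"http2","tx_id":2,"http":{"url":"/index.html"}}
{"event_type":"fileinfo","flow_id":1,"app_proto":"http2","tx_id":3,"fileinfo":{"md5":"15560fc6a1e4845498d8d952691afb11"}}
{"event_type":"http","flow_id":1,"app_proto":"http2","tx_id":4,"http":{"url":"/style.css"}}
{"event_type":"fileinfo","flow_id":1,"app_proto":"http2","tx_id":4,"http":{"url":"/style.css"},"fileinfo":{"md5":"d41d8cd98f00b204e9800998ecf8427e"}}
"""


def correlate_fileinfo(eve_text):
    """Group fileinfo events into those that match an http tx of the same flow
    (and carry http data), those that do not, and, among the latter, those
    whose tx_id - 1 does match an http tx (the off-by-one hint)."""
    http_txs = set()
    fileinfo_events = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev.get("flow_id"), ev.get("tx_id"))
        if ev.get("event_type") == "http":
            http_txs.add(key)
        elif ev.get("event_type") == "fileinfo":
            fileinfo_events.append(ev)

    result = {"matched": [], "orphaned": [], "adjacent_http_tx": []}
    for ev in fileinfo_events:
        flow, tx = ev.get("flow_id"), ev.get("tx_id")
        if (flow, tx) in http_txs and "http" in ev:
            result["matched"].append((flow, tx))
            continue
        # No http event with this tx_id in the flow, or no embedded http data.
        result["orphaned"].append((flow, tx))
        if tx is not None and (flow, tx - 1) in http_txs:
            result["adjacent_http_tx"].append((flow, tx))
    return result


if __name__ == "__main__":
    for kind, txs in correlate_fileinfo(SAMPLE_EVE).items():
        print(kind, txs)
```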
- Status changed from Assigned to In Review
- Target version changed from 7.0.0-beta1 to 6.0.1
- Status changed from In Review to Closed
- Parent task set to #4201
- Private changed from Yes to No