Actions
Task #4721
closedFeature #4201: http2: full protocol support
http2: enable by default
Effort:
Difficulty:
Label:
Description
Enable by default in config and code defaults.
Updated by Philippe Antoine about 3 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine about 3 years ago
- Related to Bug #4530: DOS Quadratic complexity when having too many transactions added
Updated by Philippe Antoine about 3 years ago
Should we handle #4530 first as HTTP2 is an easy way to trigger it ?
Updated by Victor Julien almost 3 years ago
In master @424dcda2c000f4578d85f51293492a0fc7e03815
this doesn't yet fully work.
My yaml is the default except I removed the http2
app-layer config. So I'd expect this to behave like "enabled by default", however:
./src/suricata -c suricata.yaml -l tmp/ -S rules/http2-events.rules -T [1646250] 11/10/2021 -- 08:20:36 - (suricata.c:1620) <Info> (ParseCommandLine) -- Running suricata under test mode [1646250] 11/10/2021 -- 08:20:36 - (suricata.c:1065) <Notice> (LogVersion) -- This is Suricata version 7.0.0-dev (424dcda2c 2021-10-09) running in SYSTEM mode [1646250] 11/10/2021 -- 08:20:36 - (app-layer-template.c:486) <Notice> (RegisterTemplateParsers) -- Template TCP protocol detection enabled. [1646250] 11/10/2021 -- 08:20:36 - (app-layer-template.c:505) <Notice> (RegisterTemplateParsers) -- No template app-layer configuration, enabling echo detection TCP detection on port 7. [1646250] 11/10/2021 -- 08:20:36 - (app-layer-template.c:523) <Notice> (RegisterTemplateParsers) -- Registering Template protocol parser. [1646250] 11/10/2021 -- 08:20:37 - (detect-template-buffer.c:93) <Notice> (DetectTemplateBufferRegister) -- Template application layer detect registered. [1646250] 11/10/2021 -- 08:20:37 - (output-tx.c:77) <Notice> (OutputRegisterTxLogger) -- LogHttp2Log logger not enabled: protocol http2 is disabled [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame header"; flow:established; app-layer-event:http2.invalid_frame_header; classtype:protocol-command-decode; sid:2290000; rev:1;)" from file rules/http2-events.rules at line 8 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid client magic"; flow:established; app-layer-event:http2.invalid_client_magic; classtype:protocol-command-decode; sid:2290001; rev:1;)" from file rules/http2-events.rules at line 9 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame data"; flow:established; app-layer-event:http2.invalid_frame_data; classtype:protocol-command-decode; sid:2290002; rev:1;)" from file rules/http2-events.rules at line 10 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid header"; flow:established; app-layer-event:http2.invalid_header; classtype:protocol-command-decode; sid:2290003; rev:1;)" from file rules/http2-events.rules at line 11 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame length"; flow:established; app-layer-event:http2.invalid_frame_length; classtype:protocol-command-decode; sid:2290004; rev:1;)" from file rules/http2-events.rules at line 12 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 header frame with extra data"; flow:established; app-layer-event:http2.extra_header_data; classtype:protocol-command-decode; sid:2290005; rev:1;)" from file rules/http2-events.rules at line 13 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 too long frame data"; flow:established; app-layer-event:http2.long_frame_data; classtype:protocol-command-decode; sid:2290006; rev:1;)" from file rules/http2-events.rules at line 14 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 stream identifier reuse"; flow:established; app-layer-event:http2.stream_id_reuse; classtype:protocol-command-decode; sid:2290007; rev:1;)" from file rules/http2-events.rules at line 15 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid HTTP1 settings during upgrade"; flow:established; app-layer-event:http2.invalid_http1_settings; classtype:protocol-command-decode; sid:2290008; rev:1;)" from file rules/http2-events.rules at line 16 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 failed decompression"; flow:established; app-layer-event:http2.failed_decompression; classtype:protocol-command-decode; sid:2290009; rev:1;)" from file rules/http2-events.rules at line 17 [1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid range header"; flow:established; app-layer-event:http2.invalid_range; classtype:protocol-command-decode; sid:2290010; rev:1;)" from file rules/http2-events.rules at line 18 [1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded! [1646250] 11/10/2021 -- 08:20:37 - (suricata.c:2199) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
Updated by Victor Julien almost 3 years ago
Ah I see https://github.com/OISF/suricata/pull/6468 now, will test it.
Updated by Philippe Antoine almost 3 years ago
- Status changed from In Review to Closed
Actions