Task #4721

closed

Feature #4201: http2: full protocol support

http2: enable by default

Added by Victor Julien about 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

Enable by default in config and code defaults.


Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #4530: DOS Quadratic complexity when having too many transactions (Closed, Philippe Antoine)
Actions #1

Updated by Philippe Antoine about 3 years ago

  • Status changed from Assigned to In Review
Actions #2

Updated by Philippe Antoine about 3 years ago

  • Related to Bug #4530: DOS Quadratic complexity when having too many transactions added
Actions #3

Updated by Philippe Antoine about 3 years ago

Should we handle #4530 first as HTTP2 is an easy way to trigger it?

Actions #4

Updated by Victor Julien almost 3 years ago

In master @424dcda2c000f4578d85f51293492a0fc7e03815 this doesn't yet fully work.

My yaml is the default except I removed the http2 app-layer config. So I'd expect this to behave like "enabled by default", however:

./src/suricata -c suricata.yaml -l tmp/ -S rules/http2-events.rules -T
[1646250] 11/10/2021 -- 08:20:36 - (suricata.c:1620) <Info> (ParseCommandLine) -- Running suricata under test mode
[1646250] 11/10/2021 -- 08:20:36 - (suricata.c:1065) <Notice> (LogVersion) -- This is Suricata version 7.0.0-dev (424dcda2c 2021-10-09) running in SYSTEM mode
[1646250] 11/10/2021 -- 08:20:36 - (app-layer-template.c:486) <Notice> (RegisterTemplateParsers) -- Template TCP protocol detection enabled.
[1646250] 11/10/2021 -- 08:20:36 - (app-layer-template.c:505) <Notice> (RegisterTemplateParsers) -- No template app-layer configuration, enabling echo detection TCP detection on port 7.
[1646250] 11/10/2021 -- 08:20:36 - (app-layer-template.c:523) <Notice> (RegisterTemplateParsers) -- Registering Template protocol parser.
[1646250] 11/10/2021 -- 08:20:37 - (detect-template-buffer.c:93) <Notice> (DetectTemplateBufferRegister) -- Template application layer detect registered.
[1646250] 11/10/2021 -- 08:20:37 - (output-tx.c:77) <Notice> (OutputRegisterTxLogger) -- LogHttp2Log logger not enabled: protocol http2 is disabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame header"; flow:established; app-layer-event:http2.invalid_frame_header; classtype:protocol-command-decode; sid:2290000; rev:1;)" from file rules/http2-events.rules at line 8
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid client magic"; flow:established; app-layer-event:http2.invalid_client_magic; classtype:protocol-command-decode; sid:2290001; rev:1;)" from file rules/http2-events.rules at line 9
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame data"; flow:established; app-layer-event:http2.invalid_frame_data; classtype:protocol-command-decode; sid:2290002; rev:1;)" from file rules/http2-events.rules at line 10
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid header"; flow:established; app-layer-event:http2.invalid_header; classtype:protocol-command-decode; sid:2290003; rev:1;)" from file rules/http2-events.rules at line 11
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame length"; flow:established; app-layer-event:http2.invalid_frame_length; classtype:protocol-command-decode; sid:2290004; rev:1;)" from file rules/http2-events.rules at line 12
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 header frame with extra data"; flow:established; app-layer-event:http2.extra_header_data; classtype:protocol-command-decode; sid:2290005; rev:1;)" from file rules/http2-events.rules at line 13
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 too long frame data"; flow:established; app-layer-event:http2.long_frame_data; classtype:protocol-command-decode; sid:2290006; rev:1;)" from file rules/http2-events.rules at line 14
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 stream identifier reuse"; flow:established; app-layer-event:http2.stream_id_reuse; classtype:protocol-command-decode; sid:2290007; rev:1;)" from file rules/http2-events.rules at line 15
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid HTTP1 settings during upgrade"; flow:established; app-layer-event:http2.invalid_http1_settings; classtype:protocol-command-decode; sid:2290008; rev:1;)" from file rules/http2-events.rules at line 16
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 failed decompression"; flow:established; app-layer-event:http2.failed_decompression; classtype:protocol-command-decode; sid:2290009; rev:1;)" from file rules/http2-events.rules at line 17
[1646250] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.http2.detection-enabled
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid range header"; flow:established; app-layer-event:http2.invalid_range; classtype:protocol-command-decode; sid:2290010; rev:1;)" from file rules/http2-events.rules at line 18
[1646250] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
[1646250] 11/10/2021 -- 08:20:37 - (suricata.c:2199) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
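
Added example, not part of the original comment or of Suricata's code: a small triage script for `-T` output like the run above. It separates signatures rejected because their protocol is unknown or disabled from signatures that failed for another reason. The sample log is trimmed from the output above, and its last line (sid 9999999, rules/example.rules) is constructed for contrast; the function and key names are assumptions of this example.

```python
import re
from collections import defaultdict

# Patterns for the two error kinds and the logger notice seen in the -T output.
UNKNOWN_PROTO = re.compile(r'SC_ERR_UNKNOWN_PROTOCOL\(\d+\)\] - protocol "([^"]+)" cannot be used')
BAD_SIG = re.compile(r'SC_ERR_INVALID_SIGNATURE\(\d+\)\] - error parsing signature "(.*)" '
                     r'from file (\S+) at line (\d+)')
DISABLED = re.compile(r'protocol (\S+) is disabled')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')

# Trimmed excerpt of the log above; the final line is constructed for this example.
SAMPLE = '''\
[1] 11/10/2021 -- 08:20:37 - (output-tx.c:77) <Notice> (OutputRegisterTxLogger) -- LogHttp2Log logger not enabled: protocol http2 is disabled
[1] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.
[1] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid frame header"; flow:established; app-layer-event:http2.invalid_frame_header; classtype:protocol-command-decode; sid:2290000; rev:1;)" from file rules/http2-events.rules at line 8
[1] 11/10/2021 -- 08:20:37 - (detect-parse.c:912) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "http2" cannot be used in a signature.
[1] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid client magic"; flow:established; app-layer-event:http2.invalid_client_magic; classtype:protocol-command-decode; sid:2290001; rev:1;)" from file rules/http2-events.rules at line 9
[1] 11/10/2021 -- 08:20:37 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"constructed"; sid:9999999; rev:1;)" from file rules/example.rules at line 3
'''

def triage(log_text):
    """Group rejected sids by cause: unknown/disabled protocol vs. any other parse error."""
    by_proto = defaultdict(list)  # protocol -> sids rejected because of that protocol
    other = []                    # sids rejected for some other reason
    disabled = set()              # protocols a logger reported as disabled
    pending = None                # protocol named by the immediately preceding error
    for line in log_text.splitlines():
        if m := DISABLED.search(line):
            disabled.add(m.group(1))
        if m := UNKNOWN_PROTO.search(line):
            pending = m.group(1)  # the matching signature error is on the next line
            continue
        if m := BAD_SIG.search(line):
            sid = SID.search(m.group(1))
            sid = int(sid.group(1)) if sid else None
            (by_proto[pending] if pending else other).append(sid)
        pending = None            # pairing only holds for adjacent lines
    return {"disabled": sorted(disabled), "by_protocol": dict(by_proto), "other": other}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `by_protocol` entry points at the app-layer configuration or code defaults rather than at the rules themselves, which is the situation this comment reports.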
Actions #5

Updated by Victor Julien almost 3 years ago

Ah I see https://github.com/OISF/suricata/pull/6468 now, will test it.

Actions #6

Updated by Philippe Antoine almost 3 years ago

  • Status changed from In Review to Closed