Project

General

Profile

Actions

Bug #5754

open

I use the file-extraction to store the files transferred by HTTP2, but fileinfo does not have the filename field.

Added by YuHan Xu over 1 year ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

{"timestamp":"2022-12-09T06:02:08.553120+0000","flow_id":912881598130729,"in_iface":"ens256","event_type":"fileinfo","src_ip":"2.0.1.195","src_port":80,"dest_ip":"1.0.4.75","dest_port":61828,"proto":"TCP","http2":{"version":"2","response_headers":[{"name":":status","value":"200"},{"name":"content-type","value":"image/jpeg"}],"status":200,"http2":{"stream_id":1,"request":{},"response":{}}},"app_proto":"http2","fileinfo":{"sid":[3900017],"magic":"EICAR virus test files","gaps":false,"state":"CLOSED","md5":"44d88612fea8a8f36de82e1278abb02f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","stored":true,"file_id":2,"size":68,"tx_id":1},"host":"suricata"}
My yaml file,pcap and rules have been uploaded.


Files

suricata.yaml (71.2 KB) suricata.yaml YuHan Xu, 12/13/2022 09:25 AM
http2-get.pcap (32.3 KB) http2-get.pcap test pcap YuHan Xu, 12/13/2022 09:26 AM
filestore.rules (667 Bytes) filestore.rules my rules YuHan Xu, 12/13/2022 09:27 AM

Related issues 1 (0 open1 closed)

Related to Suricata - Documentation #5088: file.name sticky buffer is not documentedClosedJason TaylorActions
Actions #1

Updated by Jason Taylor 8 months ago

I wonder if this is related to something I came across while working on documentation for the file.name keyword.

http2 app layer does not seem to support file.name functionality, though according to the logs it would seem http2 applayer registers file.name support.

suricata --build-info
This is Suricata version 7.0.2-dev (bb15a8f76 2023-09-29)

suricata.log entries:
Info: output-filestore: forcing filestore of all files [OutputFilestoreLogInitCtx:output-filestore.c:444]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:878]
Perf: ippair: ippair memory usage: 0 bytes, maximum: 0 [IPPairPrintStats:ippair.c:296]
Error: detect-parse: protocol HTTP2 doesn't support file name matching [SigValidate:detect-parse.c:2084]
Error: detect: error parsing signature "alert http2 any any -> any any (msg:"smb layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:2; rev:1;)" from file /rules/test.rules at line 3 [DetectLoadSigFile:detect-engine-loader.c:180]
Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed [SigLoadSignatures:detect-engine-loader.c:350]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1045]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1499]
Perf: detect: TCP toserver: 1 port groups, 1 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: TCP toclient: 1 port groups, 1 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toserver: 0 port groups, 0 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toclient: 0 port groups, 0 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies [RulesGroupByProto:detect-engine-build.c:1049]
Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies [RulesGroupByProto:detect-engine-build.c:1082]
Perf: detect: Unique rule groups: 2 [SigAddressPrepareStage4:detect-engine-build.c:1858]
Perf: detect: Builtin MPM "toserver TCP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient TCP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toserver TCP stream": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient TCP stream": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toserver UDP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient UDP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "other IP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: AppLayer MPM "toclient file.name (nfs)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (nfs)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (smb)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (smb)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (ftp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (ftp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (ftp-data)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (ftp-data)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (smtp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Info: unix-manager: unix socket '/suri/suri.socket' [UnixNew:unix-manager.c:136]
Notice: threads: Threads created -> Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890]

Actions #2

Updated by Jason Taylor 8 months ago

the rules that were in the sig file to be loaded:

alert http any any -> any any (msg:"http2 layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:1; rev:1;)

alert http2 any any -> any any (msg:"smb layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:2; rev:1;)

Actions #3

Updated by Victor Julien 8 months ago

Looking at the pcap, there is no specific filename in the traffic. There is the URL, which I think is what we use in HTTP1 as the filename (unless we're doing the multi-part thing). @Philippe Antoine should we set the URL as the filename for HTTP2?

Actions #4

Updated by Philippe Antoine 8 months ago

should we set the URL as the filename for HTTP2?

Now, HTTP2 does not define file names as there is no clear definition of it...

We could set a part of the URL as the file name.
In HTTP1, we try some headers for the filename, and fall back to URI path if we do not find any...

Actions #5

Updated by Juliana Fajardini Reichow 8 months ago

Actions

Also available in: Atom PDF