Suricata

I wonder if this is related to something I came across while working on documentation for the file.name keyword.

http2 app layer does not seem to support file.name functionality, though according to the logs it would seem http2 applayer registers file.name support.

suricata --build-info
This is Suricata version 7.0.2-dev (bb15a8f76 2023-09-29)

suricata.log entries:
Info: output-filestore: forcing filestore of all files [OutputFilestoreLogInitCtx:output-filestore.c:444]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:878]
Perf: ippair: ippair memory usage: 0 bytes, maximum: 0 [IPPairPrintStats:ippair.c:296]
Error: detect-parse: protocol HTTP2 doesn't support file name matching [SigValidate:detect-parse.c:2084]
Error: detect: error parsing signature "alert http2 any any -> any any (msg:"smb layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:2; rev:1;)" from file /rules/test.rules at line 3 [DetectLoadSigFile:detect-engine-loader.c:180]
Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed [SigLoadSignatures:detect-engine-loader.c:350]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1045]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1499]
Perf: detect: TCP toserver: 1 port groups, 1 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: TCP toclient: 1 port groups, 1 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toserver: 0 port groups, 0 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toclient: 0 port groups, 0 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies [RulesGroupByProto:detect-engine-build.c:1049]
Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies [RulesGroupByProto:detect-engine-build.c:1082]
Perf: detect: Unique rule groups: 2 [SigAddressPrepareStage4:detect-engine-build.c:1858]
Perf: detect: Builtin MPM "toserver TCP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient TCP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toserver TCP stream": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient TCP stream": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toserver UDP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient UDP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "other IP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: AppLayer MPM "toclient file.name (nfs)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (nfs)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (smb)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (smb)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (ftp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (ftp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (ftp-data)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (ftp-data)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (smtp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Info: unix-manager: unix socket '/suri/suri.socket' [UnixNew:unix-manager.c:136]
Notice: threads: Threads created -> Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890]

the rules that were in the sig file to be loaded:

alert http any any -> any any (msg:"http2 layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:1; rev:1;)

alert http2 any any -> any any (msg:"smb layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:2; rev:1;)

Looking at the pcap, there is no specific filename in the traffic. There is the URL, which I think is what we use in HTTP1 as the filename (unless we're doing the multi-part thing). @Philippe Antoine should we set the URL as the filename for HTTP2?

should we set the URL as the filename for HTTP2?

Now, HTTP2 does not define file names as there is no clear definition of it...

We could set a part of the URL as the file name.
In HTTP1, we try some headers for the filename, and fall back to URI path if we do not find any...