Project

General

Profile

Bug #5780

Updated by Brandon Murphy almost 2 years ago

It appears that when attempting to combine two different HTTP2 headers into a single rule, no alert is produced.  

 Consider the following rules and the attached pcap, which contains a single tcp session with a single HTTP2 stream. 
 <pre> 
 alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Single Header - Authority"; flow:established,to_server; http2.header; content:"authority: bugertor"; sid:1;) 
 alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Single Header - Method"; flow:established,to_server; http2.header; content:"method: GET"; sid:2;) 
 alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; flow:established,to_server; http2.header; content:"method: GET"; content:"authority: bugertor.com"; sid:3;) 
 </pre> 


 h2. Current Behavior 
 Only sid:1 and sid:2 fire 

 h2. Expected Behavior 
 All three signatures should fire. 

 h2. HTTP Keyword Overloading 
 Once the correct http2 configuration option is enabled (http1-rules), the using the standard http1 keywords (http.method, http.host) the below signature works as expected. rules.  
 <pre> 
 alert http $HOME_NET any -> any any (msg:"HTTP2 - Overload Test"; flow:established,to_server; http.method; content:"GET"; http.host; content:"bugertor.com"; sid:4;) 
 </pre> 
 ```

Back