Project

General

Profile

Actions

Bug #3972

closed

HTTP2: stream_id_reuse

Added by David Beckett over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the attached pcap I am seeing the following alerts generated by suricata.

{"timestamp":"2020-09-18T09:50:11.891538-0400","flow_id":870210757415512,"pcap_cnt":15,"event_type":"anomaly","src_ip":"172.217.0.2","src_port":443,"dest_ip":"192.168.122.7","dest_port":51824,"proto":"TCP","tx_id":6,"community_id":"1:2tXN+cZWZcOSPfZUYJW/VfrVacQ=","anomaly":{"app_proto":"http2","type":"applayer","event":"stream_id_reuse","layer":"proto_parser"}}

{"timestamp":"2020-09-18T09:50:13.634665-0400","flow_id":870210757415512,"pcap_cnt":23,"event_type":"anomaly","src_ip":"172.217.0.2","src_port":443,"dest_ip":"192.168.122.7","dest_port":51824,"proto":"TCP","tx_id":10,"community_id":"1:2tXN+cZWZcOSPfZUYJW/VfrVacQ=","anomaly":{"app_proto":"http2","type":"applayer","event":"stream_id_reuse","layer":"proto_parser"}}

This pcap was taken from a valid web browsing session so should have no alerts. I get these logs with vanilla 6.0.0-rc1 and also after applying catenacyber's http2 pcapfixes v3 pull request.


Files

http2_stream_id_reuse_anomaly.pcapng (9.94 KB) http2_stream_id_reuse_anomaly.pcapng David Beckett, 09/21/2020 03:08 PM
suricata.yaml (70.2 KB) suricata.yaml David Beckett, 09/28/2020 03:44 PM
Actions #1

Updated by Jason Ish over 4 years ago

  • Project changed from Suricata-Update to Suricata

I think this is for Suricata, not Suricata-Update.

Actions #2

Updated by Victor Julien about 4 years ago

  • Status changed from New to Assigned
  • Assignee changed from Shivani Bhardwaj to Philippe Antoine
  • Target version set to 6.0.0
Actions #3

Updated by Philippe Antoine about 4 years ago

David, I am not able to reproduce this...
I run ./src/suricata -k none -c suricata.yaml -r /Users/catena/Downloads/http2_stream_id_reuse_anomaly.pcapng -l log

Suricata.yaml is modified to enable http2 and its logging

And then

jq '.event_type' log/eve.json | sort | uniq -c | sort -n
   1 "flow" 
   1 "stats" 
   5 "fileinfo" 
   9 "http" 

so, no anomaly...

What is your configuration ? your command line options ?

Actions #4

Updated by David Beckett about 4 years ago

Philippe,

I run
sudo ./suricata -c /etc/suricata/suricata.yaml -v --user=logstash -r ~/http2_stream_id_reuse_anomaly.pcapng --runmode single -l /tmp/

then
jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
2 "stats"
4 "anomaly"
4 "flow"
10 "fileinfo"
18 "http"

I've attached my yaml file

Actions #5

Updated by David Beckett about 4 years ago

Just realised I had forgotten to remove my eve.json before running that command hence the doubled output.
jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "anomaly"
2 "flow"
5 "fileinfo"
9 "http"

My git history is

commit 662723423cf0e1fa3cba2014821f422c753c77ac (HEAD -> httpfix2)
Author: Philippe Antoine <>
Date: Thu Sep 17 22:48:52 2020 +0200

http2: use variable integer for headers lengths

commit 051cb47175c653cbd61c43d6ca53f386d5cb8f36
Author: Philippe Antoine <>
Date: Fri Sep 18 14:44:40 2020 +0200

protodetect: rerun probing parser if pattern matched
If a pattern matches in the other direction, after
probing parser finished without finding a protocol,
we will rerun the probing parser, which will include
the newly protocol found by its pattern

commit cf164bf0134e28dcddb5a63ae7c93931e9f591b5
Author: Philippe Antoine <>
Date: Thu Sep 17 16:52:13 2020 +0200

protodetect: runs probing parser on protocol found
It a protocol is found in a first direction, we should run the
probing parser, even if it is not in the known ports.
That can happen for HTTP2, where client magic is detected,
then server probe can be run

commit 222b3861024fbe1d40e3c97cfa65b5ce3243ba3d (origin/master, origin/HEAD, master)
Author: Philippe Antoine <>
Date: Wed Sep 9 16:05:56 2020 +0200

rust: rebuilds std when building fuzzers
so as to have MSAN working
Actions #6

Updated by Philippe Antoine about 4 years ago

  • Status changed from Assigned to In Review

Thanks David.
I did not reproduce it but I think I got it
Could you test
https://github.com/OISF/suricata/pull/5455

The RFC states
An endpoint MUST NOT send frames other than PRIORITY on a closed stream.

But then it states
WINDOW_UPDATE or RST_STREAM frames can be received in this state for a short period...

Actions #7

Updated by David Beckett about 4 years ago

Thanks that seems to have fixed it

jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "flow"
5 "fileinfo"
7 "http"

I am getting 7 http requests now rather than 9 which both of us had last time, but I presume this is ok.

Thanks for the fix, I'll try and test some more live http/2 traffic against it soon to see if I can find any other issues, but I really appreciate your time on this.

Actions #8

Updated by Philippe Antoine about 4 years ago

The number of http events is kind of unpredictable because of `RST_STREAM` frames which may be taken into account in the current stream, or in a new one

Actions #9

Updated by Victor Julien about 4 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF