Bug #3998 (closed): HTTP2: invalid header anomaly
Description
I'm getting an HTTP invalid_header anomaly on Instagram. The alert doesn't seem to appear too often and it's hard to actually trigger it, so it's a low priority bug.
I've attached a pcap.
jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "flow"
21 "fileinfo"
24 "http"
31 "anomaly"
{"timestamp":"2020-10-05T07:04:51.102483-0400","flow_id":21414669293269,"pcap_cnt":276,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51824,"dest_ip":"157.240.18.19","dest_port":443,"proto":"TCP","tx_id":17,"community_id":"1:q/HxVAIJcyyaUnabaMfma6PfP3s=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_header","layer":"proto_parser"}}
{"timestamp":"2020-10-05T07:05:06.816392-0400","flow_id":21414669293269,"pcap_cnt":306,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51824,"dest_ip":"157.240.18.19","dest_port":443,"proto":"TCP","tx_id":23,"community_id":"1:q/HxVAIJcyyaUnabaMfma6PfP3s=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_header","layer":"proto_parser"}}
...
Updated by Philippe Antoine about 4 years ago
Could you test with the following patch?
diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
index 9a0330103..8b4112ead 100644
--- a/rust/src/http2/http2.rs
+++ b/rust/src/http2/http2.rs
@@ -466,17 +466,19 @@ impl HTTP2State {
Ok((_, set)) => {
for i in 0..set.len() {
if set[i].id == parser::HTTP2SettingsId::SETTINGSHEADERTABLESIZE {
- //set for both endpoints ? to be tested
- self.dynamic_headers_tc.max_size = set[i].value as usize;
- self.dynamic_headers_ts.max_size = set[i].value as usize;
+ //reverse order as this is what we accept from the other endpoint
+ let dyn_headers = if dir == STREAM_TOCLIENT {
+ &mut self.dynamic_headers_ts
+ } else {
+ &mut self.dynamic_headers_tc
+ };
+ dyn_headers.max_size = set[i].value as usize;
if set[i].value > HTTP2_MAX_TABLESIZE {
//mark potential overflow
- self.dynamic_headers_tc.overflow = 1;
- self.dynamic_headers_ts.overflow = 1;
+ dyn_headers.overflow = 1;
} else {
//reset in case peer set a lower value, to be tested
- self.dynamic_headers_tc.overflow = 0;
- self.dynamic_headers_ts.overflow = 0;
+ dyn_headers.overflow = 0;
}
}
}
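Review bot: the new branch selects the table by `dir`, but `dir` does not appear in the visible context lines, so confirm it is the direction parameter of the enclosing settings-parsing function (and that it carries the direction of the SETTINGS frame itself, not of the stream being decoded), since the whole fix rests on that mapping. The choice is right as far as the hunk shows: a SETTINGS_HEADER_TABLE_SIZE sent toward the client limits what the client's encoder may use, hence the `dynamic_headers_ts` table. Two smaller points: the retained comment `//reset in case peer set a lower value, to be tested` still reads as a TODO after the change, so either state why a value at or below `HTTP2_MAX_TABLESIZE` clears `overflow` or back it with a unit test that sends a SETTINGS frame lowering the value in one direction and checks the other direction's table is untouched; and the first lines of the hunk (`Ok((_, set)) => {` and the `for` loop) have lost their indentation relative to the `if set[i].value > HTTP2_MAX_TABLESIZE` block, which looks like a paste artefact rather than a real change, but worth checking before it lands.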
Updated by Philippe Antoine about 4 years ago
For information, this pcap is the first one I see with asymmetric header table size: 65536 for the client and 4096 for the server.
See with Wireshark filter http2.settings.id == 1
But I am not sure how to interpret http2.header_table_size_update
Updated by David Beckett about 4 years ago
Ah ok, it doesn't seem common for websites to use asymmetric table sizes, especially that small, but it's definitely part of the spec. I've tested your patch and it seems to work fine now for the attached pcap, further Instagram browsing and for a few dozen other websites.
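The asymmetric case discussed above (client advertising 65536, server advertising 4096) is easy to get wrong in a passive parser because the SETTINGS_HEADER_TABLE_SIZE value an endpoint sends constrains the *other* endpoint's HPACK encoder, so it must be applied to the table used for the opposite direction. The following is an added, self-contained Rust example and is not Suricata's code: it parses a raw HTTP/2 SETTINGS frame (RFC 7540 section 6.5), applies setting id 1 to the per-direction table the way the patch does, and flags values above a cap. The struct and field names (`State`, `dyn_headers_ts`, `dyn_headers_tc`), the `Direction` enum and the `MAX_TABLESIZE` cap of 65536 are assumptions made for this example, not values taken from the Suricata source.

```rust
// Added example, not Suricata's code. Demonstrates the direction mapping for
// SETTINGS_HEADER_TABLE_SIZE in a passive (both-sides) HTTP/2 parser.

const FRAME_TYPE_SETTINGS: u8 = 0x4; // frame type from RFC 7540 section 6.5
const SETTINGS_HEADER_TABLE_SIZE: u16 = 0x1; // setting id from RFC 7540 section 6.5.2
const SETTINGS_FLAG_ACK: u8 = 0x1;
// Assumed cap for this example; a parser refusing to allocate a larger table
// would mark the value as a potential overflow instead of honouring it.
const MAX_TABLESIZE: usize = 65536;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Direction {
    ToServer, // frame sent by the client
    ToClient, // frame sent by the server
}

#[derive(Debug)]
pub struct DynTable {
    pub max_size: usize,
    pub overflow: bool,
}

#[derive(Debug)]
pub struct State {
    pub dyn_headers_ts: DynTable, // decodes headers flowing client -> server
    pub dyn_headers_tc: DynTable, // decodes headers flowing server -> client
}

impl Default for State {
    fn default() -> Self {
        // RFC 7540 section 6.5.2: initial SETTINGS_HEADER_TABLE_SIZE is 4096
        let t = || DynTable { max_size: 4096, overflow: false };
        State { dyn_headers_ts: t(), dyn_headers_tc: t() }
    }
}

/// Parse one SETTINGS frame (9-byte frame header followed by 6-byte settings).
/// Returns (identifier, value) pairs; an ACK frame carries no settings.
pub fn parse_settings_frame(buf: &[u8]) -> Result<Vec<(u16, u32)>, &'static str> {
    if buf.len() < 9 {
        return Err("short frame header");
    }
    let len = ((buf[0] as usize) << 16) | ((buf[1] as usize) << 8) | buf[2] as usize;
    if buf[3] != FRAME_TYPE_SETTINGS {
        return Err("not a SETTINGS frame");
    }
    if buf[4] & SETTINGS_FLAG_ACK != 0 {
        return Ok(Vec::new());
    }
    if len % 6 != 0 {
        return Err("settings payload length not a multiple of 6");
    }
    let payload = buf.get(9..9 + len).ok_or("truncated settings payload")?;
    Ok(payload
        .chunks(6)
        .map(|c| {
            let id = u16::from_be_bytes([c[0], c[1]]);
            let value = u32::from_be_bytes([c[2], c[3], c[4], c[5]]);
            (id, value)
        })
        .collect())
}

impl State {
    /// Apply parsed settings seen in direction `dir`. The table size sent by
    /// one side limits the peer's encoder, so it is stored on the table that
    /// decodes the opposite direction (the same reversal as the patch).
    pub fn apply_settings(&mut self, dir: Direction, settings: &[(u16, u32)]) {
        for &(id, value) in settings {
            if id != SETTINGS_HEADER_TABLE_SIZE {
                continue;
            }
            let table = match dir {
                Direction::ToClient => &mut self.dyn_headers_ts,
                Direction::ToServer => &mut self.dyn_headers_tc,
            };
            table.max_size = value as usize;
            table.overflow = (value as usize) > MAX_TABLESIZE;
        }
    }
}

/// Build a SETTINGS frame with a single setting (constructed test input).
pub fn settings_frame(id: u16, value: u32) -> Vec<u8> {
    let mut f = vec![0x00, 0x00, 0x06, FRAME_TYPE_SETTINGS, 0x00, 0, 0, 0, 0];
    f.extend_from_slice(&id.to_be_bytes());
    f.extend_from_slice(&value.to_be_bytes());
    f
}

/// Replay the asymmetric exchange from the ticket: client says 65536, server
/// says 4096. Returns (max size of the ts table, max size of the tc table).
pub fn demo() -> (usize, usize) {
    let mut st = State::default();
    let from_client = settings_frame(SETTINGS_HEADER_TABLE_SIZE, 65536);
    let from_server = settings_frame(SETTINGS_HEADER_TABLE_SIZE, 4096);
    st.apply_settings(Direction::ToServer, &parse_settings_frame(&from_client).unwrap());
    st.apply_settings(Direction::ToClient, &parse_settings_frame(&from_server).unwrap());
    (st.dyn_headers_ts.max_size, st.dyn_headers_tc.max_size)
}

fn main() {
    println!("ts/tc table sizes: {:?}", demo());
}
```

With the reversal in place, the client's 65536 ends up on the server-to-client (tc) table and the server's 4096 on the client-to-server (ts) table; applying either value to both tables, as the code before the patch did, would let one decoder accept dynamic-table updates the real peer never agreed to, which is the kind of mismatch that surfaces as a spurious invalid_header anomaly.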
Updated by Philippe Antoine about 4 years ago
- Status changed from New to In Review
- Target version set to 6.0.0
Updated by Victor Julien about 4 years ago
- Status changed from In Review to Closed