Feature #4121
Parent task: Feature #4201: http2: full protocol support (closed)
http2: support file inspection API
Description
Originally reported as a bug with a single sig, this is really about properly supporting the file inspection API.
Adding

    alert http2 any any -> any any (flow:established,to_client; filemd5:test.md5; sid:5; rev:1;)

with

    15560fc6a1e4845498d8d952691afb11

in test.md5 should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.
Setting private as this first triggers #4120.
Updated by Victor Julien almost 4 years ago
This looks like it is caused by multiple issues. First, the "files" inspect engine is not registered for ALPROTO_HTTP2 (src/detect-filename.c). However, if this is done it still doesn't work. Since md5's are logged for these files, something else must be missing.
One thing to look at could be the hack SMB and NFS use before calling into Rust:
    static AppLayerResult SMBTCPParseRequest(Flow *f, void *state,
            AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len,
            void *local_data, const uint8_t flags)
    {
        SCLogDebug("SMBTCPParseRequest");
        /* derive the per-direction file flags from the flow, then tell the
         * Rust state that files must be kept around for detection */
        uint16_t file_flags = FileFlowToFlags(f, STREAM_TOSERVER);
        rs_smb_setfileflags(0, state, file_flags|FILE_USE_DETECT);
        ...
Updated by Victor Julien almost 4 years ago
- Tracker changed from Bug to Feature
- Subject changed from http2: filemd5 matching generates too many alerts to http2: support file inspection API
- Description updated (diff)
- Status changed from New to Assigned
- Assignee set to Philippe Antoine
- Target version changed from 6.0.1 to 7.0.0-beta1
Updated by Philippe Antoine almost 4 years ago
- Related to Bug #4076: http2: Memory leak when parsing signature with filestore added
Updated by Philippe Antoine almost 4 years ago
> should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

I get no alerts so far...
Updated by Philippe Antoine almost 4 years ago
> should trigger just a single alert in SV test http2-basic, yet it generates 23 alerts.

Ok, without the fix for #4076 it generates 23 alerts.
With the fix, it generates 0 alerts.
Updated by Philippe Antoine almost 4 years ago
DetectFileHashMatch gets called, but only 3 times.

eve.json shows that the first "event_type": "fileinfo" has "tx_id": 3 and no http data, when the first "event_type": "http" has "tx_id": 2.

Seems like the bug was that the file tracker was not using tx_id, but tx_id - 1.

FILE_USE_DETECT seems also needed, but for the rule

    alert http2 any any -> any any (file.data; content:!"html"; startswith; sid:7; rev:1;)
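The diagnosis above rests on reading eve.json by hand: compare the tx_id of each fileinfo event with the http events on the same flow, and count how many filemd5 alerts the list should have produced versus how many were logged. The following script automates that cross-check. It is an added example, not code from Suricata or from this ticket; it assumes the standard eve.json field names (event_type, flow_id, tx_id, fileinfo.md5, alert.signature_id), treats the hash list as one lowercase hex MD5 per line with '#' comment lines (the comment syntax is an assumption), and runs on a constructed sample rather than output captured from the http2-basic test.

```python
"""Cross-check fileinfo, http and alert events in an eve.json stream.

Added example, not Suricata's code. Field names follow the eve.json schema;
the sample stream and hash list below are constructed for illustration.
"""
import json

# Constructed hash list in test.md5 style: one lowercase hex MD5 per line.
# Treating '#' lines as comments is an assumption of this example.
HASH_LIST = """\
# test.md5
15560fc6a1e4845498d8d952691afb11
"""

# Constructed eve.json lines for one flow: http txs 2 and 3 are logged, but
# the file tracker attributed the second file to tx 4, which has no http
# event (the off-by-one symptom), and no alert was raised for sid 5.
# d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty body.
SAMPLE_EVE = """\
{"event_type":"http","flow_id":1,"tx_id":2,"http":{"url":"/index.html"}}
{"event_type":"fileinfo","flow_id":1,"tx_id":3,"fileinfo":{"filename":"index.html","md5":"15560fc6a1e4845498d8d952691afb11"}}
{"event_type":"http","flow_id":1,"tx_id":3,"http":{"url":"/style.css"}}
{"event_type":"fileinfo","flow_id":1,"tx_id":4,"fileinfo":{"filename":"style.css","md5":"d41d8cd98f00b204e9800998ecf8427e"}}
{"event_type":"alert","flow_id":1,"tx_id":2,"alert":{"signature_id":1}}
"""


def parse_eve(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def load_hash_list(text):
    """Return the set of hashes a filemd5 list would match against."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        hashes.add(line)
    return hashes


def by_type(events, event_type):
    return [e for e in events if e.get("event_type") == event_type]


def orphan_fileinfo(events):
    """fileinfo events whose (flow_id, tx_id) has no http event on the flow."""
    http_txs = {(e["flow_id"], e["tx_id"]) for e in by_type(events, "http")}
    return [e for e in by_type(events, "fileinfo")
            if (e["flow_id"], e.get("tx_id")) not in http_txs]


def expected_filemd5_alerts(events, hashes):
    """How many fileinfo events carry an MD5 on the list, i.e. how many
    alerts a filemd5 rule over that list should produce."""
    return sum(1 for e in by_type(events, "fileinfo")
               if e.get("fileinfo", {}).get("md5", "").lower() in hashes)


def alert_count(events, sid):
    """Alerts actually logged for one signature id."""
    return sum(1 for e in by_type(events, "alert")
               if e.get("alert", {}).get("signature_id") == sid)


def check(eve_text, hash_text, sid):
    """Summarise expected vs. logged alerts and tx_id mismatches."""
    events = parse_eve(eve_text)
    hashes = load_hash_list(hash_text)
    return {
        "expected_alerts": expected_filemd5_alerts(events, hashes),
        "actual_alerts": alert_count(events, sid),
        "orphan_fileinfo_tx": [(e["flow_id"], e["tx_id"])
                               for e in orphan_fileinfo(events)],
    }


if __name__ == "__main__":
    print(json.dumps(check(SAMPLE_EVE, HASH_LIST, 5), indent=2))
```

Run against a real eve.json and the rule's hash list, the report shows at a glance whether the alert count matches the number of listed hashes seen in fileinfo events, and lists any fileinfo event whose tx_id the file tracker attached to a transaction the HTTP logger never saw.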
Updated by Philippe Antoine almost 4 years ago
- Status changed from Assigned to In Review
- Target version changed from 7.0.0-beta1 to 6.0.1
Gitlab
Updated by Victor Julien almost 4 years ago
- Status changed from In Review to Closed
Updated by Victor Julien almost 4 years ago
- Parent task set to #4201
- Private changed from Yes to No