Bug #5754: I use the file-extraction to store the files transferred by HTTP2, but fileinfo does not have the filename field. - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Bug #5754

open

I use the file-extraction to store the files transferred by HTTP2, but fileinfo does not have the filename field.

Added by YuHan Xu almost 2 years ago. Updated about 1 year ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

6.0.8

Effort:

Difficulty:

Label:

Description

{"timestamp":"2022-12-09T06:02:08.553120+0000","flow_id":912881598130729,"in_iface":"ens256","event_type":"fileinfo","src_ip":"2.0.1.195","src_port":80,"dest_ip":"1.0.4.75","dest_port":61828,"proto":"TCP","http2":{"version":"2","response_headers":[{"name":":status","value":"200"},{"name":"content-type","value":"image/jpeg"}],"status":200,"http2":{"stream_id":1,"request":{},"response":{}}},"app_proto":"http2","fileinfo":{"sid":[3900017],"magic":"EICAR virus test files","gaps":false,"state":"CLOSED","md5":"44d88612fea8a8f36de82e1278abb02f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","stored":true,"file_id":2,"size":68,"tx_id":1},"host":"suricata"}
My yaml file,pcap and rules have been uploaded.

Files

Download all files

suricata.yaml (71.2 KB) suricata.yaml		YuHan Xu, 12/13/2022 09:25 AM
http2-get.pcap (32.3 KB) http2-get.pcap	test pcap	YuHan Xu, 12/13/2022 09:26 AM
filestore.rules (667 Bytes) filestore.rules	my rules	YuHan Xu, 12/13/2022 09:27 AM

Related issues 1 (0 open — 1 closed)

Related to Suricata - Documentation #5088: file.name sticky buffer is not documented

Closed

Jason Taylor

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Jason Taylor about 1 year ago

I wonder if this is related to something I came across while working on documentation for the file.name keyword.

http2 app layer does not seem to support file.name functionality, though according to the logs it would seem http2 applayer registers file.name support.

suricata --build-info
This is Suricata version 7.0.2-dev (bb15a8f76 2023-09-29)

suricata.log entries:
Info: output-filestore: forcing filestore of all files [OutputFilestoreLogInitCtx:output-filestore.c:444]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:878]
Perf: ippair: ippair memory usage: 0 bytes, maximum: 0 [IPPairPrintStats:ippair.c:296]
Error: detect-parse: protocol HTTP2 doesn't support file name matching [SigValidate:detect-parse.c:2084]
Error: detect: error parsing signature "alert http2 any any -> any any (msg:"smb layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:2; rev:1;)" from file /rules/test.rules at line 3 [DetectLoadSigFile:detect-engine-loader.c:180]
Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed [SigLoadSignatures:detect-engine-loader.c:350]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1045]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1499]
Perf: detect: TCP toserver: 1 port groups, 1 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: TCP toclient: 1 port groups, 1 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toserver: 0 port groups, 0 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toclient: 0 port groups, 0 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies [RulesGroupByProto:detect-engine-build.c:1049]
Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies [RulesGroupByProto:detect-engine-build.c:1082]
Perf: detect: Unique rule groups: 2 [SigAddressPrepareStage4:detect-engine-build.c:1858]
Perf: detect: Builtin MPM "toserver TCP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient TCP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toserver TCP stream": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient TCP stream": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toserver UDP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "toclient UDP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: Builtin MPM "other IP packet": 0 [MpmStoreReportStats:detect-engine-mpm.c:1480]
Perf: detect: AppLayer MPM "toclient file.name (nfs)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (nfs)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (smb)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (smb)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (ftp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (ftp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (ftp-data)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (ftp-data)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toclient file.name (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Perf: detect: AppLayer MPM "toserver file.name (smtp)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1487]
Info: unix-manager: unix socket '/suri/suri.socket' [UnixNew:unix-manager.c:136]
Notice: threads: Threads created -> Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890]

Actions

Copy link

Updated by Jason Taylor about 1 year ago

the rules that were in the sig file to be loaded:

alert http any any -> any any (msg:"http2 layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:1; rev:1;)

alert http2 any any -> any any (msg:"smb layer file.name keyword usage"; file.name; content:"file.txt"; classtype:bad-unknown; sid:2; rev:1;)

Actions

Copy link

Updated by Victor Julien about 1 year ago

Looking at the pcap, there is no specific filename in the traffic. There is the URL, which I think is what we use in HTTP1 as the filename (unless we're doing the multi-part thing). @Philippe Antoine should we set the URL as the filename for HTTP2?

Actions

Copy link