Bug #5780

closed

HTTP/2 - FN when matching on multiple http2.header contents

Added by Brandon Murphy almost 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal

Description

It appears that when attempting to combine two different HTTP2 headers into a single rule, no alert is produced.

Consider the following rules and the attached pcap, which contains a single tcp session with a single HTTP2 stream.

alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Single Header - Authority"; flow:established,to_server; http2.header; content:"authority: bugertor"; sid:1;)
alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Single Header - Method"; flow:established,to_server; http2.header; content:"method: GET"; sid:2;)
alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; flow:established,to_server; http2.header; content:"method: GET"; content:"authority: bugertor.com"; sid:3;)

Current Behavior

Only sid:1 and sid:2 fire

Expected Behavior

All three signatures should fire.

HTTP Keyword Overloading

Once the correct http2 configuration option is enabled (http1-rules), using the standard http1 keywords (http.method, http.host) the below signature works as expected.

alert http $HOME_NET any -> any any (msg:"HTTP2 - Overload Test"; flow:established,to_server; http.method; content:"GET"; http.host; content:"bugertor.com"; sid:4;)
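To show where the false negative comes from, the following is an added Python model (not Suricata's code) of the two possible matching semantics for a multi-buffer keyword such as http2.header: each HTTP/2 header is presented to the engine as its own buffer, and under per-buffer semantics every content attached to the sticky buffer has to match the same buffer instance. The header list, the 'name: value' buffer layout and the http.host/:authority mapping are constructed assumptions that mirror the rules in this report.

```python
# Added model (not Suricata code) of per-buffer vs cross-buffer matching on a
# multi-buffer keyword such as http2.header. Headers and layout are constructed.
HEADERS = [(":method", "GET"), (":scheme", "https"),
           (":authority", "bugertor.com"), (":path", "/")]

# Content matches of sid:1, sid:2 and sid:3 from the report.
RULES = {1: ["authority: bugertor"],
         2: ["method: GET"],
         3: ["method: GET", "authority: bugertor.com"]}

def http2_header_buffers(headers):
    # Assumption: each header is exposed as its own 'name: value' buffer. The
    # pseudo-header colon does not affect the substring matches in the report.
    return [f"{name}: {value}" for name, value in headers]

def match_per_buffer(buffers, contents):
    # All contents attached to the sticky buffer must match the *same* buffer
    # instance; no single header is both the method and the authority.
    return any(all(c in buf for c in contents) for buf in buffers)

def match_cross_buffer(buffers, contents):
    # Each content only has to match some buffer (what the reporter expected,
    # and what the related Feature #5784 asks for).
    return all(any(c in buf for buf in buffers) for c in contents)

def fired_sids(headers, cross_buffer=False):
    # Sids that fire on the request under the chosen semantics.
    bufs = http2_header_buffers(headers)
    matcher = match_cross_buffer if cross_buffer else match_per_buffer
    return sorted(sid for sid, contents in RULES.items() if matcher(bufs, contents))

def http1_keyword_match(headers, expected):
    # Model of sid:4: http.method and http.host are separate single buffers, so
    # each content is checked against its own buffer and the combination works.
    # Assumption: http.host is filled from :authority for HTTP/2.
    lookup = {name.lstrip(":"): value for name, value in headers}
    lookup["host"] = lookup.get("authority")
    return all(lookup.get(key) == value for key, value in expected.items())

if __name__ == "__main__":
    print("per-buffer:  ", fired_sids(HEADERS))        # [1, 2]
    print("cross-buffer:", fired_sids(HEADERS, True))  # [1, 2, 3]
    print("sid:4:", http1_keyword_match(HEADERS, {"method": "GET", "host": "bugertor.com"}))
```

Under per-buffer semantics sid:3 can never fire, whichever request is sent, which is the behaviour reported above; the cross-buffer variant is what the related feature request would provide.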


Files

http2_multiple_headers.pcap (1.7 KB) http2_multiple_headers.pcap Brandon Murphy, 01/10/2023 03:53 PM

Related issues (1: 0 open, 1 closed)

Related to Suricata - Feature #5784: detect: allow cross buffer inspection on multi-buffer matches (Closed, Victor Julien)