Suricata

for HTTP/2 transactions, pseduo headers are included in several buffers (http.header, http.request_header, http.response_header, http.header_names). The inclusion of them in buffers limits options for allowing existing signatures to be compatible with both HTTP/1 and HTTP/2.

Consider the following rule logic:

http.header_names; bsize:16; content:"|0d 0a|User-Agent|0d 0a 0d 0a|"; 

This logic will result in an FN when presented with HTTP/2 traffic due to the inclusion of `:authority`, `:path`, `:scheme` and `:method`.

As such, i'm requesting a transformation that could be used to remove pseudo headers and, when present, their values from a buffer.