Bug #5780
Updated by Brandon Murphy almost 2 years ago
It appears that when attempting to combine two different HTTP2 headers into a single rule, no alert is produced. Consider the following rules and the attached pcap, which contains a single TCP session with a single HTTP2 stream.

<pre>
alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Single Header - Authority"; flow:established,to_server; http2.header; content:"authority: bugertor"; sid:1;)
alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Single Header - Method"; flow:established,to_server; http2.header; content:"method: GET"; sid:2;)
alert http2 $HOME_NET any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; flow:established,to_server; http2.header; content:"method: GET"; content:"authority: bugertor.com"; sid:3;)
</pre>

h3. Current Behavior

Only sid:1 and sid:2 fire.

h3. Expected Behavior

All three signatures should fire.

h3. HTTP Keyword Overloading

Once the correct http2 configuration option is enabled (http1-rules), using the standard http1 keywords (http.method, http.host) the below signature works as expected.

<pre>
alert http $HOME_NET any -> any any (msg:"HTTP2 - Overload Test"; flow:established,to_server; http.method; content:"GET"; http.host; content:"bugertor.com"; sid:4;)
</pre>
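The following is an added example, not code from the report or from Suricata: it builds one HTTP/2 HEADERS frame for a request to the host named in the report, decodes it the way a sensor must (HPACK, where a common header such as `:method GET` arrives as a one-byte static-table index rather than as literal text), renders the decoded headers as the `name: value` lines that the report's `http2.header` rules match against, and evaluates the three content matches to show the behaviour the report expects (all three sids hit). The HPACK subset (static-table indexed fields and literal-without-indexing, no Huffman coding), the CRLF line separator, and the retention of the leading colon on pseudo-header names are assumptions; the report's `content` strings are substrings either way.

```python
"""Added example (not from the bug report): HTTP/2 HEADERS frame -> HPACK decode
-> "name: value" buffer -> evaluate the report's http2.header rules.
Assumed: HPACK subset (static indexed fields, literal without indexing, no
Huffman); CRLF between header lines; pseudo-header names keep their colon."""
import struct

# Subset of the HPACK static table (RFC 7541, Appendix A) needed for this frame.
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
                4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https")}

def _hpack_string(s: str) -> bytes:
    # Length-prefixed string literal, H bit = 0 (no Huffman); lengths < 127 only.
    data = s.encode()
    assert len(data) < 127, "single-byte length prefix only"
    return bytes([len(data)]) + data

def hpack_encode(headers):
    """Exact static-table hits become a 1-byte indexed field; anything else is a
    literal header field without indexing with a new name (0x00 prefix)."""
    out = bytearray()
    for name, value in headers:
        idx = next((i for i, nv in STATIC_TABLE.items() if nv == (name, value)), None)
        if idx is not None:
            out.append(0x80 | idx)          # 1xxxxxxx: indexed header field
        else:
            out.append(0x00)                # 00000000: literal, new name
            out += _hpack_string(name) + _hpack_string(value)
    return bytes(out)

def _read_string(buf, pos):
    first = buf[pos]
    assert first & 0x80 == 0, "Huffman-coded strings not supported here"
    length = first & 0x7F
    return buf[pos + 1:pos + 1 + length].decode(), pos + 1 + length

def hpack_decode(buf):
    headers, pos = [], 0
    while pos < len(buf):
        b = buf[pos]
        if b & 0x80:                        # indexed header field (static table)
            headers.append(STATIC_TABLE[b & 0x7F]); pos += 1
        elif b == 0x00:                     # literal without indexing, new name
            name, pos = _read_string(buf, pos + 1)
            value, pos = _read_string(buf, pos)
            headers.append((name, value))
        else:
            raise ValueError(f"unsupported HPACK representation 0x{b:02x}")
    return headers

def headers_frame(headers, stream_id=1):
    """HTTP/2 frame: 24-bit length, type 0x1 (HEADERS), flags END_STREAM|END_HEADERS,
    31-bit stream id, then the HPACK block."""
    payload = hpack_encode(headers)
    hdr = (struct.pack(">I", len(payload))[1:] + bytes([0x01, 0x05])
           + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return hdr + payload

def parse_headers_frame(frame):
    length = int.from_bytes(frame[:3], "big")
    assert frame[3] == 0x01, "not a HEADERS frame"
    return hpack_decode(frame[9:9 + length])

def http2_header_buffer(headers):
    """Render decoded headers as one "name: value" line per header (assumed layout)."""
    return "\r\n".join(f"{n}: {v}" for n, v in headers)

RULES = {  # sid -> the content matches from the report; all must hit the buffer
    1: ["authority: bugertor"],
    2: ["method: GET"],
    3: ["method: GET", "authority: bugertor.com"],
}

def evaluate(buffer, rules=RULES):
    return {sid: all(c in buffer for c in contents) for sid, contents in rules.items()}

def demo():
    # Constructed request on a single stream, using the host from the report.
    req = [(":method", "GET"), (":scheme", "https"),
           (":authority", "bugertor.com"), (":path", "/")]
    frame = headers_frame(req)
    buf = http2_header_buffer(parse_headers_frame(frame))
    return frame, buf, evaluate(buf)

if __name__ == "__main__":
    frame, buf, hits = demo()
    print(frame.hex())
    print(buf)
    print(hits)   # expected behaviour from the report: all three sids True
```

The point of decoding before matching is visible in the frame bytes: `:method: GET` never appears as text on the wire (it is the single byte 0x82), so a raw-payload `content` match could never see it, and any multi-`content` rule on `http2.header` has to be evaluated against the fully decoded header list, which is what the report's sid:3 expects.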