"service http,http2;" if that is the desired behavior. Eventually
support for http implies http2 may be deprecated and removed.
+Occasionally one needs a rule that looks at the content of the raw HTTP/2 frame, for example to match
+some odd value for an identifier in a settings frame:
+
+ alert http2 (
+ msg:"SETTINGS frame with odd max frame size";
+ flow:to_server,established;
+ http2_frame_header; content:"|04|",offset 3,depth 1;
+ http2_frame_data; content:"|00 05 12 34 56 78|";
+ sid:1;
+ )
+
+Here http2_frame_header represents the 9 bytes of the HTTP/2 header of the frame, and
+http2_frame_data represents the data part of the same frame after any padding was removed.
+
+Support for http2_frame_header is limited to data, headers, settings and push promise frames, while
+support for http2_frame_data is limited to headers, settings, push promise and continuation frames.
+
+For frames that support both http2_frame_header and http2_frame_data the rule has to match both
+on the same frame as in the example above.
+
+When http2_frame_data is matching on a headers or push promise continuation frame, http2_frame_header
+will match on the header of the headers or push promise frame. In the example below the header string
+is matched on a continuation of a headers frame.
+
+ alert http2 (
+ http2_frame_header; content:"|01|", offset 3, depth 1;
+ http2_frame_data; content:"header";
+ sid:1;
+ )
+
+In the example below the header string is matched on a continuation of a push promise frame.
+
+ alert http2 (
+ http2_frame_header; content:"|05|", offset 3, depth 1;
+ http2_frame_data; content:"header";
+ sid:1;
+ )
+
+Matching http2_frame_header on a data frame may be mixed matching on its payload, and, as one would
+expect, the http2_frame_header is the one from the data frame that is matching the payload.
+
+ alert http2 (
+ http2_frame_header; content:"|00|", offset 3, depth 1;
+ file_data; content:"response";
+ sid:1;
+ )
+
+Mixing the two HTTP/2 frame options with HTTP options at the level of an HTTP transaction (where the
+two matches correspond to different HTTP/2 frames) is not recommended. This is an example that will
+not work, it tries to match on the header of a data frame and the payload of a headers frame.
+
+ alert http2 (
+ msg:"DO NOT ATTEMPT - THIS RULE WILL NOT WORK";
+ http2_frame_header; content:"|00|", offset 3, depth 1;
+ http_method; content:"GET";
+ sid:1;
+ )
+
+
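Review bot: the first example writes `content:"|04|",offset 3,depth 1` without spaces after the commas while every later example writes `offset 3, depth 1`; use one form throughout the new section. It would also help to state once that `offset 3, depth 1` selects the type byte of the 9-byte frame header (3-byte length, 1-byte type, 1-byte flags, 4-byte stream id), so the reader knows why `|04|` is SETTINGS, `|01|` HEADERS, `|05|` PUSH_PROMISE and `|00|` DATA in the examples. Two wording issues: "may be mixed matching on its payload" reads as a typo for "may be mixed with matching on its payload", and the last paragraph first says mixing frame options with transaction-level HTTP options is "not recommended" and then that the example "will not work"; if such a rule can never match, say so plainly rather than "not recommended".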
return MATCH;
}
-#ifdef REG_TEST
+//-------------------------------------------------------------------------
+// http2_frame_data
+//-------------------------------------------------------------------------
+
+#undef IPS_OPT
+#define IPS_OPT "http2_frame_data"
+#undef IPS_HELP
+#define IPS_HELP "rule option to set detection cursor to the HTTP/2 frame body"
+
+static Module* frame_data_mod_ctor()
+{
+ return new Http2CursorModule(IPS_OPT, IPS_HELP, HTTP2_BUFFER_FRAME_DATA, CAT_SET_OTHER,
+ PSI_FRAME_DATA);
+}
+
+static const IpsApi frame_data_api =
+{
+ {
+ PT_IPS_OPTION,
+ sizeof(IpsApi),
+ IPSAPI_VERSION,
+ 1,
+ API_RESERVED,
+ API_OPTIONS,
+ IPS_OPT,
+ IPS_HELP,
+ frame_data_mod_ctor,
+ Http2CursorModule::mod_dtor
+ },
+ OPT_TYPE_DETECTION,
+ 0, PROTO_BIT__TCP,
+ nullptr,
+ nullptr,
+ nullptr,
+ nullptr,
+ Http2IpsOption::opt_ctor,
+ Http2IpsOption::opt_dtor,
+ nullptr
+};
+
//-------------------------------------------------------------------------
// http2_frame_header
//-------------------------------------------------------------------------
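Review bot: dropping the `#ifdef REG_TEST` at the top of this hunk makes `http2_frame_data` and the existing `http2_frame_header` part of every build rather than regression-test builds only; if that is intended, the commit message and documentation should say the options are now generally available, otherwise the guard should be moved below the new block rather than removed. Minor: `IPS_HELP` for the new option ("rule option to set detection cursor to the HTTP/2 frame body") could mention that the body is delivered with padding removed, as the documentation states, so `snort --help-options` matches the manual.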
Http2IpsOption::opt_dtor,
nullptr
};
-#endif
#ifdef REG_TEST
//-------------------------------------------------------------------------
//-------------------------------------------------------------------------
// plugins
//-------------------------------------------------------------------------
-#ifdef REG_TEST
+const BaseApi* ips_http2_frame_data = &frame_data_api.base;
const BaseApi* ips_http2_frame_header = &frame_header_api.base;
+#ifdef REG_TEST
const BaseApi* ips_http2_decoded_header = &decoded_header_api.base;
#endif
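Review bot: `ips_http2_frame_data` is exported here next to `ips_http2_frame_header`, but this hunk does not show the new symbol being added to the inspector's plugin list, so confirm the option is actually registered with the engine and not just declared. The moved `#ifdef REG_TEST` now leaves only `ips_http2_decoded_header` as reg-test-only, which is consistent with the guards removed around the option definitions above.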