Merge pull request #1971 in SNORT/snort3 from ~DERAMADA/snort3:doc_h2i_manual_update...

Squashed commit of the following:

commit d5be2e81ccc7858c1857f0233a424b68d6f18f35
Author: deramada <deramada@cisco.com>
Date:   Wed Jan 29 15:00:03 2020 -0500

    doc: manual updates for HTTP/2

diff --git a/doc/http2_inspect.txt b/doc/http2_inspect.txt
index 6233d041c82f28ef26ec5f9b52db2fdafb4539bc..6db65d6a2971fbe36acb67821169ef9303f9666d 100644 (file)
--- a/doc/http2_inspect.txt
+++ b/doc/http2_inspect.txt
@@ -37,6 +37,30 @@ These can be combined:
 Frame type 0 is DATA which carries the HTTP message body. This rule will
 search for MaLwArE inside an HTTP message body.
 
+To smooth the transition to inspecting HTTP/2, rules that specify 
+service:http will be treated as if they also specify service:http2. 
+Thus:
+
+    alert tcp any any -> any any (flow:established, to_server;
+    http_uri; content:"/foo"; 
+    service: http; sid:10; rev:1;)
+
+is understood to mean:
+
+    alert tcp any any -> any any (flow:established, to_server; 
+    http_uri; content:"/foo"; 
+    service: http,http2; sid:10; rev:1;)
+
+Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 traffic.
+
+The reverse is not true. "service: http2" without http will match on HTTP/2 
+flows but not HTTP/1 flows.
+
+This feature makes it easy to add HTTP/2 inspection without modifying 
+large numbers of existing rules. New rules should explicitly specify 
+"service http,http2;" if that is the desired behavior. Eventually 
+support for http implies http2 may be deprecated and removed.
+
 In the future, http2_inspect will support HPACK header decompression and
 be fully integrated with http_inspect to provide full inspection of the
 individual HTTP/1.1 streams.