Merge pull request #2570 in SNORT/snort3 from ~MDAGON/snort3:doc_react2 to master

Squashed commit of the following:

commit 5a8126c7228ba454e3e187e2f524e3b8bf6de5a7
Author: mdagon <mdagon@cisco.com>
Date:   Wed Oct 21 10:43:04 2020 -0400

    actions: react supports HTTP/2

diff --git a/doc/user/active.txt b/doc/user/active.txt
index 12eb504316b856fc31d2c2a5780129b2fae577f8..5ea2d0475dab36ecc6a5266c5b7c24ef49ac19b2 100644 (file)
--- a/doc/user/active.txt
+++ b/doc/user/active.txt
@@ -91,7 +91,7 @@ The headers used are:
     "HTTP/1.1 403 Forbidden\r\n" \
     "Connection: close\r\n" \
     "Content-Type: text/html; charset=utf-8\r\n" \
-    "Content-Length: 439\r\n" \
+    "Content-Length: 438\r\n" \
     "\r\n"
 
 The page to be sent can be read from a file:
@@ -115,13 +115,26 @@ or else the default is used:
     "</html>\r\n"
 
 Note that the file contains the message body only. The headers will be added
-with an updated value for Content-Length.
+with an updated value for Content-Length. For HTTP/2 traffic Snort will
+translate the page to HTTP/2 format.
+
+Limitations for HTTP/2:
+
+* Packet will be injected against the last received stream id.
+
+* Injection triggered while server-to-client flow of traffic is in a middle
+of a frame is not supported. The traffic will be blocked, but the page will
+not be injected/displayed.
 
 When using react, payload injector must be configured as well.
+Also Snort should be in ips mode, so the rule is triggered on the client
+packet, and not delayed until the server sends ACK. To achieve this use
+the default normalizer. It will set normalizer.tcp.ips = true. 
 Example:
     
     react = { page = "my_block_page.html" }
     payload_injector = { }
+    normalizer = { }
     
     local_rules =
     [[