Merge pull request #2667 in SNORT/snort3 from ~THOPETER/snort3:h2i19 to master

Squashed commit of the following:

commit ec134c29fde5e04d049e59c04363b0244abc8aec
Author: Tom Peters <thopeter@cisco.com>
Date:   Tue Dec 1 12:39:37 2020 -0500

    http_inspect: script detection for HTTP/2

diff --git a/src/service_inspectors/http_inspect/http_cutter.cc b/src/service_inspectors/http_inspect/http_cutter.cc
index 139d046624d81a2303c3661f9125d8909910090b..595994be2f1920dbffca5a1ed1f873442e2426e6 100644 (file)
--- a/src/service_inspectors/http_inspect/http_cutter.cc
+++ b/src/service_inspectors/http_inspect/http_cutter.cc
@@ -716,7 +716,7 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
     return accelerate_this_packet ? SCAN_NOT_FOUND_ACCELERATE : SCAN_NOT_FOUND;
 }
 
-ScanResult HttpBodyH2Cutter::cut(const uint8_t* /*buffer*/, uint32_t length,
+ScanResult HttpBodyH2Cutter::cut(const uint8_t* buffer, uint32_t length,
     HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool /*stretch*/,
     H2BodyState state)
 {
@@ -756,12 +756,14 @@ ScanResult HttpBodyH2Cutter::cut(const uint8_t* /*buffer*/, uint32_t length,
             // Not enough data yet to create a message section
             octets_seen += length;
             total_octets_scanned += length;
-            return SCAN_NOT_FOUND;
+            return need_accelerated_blocking(buffer, length) ?
+                SCAN_NOT_FOUND_ACCELERATE : SCAN_NOT_FOUND;
         }
         else
         {
             num_flush = flow_target - octets_seen;
             total_octets_scanned += num_flush;
+            need_accelerated_blocking(buffer, num_flush);
             return SCAN_FOUND_PIECE;
         }
     }

diff --git a/src/service_inspectors/http_inspect/http_cutter.h b/src/service_inspectors/http_inspect/http_cutter.h
index 7d55b9353757edd30402afcb5af264459aded910..093259137ab8086e775eff53ac7ffcd881b91689 100644 (file)
--- a/src/service_inspectors/http_inspect/http_cutter.h
+++ b/src/service_inspectors/http_inspect/http_cutter.h
@@ -186,8 +186,8 @@ public:
         HttpEnums::CompressId compression) :
         HttpBodyCutter(accelerated_blocking, compression), expected_body_length(expected_length)
         {}
-    HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
-        uint32_t flow_target, bool stretch, HttpEnums::H2BodyState state) override;
+    HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions*,
+        HttpEventGen*, uint32_t flow_target, bool stretch, HttpEnums::H2BodyState state) override;
 private:
     int64_t expected_body_length;
     uint32_t total_octets_scanned = 0;

diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index cd98bcb0cfd1a891beca9ad9707e648f1bf4e393..d676447f344a5a7aae55ef0a608c8e9db6e75017 100755 (executable)
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -397,9 +397,10 @@ void HttpMsgHeader::prepare_body()
 
     if (source_id == SRC_SERVER)
     {
+        // detained inspection not supported for HTTP/2
         if (params->script_detection)
             session_data->accelerated_blocking[source_id] = AB_INSPECT;
-        else if (params->detained_inspection)
+        else if ((params->detained_inspection) && !session_data->for_http2)
             session_data->accelerated_blocking[source_id] = AB_DETAIN;
     }
 

diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
index 150ee40613cafc469a66eda8444e8cee55d0b289..c0b0060633be3cf0266b0f3d701fcd415d51f231 100644 (file)
--- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
@@ -88,7 +88,7 @@ HttpCutter* HttpStreamSplitter::get_cutter(SectionType type,
     case SEC_BODY_H2:
         return (HttpCutter*)new HttpBodyH2Cutter(
             session_data->data_length[source_id],
-            AB_NONE,
+            session_data->accelerated_blocking[source_id],
             session_data->compression[source_id]);
     default:
         assert(false);