From: Mike Stepanek (mstepane) Date: Thu, 30 Jan 2020 18:31:34 +0000 (+0000) Subject: Merge pull request #1971 in SNORT/snort3 from ~DERAMADA/snort3:doc_h2i_manual_update... X-Git-Tag: 3.0.0-268~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0287e6167240e075fbe4c20ff2b4ba3b2a85b5e2;p=thirdparty%2Fsnort3.git Merge pull request #1971 in SNORT/snort3 from ~DERAMADA/snort3:doc_h2i_manual_update to master Squashed commit of the following: commit d5be2e81ccc7858c1857f0233a424b68d6f18f35 Author: deramada Date: Wed Jan 29 15:00:03 2020 -0500 doc: manual updates for HTTP/2 --- diff --git a/doc/http2_inspect.txt b/doc/http2_inspect.txt index 6233d041c..6db65d6a2 100644 --- a/doc/http2_inspect.txt +++ b/doc/http2_inspect.txt @@ -37,6 +37,30 @@ These can be combined: Frame type 0 is DATA which carries the HTTP message body. This rule will search for MaLwArE inside an HTTP message body. +To smooth the transition to inspecting HTTP/2, rules that specify +service:http will be treated as if they also specify service:http2. +Thus: + + alert tcp any any -> any any (flow:established, to_server; + http_uri; content:"/foo"; + service: http; sid:10; rev:1;) + +is understood to mean: + + alert tcp any any -> any any (flow:established, to_server; + http_uri; content:"/foo"; + service: http,http2; sid:10; rev:1;) + +Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 traffic. + +The reverse is not true. "service: http2" without http will match on HTTP/2 +flows but not HTTP/1 flows. + +This feature makes it easy to add HTTP/2 inspection without modifying +large numbers of existing rules. New rules should explicitly specify +"service http,http2;" if that is the desired behavior. Eventually +support for http implies http2 may be deprecated and removed. + In the future, http2_inspect will support HPACK header decompression and be fully integrated with http_inspect to provide full inspection of the individual HTTP/1.1 streams.
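Review bot: the example's conclusion, "it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 traffic", sits uneasily with the unchanged paragraph right after the hunk, which states that HPACK header decompression and full integration with http_inspect are still future work; since an HTTP/2 request's path is carried in HPACK-encoded header blocks, the text should state whether http_uri actually populates on HTTP/2 flows today, or whether the implied service:http2 only makes the rule eligible for HTTP/2 flows, with header-buffer matches depending on HPACK support landing later. Two smaller points in the same hunk: the recommended form is written as "service http,http2;" while both example rules use the option syntax "service: http,http2;", so the colon should be used consistently, and the closing sentence reads better as "Eventually, the treatment of http as implying http2 may be deprecated and removed."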