From: Tom Peters (thopeter) Date: Wed, 23 Jun 2021 04:08:57 +0000 (+0000) Subject: Merge pull request #2950 in SNORT/snort3 from ~KATHARVE/snort3:doc_h2i to master X-Git-Tag: 3.1.7.0~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07d0e2c1df361011fde7314abb2ffacc33926c79;p=thirdparty%2Fsnort3.git Merge pull request #2950 in SNORT/snort3 from ~KATHARVE/snort3:doc_h2i to master Squashed commit of the following: commit d3d998e9162a3ab633e7c321838b496e3b2fcf75 Author: Katura Harvey Date: Tue Jun 22 12:01:03 2021 -0400 doc: updates for http2_inspect --- diff --git a/doc/user/http2_inspect.txt b/doc/user/http2_inspect.txt index 641b301ba..4312197c8 100644 --- a/doc/user/http2_inspect.txt +++ b/doc/user/http2_inspect.txt 
@@ -1,13 +1,38 @@ -Snort 3 is developing an inspector for HTTP/2. +New in Snort 3, the HTTP/2 inspector enables Snort to process HTTP/2 traffic. -You can configure it by adding: +==== Overview + +Despite the name, it is better to think of HTTP/2 not as a newer version of HTTP/1.1, but rather a +separate protocol layer that runs under HTTP/1.1 and on top of TLS or TCP. It supports several new +features with the goal of improving the performance of HTTP requests, notably the ability to +multiplex many requests over a single TCP connection, HTTP header compression, and server push. + +HTTP/2 is a perfect fit for the new Snort 3 PDU-based inspection architecture. The HTTP/2 inspector +parses and strips the HTTP/2 protocol framing and outputs HTTP/1.1 messages, exactly what +http_inspect wants to input. The HTTP/2 traffic then undergoes the same processing as regular +HTTP/1.1 traffic discussed above. So if you haven't already, take a look at the HTTP Inspector +section; those features also apply to HTTP/2 traffic. + +==== Configuration + +You can configure the HTTP/2 inspector with the default configuration by adding: http2_inspect = {} -to your snort.lua configuration file. +to your snort.lua configuration file. Since processing HTTP/2 traffic relies on the HTTP inspector, +http_inspect must also be configured. Keep in mind that the http_inspect configuration will also +impact HTTP/2 traffic. + +===== concurrent_streams_limit +This limits the maximum number of HTTP/2 streams Snort will process concurrently in a single HTTP/2 +flow. The default and minimum configurable value is 100. It can be configured up to a maximum of +1000. + +==== Detection rules -To smooth the transition to inspecting HTTP/2, rules that specify -service:http will be treated as if they also specify service:http2. +Since HTTP/2 traffic is processed through the HTTP inspector, all of the rule options discussed +above are also available for HTTP/2 traffic. 
To smooth the transition to inspecting HTTP/2, rules +that specify service:http will be treated as if they also specify service:http2. Thus: alert tcp any any -> any any (flow:established, to_server; diff --git a/doc/user/http_inspect.txt b/doc/user/http_inspect.txt index 10b180b08..cb7df1eb1 100755 --- a/doc/user/http_inspect.txt +++ b/doc/user/http_inspect.txt @@ -40,14 +40,6 @@ Want to ask questions that involve both the client request and the server response? Or different requests in the same session? These things are possible. -Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from -Google’s SPDY project and is in the process of being standardized. Despite -the name, it is better to think of HTTP/2 not as a newer version of -HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and -on top of TLS or TCP. It’s a perfect fit for the new Snort 3 architecture -because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but -not any underlying packets. Exactly what http_inspect wants to input. - http_inspect is taking a very different approach to HTTP header fields. The classic preprocessor divides all the HTTP headers following the start line into cookies and everything else. It normalizes the two pieces using a
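Review bot: the new concurrent_streams_limit subsection in the http2_inspect.txt hunk gives the range (default and minimum 100, maximum 1000) but not what Snort does when a flow exceeds it, which is the detail an operator needs before raising or leaving the value; please state whether excess streams are skipped, alerted on, or cause the flow to stop being inspected. It would also help to show the option in context, since the only snippet in the section is the bare default, e.g. `http2_inspect = { concurrent_streams_limit = 200 }`, and to note that the limit is per HTTP/2 flow rather than global, which the prose says but a reader skimming for the knob may miss.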
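Review bot: dropping the stale "on the horizon" HTTP/2 paragraph from http_inspect.txt is the right call (it still says HTTP/2 "is in the process of being standardized"), but the http_inspect.txt hunk leaves no pointer back to the new HTTP/2 section, while the http2_inspect.txt text tells readers to "take a look at the HTTP Inspector section" and warns that "the http_inspect configuration will also impact HTTP/2 traffic". A reader who only opens the HTTP Inspector section will not learn that their settings also govern HTTP/2; consider replacing the removed paragraph with a one-line cross-reference to http2_inspect so the dependency is documented from both sides.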