From: Mike Stepanek (mstepane) Date: Mon, 26 Oct 2020 15:48:32 +0000 (+0000) Subject: Merge pull request #2570 in SNORT/snort3 from ~MDAGON/snort3:doc_react2 to master X-Git-Tag: 3.0.3-4~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5993323d0e10c87359f66b6fe6b16b0232b9ed78;p=thirdparty%2Fsnort3.git Merge pull request #2570 in SNORT/snort3 from ~MDAGON/snort3:doc_react2 to master Squashed commit of the following: commit 5a8126c7228ba454e3e187e2f524e3b8bf6de5a7 Author: mdagon Date: Wed Oct 21 10:43:04 2020 -0400 actions: react supports HTTP/2 --- diff --git a/doc/user/active.txt b/doc/user/active.txt index 12eb50431..5ea2d0475 100644 --- a/doc/user/active.txt +++ b/doc/user/active.txt @@ -91,7 +91,7 @@ The headers used are: "HTTP/1.1 403 Forbidden\r\n" \ "Connection: close\r\n" \ "Content-Type: text/html; charset=utf-8\r\n" \ - "Content-Length: 439\r\n" \ + "Content-Length: 438\r\n" \ "\r\n" The page to be sent can be read from a file: @@ -115,13 +115,26 @@ or else the default is used: "\r\n" Note that the file contains the message body only. The headers will be added -with an updated value for Content-Length. +with an updated value for Content-Length. For HTTP/2 traffic Snort will +translate the page to HTTP/2 format. + +Limitations for HTTP/2: + +* Packet will be injected against the last received stream id. + +* Injection triggered while server-to-client flow of traffic is in a middle +of a frame is not supported. The traffic will be blocked, but the page will +not be injected/displayed. When using react, payload injector must be configured as well. +Also Snort should be in ips mode, so the rule is triggered on the client +packet, and not delayed until the server sends ACK. To achieve this use +the default normalizer. It will set normalizer.tcp.ips = true. Example: react = { page = "my_block_page.html" } payload_injector = { } + normalizer = { } local_rules = [[
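Review bot: In the first hunk of doc/user/active.txt (@@ -91,7 +91,7), the Content-Length change from 439 to 438 cannot be checked from this patch: the default page body is not part of the hunk, and the commit message ("actions: react supports HTTP/2") does not mention it. Please state in the commit message why the length changed and confirm that 438 is the byte count of the default body, since a documented header that disagrees with the body it describes misleads anyone copying it into their own page.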
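Review bot: In the second hunk of doc/user/active.txt (@@ -115,13 +115,26), the limitation "Packet will be injected against the last received stream id." does not say what the user will observe when a connection carries several concurrent streams and the last received stream is not the one that matched the rule; please spell out that consequence. Two wording points in the same hunk: "is in a middle of a frame" should read "is in the middle of a frame", and "Also Snort should be in ips mode" would be clearer as a requirement, with a sentence on what happens to the block page when normalizer.tcp.ips is not set, given that the text just above says payload injector "must be configured as well".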