From: Tom Peters (thopeter) Date: Mon, 24 May 2021 20:26:37 +0000 (+0000) Subject: Merge pull request #2899 in SNORT/snort3 from ~NIHDESAI/snort3:h2_rule_options to... X-Git-Tag: 3.1.6.0~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a47a822234092f62b60b446610f16cf26be72c7d;p=thirdparty%2Fsnort3.git Merge pull request #2899 in SNORT/snort3 from ~NIHDESAI/snort3:h2_rule_options to master Squashed commit of the following: commit eee6084bae7e383f5b2dce1728b324cd2a4dd2e4 Author: Nihal Desai Date: Sun May 16 23:32:05 2021 -0400 http2_inspect: rule options and doc clean up --- diff --git a/doc/user/http2_inspect.txt b/doc/user/http2_inspect.txt index 85577ee4e..641b301ba 100644 --- a/doc/user/http2_inspect.txt +++ b/doc/user/http2_inspect.txt @@ -6,19 +6,6 @@ You can configure it by adding: to your snort.lua configuration file. -Everything has a beginning and for http2_inspect this is the beginning of -the beginning. - -Currently http2_inspect will divide an HTTP/2 connection into individual -frames. Two new rule options are available for looking at HTTP/2 frames: -http2_frame_header provides the 9-octet frame header. - - alert tcp any any -> any any (msg:"Frame type"; flow:established, - to_client; http2_frame_header; content:"|06|", offset 3, depth 1; - sid:1; rev:1; ) - -This will match if the Type byte of the frame header is 6 (PING). - To smooth the transition to inspecting HTTP/2, rules that specify service:http will be treated as if they also specify service:http2. Thus: @@ -43,6 +30,3 @@ large numbers of existing rules. New rules should explicitly specify "service http,http2;" if that is the desired behavior. Eventually support for http implies http2 may be deprecated and removed. -In the future, http2_inspect will be fully integrated with http_inspect to -provide full inspection of the individual HTTP/1.1 streams. - 
diff --git a/src/service_inspectors/http2_inspect/http2_api.cc b/src/service_inspectors/http2_inspect/http2_api.cc index 338f45d0d..ab3e8a731 100644 --- a/src/service_inspectors/http2_inspect/http2_api.cc +++ b/src/service_inspectors/http2_inspect/http2_api.cc @@ -38,9 +38,10 @@ Inspector* Http2Api::http2_ctor(Module* mod) const char* Http2Api::classic_buffer_names[] = { - "http2_frame_type", - "http2_raw_frame", +#ifdef REG_TEST + "http2_frame_header", "http2_decoded_header", +#endif nullptr }; @@ -72,8 +73,10 @@ const InspectApi Http2Api::http2_api = nullptr }; +#ifdef REG_TEST extern const BaseApi* ips_http2_frame_header; extern const BaseApi* ips_http2_decoded_header; +#endif #ifdef BUILDING_SO SO_PUBLIC const BaseApi* snort_plugins[] = @@ -82,8 +85,10 @@ const BaseApi* sin_http2[] = #endif { &Http2Api::http2_api.base, +#ifdef REG_TEST ips_http2_frame_header, ips_http2_decoded_header, +#endif nullptr }; diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h index 25d23a75a..e4fedee86 100644 --- a/src/service_inspectors/http2_inspect/http2_enum.h +++ b/src/service_inspectors/http2_inspect/http2_enum.h @@ -45,8 +45,7 @@ enum StreamState { STREAM_EXPECT_HEADERS, STREAM_EXPECT_BODY, STREAM_BODY, STREA // Message buffers available to clients // This enum must remain synchronized with Http2Api::classic_buffer_names[] -enum HTTP2_BUFFER { HTTP2_BUFFER_FRAME_HEADER = 1, HTTP2_BUFFER_FRAME_DATA, - HTTP2_BUFFER_DECODED_HEADER, HTTP2_BUFFER__MAX }; +enum HTTP2_BUFFER { HTTP2_BUFFER_FRAME_HEADER = 1, HTTP2_BUFFER_DECODED_HEADER, HTTP2_BUFFER__MAX }; // Peg counts // This enum must remain synchronized with Http2Module::peg_names[] in http2_tables.cc diff --git a/src/service_inspectors/http2_inspect/http2_frame.cc b/src/service_inspectors/http2_inspect/http2_frame.cc index 23ef47c82..b0843d7e7 100644 --- a/src/service_inspectors/http2_inspect/http2_frame.cc +++ b/src/service_inspectors/http2_inspect/http2_frame.cc 
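Review bot: In builds without REG_TEST the `classic_buffer_names[]` array in the first http2_api.cc hunk now holds only the `nullptr` terminator, while `enum HTTP2_BUFFER` in the http2_enum.h hunk still defines `HTTP2_BUFFER_FRAME_HEADER = 1` and `HTTP2_BUFFER_DECODED_HEADER`. The "must remain synchronized" comment above the enum is therefore only true for regression-test builds. I would extend that comment, e.g. `// Names exist in Http2Api::classic_buffer_names[] only when REG_TEST is defined`, so that nobody later indexes the name table by enum value in a release build. Whether any code outside these hunks performs such a lookup is not visible here.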
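Review bot: The `#ifdef REG_TEST` around `ips_http2_frame_header` and `ips_http2_decoded_header` in `sin_http2[]` (and around the matching `extern` declarations in the previous hunk) carries no comment saying that these rule options are now regression-test-only. The user doc hunk drops the `http2_frame_header` example without saying so either. Rules that still use either option will presumably be rejected as unknown when a release build loads them, which matters to anyone maintaining detection content. A short comment at the guard, such as `// http2_frame_header and http2_decoded_header are registered for regression tests only`, plus a release-note line, would make the intent explicit.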
@@ -115,8 +115,6 @@ const Field& Http2Frame::get_buf(unsigned id) { case HTTP2_BUFFER_FRAME_HEADER: return header; - case HTTP2_BUFFER_FRAME_DATA: - return data; default: return Field::FIELD_NULL; } diff --git a/src/service_inspectors/http2_inspect/ips_http2.cc b/src/service_inspectors/http2_inspect/ips_http2.cc index c088a720f..8fe824486 100644 --- a/src/service_inspectors/http2_inspect/ips_http2.cc +++ b/src/service_inspectors/http2_inspect/ips_http2.cc @@ -81,6 +81,7 @@ IpsOption::EvalStatus Http2IpsOption::eval(Cursor& c, Packet* p) return MATCH; } +#ifdef REG_TEST //------------------------------------------------------------------------- // http2_frame_header //------------------------------------------------------------------------- @@ -120,7 +121,9 @@ static const IpsApi frame_header_api = Http2IpsOption::opt_dtor, nullptr }; +#endif +#ifdef REG_TEST //------------------------------------------------------------------------- // http2_decoded_header //------------------------------------------------------------------------- @@ -160,11 +163,13 @@ static const IpsApi decoded_header_api = Http2IpsOption::opt_dtor, nullptr }; +#endif //------------------------------------------------------------------------- // plugins //------------------------------------------------------------------------- - +#ifdef REG_TEST const BaseApi* ips_http2_frame_header = &frame_header_api.base; const BaseApi* ips_http2_decoded_header = &decoded_header_api.base; +#endif
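Review bot: The second ips_http2.cc hunk closes one `#ifdef REG_TEST` region with `#endif` and reopens another on the next non-blank line, and the third hunk does the same around the plugin pointers. Three separate guards thus cover what is one contiguous test-only stretch of the file. A single region from the `http2_frame_header` banner to the end of the `plugins` section, closed with `#endif // REG_TEST`, would be easier to audit and harder to unbalance in a later edit. The option definitions between the guards lie outside the hunks, so confirm that nothing there needs to stay in release builds.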