From: Philippe Antoine Date: Fri, 28 Jan 2022 13:02:32 +0000 (+0100) Subject: detect: checking validity of rules with http protocol X-Git-Tag: suricata-7.0.0-beta1~963 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf30eb344a851889d468f5caba75ad538e99143c;p=thirdparty%2Fsuricata.git detect: checking validity of rules with http protocol We want to check that a rule beginning with alert http can be valid, that is if either HTTP1 or HTTP2 is enabled. So, AppLayerProtoDetectGetProtoName will do a more complex check for this ALPROTO_HTTP (any).
---
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index accaf530c3..5b43b0a97c 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -2190,6 +2190,18 @@ AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
 const char *AppLayerProtoDetectGetProtoName(AppProto alproto)
 {
+ // Special case for http (any version) :
+ // returns "http" if both versions are enabled
+ // and returns "http1" or "http2" if only one version is enabled
+ if (alproto == ALPROTO_HTTP) {
+ if (alpd_ctx.alproto_names[ALPROTO_HTTP1]) {
+ if (alpd_ctx.alproto_names[ALPROTO_HTTP2]) {
+ return "http";
+ } // else
+ return alpd_ctx.alproto_names[ALPROTO_HTTP1];
+ } // else
+ return alpd_ctx.alproto_names[ALPROTO_HTTP2];
+ }
 return alpd_ctx.alproto_names[alproto];
 }
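Review bot: The new `ALPROTO_HTTP` branch has a fourth outcome that the comment above it omits: when neither HTTP1 nor HTTP2 is enabled, control reaches `return alpd_ctx.alproto_names[ALPROTO_HTTP2];`, which is presumably NULL given that the same entries are tested for truth just above. Since that NULL appears to be what rule validation keys on, I would state it in the comment, e.g. `// and returns NULL if neither version is enabled (callers must check before using the name)`. Callers are outside this hunk, so any that hand the result straight to a `%s` format or `strcmp` should be confirmed to handle NULL for `ALPROTO_HTTP`. As a style point, the `} // else` markers would be unnecessary if the three cases were written as guard clauses.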