From: Mike Stepanek (mstepane)
Date: Tue, 15 Dec 2020 22:41:36 +0000 (+0000)
Subject: Merge pull request #2667 in SNORT/snort3 from ~THOPETER/snort3:h2i19 to master
X-Git-Tag: 3.0.3-6~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db351e1fc6d46dcb05bbe6214413c84fa8e854ec;p=thirdparty%2Fsnort3.git
Merge pull request #2667 in SNORT/snort3 from ~THOPETER/snort3:h2i19 to master
Squashed commit of the following:
commit ec134c29fde5e04d049e59c04363b0244abc8aec
Author: Tom Peters
Date: Tue Dec 1 12:39:37 2020 -0500
http_inspect: script detection for HTTP/2
---
diff --git a/src/service_inspectors/http_inspect/http_cutter.cc b/src/service_inspectors/http_inspect/http_cutter.cc
index 139d04662..595994be2 100644
--- a/src/service_inspectors/http_inspect/http_cutter.cc
+++ b/src/service_inspectors/http_inspect/http_cutter.cc
@@ -716,7 +716,7 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
 return accelerate_this_packet ? SCAN_NOT_FOUND_ACCELERATE : SCAN_NOT_FOUND;
 }
-ScanResult HttpBodyH2Cutter::cut(const uint8_t* /*buffer*/, uint32_t length,
+ScanResult HttpBodyH2Cutter::cut(const uint8_t* buffer, uint32_t length,
 HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool /*stretch*/, H2BodyState state) {
@@ -756,12 +756,14 @@ ScanResult HttpBodyH2Cutter::cut(const uint8_t* /*buffer*/, uint32_t length,
 // Not enough data yet to create a message section
 octets_seen += length;
 total_octets_scanned += length;
- return SCAN_NOT_FOUND;
+ return need_accelerated_blocking(buffer, length) ?
+ SCAN_NOT_FOUND_ACCELERATE : SCAN_NOT_FOUND;
 }
 else
 {
 num_flush = flow_target - octets_seen;
 total_octets_scanned += num_flush;
+ need_accelerated_blocking(buffer, num_flush);
 return SCAN_FOUND_PIECE;
 }
 }
diff --git a/src/service_inspectors/http_inspect/http_cutter.h b/src/service_inspectors/http_inspect/http_cutter.h
index 7d55b9353..093259137 100644
--- a/src/service_inspectors/http_inspect/http_cutter.h
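Review bot: In the `else` branch of the second http_cutter.cc hunk the result of `need_accelerated_blocking(buffer, num_flush)` is discarded with no explanation, so a reader cannot tell whether the call is made for a side effect or whether a script hit in the flushed piece is being dropped. If the side effect is the intent (the helper's body is not visible here), a comment such as `// result unused: the piece is flushed either way; the call keeps script-detection state in step with the bytes consumed` would settle it. `buffer` was unnamed and unused before this commit and is now handed to the helper on both paths, so it is worth confirming that every caller supplies a readable pointer, including when `length` is 0. `HttpBodyH2Cutter::cut` starts and ends outside the hunk.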
+++ b/src/service_inspectors/http_inspect/http_cutter.h
@@ -186,8 +186,8 @@ public:
 HttpEnums::CompressId compression) : HttpBodyCutter(accelerated_blocking, compression), expected_body_length(expected_length) {}
- HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
- uint32_t flow_target, bool stretch, HttpEnums::H2BodyState state) override;
+ HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions*,
+ HttpEventGen*, uint32_t flow_target, bool stretch, HttpEnums::H2BodyState state) override;
 private:
 int64_t expected_body_length;
 uint32_t total_octets_scanned = 0;
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index cd98bcb0c..d676447f3 100755
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -397,9 +397,10 @@ void HttpMsgHeader::prepare_body()
 if (source_id == SRC_SERVER)
 {
+ // detained inspection not supported for HTTP/2
 if (params->script_detection)
 session_data->accelerated_blocking[source_id] = AB_INSPECT;
- else if (params->detained_inspection)
+ else if ((params->detained_inspection) && !session_data->for_http2)
 session_data->accelerated_blocking[source_id] = AB_DETAIN;
 }
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
index 150ee4061..c0b006063 100644
--- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
@@ -88,7 +88,7 @@ HttpCutter* HttpStreamSplitter::get_cutter(SectionType type,
 case SEC_BODY_H2:
 return (HttpCutter*)new HttpBodyH2Cutter(
 session_data->data_length[source_id],
- AB_NONE,
+ session_data->accelerated_blocking[source_id],
 session_data->compression[source_id]);
 default:
 assert(false);
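Review bot: The new comment `// detained inspection not supported for HTTP/2` in the http_msg_header.cc hunk sits above the `script_detection` test although it describes the `else if` beneath it; it belongs directly above that `else if`. With this guard, a configuration that enables only `detained_inspection` leaves `accelerated_blocking[source_id]` unset on this path for HTTP/2 server bodies, and nothing here tells the operator; the comment or the option's documentation should state that coverage gap. The inner parentheses are redundant: `else if (params->detained_inspection && !session_data->for_http2)`. `prepare_body` continues outside the hunk.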
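Review bot: In the http_stream_splitter_scan.cc hunk `HttpBodyH2Cutter` now receives whatever `session_data->accelerated_blocking[source_id]` holds, and the only thing visible in this commit that keeps `AB_DETAIN` away from it is the `for_http2` test in `HttpMsgHeader::prepare_body`, in a different file. Stating the invariant where the cutter is built would stop a later change to `prepare_body` from silently enabling a mode the commit calls unsupported: `assert(session_data->accelerated_blocking[source_id] != AB_DETAIN);` before the `return` in the `SEC_BODY_H2` case. `get_cutter` starts and ends outside the hunk.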