From 43dbb806dcc9d243600a81baad9593dd5360eb5e Mon Sep 17 00:00:00 2001 From: "Tom Peters (thopeter)" Date: Thu, 8 Mar 2018 10:48:34 -0500 Subject: [PATCH] Merge pull request #1124 in SNORT/snort3 from doc_http2 to master Squashed commit of the following: commit 1a0b7f8ae9abfa40457c821ebc05921c83f91b47 Author: Tom Peters Date: Mon Mar 5 11:55:14 2018 -0500 Manual updates for HTTP/2 --- doc/CMakeLists.txt | 1 + doc/features.txt | 4 ++++ doc/http2_inspect.txt | 43 +++++++++++++++++++++++++++++++++++++++++++ doc/http_inspect.txt | 4 ---- 4 files changed, 48 insertions(+), 4 deletions(-) create mode 100644 doc/http2_inspect.txt diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 1bf0e1476..b52eebcfd 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -54,6 +54,7 @@ set ( file_processing.txt high_availability.txt http_inspect.txt + http2_inspect.txt overview.txt params.txt perf_monitor.txt diff --git a/doc/features.txt b/doc/features.txt index 8f468afdc..3179f573f 100644 --- a/doc/features.txt +++ b/doc/features.txt @@ -52,6 +52,10 @@ include::side_channel.txt[] include::http_inspect.txt[] +=== HTTP/2 Inspector + +include::http2_inspect.txt[] + === Performance Monitor include::perf_monitor.txt[] diff --git a/doc/http2_inspect.txt b/doc/http2_inspect.txt new file mode 100644 index 000000000..6233d041c --- /dev/null +++ b/doc/http2_inspect.txt 
@@ -0,0 +1,43 @@ +Snort 3 is developing an inspector for HTTP/2. + +You can configure it by adding: + + http2_inspect = {} + +to your snort.lua configuration file. + +Everything has a beginning and for http2_inspect this is the beginning of +the beginning. Most of the protocol including HPACK decompression is not +implemented yet. + +Currently http2_inspect will divide an HTTP/2 connection into individual +frames and make them available for detection. Two new rule options are +available for looking at HTTP/2 frames: http2_frame_header provides the +9-octet frame header and http2_frame_data provides the frame content. + + alert tcp any any -> any any (msg:"Frame type"; flow:established, + to_client; http2_frame_header; content:"|06|", offset 3, depth 1; + sid:1; rev:1; ) + +This will match if the Type byte of the frame header is 6 (PING). + + alert tcp any any -> any any ( msg:"Content of HTTP/2 frame"; + flow:established, to_client; http2_frame_data; content:"peppermint"; + sid:2; rev:1; ) + +This will look for peppermint in the frame data but not the frame header. + +These can be combined: + + alert tcp any any -> any any ( msg:"Search in message bodies"; + flow:established, to_client; + http2_frame_header; content:"|00|", offset 3, depth 1; + http2_frame_data; content:"MaLwArE"; sid:3; rev:1; ) + +Frame type 0 is DATA which carries the HTTP message body. This rule will +search for MaLwArE inside an HTTP message body. + +In the future, http2_inspect will support HPACK header decompression and +be fully integrated with http_inspect to provide full inspection of the +individual HTTP/1.1 streams. + diff --git a/doc/http_inspect.txt b/doc/http_inspect.txt index 2d19e472f..af967afa1 100644 --- a/doc/http_inspect.txt +++ b/doc/http_inspect.txt 
@@ -10,10 +10,6 @@ You can configure it by adding: to your snort.lua configuration file. Or you can read about it in the source code under src/service_inspectors/http_inspect. -The classic HTTP preprocessor is still available in the alpha release -under extra. It has been renamed http_server. Be sure not to configure -both old and new HTTP inspectors at the same time. - So why a new HTTP inspector? For starters it is object-oriented. That’s good for us because we maintain -- 2.47.3
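Review bot: in the doc/CMakeLists.txt hunk the new `http2_inspect.txt` entry sits after `http_inspect.txt`, but the surrounding list (`file_processing.txt`, `high_availability.txt`, `http_inspect.txt`, `overview.txt`, `params.txt`) is kept sorted, and in plain ASCII order `http2_inspect.txt` (digit `2` before `_`) comes before `http_inspect.txt`; either move the line up one place or accept the "human" ordering consistently, but pick one so later additions have a rule to follow.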
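Review bot: in the new doc/http2_inspect.txt, the claim after the third rule ("This rule will search for MaLwArE inside an HTTP message body") overstates what `http2_frame_data` gives you: the option exposes the payload of a single frame, so a pattern that straddles two DATA frames will not match, and when the PADDED flag is set the frame payload also contains the Pad Length octet and the padding, not just body bytes. Suggest wording such as "searches the payload of each DATA frame; a body that is split across several frames is not reassembled", so readers do not expect http_inspect-style normalized body matching before the integration described in the final paragraph exists. Two smaller points in the same hunk: the three rule examples are formatted inconsistently (`(msg:"Frame type";` in the first versus `( msg:"Content of HTTP/2 frame";` in the others), and "individual HTTP/1.1 streams" in the closing paragraph should read "the HTTP messages carried on each HTTP/2 stream", since HTTP/2 streams are not HTTP/1.1.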
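Review bot: the doc/http_inspect.txt hunk removes the paragraph about the classic preprocessor ("The classic HTTP preprocessor is still available in the alpha release under extra. It has been renamed http_server.") and the warning not to run both inspectors at once, but neither the PR title nor the squashed commit message ("Manual updates for HTTP/2") mentions this removal. Add a line to the commit message stating that the obsolete http_server note is dropped, or split it into its own commit, so the history explains why the warning disappeared.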