Merge pull request #1124 in SNORT/snort3 from doc_http2 to master

Squashed commit of the following:

commit 1a0b7f8ae9abfa40457c821ebc05921c83f91b47
Author: Tom Peters <thopeter@cisco.com>
Date:   Mon Mar 5 11:55:14 2018 -0500

    Manual updates for HTTP/2

diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 1bf0e147666fd1e4e8441871b3f67262c7851c46..b52eebcfd1ac0a1331fbe1646fec92722f5d460d 100644 (file)
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -54,6 +54,7 @@ set (
     file_processing.txt
     high_availability.txt
     http_inspect.txt
+    http2_inspect.txt
     overview.txt
     params.txt
     perf_monitor.txt

diff --git a/doc/features.txt b/doc/features.txt
index 8f468afdce5cd4f6feb7d2364a5b3382f0cad395..3179f573f79f1f316eb66ba77a138144305f6331 100644 (file)
--- a/doc/features.txt
+++ b/doc/features.txt
@@ -52,6 +52,10 @@ include::side_channel.txt[]
 
 include::http_inspect.txt[]
 
+=== HTTP/2 Inspector
+
+include::http2_inspect.txt[]
+
 === Performance Monitor
 
 include::perf_monitor.txt[]

diff --git a/doc/http2_inspect.txt b/doc/http2_inspect.txt
new file mode 100644 (file)
index 0000000..6233d04
--- /dev/null
+++ b/doc/http2_inspect.txt
@@ -0,0 +1,43 @@
+Snort 3 is developing an inspector for HTTP/2.
+
+You can configure it by adding:
+
+    http2_inspect = {}
+
+to your snort.lua configuration file.
+
+Everything has a beginning and for http2_inspect this is the beginning of
+the beginning. Most of the protocol including HPACK decompression is not
+implemented yet.
+
+Currently http2_inspect will divide an HTTP/2 connection into individual
+frames and make them available for detection. Two new rule options are
+available for looking at HTTP/2 frames: http2_frame_header provides the
+9-octet frame header and http2_frame_data provides the frame content.
+
+    alert tcp any any -> any any (msg:"Frame type"; flow:established,
+    to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
+    sid:1; rev:1; )
+
+This will match if the Type byte of the frame header is 6 (PING).
+
+    alert tcp any any -> any any ( msg:"Content of HTTP/2 frame";
+    flow:established, to_client; http2_frame_data; content:"peppermint";
+    sid:2; rev:1; )
+
+This will look for peppermint in the frame data but not the frame header.
+
+These can be combined:
+
+    alert tcp any any -> any any ( msg:"Search in message bodies";
+    flow:established, to_client;
+    http2_frame_header; content:"|00|", offset 3, depth 1;
+    http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )
+
+Frame type 0 is DATA which carries the HTTP message body. This rule will
+search for MaLwArE inside an HTTP message body.
+
+In the future, http2_inspect will support HPACK header decompression and
+be fully integrated with http_inspect to provide full inspection of the
+individual HTTP/1.1 streams.
+

diff --git a/doc/http_inspect.txt b/doc/http_inspect.txt
index 2d19e472f5bdcaaa74e85d33eb6f7baa416604ed..af967afa135df7fc74c43f340937a71def84803c 100644 (file)
--- a/doc/http_inspect.txt
+++ b/doc/http_inspect.txt
@@ -10,10 +10,6 @@ You can configure it by adding:
 to your snort.lua configuration file. Or you can read about it in the
 source code under src/service_inspectors/http_inspect.
 
-The classic HTTP preprocessor is still available in the alpha release
-under extra. It has been renamed http_server. Be sure not to configure
-both old and new HTTP inspectors at the same time.
-
 So why a new HTTP inspector?
 
 For starters it is object-oriented. That’s good for us because we maintain