Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Http2 header 5780 v4 #8775

Closed
wants to merge 2 commits into from
Closed

Http2 header 5780 v4 #8775

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5780

Describe changes:

  • http2: rename http2.header to http.request_header and http.response_header as it is confusing with http.header

Replaces #8621 with needed rebase (because DetectBufferSetActiveList wants now de_ctx as argument)

I have lots of questions...

Should this be one commit ?
Even if it is renaming + adding HTTP1 functionality

Did I get right the use of HttpHeaderBuffer ?

Is src/detect-http-header.c the right file do put it ?

I removed the validation callback as it is HTTP2-specific
Should we just remove the escaping being done in HTTP2, and not be able to match differently on a HTTP2 header name having comma in it like x: y versus a HTTP2 header having x as its name and y as its value ?

How do we merger with S-V having some test with rules with the keyword being deprecated ?

Do we keep the deprecated keyword in 6 ?

OISF/suricata-verify#1153

SV_BRANCH=pr/1153

@catenacyber
http2: rename http2.header to http.request_header
5427461 
Or http.response_header based on the direction

http2.header had a different behavior than http.header and this was
confusing.

Ticket: OISF#5780
@catenacyber
http1: implement http.request_header
00373c3 
So that it is generic for HTTP1 and HTTP2

Ticket: OISF#5780
@catenacyber catenacyber mentioned this pull request Apr 27, 2023
Closed
@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPW1_stats_chk
.tcp.rst 113274 145114 128.11%

Pipeline 13443

@codecov
Copy link

codecov bot commented Apr 27, 2023
edited

Codecov Report

Merging #8775 (00373c3) into master (cb66a1e) will decrease coverage by 0.03%.
The diff coverage is 49.51%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #8775      +/-   ##
==========================================
- Coverage   82.30%   82.28%   -0.03%     
==========================================
  Files         969      969              
  Lines      272771   272846      +75     
==========================================
- Hits       224509   224499      -10     
- Misses      48262    48347      +85
Flag Coverage Δ
fuzzcorpus 64.59% <18.26%> (-0.09%) ⬇️
suricata-verify 60.31% <49.51%> (-0.05%) ⬇️
unittests 62.85% <18.26%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@catenacyber catenacyber added the needs rebase Needs rebase to master label May 4, 2023
@victorjulien victorjulien self-assigned this May 5, 2023
jufajardini
jufajardini reviewed May 29, 2023
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doc changes look good to me :)

victorjulien
victorjulien requested changes Jun 5, 2023
View reviewed changes
src/detect-http-header.c
headers = tx->response_headers;
}
if (cbdata->local_id < htp_table_size(headers)) {
htp_header_t *h = htp_table_get_index(headers, cbdata->local_id, NULL);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

htp_table_get_index can return NULL I think

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it is not NULL-checked in detect-http-header-names.c

doc/userguide/rules/http-keywords.rst
Match on the name and value of a HTTP request header (HTTP1 or HTTP2).

For HTTP2, name and value get concatenated by ": ", colon and space.
Each colon in the name or the value should be escaped as a double colon "::" for detection
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this escaping logic. The normal way to escape : in content is \:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But then, I would also need to escape backslash itself ;-)

@victorjulien
Copy link
Member

Do we keep the deprecated keyword in 6 ?

Yes. But maybe it will be good to add a warning that it is removed in 7.

@victorjulien
Copy link
Member

How do we merger with S-V having some test with rules with the keyword being deprecated ?

Old keyword test can go lt-version: 6, tests for new stuff min-version: 7

@victorjulien
Copy link
Member

Is src/detect-http-header.c the right file do put it ?

Yeah seems good.

@victorjulien
Copy link
Member

Did I get right the use of HttpHeaderBuffer ?

Looks good. Pattern is equal to http.start for example.

@victorjulien
Copy link
Member

Should this be one commit ?
Even if it is renaming + adding HTTP1 functionality

Looks fine as is.

@victorjulien
Copy link
Member

Should we just remove the escaping being done in HTTP2, and not be able to match differently on a HTTP2 header name having comma in it like x: y versus a HTTP2 header having x as its name and y as its value ?

Is this about the :: escaping? I didn't immediately see how it works, but I don't really like it. Would like buffers to be as "raw" as possible. Does that help?

victorjulien
victorjulien reviewed Jun 5, 2023
View reviewed changes
src/detect-http-header.c
}

static int PrefilterMpmHttp1HeaderRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rebase hint: was renamed to DetectBufferMpmRegistry

@catenacyber
Copy link
Contributor Author

Is this about the :: escaping? I didn't immediately see how it works, but I don't really like it. Would like buffers to be as "raw" as possible. Does that help?

Yes, this is about :: escaping.
Yes, this helps.

The reason for :: escaping was to be able to detect HTTP2 header names having :

@catenacyber
Copy link
Contributor Author

Old keyword test can go lt-version: 6, tests for new stuff min-version: 7

That is more complex, as this is about rules, not S-V checks...

@catenacyber catenacyber mentioned this pull request Jun 7, 2023
Closed
@catenacyber
Copy link
Contributor Author

Replaced by #8986

@catenacyber catenacyber closed this Jun 7, 2023
This was referenced Jun 12, 2023
Closed
Closed
@catenacyber catenacyber mentioned this pull request Jun 26, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jufajardini jufajardini jufajardini left review comments

@victorjulien victorjulien victorjulien requested changes

Assignees

@victorjulien victorjulien

Labels
needs rebase Needs rebase to master needs review
Milestone
No milestone
4 participants
@catenacyber @suricata-qa @victorjulien @jufajardini