Http2 header 5780 v4 #8775
WARNING:
Pipeline 13443
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## master #8775 +/- ##
==========================================
- Coverage 82.30% 82.28% -0.03%
==========================================
Files 969 969
Lines 272771 272846 +75
==========================================
- Hits 224509 224499 -10
- Misses 48262 48347 +85
Doc changes look good to me :)
headers = tx->response_headers; | ||
} | ||
if (cbdata->local_id < htp_table_size(headers)) { | ||
htp_header_t *h = htp_table_get_index(headers, cbdata->local_id, NULL); |
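Review bot: the pointer h assigned from htp_table_get_index on the last line is guarded only by the bounds check cbdata->local_id < htp_table_size(headers) on the line before it. Add an explicit if (h == NULL) early return before h is used, so a NULL return from the lookup cannot be dereferenced.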
htp_table_get_index can return NULL I think
Well, it is not NULL-checked in detect-http-header-names.c
Match on the name and value of a HTTP request header (HTTP1 or HTTP2). | ||
|
||
For HTTP2, name and value get concatenated by ": ", colon and space. | ||
Each colon in the name or the value should be escaped as a double colon "::" for detection |
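Review bot: the last line does not say whether the "::" escaping applies to HTTP2 buffers only or to HTTP1 as well, since the sentence before it scopes only the ": " concatenation to HTTP2. State the scope explicitly and add one example showing how a name or value containing a colon should be written in the rule.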
I don't understand this escaping logic. The normal way to escape : in content is \:
But then, I would also need to escape backslash itself ;-)
Yes. But maybe it will be good to add a warning that it is removed in 7.
Old keyword test can go
Yeah seems good.
Looks good. Pattern is equal to http.start for example.
Looks fine as is.
Is this about the
} | ||
|
||
static int PrefilterMpmHttp1HeaderRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, | ||
MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id) |
rebase hint: was renamed to DetectBufferMpmRegistry
Yes, this is about The reason for
That is more complex, as this is about rules, not S-V checks...
Replaced by #8986
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5780
Describe changes:
http.header
Replaces #8621 with needed rebase (because DetectBufferSetActiveList now wants de_ctx as argument)

I have lots of questions...
Should this be one commit? Even if it is renaming + adding HTTP1 functionality
Did I get right the use of HttpHeaderBuffer?
Is src/detect-http-header.c the right file to put it?
I removed the validation callback as it is HTTP2-specific
Should we just remove the escaping being done in HTTP2, and not be able to match differently on a HTTP2 header name having comma in it like x: y versus a HTTP2 header having x as its name and y as its value?
How do we merge with S-V having some test with rules with the keyword being deprecated?
Do we keep the deprecated keyword in 6?
OISF/suricata-verify#1153
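
The ambiguity behind the HTTP2 escaping question above, as an added illustration that is not part of the original PR or of Suricata's code: `append_field` and `build_header_buffer` are hypothetical helpers and the header names and values are constructed. It joins name and value with ": " and shows that two different headers produce the same buffer unless each colon inside the name or value is doubled.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst at offset len; when escape is set, write each ':' twice.
 * Returns the new length, or -1 if dst (capacity cap) cannot hold it plus NUL. */
static int append_field(char *dst, size_t cap, size_t len, const char *src, int escape)
{
    for (size_t i = 0; src[i] != '\0'; i++) {
        size_t need = (escape && src[i] == ':') ? 2 : 1;
        if (len + need >= cap)
            return -1;
        dst[len++] = src[i];
        if (need == 2)
            dst[len++] = ':';
    }
    dst[len] = '\0';
    return (int)len;
}

/* Hypothetical helper: build the "name: value" buffer a rule would match on.
 * Returns the buffer length, or -1 if it does not fit in cap bytes. */
int build_header_buffer(char *dst, size_t cap, const char *name, const char *value, int escape)
{
    if (cap == 0)
        return -1;
    int len = append_field(dst, cap, 0, name, escape);
    if (len < 0 || (size_t)len + 2 >= cap)
        return -1;
    dst[len++] = ':';   /* unescaped separator between name and value */
    dst[len++] = ' ';
    return append_field(dst, cap, (size_t)len, value, escape);
}

int main(void)
{
    char a[64], b[64];
    /* Constructed headers: name "x: y" with value "z", and name "x" with value "y: z". */
    build_header_buffer(a, sizeof a, "x: y", "z", 0);
    build_header_buffer(b, sizeof b, "x", "y: z", 0);
    printf("unescaped: [%s] [%s] same=%d\n", a, b, strcmp(a, b) == 0);
    build_header_buffer(a, sizeof a, "x: y", "z", 1);
    build_header_buffer(b, sizeof b, "x", "y: z", 1);
    printf("escaped:   [%s] [%s] same=%d\n", a, b, strcmp(a, b) == 0);
    return 0;
}
```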