New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Http2 v3 #4772

Closed

catenacyber wants to merge 17 commits into OISF:master from catenacyber:http2-v3

Contributor

catenacyber commented Apr 3, 2020

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/1947

DRAFT for discussion
Not to be merged

Describe changes:

Adds basic HTTP2 parser

Much more work to be done :

Commit squashing
handle transactions with progress completion
parse interesting frame types
connection upgrade from HTTP1
rules file for applayer events
tests
robustness against evasions

Modifies #4736 with

rebasing
parsing/logging/detecting RSTSTREAM PRIORITY WINDOWUPDATE SETTINGS
using nom::Err::Incomplete value for `AppLayerResult::incomplete
using panic
managing to translate a Rust string to uppercase for case-insensitive signatures about enumerations
Implementing generic DetectU8Data
Right keywords testing framework

catenacyber added 17 commits

April 3, 2020 11:37


          http2: first skeleton

ebfe9e7


          right probing

7cf1c69


          http2 parse

37b5cc4


          http2 log

5cb3a00


          applayer: allow rust parsers to have only one probe

0c323aa


          activate log in eve for HTTP2

6e6bc2e


          parsing fix

59529c4


          http2 detect

cc2ee6f


          rebased ok

00a9ff1


          HTTP2ErrorCode

f8c0e9d


          DETECT_HTTP2_ERRORCODE

b6a9991


          fixup

b6ab082


          detect: adds engine for u8 keywords

d0befc1


          http2: add priority

e4fc2ef


          More HTTP2 simple frame types parsing

c193fd8


          http2 minor fixes

708ce1a


          http2 settings

57b4243

catenacyber requested review from jasonish, victorjulien and a team as code owners

April 3, 2020 09:42

Contributor Author

catenacyber commented Apr 3, 2020

Forgot to make it a draft PR again :-(

catenacyber commented

View reviewed changes

src/detect-http2.c

+                          return -1;
+                      }
+                      strncpy(str_first, str, space - str);
+                      //TODO better no copy, and pass a length argument next ?

Contributor Author

catenacyber Apr 3, 2020

Any thoughts here ? Using Rust to parse signatures ?

catenacyber mentioned this pull request

Closed

catenacyber closed this

catenacyber deleted the http2-v3 branch

September 4, 2020 08:47

jasonish added a commit to jasonish/suricata that referenced this pull request


          schema: add an object for mapping fields to keywords

4c26ffc

To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          script/eve-parity: add script for checking eve/keyword parity

9427e0f

Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          schema: add an object for mapping fields to keywords

To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          script/eve-parity: add script for checking eve/keyword parity

c9ccd3f

Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          schema: add an object for mapping fields to keywords

d4a2e55

To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          script/eve-parity: add script for checking eve/keyword parity

7c77745

Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          schema: add an object for mapping fields to keywords

0389e9b

To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          script/eve-parity: add script for checking eve/keyword parity

Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          script/eve-parity: add script for checking eve/keyword parity

68e1839

Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          schema: add an object for mapping fields to keywords

76f5697

To some EVE fields and a "suricata" object that contains an array of
keywords. These are the keywords that map directly to this field, or
somehow cover this field.

This is an attempt at tooling to help with EVE and keyword parity.

Related to tickets: OISF#5642, OISF#6463, OISF#4772

jasonish added a commit to jasonish/suricata that referenced this pull request


          script/eve-parity: add script for checking eve/keyword parity

38f5fda

Currently this script has two commands: "missing" and "having".

"missing" will show eve fields that do not map to any keywords.

"having" will sohw eve fields along with their keyword mappsings,
while also validating that those keywords really exist.

Related to tickets: OISF#6463, OISF#4772

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet