File: http2-keywords.rst

package info (click to toggle)
suricata 1%3A7.0.10-1
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 83,104 kB
  • sloc: ansic: 334,774; python: 7,725; sh: 5,001; makefile: 2,075; perl: 867
file content (118 lines) | stat: -rw-r--r-- 2,618 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
 
HTTP2 Keywords
==============

HTTP2 frames are grouped into transactions based on the stream identifier it it is not 0.
For frames with stream identifier 0, whose effects are global for the connection, a transaction is created for each frame.


http2.frametype
---------------

Match on the frame type present in a transaction.

Examples::

  http2.frametype:GOAWAY;


http2.errorcode
---------------

Match on the error code in a GOWAY or RST_STREAM frame

Examples::

  http2.errorcode: NO_ERROR;
  http2.errorcode: INADEQUATE_SECURITY;


http2.priority
--------------

Match on the value of the HTTP2 priority field present in a PRIORITY or HEADERS frame.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``x-y`` (range between values x and y)

Examples::

  http2.priority:2;
  http2.priority:>100;
  http2.priority:32-64;


http2.window
------------

Match on the value of the HTTP2 value field present in a WINDOWUPDATE frame.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``x-y`` (range between values x and y)

Examples::

  http2.window:1;
  http2.window:<100000;


http2.size_update
-----------------

Match on the size of the HTTP2 Dynamic Headers Table.
More information on the protocol can be found here:
`<https://tools.ietf.org/html/rfc7541#section-6.3>`_

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``x-y`` (range between values x and y)

Examples::

  http2.size_update:1234;
  http2.size_update:>4096;


http2.settings
--------------

Match on the name and value of a HTTP2 setting from a SETTINGS frame.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``x-y`` (range between values x and y)

Examples::

  http2.settings:SETTINGS_ENABLE_PUSH=0;
  http2.settings:SETTINGS_HEADER_TABLE_SIZE>4096;

http2.header_name
-----------------

Match on the name of a HTTP2 header from a HEADER frame (or PUSH_PROMISE or CONTINUATION).

Examples::

  http2.header_name; content:"agent";

``http2.header_name`` is a 'sticky buffer'.

``http2.header_name`` can be used as ``fast_pattern``.

``http2.header_name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

Additional information
----------------------

More information on the protocol can be found here:
`<https://tools.ietf.org/html/rfc7540>`_