Configuring HTTP2

I started a thread here, "Suricata-daily serving up 5.0.2-dev by default", but many errors in that query were mine. I now have a simple setup as HAProxy (SSL termination) → Nginx (port 80 for HTTP/1.1) and Nginx (port 81 for H/2). The traffic is routed based on ALPN to the correct port. I have the following overrides in a second file that I link to include1.yaml. Sorry for the large config, but it seemed better than omitting anything, especially when there is nothing secret. I've tried a couple of different http2 config changes. All nginx servers proxy_pass to either a Scala app or a static website, and I see all those in the logs, but nothing for when it hits nginx as h2.

%YAML 1.1
vars:
  address-groups:
    HOME_NET: "[127.0.0.1, {{network.cidr}}, {{pillar['network-configuration']['drone-ip']}}]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "[80, 81]"
    SHELLCODE_PORTS: "!$HTTP_PORTS"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

outputs:
  - stats:
      enabled: yes
      interval: 8
      filename: stats.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-ips.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: yes
            payload-printable: yes
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
            metadata: yes
        - dns:
            enabled: no
        - nfs:
            enabled: no
        - smb:
            enabled: no
        - ssh:
            enabled: yes
        - drop:
            enabled: yes
        - tftp:
            enabled: no
        - ikev2:
            enabled: no
        - krb5:
            enabled: no
        - dhcp:
            enabled: no
        - stats:
            enabled: no
        - flow:
            enabled: no
        - http:
            enabled: yes
            extended: yes
        - tls:
            enabled: yes
            extended: no
        - http2:
            enabled: yes
        - stats:
            enabled: no

app-layer:
  protocols:
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
    krb5:
      enabled: no
    snmp:
      enabled: yes
    ikev2:
      enabled: no
    tls:
      enabled: yes
      detection-ports:
        dp: 443



    dcerpc:
      enabled: yes
    ftp:
      enabled: no
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
      detection-ports:
        dp: 81
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes

        decode-base64: yes
        decode-quoted-printable: yes

        header-value-depth: 2000

        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: no
    smb:
      enabled: no
      detection-ports:
        dp: 139, 445


    nfs:
      enabled: no
    tftp:
      enabled: no
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes



      libhtp:
        default-config:
          personality: IDS

          request-body-limit: 100kb
          response-body-limit: 100kb

          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          response-body-decompress-layer-limit: 2

          http-body-inline: auto

          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0


          double-decode-path: no
          double-decode-query: no


        server-config:



    modbus:

      enabled: no
      detection-ports:
        dp: 502

      stream-depth: 0

    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    dhcp:
      enabled: yes

    sip:

host-os-policy:
  linux: [{{network.cidr}}]

Oh, as I mentioned, this is my override file. Per the logs it seems there is no YAML merging, just overwrites; if there is an open issue for that and if it's desirable, I'd love to take a shot. Oh, and yes, this is managed by a config mgmt system (SaltStack), hence the variables.

I am actually getting http2 responses in the logs, so I think this is a valid config. Hope it helps someone… now I just have more to learn about the information available.

The running override configuration

%YAML 1.1

vars:
  address-groups:
    HOME_NET: "[127.0.0.1, {{network.cidr}}, {{pillar['network-configuration']['drone-ip']}}]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "[80, 81]"
    SHELLCODE_PORTS: "!$HTTP_PORTS"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

outputs:
  - stats:
      enabled: yes
      interval: 8
      filename: stats.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-ips.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: yes
            payload-printable: yes
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
            metadata: yes
        - dns:
            enabled: no
        - nfs:
            enabled: no
        - smb:
            enabled: no
        - ssh:
            enabled: yes
        - drop:
            enabled: yes
        - tftp:
            enabled: no
        - ikev2:
            enabled: no
        - krb5:
            enabled: no
        - dhcp:
            enabled: no
        - stats:
            enabled: no
        - flow:
            enabled: no
        - http:
            enabled: yes
            extended: yes
        - tls:
            enabled: yes
            extended: no
        - http2:
            enabled: yes
        - stats:
            enabled: no

app-layer:
  protocols:
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
    krb5:
      enabled: no
    snmp:
      enabled: yes
    ikev2:
      enabled: no
    tls:
      enabled: yes
      detection-ports:
        dp: 443

    dcerpc:
      enabled: yes
    ftp:
      enabled: no
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
      detection-ports:
        dp: 81
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes

        decode-base64: yes
        decode-quoted-printable: yes

        header-value-depth: 2000

        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: no
    smb:
      enabled: no
      detection-ports:
        dp: 139, 445

    nfs:
      enabled: no
    tftp:
      enabled: no
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes

      libhtp:
        default-config:
          personality: IDS

          request-body-limit: 100kb
          response-body-limit: 100kb

          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          response-body-decompress-layer-limit: 2

          http-body-inline: auto

          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0

          double-decode-path: no
          double-decode-query: no

        server-config:

    modbus:
      enabled: no
      detection-ports:
        dp: 502

      stream-depth: 0

    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    dhcp:
      enabled: yes

    sip:

host-os-policy:
  linux: [{{network.cidr}}]
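As an added example (not from the post or from Suricata itself), a small Python check that resolves Suricata port-group expressions with `$VAR` references, `[a, b]` lists, `lo:hi` ranges and a leading `!`, then confirms that the port HAProxy routes h2 to is covered by both `HTTP_PORTS` and the `http2` `detection-ports`; the port-groups, the ALPN routing map and the detection values are constructed from the override and the setup described above.

```python
# Constructed sample: the port-groups from the override above plus the HAProxy
# ALPN routing the post describes (h2 -> 81, http/1.1 -> 80).
PORT_GROUPS = {
    "HTTP_PORTS": "[80, 81]",
    "SHELLCODE_PORTS": "!$HTTP_PORTS",
    "FILE_DATA_PORTS": "[$HTTP_PORTS,110,143]",
    "SSH_PORTS": 22,
}
ALPN_ROUTING = {"h2": 81, "http/1.1": 80}
# app-layer.protocols.<proto>.detection-ports.dp values from the override
APP_LAYER_DETECTION = {"http2": "81", "tls": "443"}

def resolve_ports(expr, groups, _depth=0):
    """Expand a Suricata port-group expression into (ports, negated).
    Handles $VAR references, "[a, b]" lists, "lo:hi" ranges and a leading
    "!" that negates the whole group; negation is returned as a flag since
    enumerating the complement of a port set is not useful."""
    if _depth > 10:
        raise ValueError("port-group reference loop")
    text = str(expr).strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    ports = set()
    for tok in (t.strip() for t in text.strip("[]").split(",") if t.strip()):
        if tok.startswith("$"):
            sub, sub_neg = resolve_ports(groups[tok[1:]], groups, _depth + 1)
            if sub_neg:
                raise ValueError(f"nested negation in {tok} not supported")
            ports |= sub
        elif ":" in tok:
            lo, hi = (int(x) for x in tok.split(":"))
            ports |= set(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return ports, negated

def check_h2_visibility(groups, routing, detection):
    """List the mismatches that would leave ALPN-routed traffic outside the
    ports the HTTP rules ($HTTP_PORTS) and http2 detection-ports cover."""
    findings = []
    http_ports, _ = resolve_ports(groups["HTTP_PORTS"], groups)
    h2_ports, _ = resolve_ports(detection.get("http2", ""), groups)
    for alpn, port in routing.items():
        if port not in http_ports:
            findings.append(f"{alpn} port {port} not in HTTP_PORTS")
        if alpn == "h2" and port not in h2_ports:
            findings.append(f"h2 port {port} not covered by http2 detection-ports")
    return findings
```

Running the check against the posted override returns no findings; dropping port 81 from HTTP_PORTS or leaving the http2 detection-ports out reproduces the "h2 traffic missing from the logs" situation as explicit findings.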