I started a thread here, "Suricata-daily serving up 5.0.2-dev by default", but many errors in that query were mine. I now have a simple setup: HAProxy (SSL termination) → Nginx (port 80 for HTTP/1.1) and Nginx (port 81 for HTTP/2). The traffic is routed based on ALPN to the correct port. I have the following overrides in a second file that I link to include1.yaml. Sorry for the large config, but it seemed better than omitting anything, especially when there is nothing secret. I've tried a couple of different http2 config changes. All nginx servers proxy_pass to either a Scala app or a static website, and I see all those in the logs, but nothing for when it hits nginx as h2.
```yaml
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[127.0.0.1, {{network.cidr}}, {{pillar['network-configuration']['drone-ip']}}]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "[80, 81]"
    SHELLCODE_PORTS: "!$HTTP_PORTS"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

outputs:
  - stats:
      enabled: yes
      interval: 8
      filename: stats.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-ips.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: yes
            payload-printable: yes
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
            metadata: yes
        - dns:
            enabled: no
        - nfs:
            enabled: no
        - smb:
            enabled: no
        - ssh:
            enabled: yes
        - drop:
            enabled: yes
        - tftp:
            enabled: no
        - ikev2:
            enabled: no
        - krb5:
            enabled: no
        - dhcp:
            enabled: no
        - stats:
            enabled: no
        - flow:
            enabled: no
        - http:
            enabled: yes
            extended: yes
        - tls:
            enabled: yes
            extended: no
        - http2:
            enabled: yes
        - stats:

app-layer:
  protocols:
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
    krb5:
      enabled: no
    snmp:
      enabled: yes
    ikev2:
      enabled: no
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: no
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
      detection-ports:
        dp: 81
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: no
    smb:
      enabled: no
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: no
    tftp:
      enabled: no
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:

host-os-policy:
  linux: [{{network.cidr}}]
```
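Added example (not from the original post or from the Suricata project): a small Python triage script for the eve-ips.json output configured above, which counts events by destination port and app-layer label and flags port-81 events that Suricata did not classify as http2, so you can tell whether the H/2 traffic is reaching the sensor and what it is being parsed as. The embedded eve lines are constructed samples, and the `summarize` function and `watch_port` parameter are this example's own names.

```python
import json
import sys
from collections import Counter

# Constructed sample eve-json lines (not captured from the poster's sensor):
# an HTTP/1.1 event on port 80, a TLS event on 443, an alert on port 81 whose
# app_proto is "failed" (the flow was seen but not recognised as HTTP/2),
# and one genuine http2 event on port 81.
SAMPLE_EVE = """\
{"timestamp":"2020-04-01T10:00:00.000000+0000","event_type":"http","dest_port":80,"http":{"hostname":"example.test","url":"/","protocol":"HTTP/1.1"}}
{"timestamp":"2020-04-01T10:00:01.000000+0000","event_type":"tls","dest_port":443,"tls":{"sni":"example.test","version":"TLS 1.3"}}
{"timestamp":"2020-04-01T10:00:02.000000+0000","event_type":"alert","dest_port":81,"app_proto":"failed","alert":{"signature":"constructed test"}}
{"timestamp":"2020-04-01T10:00:03.000000+0000","event_type":"http2","dest_port":81,"http2":{"request":{"authority":"example.test"}}}
"""


def summarize(eve_text, watch_port=81):
    """Return (Counter keyed by (dest_port, label), list of notes).

    label is the event's app_proto when present (alert events carry it),
    otherwise the event_type.  notes lists every event to watch_port that
    was not classified as http2, which is the symptom in the post above.
    """
    counts = Counter()
    notes = []
    for lineno, line in enumerate(eve_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            notes.append(f"line {lineno}: not valid JSON, skipped")
            continue
        port = ev.get("dest_port")
        label = ev.get("app_proto") or ev.get("event_type", "?")
        counts[(port, label)] += 1
        if port == watch_port and label != "http2":
            notes.append(f"line {lineno}: port {port} event classified as {label!r}, not http2")
    return counts, notes


if __name__ == "__main__":
    # Usage: python triage.py /path/to/eve-ips.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    counts, notes = summarize(text)
    for (port, label), n in sorted(counts.items(), key=lambda kv: (str(kv[0][0]), kv[0][1])):
        print(f"dest_port={port:<5} {label:<8} {n}")
    for note in notes:
        print(note)
```

If port 81 shows up only as `failed` or not at all, the traffic is not being parsed as HTTP/2 by the app-layer, which narrows the problem to protocol detection rather than to the eve output settings.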