Flowbits per stream in HTTP2


I am worried about the use of flowbits in HTTP2.

When a payload is carried in the body, as with a file upload/download in HTTP, it cannot be reassembled into an infinitely large window, so flowbits are used if identification is impossible at once.


alert tcp any any -> any any (msg:"Request line set"; flow:established,to_server; http.request_line; content:"POST|20|/test.file"; nocase; flowbits:set,test; sid:1;)
alert tcp any any -> any any (msg:"isset Body"; flow:established,to_server; flowbits:isset,test; http.request_body; content:"filePayload"; nocase; sid:2;)

In the case of HTTP proceeding in a single stream, there was no concern about detection with the above method. Although there may be multiple transactions, it was possible to infer the sequential progression and keep false detections infrequent. Also, TCP Fast Open was not a concern, as it rarely exists in reality.

However, in HTTP2, I think multiplexing and connection reuse make flowbits-based detection very troublesome to judge. For example, I want to link the header (or request line) of stream 1 and the body, but I think that the header of stream 2 and the body of stream 1 can be linked.

Is there a good way, or a plan, to combine flowbits in individual stream units for protocols like SCTP or HTTP2?

Thank you.

I think a variety of situations can be detected if there is an option similar to flowbits that can operate on a per-stream basis.
Or is there something I missed?
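
The concern raised in the post, shown as an added example that is not part of the original post and is not Suricata code: a simplified Python model comparing one bit shared by the whole connection with a bit keyed by stream ID. The event tuples, `detect()` and the sample streams are constructed for illustration.

```python
# Simplified model of the two rules above (sid:1 sets the bit, sid:2 checks it).
# This is NOT Suricata's engine; it only shows how the scope of the bit
# changes the outcome when HTTP/2 streams interleave on one connection.

# Constructed events on a single connection: (stream_id, kind, value)
INTERLEAVED = [
    (1, "request_line", "POST /other.file"),
    (3, "request_line", "POST /test.file"),   # sid:1 would match here
    (1, "body", "xx filePayload xx"),         # body of stream 1, not of the POST above
    (3, "body", "harmless data"),
]
SAME_STREAM = [
    (1, "request_line", "POST /other.file"),
    (3, "request_line", "POST /test.file"),
    (1, "body", "harmless data"),
    (3, "body", "xx filePayload xx"),         # body of the matching request
]

def sets_bit(request_line):
    # content:"POST|20|/test.file"; nocase;
    return "post /test.file" in request_line.lower()

def body_matches(body):
    # content:"filePayload"; nocase;
    return "filepayload" in body.lower()

def detect(events, per_stream):
    """Return the stream IDs on which the second rule would alert."""
    bits = set()
    alerts = []
    for stream_id, kind, value in events:
        # Flow scope: one shared key. Stream scope: one key per stream ID.
        key = stream_id if per_stream else "flow"
        if kind == "request_line" and sets_bit(value):
            bits.add(key)
        elif kind == "body" and key in bits and body_matches(value):
            alerts.append(stream_id)
    return alerts

if __name__ == "__main__":
    for name, events in (("interleaved", INTERLEAVED), ("same stream", SAME_STREAM)):
        print(name, "flow-scoped:", detect(events, False),
              "per-stream:", detect(events, True))
```

With the interleaved events, the flow-scoped bit alerts on stream 1 even though the matching request line was on stream 3, while the stream-keyed bit alerts only when both parts belong to the same stream.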