Http/2 not working from lua detection or lua output scripts

Is http/2 from lua output and lua detection currently not supported?
I checked against v7.0.0, and I don’t seem to find a way to get any http/2 parsing from a lua script. It was my understanding that http/2 was currently supported, is that still not the case?

HTTP/2 is supported with 7.0.x so what exactly did not work?
What does your config look like, and do you have examples?

I also found this the other day, it doesn’t look like HTTP/2 traffic works with Lua.


Yes, for instance take the actual example script from:

17.2. Lua Output — Suricata 7.0.0 documentation (docs.suricata.io)

That seems to yield output for http/1.1 but not for http/2.
Also, for detection, the http2.* keywords seem to be missing and the documented http.* keywords do not execute for http/2 traffic.

I also stumbled across this link that was created a few days after my original post:

Feature #6409: Lua support for HTTP/2 - Suricata - Open Information Security Foundation (redmine.openinfosecfoundation.org)

That should not be the case, I’ve been testing the http.* keywords against HTTP/2 traffic for several months without major issues. This seems like a very different issue. Keep in mind that HTTP/2 is largely encrypted, so validating that you’ve got clear text HTTP/2 is important and then making sure the protocol and http2.http1-rules options are enabled in the config would be next. Suri 7 ships with those options enabled by default.

Hmm, interesting. I just want to make sure we’re talking about lua detection scripting here with http.* keywords on http/2 traffic.
I’m aware that most http/2 is encrypted, in fact I’m feeding suricata a decrypted tcp stream, so if you can confirm the above, that means part of the problem might be related to how http/2 is being negotiated (through alpn) and suricata can’t pick it up.

Ahhh, yeah, sorry I was confused and thought you were talking outside of Lua scripting there.

So far as I can tell in my testing HTTP/2 doesn’t work with Suricata’s Lua implementation at all.

I think it simply hasn’t been added yet. When I was looking through the source* to figure out why, it only references ALPROTO_HTTP1 and does not include ALPROTO_HTTP2.

Those were my observations as well with anything http/2 and lua (hence the original post), thank you for confirming.