http2¶
This module converts supported input types to ‘http’ data to be used by modules downstream.
The supported input types are:
- TCP
The format of the ‘http’ data follows the same data format as the http module
Module flags/options:
-h, --help show this help message and exit
-v, --verbose Be verbose about incoming packets and errors
--forgiving Attempt to detect http2 in non-standard looking
traffic
-a HASH_FUNCTION, --hash-function=HASH_FUNCTION
Hash Function to use on bodies (default 'md5',
available: 'sha1', 'sha256', 'sha512')
-p PORTS, --ports=PORTS
List of ports to check, comma separated, e.g.,
"443,4443", pass an emptry string to scan all ports
(default '80')
Notes: This is a preliminary decoder and is rather naive in its decoding of HTTP/2 traffic given the complexity of the protocol – but since it creates ‘http’ type data it can be used with the http_extractor module, making it easier to read/parse HTTP/2 traffic. Also note this module requires the ‘hpack’ library to do RFC 7541 hpack decoding of header data as specified by the http 2 RFC (7540)
ToDo: * Information about Frames and Streams
- Output new http2 type?
- Support for sslim data as input