Tx sub states/v1.11 by victorjulien · Pull Request #15657 · OISF/suricata

victorjulien · 2026-06-16T21:02:21Z

SV_BRANCH=OISF/suricata-verify#3168

Work in progress branch on https://redmine.openinfosecfoundation.org/issues/8386

Defines 2 sub-states for HTTP2:

"stream" for the regular HTTP-style request/responses
"global" for the stream id 0 settings
Each has it's own state machine.

Issues/open questions:

stream has a closed (data end of stream reached) and complete (both sides closed). This is because after the end of stream is reached, we can still receive window updates. But since this doesn't always happen, we often get no traffic on "complete". So a rule like accept:tx http2:stream:request_complete ... is not reliable. Not sure yet how to handle this.
should http.uri; absent; or http.uri; content:!"/index" causes matches on the global txs? I think no, but this is a behavior changes vs main.
I wonder if the DOH2 TX should be it's own sub type, perhaps even instead of a alproto?

For review:

overhauls DNS over HTTP/2: forces all keywords to explicitly register for DOH2.

TODO

complete registration logic
docs
commit cleanups
CI (probably)

suricata-qa · 2026-06-16T21:15:02Z

ERROR:
ERROR: ASAN TEST FAIL in ASAN_TLPR1_cfg QA test

ERROR: QA failed on ASAN_TLPR1_cfg.

Pipeline = 32077

suricata-qa · 2026-06-17T07:20:03Z

ERROR:
ERROR: ASAN TEST FAIL in ASAN_TLPR1_cfg QA test

ERROR: QA failed on ASAN_TLPR1_cfg.

Pipeline = 32080

victorjulien · 2026-06-17T07:36:12Z

    });
    //we do not expect more data from client
-    tx.progress_ts = HTTP2TxProgress::HTTP2ProgClosed;
+    if let HTTP2Progress::STREAM(ref mut stream_tx) = tx.progress {


not introduced by this PR, but it's really icky that we modify the progress here from the detection path

This is not really the detection path. This function should be put in http2.rs I guess

victorjulien · 2026-06-17T07:38:42Z

+                            stream_tx.progress_tc = HTTP2TxProgress::HTTP2ProgHeaders;
+                        }
+                    } else {
+                        panic!("global");


TODO push promise might get here as well?

push promise is not so nice anyways now, there is https://redmine.openinfosecfoundation.org/issues/7317 about it

victorjulien · 2026-06-17T07:40:14Z

            child_stream_id: 0,
-            progress_tc: HTTP2TxProgress::HTTP2ProgStart,
-            progress_ts: HTTP2TxProgress::HTTP2ProgStart,
+            progress: HTTP2Progress::STREAM(HTTP2StreamProgress::init()),


maybe init should be started or something, to reflect its initialized to that state

victorjulien · 2026-06-17T07:49:48Z

            SCJbSetBool(ctx.js, "is_mpm", app->mpm);
            SCJbSetString(ctx.js, "app_proto", AppProtoToString(app->alproto));
            SCJbSetUint(ctx.js, "progress", app->progress);
+            SCJbSetUint(ctx.js, "sub_state", app->sub_state);


should be a string

victorjulien · 2026-06-17T07:50:03Z

        const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
        uint8_t flags, void *_alstate, void *tx, uint64_t tx_id);

-void DetectFileRegisterProto(


should not be removed

victorjulien · 2026-06-17T07:52:35Z

    { .alproto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }, { .alproto = ALPROTO_UNKNOWN }
 };

-void DetectFileRegisterProto(


undo removal

suricata-qa · 2026-06-17T08:30:03Z

ERROR:
ERROR: ASAN TEST FAIL in ASAN_TLPR1_cfg QA test

ERROR: QA failed on ASAN_TLPR1_cfg.

Pipeline = 32083

suricata-qa · 2026-06-17T16:45:02Z

Information: QA ran without warnings.

Pipeline = 32086

suricata-qa · 2026-06-17T18:45:03Z

Information: QA ran without warnings.

Pipeline = 32089

suricata-qa · 2026-06-17T22:15:04Z

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.ftp_data	760	730	96.05%

Pipeline = 32091

suricata-qa · 2026-06-18T02:30:03Z

Information: QA ran without warnings.

Pipeline = 32101

suricata-qa · 2026-06-18T07:10:02Z

Information: QA ran without warnings.

Pipeline = 32105

codecov · 2026-06-18T16:27:02Z

Codecov Report

❌ Patch coverage is 91.93690% with 92 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.95%. Comparing base (09f0851) to head (cc83f7f).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15657      +/-   ##
==========================================
- Coverage   82.96%   82.95%   -0.02%     
==========================================
  Files        1003     1003              
  Lines      275031   275666     +635     
==========================================
+ Hits       228192   228669     +477     
- Misses      46839    46997     +158

Flag	Coverage Δ
fuzzcorpus	`61.51% <73.53%> (+0.03%)`	⬆️
livemode	`18.43% <40.84%> (+0.05%)`	⬆️
netns	`22.85% <66.08%> (+0.10%)`	⬆️
pcap	`45.41% <63.10%> (+0.02%)`	⬆️
suricata-verify	`66.96% <90.44%> (+0.01%)`	⬆️
unittests	`58.45% <57.05%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

jasonish · 2026-06-18T17:22:31Z

+                        && head.ftype != parser::HTTP2FrameType::GoAway as u8
+                    {
+                        self.set_event(HTTP2Event::InvalidFrameHeader);
+                        input = rem;


In all other cases we use &rem[hlsafe..]. Is hlsafe always 0 in these cases?

Missed this, I've adopted the existing pattern here as well.

Split into 2 sub-states: - stream, which has the "HTTP" requests and responses, including DOH2 - global, which has the settings and other global or control handling Introduce a simpler progress tracking for the global sub state: - HTTP2ProgGlobalStart and HTTP2ProgGlobalComplete. The stream sub state uses the same state machine as before. Ticket: OISF#8386.

Hard coded for now.

Each keyword supporting DOH2 must register explicitly

Now that DNS keywords are no longer registered for DOH2, the keywords need to manually registered for DOH2.

Now that HTTP keywords are no longer automatically registered for HTTP/2, register them manually.

DNS/HTTP2 no longer automatically registers all keywords also for DOH2. Instead, the DNS keywords and HTTP/2 stream keywords are registered for DOH2 explicitly as well. - flow alproto DOH2 + engine DOH2 -> inspect inner DNS - flow alproto DOH2 + engine HTTP2 -> inspect outer HTTP/2 - flow alproto DOH2 + engine UNKNOWN -> inspect outer HTTP/2

For the most part hard coded for HTTP/2 for now.

Register a generic list for each sub state / progress combo.

Otherwise we'd have to re-register the relevant callbacks.

With substate support the fixed table approach for policies was no longer a good fit, so convert to a hash table. The policies are stored per alproto, sub_state, progress and direction.

Now that there is a policy hash, make the alert signature object a member of that to avoid another hash table lookup.

Check that sub state handling is correct.

suricata-qa · 2026-06-26T06:30:03Z

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.ftp_data	760	898	118.16%
.app_layer.error.ftp.parser	17	0	-

Pipeline = 32263

In preparation of being able to log it.

victorjulien force-pushed the tx-sub-states/v1.11 branch from 10b8507 to b7e0e94 Compare June 17, 2026 07:07