How to distinguish HTTP 1.1 from HTTP 2.0 using Snort rules

87 views

I'm struggling with the task of auditing TCP packets using Snort IDS. The goal is to send an audit event (1) on some content (2) depending on the HTTP protocol version, but I can't manage it with the means of Snort.

Using Snort 2.9.17 I've tried the approach based on the metadata:service keyword in Snort rules:

alert tcp any any <> any any (msg:"Alert HTTP 1.1"; file_data; content:"apple"; metadata: service http; priority:130; sid:1000001;)
alert tcp any any <> any any (msg:"Alert HTTP 2.0"; file_data; content:"apple"; metadata: service http2; priority:130; sid:1000002;)

After that I try to fetch two web pages (one over HTTP 1.1, one over HTTP 2.0) via browser, but both rules are triggered on both pages. I was expecting that the rule for HTTP 2.0 would trigger on the HTTP 2.0 page, and the rule for HTTP 1.1 on its own page.

Also I've noticed that if the rules do not have a content field, then they are triggered on the first TCP packet of each connection (the TCP ACK packet), meaning that the rule's metadata field had not been taken into account and filtering was done based only on the protocol field (tcp).

Could anyone please tell me, does Snort 2.9 support the http2 protocol? What could be wrong in this approach? Does anyone know how HTTP 1.1/2.0 could be identified by Snort with other means? I would appreciate any help.

P.S. As HTTP 2.0 works over TLS, I decrypt such packets in the DAQ module and send them to Snort in plain text, so it should be able to analyze their contents.
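The two rules in the question share one content test and differ only in metadata:service, which is a rule annotation rather than a protocol parser, and Snort 2.9's http_inspect preprocessor understands HTTP/1.x only (HTTP/2 frame inspection arrived with Snort 3). The Python below is an added example, not code from the question or from Snort, showing what actually separates the two protocols once TLS has been stripped by the DAQ module: an HTTP/2 client connection opens with the fixed 24-byte preface from RFC 7540, while an HTTP/1.x stream starts with a request or status line. It then emulates the two rules (the sids 1000001 and 1000002 are taken from the question) by searching for the content only where each version carries it, the HTTP/1.1 body or the HTTP/2 DATA frames. The sample streams are constructed, not captured traffic.

```python
"""Tell HTTP/1.x from HTTP/2 in a decrypted TCP stream and apply a
per-version content check, mirroring the two Snort rules in the question.
Added example, not code from the question; sample streams are constructed."""
import re

# RFC 7540 section 3.5: every HTTP/2 client connection opens with this
# fixed 24-byte preface, sent before any frame.
HTTP2_CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# HTTP/1.x request line or status line at the very start of the stream.
HTTP1_REQUEST_LINE = re.compile(rb"^[A-Z]+ [^ \r\n]+ HTTP/1\.[01]\r\n")
HTTP1_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [0-9]{3} ")

# HTTP/2 frame constants (RFC 7540 section 6).
FRAME_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8


def classify_http_version(stream: bytes) -> str:
    """Return 'http2', 'http1' or 'unknown' from the first bytes of a stream."""
    if stream.startswith(HTTP2_CLIENT_PREFACE):
        return "http2"
    if HTTP1_REQUEST_LINE.match(stream) or HTTP1_STATUS_LINE.match(stream):
        return "http1"
    return "unknown"


def iter_http2_frames(stream: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame after the preface.
    Frame header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
    offset = len(HTTP2_CLIENT_PREFACE)
    while offset + 9 <= len(stream):
        length = int.from_bytes(stream[offset:offset + 3], "big")
        ftype = stream[offset + 3]
        flags = stream[offset + 4]
        stream_id = int.from_bytes(stream[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        payload = stream[offset + 9:offset + 9 + length]
        if len(payload) < length:  # truncated capture: stop rather than misparse
            break
        yield ftype, flags, stream_id, payload
        offset += 9 + length


def http2_data_bytes(stream: bytes) -> bytes:
    """Concatenate DATA frame payloads with padding removed.
    HEADERS frames are HPACK-compressed and are skipped here."""
    body = b""
    for ftype, flags, _stream_id, payload in iter_http2_frames(stream):
        if ftype != FRAME_DATA:
            continue
        if flags & FLAG_PADDED and payload:
            pad_len = payload[0]  # first byte gives the trailing pad length
            payload = payload[1:len(payload) - pad_len]
        body += payload
    return body


def http1_body_bytes(stream: bytes) -> bytes:
    """Everything after the header block; assumes an unchunked, uncompressed body."""
    _headers, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""


def audit(stream: bytes, needle: bytes = b"apple"):
    """Emulate the question's two rules: return the sid that would fire, or None."""
    version = classify_http_version(stream)
    if version == "http1" and needle in http1_body_bytes(stream):
        return 1000001  # "Alert HTTP 1.1"
    if version == "http2" and needle in http2_data_bytes(stream):
        return 1000002  # "Alert HTTP 2.0"
    return None


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one HTTP/2 frame (used only to construct the sample stream)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


# Constructed sample streams, one per protocol version.
HTTP1_SAMPLE = (b"POST /pie HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 16\r\n\r\nI like apple pie")
HTTP2_SAMPLE = (HTTP2_CLIENT_PREFACE
                + build_frame(0x4, 0x0, 0, b"")  # empty SETTINGS frame
                + build_frame(FRAME_DATA, FLAG_PADDED | FLAG_END_STREAM, 1,
                              bytes([4]) + b"I like apple pie" + b"\x00" * 4))

if __name__ == "__main__":
    for name, sample in (("http1", HTTP1_SAMPLE), ("http2", HTTP2_SAMPLE)):
        print(name, classify_http_version(sample), audit(sample))
```

The same preface bytes can be expressed as an ordinary Snort content match anchored at the start of the stream (for instance content:"PRI * HTTP/2.0"; depth:14;), which separates HTTP/2 connections from HTTP/1.x ones even though Snort 2.9 will not decode the frames that follow; that rule is a suggestion, not something the question confirms. The helpers assume an unchunked, uncompressed HTTP/1.1 body and skip HPACK-compressed HEADERS frames, so content inside HTTP/2 headers is not searched.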


There are 0 answers