[Bro] Bro HTTP/2 Decoder/Analyzer Plugin Released by MITRE

anthony kasza anthony.kasza at gmail.com
Wed Feb 28 19:15:31 PST 2018

This is very awesome. Thanks for sharing, Murad!

Tangentially related, nghttp2's client and server both are able to
communicate over HTTP/2 in the clear and are perfect for generating test


On Feb 28, 2018 15:30, "Khan, Murad A." <mkhan at mitre.org> wrote:


MITRE has created a plugin for Bro that adds an analyzer for the HTTP/2
protocol (RFC 7540) and released it open source at

A little background on HTTP/2 – after using HTTP 1.x for the longest time
companies wanted to come up with a successor protocol that took into
consideration the changes that had occurred with the web since the creation
of the HTTP 1.x specifications (HTTP 1.1, RFC 2616 came out in 1999!). This
led to the creation of SPDY, realizing that SPDY was useful, the IETF took
its concepts and formalized a new protocol and called it “HTTP/2”.  HTTP/2
introduces a number of changes and improvements on top of HTTP 1.x
including providing native multiplexed communication channels. HTTP/2 also
completely changes the transport mechanism, now being a binary protocol
(for those not intimately familiar with HTTP 1.x, it is a text-oriented

The analyzer has two dependencies – libnghttp2, available via apt (Ubuntu)
and yum (CentOS EPEL) and brotli (not available via repos, only via github
at https://github.com/google/brotli). It also currently doesn’t support the
Bro Package Manager (this is on the todo list). After installing the
plugin, it needs to be loaded, which can be done by putting “@load http2”
into your bro policy/script file. This analyzer will create an http2.log
file where http2 transactions will go to. For more information, reference
the README on github.

There are a couple of very important caveats with using this analyzer.
First, you will likely not see any HTTP2 traffic in the clear, pretty much
ever, since the major browsers, afaik, have decided on only using HTTP/2
with TLS ALPN (RFC 7301). So, this means, to use this analyzer you will
need to have some SSL/TLS interception capability in place to decrypt
traffic and provide it to bro which will in turn allow this analyzer to
analyze the traffic. If someone finds this to be untrue and sees a
significant amount of http2 traffic in the clear, I’d like to hear about.
Secondly, this analyzer doesn’t have a dpd.sig file so you’ll need to
specify, explicitly, which ports to analyze – by default ports 80 and 443
are configured which should be good enough for most people. Lastly, this
analyzer, although stable, still has some things on the to-do list and
could probably use some more testing and feedback so if you decide to
install/run it and run into an issue please contact us about it.


For those who have ssl logs and are interested in seeing how much HTTP/2
traffic their organization is seeing, take a look at the “next_protocol”
column in ssl.log which indicates the ALPN negotiated protocol.


Bro mailing list
bro at bro-ids.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180228/f39272ca/attachment.html 

More information about the Bro mailing list