[Zeek] [EXT] HTTP/2 analyzer

Khan, Murad A. mkhan at mitre.org
Wed Aug 21 11:09:50 PDT 2019


Afaik, the Palos downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.

You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.


From: <zeek-bounces at zeek.org> on behalf of Eric Ooi <ericooi at gmail.com>
Date: Wednesday, August 21, 2019 at 1:57 PM
To: "zeek at zeek.org" <zeek at zeek.org>
Subject: [EXT] [Zeek] HTTP/2 analyzer

Has anyone tried the HTTP/2 analyzer from MITRE? https://github.com/MITRECND/bro-http2

I've installed it but it doesn't seem to generate any http2.log files. I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic, but I haven't yet seen decrypted HTTP/2 traffic show up, which is what the majority of my decrypted traffic seems to be.

Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P

Thanks!
Eric
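The check suggested in the reply above (look at the negotiated ALPN in ssl.log on the pre-decryption side) can be scripted against Zeek's standard TSV log format. The following is an added example written for this page, not code from the thread or from the MITRE bro-http2 plugin. It assumes the stock Zeek ssl.log, where the negotiated ALPN value lands in the `next_protocol` column and an unset field is written as `-`; the embedded ssl.log excerpt is constructed, with the column list trimmed to a few of the real fields. A sensor that only ever sees `http/1.1` or no ALPN value here is not receiving HTTP/2 sessions at all, regardless of whether the http2 analyzer is loaded.

```python
"""Summarise negotiated ALPN protocols from a Zeek ssl.log (TSV format).

Added example; assumes the standard Zeek ssl.log layout with a
`next_protocol` column. The sample log below is constructed.
"""
from collections import Counter

# Constructed ssl.log excerpt: header lines as Zeek writes them, with the
# field list trimmed to a handful of the real columns.
SAMPLE_SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tnext_protocol\testablished
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool
1566410000.000000\tCAbc1\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv12\twww.example.com\th2\tT
1566410001.000000\tCAbc2\t10.0.0.5\t51001\t203.0.113.11\t443\tTLSv12\tlegacy.example.net\thttp/1.1\tT
1566410002.000000\tCAbc3\t10.0.0.6\t51002\t203.0.113.12\t443\tTLSv12\tnoalpn.example.org\t-\tT
1566410003.000000\tCAbc4\t10.0.0.7\t51003\t203.0.113.13\t443\tTLSv12\tapi.example.com\th2\tF
#close\t2019-08-21-11-09-50
"""


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into a list of dicts keyed by the #fields header.

    Unset fields (the value given by #unset_field, '-' by default) become None.
    """
    fields = None
    unset = "-"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header/trailer lines: "#key<TAB>value". Only #fields and
            # #unset_field matter for parsing; everything else is skipped.
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def alpn_summary(records):
    """Count connections by negotiated ALPN value ('(none)' when absent)."""
    return Counter(r["next_protocol"] or "(none)" for r in records)


def h2_connections(records):
    """Return (uid, server_name) for fully established sessions that chose h2.

    Sessions with established == F never completed the handshake, so they
    are excluded even if the server's ALPN answer was seen.
    """
    return [
        (r["uid"], r["server_name"])
        for r in records
        if r["next_protocol"] == "h2" and r["established"] == "T"
    ]


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_SSL_LOG)
    for proto, n in alpn_summary(recs).most_common():
        print(f"{proto:10s} {n}")
    print("established h2 sessions:", h2_connections(recs))
```

Point it at a real file with `parse_zeek_tsv(open("ssl.log").read())`; the parser keys on the `#fields` line, so extra or reordered columns in a production log are handled without changes.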