[Zeek] [EXT] HTTP/2 analyzer

Eric Ooi ericooi at gmail.com
Wed Aug 21 11:39:06 PDT 2019


Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so it looks like I’m definitely seeing this on my network.

The only reason I believe that Palo is still sending it as HTTP/2 traffic is that the monitor tab has an “HTTP/2 Connection Session ID” field, and each line entry that has a non-zero value for that field seems to be missing a corresponding log in Zeek.  Whereas anytime there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to analyze it successfully.

It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only to find that most of it is HTTP/2.  I suppose I’ll wait for the official analyzer or learn how to write one myself. :P

Thanks,
Eric


> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
> 
> Afaik, the Palos downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.
>  
> You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.
>  
>  
> From: <zeek-bounces at zeek.org> on behalf of Eric Ooi <ericooi at gmail.com>
> Date: Wednesday, August 21, 2019 at 1:57 PM
> To: "zeek at zeek.org" <zeek at zeek.org>
> Subject: [EXT] [Zeek] HTTP/2 analyzer
>  
> Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2
>  
> I've installed it but it doesn't seem to generate any http2.log files.  I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor.  Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic seems to be.
>  
> Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P
>  
> Thanks!
> Eric
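The ssl.log check Murad describes above (look at the negotiated ALPN in `next_protocol` and count the `h2` sessions), as an added example that is not part of this thread or of the bro-http2 plugin. The ssl.log content is a constructed sample trimmed to a subset of the real columns; the parser reads Zeek's standard ASCII log headers (`#fields`, `#unset_field`) rather than assuming fixed column positions.

```python
"""Count sessions in a Zeek ssl.log by negotiated ALPN value (next_protocol).
Zeek ASCII logs are tab-separated; '#fields' names the columns and the
'#unset_field' marker (default '-') means the field was never set."""
from collections import Counter
from typing import Dict, Iterator, List, Optional

# Constructed sample, trimmed to a few ssl.log columns (not a real capture).
SAMPLE_SSL_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tversion\tserver_name\tnext_protocol
1566412746.101\tCabc1\t10.0.0.5\t203.0.113.10\t443\tTLSv12\texample.test\th2
1566412747.202\tCabc2\t10.0.0.5\t203.0.113.11\t443\tTLSv12\tlegacy.test\thttp/1.1
1566412748.303\tCabc3\t10.0.0.6\t203.0.113.12\t443\tTLSv13\tnoalpn.test\t-
1566412749.404\tCabc4\t10.0.0.7\t203.0.113.10\t443\tTLSv12\texample.test\th2
#close\t2019-08-21-11-39-06
"""


def parse_zeek_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record, keyed by the '#fields' names; unset -> None."""
    fields: List[str] = []
    unset = "-"
    for line in text.splitlines():
        if line.startswith("#"):  # header/trailer lines carry no records
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue
        yield {name: (None if v == unset else v)
               for name, v in zip(fields, line.split("\t"))}


def alpn_summary(text: str) -> Counter:
    """Sessions per ALPN value; a session with no ALPN is counted under 'none'."""
    counts: Counter = Counter()
    for rec in parse_zeek_log(text):
        counts[rec.get("next_protocol") or "none"] += 1
    return counts


def h2_servers(text: str) -> List[str]:
    """Sorted unique SNI names that negotiated 'h2', i.e. HTTP/2 sessions."""
    return sorted({rec["server_name"] for rec in parse_zeek_log(text)
                   if rec.get("next_protocol") == "h2" and rec.get("server_name")})


if __name__ == "__main__":
    print(alpn_summary(SAMPLE_SSL_LOG).most_common())
    print("h2 servers:", h2_servers(SAMPLE_SSL_LOG))
```

On a real sensor, pass the contents of `ssl.log` in place of the sample; sessions counted under `h2` are the ones the HTTP/1.1 analyzer will not produce `http.log` entries for.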
