[Zeek] [EXT] HTTP/2 analyzer

Khan, Murad A. mkhan at mitre.org
Wed Aug 21 11:54:54 PDT 2019


Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide a pcap, it’ll help with troubleshooting. But there are other things we can check.


From: Eric Ooi <ericooi at gmail.com>
Date: Wednesday, August 21, 2019 at 2:40 PM
To: Murad Khan <mkhan at mitre.org>
Cc: "zeek at zeek.org" <zeek at zeek.org>
Subject: Re: [EXT] [Zeek] HTTP/2 analyzer

Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so it looks like I’m definitely seeing this on my network.

Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero value for that field seems to be missing a corresponding log in Zeek.  Whereas anytime there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to analyze it successfully.

It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only to find that most of it is HTTP/2.  I suppose I’ll wait for the official analyzer or learn how to write one myself. :P

Thanks,
Eric


On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan at mitre.org> wrote:

Afaik, the Palos downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.

You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.


From: <zeek-bounces at zeek.org> on behalf of Eric Ooi <ericooi at gmail.com>
Date: Wednesday, August 21, 2019 at 1:57 PM
To: "zeek at zeek.org" <zeek at zeek.org>
Subject: [EXT] [Zeek] HTTP/2 analyzer

Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2

I've installed it but it doesn't seem to generate any http2.log files.  I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor.  Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic seems to be.

Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P

Thanks!
Eric
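The ssl.log check Murad describes above, worked through as an added example (this is not code from the thread, from Zeek, or from the bro-http2 project): a small Python script that reads a Zeek ssl.log in its tab-separated format, tallies the next_protocol column (the ALPN value Zeek records; "h2" means HTTP/2 was negotiated, "http/1.1" means HTTP/1.1, "-" means no ALPN value) and lists the connections that negotiated HTTP/2. The log content is a constructed sample, and the #fields line is only the subset of ssl.log columns the script needs; because the parser keys on the #fields header rather than on column position, it also works on a full ssl.log. As Murad notes, it has to be run against the pre-decryption capture, where the TLS handshake is visible.

```python
#!/usr/bin/env python3
"""Tally the ALPN protocol negotiated per connection in a Zeek ssl.log.

The sample below is constructed for this example; it mimics Zeek's
tab-separated log format (header lines start with '#', the #fields line
names the columns, '-' marks an unset value).
"""
from collections import Counter

SAMPLE_SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tnext_protocol
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1566413694.101\tCabc1\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv13\twww.example.com\th2
1566413695.220\tCabc2\t10.0.0.5\t51001\t203.0.113.11\t443\tTLSv12\tlegacy.example.net\thttp/1.1
1566413696.330\tCabc3\t10.0.0.7\t51002\t203.0.113.12\t443\tTLSv13\tcdn.example.org\th2
1566413697.440\tCabc4\t10.0.0.7\t51003\t203.0.113.13\t443\tTLSv12\tmail.example.com\t-
1566413698.550\tCabc5\t10.0.0.9\t51004\t203.0.113.14\t443\tTLSv12\tapi.example.com\thttp/1.1
#close\t2019-08-21-11-54-54
"""


def parse_zeek_log(lines):
    """Yield one dict per data row, keyed by the names from the #fields header.

    Unset values (the #unset_field marker, '-' by default) become None so
    callers do not have to special-case them.
    """
    fields = None
    unset = "-"
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            # Header/footer lines: remember the column names and unset marker.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            elif line.startswith("#unset_field\t"):
                unset = line.split("\t", 1)[1]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on row: {line!r}")
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}


def alpn_summary(lines):
    """Count connections by negotiated ALPN protocol (the next_protocol column).

    Rows with no ALPN value are counted under the key "(none)".
    """
    counts = Counter()
    for rec in parse_zeek_log(lines):
        counts[rec.get("next_protocol") or "(none)"] += 1
    return counts


def h2_connections(lines):
    """Return (uid, server_name) for every connection that negotiated HTTP/2."""
    return [
        (rec["uid"], rec["server_name"])
        for rec in parse_zeek_log(lines)
        if rec.get("next_protocol") == "h2"
    ]


if __name__ == "__main__":
    import sys

    # Read a real ssl.log given as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            rows = fh.readlines()
    else:
        rows = SAMPLE_SSL_LOG.splitlines()
    for proto, n in alpn_summary(rows).most_common():
        print(f"{proto:12s} {n}")
    for uid, sni in h2_connections(rows):
        print(f"HTTP/2: {uid} {sni}")
```

Run it with the path to a sensor's ssl.log; a non-trivial "h2" count confirms that HTTP/2 is really being negotiated on the wire, which is the precondition for the HTTP/2 analyzer having anything to log.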
