[Zeek] [EXT] HTTP/2 analyzer

Eric Ooi ericooi at gmail.com
Wed Aug 21 12:39:48 PDT 2019


Thanks, Murad. I just found the option in Palo Alto to force the downgrade to HTTP/1.1 and Zeek is now seeing that traffic; thanks for the tip. I’ll still try to grab a PCAP of HTTP/2 traffic and see if I can open an issue.

> On Aug 21, 2019, at 1:54 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
> 
> Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide a pcap, it’ll help with troubleshooting. But there are other things we can check.
>  
>  
> From: Eric Ooi <ericooi at gmail.com>
> Date: Wednesday, August 21, 2019 at 2:40 PM
> To: Murad Khan <mkhan at mitre.org>
> Cc: "zeek at zeek.org" <zeek at zeek.org>
> Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
>  
> Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so it looks like I’m definitely seeing this on my network.
>  
> Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero value for that field seems to be missing a corresponding log in Zeek.  Whereas anytime there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to analyze it successfully.
>  
> It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only to find that most of it is HTTP/2.  I suppose I’ll wait for the official analyzer or learn how to write one myself. :P
>  
> Thanks,
> Eric
>  
>  
>> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
>>  
>> Afaik, the Palos downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.
>>  
>> You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.
>>  
>>  
>> From: <zeek-bounces at zeek.org> on behalf of Eric Ooi <ericooi at gmail.com>
>> Date: Wednesday, August 21, 2019 at 1:57 PM
>> To: "zeek at zeek.org" <zeek at zeek.org>
>> Subject: [EXT] [Zeek] HTTP/2 analyzer
>>  
>> Has anyone tried the HTTP/2 analyzer from MITRE? https://github.com/MITRECND/bro-http2
>>  
>> I've installed it but it doesn't seem to generate any http2.log files. I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet seen decrypted HTTP/2 traffic show up, which is what the majority of my decrypted traffic seems to be.
>>  
>> Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P
>>  
>> Thanks!
>> Eric
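The check Murad describes, looking at ssl.log for sessions whose ALPN negotiation selected "h2", as an added example that is not part of this thread or of the bro-http2 plugin. It parses Zeek's tab-separated log format from its own header lines and uses the real ssl.log field names (`next_protocol`, `established`); the log rows themselves are constructed sample data, not captured traffic.

```python
"""Summarise a Zeek ssl.log by ALPN-negotiated protocol (added example)."""
from collections import Counter

# Constructed sample in Zeek's TSV log format; addresses/uids are made up.
SAMPLE_SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tnext_protocol\testablished
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool
1566420000.1\tCabc1\t10.0.0.5\t50001\t203.0.113.10\t443\tTLSv13\texample.com\th2\tT
1566420001.2\tCabc2\t10.0.0.6\t50002\t203.0.113.11\t443\tTLSv12\tlegacy.example\thttp/1.1\tT
1566420002.3\tCabc3\t10.0.0.7\t50003\t203.0.113.12\t443\tTLSv12\tnoalpn.example\t-\tT
1566420003.4\tCabc4\t10.0.0.8\t50004\t203.0.113.13\t443\tTLSv13\tcdn.example\th2\tT
#close\t2019-08-21-12-39-48
"""


def parse_zeek_log(text):
    """Yield one dict per record, honouring the #separator/#unset_field/#fields header."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Header spells the separator as an escape such as \x09; decode it.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line or fields is None:
            continue  # other header lines, #close, or data before #fields
        else:
            vals = line.split(sep)
            yield {k: (None if v == unset else v) for k, v in zip(fields, vals)}


def alpn_summary(text):
    """Count established TLS sessions per negotiated protocol (None = no ALPN)."""
    counts = Counter()
    for rec in parse_zeek_log(text):
        if rec.get("established") == "T":
            counts[rec.get("next_protocol")] += 1
    return counts


def h2_sessions(text):
    """Return (uid, server_name) for every session where ALPN selected HTTP/2."""
    return [(r["uid"], r["server_name"]) for r in parse_zeek_log(text)
            if r.get("next_protocol") == "h2"]


if __name__ == "__main__":
    print(alpn_summary(SAMPLE_SSL_LOG))   # Counter({'h2': 2, 'http/1.1': 1, None: 1})
    print(h2_sessions(SAMPLE_SSL_LOG))    # [('Cabc1', 'example.com'), ('Cabc4', 'cdn.example')]
```

Against a live sensor, read the contents of ssl.log into `text`; a non-empty `h2_sessions` result confirms HTTP/2 is really being negotiated upstream of the decryption mirror.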
