[Zeek] [EXT] HTTP/2 analyzer

Eric Ooi ericooi at gmail.com
Mon Aug 26 10:55:06 PDT 2019


Just submitted — https://github.com/MITRECND/bro-http2/issues/6

> On Aug 21, 2019, at 2:39 PM, Eric Ooi <ericooi at gmail.com> wrote:
> 
> Thanks, Murad.  I just found the option in Palo Alto to force the downgrade to HTTP/1.1 and Zeek is now seeing that traffic, thanks for the tip.  I’ll still try to grab a PCAP of HTTP/2 traffic and see if I can open an issue.
> 
>> On Aug 21, 2019, at 1:54 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
>> 
>> Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide a pcap, it’ll help with troubleshooting. But there are other things we can check.
>>  
>>  
>> From: Eric Ooi <ericooi at gmail.com>
>> Date: Wednesday, August 21, 2019 at 2:40 PM
>> To: Murad Khan <mkhan at mitre.org>
>> Cc: "zeek at zeek.org" <zeek at zeek.org>
>> Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
>>  
>> Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so it looks like I’m definitely seeing this on my network.
>>  
>> Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero value for that field seems to be missing a corresponding log in Zeek.  Whereas anytime there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to analyze it successfully.
>>  
>> It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only to find that most of it is HTTP/2.  I suppose I’ll wait for the official analyzer or learn how to write one myself. :P
>>  
>> Thanks,
>> Eric
>>  
>>  
>>> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
>>>  
>>> Afaik, the Palos downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.
>>>  
>>> You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.
>>>  
>>>  
>>> From: <zeek-bounces at zeek.org> on behalf of Eric Ooi <ericooi at gmail.com>
>>> Date: Wednesday, August 21, 2019 at 1:57 PM
>>> To: "zeek at zeek.org" <zeek at zeek.org>
>>> Subject: [EXT] [Zeek] HTTP/2 analyzer
>>>  
>>> Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2
>>>  
>>> I've installed it but it doesn't seem to generate any http2.log files.  I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor.  Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic seems to be.
>>>  
>>> Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P
>>>  
>>> Thanks!
>>> Eric
> 
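As an added illustration of Murad's tip (this is not code from the thread or from the bro-http2 project): a small Python script that reads a Zeek ssl.log in its TSV format, tallies the negotiated ALPN value in the next_protocol column ("h2" for HTTP/2, "-" when nothing was negotiated), and then lists the established h2 sessions whose uid never shows up in an http/http2 log. The two log snippets are constructed sample data with an assumed subset of Zeek's real fields; in practice you would point the parser at the files under Zeek's log directory.

```python
"""Added example: summarize negotiated ALPN protocols from a Zeek ssl.log and
flag h2 sessions that produced no http/http2 log entry. Not part of the
thread or the bro-http2 plugin; the field subset and the sample records
below are constructed for this example."""
from collections import Counter
from typing import Dict, List, Set

# Constructed ssl.log in Zeek's TSV layout (only a subset of the real fields).
SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tnext_protocol\testablished
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool
1566420000.100000\tCabc1\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv12\texample.com\th2\tT
1566420001.200000\tCabc2\t10.0.0.5\t51001\t203.0.113.11\t443\tTLSv12\texample.net\thttp/1.1\tT
1566420002.300000\tCabc3\t10.0.0.6\t51002\t203.0.113.12\t443\tTLSv12\texample.org\t-\tT
1566420003.400000\tCabc4\t10.0.0.7\t51003\t203.0.113.13\t443\tTLSv12\texample.com\th2\tT
#close\t2019-08-21-14-00-00
"""

# Constructed http.log: only the HTTP/1.1 session produced a record, which is
# the symptom described in the thread.
HTTP_LOG = """\
#separator \\x09
#unset_field\t-
#path\thttp
#fields\tts\tuid\tmethod\thost\turi
#types\ttime\tstring\tstring\tstring\tstring
1566420001.250000\tCabc2\tGET\texample.net\t/
#close\t2019-08-21-14-00-00
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log: the #fields line names the columns, the other
    '#' lines are metadata, and every remaining line is one tab-separated record."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"column count mismatch: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def alpn_summary(ssl_records: List[Dict[str, str]]) -> Counter:
    """Count negotiated ALPN values; Zeek writes '-' when none was negotiated."""
    counts: Counter = Counter()
    for rec in ssl_records:
        proto = rec.get("next_protocol", "-")
        counts["(none)" if proto == "-" else proto] += 1
    return counts


def h2_without_http(ssl_records: List[Dict[str, str]],
                    http_records: List[Dict[str, str]]) -> List[str]:
    """Return uids of established h2 sessions that have no http/http2 record,
    i.e. the decrypted HTTP/2 traffic Zeek is not analyzing."""
    seen: Set[str] = {rec["uid"] for rec in http_records}
    return [rec["uid"] for rec in ssl_records
            if rec.get("next_protocol") == "h2"
            and rec.get("established") == "T"
            and rec["uid"] not in seen]


def run(ssl_text: str = SSL_LOG, http_text: str = HTTP_LOG):
    """Parse both logs and return (ALPN counts, uids of unanalyzed h2 sessions)."""
    ssl_records = parse_zeek_tsv(ssl_text)
    http_records = parse_zeek_tsv(http_text)
    return alpn_summary(ssl_records), h2_without_http(ssl_records, http_records)


if __name__ == "__main__":
    summary, missing = run()
    for proto, n in summary.most_common():
        print(f"{proto:10s} {n}")
    print("h2 sessions without an http/http2 record:", ", ".join(missing) or "none")
```

On the constructed input this reports two h2 sessions, one http/1.1 session and one connection with no ALPN, and lists Cabc1 and Cabc4 as h2 sessions that never reached an HTTP analyzer. To check the plugin after installing it, feed the same function the uids from http2.log in place of http.log and the list should be empty.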
