[Zeek] [EXT] HTTP/2 analyzer
Eric Ooi
ericooi at gmail.com
Mon Aug 26 10:55:06 PDT 2019
Just submitted — https://github.com/MITRECND/bro-http2/issues/6
> On Aug 21, 2019, at 2:39 PM, Eric Ooi <ericooi at gmail.com> wrote:
>
> Thanks, Murad. I just found the option in Palo Alto to force the downgrade to HTTP/1.1 and Zeek is now seeing that traffic, thanks for the tip. I’ll still try to grab a PCAP of HTTP/2 traffic and see if I can open an issue.
>
>> On Aug 21, 2019, at 1:54 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
>>
>> Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide a pcap, it’ll help with troubleshooting. But there are other things we can check.
>>
>>
>> From: Eric Ooi <ericooi at gmail.com>
>> Date: Wednesday, August 21, 2019 at 2:40 PM
>> To: Murad Khan <mkhan at mitre.org>
>> Cc: "zeek at zeek.org" <zeek at zeek.org>
>> Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
>>
>> Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so it looks like I’m definitely seeing this on my network.
>>
>> Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero value for that field seems to be missing a corresponding log in Zeek. Whereas anytime there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to analyze it successfully.
>>
>> It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn how to write one myself. :P
>>
>> Thanks,
>> Eric
>>
>>
>>> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan at mitre.org> wrote:
>>>
>>> Afaik, the Palos downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.
>>>
>>> You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.
>>>
>>>
>>> From: <zeek-bounces at zeek.org> on behalf of Eric Ooi <ericooi at gmail.com>
>>> Date: Wednesday, August 21, 2019 at 1:57 PM
>>> To: "zeek at zeek.org" <zeek at zeek.org>
>>> Subject: [EXT] [Zeek] HTTP/2 analyzer
>>>
>>> Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2
>>>
>>> I've installed it but it doesn't seem to generate any http2.log files. I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic seems to be.
>>>
>>> Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P
>>>
>>> Thanks!
>>> Eric
>
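Murad's suggestion above, checking the negotiated ALPN value in ssl.log for "h2", can be automated. The following is an added example written for this thread, not code from the bro-http2 project: it reads Zeek's ASCII log format (honouring the #separator and #unset_field header lines) and reports how many TLS sessions negotiated h2 versus http/1.1, plus the server names that negotiated h2 so they can be compared against the firewall's decryption/downgrade policy. The ssl.log excerpt inside it is constructed, with columns trimmed to the ones the check needs; real logs carry more columns, which the parser simply ignores.

```python
"""Summarise negotiated ALPN protocols from a Zeek ssl.log (added example
for this thread, not bro-http2 code). SAMPLE_SSL_LOG is constructed, with
columns trimmed to those the check needs; extra columns are ignored."""
from collections import Counter

SAMPLE_SSL_LOG = (  # constructed excerpt in Zeek's default ASCII layout
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tnext_protocol\testablished\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool\n"
    "1566417600.1\tCa1b2c\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv12\tapi.example\th2\tT\n"
    "1566417601.2\tCd3e4f\t10.0.0.5\t51001\t203.0.113.20\t443\tTLSv12\tlegacy.example\thttp/1.1\tT\n"
    "1566417602.3\tCg5h6i\t10.0.0.6\t51002\t203.0.113.30\t443\tTLSv13\tcdn.example\th2\tT\n"
    "1566417603.4\tCj7k8l\t10.0.0.6\t51003\t203.0.113.40\t443\tTLSv12\tnoalpn.example\t-\tF\n"
    "#close\t2019-08-21-14-00-00\n"
)

def parse_zeek_log(text):
    """Read Zeek's ASCII log format into a list of dicts, taking the field
    separator and the unset marker from the header instead of assuming them."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence such as \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line or fields is None:
            continue  # other header/trailer lines, blank lines, data before #fields
        else:
            rows.append({k: (None if v == unset else v) for k, v in zip(fields, line.split(sep))})
    return rows

def alpn_summary(rows):
    """Count negotiated ALPN values; the 'h2' sessions are the ones the
    stock HTTP/1.1 analyzer will never turn into http.log entries."""
    return Counter(r["next_protocol"] or "(no ALPN)" for r in rows)

def h2_servers(rows):
    """Sorted server names that negotiated h2, for spot-checking against
    the firewall's downgrade/decryption policy."""
    return sorted({r["server_name"] for r in rows if r["next_protocol"] == "h2"})

if __name__ == "__main__":
    ssl_rows = parse_zeek_log(SAMPLE_SSL_LOG)
    for proto, n in alpn_summary(ssl_rows).most_common():
        print(f"{proto:12} {n}")
    print("h2 servers:", ", ".join(h2_servers(ssl_rows)))
```

Point it at a real ssl.log (for example by reading the file into `parse_zeek_log`) on the sensor that sees the pre-decryption traffic; a large h2 share with few http.log entries is exactly the gap described in the thread.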