21 Aug
2019
21 Aug
'19
8:09 p.m.
Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you
might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap
but not a high priority.
You can check if you actually have HTTP/2 negotiated connections by monitoring the
pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN
designator for standard http2 is ‘h2’.
From: <zeek-bounces(a)zeek.org> on behalf of Eric Ooi <ericooi(a)gmail.com>
Date: Wednesday, August 21, 2019 at 1:57 PM
To: "zeek(a)zeek.org" <zeek(a)zeek.org>
Subject: [EXT] [Zeek] HTTP/2 analyzer
Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2
I've installed it but it doesn't seem to generate any http2.log files. I have a
Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek
sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet
seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic
seems to be.
Curious if anyone else has tried this or if the developers of the plugin are on the list
for me to bug. :P
Thanks!
Eric
21 Aug
21 Aug
8:39 p.m.
New subject: [EXT] HTTP/2 analyzer
Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so
it looks like I’m definitely seeing this on my network.
Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the
monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero
value for that field seems to be missing a corresponding log in Zeek. Whereas anytime
there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to
analyze it successfully.
It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only
to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn
how to write one myself. :P
Thanks,
Eric
On Aug 21, 2019, at 1:09 PM, Khan, Murad A.
<mkhan(a)mitre.org> wrote:
Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you
might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap
but not a high priority.
You can check if you actually have HTTP/2 negotiated connections by monitoring the
pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN
designator for standard http2 is ‘h2’.
From: <zeek-bounces(a)zeek.org <mailto:zeek-bounces@zeek.org>> on behalf of
Eric Ooi <ericooi(a)gmail.com <mailto:ericooi@gmail.com>>
Date: Wednesday, August 21, 2019 at 1:57 PM
To: "zeek(a)zeek.org <mailto:zeek@zeek.org>" <zeek(a)zeek.org
<mailto:zeek@zeek.org>>
Subject: [EXT] [Zeek] HTTP/2 analyzer
Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2
<https://github.com/MITRECND/bro-http2>
I've installed it but it doesn't seem to generate any http2.log files. I have
a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek
sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet
seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic
seems to be.
Curious if anyone else has tried this or if the developers of the plugin are on the list
for me to bug. :P
Thanks!
Eric
8:54 p.m.
New subject: [EXT] HTTP/2 analyzer
Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide a
pcap, it’ll help with troubleshooting. But there are other things we can check.
From: Eric Ooi <ericooi(a)gmail.com>
Date: Wednesday, August 21, 2019 at 2:40 PM
To: Murad Khan <mkhan(a)mitre.org>
Cc: "zeek(a)zeek.org" <zeek(a)zeek.org>
Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so
it looks like I’m definitely seeing this on my network.
Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the
monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero
value for that field seems to be missing a corresponding log in Zeek. Whereas anytime
there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to
analyze it successfully.
It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only
to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn
how to write one myself. :P
Thanks,
Eric
On Aug 21, 2019, at 1:09 PM, Khan, Murad A.
<mkhan@mitre.org<mailto:mkhan@mitre.org>> wrote:
Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you
might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap
but not a high priority.
You can check if you actually have HTTP/2 negotiated connections by monitoring the
pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN
designator for standard http2 is ‘h2’.
From: <zeek-bounces@zeek.org<mailto:zeek-bounces@zeek.org>> on behalf of Eric
Ooi <ericooi@gmail.com<mailto:ericooi@gmail.com>>
Date: Wednesday, August 21, 2019 at 1:57 PM
To: "zeek@zeek.org<mailto:zeek@zeek.org>"
<zeek@zeek.org<mailto:zeek@zeek.org>>
Subject: [EXT] [Zeek] HTTP/2 analyzer
Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2
I've installed it but it doesn't seem to generate any http2.log files. I have a
Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek
sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet
seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic
seems to be.
Curious if anyone else has tried this or if the developers of the plugin are on the list
for me to bug. :P
Thanks!
Eric
9:39 p.m.
New subject: [EXT] HTTP/2 analyzer
Thanks, Murad. I just found the option in Palo Alto to force the downgrade to HTTP/1.1
and Zeek is now seeing that traffic, thanks for the tip. I’ll still try to grab a PCAP of
HTTP/2 traffic and see if I can open an issue.
On Aug 21, 2019, at 1:54 PM, Khan, Murad A.
<mkhan(a)mitre.org> wrote:
Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide
a pcap, it’ll help with troubleshooting. But there are other things we can check.
From: Eric Ooi <ericooi(a)gmail.com>
Date: Wednesday, August 21, 2019 at 2:40 PM
To: Murad Khan <mkhan(a)mitre.org>
Cc: "zeek(a)zeek.org" <zeek(a)zeek.org>
Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so
it looks like I’m definitely seeing this on my network.
Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the
monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero
value for that field seems to be missing a corresponding log in Zeek. Whereas anytime
there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to
analyze it successfully.
It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only
to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn
how to write one myself. :P
Thanks,
Eric
> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan(a)mitre.org
<mailto:mkhan@mitre.org>> wrote:
>
> Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so
you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their
roadmap but not a high priority.
>
> You can check if you actually have HTTP/2 negotiated connections by monitoring the
pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN
designator for standard http2 is ‘h2’.
>
>
> From: <zeek-bounces(a)zeek.org <mailto:zeek-bounces@zeek.org>> on behalf of
Eric Ooi <ericooi(a)gmail.com <mailto:ericooi@gmail.com>>
> Date: Wednesday, August 21, 2019 at 1:57 PM
> To: "zeek(a)zeek.org <mailto:zeek@zeek.org>" <zeek(a)zeek.org
<mailto:zeek@zeek.org>>
> Subject: [EXT] [Zeek] HTTP/2 analyzer
>
> Has anyone tried the HTTP/2 analyzer from MITRE?:
https://github.com/MITRECND/bro-http2 <https://github.com/MITRECND/bro-http2>
>
> I've installed it but it doesn't seem to generate any http2.log files. I
have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my
Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I
haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my
decrypted traffic seems to be.
>
> Curious if anyone else has tried this or if the developers of the plugin are on the
list for me to bug. :P
>
> Thanks!
> Eric
26 Aug
26 Aug
7:55 p.m.
New subject: [EXT] HTTP/2 analyzer
Just submitted — https://github.com/MITRECND/bro-http2/issues/6
<https://github.com/MITRECND/bro-http2/issues/6>
On Aug 21, 2019, at 2:39 PM, Eric Ooi
<ericooi(a)gmail.com> wrote:
Thanks, Murad. I just found the option in Palo Alto to force the downgrade to HTTP/1.1
and Zeek is now seeing that traffic, thanks for the tip. I’ll still try to grab a PCAP of
HTTP/2 traffic and see if I can open an issue.
On Aug 21, 2019, at 1:54 PM, Khan, Murad A.
<mkhan(a)mitre.org <mailto:mkhan@mitre.org>> wrote:
Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide
a pcap, it’ll help with troubleshooting. But there are other things we can check.
From: Eric Ooi <ericooi(a)gmail.com <mailto:ericooi@gmail.com>>
Date: Wednesday, August 21, 2019 at 2:40 PM
To: Murad Khan <mkhan(a)mitre.org <mailto:mkhan@mitre.org>>
Cc: "zeek(a)zeek.org <mailto:zeek@zeek.org>" <zeek(a)zeek.org
<mailto:zeek@zeek.org>>
Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so
it looks like I’m definitely seeing this on my network.
Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the
monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero
value for that field seems to be missing a corresponding log in Zeek. Whereas anytime
there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to
analyze it successfully.
It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only
to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn
how to write one myself. :P
Thanks,
Eric
> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan(a)mitre.org
<mailto:mkhan@mitre.org>> wrote:
>
> Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so
you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their
roadmap but not a high priority.
>
> You can check if you actually have HTTP/2 negotiated connections by monitoring the
pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN
designator for standard http2 is ‘h2’.
>
>
> From: <zeek-bounces(a)zeek.org <mailto:zeek-bounces@zeek.org>> on behalf of
Eric Ooi <ericooi(a)gmail.com <mailto:ericooi@gmail.com>>
> Date: Wednesday, August 21, 2019 at 1:57 PM
> To: "zeek(a)zeek.org <mailto:zeek@zeek.org>" <zeek(a)zeek.org
<mailto:zeek@zeek.org>>
> Subject: [EXT] [Zeek] HTTP/2 analyzer
>
> Has anyone tried the HTTP/2 analyzer from MITRE?:
https://github.com/MITRECND/bro-http2 <https://github.com/MITRECND/bro-http2>
>
> I've installed it but it doesn't seem to generate any http2.log files. I
have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my
Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I
haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my
decrypted traffic seems to be.
>
> Curious if anyone else has tried this or if the developers of the plugin are on the
list for me to bug. :P
>
> Thanks!
> Eric
656
days inactive
661
days old
4 comments
2 participants
participants (2)
-
Eric Ooi -
Khan, Murad A.