On Aug 21, 2019, at 2:39 PM, Eric Ooi
Thanks, Murad. I just found the option in Palo Alto to force the downgrade to HTTP/1.1
and Zeek is now seeing that traffic, thanks for the tip. I’ll still try to grab a PCAP of
HTTP/2 traffic and see if I can open an issue.
On Aug 21, 2019, at 1:54 PM, Khan, Murad A.
<mkhan(a)mitre.org <mailto:firstname.lastname@example.org>> wrote:
Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide
a pcap, it’ll help with troubleshooting. But there are other things we can check.
From: Eric Ooi <ericooi(a)gmail.com <mailto:email@example.com>>
Date: Wednesday, August 21, 2019 at 2:40 PM
To: Murad Khan <mkhan(a)mitre.org <mailto:firstname.lastname@example.org>>
Cc: "zeek(a)zeek.org <mailto:email@example.com>" <zeek(a)zeek.org
Subject: Re: [EXT] [Zeek] HTTP/2 analyzer
Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so
it looks like I’m definitely seeing this on my network.
Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the
monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero
value for that field seems to be missing a corresponding log in Zeek. Whereas anytime
there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to
analyze it successfully.
It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only
to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn
how to write one myself. :P
> On Aug 21, 2019, at 1:09 PM, Khan, Murad A. <mkhan(a)mitre.org
> Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so
you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their
roadmap but not a high priority.
> You can check if you actually have HTTP/2 negotiated connections by monitoring the
pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN
designator for standard http2 is ‘h2’.
> From: <zeek-bounces(a)zeek.org <mailto:firstname.lastname@example.org>> on behalf of
Eric Ooi <ericooi(a)gmail.com <mailto:email@example.com>>
> Date: Wednesday, August 21, 2019 at 1:57 PM
> To: "zeek(a)zeek.org <mailto:firstname.lastname@example.org>" <zeek(a)zeek.org
> Subject: [EXT] [Zeek] HTTP/2 analyzer
> Has anyone tried the HTTP/2 analyzer from MITRE?:
> I've installed it but it doesn't seem to generate any http2.log files. I
have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my
Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I
haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my
decrypted traffic seems to be.
> Curious if anyone else has tried this or if the developers of the plugin are on the
list for me to bug. :P