MITRECND / bro-http2

Plugin for Zeek/Bro which provides http2 decoder/analyzer

I try to install it in Zeek 6.2 and I get an error #25

Open iyuvalk opened 1 month ago

iyuvalk commented 1 month ago

Hi. We have a lot of protobuf (GRPC) traffic that we want to monitor. Currently we're using Zeek 6.2 from here: https://hub.docker.com/layers/zeek/zeek/6.2/images/sha256-b4b9322d4028bb8256317d71081205a43bf96dbe7d294b17fe1a334175647396?context=explore

and when we try to install bro-http2 which is needed as a requirement for zeek-plugin-protobuf-sqli (from here: https://github.com/hmadrigal/zeek-plugin-protobuf-sqli) we get the following error. What should we do?

root@f347460cd16a:/# cat /usr/local/zeek/var/lib/zkg/logs/bro-http2-build.log
=== STDERR ===
Usage: zeek-config [OPTIONS]

Basic options:

  --build_type          Zeek build type as per cmake, lower case (e.g. 'relwithdebinfo')
  --prefix              Toplevel Zeek distribution installation directory
  --version             Zeek version number
  --zeek_dist           Toplevel directory of source tree the distribution built from
  --zeekpath            ZEEKPATH environment variable paths for this distribution

Specific directories in the Zeek distribution:

  --btest_tools_dir     Zeek-related BTest tooling
  --cmake_dir           Zeek's cmake modules
  --config_dir          Configuration files for cluster topology, zkg, etc
  --include_dir         C/C++ header folders for Zeek and related components, colon-separated
  --lib_dir             Toplevel folder for shared libraries, Python packages, etc
  --plugin_dir          Native-code Zeek plugins
  --python_dir          Python packages (Broker, ZeekControl, zkg, etc)
  --script_dir          Toplevel folder for Zeek scripts
  --site_dir            Site-specific Zeek scripts

Toplevel installation directories for third-party components:

  --binpac_root         BinPAC compiler
  --broker_root         Broker communication framework

Feature tests:

  --have-spicy-analyzers  Prints 'yes' if built-in Spicy analyzers are available; exit code reflects result

CMake Warning at /usr/local/zeek/share/zeek/cmake/ZeekPlugin.cmake:139 (message):
  Package requires CMake 3.5 which is less than Zeek's requirement (3.15.0).
  This will likely cause build failures and should be fixed.
Call Stack (most recent call first):
  CMakeLists.txt:7 (include)

CMake Warning:
  Manually-specified variables were not used by the project:

    BRO_CONFIG_CMAKE_DIR
    BRO_CONFIG_INCLUDE_DIR
    BRO_CONFIG_LIB_DIR
    CAF_ROOT_DIR

make: [Makefile:12: build-it] Error 1 (ignored)
/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/src/HTTP2.cc: In member function ‘virtual void analyzer::mitrecnd::HTTP2_Analyzer::DeliverStream(int, const u_char*, bool)’:
/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/src/HTTP2.cc:146:13: error: ‘ProtocolConfirmation’ was not declared in this scope; did you mean ‘LN_protocolInformation’?
  146 |             ProtocolConfirmation(); // Notify system that this is HTTP2.
      |             ^~~~~~~~~~~~~~~~~~~~
      |             LN_protocolInformation
/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/src/HTTP2.cc:158:17: error: ‘ProtocolViolation’ was not declared in this scope
  158 |                 ProtocolViolation("Unable to parse http 2 frame from data stream, fatal error");
      |                 ^~~~~~~~~~~~~~~~~
make[3]: *** [CMakeFiles/mitrecnd_HTTP2.dir/build.make:268: CMakeFiles/mitrecnd_HTTP2.dir/src/HTTP2.cc.o] Error 1
make[2]: *** [CMakeFiles/Makefile2:88: CMakeFiles/mitrecnd_HTTP2.dir/all] Error 2
make[1]: *** [Makefile:156: all] Error 2
make: *** [Makefile:13: build-it] Error 2
=== STDOUT ===
Build Directory        : build
Zeek Source Directory   : 
-- The C compiler identification is GNU 12.2.0
-- The CXX compiler identification is GNU 12.2.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success
-- Found Threads: TRUE  
-- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libcrypto.so (found version "3.0.11")  
-- Found BinPAC: /usr/local/zeek/bin/binpac  
-- Found BifCl at /usr/local/zeek/bin/bifcl
-- Setting plugin CMAKE_BUILD_TYPE to Release
-- Found LibNGHTTP2: /usr/lib/x86_64-linux-gnu/libnghttp2.so (found version "1.52.0") 
-- Found LibBROTLI: /usr/lib/x86_64-linux-gnu/libbrotlidec.so  
-- ---------------------
-- LibBROTLI ROOT DIR  : /usr
-- LibBROTLI INC DIR   : /usr/include/brotli
-- LibBROTLI LIB DIR   : /usr/lib/x86_64-linux-gnu/libbrotlidec.so
-- ---------------------
-- LibNGHTTP2 ROOT DIR : /usr
-- LibNGHTTP2 INC DIR  : /usr/include/nghttp2
-- LibNGHTTP2 LIB DIR  : /usr/lib/x86_64-linux-gnu/libnghttp2.so
-- Install prefix for plugin mitrecnd_HTTP2: /usr/local/zeek/lib/zeek/plugins
-- Tarball path for plugin mitrecnd_HTTP2: /usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build/mitrecnd_HTTP2.tgz
-- Configuring done
-- Generating done
-- Build files have been written to: /usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build
( cd build && make )
make[1]: Entering directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[2]: Entering directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[3]: Entering directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[3]: Leaving directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[3]: Entering directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[3]: Leaving directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
[  0%] Built target mitrecnd_HTTP2_symlink
make[3]: Entering directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
[  6%] [BIFCL] Processing /usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/src/http2.bif
[ 12%] [BIFCL] Processing /usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/src/events.bif
make[3]: Leaving directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[3]: Entering directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
[ 18%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/events.bif.cc.o
[ 25%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/events.bif.init.cc.o
[ 31%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/events.bif.register.cc.o
[ 37%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/http2.bif.cc.o
[ 43%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/http2.bif.init.cc.o
[ 50%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/http2.bif.register.cc.o
[ 56%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/src/Plugin.cc.o
[ 62%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/src/HTTP2_Frame.cc.o
[ 68%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/src/HTTP2_FrameReassembler.cc.o
[ 75%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/src/HTTP2_HeaderStorage.cc.o
[ 81%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/src/HTTP2_Stream.cc.o
[ 87%] Building CXX object CMakeFiles/mitrecnd_HTTP2.dir/src/HTTP2.cc.o
make[3]: Leaving directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[2]: Leaving directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'
make[1]: Leaving directory '/usr/local/zeek/var/lib/zkg/testing/zeek-plugin-protobuf-sqli.git/clones/bro-http2/build'

stachdude commented 2 weeks ago

Same on LTS Zeek version 6.0.4

awelzel commented 2 weeks ago

For Zeek 6.1 and 6.2, the PR from @eric-ooi #24 needs to be merged.

For Zeek 6.0, one can manually specify using the latest version by entering zkg install bro-http2 --version master. There's no up-to-date tag in this repository. The last tag 0.6.0 is from Oct 6, 2021 and that's what zkg picks by default.

@malwarefrank / @Mraoul - could you merge #24 and make a new release/tag thereafter so that this plugin once again works for recent Zeek versions? Thanks!

eric-ooi commented 2 weeks ago

Thanks for the shout out @awelzel. 🙂 As a workaround, I've been using "zkg install https://github.com/eric-ooi/bro-http2.git --version master" to pull from my fork.

malwarefrank commented 2 weeks ago

@awelzel @eric-ooi Done. Let us know if that's working and we can close this

eric-ooi commented 2 weeks ago

Just installed without issue for me -- thanks @malwarefrank!

stachdude commented 2 weeks ago

Same here, works fine now. Thanks!