MITRECND / bro-http2

Plugin for Zeek/Bro which provides http2 decoder/analyzer

HTTP2 traffic not being decoded properly #6

Closed eric-ooi closed 5 years ago

eric-ooi commented 5 years ago

I have a Zeek sensor configured to monitor decrypted SSL/TLS traffic from a Palo Alto firewall mirror port. A large volume of this decrypted traffic is HTTP/2 as noted by Palo Alto's "Monitor" tab showing HTTP/2 Connection Session ID values. I've successfully installed bro-http2 via the Zeek package manager with no errors.

Decrypted HTTP/1.1 traffic is successfully analyzed and logged by Zeek as expected, but any logs in the Palo Alto "Monitor" with a non-zero HTTP/2 Connection Session ID value do not have a corresponding record in Zeek data. I've also tried selecting the "Strip ALPN" option to force the downgrade to HTTP/1.1. Doing this results in successful analysis by Zeek since the traffic is now HTTP/1.1.

I've attached a PCAP of decrypted HTTP/2 traffic from linkedin.com that Zeek was unable to analyze via bro-http2. Note that GitHub wouldn't let me upload ".pcap", so I renamed it to ".log": https_linkedin.log

For reference I'm running Zeek/Bro 2.6.3 on CentOS 7 x64.

Mraoul commented 5 years ago

Hey, did you run this with Zeek offline? I ran it with version 2.6.3 on CentOS 7.6 and it produced an http2.log file with ~50 entries. If so, what config did you pass to Zeek -- was the analyzer `@load`-ed?

eric-ooi commented 5 years ago

Doh! I was just using the instructions I found that said to just `@load packages` in my local.bro. How would I test it offline? Can you share the command line?

eric-ooi commented 5 years ago

Ha! I just explicitly stated `@load http2` under `@load packages` and that seems to have gotten it going! Not sure why JUST `@load packages` didn't work. Can you give it a try on your end to confirm if I'm crazy? :P

Mraoul commented 5 years ago

This is by design since instead of a bro script, it's a full analyzer and unconditionally loading an analyzer can have unintended consequences and be inflexible. This would allow one to only load the analyzer on specific machines (in a cluster) or do further bro-script specific manipulations. I.e., if someone wanted to run zeek in bare mode and then only load specific analyzers. We wanted to keep the behavior as close to the built-in analyzers as much as possible.

Btw, the easiest way to test would be `bro -r <pcap.file> -e "@load http2"`, but that usually throws some warning, so I usually just put `@load http2` into a file (e.g., policy.bro) and then run `bro -r <pcap.file> policy.bro`.
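The policy file Mraoul describes, written out as an added example (it is not code from the bro-http2 repository or from this thread). It goes one step further than the thread and gates the `@load http2` on the Zeek cluster framework, so the analyzer is only enabled on worker nodes in a cluster while still loading unconditionally for a standalone offline run. The only package-specific assumption is the one the thread confirms, that the analyzer is loadable as `http2`; `Cluster::is_enabled()`, `Cluster::local_node_type()` and the `@if`/`@endif` directives are standard Zeek script constructs.

```zeek
# policy.bro -- constructed example, not part of the bro-http2 package.
#
# Offline test, as suggested in the thread:
#   bro -r <pcap.file> policy.bro
# A decoded HTTP/2 capture should then produce http2.log next to conn.log.

# Pull in everything installed by the package manager. On its own this does
# NOT enable the http2 analyzer: bro-http2 is a full analyzer plugin, not a
# script, and the authors leave enabling it to the operator on purpose.
@load packages

# Enable the analyzer only where traffic is actually inspected:
#  - standalone / offline (no cluster framework active): always load it;
#  - clustered deployment: load it on worker nodes only, so the manager,
#    logger and proxies do not carry an analyzer they never exercise.
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::WORKER )
@load http2
@endif
```

In a cluster this file would be referenced from local.bro (or loaded on the relevant nodes) in place of a bare `@load http2`; in the `bro -r` case above, the cluster framework is inactive, so the first half of the condition is true and the analyzer is loaded exactly as in the thread's one-line test.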

eric-ooi commented 5 years ago

Ahh, that makes sense. Thanks so much for your help and for creating this awesome analyzer! Pretty happy with how well it works so far, especially now that I know how to actually enable it, haha. My plan is to include it as part of my Zeekurity Zen Zeries.

Thanks again!