Decode HTTP2 on zeek #13854

masedira · 2024-10-22T23:35:52Z

masedira
Oct 22, 2024

Version

2.4.110

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

20

Storage for /

100

Storage for /nsm

300

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Reviving this old thread which was unanswered 2y ago and is now locked

==========================

Hi all,

I am trying to analyze HTTP2 traffic, but it seems the zeek http2 decoder is not installed.
There is a package called bro-http2 https://github.com/MITRECND/bro-http2 which can perform that task,

it works on my standalone zeek server, but I don't know how to add it to zeek within the security onion environment.

Is there a way to install additional zeek packages on top of the default ones that come with security onion?

Thanks

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by reyesj2

Nov 14, 2024

@masedira With .120 you should see http2 support in Zeek with the mitrecnd/bro-http2 plugin

View full answer

TOoSmOotH · 2024-10-23T13:22:11Z

TOoSmOotH
Oct 23, 2024
Maintainer

There is no current way to add your own plugins. We will look at possibly adding this plugin when we migrate to Zeek 7. There is more to it then just enabling the plugin though. We have to make sure the new log file is picked up and is being parsed properly. Then add it to all the dashboards etc.

3 replies

masedira Oct 25, 2024
Author

Thanks @TOoSmOotH ,

To further explain the issue, I have an inline SSL decryption solution which sends a copy of the decrypted traffic to SO.

I first noticed that files are not being extracted and after some troubleshooting I realized that most of the sessions are HTTP2.

So not having the http2 decoder in so-zeek will make this a big blindspot.

I have a standalone zeek server as well and upon installing the pluging things started working for that decrypted traffic.

My suggestion would be to include the plugin in a basic way initially to solve this issue , i.e. just leave the default zeek log files / not adding it to the dashboard ..etc... which can come at a later stage.

reyesj2 Nov 14, 2024
Maintainer

@masedira With .120 you should see http2 support in Zeek with the mitrecnd/bro-http2 plugin

Answer selected by reyesj2

masedira Nov 14, 2024
Author

Thanks @reyesj2 this is amazing news.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Decode HTTP2 on zeek #13854

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Decode HTTP2 on zeek #13854

Uh oh!

masedira Oct 22, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 3 replies

Uh oh!

TOoSmOotH Oct 23, 2024 Maintainer

Uh oh!

masedira Oct 25, 2024 Author

Uh oh!

reyesj2 Nov 14, 2024 Maintainer

Uh oh!

masedira Nov 14, 2024 Author

masedira
Oct 22, 2024

Replies: 1 comment 3 replies

TOoSmOotH
Oct 23, 2024
Maintainer

masedira Oct 25, 2024
Author

reyesj2 Nov 14, 2024
Maintainer

masedira Nov 14, 2024
Author