MITRE has created a plugin for Bro that adds an analyzer for the HTTP/2 protocol (RFC 7540) and released it open source at https://github.com/MITRECND/bro-http2
A little background on HTTP/2 – after using HTTP 1.x for the longest time companies wanted to come up with a successor protocol that took into consideration the changes that had occurred with the web since the creation of the HTTP 1.x specifications (HTTP 1.1, RFC 2616 came out in 1999!). This led to the creation of SPDY, realizing that SPDY was useful, the IETF took its concepts and formalized a new protocol and called it “HTTP/2”. HTTP/2 introduces a number of changes and improvements on top of HTTP 1.x including providing native multiplexed communication channels. HTTP/2 also completely changes the transport mechanism, now being a binary protocol (for those not intimately familiar with HTTP 1.x, it is a text-oriented protocol).
The analyzer has two dependencies – libnghttp2, available via apt (Ubuntu) and yum (CentOS EPEL) and brotli (not available via repos, only via github at https://github.com/google/brotli). It also currently doesn’t support the Bro Package Manager (this is on the todo list). After installing the plugin, it needs to be loaded, which can be done by putting “@load http2” into your bro policy/script file. This analyzer will create an http2.log file where http2 transactions will go to. For more information, reference the README on github.
There are a couple of very important caveats with using this analyzer. First, you will likely not see any HTTP2 traffic in the clear, pretty much ever, since the major browsers, afaik, have decided on only using HTTP/2 with TLS ALPN (RFC 7301). So, this means, to use this analyzer you will need to have some SSL/TLS interception capability in place to decrypt traffic and provide it to bro which will in turn allow this analyzer to analyze the traffic. If someone finds this to be untrue and sees a significant amount of http2 traffic in the clear, I’d like to hear about. Secondly, this analyzer doesn’t have a dpd.sig file so you’ll need to specify, explicitly, which ports to analyze – by default ports 80 and 443 are configured which should be good enough for most people. Lastly, this analyzer, although stable, still has some things on the to-do list and could probably use some more testing and feedback so if you decide to install/run it and run into an issue please contact us about it.
For those who have ssl logs and are interested in seeing how much HTTP/2 traffic their organization is seeing, take a look at the “next_protocol” column in ssl.log which indicates the ALPN negotiated protocol.