[EXT] HTTP/2 analyzer

Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority.

You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’.

Thanks, Murad! I checked ssl.log and do see a good amount of traffic with “h2” listed, so it looks like I’m definitely seeing this on my network.

Only reason I believe that Palo is still sending it as HTTP/2 traffic is because the monitor tab has a “HTTP/2 Connection Session ID” and each line entry that has a non-zero value for that field seems to be missing a corresponding log in Zeek. Whereas anytime there’s a zero value in that column, presumably denoting HTTP/1.1 traffic, Zeek is able to analyze it successfully.

It’s not a big deal, but I was so excited to have Zeek analyze my decrypted traffic only to find that most of it is HTTP/2. I suppose I’ll wait for the official analyzer or learn how to write one myself. :stuck_out_tongue:


Weird. I’d recommend opening an issue on github, if you can. Ideally, if you can provide a pcap, it’ll help with troubleshooting. But there are other things we can check.

Thanks, Murad. I just found the option in Palo Alto to force the downgrade to HTTP/1.1 and Zeek is now seeing that traffic, thanks for the tip. I’ll still try to grab a PCAP of HTTP/2 traffic and see if I can open an issue.

Just submitted — https://github.com/MITRECND/bro-http2/issues/6