Has anyone tried the HTTP/2 analyzer from MITRE? https://github.com/MITRECND/bro-http2
I’ve installed it, but it doesn’t seem to generate any http2.log files. I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic, but I haven’t yet seen decrypted HTTP/2 traffic show up, which is what the majority of my decrypted traffic seems to be.
Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug.
Thanks!
Eric