mitrecnd / bro-http2 Goto Github PK

View Code? Open in Web Editor NEW

30.0 30.0 21.0 175 KB

Plugin for Zeek/Bro which provides http2 decoder/analyzer

License: Other

CMake 3.63% Makefile 0.47% C++ 82.68% C 0.43% Shell 1.20% Zeek 11.46% Standard ML 0.13%

bro-http2's People

Contributors

Stargazers

Watchers

bro-http2's Issues

Possible issue in brotli decoding

I believe that a buffer is used incorrectly in

bro-http2/src/HTTP2_Stream.cc

Lines 230 to 248 in 54b9d68

 void HTTP2_HalfStream::translateBrotliBody(int len, const char* data) 

 { 

 BrotliDecoderResult result; 

 size_t total_out = 0; 

 size_t available_in = len; 

 const uint8_t* next_in = (const uint8_t*) data; 

 size_t available_out = MAX_FRAME_SIZE; 

 uint8_t *next_out = this->brotli_buffer; 

 result = BrotliDecoderDecompressStream(this->brotli, 

 &available_in, 

 &next_in, 

 &available_out, 

 &next_out, 

 &total_out); 

 if (result == BROTLI_DECODER_RESULT_SUCCESS) { 

 DeliverBodyClear((int)available_out, (const char *)this->brotli_buffer, false); 

 } 

 }

According to the docs:
https://github.com/google/brotli/blob/9cd01c0437e8b6010434d3491a348a5645de624b/c/include/brotli/decode.h#L231-L235

available_out is the "remaining size of output buffer", and total_out is "number of bytes decompressed so far"

available_out is what is passed to DeliverBodyClear and then to SubmitData. I believe this is what is causing extracted files to contain many megabytes of trailing null bytes.

Incomplete code

it is an incomplete code, such as there is no nghttp2.h、Reporter.h、util.h and so on

support-zeek-40 branch compile errors (no BroString.h ) on latest zeek

Hello,

I noticed that the plugin has a "support-zeek-40" branch which seem compatible with zeek 4.x. However, I tested it with latest zeek master(via git clone --recursive https://github.com/zeek/zeek), and this plugin couldn't compile successfully.

I used the specific branch:

$ git branch
* support-zeek-40

Both required packages: Nghttp2 and Brotli were installed, and the configure output:

$ ./configure --zeek-dist=/home/zeek/Documents/zeek-master
Build Directory        : build
Zeek Source Directory   : /home/zeek/Documents/zeek-master
-- The C compiler identification is GNU 9.3.0
-- The CXX compiler identification is GNU 9.3.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Performing Test cxx17_already_works
-- Performing Test cxx17_already_works - Failed
-- Performing Test cxx17_works
-- Performing Test cxx17_works - Success
-- Zeek executable      :
-- Zeek source          : /home/zeek/Documents/zeek-master
-- Zeek build           : /home/zeek/Documents/zeek-master/build
-- Zeek install prefix  : /usr/local/zeek
-- Zeek plugin directory: /usr/local/zeek/lib/zeek/plugins
-- Zeek debug mode      : false
-- Found LibNGHTTP2: /usr/lib/x86_64-linux-gnu/libnghttp2.so (found version "1.40.0")
-- Found LibBROTLI: /usr/local/lib/libbrotlidec.so
-- ---------------------
-- LibBROTLI ROOT DIR  : /usr/local
-- LibBROTLI INC DIR   : /usr/local/include/brotli
-- LibBROTLI LIB DIR   : /usr/local/lib/libbrotlidec.so
-- ---------------------
-- LibNGHTTP2 ROOT DIR : /usr
-- LibNGHTTP2 INC DIR  : /usr/include/nghttp2
-- LibNGHTTP2 LIB DIR  : /usr/lib/x86_64-linux-gnu/libnghttp2.so
-- Configuring done
-- Generating done
-- Build files have been written to: /home/zeek/Documents/bro-http2/build

However, when I tried to compile, errors were shown as:

$ make
[  5%] Built target bif-plugin-mitrecnd_HTTP2-events.bif
[  5%] Built target generate_outputs
[ 10%] Built target bif-plugin-mitrecnd_HTTP2-http2.bif
[ 15%] Creating __bro_plugin__ for mitrecnd::HTTP2
[ 15%] Built target bro-plugin-mitrecnd_HTTP2
[ 15%] Built target copy-scripts-mitrecnd_HTTP2
[ 15%] Built target bif-init-mitrecnd_HTTP2
[ 21%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/Plugin.cc.o
In file included from /home/zeek/Documents/bro-http2/src/HTTP2_Stream.h:10,
                 from /home/zeek/Documents/bro-http2/src/HTTP2.h:19,
                 from /home/zeek/Documents/bro-http2/src/Plugin.cc:2:
/home/zeek/Documents/bro-http2/src/HTTP2_HeaderStorage.h:6:10: fatal error: BroString.h: No such file or directory
    6 | #include "BroString.h"
      |          ^~~~~~~~~~~~~
compilation terminated.
make[2]: *** [CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/build.make:101: CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/Plugin.cc.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:143: CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/all] Error 2
make: *** [Makefile:152: all] Error 2

It seems issue 9 is a similar issue, which had been fixed, but on zeek 3.x. So I assume that the plugin hasn't support zeek 4.x yet? And if it's possible, how to fix this error?

Thanks for your help!

Installation / build fails

I've tried to install this both using the bro-pkg way ( bro-pkg install https://github.com/MITRECND/bro-http2 ) and the manual install and both fails.

I've double checked the prereqs and the ./configure portion doesn't seem to complain about something either.

When I run the 'make' step I get the following output.

(base) root@abn-brodev1:~/test/bro-http2# make
Makefile:11: recipe for target 'build-it' failed
make: [build-it] Error 1 (ignored)
( cd build && make )
make[1]: Entering directory '/root/test/bro-http2/build'
make[2]: Entering directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target bif-plugin-mitrecnd_HTTP2-events.bif
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
[ 5%] [BIFCL] Processing src/events.bif
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 5%] Built target bif-plugin-mitrecnd_HTTP2-events.bif
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target bif-plugin-mitrecnd_HTTP2-http2.bif
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
[ 10%] [BIFCL] Processing src/http2.bif
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 10%] Built target bif-plugin-mitrecnd_HTTP2-http2.bif
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target bro-plugin-mitrecnd_HTTP2
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
[ 15%] Creating bro_plugin for mitrecnd::HTTP2
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 15%] Built target bro-plugin-mitrecnd_HTTP2
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target copy-scripts-mitrecnd_HTTP2
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 15%] Built target copy-scripts-mitrecnd_HTTP2
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target copy-bif-mitrecnd_HTTP2
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
[ 20%] Creating build/lib/bif for mitrecnd::HTTP2
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 20%] Built target copy-bif-mitrecnd_HTTP2
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target generate_outputs
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 20%] Built target generate_outputs
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target bif-init-mitrecnd_HTTP2
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
make[3]: Leaving directory '/root/test/bro-http2/build'
[ 20%] Built target bif-init-mitrecnd_HTTP2
make[3]: Entering directory '/root/test/bro-http2/build'
Scanning dependencies of target mitrecnd-HTTP2.linux-x86_64
make[3]: Leaving directory '/root/test/bro-http2/build'
make[3]: Entering directory '/root/test/bro-http2/build'
[ 25%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/Plugin.cc.o
[ 30%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/HTTP2_Frame.cc.o
[ 35%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/HTTP2_FrameReassembler.cc.o
[ 40%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/HTTP2_HeaderStorage.cc.o
[ 45%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/HTTP2_Stream.cc.o
/root/test/bro-http2/src/HTTP2_Stream.cc: In member function ‘bool analyzer::mitrecnd::HTTP2_HalfStream::processHeaders(uint8_t**, uint32_t&, bool, std::__cxx11::string&, std::__cxx11::string&)’:
/root/test/bro-http2/src/HTTP2_Stream.cc:70:50: error: ‘nghttp2_hd_inflate_hd2’ was not declared in this scope
endHeaders);
^
CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/build.make:194: recipe for target 'CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/HTTP2_Stream.cc.o' failed
make[3]: *** [CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/HTTP2_Stream.cc.o] Error 1
make[3]: Leaving directory '/root/test/bro-http2/build'
CMakeFiles/Makefile2:270: recipe for target 'CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/all' failed
make[2]: *** [CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/all] Error 2
make[2]: Leaving directory '/root/test/bro-http2/build'
Makefile:149: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/root/test/bro-http2/build'
Makefile:11: recipe for target 'build-it' failed
make: *** [build-it] Error 2

I'm running this on a fully patched Ubuntu 16.04.

Zeek v5 compatibility

Zeek v5.0 was just released and I'm seeing the following errors when trying to run zeekctl deploy:

[zeek@sensor zeek-5.0.0]$ zeekctl deploy
checking configurations ...
logger scripts failed.
error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: cannot load plugin library /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: undefined symbol: _ZN4zeek8analyzer3tcp23TCP_ApplicationAnalyzer17AnalyzerViolationEPKcS4_i
fatal error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: aborting after plugin errors

manager scripts failed.
error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: cannot load plugin library /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: undefined symbol: _ZN4zeek8analyzer3tcp23TCP_ApplicationAnalyzer17AnalyzerViolationEPKcS4_i
fatal error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: aborting after plugin errors

proxy-1 scripts failed.
error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: cannot load plugin library /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: undefined symbol: _ZN4zeek8analyzer3tcp23TCP_ApplicationAnalyzer17AnalyzerViolationEPKcS4_i
fatal error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: aborting after plugin errors

worker-1-1 scripts failed.
error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: cannot load plugin library /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: /opt/zeek/lib64/zeek/plugins/packages/bro-http2//lib/mitrecnd-HTTP2.linux-x86_64.so: undefined symbol: _ZN4zeek8analyzer3tcp23TCP_ApplicationAnalyzer17AnalyzerViolationEPKcS4_i
fatal error in /opt/zeek/share/zeek/base/init-bare.zeek, line 1: aborting after plugin errors

Please let me know if you need additional information to help troubleshoot the errors. Thanks!

HTTP2 traffic not being decoded properly

I have a Zeek sensor configured to monitor decrypted SSL/TLS traffic from a Palo Alto firewall mirror port. A large volume of this decrypted traffic is HTTP/2 as noted by Palo Alto's "Monitor" tab showing HTTP/2 Connection Session ID values. I've successfully installed bro-http2 via the Zeek package manager with no errors.

Decrypted HTTP/1.1 traffic is successfully analyzed and logged by Zeek as expected, but any logs in the Palo Alto "Monitor" with a non-zero HTTP/2 Connection Session ID value do not have a corresponding record in Zeek data. I've also tried selecting the "Strip ALPN" option to force the downgrade to HTTP/1.1. Doing this results in successful analysis by Zeek since the traffic is now HTTP/1.1.

I've attached a PCAP of decrypted HTTP/2 traffic from linkedin.com that Zeek was unable to analyze via bro-http2. Note that github wouldn't let me upload ".pcap" so I renamed it to ".log."
https_linkedin.log

For reference I'm running Zeek/Bro 2.6.3 on CentOS 7 x64.

Zeek 3.2 compatibility

Zeek v3.2 was just released -- https://zeek.org/2020/08/10/zeek-3-2-released

I tried installing the package for Zeek 3.2 and got the following errors (looks like quite a bit was changed in this release):

=== STDERR ===
make: [Makefile:12: build-it] Error 1 (ignored)
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_HeaderStorage.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Stream.h:10,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:19,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/zeek-3.2.0/src/BroString.h:1:2: warning: #warning "BroString.h is deprecated and will be removed in v4.1. Use ZeekString.h instead." [-Wcpp]
    1 | #warning "BroString.h is deprecated and will be removed in v4.1. Use ZeekString.h instead."
      |  ^~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:13:39: warning: ‘using Configuration = class zeek::plugin::Configuration’ is deprecated: Remove in v4.1. Use zeek::plugin::Configuration instead [-Wdeprecated-declarations]
   13 |     plugin::Configuration Configure() override;
      |                                       ^~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/zeek-3.2.0/src/plugin/Plugin.h:902:7: note: declared here
  902 | using Configuration [[deprecated("Remove in v4.1. Use zeek::plugin::Configuration instead")]] = zeek::plugin::Configuration;
      |       ^~~~~~~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_FrameReassembler.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:18,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:152:23: error: ‘pair’ was not declared in this scope; did you mean ‘std::pair’?
  152 |     const std::vector<pair<uint16_t, uint32_t>>& getUnrecognizedSettings(void){return (this->unrec_settings);};
      |                       ^~~~
      |                       std::pair
In file included from /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_algobase.h:64,
                 from /opt/rh/devtoolset-9/root/usr/include/c++/9/list:60,
                 from /home/zeek/zeek-3.2.0/src/plugin/Plugin.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_pair.h:208:12: note: ‘std::pair’ declared here
  208 |     struct pair
      |            ^~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_FrameReassembler.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:18,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:152:38: error: template argument 1 is invalid
  152 |     const std::vector<pair<uint16_t, uint32_t>>& getUnrecognizedSettings(void){return (this->unrec_settings);};
      |                                      ^~~~~~~~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:152:46: error: expected unqualified-id before ‘>’ token
  152 |     const std::vector<pair<uint16_t, uint32_t>>& getUnrecognizedSettings(void){return (this->unrec_settings);};
      |                                              ^~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:170:17: error: ‘pair’ was not declared in this scope; did you mean ‘std::pair’?
  170 |     std::vector<pair<uint16_t, uint32_t>> unrec_settings;
      |                 ^~~~
      |                 std::pair
In file included from /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_algobase.h:64,
                 from /opt/rh/devtoolset-9/root/usr/include/c++/9/list:60,
                 from /home/zeek/zeek-3.2.0/src/plugin/Plugin.h:5,
:
=== STDERR ===
make: [Makefile:12: build-it] Error 1 (ignored)
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_HeaderStorage.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Stream.h:10,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:19,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/zeek-3.2.0/src/BroString.h:1:2: warning: #warning "BroString.h is deprecated and will be removed in v4.1. Use ZeekString.h instead." [-Wcpp]
    1 | #warning "BroString.h is deprecated and will be removed in v4.1. Use ZeekString.h instead."
      |  ^~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:13:39: warning: ‘using Configuration = class zeek::plugin::Configuration’ is deprecated: Remove in v4.1. Use zeek::plugin::Configuration instead [-Wdeprecated-declarations]
   13 |     plugin::Configuration Configure() override;
      |                                       ^~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/zeek-3.2.0/src/plugin/Plugin.h:902:7: note: declared here
  902 | using Configuration [[deprecated("Remove in v4.1. Use zeek::plugin::Configuration instead")]] = zeek::plugin::Configuration;
      |       ^~~~~~~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_FrameReassembler.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:18,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:152:23: error: ‘pair’ was not declared in this scope; did you mean ‘std::pair’?
  152 |     const std::vector<pair<uint16_t, uint32_t>>& getUnrecognizedSettings(void){return (this->unrec_settings);};
      |                       ^~~~
      |                       std::pair
In file included from /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_algobase.h:64,
                 from /opt/rh/devtoolset-9/root/usr/include/c++/9/list:60,
                 from /home/zeek/zeek-3.2.0/src/plugin/Plugin.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_pair.h:208:12: note: ‘std::pair’ declared here
  208 |     struct pair
      |            ^~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_FrameReassembler.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:18,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:152:38: error: template argument 1 is invalid
  152 |     const std::vector<pair<uint16_t, uint32_t>>& getUnrecognizedSettings(void){return (this->unrec_settings);};
      |                                      ^~~~~~~~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:152:46: error: expected unqualified-id before ‘>’ token
  152 |     const std::vector<pair<uint16_t, uint32_t>>& getUnrecognizedSettings(void){return (this->unrec_settings);};
      |                                              ^~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:170:17: error: ‘pair’ was not declared in this scope; did you mean ‘std::pair’?
  170 |     std::vector<pair<uint16_t, uint32_t>> unrec_settings;
      |                 ^~~~
      |                 std::pair
In file included from /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_algobase.h:64,
                 from /opt/rh/devtoolset-9/root/usr/include/c++/9/list:60,
                 from /home/zeek/zeek-3.2.0/src/plugin/Plugin.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/opt/rh/devtoolset-9/root/usr/include/c++/9/bits/stl_pair.h:208:12: note: ‘std::pair’ declared here
  208 |     struct pair
      |            ^~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_FrameReassembler.h:6,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:18,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:170:32: error: template argument 1 is invalid
  170 |     std::vector<pair<uint16_t, uint32_t>> unrec_settings;
      |                                ^~~~~~~~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Frame.h:170:40: error: expected unqualified-id before ‘>’ token
  170 |     std::vector<pair<uint16_t, uint32_t>> unrec_settings;
      |                                        ^~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Stream.h:10,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:19,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_HeaderStorage.h:78:53: warning: ‘using RecordVal = class zeek::RecordVal’ is deprecated: Remove in v4.1. Use zeek::RecordVal instead. [-Wdeprecated-declarations]
   78 |     RecordVal* BuildHeaderVal(HTTP2_HeaderStorage& h);
      |                                                     ^
In file included from /home/zeek/zeek-3.2.0/src/NetVar.h:5,
                 from /home/zeek/zeek-3.2.0/src/bro-bif.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/build/events.bif.h:7,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:12,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/zeek-3.2.0/src/Val.h:1441:7: note: declared here
 1441 | using RecordVal [[deprecated("Remove in v4.1. Use zeek::RecordVal instead.")]] = zeek::RecordVal;
      |       ^~~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_Stream.h:10,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:19,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2_HeaderStorage.h:86:36: warning: ‘using TableVal = class zeek::TableVal’ is deprecated: Remove in v4.1. Use zeek::TableVal instead. [-Wdeprecated-declarations]
   86 |     TableVal* BuildHeaderTable(void);
      |                                    ^
In file included from /home/zeek/zeek-3.2.0/src/plugin/Plugin.h:9,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/zeek-3.2.0/src/Stats.h:15:33: note: declared here
   15 | ZEEK_FORWARD_DECLARE_NAMESPACED(TableVal, zeek);
      |                                 ^~~~~~~~
/home/zeek/zeek-3.2.0/build/zeek-config.h:281:8: note: in definition of macro ‘ZEEK_FORWARD_DECLARE_NAMESPACED’
  281 |  using cls [[deprecated("Remove in v4.1. Use " #ns "::" #cls " instead.")]] = ns::cls;
      |        ^~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:109:39: warning: ‘using BroString = class zeek::String’ is deprecated: Remove in v4.1. Use zeek::String instead. [-Wdeprecated-declarations]
  109 |                        bool push=false);
      |                                       ^
In file included from /home/zeek/zeek-3.2.0/src/NetVar.h:5,
                 from /home/zeek/zeek-3.2.0/src/bro-bif.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/build/events.bif.h:7,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:12,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/zeek-3.2.0/src/Val.h:33:7: note: declared here
   33 | using BroString [[deprecated("Remove in v4.1. Use zeek::String instead.")]] = zeek::String;
      |       ^~~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:146:66: warning: ‘using RecordVal = class zeek::RecordVal’ is deprecated: Remove in v4.1. Use zeek::RecordVal instead. [-Wdeprecated-declarations]
  146 |     void HTTP2_StreamEnd(unsigned stream, RecordVal* stream_stats);
      |                                                                  ^
In file included from /home/zeek/zeek-3.2.0/src/NetVar.h:5,
                 from /home/zeek/zeek-3.2.0/src/bro-bif.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/build/events.bif.h:7,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:12,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/zeek-3.2.0/src/Val.h:1441:7: note: declared here
 1441 | using RecordVal [[deprecated("Remove in v4.1. Use zeek::RecordVal instead.")]] = zeek::RecordVal;
      |       ^~~~~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:172:70: warning: ‘using TableVal = class zeek::TableVal’ is deprecated: Remove in v4.1. Use zeek::TableVal instead. [-Wdeprecated-declarations]
  172 |     void HTTP2_AllHeaders(bool orig, unsigned stream, TableVal* hlist);
      |                                                                      ^
In file included from /home/zeek/zeek-3.2.0/src/plugin/Plugin.h:9,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/zeek-3.2.0/src/Stats.h:15:33: note: declared here
   15 | ZEEK_FORWARD_DECLARE_NAMESPACED(TableVal, zeek);
      |                                 ^~~~~~~~
/home/zeek/zeek-3.2.0/build/zeek-config.h:281:8: note: in definition of macro ‘ZEEK_FORWARD_DECLARE_NAMESPACED’
  281 |  using cls [[deprecated("Remove in v4.1. Use " #ns "::" #cls " instead.")]] = ns::cls;
      |        ^~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:303:84: warning: ‘using RecordVal = class zeek::RecordVal’ is deprecated: Remove in v4.1. Use zeek::RecordVal instead. [-Wdeprecated-declarations]
  303 |     void HTTP2_Settings_Event(bool orig, uint32_t stream, RecordVal* settingsRecord);
      |                                                                                    ^
In file included from /home/zeek/zeek-3.2.0/src/NetVar.h:5,
                 from /home/zeek/zeek-3.2.0/src/bro-bif.h:5,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/build/events.bif.h:7,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/HTTP2.h:12,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:2:
/home/zeek/zeek-3.2.0/src/Val.h:1441:7: note: declared here
 1441 | using RecordVal [[deprecated("Remove in v4.1. Use zeek::RecordVal instead.")]] = zeek::RecordVal;
      |       ^~~~~~~~~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:9:41: warning: ‘using Configuration = class zeek::plugin::Configuration’ is deprecated: Remove in v4.1. Use zeek::plugin::Configuration instead [-Wdeprecated-declarations]
    9 | plugin::Configuration Plugin::Configure()
      |                                         ^
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/zeek-3.2.0/src/plugin/Plugin.h:902:7: note: declared here
  902 | using Configuration [[deprecated("Remove in v4.1. Use zeek::plugin::Configuration instead")]] = zeek::plugin::Configuration;
      |       ^~~~~~~~~~~~~
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc: In member function ‘virtual plugin::Configuration plugin::mitrecnd_HTTP2::Plugin::Configure()’:
/home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:13:27: warning: ‘using Configuration = class zeek::plugin::Configuration’ is deprecated: Remove in v4.1. Use zeek::plugin::Configuration instead [-Wdeprecated-declarations]
   13 |     plugin::Configuration config;
      |                           ^~~~~~
In file included from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.h:4,
                 from /home/zeek/.zkg/testing/bro-http2/clones/bro-http2/src/Plugin.cc:1:
/home/zeek/zeek-3.2.0/src/plugin/Plugin.h:902:7: note: declared here
  902 | using Configuration [[deprecated("Remove in v4.1. Use zeek::plugin::Configuration instead")]] = zeek::plugin::Configuration;
      |       ^~~~~~~~~~~~~
make[3]: *** [CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/build.make:91: CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/Plugin.cc.o] Error 1
make[2]: *** [CMakeFiles/Makefile2:293: CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/all] Error 2
make[1]: *** [Makefile:137: all] Error 2
make: *** [Makefile:13: build-it] Error 2
=== STDOUT ===
Build Directory        : build
Zeek Source Directory   : /home/zeek/zeek-3.2.0
-- The C compiler identification is GNU 9.3.1
-- The CXX compiler identification is GNU 9.3.1
-- Check for working C compiler: /opt/rh/devtoolset-9/root/usr/bin/cc
-- Check for working C compiler: /opt/rh/devtoolset-9/root/usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /opt/rh/devtoolset-9/root/usr/bin/c++
-- Check for working CXX compiler: /opt/rh/devtoolset-9/root/usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Performing Test cxx17_already_works
-- Performing Test cxx17_already_works - Failed
-- Performing Test cxx17_works
-- Performing Test cxx17_works - Success
-- Zeek executable      :
-- Zeek source          : /home/zeek/zeek-3.2.0
-- Zeek build           : /home/zeek/zeek-3.2.0/build
-- Zeek install prefix  : /opt/zeek
-- Zeek plugin directory: /opt/zeek/lib/zeek/plugins
-- Zeek debug mode      : false
-- Found LibNGHTTP2: /usr/lib64/libnghttp2.so (found version "1.33.0")
-- Found LibBROTLI: /usr/local/lib/libbrotlidec.so
-- ---------------------
-- LibBROTLI ROOT DIR  : /usr/local
-- LibBROTLI INC DIR   : /usr/local/include/brotli
-- LibBROTLI LIB DIR   : /usr/local/lib/libbrotlidec.so
-- ---------------------
-- LibNGHTTP2 ROOT DIR : /usr
-- LibNGHTTP2 INC DIR  : /usr/include/nghttp2
-- LibNGHTTP2 LIB DIR  : /usr/lib64/libnghttp2.so
-- Configuring done
-- Generating done

Thanks for looking into this.

support for h2c

I was looking at one of the sample pcaps from WireShark, http2-h2c.pcap. Would you be able to update this plugin to support h2c also?

https://wiki.wireshark.org/HTTP2?action=AttachFile&do=get&target=http2-h2c.pcap

Support 4.1.x

With Zeek v4.1.1 recently released, it'd be great to get support for the 4.1.x releases. Submitting this for tracking and to show that there's demand for it. :)

Thanks, @Mraoul!

Compiling plugin for Zeek 5.0.1 - BroString.h: No such file or directory

Manually compiling the plugin for 5.0.1 and receiving the error below. I only used the basic configure option to point to the bro-dist directory which has worked in prior versions of bro. Compiling on RHEL8 with the latest versions installed of the required packages (can list package versions if necessary):

./configure --bro-dist=/opt/src/zeek-5.0.1/

(snip)
[ 21%] Building CXX object CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/Plugin.cc.o
In file included from /opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/src/HTTP2_Stream.h:10,
                 from /opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/src/HTTP2.h:19,
                 from /opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/src/Plugin.cc:2:
/opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/src/HTTP2_HeaderStorage.h:6:10: fatal error: BroString.h: No such file or directory
 #include "BroString.h"
          ^~~~~~~~~~~~~
compilation terminated.
make[3]: *** [CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/build.make:114: CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/src/Plugin.cc.o] Error 1
make[3]: Leaving directory '/opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/build'
make[2]: *** [CMakeFiles/Makefile2:124: CMakeFiles/mitrecnd-HTTP2.linux-x86_64.dir/all] Error 2
make[2]: Leaving directory '/opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/build'
make[1]: *** [Makefile:166: all] Error 2
make[1]: Leaving directory '/opt/src/zeek-5.0.1/aux/plugins/bro-http2-master/build'
make: *** [Makefile:13: build-it] Error 2

Fails to install for Zeek 3.1.1

Hello,

I recently updated Zeek to 3.1.1 and was unable to run Zeek with this package enabled. I tried removing and reinstalling via zkg and it fails to build, suggesting I check the build.log. In there I see:

=== STDERR ===
=== STDOUT ===
Cannot determine Bro source directory, use --bro-dist=DIR.
/home/zeek/.zkg/logs/bro-http2-build.log (END)

I tried adding "bro_dist" into the zkg config file but that didn't seem to help. Any ideas?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

Jobs

Jooble

	void HTTP2_HalfStream::translateBrotliBody(int len, const char* data)
	{
	BrotliDecoderResult result;
	size_t total_out = 0;
	size_t available_in = len;
	const uint8_t* next_in = (const uint8_t*) data;
	size_t available_out = MAX_FRAME_SIZE;
	uint8_t *next_out = this->brotli_buffer;

	result = BrotliDecoderDecompressStream(this->brotli,
	&available_in,
	&next_in,
	&available_out,
	&next_out,
	&total_out);
	if (result == BROTLI_DECODER_RESULT_SUCCESS) {
	DeliverBodyClear((int)available_out, (const char *)this->brotli_buffer, false);
	}
	}