Initial commit after obtaining release approval

.gitignore

@@ -0,0 +1,2 @@
+*.swp
+plugins/build

CMakeLists.txt

@@ -0,0 +1,55 @@
+
+project(Plugin-HTTP2)
+
+cmake_minimum_required(VERSION 2.8)
+
+if ( NOT BRO_DIST )
+    message(FATAL_ERROR "BRO_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
+
+include(BroPlugin)
+
+find_package(LibNGHTTP2)
+find_package(LibBROTLI)
+
+if (NOT LIBNGHTTP2_FOUND)
+  message(STATUS "LibNGHTTP2 ROOT DIR : ${LibNGHTTP2_ROOT_DIR}")
+  message(STATUS "LibNGHTTP2 INC DIR  : ${LibNGHTTP2_INCLUDE_DIR}")
+  message(STATUS "LibNGHTTP2 LIB DIR  : ${LibNGHTTP2_LIBRARIES}")
+  message(FATAL_ERROR "LibNGHTTP2 not found.")
+endif()
+
+if (NOT LIBBROTLI_FOUND)
+  message(STATUS "LibBROTLI ROOT DIR  : ${LibBROTLI_ROOT_DIR}")
+  message(STATUS "LibBROTLI INC DIR   : ${LibBROTLI_INCLUDE_DIR}")
+  message(STATUS "LibBROTLI LIB DIR   : ${LibBROTLI_LIBRARIES}")
+  message(FATAL_ERROR "LibBROTLI not found.")
+endif()
+
+message(STATUS "---------------------")
+message(STATUS "LibBROTLI ROOT DIR  : ${LibBROTLI_ROOT_DIR}")
+message(STATUS "LibBROTLI INC DIR   : ${LibBROTLI_INCLUDE_DIR}")
+message(STATUS "LibBROTLI LIB DIR   : ${LibBROTLI_LIBRARIES}")
+message(STATUS "---------------------")
+message(STATUS "LibNGHTTP2 ROOT DIR : ${LibNGHTTP2_ROOT_DIR}")
+message(STATUS "LibNGHTTP2 INC DIR  : ${LibNGHTTP2_INCLUDE_DIR}")
+message(STATUS "LibNGHTTP2 LIB DIR  : ${LibNGHTTP2_LIBRARIES}")
+
+include_directories(BEFORE ${LibNGHTTP2_INCLUDE_DIR})
+bro_plugin_begin(http2 HTTP2)
+
+include_directories(BEFORE ${LibBROTLI_INCLUDE_DIR})
+bro_plugin_link_library(${LibBROTLI_LIBRARIES})
+
+bro_plugin_cc(src/Plugin.cc)
+bro_plugin_cc(src/HTTP2_Frame.cc)
+bro_plugin_cc(src/HTTP2_FrameReassembler.cc)
+bro_plugin_cc(src/HTTP2_HeaderStorage.cc)
+bro_plugin_cc(src/HTTP2_Stream.cc)
+bro_plugin_cc(src/HTTP2.cc)
+bro_plugin_bif(src/events.bif src/http2.bif)
+bro_plugin_dist_files(README VERSION)
+bro_plugin_link_library(${LibNGHTTP2_LIBRARIES})
+bro_plugin_end()

LICENSE

@@ -0,0 +1,13 @@
+Copyright 2018 The MITRE Corporation. ALL RIGHTS RESERVED.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+
+
+This project contains content developed by The MITRE Corporation. If this code is used in a deployment or embedded within another project, it is requested that you send an email to opensource@mitre.org in order to let us know where this software is being used.
+Approved for Public Release; Distribution Unlimited. Case Number 18-0354

Makefile

@@ -0,0 +1,29 @@
+#
+# Convenience Makefile providing a few common top-level targets.
+#
+
+cmake_build_dir=build
+arch=`uname -s | tr A-Z a-z`-`uname -m`
+
+all: build-it
+
+build-it:
+	@test -e $(cmake_build_dir)/config.status || ./configure
+	-@test -e $(cmake_build_dir)/CMakeCache.txt && \
+      test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
+      echo Updating stale CMake cache && \
+      touch $(cmake_build_dir)/CMakeCache.txt
+
+	( cd $(cmake_build_dir) && make )
+
+install:
+	( cd $(cmake_build_dir) && make install )
+
+clean:
+	( cd $(cmake_build_dir) && make clean )
+
+distclean:
+	rm -rf $(cmake_build_dir)
+
+test:
+	make -C tests

README

@@ -0,0 +1,87 @@
+
+http2::HTTP2
+=================================
+
+This plugin provides an HTTP2 (RFC 7540 - https://tools.ietf.org/html/rfc7540)
+decoder/analyzer for Bro.
+
+The events exposed attempt to mimic the events exposed by the native HTTP analyzer
+
+Installation
+____________
+
+Requirements
+````````````
+NGHTTP2 1.11.0 or greater is required. The plugin uses the decompression 
+libraries and some portions of the API used are not supported prior to that 
+version.
+
+    nghttp2 Library - https://github.com/nghttp2/nghttp2
+
+On Ubuntu 16.04:
+
+    # sudo apt-get install nghttp2
+
+
+Brotli is required. Support has been added to use it for data frame 
+decompression.
+
+    brotli Library  - https://github.com/google/brotli
+
+On Ubuntu 16.04
+
+    Manually build and install the library as specified in the above reference.
+
+
+Manual Install
+``````````````
+
+To manually build and install the plugin:
+
+    cd <HTTP2 Plugin Directory>
+    ./configure --bro-dist=</path/to/bro/source>
+    make
+    make install
+
+You should see the following output from bro if successfully installed:
+
+    > bro -NN http2::HTTP2
+    http2::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, no version information)
+        [Analyzer] HTTP2 (ANALYZER_HTTP2, enabled)
+        [Event] http2_request
+        [Event] http2_reply
+        [Event] http2_conversation_end
+        [Event] http2_header
+        [Event] http2_all_headers
+        [Event] http2_begin_entity
+        [Event] http2_end_entity
+        [Event] http2_entity_data
+        [Event] http2_content_type
+        [Event] http2_event
+        [Event] http2_data_event
+        [Event] http2_priority_event
+        [Event] http2_rststream_event
+        [Event] http2_settings_event
+        [Event] http2_pushpromise_event
+        [Event] http2_ping_event
+        [Event] http2_goaway_event
+        [Event] http2_windowupdate_event
+        [Event] http2_continuation_event
+
+
+Bro Package Manager (Future)
+````````````````````````````
+
+Install this plugin through the Bro Package Manager::
+
+    # bro-pkg install mitre/bro-http2
+
+
+Usage
+_____
+
+To use/load the http2 analyzer, add the following to your config:
+
+    @load http2
+
+The analyzer will create a new log file "http2.log"

VERSION

@@ -0,0 +1 @@
+0.1

bro-pkg.meta

@@ -0,0 +1,7 @@
+[package]
+description = A HTTP2 protocol analyzer for the Bro IDS.
+tags = bro plugin, protocol analyzer, http2
+script_dir = scripts
+depends = bro >=2.5.0
+external_depends = libnghttp2>=1.11.0 libbrotlidec>=1.0.0
+

cmake/FindLibBROTLI.cmake

@@ -0,0 +1,45 @@
+# - Try to find LibBROTLI headers and libraries.
+#
+# Usage of this module as follows:
+#
+#     find_package(LibBROTLI)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  LibBROTLI_ROOT_DIR  Set this variable to the root installation of
+#                      LibBROTLI if the module has problems finding
+#                      the proper installation path.
+#
+# Variables defined by this module:
+#
+#  LIBBROTLI_FOUND              System has LibBROTLI libs/headers
+#  LibBROTLI_LIBRARIES          The LibBROTLI libraries
+#  LibBROTLI_INCLUDE_DIR        The location of LibBROTLI headers
+
+find_path(LibBROTLI_ROOT_DIR
+    NAMES include decode.h encode.h port.h types.h
+)
+
+find_path(LibBROTLI_INCLUDE_DIR
+    NAMES decode.h encode.h port.h types.h
+    HINTS ${LibBROTLI_ROOT_DIR}/include/brotli
+)
+
+find_library(LibBROTLI_LIBRARIES
+    NAMES brotlidec
+    PATHS ${LibBROTLI_ROOT_DIR}/lib
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(
+    LibBROTLI DEFAULT_MSG
+    LibBROTLI_LIBRARIES
+    LibBROTLI_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    LibBROTLI_ROOT_DIR
+    LibBROTLI_INCLUDE_DIR
+    LibBROTLI_LIBRARIES
+)

cmake/FindLibNGHTTP2.cmake

@@ -0,0 +1,44 @@
+# - Try to find LibNGHTTP2 headers and libraries.
+#
+# Usage of this module as follows:
+#
+#     find_package(LibNGHTTP2)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  LibNGHTTP2_ROOT_DIR  Set this variable to the root installation of
+#                       LibNGHTTP2 if the module has problems finding
+#                       the proper installation path.
+#
+# Variables defined by this module:
+#
+#  LIBNGHTTP2_FOUND              System has LibNGHTTP2 libs/headers
+#  LibNGHTTP2_LIBRARIES          The LibNGHTTP2 libraries
+#  LibNGHTTP2_INCLUDE_DIR        The location of LibNGHTTP2 headers
+
+find_path(LibNGHTTP2_ROOT_DIR
+    NAMES include nghttp2.h
+)
+
+find_path(LibNGHTTP2_INCLUDE_DIR
+    NAMES nghttp2.h nghttp2ver.h
+    HINTS ${LibNGHTTP2_ROOT_DIR}/include/nghttp2/
+)
+
+find_library(LibNGHTTP2_LIBRARIES
+    NAMES nghttp2
+    HINTS ${LibNGHTTP2_ROOT_DIR}/lib
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(LibNGHTTP2 DEFAULT_MSG
+    LibNGHTTP2_LIBRARIES
+    LibNGHTTP2_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    LibNGHTTP2_ROOT_DIR
+    LibNGHTTP2_LIBRARIES
+    LibNGHTTP2_INCLUDE_DIR
+)

cmake/lib_config.h.in

@@ -0,0 +1,18 @@
+/* 
+** This file is Auto-generated. Do not modify. Any modifications need to be 
+** made to the lib_config.h.in file contained in the cmake directory. 
+*/
+#ifndef LIB_CONFIG_H
+#define LIB_CONFIG_H
+#define TRUE 1
+#define FALSE 0
+// define your Library Installed flags
+#define LIB_BROTLI_INSTALLED @LIBBROTLI_FOUND@
+
+// Add global method to access Library Installed Flag
+unsigned int getLibBrotliInstalled()
+{
+    return @LIBBROTLI_FOUND@;
+}
+
+#endif // LIB_CONFIG_H