diff --git a/src/analyzer/protocol/websocket/websocket-protocol.pac b/src/analyzer/protocol/websocket/websocket-protocol.pac
index 01ab76ff9e..93cd4eb94a 100644
--- a/src/analyzer/protocol/websocket/websocket-protocol.pac
+++ b/src/analyzer/protocol/websocket/websocket-protocol.pac
@@ -80,7 +80,7 @@ type WebSocket_Message = record {
 first_frame: WebSocket_Frame(true, this);
 optional_more_frames: case first_frame.hdr.b.fin of {
 true -> no_more_frames: empty;
- false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin) &transient;
+ false -> more_frames: WebSocket_Frame(false, this)[] &until($element.hdr.b.fin);
 };
 } &let {
 opcode = first_frame.hdr.b.opcode;
diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.events/out b/testing/btest/Baseline/scripts.base.protocols.websocket.events/out
index 4bbd3de1cb..41bb69dcbe 100644
--- a/testing/btest/Baseline/scripts.base.protocols.websocket.events/out
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.events/out
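Review bot: Nothing in this hunk bounds how many continuation frames `more_frames` now retains: without `&transient`, binpac (as I understand its array handling) keeps every parsed element until a frame with `fin` set ends the array. For an analyzer that parses traffic it does not control, a long run of non-final fragments would then grow per-connection state, so the field should carry a comment recording why the elements must be kept and where the fragment count or retained size is limited, for example `# no &transient: frames are held until the fin frame; limit enforced in <location to be filled in>`. If no such limit exists elsewhere, it is worth adding one alongside this change. The record's `&let` block continues past the end of the hunk, so whether later fields read `more_frames` is not visible here.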
@@ -89,3 +89,40 @@ websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_le
 websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason,
 websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
 websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
+message-too-big-status.pcap
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=60956/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=, client_extensions=[permessage-deflate; client_max_window_bits], client_key=iTel1Ova5Nhz/G7VlI2qKg==, server_accept=YsQYYLj7ZCpzTLsVLb+w/ydy79E=]
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 31
+websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1009, reason, over size limit (4 > 2 bytes)
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 31, data, \x03\xf1over size limit (4 > 2 bytes)
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
+two-binary-fragments.pcap
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=50198/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], host=localhost:8080, uri=/, user_agent=Python/3.10 websockets/12.0, subprotocol=v1, client_protocols=[v1], server_extensions=, client_extensions=[permessage-deflate; client_max_window_bits], client_key=cQGA5Z1nvyUJ9XOVIaLaQA==,
server_accept=zWaHVUKxEGPDs+xJeKtzkE1bm54=]
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, ping
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, pong
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, binary, payload_len, 11
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek!
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, binary
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, F, rsv, 0, opcode, binary, payload_len, 5
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 5, data, Hello
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, continuation, payload_len, 7
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 7, data, there!
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, binary
+websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason,
+websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8
+websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, close
+websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2
+websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
+websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
+websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
diff --git a/testing/btest/Traces/websocket/message-too-big-status.pcap b/testing/btest/Traces/websocket/message-too-big-status.pcap
new file mode 100644
index 0000000000..7f51e3f583
Binary files /dev/null and b/testing/btest/Traces/websocket/message-too-big-status.pcap differ
diff --git a/testing/btest/Traces/websocket/two-binary-fragments.pcap b/testing/btest/Traces/websocket/two-binary-fragments.pcap
new file mode 100644
index 0000000000..043c46e61f
Binary files /dev/null and b/testing/btest/Traces/websocket/two-binary-fragments.pcap differ
diff --git a/testing/btest/scripts/base/protocols/websocket/events.zeek b/testing/btest/scripts/base/protocols/websocket/events.zeek
index 2b6eae6cde..5c4c1fd2cf 100644
--- a/testing/btest/scripts/base/protocols/websocket/events.zeek
+++ b/testing/btest/scripts/base/protocols/websocket/events.zeek
@@ -6,6 +6,10 @@
 # @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-http.pcap %INPUT >>out
 # @TEST-EXEC: echo "broker-websocket.pcap" >>out
 # @TEST-EXEC: zeek -b -r $TRACES//websocket/broker-websocket.pcap %INPUT >>out
+# @TEST-EXEC: echo "message-too-big-status.pcap" >>out
+# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT >>out
+# @TEST-EXEC: echo "two-binary-fragments.pcap" >>out
+# @TEST-EXEC: zeek -b -r $TRACES//websocket/two-binary-fragments.pcap %INPUT >>out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log
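Review bot: The two added `zeek -b -r` lines use `$TRACES//websocket/...` with a doubled slash, copied from the broker-websocket line, while the wstunnel-http line at the top of the hunk uses `$TRACES/websocket/...`. The path still resolves, but a single slash keeps the file consistent, e.g. `# @TEST-EXEC: zeek -b -r $TRACES/websocket/two-binary-fragments.pcap %INPUT >>out`. Going by the baseline, the new fragment trace carries one continuation frame only; a capture with several continuation frames would exercise the `&until` array path more fully.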