websocket: Add Spicy parser version, too.

The Spicy analyzer is added as a child analyzer when enabled and the
WebSocket.cc logic dispatches between the BinPac and Spicy version.

It substantially slower when tested against a somewhat artificial
2.4GB PCAP. The first flamegraph indicates that the unmask() function
stands out with 35% of all samples, and above it shared_ptr samples.

testing/btest/scripts/base/protocols/websocket/events-spicy.zeek

@@ -0,0 +1,50 @@
+# @TEST-DOC: Test WebSocket events of BinPac and Spicy analyzer versions
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+#
+# @TEST-EXEC: echo "jupyter-websocket.pcap" >>out
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/jupyter-websocket.pcap %INPUT >>out
+# @TEST-EXEC: echo "message-too-big-status.pcap" >>out
+# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT >>out
+#
+# @TEST-EXEC: echo "jupyter-websocket.pcap" >>out.spicy
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/jupyter-websocket.pcap %INPUT WebSocket::use_spicy_analyzer=T >>out.spicy
+# @TEST-EXEC: echo "message-too-big-status.pcap" >>out.spicy
+# @TEST-EXEC: zeek -b -r $TRACES//websocket/message-too-big-status.pcap %INPUT WebSocket::use_spicy_analyzer=T >>out.spicy
+# @TEST-EXEC: diff -u out.spicy out >&2
+# @TEST-EXEC: test ! -f analyzer.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/websocket
+
+redef record connection += {
+  ws_data_len: count &default=0;
+};
+
+event websocket_established(c: connection, aid: count)
+	{
+	print "websocket_established", c$uid, aid, c$websocket;
+	}
+
+event websocket_message(c: connection, is_orig: bool, opcode: count)
+	{
+	print "websocket_message", c$uid, is_orig, "opcode", WebSocket::opcodes[opcode], "data_len", c$ws_data_len;
+	c$ws_data_len = 0;
+	}
+
+event websocket_frame(c: connection, is_orig: bool, fin: bool, rsv: count, opcode: count, payload_len: count)
+	{
+	print "websocket_frame", c$uid, is_orig, "fin", fin, "rsv", rsv, "opcode", WebSocket::opcodes[opcode], "payload_len", payload_len;
+	}
+
+event websocket_frame_data(c: connection, is_orig: bool, data: string)
+	{
+	# Spicy and binpac differ for data events, just ensure they end up having the same total data length.
+	# print "websocket_frame_data", c$uid, is_orig, "len", |data|, "data", data[:120];
+	c$ws_data_len += |data|;
+	}
+
+event websocket_close(c: connection, is_orig: bool, status: count, reason: string)
+	{
+	print "websocket_close", c$uid, is_orig, "status", status, "reason", reason;
+	}

testing/btest/scripts/base/protocols/websocket/wstunnel-ssh-spicy.zeek

@@ -0,0 +1,34 @@
+# @TEST-DOC: Test SSH connection tunneled within WebSocket using wstunnel, comparing BinPac and Spicy.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+#
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-ssh.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid client server auth_success auth_attempts kex_alg host_key_alg < ssh.log > ssh.log.cut
+# @TEST-EXEC: rm -v *log
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/wstunnel-ssh.pcap WebSocket::use_spicy_analyzer=T %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut.spicy
+# @TEST-EXEC: zeek-cut -m ts uid client server auth_success auth_attempts kex_alg host_key_alg < ssh.log > ssh.log.cut.spicy
+#
+# @TEST-EXEC: diff -u conn.log.cut.spicy  conn.log.cut >&2
+# @TEST-EXEC: diff -u ssh.log.cut.spicy  ssh.log.cut >&2
+# @TEST-EXEC: btest-diff conn.log.cut.spicy
+# @TEST-EXEC: btest-diff ssh.log.cut.spicy
+# @TEST-EXEC: test ! -f analyzer.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/conn
+@load base/protocols/ssh
+@load base/protocols/websocket
+
+# Make conn.log compatible, the spicy version uses SPICY_ANALYZER, so need
+# to normalize the c$service entry (and do it in either case to keep determinism).
+event connection_state_remove(c: connection) &priority=10
+	{
+	if ( "SPICY_WEBSOCKET" in c$service || "WEBSOCKET" in c$service )
+		{
+		delete c$service["SPICY_WEBSOCKET"];
+		delete c$service["WEBSOCKET"];
+		add c$service["WEBSOCKET"];
+		}
+	}