HTTP: Recognize and skip upgrade/websocket connections.

This adds a slight patch to the HTTP analyzer, which recognizez when a connection is upgraded to a different protocol (using a 101 reply with a few specific headers being set). In this case, the analyzer stops further processing of the connection (which will result in DPD errors) and raises a new event: event http_connection_upgrade(c: connection, protocol: string); Protocol contains the name of the protocol that is being upgraded to, as specified in one of the header values.
2025-10-02 14:48:21 +00:00 · 2017-08-04 07:04:28 -07:00 · 2017-08-04 07:04:28 -07:00 · eab80c8834
commit eab80c8834
parent dbac2b1abb
8 changed files with 122 additions and 42 deletions
--- a/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro
+++ b/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro
@ -0,0 +1,13 @@
+# This tests that the HTTP analyzer does not generate a dpd error as a
+# result of seeing an upgraded connection.
+#
+# @TEST-EXEC: bro -r $TRACES/http/websocket.pcap %INPUT
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff .stdout
+
+event http_connection_upgrade(c: connection, protocol: string)
+	{
+	print fmt("Connection upgraded to %s", protocol);
+	}