
DPD enables HTTP based on the content of the WebSocket frames. However, it's not HTTP: the protocol is x-kaazing-handshake, and the server first sends some form of status/acknowledge to the client, so the HTTP analyzer receives that as the first bytes of the response and bails, oh well.
# This tests that the HTTP analyzer upgrades to the WebSocket analyzer.
#
# Further, we implement a WebSocket::configure_analyzer() hook to prevent
# DPD on the inner connection.
#
# @TEST-EXEC: zeek -r $TRACES/http/websocket.pcap %INPUT
# @TEST-EXEC: test ! -f weird.log
# @TEST-EXEC: test ! -f dpd.log
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff websocket.log
# @TEST-EXEC: btest-diff .stdout
event http_connection_upgrade(c: connection, protocol: string)
	{
	# Report which protocol the HTTP connection was upgraded to. The test
	# compares this line against the baseline via btest-diff .stdout, so
	# the message text must stay stable.
	local msg = fmt("Connection upgraded to %s", protocol);
	print msg;
	}
hook WebSocket::configure_analyzer(c: connection, aid: count, config: WebSocket::AnalyzerConfig)
	{
	# Only act when the client negotiated a subprotocol; every other
	# WebSocket connection keeps the default analyzer configuration,
	# including DPD on the inner connection.
	if ( config?$subprotocol )
		{
		local sp = config$subprotocol;
		print "WebSocket::configure_analyzer", c$uid, aid, sp;

		if ( sp == "x-kaazing-handshake" )
			{
			# The originator's frames look like HTTP, so DPD would attach
			# the HTTP analyzer to the frame payload. The responder's
			# frames carry some ack/status bytes ahead of the actual HTTP
			# response, which the HTTP analyzer reports as a violation.
			# Turning DPD off for this subprotocol only (others are left
			# untouched) avoids the resulting dpd.log entry.
			config$use_dpd = F;
			}
		}
	}