Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
Johanna Amann af77a7a83b Analyzer failure logging: tweaks and test fixes 
The main part of this commit are changes in tests. A lot of the tests
that previously relied on analyzer.log or dpd.log now use the new
analyzer-failed.log.

I verified all the changes and, as far as I can tell, everything
behaves as it should. This includes the external test baselines.

This change also enables logging of file and packet analyzer to
analyzer_failed.log and fixes some small behavior issues.

The analyzer_failed event is no longer raised when the removal of an
analyzer is vetoed.

If an analyzer is no longer active when an analyzer violation is raised,
currently the analyzer_failed event is raised. This can, e.g., happen
when an analyzer error happens at the very end of the connection. This
makes the behavior more similar to what happened in the past, and also
intuitively seems to make sense.

A bug introduced in the failed service logging was fixed.
2025-06-03 15:56:42 +01:00

31 lines
1.1 KiB
Text
Raw Blame History

# This tests that the HTTP analyzer upgrades to the WebSocket analyzer.
#
# Further, we implement a WebSocket::configure_analyzer() hook to prevent
# DPD on the inner connection.
#
# @TEST-EXEC: zeek -r $TRACES/http/websocket.pcap %INPUT
# @TEST-EXEC: test ! -f weird.log
# @TEST-EXEC: test ! -f analyzer_failed.log
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff websocket.log
# @TEST-EXEC: btest-diff .stdout
event http_connection_upgrade(c: connection, protocol: string)
{
print fmt("Connection upgraded to %s", protocol);
}
hook WebSocket::configure_analyzer(c: connection, aid: count, config: WebSocket::AnalyzerConfig)
{
if ( ! config?$subprotocol )
return;
print "WebSocket::configure_analyzer", c$uid, aid, config$subprotocol;
if ( config$subprotocol == "x-kaazing-handshake" )
# The originator's WebSocket frames match HTTP, so DPD would
# enable HTTP for the frame's payload, but the responder's frames
# contain some ack/status junk just before HTTP response that
# trigger a violation. Disable DPD for to prevent a analyzer_failed.log
# entry.
config$use_dpd = F;
}
Reference in a new issue View git blame Copy permalink