mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
efc2681152
This adds a new WebSocket analyzer that is enabled with the HTTP upgrade mechanism introduced previously. It is a first implementation in BinPac with manual chunking of frame payload. Configuration of the analyzer is sketched via the new websocket_handshake() event and a configuration BiF called WebSocket::__configure_analyzer(). In short, script land collects WebSocket related HTTP headers and can forward these to the analyzer to change its parsing behavior at websocket_handshake() time. For now, however, there's no actual logic that would change behavior based on agreed upon extensions exchanged via HTTP headers (e.g. frame compression). WebSocket::Configure() simply attaches a PIA_TCP analyzer to the WebSocket analyzer for dynamic protocol detection (or a custom analyzer if set). The added pcaps show this in action for tunneled ssh, http and https using wstunnel. One test pcap is Broker's WebSocket traffic from our own test suite, the other is the Jupyter websocket traffic from the ticket/discussion. This commit further adds a basic websocket.log that aggregates the WebSocket specific headers (Sec-WebSocket-*) headers into a single log. Closes #3424 |
||
|---|---|---|
| .. | ||
| conn | ||
| dce-rpc | ||
| dhcp | ||
| dnp3 | ||
| dns | ||
| finger | ||
| ftp | ||
| http | ||
| imap | ||
| irc | ||
| krb | ||
| ldap | ||
| modbus | ||
| mqtt | ||
| mysql | ||
| ntlm | ||
| ntp | ||
| pop3 | ||
| quic | ||
| radius | ||
| rdp | ||
| rfb | ||
| sip | ||
| smb | ||
| smtp | ||
| snmp | ||
| socks | ||
| ssh | ||
| ssl | ||
| syslog | ||
| tunnels | ||
| websocket | ||
| xmpp | ||