Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/src/analyzer/protocol/websocket/WebSocket.h
Arne Welzel efc2681152 WebSocket: Introduce new analyzer and log 
This adds a new WebSocket analyzer that is enabled with the HTTP upgrade
mechanism introduced previously. It is a first implementation in BinPac with
manual chunking of frame payload. Configuration of the analyzer is sketched
via the new websocket_handshake() event and a configuration BiF called
WebSocket::__configure_analyzer(). In short, script land collects WebSocket
related HTTP headers and can forward these to the analyzer to change its
parsing behavior at websocket_handshake() time. For now, however, there's
no actual logic that would change behavior based on agreed upon extensions
exchanged via HTTP headers (e.g. frame compression). WebSocket::Configure()
simply attaches a PIA_TCP analyzer to the WebSocket analyzer for dynamic
protocol detection (or a custom analyzer if set). The added pcaps show this
in action for tunneled ssh, http and https using wstunnel. One test pcap is
Broker's WebSocket traffic from our own test suite, the other is the
Jupyter websocket traffic from the ticket/discussion.

This commit further adds a basic websocket.log that aggregates the WebSocket
specific headers (Sec-WebSocket-*) headers into a single log.

Closes #3424
2024-01-22 18:54:38 +01:00

38 lines
1.1 KiB
C++
Raw Blame History

// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include <memory>
#include "zeek/analyzer/protocol/tcp/TCP.h"
#include "zeek/analyzer/protocol/websocket/websocket_pac.h"
namespace zeek::analyzer::websocket {
/**
* A WebSocket analyzer to be used directly on top of HTTP.
*/
class WebSocket_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
public:
WebSocket_Analyzer(zeek::Connection* conn);
~WebSocket_Analyzer() = default;
/**
* Allows script land to configure the WebSocket analyzer before analysis.
*
* @param config Zeek value of type WebSocket::AnalyzerConfig
*/
bool Configure(zeek::RecordValPtr config);
void Init() override;
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
static zeek::analyzer::Analyzer* Instantiate(Connection* conn) { return new WebSocket_Analyzer(conn); }
private:
std::unique_ptr<binpac::WebSocket::WebSocket_Conn> interp;
bool had_gap = false;
};
} // namespace zeek::analyzer::websocket
Reference in a new issue View git blame Copy permalink