base/protocols/websocket/main.zeek

WebSocket

Implements base functionality for WebSocket analysis.

Upon a websocket_established() event, logs all gathered information into websocket.log and configures the WebSocket analyzer with the headers collected via http events.

Namespace

WebSocket

Imports

base/protocols/http, base/protocols/websocket/consts.zeek

Summary

Types

WebSocket::Info: record

The record type for the WebSocket log.

Redefinitions

HTTP::upgrade_analyzers: table &redef

Log::ID: enum

connection: record

New Fields

connection

websocket: WebSocket::Info &optional

Events

WebSocket::log_websocket: event

Event that can be handled to access the WebSocket record as it is sent on to the logging framework.

Hooks

WebSocket::configure_analyzer: hook

Experimental: Hook to intercept WebSocket analyzer configuration.

WebSocket::log_policy: Log::PolicyHook

Log policy hook.

Detailed Interface

Types

WebSocket::Info
Type

record

ts: time &log

Timestamp

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

host: string &log &optional

Same as in the HTTP log.

uri: string &log &optional

Same as in the HTTP log.

user_agent: string &log &optional

Same as in the HTTP log.

subprotocol: string &log &optional

The WebSocket subprotocol as selected by the server.

client_protocols: vector of string &log &optional

The protocols requested by the client, if any.

server_extensions: vector of string &log &optional

The extensions selected by the server, if any.

client_extensions: vector of string &log &optional

The extensions requested by the client, if any.

client_key: string &optional

The Sec-WebSocket-Key header from the client.

server_accept: string &optional

The Sec-WebSocket-Accept header from the server.

The record type for the WebSocket log.

Events

WebSocket::log_websocket
Type

event (rec: WebSocket::Info)

Event that can be handled to access the WebSocket record as it is sent on to the logging framework.

Hooks

WebSocket::configure_analyzer
Type

hook (c: connection, aid: count, config: WebSocket::AnalyzerConfig) : bool

Experimental – Hook to intercept WebSocket analyzer configuration.

Breaking from this hook disables the WebSocket analyzer immediately. To modify the configuration of the analyzer, use the WebSocket::AnalyzerConfig type.

While this API currently allows quite some flexibility, it should be considered experimental and may change in the future with or without a deprecation phase.

Parameters
  • c – The connection

  • aid – The analyzer ID for the WebSocket analyzer.

  • config – The configuration record, also containing information about the subprotocol and extensions.
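The following script is an added example, not part of Zeek's own scripts, showing how the WebSocket::configure_analyzer hook and the WebSocket::log_websocket event described above can be used together for monitoring. It assumes that WebSocket::AnalyzerConfig exposes the server-selected subprotocol as an optional field named subprotocol (this page only says the record carries subprotocol and extension information); the module name, notice types, and the allowlist values are constructed for the example.

```zeek
@load base/frameworks/notice
@load base/protocols/websocket

module WebSocketMonitor;

export {
	redef enum Notice::Type += {
		## A server selected a subprotocol that is not on the allowlist.
		Unexpected_Subprotocol,
		## A WebSocket upgrade was seen towards a host outside the expected set.
		Unexpected_Host,
	};

	## Subprotocols expected on this network (constructed sample values).
	const allowed_subprotocols: set[string] = { "graphql-ws", "mqtt" } &redef;

	## Subprotocols whose frame payload should not be analyzed further.
	const skip_analysis_subprotocols: set[string] = { "mqtt" } &redef;

	## Hosts where WebSocket services are expected (constructed sample values).
	const expected_hosts: set[string] = { "ws.example.internal" } &redef;
}

hook WebSocket::configure_analyzer(c: connection, aid: count, config: WebSocket::AnalyzerConfig)
	{
	# Assumption: the server-selected subprotocol is available as the
	# optional field config$subprotocol (not documented on this page).
	if ( ! config?$subprotocol )
		return;

	if ( config$subprotocol !in allowed_subprotocols )
		NOTICE([$note=Unexpected_Subprotocol, $conn=c,
		        $msg=fmt("server %s selected WebSocket subprotocol %s",
		                 c$id$resp_h, config$subprotocol),
		        $identifier=cat(c$id$resp_h, config$subprotocol)]);

	# As documented above, breaking from this hook disables the WebSocket
	# analyzer for this connection immediately.
	if ( config$subprotocol in skip_analysis_subprotocols )
		break;
	}

event WebSocket::log_websocket(rec: WebSocket::Info)
	{
	# rec$host is &optional: only present when the upgrade request had a Host header.
	if ( rec?$host && rec$host !in expected_hosts )
		NOTICE([$note=Unexpected_Host, $uid=rec$uid, $id=rec$id,
		        $msg=fmt("WebSocket upgrade to unexpected host %s", rec$host),
		        $identifier=rec$host]);
	}
```

Load the script alongside the base WebSocket scripts; notices then appear in notice.log while websocket.log continues to be written for every session that was not disabled by the hook.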

WebSocket::log_policy
Type

Log::PolicyHook

Log policy hook.