base/protocols/websocket/main.zeek
- WebSocket
Implements base functionality for WebSocket analysis.
Upon a websocket_established() event, logs all gathered information into websocket.log and configures the WebSocket analyzer with the headers collected via http events.
- Namespace
WebSocket
- Imports
Summary
Types
- WebSocket::Info: The record type for the WebSocket log.
Redefinitions
|
Events
- WebSocket::log_websocket: Event that can be handled to access the WebSocket record as it is sent on to the logging framework.
Hooks
- WebSocket::configure_analyzer: Experimental: Hook to intercept WebSocket analyzer configuration.
- WebSocket::log_policy: Log policy hook.
Detailed Interface
Types
- WebSocket::Info
- Type
record
  - ts: time &log
    Timestamp
  - uid: string &log
    Unique ID for the connection.
  - id: conn_id &log
    The connection's 4-tuple of endpoint addresses/ports.
  - host: string &log &optional
    Same as in the HTTP log.
  - uri: string &log &optional
    Same as in the HTTP log.
  - user_agent: string &log &optional
    Same as in the HTTP log.
  - subprotocol: string &log &optional
    The WebSocket subprotocol as selected by the server.
  - client_protocols: vector of string &log &optional
    The protocols requested by the client, if any.
  - server_extensions: vector of string &log &optional
    The extensions selected by the server, if any.
  - client_extensions: vector of string &log &optional
    The extensions requested by the client, if any.
  - client_key: string &optional
    The Sec-WebSocket-Key header from the client.
  - server_accept: string &optional
    The Sec-WebSocket-Accept header from the server.
The record type for the WebSocket log.
Events
- WebSocket::log_websocket
- Type
event (rec: WebSocket::Info)
Event that can be handled to access the WebSocket record as it is sent on to the logging framework.
Hooks
- WebSocket::configure_analyzer
- Type
hook (c: connection, aid: count, config: WebSocket::AnalyzerConfig) : bool
Experimental: Hook to intercept WebSocket analyzer configuration.
Breaking from this hook disables the WebSocket analyzer immediately. To modify the configuration of the analyzer, use the WebSocket::AnalyzerConfig type.
While this API currently allows considerable flexibility, it should be considered experimental and may change in the future with or without a deprecation phase.
- Parameters
c – The connection
aid – The analyzer ID for the WebSocket analyzer.
config – The configuration record, also containing information about the subprotocol and extensions.
- WebSocket::log_policy
- Type
Log policy hook.
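The client_key and server_accept fields carry no &log attribute, so they are only reachable from script-land, for example in a WebSocket::log_websocket handler. The following is an added example, not code from the Zeek distribution: it checks the server's Sec-WebSocket-Accept against the value RFC 6455 derives from the client's key, and uses WebSocket::configure_analyzer to skip analysis for selected responders. The module name WebSocketCheck, the notice type Accept_Mismatch and the skip_responders option (with a constructed documentation subnet) are assumptions made for illustration.

```zeek
@load base/protocols/websocket
@load base/frameworks/notice

module WebSocketCheck;  # hypothetical module name for this example

export {
	redef enum Notice::Type += { Accept_Mismatch };
	## Constructed sample value: responders whose WebSocket traffic is not parsed.
	option skip_responders: set[subnet] = { 192.0.2.0/24 };
}

# Fixed GUID defined by RFC 6455 for the opening handshake.
const ws_guid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";

# Expected Sec-WebSocket-Accept: base64(SHA-1(key + GUID)).
function expected_accept(key: string): string
	{
	return encode_base64(hexstr_to_bytestring(sha1_hash(key + ws_guid)));
	}

# Both fields are &optional, so test for presence before comparing.
# A mismatch points at a non-compliant server or an intermediary rewriting headers.
event WebSocket::log_websocket(rec: WebSocket::Info)
	{
	if ( ! rec?$client_key || ! rec?$server_accept )
		return;

	local want = expected_accept(rec$client_key);
	if ( rec$server_accept == want )
		return;

	NOTICE([$note=Accept_Mismatch,
	        $msg="Sec-WebSocket-Accept does not match Sec-WebSocket-Key",
	        $sub=fmt("expected=%s got=%s", want, rec$server_accept),
	        $uid=rec$uid, $id=rec$id]);
	}

# Breaking from the hook disables the WebSocket analyzer for this connection.
hook WebSocket::configure_analyzer(c: connection, aid: count, config: WebSocket::AnalyzerConfig)
	{
	if ( c$id$resp_h in skip_responders )
		break;
	}
```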