main.zeek

WebSocket

Implements base functionality for WebSocket analysis.

Upon a websocket_established() event, logs all gathered information into websocket.log and configures the WebSocket analyzer with the headers collected via http events.

Namespace: WebSocket
Imports: base/protocols/http, base/protocols/websocket/consts.zeek

Summary

Types

WebSocket::Info: record

The record type for the WebSocket log.

Redefinitions

`HTTP::upgrade_analyzers`: `table` `&redef`
`Log::ID`: `enum`	`WebSocket::LOG`
`connection`: `record`	New Fields `connection` websocket: `WebSocket::Info` `&optional`

Events

WebSocket::log_websocket: event

Event that can be handled to access the WebSocket record as it is sent on to the logging framework.

Hooks

`WebSocket::configure_analyzer`: `hook`	Experimental: Hook to intercept WebSocket analyzer configuration.
`WebSocket::log_policy`: `Log::PolicyHook`	Log policy hook.

Detailed Interface

Types

WebSocket::Info 

Type

record

ts: time &log: Timestamp
uid: string &log: Unique ID for the connection.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
host: string &log &optional: Same as in the HTTP log.
uri: string &log &optional: Same as in the HTTP log.
user_agent: string &log &optional: Same as in the HTTP log.
subprotocol: string &log &optional: The WebSocket subprotocol as selected by the server.
client_protocols: vector of string &log &optional: The protocols requested by the client, if any.
server_extensions: vector of string &log &optional: The extensions selected by the the server, if any.
client_extensions: vector of string &log &optional: The extensions requested by the client, if any.
client_key: string &optional: The Sec-WebSocket-Key header from the client.
server_accept: string &optional: The Sec-WebSocket-Accept header from the server.

The record type for the WebSocket log.

Events

WebSocket::log_websocket 

Type: event (rec: WebSocket::Info)

Event that can be handled to access the WebSocket record as it is sent on to the logging framework.

Hooks

WebSocket::configure_analyzer 

Type: hook (c: connection, aid: count, config: WebSocket::AnalyzerConfig) : bool
Parameters: Experimental – Hook to intercept WebSocket analyzer configuration.

Breaking from this hook disables the WebSocket analyzer immediately. To modify the configuration of the analyzer, use the WebSocket::AnalyzerConfig type.

While this API allows quite some flexibility currently, should be considered experimental and may change in the future with or without a deprecation phase.

Parameters

c – The connection
aid – The analyzer ID for the WebSocket analyzer.
config – The configuration record, also containing information about the subprotocol and extensions.

WebSocket::log_policy 

Type: Log::PolicyHook

Log policy hook.