main.zeek

WebSocket

Implements base functionality for WebSocket analysis.

Upon a websocket_established() event, logs all gathered information into websocket.log and configures the WebSocket analyzer with the headers collected via http events.

Namespace:: WebSocket
Imports:: base/protocols/http, base/protocols/websocket/consts.zeek

Summary

Types

WebSocket::Info: record

The record type for the WebSocket log.

Redefinitions

`HTTP::upgrade_analyzers`: `table` `&redef`
`Log::ID`: `enum`	`WebSocket::LOG`
`connection`: `record`	New Fields: `connection` websocket: `WebSocket::Info` `&optional`

Events

WebSocket::log_websocket: event

Event that can be handled to access the WebSocket record as it is sent on to the logging framework.

Hooks

`WebSocket::configure_analyzer`: `hook`	Experimental: Hook to intercept WebSocket analyzer configuration.
`WebSocket::log_policy`: `Log::PolicyHook`	Log policy hook.

Detailed Interface

Types

WebSocket::Info 

Type:

record

Fields:

ts: time &log: Timestamp

uid: string &log: Unique ID for the connection.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

host: string &log &optional: Same as in the HTTP log.

uri: string &log &optional: Same as in the HTTP log.

user_agent: string &log &optional: Same as in the HTTP log.

subprotocol: string &log &optional: The WebSocket subprotocol as selected by the server.

client_protocols: vector of string &log &optional: The protocols requested by the client, if any.

server_extensions: vector of string &log &optional: The extensions selected by the the server, if any.

client_extensions: vector of string &log &optional: The extensions requested by the client, if any.

client_key: string &optional: The Sec-WebSocket-Key header from the client.

server_accept: string &optional: The Sec-WebSocket-Accept header from the server.

The record type for the WebSocket log.

Events

WebSocket::log_websocket 

Type:: event (rec: WebSocket::Info)

Event that can be handled to access the WebSocket record as it is sent on to the logging framework.

Hooks

WebSocket::configure_analyzer 

Type:: hook (c: connection, aid: count, config: WebSocket::AnalyzerConfig) : bool
Parameters:: Experimental – Hook to intercept WebSocket analyzer configuration.

Breaking from this hook disables the WebSocket analyzer immediately. To modify the configuration of the analyzer, use the WebSocket::AnalyzerConfig type.

While this API allows quite some flexibility currently, should be considered experimental and may change in the future with or without a deprecation phase.

Parameters:

c – The connection
aid – The analyzer ID for the WebSocket analyzer.
config – The configuration record, also containing information about the subprotocol and extensions.

WebSocket::log_policy 

Type:: Log::PolicyHook

Log policy hook.