app-layer: websockets protocol support #10014
Conversation
Ticket: 2695 Introduces a device EnumStringU8 to ease the use of enumerations in protocols : logging the string out of the u8, and for detection, parsing the u8 out of the string
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #10014 +/- ##
==========================================
- Coverage 82.47% 82.33% -0.15%
==========================================
Files 970 976 +6
Lines 271355 271720 +365
==========================================
- Hits 223798 223716 -82
- Misses 47557 48004 +447
Flags with carried forward coverage won't be shown. Click here to find out more. |
| websocket.mask | ||
| -------------- | ||
|
|
||
| A boolean to tell if the payload is masked. |
There was a problem hiding this comment.
Ah I see this is a bool. But why not the mask value?
There was a problem hiding this comment.
This does not seem meaningful to me.
What seems meaningful is if the payload is masked or not.
There was a problem hiding this comment.
In general, keys are often used to identify malware / malware families, so I think we should make it available.
Payload inspection can be per message, not cross message reassembly of sorts seems necessary. The size can be large, and should probably treated like file.data or http.request_body, so with configurable limits. Additionally @zoomequipd mentioned elsewhere today that the original URI and perhaps a few other things from the HTTP request before the switch to websocket would be very helpful in certain malware detections. |
|
WARNING:
Pipeline 16967 |
|
Replaced by #10060 |
Should not this be done with flowbits ? |
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2695
Describe changes:
OISF/suricata-verify#1528
#9989 with more TODOs done
What is left todo :