app-layer: websockets protocol support #10014
Conversation
Ticket: 2695

Introduces a derive EnumStringU8 to ease the use of enumerations in protocols: logging the string out of the u8, and for detection, parsing the u8 out of the string.
Codecov Report

Coverage diff, master vs. #10014:

            master    #10014    +/-
Coverage    82.47%    82.33%    -0.15%
Files       970       976       +6
Lines       271355    271720    +365
Hits        223798    223716    -82
Misses      47557     48004     +447
websocket.mask
--------------

A boolean to tell if the payload is masked.
Ah I see this is a bool. But why not the mask value?
This does not seem meaningful to me.
What seems meaningful is if the payload is masked or not.
In general, keys are often used to identify malware / malware families, so I think we should make it available.
ok
Payload inspection can be per message; no cross-message reassembly of sorts seems necessary. The size can be large, and should probably be treated like file.data or http.request_body, so with configurable limits. Additionally @zoomequipd mentioned elsewhere today that the original URI and perhaps a few other things from the HTTP request before the switch to websocket would be very helpful in certain malware detections.
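The two points under discussion, the u8/string mapping that the EnumStringU8 derive in the PR description provides for opcodes, and the per-frame handling of the mask bit, the masking key and a bounded payload inspection depth, are shown together below in a minimal RFC 6455 frame parser. This is an added example, not code from this PR or from Suricata; all type and function names (WebSocketOpcode, parse_frame, unmask_payload, log_frames) are invented here, and the sample bytes are constructed from the frame examples in RFC 6455 section 5.7.

```rust
use std::convert::TryFrom;

/// Opcode enumeration: u8 -> string for logging, string -> u8 for detection.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum WebSocketOpcode {
    Continuation = 0x0,
    Text = 0x1,
    Binary = 0x2,
    Close = 0x8,
    Ping = 0x9,
    Pong = 0xA,
}

impl WebSocketOpcode {
    const ALL: [WebSocketOpcode; 6] = [
        Self::Continuation, Self::Text, Self::Binary, Self::Close, Self::Ping, Self::Pong,
    ];

    /// Logging direction: the u8 read off the wire becomes a name.
    pub fn from_u8(v: u8) -> Option<Self> {
        Self::ALL.iter().copied().find(|o| *o as u8 == v)
    }

    pub fn as_str(self) -> &'static str {
        match self {
            Self::Continuation => "continuation",
            Self::Text => "text",
            Self::Binary => "binary",
            Self::Close => "close",
            Self::Ping => "ping",
            Self::Pong => "pong",
        }
    }

    /// Detection direction: a rule keyword value becomes the u8 compared on the wire.
    pub fn from_keyword(s: &str) -> Option<Self> {
        Self::ALL.iter().copied().find(|o| o.as_str().eq_ignore_ascii_case(s))
    }
}

/// One frame as seen on the wire; `payload` is still masked when `mask` is set.
#[derive(Debug, PartialEq, Eq)]
pub struct WebSocketFrame<'a> {
    pub fin: bool,
    pub opcode: u8,
    pub mask: bool,
    pub mask_key: Option<[u8; 4]>,
    pub payload: &'a [u8],
}

/// Parse one frame; returns the frame and bytes consumed, or None if more data is needed.
pub fn parse_frame(input: &[u8]) -> Option<(WebSocketFrame<'_>, usize)> {
    if input.len() < 2 {
        return None;
    }
    let fin = input[0] & 0x80 != 0;
    let opcode = input[0] & 0x0f;
    let mask = input[1] & 0x80 != 0;
    let mut pos = 2;
    let len: u64 = match input[1] & 0x7f {
        126 => {
            let b = input.get(pos..pos + 2)?;
            pos += 2;
            u64::from(u16::from_be_bytes([b[0], b[1]]))
        }
        127 => {
            let b = input.get(pos..pos + 8)?;
            pos += 8;
            let mut raw = [0u8; 8];
            raw.copy_from_slice(b);
            let v = u64::from_be_bytes(raw);
            if v & (1u64 << 63) != 0 {
                return None; // RFC 6455: most significant bit must be 0
            }
            v
        }
        n => u64::from(n),
    };
    let mask_key = if mask {
        let k = input.get(pos..pos + 4)?;
        pos += 4;
        Some([k[0], k[1], k[2], k[3]])
    } else {
        None
    };
    let len = usize::try_from(len).ok()?;
    let end = pos.checked_add(len)?;
    let payload = input.get(pos..end)?;
    Some((WebSocketFrame { fin, opcode, mask, mask_key, payload }, end))
}

/// Unmask at most `limit` bytes of the payload: a configurable inspection depth,
/// in the spirit of the limits applied to http.request_body.
pub fn unmask_payload(frame: &WebSocketFrame, limit: usize) -> Vec<u8> {
    let n = frame.payload.len().min(limit);
    match frame.mask_key {
        Some(key) => frame.payload[..n].iter().enumerate().map(|(i, b)| b ^ key[i % 4]).collect(),
        None => frame.payload[..n].to_vec(),
    }
}

/// Constructed sample: masked client text frame "Hello", then unmasked server Ping "Hello".
pub const SAMPLE: &[u8] = &[
    0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58,
    0x89, 0x05, 0x48, 0x65, 0x6c, 0x6c, 0x6f,
];

/// Walk all frames in a buffer; per frame: opcode name, mask key (for logging), unmasked payload.
pub fn log_frames(buf: &[u8], limit: usize) -> Vec<(String, Option<[u8; 4]>, Vec<u8>)> {
    let mut out = Vec::new();
    let mut rest = buf;
    while let Some((frame, used)) = parse_frame(rest) {
        let name = WebSocketOpcode::from_u8(frame.opcode)
            .map(|o| o.as_str().to_string())
            .unwrap_or_else(|| format!("unknown({})", frame.opcode));
        out.push((name, frame.mask_key, unmask_payload(&frame, limit)));
        rest = &rest[used..];
    }
    out
}

fn main() {
    for (name, key, payload) in log_frames(SAMPLE, 1024) {
        println!("opcode={} mask_key={:?} payload={:?}", name, key, String::from_utf8_lossy(&payload));
    }
}
```

The masking key is kept on the parsed frame rather than reduced to a bool, so a logger can emit it and a detection engine can still match on whether masking was present; the inspection limit is applied at unmask time so a large frame is only partially decoded.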
WARNING:
Pipeline 16967
Replaced by #10060
Should this not be done with flowbits?
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2695
Describe changes:
OISF/suricata-verify#1528
#9989 with more TODOs done
What is left to do: