Open jgvt opened 2 years ago
FTR, the weird this triggers is:

```
1501770877.532926 CHhAvVGS1DHFjwGM9 192.168.0.5 50798 54.148.114.85 80 parse error: no expected look-ahead token found (/home/projet/Documents/spicy-analyzers/analyzer/http/http.spicy:36:31-38:16) - F zeek -
```
That part of the grammar is:

```spicy
public type Replies = unit {
    %port = 80/tcp &responder;
    : Reply[];
};
```
What this means is that parsing of `Replies` did not find a lookahead token for parsing successive `Reply`s.
Since a WebSocket negotiation starts with a request to switch the protocol and the remote responding with a `101 Switching Protocols`, the format of `Replies` (and subsequently also of `Requests`) is problematic, as it expects all messages to be HTTP, which is not true after a successful protocol switch.
To support parsing traffic with e.g. WebSockets, one would need to add support for `101 Switching Protocols` to this grammar, so that after a successful protocol switch the parser either switches the expected protocol and internally dispatches to another grammar (here: WebSockets), or, maybe better, hands the traffic on this connection over to another analyzer after the switch.
Thanks,
How do we switch from the HTTP analyzer to another one?
When I wrote a WebSocket analyzer in BinPAC (for Bro), I registered the WebSocket analyzer as a child of HTTP. Can we do the same in Spicy?
Thank you for your help.
After some research, I think I have to implement the same behavior as in the native HTTP analyzer, with `upgrade_connection`, `updated` and other variables. For that, I am thinking of using `%context`, because these variables are set across the session (HTTP headers and status code). Then, to switch to the WebSocket analyzer, maybe I will use the `zeek::forward_packet(identifier: uint32)` function.
How can I access the context of a unit from another unit? Do you think this is a good way?
Thanks for your help
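The following is an added sketch, not code from spicy-analyzers or from anyone in this thread, of the "hand the connection over to another analyzer after the switch" option described above, and of sharing state between units via `%context` as asked in the previous comment. It assumes the Zeek-side Spicy functions `zeek::protocol_begin`, `zeek::protocol_data_in` and `zeek::protocol_end` for forwarding data to a child analyzer, a WebSocket analyzer registered under the placeholder name `WEBSOCKET`, and replaces the real HTTP reply parser with a minimal status line plus raw headers; the unit and field names (`HTTPUpgrade`, `Context`, `StatusLine`, `upgraded`, `rest`) are made up for the example.

```spicy
# Added example sketch; not part of spicy-analyzers. Only the responder side
# is shown, reduced to a status line plus the raw header block.
module HTTPUpgrade;

import zeek;

# State shared between the originator and responder units of one connection.
type Context = struct {
    upgraded: bool;
};

# Minimal status line, e.g. "HTTP/1.1 101 Switching Protocols\r\n".
type StatusLine = unit {
    version: /HTTP\/[0-9]\.[0-9]/;
    :        /[ \t]+/;
    status:  /[0-9]{3}/ &convert=$$.to_uint();   # ASCII decimal -> integer
    :        /[^\r\n]*/;                          # reason phrase, ignored
    :        /\r?\n/;
};

type Reply = unit {
    %context = Context;

    line:    StatusLine;
    headers: /(?:[^\r\n]+\r?\n)*\r?\n/;           # header lines up to the blank line

    # A 101 reply ends the HTTP part of the conversation; record that in the
    # shared context so the top-level unit stops parsing further replies.
    on %done {
        if ( self.line.status == 101 ) {
            self.context().upgraded = True;
            # Assumption: "WEBSOCKET" is the name of the registered child analyzer.
            zeek::protocol_begin("WEBSOCKET");
        }
    }
};

public type Replies = unit {
    %port = 80/tcp &responder;
    %context = Context;

    # Parse HTTP replies only as long as no protocol switch has happened;
    # &while is evaluated before each element.
    : Reply[] &while(! self.context().upgraded);

    # Everything after the 101 reply belongs to the upgraded protocol and is
    # handed to the child analyzer instead of being parsed as HTTP.
    rest: bytes &eod if ( self.context().upgraded );

    on rest  { zeek::protocol_data_in(False, $$); }   # False: responder side
    on %done { if ( self.context().upgraded ) zeek::protocol_end(); }
};
```

The originator unit would mirror this with `&originator`, the same `%context = Context;` declaration and `zeek::protocol_data_in(True, $$)`, so that both directions of the connection reach the child analyzer once the shared `upgraded` flag is set.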
Hi,
While working on a WebSocket analyzer in Spicy (https://github.com/zeek/zeek/discussions/1637), I found that the HTTP analyzer gives a parse error with WebSocket traffic. I tried to replay the Zeek btest (101-switching-protocols) with the Spicy analyzer to confirm.
The new btest file: basic.zeek.txt, and the resulting weird log file: weird.log
Any ideas to solve this ?