zeek / spicy-analyzers

Growing collection of Spicy-based protocol and file analyzers for Zeek

weird on Spicy HTTP analyzer with websocket traffic #99

Open jgvt opened 2 years ago

jgvt commented 2 years ago

Hi,

While working on a websocket analyzer in Spicy (https://github.com/zeek/zeek/discussions/1637), I find that the HTTP analyzer gives a parse error with websocket traffic. I tried to replay the Zeek btest (101-switching-protocols) with the Spicy analyzer to confirm.

The new btest file: basic.zeek.txt, and the weird log file that results: weird.log

Any ideas how to solve this?

bbannier commented 2 years ago

FTR, the weird this triggers is

1501770877.532926   CHhAvVGS1DHFjwGM9   192.168.0.5 50798   54.148.114.85   80  parse error: no expected look-ahead token found (/home/projet/Documents/spicy-analyzers/analyzer/http/http.spicy:36:31-38:16)   -   F   zeek    -

That part of the grammar is

public type Replies = unit {
    %port = 80/tcp &responder;

    :  Reply[];
};

What this means is that parsing of Replies did not find a lookahead token for parsing successive Replys.

Since a Websocket negotiation starts with a request to switch the protocol and the remote responding with a 101 Switch Protocols, the format of Replies (and subsequently also of Requests) is problematic, as it expects all messages to be HTTP, which is not true after successful protocol switching.

To support parsing traffic with, e.g., Websockets, one would need to add to this grammar support for 101 Switch Protocols so that, after a successful protocol switch, the parser either switches the expected protocol and internally dispatches to another grammar (here: Websockets), or, maybe better, hands traffic over this connection to another analyzer after the switch.
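The failure mode described above, as an added illustration that is not part of the issue thread or of the spicy-analyzers code: a toy Python stream parser whose `parse_replies_naive` mirrors the `: Reply[];` rule (keep expecting HTTP replies until the input ends) and therefore fails with a lookahead-style error once WebSocket frame bytes follow the `101 Switching Protocols` reply, next to `parse_replies_with_upgrade`, which stops after the upgrade and returns the leftover bytes for a separate WebSocket frame parser. The sample byte stream and all function names are constructed for this example.

```python
"""Added example (not from the issue or from spicy-analyzers): why `Reply[]`
breaks after a WebSocket upgrade, and how recognising 101 fixes it."""

import re


class ParseError(Exception):
    """Raised when the bytes at the current offset are not an HTTP status line,
    the analogue of Spicy's 'no expected look-ahead token found'."""


# Constructed sample responder stream: a normal reply, then a 101 upgrade
# reply, then one unmasked WebSocket text frame carrying the payload "hi".
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
    b"\x81\x02hi"
)

STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3}) [^\r\n]*\r\n")


def parse_reply(buf, pos):
    """Parse one HTTP reply at `pos`; return (status, headers, body, new_pos)."""
    m = STATUS_LINE.match(buf, pos)
    if not m:
        raise ParseError(f"no expected look-ahead token at offset {pos}")
    status = int(m.group(1))
    pos = m.end()
    headers = {}
    while True:
        try:
            end = buf.index(b"\r\n", pos)
        except ValueError:
            raise ParseError("truncated header block") from None
        line = buf[pos:end]
        pos = end + 2
        if not line:            # blank line terminates the header block
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    return status, headers, buf[pos:pos + length], pos + length


def parse_replies_naive(buf):
    """Equivalent of `: Reply[];`: every remaining byte must be an HTTP reply."""
    pos, statuses = 0, []
    while pos < len(buf):
        status, _headers, _body, pos = parse_reply(buf, pos)
        statuses.append(status)
    return statuses


def parse_replies_with_upgrade(buf):
    """Stop parsing HTTP after a 101 with Upgrade: websocket and hand the
    remaining bytes back, so they can go to a WebSocket parser instead."""
    pos, statuses = 0, []
    while pos < len(buf):
        status, headers, _body, pos = parse_reply(buf, pos)
        statuses.append(status)
        if status == 101 and headers.get(b"upgrade", b"").lower() == b"websocket":
            return statuses, buf[pos:]
    return statuses, b""


def parse_ws_frame(buf):
    """Decode the header of one short, unmasked WebSocket frame (RFC 6455)."""
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F      # only the 7-bit length form is handled here
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload": buf[2:2 + length]}


if __name__ == "__main__":
    try:
        parse_replies_naive(SAMPLE_STREAM)
    except ParseError as exc:
        print("naive grammar:", exc)
    statuses, rest = parse_replies_with_upgrade(SAMPLE_STREAM)
    print("with upgrade handling:", statuses, parse_ws_frame(rest))
```

The second parser is the stream-level equivalent of the suggestion in the comment above: the HTTP grammar ends at the upgrade reply, and whatever follows is dispatched to a different grammar (or, in Zeek terms, to a different analyzer) rather than forced through `Reply[]`.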

jgvt commented 2 years ago

Thanks,

How do we switch from the HTTP analyzer to another one?

When I wrote the websocket analyzer in BinPAC (for Bro), I registered the websocket analyzer as a child of HTTP. Can we do the same in Spicy?

Thank you for your help.

jgvt commented 2 years ago

After research, I think I have to implement the same behavior as in the native HTTP analyzer, with the upgrade_connection, updated and other variables. For that, I think I will use %context because these variables are set across the session (HTTP headers and status code). Then, to switch to the websocket analyzer, maybe I will use the zeek::forward_packet(identifier: uint32) function.

How can I access the context of a unit above another? Do you think this is a good way?

Thanks for your help.