weird on Spicy HTTP analyzer with websocket traffic #99

Open
jgvt opened this issue Nov 17, 2021 · 3 comments

Comments

@jgvt

jgvt commented Nov 17, 2021

Hi,

While working on a websocket analyzer in Spicy (zeek/zeek#1637), I found that the HTTP analyzer gives a parse error with websocket traffic.
I tried to replay the Zeek btest (101-switching-protocols) with the Spicy analyzer to confirm.

The new btest file:
basic.zeek.txt
and the resulting weird log file:
weird.log

Any ideas how to solve this?

@bbannier
Member

bbannier commented Nov 17, 2021

FTR, the weird this triggers is

1501770877.532926	CHhAvVGS1DHFjwGM9	192.168.0.5	50798	54.148.114.85	80	parse error: no expected look-ahead token found (/home/projet/Documents/spicy-analyzers/analyzer/http/http.spicy:36:31-38:16)	-	F	zeek	-

That part of the grammar is

public type Replies = unit {
    %port = 80/tcp &responder;

    :  Reply[];
};

What this means is that parsing of Replies did not find a lookahead token for parsing successive Replys.

Since a Websocket negotiation starts with a request to switch the protocol and the remote responding with a 101 Switching Protocols, the format of Replies (and subsequently also of Requests) is problematic, as it expects all messages to be HTTP, which is not true after a successful protocol switch.

To support parsing traffic with, e.g., Websockets, one would need to add support for 101 Switching Protocols to this grammar, so that after a successful protocol switch the parser either switches the expected protocol and internally dispatches to another grammar (here: Websockets), or, maybe better, hands the traffic over this connection to another analyzer after the switch.

@bbannier bbannier transferred this issue from zeek/spicy-plugin Nov 17, 2021
@jgvt
Author

jgvt commented Nov 17, 2021

Thanks,

How do we switch from the HTTP analyzer to another one?

When I wrote a websocket analyzer in BinPAC (for Bro), I registered the websocket analyzer as a child of HTTP.
Can we do the same in Spicy?

Thank you for your help.

@jgvt
Author

jgvt commented Nov 24, 2021

After some research, I think I have to implement the same behavior as in the native HTTP analyzer, with upgrade_connection, updated and other variables. For that, I think of using %context, because these variables are set across the session (HTTP headers and status code).
Then, to switch to the websocket analyzer, maybe I will use the zeek::forward_packet(identifier: uint32) function.

How can I access the context of a unit above another one?
Do you think this is a good way?

Thanks for your help
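The protocol switch described in bbannier's reply above (parse replies as HTTP until a 101 confirms the requested upgrade, then dispatch to another grammar) and the connection-level state jgvt wants to keep in %context can be sketched outside Spicy. The following Python is an added example, not code from this thread, from zeek/spicy-analyzers or from Zeek's HTTP analyzer. It keeps a small Context object (upgrade_requested, upgraded) shared by the request and reply parsers, parses the responder stream as HTTP replies until the switch, then parses RFC 6455 base frames, and shows that without tracking the switch the next reply parse fails in the same way as the weird quoted above. The traffic bytes are constructed, and all names (Context, parse_request, parse_reply, parse_ws_frame, parse_responder_stream) are the example's own.

```python
import re
from dataclasses import dataclass


class ParseError(Exception):
    pass


@dataclass
class Context:
    """Connection-level state shared by both directions (the role %context
    plays in a Spicy grammar). Names are this example's, not Spicy's."""
    upgrade_requested: bool = False  # request carried Upgrade: websocket
    upgraded: bool = False           # responder confirmed with 101


STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) [^\r\n]*\r\n")


def parse_headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_request(data: bytes, ctx: Context) -> dict:
    """Originator side: record whether the client asked for a websocket upgrade."""
    head, _, _ = data.partition(b"\r\n\r\n")
    _, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(header_block)
    if (headers.get(b"upgrade", b"").lower() == b"websocket"
            and b"upgrade" in headers.get(b"connection", b"").lower()):
        ctx.upgrade_requested = True
    return headers


def parse_reply(buf: bytes):
    """Responder side: one HTTP reply -> (status, headers, body, rest).
    Fails like the Spicy look-ahead when the buffer has no status line."""
    m = STATUS_LINE.match(buf)
    if m is None:
        raise ParseError("no expected look-ahead token found")
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ParseError("incomplete headers")
    headers = parse_headers(head[m.end():])
    length = int(headers.get(b"content-length", b"0"))
    return int(m.group(1)), headers, rest[:length], rest[length:]


def parse_ws_frame(buf: bytes):
    """One RFC 6455 frame -> (opcode, unmasked payload, rest)."""
    if len(buf) < 2:
        raise ParseError("short frame")
    opcode, masked, length, pos = buf[0] & 0x0F, bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if length == 126:
        length, pos = int.from_bytes(buf[2:4], "big"), 4
    elif length == 127:
        length, pos = int.from_bytes(buf[2:10], "big"), 10
    key = b""
    if masked:  # client-to-server frames carry a 4-byte masking key
        key, pos = buf[pos:pos + 4], pos + 4
    payload = buf[pos:pos + length]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, buf[pos + length:]


def parse_responder_stream(buf: bytes, ctx: Context) -> list:
    """Replies[] with the switch: HTTP replies until a 101 confirms the
    requested upgrade, WebSocket frames for the rest of the connection."""
    events = []
    while buf:
        if ctx.upgraded:
            opcode, payload, buf = parse_ws_frame(buf)
            events.append(("ws", opcode, payload))
            continue
        status, headers, body, buf = parse_reply(buf)
        events.append(("http", status, body))
        if (status == 101 and ctx.upgrade_requested
                and headers.get(b"upgrade", b"").lower() == b"websocket"):
            ctx.upgraded = True
    return events


# Constructed sample traffic (not the btest pcap from the thread).
REQUEST = (b"GET /chat HTTP/1.1\r\nHost: example\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\nSec-WebSocket-Key: x\r\n\r\n")
RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\n\r\n"
            + bytes([0x81, 0x05]) + b"hello")  # unmasked text frame

if __name__ == "__main__":
    ctx = Context()
    parse_request(REQUEST, ctx)
    print(parse_responder_stream(RESPONSE, ctx))
    try:  # without the context the frame is parsed as another HTTP reply
        parse_responder_stream(RESPONSE, Context())
    except ParseError as e:
        print("without the switch:", e)
```

The second call deliberately uses a fresh Context so the 101 is not tied to an upgrade request; the frame bytes that follow then hit parse_reply, which is exactly where the Replies grammar in the thread runs out of look-ahead. Handing the post-switch bytes to a separate analyzer instead of parse_ws_frame is the other option bbannier mentions; the state that decides the switch is the same either way.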
