weird on Spicy HTTP analyzer with websocket traffic

[jgvt]

Hi,

Will working on websocket analyzer in spicy (zeek/zeek#1637) I find that the HTTP analyzer give a parse error with websocket traffic.
I try to replay zeek btest (101-switching-protocols) with spicy analyzer to confirme.

the new btest file :
basic.zeek.txt
and the weird log file that result:
weird.log

Any ideas to solve this ?

[bbannier]

FTR, the weird this triggers is

1501770877.532926	CHhAvVGS1DHFjwGM9	192.168.0.5	50798	54.148.114.85	80	parse error: no expected look-ahead token found (/home/projet/Documents/spicy-analyzers/analyzer/http/http.spicy:36:31-38:16)	-	F	zeek	-

That part of the grammar is

public type Replies = unit {
    %port = 80/tcp &responder;

    :  Reply[];
};

What this means that parsing of Replies did not find a lookahead token for the parsing successive Replys.

Since a Websocket negotion starts with a request to switch the protocol and the remove responding with a 101 Switch Protocols the format of Replies (and subsequently also of Requests) is problematic as it expects all messages to be HTTP which is not true after successful protocol switching.

To support parsing traffic with e.g., Websockets one would need to add to this grammar support for 101 Switch Protocols so that after successful protocol switch the parser either switches the expected protocol and internally dispatches to another grammar (here: Websockets), or maybe better hands traffic over this connection to another analyzer after the switch.

[jgvt]

Thanks,

How do we switch from HTTP analyzer to another one ?

When I wrote websocket analyzer in Binpac (for Bro) I record websocket analyzer as a son of HTTP.
Can we do the same in Spicy ?

Thank you for your help.

[jgvt]

After research, I think I have to implement the same behavior that in the native HTTP analyzer with upgrade_connection, updated and others variables. For that, I think to use %context because these variables are set across session (http headers and status code).
Then, to switch to the websocket analyzer, maybe I will use zeek::forward_packet(identifier: uint32) function.

How can I access in the context of a unit above another ?
Do you think this is a good way ?

Thanks for your help