Project

General

Profile

Actions
Copy link

Feature #2695

open

websocket support

Added by Victor Julien over 4 years ago. Updated 5 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Jason Ish
Target version:
TBD
Effort:
Difficulty:
Label:
Protocol

Description

At Suricon2018 support for WebSockets was requested.

Jason Ish, Danny Browning and Matt offered to work on this.

Rust would be preferred.

Related issues 2 (1 open1 closed)

Related to Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Related to Feature #3285: rules: XOR keywordClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Victor Julien over 4 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions
Copy link
 #2

Updated by Bryant Smith about 4 years ago

I have a Lua script I've developed to unmask websockets. I can add this to the git repo while a rust parser is being created.

Actions
Copy link
 #3

Updated by Jason Ish over 3 years ago

Actions
Copy link
 #4

Updated by Victor Julien over 3 years ago

  • Label Protocol added
Actions
Copy link
 #5

Updated by Brandon Murphy about 1 year ago

just wanted to bump this request WebSockets is still used by malware, recently case of it is documented here https://isc.sans.edu/forums/diary/Keep+an+Eye+on+WebSockets/28430/

Actions
Copy link
 #6

Updated by Brandon Murphy about 1 year ago

just another bump - APT actor using websockets

https://cert.gov.ua/article/37704
Translated to English -- https://cert-gov-ua.translate.goog/article/37704?_x_tr_sl=uk&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

I was able to confirm this traffic using WebSockets - can share a pcap privately if needed, but looks like standard websockets use here.

Actions
Copy link
 #7

Updated by Brandon Murphy 5 months ago

redteam tooling using WebSockets
https://github.com/dobin/antnium

Actions
Copy link

Also available in: Atom PDF