Feature #2695

open

websocket support

Added by Victor Julien about 4 years ago. Updated 9 months ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label: Protocol

Description

At Suricon2018 support for WebSockets was requested.

Jason Ish, Danny Browning and Matt offered to work on this.

Rust would be preferred.


Related issues 2 (1 open, 1 closed)

Related to Task #2685: SuriCon 2018 brainstorm (Assigned, Victor Julien)
Related to Feature #3285: rules: XOR keyword (Closed, Philippe Antoine)

#1

Updated by Victor Julien about 4 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
#2

Updated by Bryant Smith over 3 years ago

I have a Lua script I've developed to unmask WebSockets. I can add this to the git repo while a Rust parser is being created.

#3

Updated by Jason Ish about 3 years ago

#4

Updated by Victor Julien almost 3 years ago

  • Label Protocol added
#5

Updated by Brandon Murphy 9 months ago

Just wanted to bump this request. WebSockets is still used by malware; a recent case of it is documented here: https://isc.sans.edu/forums/diary/Keep+an+Eye+on+WebSockets/28430/

#6

Updated by Brandon Murphy 9 months ago

Just another bump - APT actor using WebSockets

https://cert.gov.ua/article/37704
Translated to English -- https://cert-gov-ua.translate.goog/article/37704?_x_tr_sl=uk&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

I was able to confirm this traffic using WebSockets - can share a pcap privately if needed, but looks like standard websockets use here.
