Feature #2695
openwebsocket support
Added by Victor Julien about 5 years ago. Updated 4 days ago.
Description
At Suricon2018 support for WebSockets was requested.
Jason Ish, Danny Browning and Matt offered to work on this.
Rust would be preferred.
Files
basic_websockets.pcap (2.91 KB) | Brandon Murphy, 11/10/2023 05:52 AM
Updated by Victor Julien about 5 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Bryant Smith over 4 years ago
I have a Lua script I've developed to unmask WebSockets. I can add this to the git repo while a Rust parser is being created.
Updated by Jason Ish about 4 years ago
- Related to Feature #3285: rules: XOR keyword added
Updated by Brandon Murphy over 1 year ago
Just wanted to bump this request. WebSockets is still used by malware; a recent case of it is documented here: https://isc.sans.edu/forums/diary/Keep+an+Eye+on+WebSockets/28430/
Updated by Brandon Murphy over 1 year ago
Just another bump - APT actor using WebSockets
https://cert.gov.ua/article/37704
Translated to English -- https://cert-gov-ua.translate.goog/article/37704?_x_tr_sl=uk&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
I was able to confirm this traffic using WebSockets - I can share a pcap privately if needed, but it looks like standard WebSockets use here.
Updated by Brandon Murphy 11 months ago
Red team tooling using WebSockets
https://github.com/dobin/antnium
Updated by Brandon Murphy 4 months ago
Just another example of a RAT using WebSockets
https://asec.ahnlab.com/en/52899/
Source Code: https://github.com/XZB-1248/Spark/
Updated by Philippe Antoine 26 days ago
- Related to Task #6443: Suricon 2023 brainstorm added
Updated by Philippe Antoine 26 days ago
@Brandon Murphy do you have pcaps for this?
Updated by Brandon Murphy 26 days ago
- File basic_websockets.pcap basic_websockets.pcap added
Yeah, sure thing! Keep in mind this pcap might not be representative of all WebSocket complexities; it's pretty basic, but it should demonstrate it well enough.
I can share some SparkRAT (mentioned above) pcaps privately.
Updated by Peter Manev 23 days ago
Also this pcap - thanks to AnyRun - https://app.any.run/tasks/caf8a256-6249-47ec-8de0-80b5d6049874/
Updated by Victor Julien 22 days ago
What would be the expectation wrt detection?
Minimum I can think of is keywords for:
- message header
- message payload raw
- message payload unmasked
But would there be a requirement to reassemble (unmasked) message payloads into a continuous buffer as well?
Updated by Victor Julien 19 days ago
- Assignee changed from Community Ticket to OISF Dev
- Priority changed from Normal to High
- Target version changed from TBD to 8.0.0-beta1
Updated by Victor Julien 4 days ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Brandon Murphy 4 days ago
Victor Julien wrote in #note-15:
What would be the expectation wrt detection?
Minimum I can think of is keywords for:
- message header
- message payload raw
- message payload unmasked
Message payload unmasked would be key to detection.
It would be nice to see logic that handles to_client/to_server in these messages as well.
Outside of what you have, I could see the actual key being a buffer (while typically dynamic, actors do stupid things sometimes).
But would there be a requirement to reassemble (unmasked) message payloads into a continuous buffer as well?
I'm not sure I understand this question. Like a single buffer with the contents of all messages?
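To make the buffers discussed in the last two comments concrete (message header, raw payload, masking key, unmasked payload, and the reassembly question), here is a small RFC 6455 frame parser in Rust, the language the ticket prefers. It is an added example written for this page, not Suricata code and not the Lua script mentioned earlier. The two sample frames are the ones printed in RFC 6455 section 5.7 (a masked "Hello" and an unmasked "Hello" fragmented into "Hel" + "lo"); the type and function names are my own.

```rust
// RFC 6455 frame parsing and unmasking, exposing the buffers discussed above:
// header fields, masked (raw) payload, masking key and unmasked payload, plus
// reassembly of a fragmented message. Added example, not Suricata code; the
// sample frames are the ones printed in RFC 6455 section 5.7.

#[derive(Debug, PartialEq)]
pub struct WsFrame<'a> {
    pub fin: bool,
    pub opcode: u8,            // 0x0 continuation, 0x1 text, 0x2 binary, >= 0x8 control
    pub masked: bool,
    pub masking_key: Option<[u8; 4]>,
    pub payload_raw: &'a [u8], // payload exactly as seen on the wire (still masked)
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Incomplete,    // need more bytes (a stream parser would wait for them)
    ReservedBits,  // RSV1-3 set without a negotiated extension
    InvalidLength, // non-minimal or out-of-range extended length
    Fragmentation, // continuation without a start, or a new message mid-fragment
}

/// Parse one frame from the front of `input`; return it with the remaining bytes.
pub fn parse_frame(input: &[u8]) -> Result<(WsFrame<'_>, &[u8]), ParseError> {
    if input.len() < 2 {
        return Err(ParseError::Incomplete);
    }
    let (b0, b1) = (input[0], input[1]);
    if (b0 & 0x70) != 0 {
        return Err(ParseError::ReservedBits);
    }
    let mut pos = 2;
    // 7-bit length, or 126 / 127 announcing a 16- or 64-bit big-endian length.
    let payload_len = match (b1 & 0x7f) as usize {
        126 => {
            let raw = input.get(pos..pos + 2).ok_or(ParseError::Incomplete)?;
            pos += 2;
            let l = u16::from_be_bytes([raw[0], raw[1]]) as usize;
            if l < 126 { return Err(ParseError::InvalidLength); } // must be minimal encoding
            l
        }
        127 => {
            let raw = input.get(pos..pos + 8).ok_or(ParseError::Incomplete)?;
            pos += 8;
            let mut b = [0u8; 8];
            b.copy_from_slice(raw);
            let l = u64::from_be_bytes(b);
            if l < 65536 || l > usize::MAX as u64 { return Err(ParseError::InvalidLength); }
            l as usize
        }
        n => n,
    };
    let masked = (b1 & 0x80) != 0;
    let masking_key = if masked {
        let raw = input.get(pos..pos + 4).ok_or(ParseError::Incomplete)?;
        pos += 4;
        Some([raw[0], raw[1], raw[2], raw[3]])
    } else {
        None
    };
    // Checked add: a hostile 64-bit length must not wrap the slice bound.
    let end = pos.checked_add(payload_len).ok_or(ParseError::InvalidLength)?;
    let payload_raw = input.get(pos..end).ok_or(ParseError::Incomplete)?;
    let frame = WsFrame { fin: (b0 & 0x80) != 0, opcode: b0 & 0x0f, masked, masking_key, payload_raw };
    Ok((frame, &input[end..]))
}

impl<'a> WsFrame<'a> {
    /// Unmasked payload: payload[i] XOR key[i mod 4]; unmasked frames pass through.
    pub fn payload_unmasked(&self) -> Vec<u8> {
        match self.masking_key {
            Some(k) => self.payload_raw.iter().enumerate().map(|(i, b)| b ^ k[i % 4]).collect(),
            None => self.payload_raw.to_vec(),
        }
    }
}

/// Concatenate the unmasked payloads of one message (first data frame, then
/// continuation frames, up to FIN) into a single buffer, skipping control frames.
pub fn reassemble_message(mut input: &[u8]) -> Result<(u8, Vec<u8>), ParseError> {
    let (mut opcode, mut out) = (None, Vec::new());
    loop {
        let (frame, rest) = parse_frame(input)?;
        input = rest;
        if frame.opcode >= 0x8 {
            continue; // ping/pong/close may be interleaved with fragments
        }
        match (opcode, frame.opcode) {
            (None, 0x0) | (Some(_), 0x1..=0x7) => return Err(ParseError::Fragmentation),
            (None, op) => opcode = Some(op),
            _ => {}
        }
        out.extend_from_slice(&frame.payload_unmasked());
        if frame.fin {
            return Ok((opcode.unwrap_or(0), out));
        }
    }
}

/// RFC 6455 5.7: single masked text frame containing "Hello", key 37 fa 21 3d.
pub fn sample_masked_hello() -> Vec<u8> {
    vec![0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58]
}

/// RFC 6455 5.7: unmasked text message fragmented as "Hel" + continuation "lo".
pub fn sample_fragmented_hello() -> Vec<u8> {
    vec![0x01, 0x03, 0x48, 0x65, 0x6c, 0x80, 0x02, 0x6c, 0x6f]
}
```

The three buffers a rule writer would match on map directly onto the struct: `WsFrame` fields for the header, `payload_raw` for the on-the-wire bytes, `masking_key` for the key (which a client is supposed to randomize per frame, but a sloppy implementation may not), and `payload_unmasked()` for the decoded content. `reassemble_message` is one reading of the "continuous buffer" question: it yields a single buffer per message across fragments, which is distinct from concatenating every message on the connection. The length checks reject non-minimal extended lengths and use checked arithmetic so an attacker-chosen 64-bit length cannot wrap the slice bounds, which is the first thing to get right in any parser that will sit inline on untrusted traffic.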