support websocket.log; idaholab#593

mmguero-dev · Oct 11, 2024 · 5040313 · 5040313
1 parent 2e2fce1
commit 5040313
Show file tree

Hide file tree

Showing 7 changed files with 511 additions and 0 deletions.
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -2669,6 +2669,16 @@ zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;viewerOnly:true;fr
 zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Tunnel Type;help:Tunnel Type
 zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Action;help:Action
 
+# websocket.log
+# https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info
+zeek.websocket.host=db:zeek.websocket.host;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Host;help:Websocket Host
+zeek.websocket.uri=db:zeek.websocket.uri;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket URI;help:Websocket URI
+zeek.websocket.user_agent=db:zeek.websocket.user_agent;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket User Agent;help:Websocket User Agent
+zeek.websocket.subprotocol=db:zeek.websocket.subprotocol;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Subprotocol;help:Websocket Subprotocol
+zeek.websocket.client_protocols=db:zeek.websocket.client_protocols;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Protocol;help:Websocket Client Protocol
+zeek.websocket.server_extensions=db:zeek.websocket.server_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Server Extension;help:Websocket Server Extension
+zeek.websocket.client_extensions=db:zeek.websocket.client_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Extension;help:Websocket Client Extension
+
 # weird.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
 zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Additional Info;help:Additional Info
@@ -3395,6 +3405,7 @@ o_zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek tds_rpc.log;fields:zeek.tds_rpc.p
 o_zeek_tds_sql_batch=require:zeek.tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek.tds_sql_batch.header_type,zeek.tds_sql_batch.query
 o_zeek_tftp=require:zeek.tftp;title:Zeek tftp.log;fields:zeek.tftp.block_acked,zeek.tftp.block_sent,zeek.tftp.error_code,zeek.tftp.error_msg,zeek.tftp.fname,zeek.tftp.mode,zeek.tftp.size,zeek.tftp.uid_data,zeek.tftp.wrq
 o_zeek_tunnel=require:zeek.tunnel;title:Zeek tunnel.log;fields:zeek.tunnel.tunnel_type,zeek.tunnel.action
+o_zeek_websocket=require:zeek.websocket;title:Zeek websocket.log;fields:zeek.websocket.host,zeek.websocket.uri,zeek.websocket.user_agent,zeek.websocket.subprotocol,zeek.websocket.client_protocols,zeek.websocket.server_extensions,zeek.websocket.client_extensions
 o_zeek_weird=require:zeek.weird;title:Zeek weird.log;fields:rule.name,zeek.weird.addl,zeek.weird.notice,zeek.weird.source
 o_zeek_wireguard=require:zeek.wireguard;title:Zeek wireguard.log;fields:zeek.wireguard.established,zeek.wireguard.initiations,zeek.wireguard.responses
 o_zeek_x509=require:zeek.x509;title:Zeek x509.log;fields:zeek.x509.certificate_version,zeek.x509.certificate_serial,zeek.x509.certificate_subject.CN,zeek.x509.certificate_subject.C,zeek.x509.certificate_subject.O,zeek.x509.certificate_subject.OU,zeek.x509.certificate_subject.ST,zeek.x509.certificate_subject.SN,zeek.x509.certificate_subject.L,zeek.x509.certificate_subject.DC,zeek.x509.certificate_subject.GN,zeek.x509.certificate_subject.pseudonym,zeek.x509.certificate_subject.serialNumber,zeek.x509.certificate_subject.title,zeek.x509.certificate_subject.initials,zeek.x509.certificate_subject.emailAddress,zeek.x509.certificate_subject.description,zeek.x509.certificate_subject.postalCode,zeek.x509.certificate_subject.street,zeek.x509.certificate_issuer.CN,zeek.x509.certificate_issuer.DC,zeek.x509.certificate_issuer.C,zeek.x509.certificate_issuer.O,zeek.x509.certificate_issuer.OU,zeek.x509.certificate_issuer.ST,zeek.x509.certificate_issuer.SN,zeek.x509.certificate_issuer.L,zeek.x509.certificate_issuer.GN,zeek.x509.certificate_issuer.pseudonym,zeek.x509.certificate_issuer.serialNumber,zeek.x509.certificate_issuer.title,zeek.x509.certificate_issuer.initials,zeek.x509.certificate_issuer.emailAddress,zeek.x509.certificate_not_valid_before,zeek.x509.certificate_not_valid_after,zeek.x509.certificate_key_alg,zeek.x509.certificate_sig_alg,zeek.x509.certificate_key_type,zeek.x509.certificate_key_length,zeek.x509.certificate_exponent,zeek.x509.certificate_curve,zeek.x509.client_cert,zeek.x509.fingerprint,zeek.x509.host_cert,zeek.x509.san_dns,zeek.x509.san_uri,zeek.x509.san_email,zeek.x509.san_ip,zeek.x509.basic_constraints_ca,zeek.x509.basic_constraints_path_len

diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -2780,6 +2780,13 @@ class MalcolmSource extends WISESource {
       "zeek.tunnel.action",
       "zeek.tunnel.tunnel_type",
       "zeek.uid",
+      "zeek.websocket.host",
+      "zeek.websocket.uri",
+      "zeek.websocket.user_agent",
+      "zeek.websocket.subprotocol",
+      "zeek.websocket.client_protocols",
+      "zeek.websocket.server_extensions",
+      "zeek.websocket.client_extensions",
       "zeek.weird.addl",
       "zeek.weird.notice",
       "zeek.weird.source",