Query on WebSocket Protocol Decoding Support in Suricata 7

scc000 · November 15, 2023, 10:25am

Body: Hello Suricata Community,

I am currently exploring the capabilities of Suricata 7 and am particularly interested in understanding its support for decoding WebSocket protocols. Recently, I have come across several tunneling attacks conducted using WebSockets, and I am keen on analyzing the WebSocket protocol messages involved in these incidents.

Could you please provide information on whether Suricata 7 supports WebSocket protocol decoding? If so, how can one configure Suricata to parse and analyze WebSocket traffic effectively? Any guidance or insights into handling WebSocket-based attacks would be greatly appreciated.

Thank you for your assistance.

jufajardini · November 15, 2023, 11:13am

Hi there,

Currently, Suricata doesn’t support decoding of websocket protocols. This has been recently discussed during our brainstorming sessions with the community, and we’re tracking the need for this feature, but we’re currently mostly gathering requirements and data: Feature #2695: websocket support - Suricata - Open Information Security Foundation

Topic		Replies	Views
Extended decoding of TLS - cipher suites etc	2	158	May 3, 2024
Generic Protocol Command Decode Help	13	14247	March 13, 2021
Does latest version of Suricata support SCTP or MTCP protocols?	1	15	November 19, 2024
Netflow as input for Suricata Help	4	2975	June 11, 2021
Is it possible to work with layer 2 or 3 protocols like OSPF, LLDP, STP? Help	2	788	September 14, 2021

Query on WebSocket Protocol Decoding Support in Suricata 7

Related topics