8.37. WebSocket Keywords
8.37.1. websocket.payload
A sticky buffer on the unmasked payload, limited by suricata.yaml config value websocket.max-payload-size.
Examples:
websocket.payload; pcre:"/^123[0-9]*/";
websocket.payload; content:"swordfish";
websocket.payload is a 'sticky buffer' and can be used as fast_pattern.
8.37.2. websocket.flags
Matches on the websocket flags. It uses an 8-bit unsigned integer as value. Only the four upper bits are used.
The value can also be a list of strings (comma-separated), where each string is the name of a specific bit like fin and comp, and can be prefixed by ! for negation.
websocket.flags uses an unsigned 8-bit integer.
Examples:
websocket.flags:128;
websocket.flags:&0x40=0x40;
websocket.flags:fin,!comp;
8.37.3. websocket.mask
Matches on the websocket mask if any. It uses a 32-bit unsigned integer as value (big-endian).
websocket.mask uses an unsigned 32-bit integer.
Examples:
websocket.mask:123456;
websocket.mask:>0;
8.37.4. websocket.opcode
Matches on the websocket opcode. It uses an 8-bit unsigned integer as value. Only 16 values are relevant. It can also be specified by text from the enumeration.
websocket.opcode uses an unsigned 8-bit integer.
Examples:
websocket.opcode:1;
websocket.opcode:>8;
websocket.opcode:ping;
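
To see which bytes of a frame each keyword above inspects, the following added example (not part of the Suricata documentation or code base) parses one frame using the RFC 6455 layout and returns the flags, opcode, mask and unmasked payload. Assumptions: the bit named comp is RSV1 (0x40), max_payload is a hypothetical stand-in for websocket.max-payload-size, and the sample frames are constructed.

```python
import struct

FIN, COMP = 0x80, 0x40  # FIN and RSV1 (RFC 6455); "comp" = RSV1 is an assumption

def parse_frame(data, max_payload=65536):
    """Split one RFC 6455 frame into the fields the keywords above inspect.
    max_payload is a hypothetical stand-in for websocket.max-payload-size."""
    def need(n):
        if len(data) < n:
            raise ValueError("truncated frame")
    need(2)
    flags = data[0] & 0xF0             # websocket.flags: four upper bits
    opcode = data[0] & 0x0F            # websocket.opcode: four lower bits
    masked = bool(data[1] & 0x80)
    length = data[1] & 0x7F
    pos = 2
    if length == 126:                  # 16-bit extended length
        need(pos + 2)
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
    elif length == 127:                # 64-bit extended length
        need(pos + 8)
        (length,) = struct.unpack_from(">Q", data, pos)
        pos += 8
    mask, key = None, b""
    if masked:
        need(pos + 4)
        key = data[pos:pos + 4]
        mask = int.from_bytes(key, "big")   # websocket.mask: big-endian u32
        pos += 4
    need(pos + length)
    body = data[pos:pos + length]
    if masked:                         # websocket.payload sees unmasked bytes
        body = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    return {"flags": flags, "opcode": opcode, "mask": mask,
            "payload": body[:max_payload]}

def fin_not_comp(flags):
    """Model of websocket.flags:fin,!comp on a parsed flags value."""
    return bool(flags & FIN) and not (flags & COMP)

# Constructed samples: a masked text frame and an unmasked ping.
KEY = bytes.fromhex("37fa213d")
TEXT = bytes([0x81, 0x80 | 9]) + KEY + bytes(
    b ^ KEY[i % 4] for i, b in enumerate(b"swordfish"))
PING = bytes([0x89, 0x00])

if __name__ == "__main__":
    for name, raw in (("text", TEXT), ("ping", PING)):
        print(name, parse_frame(raw))
```

The masked text frame carries "swordfish" XORed with the key on the wire, which is why a content match has to be written against websocket.payload rather than the raw stream bytes.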