8.37. WebSocket Keywords

8.37.1. websocket.payload

A sticky buffer on the unmasked payload, limited by the suricata.yaml config value websocket.max-payload-size.

Examples:

websocket.payload; pcre:"/^123[0-9]*/";
websocket.payload; content:"swordfish";

websocket.payload is a 'sticky buffer' and can be used as fast_pattern.

8.37.2. websocket.flags

Matches on the websocket flags. It uses an 8-bit unsigned integer as value. Only the four upper bits are used.

The value can also be a list of strings (comma-separated), where each string is the name of a specific bit like fin and comp, and can be prefixed by ! for negation.

websocket.flags uses an unsigned 8-bit integer

Examples:

websocket.flags:128;
websocket.flags:&0x40=0x40;
websocket.flags:fin,!comp;

8.37.3. websocket.mask

Matches on the websocket mask, if any. It uses a 32-bit unsigned integer as value (big-endian).

websocket.mask uses an unsigned 32-bit integer

Examples:

websocket.mask:123456;
websocket.mask:>0;

8.37.4. websocket.opcode

Matches on the websocket opcode. It uses an 8-bit unsigned integer as value. Only 16 values are relevant. It can also be specified by text from the enumeration.

websocket.opcode uses an unsigned 8-bit integer

Examples:

websocket.opcode:1;
websocket.opcode:>8;
websocket.opcode:ping;
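To make the four keywords concrete, the following added example (not Suricata's own code) parses a constructed RFC 6455 frame and evaluates the flags, mask, opcode and payload exactly as the examples above describe them: flags as the upper four bits of the first byte, mask as a big-endian 32-bit integer, opcode as a number or enumeration name, payload after unmasking. The flag names beyond fin and comp and the opcode names beyond ping are assumptions taken from RFC 6455 and RFC 7692.

```python
import struct
from dataclasses import dataclass
# Bit names for websocket.flags (the four upper bits of byte 0). Only fin and comp
# are named on the page; comp is RSV1, the permessage-deflate bit (RFC 7692).
FLAG_BITS = {"fin": 0x80, "comp": 0x40, "rsv2": 0x20, "rsv3": 0x10}
# RFC 6455 opcode names; only "ping" appears on the page, the rest are assumed.
OPCODES = {"continuation": 0, "text": 1, "binary": 2, "close": 8, "ping": 9, "pong": 10}

@dataclass
class Frame:
    flags: int      # websocket.flags: byte 0 with the opcode nibble cleared
    opcode: int     # websocket.opcode: low nibble of byte 0
    mask: int       # websocket.mask: masking key as big-endian u32, 0 if unmasked
    payload: bytes  # websocket.payload: payload after unmasking

def parse_frame(buf: bytes, max_payload_size: int = 0xFFFF) -> Frame:
    """Parse one RFC 6455 frame into the values the keywords match on."""
    first, second = buf[0], buf[1]
    length, pos = second & 0x7F, 2
    if length == 126:
        length, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    elif length == 127:
        length, pos = struct.unpack_from(">Q", buf, pos)[0], pos + 8
    mask, key = 0, b""
    if second & 0x80:  # MASK bit: a 4-byte masking key follows the length
        key = buf[pos:pos + 4]
        mask = struct.unpack(">I", key)[0]
        pos += 4
    payload = buf[pos:pos + length]
    if key:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    # Approximates websocket.max-payload-size: only the first N bytes are buffered.
    return Frame(first & 0xF0, first & 0x0F, mask, payload[:max_payload_size])

def flags_match(frame: Frame, spec: str) -> bool:
    """Evaluate a websocket.flags name list such as 'fin,!comp'."""
    for name in spec.split(","):
        negate = name.startswith("!")
        if bool(frame.flags & FLAG_BITS[name.lstrip("!")]) == negate:
            return False
    return True

def opcode_match(frame: Frame, spec) -> bool:
    """Evaluate websocket.opcode given a number or an enumeration name."""
    return frame.opcode == (OPCODES[spec] if isinstance(spec, str) else spec)

# Constructed client frame: FIN set, RSV1 clear, opcode text (1), masked "swordfish".
KEY, PLAIN = b"\x12\x34\x56\x78", b"swordfish"
FRAME = bytes([0x81, 0x80 | len(PLAIN)]) + KEY + bytes(b ^ KEY[i % 4] for i, b in enumerate(PLAIN))
```

For the constructed frame, `websocket.flags:fin,!comp`, `websocket.mask:>0` and `websocket.payload; content:"swordfish";` all match, while `websocket.flags:&0x40=0x40` and `websocket.opcode:ping` do not.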