
A Spicy Approach to WebSockets: Enhancing Bro's WebSockets Network Analysis by Generating a Custom Protocol Parser with Spicy

Full paper available as PDF (4.04MB)
Published: 22 Sep, 2017
Created by: Jennifer Gates

Although the Request for Comments (RFC) defining WebSockets, RFC 6455, was released in 2011, there has been little focus on using the Bro Intrusion Detection System (IDS) to analyze WebSockets traffic. Attackers, meanwhile, have made progress in exploiting the WebSockets protocol. One of Bro's chief benefits is that it can be customized and extended to analyze new protocols, and the Bro developers are building a framework called Spicy that lets security professionals write new protocol parsers. This paper focuses on developing Spicy and Bro scripts that provide visibility into WebSockets traffic. The research compared the data that can be logged with Bro's existing protocol analyzers against the data that can be logged once a WebSockets protocol analyzer has been written in Spicy. It shows that Bro detects malicious WebSockets traffic more effectively when the traffic is parsed with a Spicy script, and that Bro logging scripts tailored to a particular WebSockets application increase that effectiveness further.
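To make concrete what a custom WebSockets analyzer has to decode, the following is an added example written for this page: a parser for the RFC 6455 frame format (FIN/RSV bits, opcode, mask bit, the 7/16/64-bit payload length encodings, the client-side masking key) plus a reassembler that joins fragmented messages and lets control frames interleave. It is not the Spicy or Bro code from the paper, and the sample frames are constructed here (taken from the worked examples in RFC 6455 section 5.7 or built with the included helper). The protocol-violation checks (non-minimal length encodings, oversized or fragmented control frames, set RSV bits with no extension negotiated) are the kind of conditions an IDS parser would want to flag rather than silently accept.

```python
"""RFC 6455 WebSocket frame parser and message reassembler.

Added example for this page; it is not code from the paper or from Spicy/Bro.
"""
import struct
from dataclasses import dataclass

# Opcode names from RFC 6455 section 5.2; 0x8-0xF are control frames.
OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


@dataclass
class Frame:
    fin: bool
    rsv: int
    opcode: int
    masked: bool
    payload: bytes          # already unmasked
    header_len: int         # bytes of header consumed (for offsets/logging)

    @property
    def opcode_name(self) -> str:
        return OPCODES.get(self.opcode, "reserved")


def apply_mask(data: bytes, key: bytes) -> bytes:
    """XOR each payload byte with key[i mod 4]; masking is its own inverse."""
    return bytes(b ^ key[i & 3] for i, b in enumerate(data))


def parse_frame(buf: bytes, offset: int = 0):
    """Parse one frame at buf[offset]; return (Frame, offset_after_frame).

    Raises ValueError on truncated input or a protocol violation. Assumes no
    extension was negotiated, so any RSV bit set is treated as a violation.
    """
    if len(buf) - offset < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[offset], buf[offset + 1]
    fin, rsv, opcode = bool(b0 & 0x80), (b0 >> 4) & 0x7, b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = offset + 2
    if length == 126:                       # 16-bit extended length
        if len(buf) - pos < 2:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack("!H", buf[pos:pos + 2]); pos += 2
        if length < 126:
            raise ValueError("non-minimal 16-bit length encoding")
    elif length == 127:                     # 64-bit extended length
        if len(buf) - pos < 8:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", buf[pos:pos + 8]); pos += 8
        if length >> 63:
            raise ValueError("most significant bit of 64-bit length must be 0")
        if length < 65536:
            raise ValueError("non-minimal 64-bit length encoding")
    if rsv:
        raise ValueError("RSV bits set without a negotiated extension")
    if opcode & 0x8 and (length > 125 or not fin):
        raise ValueError("control frames must be unfragmented and <= 125 bytes")
    key = b""
    if masked:
        if len(buf) - pos < 4:
            raise ValueError("truncated masking key")
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) - pos < length:
        raise ValueError("truncated payload")
    payload = buf[pos:pos + length]
    if masked:
        payload = apply_mask(payload, key)
    return Frame(fin, rsv, opcode, masked, payload, pos - offset), pos + length


def build_frame(opcode: int, payload: bytes, fin: bool = True,
                mask_key: bytes = None) -> bytes:
    """Encode a frame; clients must mask, so pass a 4-byte key for client->server."""
    b0 = (0x80 if fin else 0) | opcode
    mbit = 0x80 if mask_key else 0
    n = len(payload)
    if n < 126:
        hdr = bytes([b0, mbit | n])
    elif n < 65536:
        hdr = bytes([b0, mbit | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([b0, mbit | 127]) + struct.pack("!Q", n)
    if mask_key:
        return hdr + mask_key + apply_mask(payload, mask_key)
    return hdr + payload


def reassemble(buf: bytes):
    """Walk consecutive frames in one direction and return [(opcode, message)].

    Data frames with FIN=0 are buffered until the final continuation frame;
    control frames may appear between fragments and are returned where seen.
    """
    messages, cur_opcode, parts, off = [], None, [], 0
    while off < len(buf):
        f, off = parse_frame(buf, off)
        if f.opcode & 0x8:                   # control frame: never fragmented
            messages.append((f.opcode, f.payload))
            continue
        if f.opcode == 0x0:
            if cur_opcode is None:
                raise ValueError("continuation frame without a started message")
        else:
            if cur_opcode is not None:
                raise ValueError("new data frame inside a fragmented message")
            cur_opcode = f.opcode
        parts.append(f.payload)
        if f.fin:
            messages.append((cur_opcode, b"".join(parts)))
            cur_opcode, parts = None, []
    return messages


# Constructed sample input: the worked frames from RFC 6455 section 5.7.
MASKED_HELLO = bytes.fromhex("818537fa213d7f9f4d5158")        # client "Hello"
FRAGMENTED_WITH_PING = bytes.fromhex("010348656c" "8900" "80026c6f")
```

Running `reassemble(FRAGMENTED_WITH_PING)` yields the ping frame followed by the reassembled text message "Hello"; the same walk is what a Bro/Spicy analyzer performs per connection direction before it can log message-level events rather than raw frames.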