From 18b2d0733287e3dd805865322778e89c56467398 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 6 Dec 2023 22:07:02 +0100
Subject: [PATCH] Adds test for websocket

Ticket: 2695
---
 tests/websocket/README.md | 11 +++++++
 tests/websocket/basic_websockets.pcap | Bin 0 -> 2978 bytes
 tests/websocket/test.rules | 6 ++++
 tests/websocket/test.yaml | 43 ++++++++++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 tests/websocket/README.md
 create mode 100644 tests/websocket/basic_websockets.pcap
 create mode 100644 tests/websocket/test.rules
 create mode 100644 tests/websocket/test.yaml
diff --git a/tests/websocket/README.md b/tests/websocket/README.md
new file mode 100644
index 000000000..165425215
--- /dev/null
+++ b/tests/websocket/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test websocket protocol
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2695
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2695
diff --git a/tests/websocket/basic_websockets.pcap b/tests/websocket/basic_websockets.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0f98f99eefc50179bdce91ef33256865174ac3ca GIT binary patch literal 2978 zcmaLZTZ|J`7y#f|7J;pln}J|7%TXcOjlImR)5}`1-Ceq{+ipX3Pl#0y4!=tf@PMJ1xfR{{#+ixC7CLc%4)OQI&m%LB&sKhtjMPGC-Y($4hE z*Z=%;{?oa5`qK|rQLCxtwzNc1U2w4GOcR%Nk>HC4l^<`Ctw)iNkoDp=Gcx#B|;)tr*bV5=pnq;lny4^?Elm=g1F zW{|wuVX&sirOq!V;K%HN9Ik*Lmg`cflybTpH0qm@Dj9i3MUgmSXa_xj;Do>rpjmH-8%itfF=MGp?ocX+eF#_V6EPdE3>@^+ z4lhZxT$JE^GI>ZVr~EAM;=CRgM>`mf6Ig~}1;N1xUa!l`d3o1^J`Oam7w=u)I#a)Q zX2rD*#sR-4s*1laBPnpF`=2MrVrAuVIpgoE$Q9fV+>Dwe>m#XRmE^!54CLK|LvmDP zC+i|xs-;Wb>Ve^+v@bqUPZWZM#8jjlDU`|)Har`t2g~81pfny2%tfXW^>ATNF;R{b zg9SOXeKcY_+Vs zXk6AeN$<+-t@|j9JW1yLc!8qkU%mCkkze1r@MGif;@wlkT*$1a z!Z3vN&Ze8Y8&`DGX~^YC$mI!Q9{U{3t+i&c+wya1$(~VCS+kXXfA3{ih86KW%^9#AkcJfBlAO{I_)f$(4TB=C;q9_?!j&*LIo4e@FLs82qQ( z{-Y*7|1kJVi>C4atox4{e0T_I=KsupCcbMu_`h5=^?%d-Z3aKt_HUc`f))I2J*N5j zUH7*d{JFM&&ct_b0DpeFnZE#!kMJZ&8T_}~{zoRhXCwIkn&y82p59=?{@dV#+RFc1 xCcbwQ_&2YZ<$qzL?*C=*p<G=oyEWH{07ymHzH|hSL1|O=f any any (msg:"header frame"; flow:established,to_server; frame:websocket.header; content:"|81 88|"; sid:1;) +alert websocket any any -> any any (msg:"pdu frame"; flow:established,to_client; frame:websocket.pdu; content:"|81 15|version,hybi-draft-13"; sid:2;) +alert websocket any any -> any any (msg:"ws opcode"; flow:established,to_client; websocket.opcode:text; sid:3;) +alert websocket any any -> any any (msg:"ws mask"; flow:established,to_server; websocket.mask:>0; sid:4;) +alert websocket any any -> any any (msg:"ws fin"; flow:established,to_server; websocket.flags:fin; sid:5;) +alert websocket any any -> any any (msg:"ws pl"; flow:established,to_server; websocket.payload; content:"version,"; sid:6;) diff --git a/tests/websocket/test.yaml b/tests/websocket/test.yaml new file mode 100644 index 000000000..901e29f3e --- /dev/null +++ b/tests/websocket/test.yaml 
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: websocket
+ websocket.mask: 3803616749
+ websocket.opcode: text
+- filter:
+ count: 14
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
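Review bot: Every check here counts positive matches only, so the test never shows that a websocket keyword can fail to match. Sid 4 (`websocket.mask:>0`) and sid 5 (`websocket.flags:fin`) both expect 3 to_server alerts, which is presumably every client frame in the capture, so a keyword that always matched would likely give the same counts. Add one rule to test.rules that must stay silent on this pcap, for example an opcode value the capture does not carry, and assert `count: 0` for it as sketched below. A short comment above the `count: 14` check saying where that number comes from in basic_websockets.pcap would also help when parser changes shift the counts.

```yaml
# … unchanged: checks for sids 1–6 and the websocket event …
# sid 7 is a constructed placeholder for the new must-not-fire rule in test.rules
- filter:
    count: 0
    match:
      event_type: alert
      alert.signature_id: 7
```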