From: Philippe Antoine
Date: Wed, 6 Dec 2023 21:07:02 +0000 (+0100)
Subject: Adds test for websocket
X-Git-Tag: suricata-6.0.19~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1777%2Fhead;p=thirdparty%2Fsuricata-verify.git
Adds test for websocket
Ticket: 2695
---
diff --git a/tests/websocket/README.md b/tests/websocket/README.md
new file mode 100644
index 000000000..165425215
--- /dev/null
+++ b/tests/websocket/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test websocket protocol
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2695
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2695
diff --git a/tests/websocket/basic_websockets.pcap b/tests/websocket/basic_websockets.pcap
new file mode 100644
index 000000000..0f98f99ee
Binary files /dev/null and b/tests/websocket/basic_websockets.pcap differ
diff --git a/tests/websocket/test.rules b/tests/websocket/test.rules
new file mode 100644
index 000000000..5165ca648
--- /dev/null
+++ b/tests/websocket/test.rules
@@ -0,0 +1,6 @@
+alert websocket any any -> any any (msg:"header frame"; flow:established,to_server; frame:websocket.header; content:"|81 88|"; sid:1;)
+alert websocket any any -> any any (msg:"pdu frame"; flow:established,to_client; frame:websocket.pdu; content:"|81 15|version,hybi-draft-13"; sid:2;)
+alert websocket any any -> any any (msg:"ws opcode"; flow:established,to_client; websocket.opcode:text; sid:3;)
+alert websocket any any -> any any (msg:"ws mask"; flow:established,to_server; websocket.mask:>0; sid:4;)
+alert websocket any any -> any any (msg:"ws fin"; flow:established,to_server; websocket.flags:fin; sid:5;)
+alert websocket any any -> any any (msg:"ws pl"; flow:established,to_server; websocket.payload; content:"version,"; sid:6;)
diff --git a/tests/websocket/test.yaml b/tests/websocket/test.yaml
new file mode 100644
index 000000000..901e29f3e
--- /dev/null
+++ b/tests/websocket/test.yaml
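Review bot: The `websocket.mask:>0` condition on sid 4 appears to compare the 32-bit masking-key value rather than test whether the MASK bit is set, so a client frame carrying an all-zero masking key (legal under RFC 6455, which only requires the key to be unpredictable) would not match, even though the rule's msg "ws mask" reads as an is-masked check. The expected count of 3 alongside the 3 hits on sid 5 therefore holds only because every to_server key in this pcap happens to be non-zero, which is worth stating so a future pcap swap does not produce a confusing failure. I would add a comment above sid 4: `# websocket.mask compares the masking-key value, and a key of 0 is legal; the count in test.yaml relies on this pcap's keys being non-zero`. If websocket.flags offers a mask-bit flag it would be the more robust check, but I cannot confirm that from this diff.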
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: websocket
+ websocket.mask: 3803616749
+ websocket.opcode: text
+- filter:
+ count: 14
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
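Review bot: The checks pin per-signature alert counts and one specific websocket record (mask 3803616749, opcode text) but never the total number of `event_type: websocket` records, so a parser regression that silently stops logging frames no rule matches on (control frames, continuation frames, anything that is not text) would pass unnoticed. I would add one more filter pinning the full event count, `- filter:` / `count: <value from the current run>` / `match:` / `event_type: websocket`, with the value taken from the output this pcap produces today. The 14 hits on sid 3 and 3 on sid 5 only bound that total from below, so the exact number has to come from a run rather than from this diff.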