From 33b0d6944310c77d3376a1682be73df9df3242eb Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Wed, 6 Dec 2023 22:07:02 +0100
Subject: [PATCH] Adds test for websocket

Ticket: 2695
---
 tests/websocket/README.md             |  11 +++++++
 tests/websocket/basic_websockets.pcap | Bin 0 -> 2978 bytes
 tests/websocket/test.rules            |   6 ++++
 tests/websocket/test.yaml             |  43 ++++++++++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 tests/websocket/README.md
 create mode 100644 tests/websocket/basic_websockets.pcap
 create mode 100644 tests/websocket/test.rules
 create mode 100644 tests/websocket/test.yaml

diff --git a/tests/websocket/README.md b/tests/websocket/README.md
new file mode 100644
index 000000000..165425215
--- /dev/null
+++ b/tests/websocket/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test websocket protocol
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2695
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2695
diff --git a/tests/websocket/basic_websockets.pcap b/tests/websocket/basic_websockets.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0f98f99eefc50179bdce91ef33256865174ac3ca
GIT binary patch
literal 2978
zc-no{TWs586aZj%9org~?t(TAfjTobsTH~S7UxpJNZK^*+N9Bv-u4nD_MgOwV`sLP
zwh<RqNC-59#AOJ0$i!Z@m%+pU@j7j=F<uZG+q!AeE}9rffP}a_3{j4qCbU*&w^foq
z$DhwR{*Qb4?57{C!Pa8UV`&M)I^cEPxfl`yk6<jkXR+1C1}uVMz4h-g?D=)O#%vdQ
z4o`pW{ov{uEYXZetXaZ#_B52k*2*PA8Px?{!V=&#j*i4uQ0xumO>5<{q3ko|(qSl@
zLFsNNS3tSii5Y)prSqHm54zHGqOG!H3H$ba42womxLZX^Rp1aloJu9!q>HrMhGkU?
z;Ik;J%3KL)s)kg}#mQy6Z9tYJ#A$*o1@MVVUdiytZc8Ycd^r=qCE3YkxB{#U=r2wP
z))ZM>`NafW%o)lf3H+E`6GSoN_P7YVcS?|Wc~-^aDV!u+L_ZD-EYpwAu}mKxs#HWY
zg|ef9=JwED7tP|mqr<7#m;)Du62ha1E6IKMKtYkq$nEpF2p2<BjEnRTcrugAC_?kJ
z2%m3!?<G7g)&~hSida#t-8QZWc>xM6Xj(-LxZUj<kwlymGD;fj&Pk-GMo&oEZVPc7
zs%XxL#L2uM<pX%WCR7|ak8)y0Lk>Kvv|`3GQvOgT50^)hb0X<LQvbmq;qvQ^mP-Px
zr_+bDawbSI9@_8o(1eSmX_g{Mie+6S>-T&7w4d=j>}`MJeD44Amse^l#T6&Oj~=fo
z!Cqca;7<3wpnvA1)t}3Juvd~L)Cb(Gn%3KrR*|arAQ%o6yaR)Bf}<vD93@t>qQ7z=
zQWEy1CTcUqaB*fTUXB;Va-53I#cSbmY%na0r$Y1bshL`=I8>S`$4lX&9Nj-L!wy8_
zl>^aIBvthdgo^U$%=CfzY0Bdb7uAtua%3zSom8_?UjaTxCqsMaLHKn#eNYj@5+uqY
z8s(r+50ODxCdV-}Lu4qPVthHm$8gKN(1OiAWmj|scF)SznD6)~nh)T7EKyLZ`}yHg
zGBiI;PabrS=O*&OpgA})ry)sijvBx#NGU_7;HEp5cSJwVi2_VSx}2Fy&l+=(&I+1p
zx7ls_m~YK@VfSHb@3(tcT(4iz$NZ`HOphEG^Uh=Xn7@1+!<v%~qebG$SwZ6purcw3
zB5N`yi*Thu$RmIcDS`uH@VH#XDT1PL!V~bY0a%H~QmcpmP;>ZO1Jo+lTzzA&2k?DS
zZ@3_ahq8<(Q5>l9Y@RBTnvYc{<e*;bf{klj0PzmJ?$7RaVS`Z0V7t26`c>m0>0kYL
z>pTVlr}es@EMnNgYj?gl^2@uIeykr}d~ilLkMbL_7=*;ynS1Nk4AX7u<!NwF>E`jz
z!Q57D47;N+pB0?ElF4aKlGgF)E0*}8fxAozpMrpkI?luWU3jbO#>|xXCF$Gq$+Np(
ze85n(6Fx%J@gw)Tu@Q(JX@~dMuNydN%KRc+;Jl9acmdynxPt7^hZSGmf;!y0b`utc
z*l;_TsoyYQuPN*E5O7n6pVQm?>YB&S2CB7>)0MsJL0r7C-uPFOXeWm2w+wN&Db<^x
zUed*{ba96!l#xT<gKm;^!v<X5iR1?Gzx!~5m4DmtpEmh_xBPJnpXvhtja!!a-!c4M
ztNo5GEuXRQX&d;j@3GAPp5gB_`Omcc$1Qy3QSg@*E%X1$@SiaGk*0s{Ukl%}5&WO8
zTl&8m{&tg}ZuxgDeAW*B_Abl*{AT#uO#Xb!zhL2eyTM=BVdWoPYxtPSf2ZZ2wD5hK
z!2idx|3|xx2lihk|76R5+rsy62LJXoOMjE$|7r5iH~q5<5BDiz3-~YnZs~6}{69?o
L?UtXj@X7xGdr<!g

literal 0
Hc-jL100001

diff --git a/tests/websocket/test.rules b/tests/websocket/test.rules
new file mode 100644
index 000000000..5165ca648
--- /dev/null
+++ b/tests/websocket/test.rules
@@ -0,0 +1,6 @@
+alert websocket any any -> any any (msg:"header frame"; flow:established,to_server; frame:websocket.header; content:"|81 88|"; sid:1;)
+alert websocket any any -> any any (msg:"pdu frame"; flow:established,to_client; frame:websocket.pdu; content:"|81 15|version,hybi-draft-13"; sid:2;)
+alert websocket any any -> any any (msg:"ws opcode"; flow:established,to_client; websocket.opcode:text; sid:3;)
+alert websocket any any -> any any (msg:"ws mask"; flow:established,to_server; websocket.mask:>0; sid:4;)
+alert websocket any any -> any any (msg:"ws fin"; flow:established,to_server; websocket.flags:fin; sid:5;)
+alert websocket any any -> any any (msg:"ws pl"; flow:established,to_server; websocket.payload; content:"version,"; sid:6;)
diff --git a/tests/websocket/test.yaml b/tests/websocket/test.yaml
new file mode 100644
index 000000000..901e29f3e
--- /dev/null
+++ b/tests/websocket/test.yaml
@@ -0,0 +1,43 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: websocket
+      websocket.mask: 3803616749
+      websocket.opcode: text
+- filter:
+    count: 14
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
-- 
2.47.2