From a6c1d12206d121891567c9f90f2b53b844279cec Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 18 Jan 2024 21:09:11 +0100 Subject: [PATCH] btest/websocket: Test for coalesced reply-ping Add a constructed PCAP where the HTTP/websocket server send a WebSocket ping message directly with the packet of the HTTP reply. Ensure this is interpreted the same as if the WebSocket message is in a separate packet following the HTTP reply. For the server side this should work, for the client side we'd need to synchronize suspend parsing the client side as we currently cannot quite know whether it's a pipelined HTTP request following, or upgraded protocol data and we don't have "suspend parsing" functionality here. --- .../out-coalesced | 16 +++++++++ .../out-separate | 16 +++++++++ .../weird.log | 11 ++++++ .../websocket/reply-ping-coalesced.pcap | Bin 0 -> 1860 bytes .../Traces/websocket/reply-ping-separate.pcap | Bin 0 -> 2024 bytes .../websocket/coalesced-reply-ping.zeek | 33 ++++++++++++++++++ 6 files changed, 76 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced create mode 100644 testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate create mode 100644 testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/weird.log create mode 100644 testing/btest/Traces/websocket/reply-ping-coalesced.pcap create mode 100644 testing/btest/Traces/websocket/reply-ping-separate.pcap create mode 100644 testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced new file mode 100644 index 0000000000..024146cbf5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced 
@@ -0,0 +1,16 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +websocket_handshake, CHhAvVGS1DHFjwGM9, 7 +websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4 +websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek +websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4 +websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek +websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, text, payload_len, 11 +websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek! +websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, text, payload_len, 12 +websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 12, data, Hello there! +websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2 +websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, +websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8 +websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2 +websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason, +websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8 diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate new file mode 100644 index 0000000000..024146cbf5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate 
@@ -0,0 +1,16 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +websocket_handshake, CHhAvVGS1DHFjwGM9, 7 +websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4 +websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek +websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4 +websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 4, data, Zeek +websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, text, payload_len, 11 +websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 11, data, Hello Zeek! +websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, text, payload_len, 12 +websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 12, data, Hello there! +websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, close, payload_len, 2 +websocket_close, CHhAvVGS1DHFjwGM9, T, status, 1000, reason, +websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 2, data, \x03\xe8 +websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_len, 2 +websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason, +websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8 diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/weird.log b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/weird.log new file mode 100644 index 0000000000..16031b4969 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/weird.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 45838 127.0.0.1 8080 protocol_data_with_HTTP_upgrade_reply 6 F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/websocket/reply-ping-coalesced.pcap b/testing/btest/Traces/websocket/reply-ping-coalesced.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9fbb2ac70a8df63273ac8947da86b5f10d6f7aec GIT binary patch literal 1860 zcmaKtO-vhC5Xavd>QJ}Nms*JnVH-8MAY&UsiyWs4R0dN5nAi@1C?fXquvcF1y56k~ zrvmDMwrOLc9-_ulh?GNosZ?-~66KI6AD5gW5k-!AtD<};haLh_L4?jcywvL$k2TVI z_wDcf=RdQ%%l8(pnn*3tV{?-b4*pmV=V-?zGx-LNF-xP4cnEP9`j3<2W+C=H+<>{b zyD_t|(B;LI^QN_ba{m%ys{J5eYpSyxc|3d_&vP|3yO7*hl}red-M4gdV`g#p3+d<$ zp!dx0e>eL!ZzLmKC!YdxC+vh-8cg$%!T{5p)X7E7JwRWY+RLr-pMXYgOD|GUtNnK~ z83#)+O9P4A>4Fc5;l7H*dTuq=woS|-vD*{i?YuV-@Y$WsPOHVMsG5tH6d@!<@vz;| z?yy>diAXXuMqPZGhE+v~QO#=kT9IWcXrdy!_~Lb|#ZLv>5Doj;8e1=&bn(3-?f&uJ zrWUb(Ky32&iz8n~g~7zjI2#Vz5Q&4D7rAb>y1nzV3zDX^r$oAG|r{n($ zRlBpL8ES_gxZVb?@7%}id31fgO?SOGAxj$z-ErvS`hiyl*KCKA*J}ndgpz)Jx7AOprFdXytO`Bc?z1f< z2s8m6bp%pvsZ_9QLiPHFJiP;7gj173Yh0KNc0enQ_aqEXTP;7+)fe9y+O3MUznRwUMQE1|!Q#Gig>;{H1L z?byv8WH;Y86F)#POM|t@Q}8qP*)n#TsRefY_BJ~Yk6Lc}=WBny{pii|rO2bXKjgd5 zp5PXJu*J@XWPimi=3DhGw&uz`40AQh=889NfyDDb^nqH;(qN)Hvlkfg^NK{6E7u+) zar$E~l_Z7NqBKcAL;jryRo}vaiiXdEDUm5KWoDOwpP!xiaAWhFjF)G7|oF{-1C8e`Ob+Bk&47a533OiLFRy@ u6N^Kf0SBb1ecVdJ=KI8!s>JL?rqQkwi&G$h#yOmV2KcfSzY;iT`TqdzgX{wU literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/websocket/reply-ping-separate.pcap b/testing/btest/Traces/websocket/reply-ping-separate.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5fa723bc2cd1ef48d4498f8165f991cee1454d43 GIT binary patch literal 2024 zcmaKtPfQbO7{d8n~$tQrk9ah5D7Smjz@`RmYHVee$o?ndfPY`=WA;VxZD+PyVWO3vWJU{d^p~Nhc%To zm3C_=8BK+|sE5nYh$Qm+scg6I5Cwtqa!eFFT>iY>8l=3lokoJ}8fO#j_i&NWz}|+W z-^=f+>ibG^HE(Hcs!q4m)fq4To~9%Qb5|Kpd9yMV@TBD7k~Ec|k`#_oXBX{`hh_Q= z$H!w-kUJCMY-c7WbcvbHNKBTDlt4<9MP7`1xIP#(B+-G@=#bI%HGb9g{0^BNA5;90} z5ETEt=+!e|;Pj<2{kUl0ED(L*9JaQYfgVR6i=Vi1HA;t>(z|*t5?|f1k!FyHtu3bXTjePuzAZ>BGfltWswbX2Hc)!b&L#fo zM)ulYYy@@}>rdET+m436TN!&kstRAZEIfkA;_&Cp_?|o`4X2Xhb5Md z&XHk8H>peHjUEQ0W4QM(oz*Xa#N9v)fLd&AF+;XHvW!?;kOS_pD||E_ z7dg3yrlQamqccnnM#K~uU;>G)GaKP>FZLQ$gff;nLLRw}*V!06yA dc-#(sN?iGCQH=+f#+?R@qo6Uxc0oo@{12S!LTms4 literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek b/testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek new file mode 100644 index 0000000000..f425013c6b --- /dev/null +++ b/testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek 
@@ -0,0 +1,33 @@
+# @TEST-DOC: The reply-ping-coalesced pcap contains a WebSocket ping message right after the HTTP reply, in the same packet.
+
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/reply-ping-separate.pcap %INPUT >>out-separate
+# @TEST-EXEC: test ! -f weird.log
+#
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/reply-ping-coalesced.pcap %INPUT >>out-coalesced
+# @TEST-EXEC: btest-diff out-separate
+# @TEST-EXEC: btest-diff out-coalesced
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: diff out-separate out-coalesced
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/protocols/websocket
+
+event websocket_handshake(c: connection, aid: count)
+ {
+ print "websocket_handshake", c$uid, aid;
+ }
+
+event websocket_frame(c: connection, is_orig: bool, fin: bool, rsv: count, opcode: count, payload_len: count)
+ {
+ print "websocket_frame", c$uid, is_orig, "fin", fin, "rsv", rsv, "opcode", WebSocket::opcodes[opcode], "payload_len", payload_len;
+ }
+
+event websocket_frame_data(c: connection, is_orig: bool, data: string)
+ {
+ print "websocket_frame_data", c$uid, is_orig, "len", |data|, "data", data[:120];
+ }
+
+event websocket_close(c: connection, is_orig: bool, status: count, reason: string)
+ {
+ print "websocket_close", c$uid, is_orig, "status", status, "reason", reason;
+ }
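Review bot: The `@TEST-EXEC` lines assert two different weird.log outcomes (absent after the separate trace, baselined after the coalesced one) without saying why, and `@TEST-DOC` only describes the pcap. A comment before the second run would make the intent reviewable, for example `# The coalesced trace must raise protocol_data_with_HTTP_upgrade_reply and still produce the same WebSocket events.` The commit message says the client side is not handled yet; since that is a parsing blind spot for anyone relying on these events for detection, I would record it in the test as well: `# Only the reply direction is covered; early WebSocket data on the client side is a known gap.` Separately, `test ! -f analyzer.log` is only meaningful if analyzer logging is loaded under `-b` with just `base/protocols/websocket`, which is not visible in this hunk and is worth confirming.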