Suricata

1. Summary

The WebSocket parser accepts any combination of MASK flag and direction. RFC 6455 section 5.1 requires client-to-server frames to be masked and server-to-client frames to not be masked.

1. Affected Code

Files: `rust/src/websocket/parser.rs:48-97`, `rust/src/websocket/websocket.rs`

1. Impact

This enables two evasion vectors:

1. A server injects masked frames with payload that a real browser would discard; Suricata de-XORs and feeds content to the detector that the client never processes.
2. A client sends unmasked frames; Suricata accepts what the real server would close with 1002 Protocol Error.

1. Suggested Fix

Track connection direction and validate the mask flag accordingly.

1. Environment

Suricata main branch @ commit 367ca7f (post v8.0.1, May 15, 2026).

1. Credit

Reported by Chris Ramos.