suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
84 
85 /* counter names. Only used at init. */
87 /* counter id's. Used that runtime. */
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
134  } else {
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
140  } else {
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
147  } else {
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
159  TcpSession *ssn = f->protoctx;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
219  size_ts > 100000 && size_tc == 0)
220  {
223  goto failure;
224 
226  size_tc > 100000 && size_ts == 0)
227  {
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
238  {
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
249  {
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
260  {
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
327  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
328  f, data, data_len,
329  IPPROTO_TCP, flags);
330  PACKET_PROFILING_APP_PD_END(app_tctx);
331 
332  if (*alproto != ALPROTO_UNKNOWN) {
333  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
336 
338  /* if we already invoked the parser, we go with that proto */
339  f->alproto = *alproto_otherdir;
340  } else {
341  /* no data sent to parser yet, we can still choose
342  * we're trusting the server more. */
343  if (flags & STREAM_TOCLIENT)
344  f->alproto = *alproto;
345  else
346  f->alproto = *alproto_otherdir;
347  }
348  } else {
349  f->alproto = *alproto;
350  }
351 
355  FlagPacketFlow(p, f, flags);
356 
357  /* account flow if we have both sides */
358  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
359  AppLayerIncFlowCounter(tv, f);
360  }
361 
362  /* if we have seen data from the other direction first, send
363  * data for that direction first to the parser. This shouldn't
364  * be an issue, since each stream processing happens
365  * independently of the other stream direction. At this point of
366  * call, you need to know that this function's already being
367  * called by the very same StreamReassembly() function that we
368  * will now call shortly for the opposing direction. */
369  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
370  !(flags & ssn->data_first_seen_dir))
371  {
372  SCLogDebug("protocol %s needs first data in other direction",
373  AppProtoToString(*alproto));
374 
375  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
376  p, ssn, stream) != 0)
377  {
378  DisableAppLayer(tv, f, p);
379  goto failure;
380  }
381  }
382 
383  /* if the parser operates such that it needs to see data from
384  * a particular direction first, we check if we have seen
385  * data from that direction first for the flow. IF it is not
386  * the same, we set an event and exit.
387  *
388  * \todo We need to figure out a more robust solution for this,
389  * as this can lead to easy evasion tactics, where the
390  * attackeer can first send some dummy data in the wrong
391  * direction first to mislead our proto detection process.
392  * While doing this we need to update the parsers as well,
393  * since the parsers must be robust to see such wrong
394  * direction data.
395  * Either ways the moment we see the
396  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
397  * flow, it shows something's fishy.
398  */
400  uint8_t first_data_dir;
401  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
402 
403  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
406  DisableAppLayer(tv, f, p);
407  goto failure;
408  }
409  /* This can happen if the current direction is not the
410  * right direction, and the data from the other(also
411  * the right direction) direction is available to be sent
412  * to the app layer, but it is not ack'ed yet and hence
413  * the forced call to STreamTcpAppLayerReassemble still
414  * hasn't managed to send data from the other direction
415  * to the app layer. */
416  if (first_data_dir && !(first_data_dir & flags)) {
419  FLOW_RESET_PP_DONE(f, flags);
420  FLOW_RESET_PM_DONE(f, flags);
421  FLOW_RESET_PE_DONE(f, flags);
422  goto failure;
423  }
424  }
425 
426  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
428 
429  /* finally, invoke the parser */
430  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
431  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
432  flags, data, data_len);
433  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
434  if (r < 0)
435  goto failure;
436 
437  } else {
438  /* if the ssn is midstream, we may end up with a case where the
439  * start of an HTTP request is missing. We won't detect HTTP based
440  * on the request. However, the reply is fine, so we detect
441  * HTTP anyway. This leads to passing the incomplete request to
442  * the htp parser.
443  *
444  * This has been observed, where the http parser then saw many
445  * bogus requests in the incomplete data.
446  *
447  * To counter this case, a midstream session MUST find it's
448  * protocol in the toserver direction. If not, we assume the
449  * start of the request/toserver is incomplete and no reliable
450  * detection and parsing is possible. So we give up.
451  */
452  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
454  {
455  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
456  SCLogDebug("midstream end pd %p", ssn);
457  /* midstream and toserver detection failed: give up */
458  DisableAppLayer(tv, f, p);
459  goto end;
460  }
461  }
462 
463  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
464  uint8_t first_data_dir;
465  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
466 
467  /* this would handle this test case -
468  * http parser which says it wants to see toserver data first only.
469  * tcp handshake
470  * toclient data first received. - RUBBISH DATA which
471  * we don't detect as http
472  * toserver data next sent - we detect this as http.
473  * at this stage we see that toclient is the first data seen
474  * for this session and we try and redetect the app protocol,
475  * but we are unable to detect the app protocol like before.
476  * But since we have managed to detect the protocol for the
477  * other direction as http, we try to use that. At this
478  * stage we check if the direction of this stream matches
479  * to that acceptable by the app parser. If it is not the
480  * acceptable direction we error out.
481  */
483  (first_data_dir) && !(first_data_dir & flags))
484  {
485  DisableAppLayer(tv, f, p);
486  goto failure;
487  }
488 
489  /* if protocol detection is marked done for our direction we
490  * pass our data on. We're only succeeded in finding one
491  * direction: the opposing stream
492  *
493  * If PD was not yet complete, we don't do anything.
494  */
495  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
496  if (data_len > 0)
498 
499  if (*alproto_otherdir != ALPROTO_FAILED) {
500  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
501  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
502  f->alproto, flags,
503  data, data_len);
504  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
505 
510 
511  *alproto = *alproto_otherdir;
512  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
513  p->pcap_cnt, *alproto, *alproto_otherdir, r);
514  if (r < 0)
515  goto failure;
516  }
517  *alproto = ALPROTO_FAILED;
519  AppLayerIncFlowCounter(tv, f);
520  FlagPacketFlow(p, f, flags);
521 
522  }
523  } else {
524  /* both sides unknown, let's see if we need to give up */
525  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
526  }
527  }
528 end:
529  return 0;
530 
531 failure:
532  return -1;
533 }
534 
535 /** \brief handle TCP data for the app-layer.
536  *
537  * First run protocol detection and then when the protocol is known invoke
538  * the app layer parser.
539  */
541  Packet *p, Flow *f,
542  TcpSession *ssn, TcpStream *stream,
543  uint8_t *data, uint32_t data_len,
544  uint8_t flags)
545 {
546  SCEnter();
547 
549 
550  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
552  int r = 0;
553 
554  SCLogDebug("data_len %u flags %02X", data_len, flags);
556  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
557  goto end;
558  }
559 
560  if (flags & STREAM_TOSERVER) {
561  alproto = f->alproto_ts;
562  } else {
563  alproto = f->alproto_tc;
564  }
565 
566  /* If a gap notification, relay the notification on to the
567  * app-layer if known. */
568  if (flags & STREAM_GAP) {
569  if (alproto == ALPROTO_UNKNOWN) {
571  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
572  /* if the other side didn't already find the proto, we're done */
573  if (f->alproto == ALPROTO_UNKNOWN)
574  goto end;
575 
576  }
577  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
578  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
579  flags, data, data_len);
580  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
581  goto end;
582  }
583 
584  /* if we don't know the proto yet and we have received a stream
585  * initializer message, we run proto detection.
586  * We receive 2 stream init msgs (one for each direction) but we
587  * only run the proto detection once. */
588  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
589  /* run protocol detection */
590  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
591  data, data_len, flags) != 0) {
592  goto failure;
593  }
594  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
595  f->alproto_orig = f->alproto;
596  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
598  /* rerun protocol detection */
599  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
600  data, data_len, flags) != 0) {
601  SCLogDebug("proto detect failure");
602  goto failure;
603  }
604  SCLogDebug("protocol change, old %s, new %s",
606 
607  if (f->alproto_expect != ALPROTO_UNKNOWN &&
608  f->alproto != f->alproto_expect)
609  {
612 
613  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
616 
617  }
618  }
619  } else {
620  SCLogDebug("stream data (len %" PRIu32 " alproto "
621  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
622 #ifdef PRINT
623  if (data_len > 0) {
624  printf("=> Stream Data (app layer) -- start %s%s\n",
625  flags & STREAM_TOCLIENT ? "toclient" : "",
626  flags & STREAM_TOSERVER ? "toserver" : "");
627  PrintRawDataFp(stdout, data, data_len);
628  printf("=> Stream Data -- end\n");
629  }
630 #endif
631  /* if we don't have a data object here we are not getting it
632  * a start msg should have gotten us one */
633  if (f->alproto != ALPROTO_UNKNOWN) {
634  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
635  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
636  flags, data, data_len);
637  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
638  }
639  }
640 
641  goto end;
642  failure:
643  r = -1;
644  end:
645  SCReturnInt(r);
646 }
647 
648 /**
649  * \brief Handle a app layer UDP message
650  *
651  * If the protocol is yet unknown, the proto detection code is run first.
652  *
653  * \param dp_ctx Thread app layer detect context
654  * \param f *locked* flow
655  * \param p UDP packet
656  *
657  * \retval 0 ok
658  * \retval -1 error
659  */
661 {
662  SCEnter();
663 
664  int r = 0;
665 
666  uint8_t flags = 0;
667  if (p->flowflags & FLOW_PKT_TOSERVER) {
668  flags |= STREAM_TOSERVER;
669  } else {
670  flags |= STREAM_TOCLIENT;
671  }
672 
673  if (f->alproto == ALPROTO_FAILED) {
674  SCReturnInt(0);
675 
676  /* if the protocol is still unknown, run detection */
677  } else if (f->alproto == ALPROTO_UNKNOWN) {
678  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
679  p->payload_len);
680 
683  f,
684  p->payload, p->payload_len,
685  IPPROTO_UDP, flags);
687 
688  if (f->alproto != ALPROTO_UNKNOWN) {
689  AppLayerIncFlowCounter(tv, f);
690 
692  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
693  flags, p->payload, p->payload_len);
696  } else {
697  f->alproto = ALPROTO_FAILED;
698  AppLayerIncFlowCounter(tv, f);
699  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
700  }
701  /* we do only inspection in one direction, so flag both
702  * sides as done here */
703  FlagPacketFlow(p, f, STREAM_TOSERVER);
704  FlagPacketFlow(p, f, STREAM_TOCLIENT);
705  } else {
706  SCLogDebug("data (len %" PRIu32 " ), alproto "
707  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
708 
709  /* run the parser */
711  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
712  flags, p->payload, p->payload_len);
715  }
716 
717  SCReturnInt(r);
718 }
719 
720 /***** Utility *****/
721 
722 AppProto AppLayerGetProtoByName(char *alproto_name)
723 {
724  SCEnter();
726  SCReturnCT(r, "AppProto");
727 }
728 
730 {
731  SCEnter();
732  const char * r = AppLayerProtoDetectGetProtoName(alproto);
733  SCReturnCT(r, "char *");
734 }
735 
737 {
738  SCEnter();
739 
741  AppProto alprotos[ALPROTO_MAX];
742 
744 
745  printf("=========Supported App Layer Protocols=========\n");
746  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
747  if (alprotos[alproto] == 1)
748  printf("%s\n", AppLayerGetProtoName(alproto));
749  }
750 
751  SCReturn;
752 }
753 
754 /***** Setup/General Registration *****/
755 
756 int AppLayerSetup(void)
757 {
758  SCEnter();
759 
762 
765 
767 
768  SCReturnInt(0);
769 }
770 
772 {
773  SCEnter();
774 
777 
779 
780  SCReturnInt(0);
781 }
782 
784 {
785  SCEnter();
786 
787  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
788  if (app_tctx == NULL)
789  goto error;
790  memset(app_tctx, 0, sizeof(*app_tctx));
791 
792  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
793  goto error;
794  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
795  goto error;
796 
797  goto done;
798  error:
799  AppLayerDestroyCtxThread(app_tctx);
800  app_tctx = NULL;
801  done:
802  SCReturnPtr(app_tctx, "void *");
803 }
804 
806 {
807  SCEnter();
808 
809  if (app_tctx == NULL)
810  SCReturn;
811 
812  if (app_tctx->alpd_tctx != NULL)
814  if (app_tctx->alp_tctx != NULL)
816  SCFree(app_tctx);
817 
818  SCReturn;
819 }
820 
822 {
823  PACKET_PROFILING_APP_RESET(app_tctx);
824 }
825 
827 {
828  PACKET_PROFILING_APP_STORE(app_tctx, p);
829 }
830 
831 /** \brief HACK to work around our broken unix manager (re)init loop
832  */
834 {
842  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
843 }
844 
845 #define IPPROTOS_MAX 2
847 {
848  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
849  uint8_t ipproto;
851  AppProto alprotos[ALPROTO_MAX];
852  const char *str = "app_layer.flow.";
853 
855 
856  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
857  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
858  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
859  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
860 
861  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
862  if (alprotos[alproto] == 1) {
863  const char *tx_str = "app_layer.tx.";
864  const char *alproto_str = AppLayerGetProtoName(alproto);
865 
866  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
867  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
868  {
869  snprintf(applayer_counter_names[ipproto_map][alproto].name,
870  sizeof(applayer_counter_names[ipproto_map][alproto].name),
871  "%s%s%s", str, alproto_str, ipproto_suffix);
872  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
873  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
874  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
875  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
876  }
877  } else {
878  snprintf(applayer_counter_names[ipproto_map][alproto].name,
879  sizeof(applayer_counter_names[ipproto_map][alproto].name),
880  "%s%s", str, alproto_str);
881  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
882  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
883  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
884  "%s%s", tx_str, alproto_str);
885  }
886  }
887  } else if (alproto == ALPROTO_FAILED) {
888  snprintf(applayer_counter_names[ipproto_map][alproto].name,
889  sizeof(applayer_counter_names[ipproto_map][alproto].name),
890  "%s%s%s", str, "failed", ipproto_suffix);
891  }
892  }
893  }
894 }
895 
897 {
898  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
899  uint8_t ipproto;
901  AppProto alprotos[ALPROTO_MAX];
902 
904 
905  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
906  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
907 
908  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
909  if (alprotos[alproto] == 1) {
910  applayer_counters[ipproto_map][alproto].counter_id =
911  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
912 
913  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
914  applayer_counters[ipproto_map][alproto].counter_tx_id =
915  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
916  }
917  } else if (alproto == ALPROTO_FAILED) {
918  applayer_counters[ipproto_map][alproto].counter_id =
919  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
920  }
921  }
922  }
923 }
924 
926 {
927  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
928  memset(applayer_counters, 0, sizeof(applayer_counters));
929 }
930 
931 /***** Unittests *****/
932 
933 #ifdef UNITTESTS
934 #include "pkt-var.h"
935 #include "stream-tcp.h"
936 #include "stream-tcp-util.h"
937 #include "stream.h"
938 #include "util-unittest.h"
939 
940 #define TEST_START \
941  Packet *p = SCMalloc(SIZE_OF_PACKET);\
942  FAIL_IF_NULL(p);\
943  Flow f;\
944  ThreadVars tv;\
945  StreamTcpThread *stt = NULL;\
946  TCPHdr tcph;\
947  PacketQueue pq;\
948  memset(&pq,0,sizeof(PacketQueue));\
949  memset(p, 0, SIZE_OF_PACKET);\
950  memset (&f, 0, sizeof(Flow));\
951  memset(&tv, 0, sizeof (ThreadVars));\
952  memset(&tcph, 0, sizeof (TCPHdr));\
953 \
954  FLOW_INITIALIZE(&f);\
955  f.flags = FLOW_IPV4;\
956  f.proto = IPPROTO_TCP;\
957  p->flow = &f;\
958  p->tcph = &tcph;\
959 \
960  StreamTcpInitConfig(TRUE);\
961  IPPairInitConfig(TRUE); \
962  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
963 \
964  /* handshake */\
965  tcph.th_win = htons(5480);\
966  tcph.th_flags = TH_SYN;\
967  p->flowflags = FLOW_PKT_TOSERVER;\
968  p->payload_len = 0;\
969  p->payload = NULL;\
970  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
971  TcpSession *ssn = (TcpSession *)f.protoctx;\
972 \
973  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
974  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
975  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
976  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
977  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
978  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
979  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
980  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
981  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
982  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
983  FAIL_IF(ssn->data_first_seen_dir != 0);\
984 \
985  /* handshake */\
986  p->tcph->th_ack = htonl(1);\
987  p->tcph->th_flags = TH_SYN | TH_ACK;\
988  p->flowflags = FLOW_PKT_TOCLIENT;\
989  p->payload_len = 0;\
990  p->payload = NULL;\
991  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
992  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
993  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
994  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
995  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
996  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
997  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
998  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
999  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1000  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1001  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1002  FAIL_IF(ssn->data_first_seen_dir != 0);\
1003 \
1004  /* handshake */\
1005  p->tcph->th_ack = htonl(1);\
1006  p->tcph->th_seq = htonl(1);\
1007  p->tcph->th_flags = TH_ACK;\
1008  p->flowflags = FLOW_PKT_TOSERVER;\
1009  p->payload_len = 0;\
1010  p->payload = NULL;\
1011  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1012  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1013  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1014  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1015  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1016  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1017  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1018  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1019  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1020  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1021  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1022  FAIL_IF(ssn->data_first_seen_dir != 0);
1023 #define TEST_END \
1024  StreamTcpSessionClear(p->flow->protoctx);\
1025  StreamTcpThreadDeinit(&tv, (void *)stt); \
1026  StreamTcpFreeConfig(TRUE);\
1027  PACKET_DESTRUCTOR(p);\
1028  SCFree(p);\
1029  FLOW_DESTROY(&f); \
1030  StatsThreadCleanup(&tv);
1031 
1032 /**
1033  * \test GET -> HTTP/1.1
1034  */
1035 static int AppLayerTest01(void)
1036 {
1037  TEST_START;
1038 
1039  /* full request */
1040  uint8_t request[] = {
1041  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1042  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1043  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1044  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1045  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1046  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1047  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1048  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1049  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1050  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1051  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1052  p->tcph->th_ack = htonl(1);
1053  p->tcph->th_seq = htonl(1);
1054  p->tcph->th_flags = TH_PUSH | TH_ACK;
1056  p->payload_len = sizeof(request);
1057  p->payload = request;
1058  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1070 
1071  /* full response - request ack */
1072  uint8_t response[] = {
1073  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1074  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1075  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1076  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1077  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1078  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1079  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1080  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1081  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1082  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1083  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1084  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1085  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1086  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1087  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1088  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1089  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1090  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1091  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1092  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1093  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1094  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1095  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1096  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1097  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1098  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1099  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1100  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1101  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1102  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1103  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1104  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1105  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1106  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1107  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1108  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1109  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1110  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1111  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1112  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1113  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1114  p->tcph->th_ack = htonl(88);
1115  p->tcph->th_seq = htonl(1);
1116  p->tcph->th_flags = TH_PUSH | TH_ACK;
1118  p->payload_len = sizeof(response);
1119  p->payload = response;
1120  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1132 
1133  /* response ack */
1134  p->tcph->th_ack = htonl(328);
1135  p->tcph->th_seq = htonl(88);
1136  p->tcph->th_flags = TH_ACK;
1138  p->payload_len = 0;
1139  p->payload = NULL;
1140  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1152 
1153  TEST_END;
1154  PASS;
1155 }
1156 
1157 /**
1158  * \test GE -> T -> HTTP/1.1
1159  */
1160 static int AppLayerTest02(void)
1161 {
1162  TEST_START;
1163 
1164  /* partial request */
1165  uint8_t request1[] = { 0x47, 0x45, };
1166  p->tcph->th_ack = htonl(1);
1167  p->tcph->th_seq = htonl(1);
1168  p->tcph->th_flags = TH_PUSH | TH_ACK;
1170  p->payload_len = sizeof(request1);
1171  p->payload = request1;
1172  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1184 
1185  /* response ack against partial request */
1186  p->tcph->th_ack = htonl(3);
1187  p->tcph->th_seq = htonl(1);
1188  p->tcph->th_flags = TH_ACK;
1190  p->payload_len = 0;
1191  p->payload = NULL;
1192  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1204 
1205  /* complete partial request */
1206  uint8_t request2[] = {
1207  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1208  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1209  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1210  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1211  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1212  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1213  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1214  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1215  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1216  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1217  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1218  p->tcph->th_ack = htonl(1);
1219  p->tcph->th_seq = htonl(3);
1220  p->tcph->th_flags = TH_PUSH | TH_ACK;
1222  p->payload_len = sizeof(request2);
1223  p->payload = request2;
1224  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1236 
1237  /* response - request ack */
1238  uint8_t response[] = {
1239  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1240  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1241  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1242  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1243  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1244  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1245  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1246  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1247  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1248  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1249  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1250  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1251  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1252  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1253  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1254  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1255  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1256  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1257  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1258  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1259  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1260  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1261  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1262  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1263  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1264  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1265  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1266  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1267  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1268  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1269  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1270  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1271  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1272  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1273  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1274  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1275  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1276  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1277  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1278  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1279  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1280  p->tcph->th_ack = htonl(88);
1281  p->tcph->th_seq = htonl(1);
1282  p->tcph->th_flags = TH_PUSH | TH_ACK;
1284  p->payload_len = sizeof(response);
1285  p->payload = response;
1286  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1298 
1299  /* response ack */
1300  p->tcph->th_ack = htonl(328);
1301  p->tcph->th_seq = htonl(88);
1302  p->tcph->th_flags = TH_ACK;
1304  p->payload_len = 0;
1305  p->payload = NULL;
1306  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1318 
1319  TEST_END;
1320  PASS;
1321 }
1322 
1323 /**
1324  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1325  */
1326 static int AppLayerTest03(void)
1327 {
1328  TEST_START;
1329 
1330  /* request */
1331  uint8_t request[] = {
1332  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1333  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1334  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1335  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1336  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1337  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1338  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1339  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1340  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1341  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1342  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1343  p->tcph->th_ack = htonl(1);
1344  p->tcph->th_seq = htonl(1);
1345  p->tcph->th_flags = TH_PUSH | TH_ACK;
1347  p->payload_len = sizeof(request);
1348  p->payload = request;
1349  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1361 
1362  /* rubbish response */
1363  uint8_t response[] = {
1364  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1365  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1366  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1367  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1368  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1369  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1370  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1371  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1372  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1373  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1374  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1375  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1376  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1377  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1378  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1379  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1380  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1381  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1382  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1383  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1384  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1385  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1386  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1387  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1388  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1389  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1390  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1391  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1392  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1393  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1394  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1395  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1396  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1397  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1398  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1399  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1400  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1401  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1402  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1403  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1404  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1405  p->tcph->th_ack = htonl(88);
1406  p->tcph->th_seq = htonl(1);
1407  p->tcph->th_flags = TH_PUSH | TH_ACK;
1409  p->payload_len = sizeof(response);
1410  p->payload = response;
1411  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1423 
1424  /* response ack */
1425  p->tcph->th_ack = htonl(328);
1426  p->tcph->th_seq = htonl(88);
1427  p->tcph->th_flags = TH_ACK;
1429  p->payload_len = 0;
1430  p->payload = NULL;
1431  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1443 
1444  TEST_END;
1445  PASS;
1446 }
1447 
1448 /**
1449  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1450  */
1451 static int AppLayerTest04(void)
1452 {
1453  TEST_START;
1454 
1455  /* request */
1456  uint8_t request[] = {
1457  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1458  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1459  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1460  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1461  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1462  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1463  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1464  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1465  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1466  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1467  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1468  PrintRawDataFp(stdout, request, sizeof(request));
1469  p->tcph->th_ack = htonl(1);
1470  p->tcph->th_seq = htonl(1);
1471  p->tcph->th_flags = TH_PUSH | TH_ACK;
1473  p->payload_len = sizeof(request);
1474  p->payload = request;
1475  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1486  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1487 
1488  /* partial response */
1489  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1490  PrintRawDataFp(stdout, response1, sizeof(response1));
1491  p->tcph->th_ack = htonl(88);
1492  p->tcph->th_seq = htonl(1);
1493  p->tcph->th_flags = TH_PUSH | TH_ACK;
1495  p->payload_len = sizeof(response1);
1496  p->payload = response1;
1497  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1500  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1501  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1508  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1509 
1510  /* partial response ack */
1511  p->tcph->th_ack = htonl(5);
1512  p->tcph->th_seq = htonl(88);
1513  p->tcph->th_flags = TH_ACK;
1515  p->payload_len = 0;
1516  p->payload = NULL;
1517  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1520  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1521  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1527  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1528  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1529 
1530  /* remaining response */
1531  uint8_t response2[] = {
1532  0x2f, 0x31, 0x2e, 0x31,
1533  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1534  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1535  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1536  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1537  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1538  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1539  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1540  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1541  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1542  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1543  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1544  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1545  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1546  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1547  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1548  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1549  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1550  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1551  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1552  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1553  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1554  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1555  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1556  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1557  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1558  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1559  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1560  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1561  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1562  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1563  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1564  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1565  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1566  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1567  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1568  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1569  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1570  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1571  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1572  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1573  PrintRawDataFp(stdout, response2, sizeof(response2));
1574  p->tcph->th_ack = htonl(88);
1575  p->tcph->th_seq = htonl(5);
1576  p->tcph->th_flags = TH_PUSH | TH_ACK;
1578  p->payload_len = sizeof(response2);
1579  p->payload = response2;
1580  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1583  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1584  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1590  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1591  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1592 
1593  /* response ack */
1594  p->tcph->th_ack = htonl(328);
1595  p->tcph->th_seq = htonl(88);
1596  p->tcph->th_flags = TH_ACK;
1598  p->payload_len = 0;
1599  p->payload = NULL;
1600  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1601  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1603  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1604  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1605  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1610  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1611  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1612 
1613  TEST_END;
1614  PASS;
1615 }
1616 
1617 /**
1618  * \test RUBBISH -> HTTP/1.1
1619  */
1620 static int AppLayerTest05(void)
1621 {
1622  TEST_START;
1623 
1624  /* full request */
1625  uint8_t request[] = {
1626  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1627  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1628  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1629  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1630  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1631  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1632  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1633  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1634  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1635  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1636  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1637  PrintRawDataFp(stdout, request, sizeof(request));
1638  p->tcph->th_ack = htonl(1);
1639  p->tcph->th_seq = htonl(1);
1640  p->tcph->th_flags = TH_PUSH | TH_ACK;
1642  p->payload_len = sizeof(request);
1643  p->payload = request;
1644  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1656 
1657  /* full response - request ack */
1658  uint8_t response[] = {
1659  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1660  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1661  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1662  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1663  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1664  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1665  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1666  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1667  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1668  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1669  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1670  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1671  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1672  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1673  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1674  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1675  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1676  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1677  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1678  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1679  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1680  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1681  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1682  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1683  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1684  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1685  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1686  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1687  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1688  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1689  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1690  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1691  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1692  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1693  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1694  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1695  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1696  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1697  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1698  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1699  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1700  PrintRawDataFp(stdout, response, sizeof(response));
1701  p->tcph->th_ack = htonl(88);
1702  p->tcph->th_seq = htonl(1);
1703  p->tcph->th_flags = TH_PUSH | TH_ACK;
1705  p->payload_len = sizeof(response);
1706  p->payload = response;
1707  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1719 
1720  /* response ack */
1721  p->tcph->th_ack = htonl(328);
1722  p->tcph->th_seq = htonl(88);
1723  p->tcph->th_flags = TH_ACK;
1725  p->payload_len = 0;
1726  p->payload = NULL;
1727  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1739 
1740  TEST_END;
1741  PASS;
1742 }
1743 
1744 /**
1745  * \test HTTP/1.1 -> GET
1746  */
1747 static int AppLayerTest06(void)
1748 {
1749  TEST_START;
1750 
1751  /* full response - request ack */
1752  uint8_t response[] = {
1753  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1754  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1755  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1756  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1757  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1758  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1759  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1760  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1761  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1762  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1763  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1764  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1765  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1766  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1767  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1768  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1769  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1770  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1771  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1772  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1773  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1774  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1775  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1776  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1777  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1778  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1779  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1780  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1781  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1782  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1783  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1784  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1785  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1786  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1787  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1788  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1789  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1790  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1791  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1792  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1793  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1794  p->tcph->th_ack = htonl(1);
1795  p->tcph->th_seq = htonl(1);
1796  p->tcph->th_flags = TH_PUSH | TH_ACK;
1798  p->payload_len = sizeof(response);
1799  p->payload = response;
1800  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1812 
1813  /* full request - response ack*/
1814  uint8_t request[] = {
1815  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1816  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1817  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1818  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1819  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1820  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1821  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1822  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1823  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1824  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1825  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1826  p->tcph->th_ack = htonl(328);
1827  p->tcph->th_seq = htonl(1);
1828  p->tcph->th_flags = TH_PUSH | TH_ACK;
1830  p->payload_len = sizeof(request);
1831  p->payload = request;
1832  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1844 
1845  p->tcph->th_ack = htonl(1 + sizeof(request));
1846  p->tcph->th_seq = htonl(328);
1847  p->tcph->th_flags = TH_PUSH | TH_ACK;
1849  p->payload_len = 0;
1850  p->payload = NULL;
1851  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1863 
1864  TEST_END;
1865  PASS;
1866 }
1867 
1868 /**
1869  * \test GET -> DCERPC
1870  */
1871 static int AppLayerTest07(void)
1872 {
1873  TEST_START;
1874 
1875  /* full request */
1876  uint8_t request[] = {
1877  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1878  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1879  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1880  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1881  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1882  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1883  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1884  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1885  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1886  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1887  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1888  p->tcph->th_ack = htonl(1);
1889  p->tcph->th_seq = htonl(1);
1890  p->tcph->th_flags = TH_PUSH | TH_ACK;
1892  p->payload_len = sizeof(request);
1893  p->payload = request;
1894  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1906 
1907  /* full response - request ack */
1908  uint8_t response[] = {
1909  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1910  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1911  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1912  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1913  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1914  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1915  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1916  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1917  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1918  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1919  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1920  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1921  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1922  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1923  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1924  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1925  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1926  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1927  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1928  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1929  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1930  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1931  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1932  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1933  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1934  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1935  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1936  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1937  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1938  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1939  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1940  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1941  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1942  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1943  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1944  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1945  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1946  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1947  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1948  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1949  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1950  p->tcph->th_ack = htonl(88);
1951  p->tcph->th_seq = htonl(1);
1952  p->tcph->th_flags = TH_PUSH | TH_ACK;
1954  p->payload_len = sizeof(response);
1955  p->payload = response;
1956  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1968 
1969  /* response ack */
1970  p->tcph->th_ack = htonl(328);
1971  p->tcph->th_seq = htonl(88);
1972  p->tcph->th_flags = TH_ACK;
1974  p->payload_len = 0;
1975  p->payload = NULL;
1976  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1988 
1989  TEST_END;
1990  PASS;
1991 }
1992 
1993 /**
1994  * \test SMB -> HTTP/1.1
1995  */
1996 static int AppLayerTest08(void)
1997 {
1998  TEST_START;
1999 
2000  /* full request */
2001  uint8_t request[] = {
2002  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2003  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2004  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2005  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2006  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2007  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2008  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2009  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2010  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2011  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2012  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2013  p->tcph->th_ack = htonl(1);
2014  p->tcph->th_seq = htonl(1);
2015  p->tcph->th_flags = TH_PUSH | TH_ACK;
2017  p->payload_len = sizeof(request);
2018  p->payload = request;
2019  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2031 
2032  /* full response - request ack */
2033  uint8_t response[] = {
2034  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2035  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2036  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2037  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2038  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2039  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2040  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2041  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2042  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2043  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2044  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2045  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2046  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2047  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2048  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2049  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2050  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2051  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2052  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2053  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2054  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2055  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2056  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2057  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2058  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2059  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2060  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2061  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2062  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2063  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2064  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2065  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2066  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2067  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2068  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2069  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2070  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2071  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2072  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2073  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2074  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2075  p->tcph->th_ack = htonl(88);
2076  p->tcph->th_seq = htonl(1);
2077  p->tcph->th_flags = TH_PUSH | TH_ACK;
2079  p->payload_len = sizeof(response);
2080  p->payload = response;
2081  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2093 
2094  /* response ack */
2095  p->tcph->th_ack = htonl(328);
2096  p->tcph->th_seq = htonl(88);
2097  p->tcph->th_flags = TH_ACK;
2099  p->payload_len = 0;
2100  p->payload = NULL;
2101  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2113 
2114  TEST_END;
2115  PASS;
2116 }
2117 
2118 /**
2119  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2120  * RUBBISH(TC - PM and PP DONE) ->
2121  * RUBBISH(TS - PM and PP DONE)
2122  */
2123 static int AppLayerTest09(void)
2124 {
2125  TEST_START;
2126 
2127  /* full request */
2128  uint8_t request1[] = {
2129  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2130  p->tcph->th_ack = htonl(1);
2131  p->tcph->th_seq = htonl(1);
2132  p->tcph->th_flags = TH_PUSH | TH_ACK;
2134  p->payload_len = sizeof(request1);
2135  p->payload = request1;
2136  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2148 
2149  /* response - request ack */
2150  p->tcph->th_ack = htonl(9);
2151  p->tcph->th_seq = htonl(1);
2152  p->tcph->th_flags = TH_PUSH | TH_ACK;
2154  p->payload_len = 0;
2155  p->payload = NULL;
2156  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2168 
2169  /* full request */
2170  uint8_t request2[] = {
2171  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2172  p->tcph->th_ack = htonl(1);
2173  p->tcph->th_seq = htonl(9);
2174  p->tcph->th_flags = TH_PUSH | TH_ACK;
2176  p->payload_len = sizeof(request2);
2177  p->payload = request2;
2178  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2190 
2191  /* full response - request ack */
2192  uint8_t response[] = {
2193  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2194  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2195  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2196  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2197  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2198  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2199  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2200  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2201  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2202  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2203  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2204  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2205  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2206  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2207  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2208  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2209  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2210  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2211  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2212  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2213  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2214  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2215  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2216  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2217  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2218  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2219  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2220  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2221  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2222  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2223  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2224  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2225  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2226  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2227  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2228  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2229  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2230  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2231  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2232  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2233  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2234  p->tcph->th_ack = htonl(18);
2235  p->tcph->th_seq = htonl(1);
2236  p->tcph->th_flags = TH_PUSH | TH_ACK;
2238  p->payload_len = sizeof(response);
2239  p->payload = response;
2240  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2252 
2253  /* response ack */
2254  p->tcph->th_ack = htonl(328);
2255  p->tcph->th_seq = htonl(18);
2256  p->tcph->th_flags = TH_ACK;
2258  p->payload_len = 0;
2259  p->payload = NULL;
2260  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2272 
2273  TEST_END;
2274  PASS;
2275 }
2276 
2277 /**
2278  * \test RUBBISH(TC - PM and PP DONE) ->
2279  * RUBBISH(TS - PM and PP DONE)
2280  */
2281 static int AppLayerTest10(void)
2282 {
2283  TEST_START;
2284 
2285  /* full request */
2286  uint8_t request1[] = {
2287  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2288  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2289  p->tcph->th_ack = htonl(1);
2290  p->tcph->th_seq = htonl(1);
2291  p->tcph->th_flags = TH_PUSH | TH_ACK;
2293  p->payload_len = sizeof(request1);
2294  p->payload = request1;
2295  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2307 
2308  /* response - request ack */
2309  p->tcph->th_ack = htonl(18);
2310  p->tcph->th_seq = htonl(1);
2311  p->tcph->th_flags = TH_PUSH | TH_ACK;
2313  p->payload_len = 0;
2314  p->payload = NULL;
2315  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2327 
2328  /* full response - request ack */
2329  uint8_t response[] = {
2330  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2331  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2332  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2333  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2334  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2335  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2336  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2337  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2338  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2339  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2340  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2341  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2342  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2343  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2344  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2345  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2346  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2347  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2348  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2349  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2350  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2351  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2352  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2353  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2354  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2355  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2356  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2357  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2358  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2359  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2360  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2361  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2362  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2363  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2364  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2365  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2366  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2367  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2368  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2369  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2370  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2371  p->tcph->th_ack = htonl(18);
2372  p->tcph->th_seq = htonl(1);
2373  p->tcph->th_flags = TH_PUSH | TH_ACK;
2375  p->payload_len = sizeof(response);
2376  p->payload = response;
2377  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2389 
2390  /* response ack */
2391  p->tcph->th_ack = htonl(328);
2392  p->tcph->th_seq = htonl(18);
2393  p->tcph->th_flags = TH_ACK;
2395  p->payload_len = 0;
2396  p->payload = NULL;
2397  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2409 
2410  TEST_END;
2411  PASS;
2412 }
2413 
2414 /**
2415  * \test RUBBISH(TC - PM and PP DONE) ->
2416  * RUBBISH(TS - PM and PP NOT DONE) ->
2417  * RUBBISH(TS - PM and PP DONE)
2418  */
2419 static int AppLayerTest11(void)
2420 {
2421  TEST_START;
2422 
2423  /* full request */
2424  uint8_t request1[] = {
2425  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2426  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2427  p->tcph->th_ack = htonl(1);
2428  p->tcph->th_seq = htonl(1);
2429  p->tcph->th_flags = TH_PUSH | TH_ACK;
2431  p->payload_len = sizeof(request1);
2432  p->payload = request1;
2433  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2445 
2446  /* response - request ack */
2447  p->tcph->th_ack = htonl(18);
2448  p->tcph->th_seq = htonl(1);
2449  p->tcph->th_flags = TH_PUSH | TH_ACK;
2451  p->payload_len = 0;
2452  p->payload = NULL;
2453  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2465 
2466  /* full response - request ack */
2467  uint8_t response1[] = {
2468  0x55, 0x74, 0x54, 0x50, };
2469  p->tcph->th_ack = htonl(18);
2470  p->tcph->th_seq = htonl(1);
2471  p->tcph->th_flags = TH_PUSH | TH_ACK;
2473  p->payload_len = sizeof(response1);
2474  p->payload = response1;
2475  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2487 
2488  /* response ack from request */
2489  p->tcph->th_ack = htonl(5);
2490  p->tcph->th_seq = htonl(18);
2491  p->tcph->th_flags = TH_ACK;
2493  p->payload_len = 0;
2494  p->payload = NULL;
2495  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2507 
2508  uint8_t response2[] = {
2509  0x2f, 0x31, 0x2e, 0x31,
2510  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2511  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2512  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2513  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2514  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2515  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2516  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2517  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2518  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2519  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2520  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2521  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2522  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2523  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2524  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2525  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2526  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2527  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2528  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2529  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2530  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2531  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2532  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2533  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2534  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2535  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2536  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2537  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2538  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2539  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2540  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2541  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2542  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2543  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2544  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2545  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2546  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2547  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2548  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2549  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2550  p->tcph->th_ack = htonl(18);
2551  p->tcph->th_seq = htonl(5);
2552  p->tcph->th_flags = TH_PUSH | TH_ACK;
2554  p->payload_len = sizeof(response2);
2555  p->payload = response2;
2556  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2568 
2569  /* response ack from request */
2570  p->tcph->th_ack = htonl(328);
2571  p->tcph->th_seq = htonl(18);
2572  p->tcph->th_flags = TH_ACK;
2574  p->payload_len = 0;
2575  p->payload = NULL;
2576  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2588 
2589  TEST_END;
2590  PASS;
2591 }
2592 
2594 {
2595  SCEnter();
2596 
2597  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2598  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2599  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2600  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2601  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2602  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2603  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2604  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2605  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2606  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2607  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2608 
2609  SCReturn;
2610 }
2611 
2612 #endif /* UNITTESTS */
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:98
AppProto alproto_expect
Definition: flow.h:416
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
AppProto alproto_tc
Definition: flow.h:409
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:572
#define TEST_END
Definition: app-layer.c:1023
uint16_t counter_id
Definition: app-layer.c:81
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
#define BUG_ON(x)
uint8_t proto
Definition: flow.h:346
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:771
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
#define PASS
Pass the test.
int AppLayerParserDeSetup(void)
#define STREAMTCP_STREAM_FLAG_GAP
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:821
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:540
void StreamTcpDisableAppLayer(Flow *f)
uint64_t HTPMemuseGlobalCounter(void)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:97
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
#define IPPROTOS_MAX
Definition: app-layer.c:845
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:756
uint64_t ticks_spent
Definition: app-layer.c:66
uint64_t pcap_cnt
Definition: decode.h:566
uint64_t DNSMemcapGetMemcapStateCounter(void)
uint16_t AppProto
uint64_t FTPMemuseGlobalCounter(void)
TCPHdr * tcph
Definition: decode.h:525
int EngineModeIsIPS(void)
Definition: suricata.c:241
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:826
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:722
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
uint64_t ticks_start
Definition: app-layer.c:64
uint64_t DNSMemcapGetMemcapGlobalCounter(void)
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
#define STREAMTCP_FLAG_MIDSTREAM
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:736
#define SCReturnCT(x, type)
Definition: util-debug.h:351
void * protoctx
Definition: flow.h:398
uint64_t ExpectationGetCounter(void)
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
#define PACKET_PROFILING_APP_PD_START(dp)
void AppLayerParserRegisterProtocolParsers(void)
AppProto alproto
Definition: app-layer.c:67
struct AppLayerCounters_ AppLayerCounters
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4670
AppProto alproto_orig
Definition: flow.h:413
AppProto alproto_ts
Definition: flow.h:408
#define str(s)
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:250
uint16_t counter_tx_id
Definition: app-layer.c:82
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:783
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:240
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1125
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define DEBUG_ASSERT_FLOW_LOCKED(f)
#define SCEnter(...)
Definition: util-debug.h:337
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2593
uint64_t HTPMemcapGlobalCounter(void)
#define TH_ACK
Definition: decode-tcp.h:39
uint8_t flowflags
Definition: decode.h:438
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
struct AppLayerCounterNames_ AppLayerCounterNames
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
#define TH_PUSH
Definition: decode-tcp.h:38
uint64_t FTPMemcapGlobalCounter(void)
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1000
int8_t data_first_seen_dir
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
#define SCReturnInt(x)
Definition: util-debug.h:341
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction)
Returns the app layer protocol given a buffer.
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
int AppLayerParserSetup(void)
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:925
#define SCMalloc(a)
Definition: util-mem.h:174
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
#define SCFree(a)
Definition: util-mem.h:236
#define PACKET_PROFILING_APP_STORE(dp, p)
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:241
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:805
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:833
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAM_START
Definition: stream.h:29
void AppLayerSetupCounters(void)
Definition: app-layer.c:846
#define STREAM_TOSERVER
Definition: stream.h:31
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
#define TEST_START
Definition: app-layer.c:940
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:248
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6289
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:729
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
#define PACKET_PROFILING_APP_END(dp, id)
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:249
#define PACKET_PROFILING_APP_RESET(dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:660
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
#define FLOW_PKT_TOCLIENT
Definition: flow.h:194
AppProto alproto
application level protocol
Definition: flow.h:407
The app layer protocol detection thread context.
uint32_t flags
Definition: decode.h:442
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
uint16_t payload_len
Definition: decode.h:546
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
#define likely(expr)
Definition: util-optimize.h:32
uint64_t ticks_end
Definition: app-layer.c:65
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6283
uint64_t DNSMemcapGetMemuseCounter(void)
int AppLayerParserProtocolIsTxAware(uint8_t ipproto, AppProto alproto)
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
uint8_t protomap
Definition: flow.h:402
Flow data structure.
Definition: flow.h:327
uint8_t * payload
Definition: decode.h:545
uint32_t flags
Definition: flow.h:377
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
#define PACKET_PROFILING_APP_PD_END(dp)
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:896
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1126
#define PACKET_PROFILING_APP_START(dp, id)