suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
70 #endif
71 };
72 
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74 
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
80 
81 typedef struct AppLayerCounters_ {
82  uint16_t counter_id;
83  uint16_t counter_tx_id;
85 
86 /* counter names. Only used at init. */
88 /* counter id's. Used that runtime. */
90 
91 void AppLayerSetupCounters(void);
92 void AppLayerDeSetupCounters(void);
93 
94 /***** L7 layer dispatchers *****/
95 
96 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
97  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
99  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
100 }
101 
102 /**
103  * \note id can be 0 if protocol parser is disabled but detection
104  * is enabled.
105  */
106 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
107 {
108  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
109  if (likely(tv && id > 0)) {
110  StatsIncr(tv, id);
111  }
112 }
113 
114 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
115 {
116  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
117  if (likely(tv && id > 0)) {
118  StatsAddUI64(tv, id, step);
119  }
120 }
121 
122 /* in IDS mode protocol detection is done in reverse order:
123  * when TCP data is ack'd. We want to flag the correct packet,
124  * so in this case we set a flag in the flow so that the first
125  * packet in the correct direction can be tagged.
126  *
127  * For IPS things are much simpler, and we don't use the flow
128  * flag. We just tag the packet directly. */
129 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
130 {
131  if (EngineModeIsIPS()) {
132  if (flags & STREAM_TOSERVER) {
133  if (p->flowflags & FLOW_PKT_TOSERVER) {
135  } else {
137  }
138  } else {
139  if (p->flowflags & FLOW_PKT_TOCLIENT) {
141  } else {
143  }
144  }
145  } else {
146  if (flags & STREAM_TOSERVER) {
148  } else {
150  }
151  }
152 }
153 
154 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
155 {
156  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
157  f, f->alproto, f->alproto_ts, f->alproto_tc);
160  TcpSession *ssn = f->protoctx;
162  f->alproto = ALPROTO_FAILED;
163  AppLayerIncFlowCounter(tv, f);
164 
165  if (f->alproto_tc != ALPROTO_FAILED) {
166  if (f->alproto_tc == ALPROTO_UNKNOWN) {
168  }
169  FlagPacketFlow(p, f, STREAM_TOCLIENT);
170  }
171  if (f->alproto_ts != ALPROTO_FAILED) {
172  if (f->alproto_ts == ALPROTO_UNKNOWN) {
174  }
175  FlagPacketFlow(p, f, STREAM_TOSERVER);
176  }
177  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
178  f, f->alproto, f->alproto_ts, f->alproto_tc);
179 }
180 
181 /* See if we're going to have to give up:
182  *
183  * If we're getting a lot of data in one direction and the
184  * proto for this direction is unknown, proto detect will
185  * hold up segments in the segment list in the stream.
186  * They are held so that if we detect the protocol on the
187  * opposing stream, we can still parse this side of the stream
188  * as well. However, some sessions are very unbalanced. FTP
189  * data channels, large PUT/POST request and many others, can
190  * lead to cases where we would have to store many megabytes
191  * worth of segments before we see the opposing stream. This
192  * leads to risks of resource starvation.
193  *
194  * Here a cutoff point is enforced. If we've stored 100k in
195  * one direction and we've seen no data in the other direction,
196  * we give up.
197  *
198  * Giving up means we disable applayer an set an applayer event
199  */
200 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
201  Flow *f, TcpSession *ssn, Packet *p)
202 {
203  if (ssn->state < TCP_ESTABLISHED) {
204  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
205  return;
206  }
207 
208  const uint64_t size_ts = STREAM_HAS_SEEN_DATA(&ssn->client) ?
209  STREAM_RIGHT_EDGE(&ssn->client) : 0;
210  const uint64_t size_tc = STREAM_HAS_SEEN_DATA(&ssn->server) ?
211  STREAM_RIGHT_EDGE(&ssn->server) : 0;
212  SCLogDebug("size_ts %"PRIu64", size_tc %"PRIu64, size_ts, size_tc);
213 
214  DEBUG_VALIDATE_BUG_ON(size_ts > 1000000UL);
215  DEBUG_VALIDATE_BUG_ON(size_tc > 1000000UL);
216 
217  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
218  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
219  {
220  goto failure;
221 
223  size_ts > 100000 && size_tc == 0)
224  {
227  goto failure;
228 
230  size_tc > 100000 && size_ts == 0)
231  {
234  goto failure;
235 
236  /* little data in ts direction, pp done, pm not done (max
237  * depth not reached), ts direction done, lots of data in
238  * tc direction. */
239  } else if (size_tc > 100000 &&
242  {
245  goto failure;
246 
247  /* little data in tc direction, pp done, pm not done (max
248  * depth not reached), tc direction done, lots of data in
249  * ts direction. */
250  } else if (size_ts > 100000 &&
253  {
256  goto failure;
257 
258  /* in case of really low TS data (e.g. 4 bytes) we can have
259  * the PP complete, PM not complete (depth not reached) and
260  * the TC side also not recognized (proto unknown) */
261  } else if (size_tc > 100000 &&
264  {
267  goto failure;
268  }
269  return;
270 
271 failure:
272  DisableAppLayer(tv, f, p);
273  return;
274 }
275 
276 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
277  TcpReassemblyThreadCtx *ra_ctx,
278  Packet *p, TcpSession *ssn, TcpStream *stream)
279 {
280  TcpStream *opposing_stream = NULL;
281  if (stream == &ssn->client) {
282  opposing_stream = &ssn->server;
283  } else {
284  opposing_stream = &ssn->client;
285  }
286 
287  /* if the opposing side is not going to work, then
288  * we just have to give up. */
289  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
290  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
291  return -1;
292  }
293 
294  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
297  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
298  opposing_stream, p, dir);
299  return ret;
300 }
301 
302 /** \todo data const
303  * \retval int -1 error
304  * \retval int 0 ok
305  */
306 static int TCPProtoDetect(ThreadVars *tv,
307  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
308  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
309  uint8_t *data, uint32_t data_len, uint8_t flags)
310 {
311  AppProto *alproto;
312  AppProto *alproto_otherdir;
313  int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
314 
315  if (flags & STREAM_TOSERVER) {
316  alproto = &f->alproto_ts;
317  alproto_otherdir = &f->alproto_tc;
318  } else {
319  alproto = &f->alproto_tc;
320  alproto_otherdir = &f->alproto_ts;
321  }
322 
323  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
324 #ifdef PRINT
325  if (data_len > 0) {
326  printf("=> Init Stream Data (app layer) -- start %s%s\n",
327  flags & STREAM_TOCLIENT ? "toclient" : "",
328  flags & STREAM_TOSERVER ? "toserver" : "");
329  PrintRawDataFp(stdout, data, data_len);
330  printf("=> Init Stream Data -- end\n");
331  }
332 #endif
333 
334  bool reverse_flow = false;
336  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
337  f, data, data_len,
338  IPPROTO_TCP, flags, &reverse_flow);
339  PACKET_PROFILING_APP_PD_END(app_tctx);
340  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
341 
342  if (*alproto != ALPROTO_UNKNOWN) {
343  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
346 
348  /* if we already invoked the parser, we go with that proto */
349  f->alproto = *alproto_otherdir;
350  } else {
351  /* no data sent to parser yet, we can still choose
352  * we're trusting the server more. */
353  if (flags & STREAM_TOCLIENT)
354  f->alproto = *alproto;
355  else
356  f->alproto = *alproto_otherdir;
357  }
358  } else {
359  f->alproto = *alproto;
360  }
361 
365  FlagPacketFlow(p, f, flags);
366  /* if protocol detection indicated that we need to reverse
367  * the direction of the flow, do it now. We flip the flow,
368  * packet and the direction flags */
369  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
370  SCLogDebug("reversing flow after proto detect told us so");
371  PacketSwap(p);
372  FlowSwap(f);
374  if (*stream == &ssn->client) {
375  *stream = &ssn->server;
376  } else {
377  *stream = &ssn->client;
378  }
379  direction = 1 - direction;
380  }
381 
382  /* account flow if we have both sides */
383  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
384  AppLayerIncFlowCounter(tv, f);
385  }
386 
387  /* if we have seen data from the other direction first, send
388  * data for that direction first to the parser. This shouldn't
389  * be an issue, since each stream processing happens
390  * independently of the other stream direction. At this point of
391  * call, you need to know that this function's already being
392  * called by the very same StreamReassembly() function that we
393  * will now call shortly for the opposing direction. */
395  !(flags & ssn->data_first_seen_dir))
396  {
397  SCLogDebug("protocol %s needs first data in other direction",
398  AppProtoToString(*alproto));
399 
400  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
401  p, ssn, *stream) != 0)
402  {
403  DisableAppLayer(tv, f, p);
404  SCReturnInt(-1);
405  }
406  }
407 
408  /* if the parser operates such that it needs to see data from
409  * a particular direction first, we check if we have seen
410  * data from that direction first for the flow. IF it is not
411  * the same, we set an event and exit.
412  *
413  * \todo We need to figure out a more robust solution for this,
414  * as this can lead to easy evasion tactics, where the
415  * attackeer can first send some dummy data in the wrong
416  * direction first to mislead our proto detection process.
417  * While doing this we need to update the parsers as well,
418  * since the parsers must be robust to see such wrong
419  * direction data.
420  * Either ways the moment we see the
421  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
422  * flow, it shows something's fishy.
423  */
425  uint8_t first_data_dir;
426  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
427 
428  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
431  DisableAppLayer(tv, f, p);
432  SCReturnInt(-1);
433  }
434  /* This can happen if the current direction is not the
435  * right direction, and the data from the other(also
436  * the right direction) direction is available to be sent
437  * to the app layer, but it is not ack'ed yet and hence
438  * the forced call to STreamTcpAppLayerReassemble still
439  * hasn't managed to send data from the other direction
440  * to the app layer. */
441  if (first_data_dir && !(first_data_dir & flags)) {
447  SCReturnInt(-1);
448  }
449  }
450 
451  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
453 
454  /* finally, invoke the parser */
455  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
456  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
457  flags, data, data_len);
458  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
459  if (r < 0) {
460  SCReturnInt(-1);
461  } else if (r == 0) {
462  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
463  }
464  } else {
465  /* if the ssn is midstream, we may end up with a case where the
466  * start of an HTTP request is missing. We won't detect HTTP based
467  * on the request. However, the reply is fine, so we detect
468  * HTTP anyway. This leads to passing the incomplete request to
469  * the htp parser.
470  *
471  * This has been observed, where the http parser then saw many
472  * bogus requests in the incomplete data.
473  *
474  * To counter this case, a midstream session MUST find it's
475  * protocol in the toserver direction. If not, we assume the
476  * start of the request/toserver is incomplete and no reliable
477  * detection and parsing is possible. So we give up.
478  */
479  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
481  {
483  SCLogDebug("midstream end pd %p", ssn);
484  /* midstream and toserver detection failed: give up */
485  DisableAppLayer(tv, f, p);
486  SCReturnInt(0);
487  }
488  }
489 
490  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
491  uint8_t first_data_dir;
492  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
493 
494  /* this would handle this test case -
495  * http parser which says it wants to see toserver data first only.
496  * tcp handshake
497  * toclient data first received. - RUBBISH DATA which
498  * we don't detect as http
499  * toserver data next sent - we detect this as http.
500  * at this stage we see that toclient is the first data seen
501  * for this session and we try and redetect the app protocol,
502  * but we are unable to detect the app protocol like before.
503  * But since we have managed to detect the protocol for the
504  * other direction as http, we try to use that. At this
505  * stage we check if the direction of this stream matches
506  * to that acceptable by the app parser. If it is not the
507  * acceptable direction we error out.
508  */
510  (first_data_dir) && !(first_data_dir & flags))
511  {
512  DisableAppLayer(tv, f, p);
513  SCReturnInt(-1);
514  }
515 
516  /* if protocol detection is marked done for our direction we
517  * pass our data on. We're only succeeded in finding one
518  * direction: the opposing stream
519  *
520  * If PD was not yet complete, we don't do anything.
521  */
522  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
523  if (data_len > 0)
525 
526  if (*alproto_otherdir != ALPROTO_FAILED) {
527  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
528  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
529  f->alproto, flags,
530  data, data_len);
531  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
532  if (r == 0) {
533  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
534  }
535 
540 
541  *alproto = *alproto_otherdir;
542  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
543  p->pcap_cnt, *alproto, *alproto_otherdir, r);
544  if (r < 0) {
545  SCReturnInt(-1);
546  }
547  }
548  *alproto = ALPROTO_FAILED;
550  AppLayerIncFlowCounter(tv, f);
551  FlagPacketFlow(p, f, flags);
552 
553  }
554  } else {
555  /* both sides unknown, let's see if we need to give up */
556  if (FlowChangeProto(f)) {
557  /* TCPProtoDetectCheckBailConditions does not work well because
558  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
559  * so, we set a lower limit to the data we inspect
560  * We could instead have set ssn->server.sb.stream_offset = 0;
561  */
562  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
563  DisableAppLayer(tv, f, p);
564  }
565  } else {
566  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
567  }
568  }
569  }
570  SCReturnInt(0);
571 }
572 
573 /** \brief handle TCP data for the app-layer.
574  *
575  * First run protocol detection and then when the protocol is known invoke
576  * the app layer parser.
577  *
578  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
579  * reversed.
580  */
582  Packet *p, Flow *f,
583  TcpSession *ssn, TcpStream **stream,
584  uint8_t *data, uint32_t data_len,
585  uint8_t flags)
586 {
587  SCEnter();
588 
590  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
591 
592  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
593  AppProto alproto;
594  int r = 0;
595 
596  SCLogDebug("data_len %u flags %02X", data_len, flags);
598  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
599  goto end;
600  }
601 
602  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
603 
604  if (flags & STREAM_TOSERVER) {
605  alproto = f->alproto_ts;
606  } else {
607  alproto = f->alproto_tc;
608  }
609 
610  /* If a gap notification, relay the notification on to the
611  * app-layer if known. */
612  if (flags & STREAM_GAP) {
613  if (alproto == ALPROTO_UNKNOWN) {
615  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
616  /* if the other side didn't already find the proto, we're done */
617  if (f->alproto == ALPROTO_UNKNOWN) {
618  goto failure;
619  }
620  }
621  if (FlowChangeProto(f)) {
623  SCLogDebug("Cannot handle gap while changing protocol");
624  goto failure;
625  }
626  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
627  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
628  flags, data, data_len);
629  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
630  /* ignore parser result for gap */
631  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
632  goto end;
633  }
634 
635  /* if we don't know the proto yet and we have received a stream
636  * initializer message, we run proto detection.
637  * We receive 2 stream init msgs (one for each direction) but we
638  * only run the proto detection once. */
639  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
641  /* run protocol detection */
642  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
643  data, data_len, flags) != 0) {
644  goto failure;
645  }
646  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
647  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
648  void *alstate_orig = f->alstate;
649  AppLayerParserState *alparser = f->alparser;
650  // we delay AppLayerParserStateCleanup because we may need previous parser state
654  /* rerun protocol detection */
655  int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
656  if (f->alproto == ALPROTO_UNKNOWN) {
657  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
658  // not enough data, revert AppLayerProtoDetectReset to rerun detection
659  f->alparser = alparser;
660  f->alproto = f->alproto_orig;
661  f->alproto_tc = f->alproto_orig;
662  f->alproto_ts = f->alproto_orig;
663  } else {
665  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
666  if (alstate_orig == f->alstate) {
667  // we just freed it
668  f->alstate = NULL;
669  }
670  }
671  if (rd != 0) {
672  SCLogDebug("proto detect failure");
673  goto failure;
674  }
675  SCLogDebug("protocol change, old %s, new %s",
677 
678  if (f->alproto_expect != ALPROTO_UNKNOWN &&
679  f->alproto != f->alproto_expect)
680  {
683 
684  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
687 
688  }
689  }
690  } else {
691  SCLogDebug("stream data (len %" PRIu32 " alproto "
692  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
693 #ifdef PRINT
694  if (data_len > 0) {
695  printf("=> Stream Data (app layer) -- start %s%s\n",
696  flags & STREAM_TOCLIENT ? "toclient" : "",
697  flags & STREAM_TOSERVER ? "toserver" : "");
698  PrintRawDataFp(stdout, data, data_len);
699  printf("=> Stream Data -- end\n");
700  }
701 #endif
702  /* if we don't have a data object here we are not getting it
703  * a start msg should have gotten us one */
704  if (f->alproto != ALPROTO_UNKNOWN) {
705  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
706  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
707  flags, data, data_len);
708  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
709  if (r == 0) {
710  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
711  }
712  }
713  }
714 
715  goto end;
716  failure:
717  r = -1;
718  end:
719  SCReturnInt(r);
720 }
721 
722 /**
723  * \brief Handle a app layer UDP message
724  *
725  * If the protocol is yet unknown, the proto detection code is run first.
726  *
727  * \param dp_ctx Thread app layer detect context
728  * \param f *locked* flow
729  * \param p UDP packet
730  *
731  * \retval 0 ok
732  * \retval -1 error
733  */
735 {
736  SCEnter();
737 
738  if (f->alproto == ALPROTO_FAILED) {
739  SCReturnInt(0);
740  }
741 
742  int r = 0;
743  uint8_t flags = 0;
744  if (p->flowflags & FLOW_PKT_TOSERVER) {
746  } else {
748  }
749 
750  AppLayerProfilingReset(tctx);
751 
752  /* if the protocol is still unknown, run detection */
753  if (f->alproto == ALPROTO_UNKNOWN) {
754  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
755  p->payload_len);
756 
757  bool reverse_flow = false;
760  f, p->payload, p->payload_len,
761  IPPROTO_UDP, flags, &reverse_flow);
763 
764  if (f->alproto != ALPROTO_UNKNOWN) {
765  AppLayerIncFlowCounter(tv, f);
766 
767  if (reverse_flow) {
768  SCLogDebug("reversing flow after proto detect told us so");
769  PacketSwap(p);
770  FlowSwap(f);
772  }
773 
775  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
776  flags, p->payload, p->payload_len);
778  } else {
779  f->alproto = ALPROTO_FAILED;
780  AppLayerIncFlowCounter(tv, f);
781  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
782  }
784  /* we do only inspection in one direction, so flag both
785  * sides as done here */
786  FlagPacketFlow(p, f, STREAM_TOSERVER);
787  FlagPacketFlow(p, f, STREAM_TOCLIENT);
788  } else {
789  SCLogDebug("data (len %" PRIu32 " ), alproto "
790  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
791 
792  /* run the parser */
794  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
795  flags, p->payload, p->payload_len);
798  }
799 
800  SCReturnInt(r);
801 }
802 
803 /***** Utility *****/
804 
805 AppProto AppLayerGetProtoByName(char *alproto_name)
806 {
807  SCEnter();
809  SCReturnCT(r, "AppProto");
810 }
811 
812 const char *AppLayerGetProtoName(AppProto alproto)
813 {
814  SCEnter();
815  const char * r = AppLayerProtoDetectGetProtoName(alproto);
816  SCReturnCT(r, "char *");
817 }
818 
820 {
821  SCEnter();
822 
823  AppProto alproto;
824  AppProto alprotos[ALPROTO_MAX];
825 
827 
828  printf("=========Supported App Layer Protocols=========\n");
829  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
830  if (alprotos[alproto] == 1)
831  printf("%s\n", AppLayerGetProtoName(alproto));
832  }
833 
834  SCReturn;
835 }
836 
837 /***** Setup/General Registration *****/
838 
839 int AppLayerSetup(void)
840 {
841  SCEnter();
842 
845 
848 
850 
851  SCReturnInt(0);
852 }
853 
855 {
856  SCEnter();
857 
860 
862 
863  SCReturnInt(0);
864 }
865 
867 {
868  SCEnter();
869 
870  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
871  if (app_tctx == NULL)
872  goto error;
873  memset(app_tctx, 0, sizeof(*app_tctx));
874 
875  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
876  goto error;
877  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
878  goto error;
879 
880  goto done;
881  error:
882  AppLayerDestroyCtxThread(app_tctx);
883  app_tctx = NULL;
884  done:
885  SCReturnPtr(app_tctx, "void *");
886 }
887 
889 {
890  SCEnter();
891 
892  if (app_tctx == NULL)
893  SCReturn;
894 
895  if (app_tctx->alpd_tctx != NULL)
897  if (app_tctx->alp_tctx != NULL)
899  SCFree(app_tctx);
900 
901  SCReturn;
902 }
903 
905 {
906  PACKET_PROFILING_APP_RESET(app_tctx);
907 }
908 
910 {
911  PACKET_PROFILING_APP_STORE(app_tctx, p);
912 }
913 
914 /** \brief HACK to work around our broken unix manager (re)init loop
915  */
917 {
922  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
923 }
924 
925 #define IPPROTOS_MAX 2
927 {
928  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
929  uint8_t ipproto;
930  AppProto alproto;
931  AppProto alprotos[ALPROTO_MAX];
932  const char *str = "app_layer.flow.";
933 
935 
936  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
937  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
938  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
939  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
940 
941  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
942  if (alprotos[alproto] == 1) {
943  const char *tx_str = "app_layer.tx.";
944  const char *alproto_str = AppLayerGetProtoName(alproto);
945 
946  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
947  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
948  {
949  snprintf(applayer_counter_names[ipproto_map][alproto].name,
950  sizeof(applayer_counter_names[ipproto_map][alproto].name),
951  "%s%s%s", str, alproto_str, ipproto_suffix);
952  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
953  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
954  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
955  } else {
956  snprintf(applayer_counter_names[ipproto_map][alproto].name,
957  sizeof(applayer_counter_names[ipproto_map][alproto].name),
958  "%s%s", str, alproto_str);
959  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
960  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
961  "%s%s", tx_str, alproto_str);
962  }
963  } else if (alproto == ALPROTO_FAILED) {
964  snprintf(applayer_counter_names[ipproto_map][alproto].name,
965  sizeof(applayer_counter_names[ipproto_map][alproto].name),
966  "%s%s%s", str, "failed", ipproto_suffix);
967  }
968  }
969  }
970 }
971 
973 {
974  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
975  uint8_t ipproto;
976  AppProto alproto;
977  AppProto alprotos[ALPROTO_MAX];
978 
980 
981  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
982  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
983 
984  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
985  if (alprotos[alproto] == 1) {
986  applayer_counters[ipproto_map][alproto].counter_id =
987  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
988 
989  applayer_counters[ipproto_map][alproto].counter_tx_id =
990  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
991  } else if (alproto == ALPROTO_FAILED) {
992  applayer_counters[ipproto_map][alproto].counter_id =
993  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
994  }
995  }
996  }
997 }
998 
1000 {
1001  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1002  memset(applayer_counters, 0, sizeof(applayer_counters));
1003 }
1004 
1005 /***** Unittests *****/
1006 
1007 #ifdef UNITTESTS
1008 #include "pkt-var.h"
1009 #include "stream-tcp.h"
1010 #include "stream-tcp-util.h"
1011 #include "stream.h"
1012 #include "util-unittest.h"
1013 
1014 #define TEST_START \
1015  Packet *p = SCMalloc(SIZE_OF_PACKET);\
1016  FAIL_IF_NULL(p);\
1017  Flow f;\
1018  ThreadVars tv;\
1019  StreamTcpThread *stt = NULL;\
1020  TCPHdr tcph;\
1021  PacketQueueNoLock pq;\
1022  memset(&pq,0,sizeof(PacketQueueNoLock));\
1023  memset(p, 0, SIZE_OF_PACKET);\
1024  memset (&f, 0, sizeof(Flow));\
1025  memset(&tv, 0, sizeof (ThreadVars));\
1026  memset(&tcph, 0, sizeof (TCPHdr));\
1027 \
1028  FLOW_INITIALIZE(&f);\
1029  f.flags = FLOW_IPV4;\
1030  f.proto = IPPROTO_TCP;\
1031  p->flow = &f;\
1032  p->tcph = &tcph;\
1033 \
1034  StreamTcpInitConfig(TRUE);\
1035  IPPairInitConfig(TRUE); \
1036  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
1037 \
1038  /* handshake */\
1039  tcph.th_win = htons(5480);\
1040  tcph.th_flags = TH_SYN;\
1041  p->flowflags = FLOW_PKT_TOSERVER;\
1042  p->payload_len = 0;\
1043  p->payload = NULL;\
1044  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1045  TcpSession *ssn = (TcpSession *)f.protoctx;\
1046 \
1047  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1048  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1049  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1050  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1051  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1052  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1053  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1054  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1055  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1056  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1057  FAIL_IF(ssn->data_first_seen_dir != 0);\
1058 \
1059  /* handshake */\
1060  p->tcph->th_ack = htonl(1);\
1061  p->tcph->th_flags = TH_SYN | TH_ACK;\
1062  p->flowflags = FLOW_PKT_TOCLIENT;\
1063  p->payload_len = 0;\
1064  p->payload = NULL;\
1065  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1066  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1067  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1068  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1069  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1070  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1071  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1072  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1073  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1074  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1075  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1076  FAIL_IF(ssn->data_first_seen_dir != 0);\
1077 \
1078  /* handshake */\
1079  p->tcph->th_ack = htonl(1);\
1080  p->tcph->th_seq = htonl(1);\
1081  p->tcph->th_flags = TH_ACK;\
1082  p->flowflags = FLOW_PKT_TOSERVER;\
1083  p->payload_len = 0;\
1084  p->payload = NULL;\
1085  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1086  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1087  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1088  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1089  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1090  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1091  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1092  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1093  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1094  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1095  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1096  FAIL_IF(ssn->data_first_seen_dir != 0);
1097 #define TEST_END \
1098  StreamTcpSessionClear(p->flow->protoctx);\
1099  StreamTcpThreadDeinit(&tv, (void *)stt); \
1100  StreamTcpFreeConfig(TRUE);\
1101  PACKET_DESTRUCTOR(p);\
1102  SCFree(p);\
1103  FLOW_DESTROY(&f); \
1104  StatsThreadCleanup(&tv);
1105 
1106 /**
1107  * \test GET -> HTTP/1.1
1108  */
1109 static int AppLayerTest01(void)
1110 {
1111  TEST_START;
1112 
1113  /* full request */
1114  uint8_t request[] = {
1115  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1116  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1117  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1118  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1119  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1120  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1121  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1122  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1123  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1124  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1125  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1126  p->tcph->th_ack = htonl(1);
1127  p->tcph->th_seq = htonl(1);
1128  p->tcph->th_flags = TH_PUSH | TH_ACK;
1130  p->payload_len = sizeof(request);
1131  p->payload = request;
1132  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1144 
1145  /* full response - request ack */
1146  uint8_t response[] = {
1147  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1148  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1149  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1150  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1151  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1152  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1153  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1154  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1155  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1156  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1157  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1158  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1159  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1160  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1161  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1162  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1163  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1164  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1165  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1166  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1167  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1168  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1169  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1170  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1171  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1172  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1173  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1174  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1175  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1176  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1177  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1178  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1179  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1180  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1181  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1182  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1183  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1184  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1185  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1186  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1187  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1188  p->tcph->th_ack = htonl(88);
1189  p->tcph->th_seq = htonl(1);
1190  p->tcph->th_flags = TH_PUSH | TH_ACK;
1192  p->payload_len = sizeof(response);
1193  p->payload = response;
1194  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1206 
1207  /* response ack */
1208  p->tcph->th_ack = htonl(328);
1209  p->tcph->th_seq = htonl(88);
1210  p->tcph->th_flags = TH_ACK;
1212  p->payload_len = 0;
1213  p->payload = NULL;
1214  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1226 
1227  TEST_END;
1228  PASS;
1229 }
1230 
1231 /**
1232  * \test GE -> T -> HTTP/1.1
1233  */
1234 static int AppLayerTest02(void)
1235 {
1236  TEST_START;
1237 
1238  /* partial request */
1239  uint8_t request1[] = { 0x47, 0x45, };
1240  p->tcph->th_ack = htonl(1);
1241  p->tcph->th_seq = htonl(1);
1242  p->tcph->th_flags = TH_PUSH | TH_ACK;
1244  p->payload_len = sizeof(request1);
1245  p->payload = request1;
1246  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1258 
1259  /* response ack against partial request */
1260  p->tcph->th_ack = htonl(3);
1261  p->tcph->th_seq = htonl(1);
1262  p->tcph->th_flags = TH_ACK;
1264  p->payload_len = 0;
1265  p->payload = NULL;
1266  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1278 
1279  /* complete partial request */
1280  uint8_t request2[] = {
1281  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1282  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1283  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1284  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1285  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1286  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1287  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1288  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1289  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1290  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1291  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1292  p->tcph->th_ack = htonl(1);
1293  p->tcph->th_seq = htonl(3);
1294  p->tcph->th_flags = TH_PUSH | TH_ACK;
1296  p->payload_len = sizeof(request2);
1297  p->payload = request2;
1298  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1310 
1311  /* response - request ack */
1312  uint8_t response[] = {
1313  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1314  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1315  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1316  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1317  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1318  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1319  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1320  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1321  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1322  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1323  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1324  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1325  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1326  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1327  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1328  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1329  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1330  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1331  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1332  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1333  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1334  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1335  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1336  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1337  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1338  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1339  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1340  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1341  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1342  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1343  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1344  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1345  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1346  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1347  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1348  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1349  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1350  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1351  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1352  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1353  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1354  p->tcph->th_ack = htonl(88);
1355  p->tcph->th_seq = htonl(1);
1356  p->tcph->th_flags = TH_PUSH | TH_ACK;
1358  p->payload_len = sizeof(response);
1359  p->payload = response;
1360  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1372 
1373  /* response ack */
1374  p->tcph->th_ack = htonl(328);
1375  p->tcph->th_seq = htonl(88);
1376  p->tcph->th_flags = TH_ACK;
1378  p->payload_len = 0;
1379  p->payload = NULL;
1380  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1392 
1393  TEST_END;
1394  PASS;
1395 }
1396 
1397 /**
1398  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1399  */
1400 static int AppLayerTest03(void)
1401 {
1402  TEST_START;
1403 
1404  /* request */
1405  uint8_t request[] = {
1406  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1407  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1408  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1409  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1410  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1411  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1412  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1413  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1414  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1415  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1416  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1417  p->tcph->th_ack = htonl(1);
1418  p->tcph->th_seq = htonl(1);
1419  p->tcph->th_flags = TH_PUSH | TH_ACK;
1421  p->payload_len = sizeof(request);
1422  p->payload = request;
1423  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1435 
1436  /* rubbish response */
1437  uint8_t response[] = {
1438  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1439  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1440  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1441  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1442  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1443  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1444  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1445  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1446  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1447  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1448  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1449  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1450  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1451  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1452  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1453  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1454  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1455  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1456  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1457  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1458  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1459  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1460  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1461  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1462  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1463  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1464  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1465  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1466  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1467  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1468  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1469  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1470  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1471  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1472  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1473  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1474  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1475  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1476  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1477  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1478  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1479  p->tcph->th_ack = htonl(88);
1480  p->tcph->th_seq = htonl(1);
1481  p->tcph->th_flags = TH_PUSH | TH_ACK;
1483  p->payload_len = sizeof(response);
1484  p->payload = response;
1485  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1497 
1498  /* response ack */
1499  p->tcph->th_ack = htonl(328);
1500  p->tcph->th_seq = htonl(88);
1501  p->tcph->th_flags = TH_ACK;
1503  p->payload_len = 0;
1504  p->payload = NULL;
1505  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1517 
1518  TEST_END;
1519  PASS;
1520 }
1521 
1522 /**
1523  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1524  */
1525 static int AppLayerTest04(void)
1526 {
1527  TEST_START;
1528 
1529  /* request */
1530  uint8_t request[] = {
1531  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1532  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1533  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1534  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1535  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1536  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1537  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1538  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1539  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1540  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1541  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1542  PrintRawDataFp(stdout, request, sizeof(request));
1543  p->tcph->th_ack = htonl(1);
1544  p->tcph->th_seq = htonl(1);
1545  p->tcph->th_flags = TH_PUSH | TH_ACK;
1547  p->payload_len = sizeof(request);
1548  p->payload = request;
1549  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1560  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1561 
1562  /* partial response */
1563  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1564  PrintRawDataFp(stdout, response1, sizeof(response1));
1565  p->tcph->th_ack = htonl(88);
1566  p->tcph->th_seq = htonl(1);
1567  p->tcph->th_flags = TH_PUSH | TH_ACK;
1569  p->payload_len = sizeof(response1);
1570  p->payload = response1;
1571  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1574  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1575  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1582  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1583 
1584  /* partial response ack */
1585  p->tcph->th_ack = htonl(5);
1586  p->tcph->th_seq = htonl(88);
1587  p->tcph->th_flags = TH_ACK;
1589  p->payload_len = 0;
1590  p->payload = NULL;
1591  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1594  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1595  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1601  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1602  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1603 
1604  /* remaining response */
1605  uint8_t response2[] = {
1606  0x2f, 0x31, 0x2e, 0x31,
1607  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1608  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1609  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1610  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1611  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1612  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1613  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1614  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1615  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1616  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1617  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1618  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1619  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1620  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1621  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1622  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1623  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1624  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1625  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1626  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1627  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1628  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1629  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1630  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1631  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1632  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1633  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1634  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1635  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1636  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1637  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1638  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1639  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1640  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1641  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1642  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1643  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1644  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1645  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1646  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1647  PrintRawDataFp(stdout, response2, sizeof(response2));
1648  p->tcph->th_ack = htonl(88);
1649  p->tcph->th_seq = htonl(5);
1650  p->tcph->th_flags = TH_PUSH | TH_ACK;
1652  p->payload_len = sizeof(response2);
1653  p->payload = response2;
1654  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1657  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1658  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1664  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1665  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1666 
1667  /* response ack */
1668  p->tcph->th_ack = htonl(328);
1669  p->tcph->th_seq = htonl(88);
1670  p->tcph->th_flags = TH_ACK;
1672  p->payload_len = 0;
1673  p->payload = NULL;
1674  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1675  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1677  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1678  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1679  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1684  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1685  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1686 
1687  TEST_END;
1688  PASS;
1689 }
1690 
1691 /**
1692  * \test RUBBISH -> HTTP/1.1
1693  */
1694 static int AppLayerTest05(void)
1695 {
1696  TEST_START;
1697 
1698  /* full request */
1699  uint8_t request[] = {
1700  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1701  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1702  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1703  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1704  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1705  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1706  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1707  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1708  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1709  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1710  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1711  PrintRawDataFp(stdout, request, sizeof(request));
1712  p->tcph->th_ack = htonl(1);
1713  p->tcph->th_seq = htonl(1);
1714  p->tcph->th_flags = TH_PUSH | TH_ACK;
1716  p->payload_len = sizeof(request);
1717  p->payload = request;
1718  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1730 
1731  /* full response - request ack */
1732  uint8_t response[] = {
1733  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1734  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1735  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1736  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1737  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1738  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1739  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1740  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1741  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1742  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1743  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1744  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1745  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1746  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1747  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1748  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1749  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1750  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1751  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1752  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1753  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1754  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1755  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1756  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1757  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1758  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1759  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1760  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1761  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1762  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1763  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1764  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1765  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1766  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1767  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1768  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1769  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1770  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1771  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1772  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1773  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1774  PrintRawDataFp(stdout, response, sizeof(response));
1775  p->tcph->th_ack = htonl(88);
1776  p->tcph->th_seq = htonl(1);
1777  p->tcph->th_flags = TH_PUSH | TH_ACK;
1779  p->payload_len = sizeof(response);
1780  p->payload = response;
1781  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1793 
1794  /* response ack */
1795  p->tcph->th_ack = htonl(328);
1796  p->tcph->th_seq = htonl(88);
1797  p->tcph->th_flags = TH_ACK;
1799  p->payload_len = 0;
1800  p->payload = NULL;
1801  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1813 
1814  TEST_END;
1815  PASS;
1816 }
1817 
1818 /**
1819  * \test HTTP/1.1 -> GET
1820  */
1821 static int AppLayerTest06(void)
1822 {
1823  TEST_START;
1824 
1825  /* full response - request ack */
1826  uint8_t response[] = {
1827  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1828  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1829  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1830  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1831  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1832  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1833  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1834  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1835  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1836  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1837  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1838  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1839  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1840  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1841  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1842  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1843  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1844  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1845  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1846  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1847  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1848  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1849  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1850  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1851  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1852  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1853  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1854  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1855  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1856  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1857  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1858  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1859  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1860  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1861  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1862  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1863  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1864  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1865  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1866  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1867  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1868  p->tcph->th_ack = htonl(1);
1869  p->tcph->th_seq = htonl(1);
1870  p->tcph->th_flags = TH_PUSH | TH_ACK;
1872  p->payload_len = sizeof(response);
1873  p->payload = response;
1874  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1886 
1887  /* full request - response ack*/
1888  uint8_t request[] = {
1889  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1890  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1891  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1892  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1893  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1894  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1895  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1896  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1897  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1898  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1899  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1900  p->tcph->th_ack = htonl(328);
1901  p->tcph->th_seq = htonl(1);
1902  p->tcph->th_flags = TH_PUSH | TH_ACK;
1904  p->payload_len = sizeof(request);
1905  p->payload = request;
1906  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1918 
1919  p->tcph->th_ack = htonl(1 + sizeof(request));
1920  p->tcph->th_seq = htonl(328);
1921  p->tcph->th_flags = TH_PUSH | TH_ACK;
1923  p->payload_len = 0;
1924  p->payload = NULL;
1925  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1937 
1938  TEST_END;
1939  PASS;
1940 }
1941 
1942 /**
1943  * \test GET -> DCERPC
1944  */
1945 static int AppLayerTest07(void)
1946 {
1947  TEST_START;
1948 
1949  /* full request */
1950  uint8_t request[] = {
1951  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1952  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1953  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1954  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1955  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1956  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1957  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1958  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1959  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1960  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1961  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1962  p->tcph->th_ack = htonl(1);
1963  p->tcph->th_seq = htonl(1);
1964  p->tcph->th_flags = TH_PUSH | TH_ACK;
1966  p->payload_len = sizeof(request);
1967  p->payload = request;
1968  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1980 
1981  /* full response - request ack */
1982  uint8_t response[] = {
1983  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1984  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1985  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1986  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1987  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1988  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1989  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1990  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1991  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1992  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1993  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1994  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1995  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1996  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1997  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1998  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1999  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2000  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2001  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2002  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2003  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2004  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2005  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2006  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2007  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2008  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2009  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2010  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2011  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2012  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2013  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2014  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2015  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2016  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2017  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2018  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2019  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2020  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2021  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2022  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2023  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2024  p->tcph->th_ack = htonl(88);
2025  p->tcph->th_seq = htonl(1);
2026  p->tcph->th_flags = TH_PUSH | TH_ACK;
2028  p->payload_len = sizeof(response);
2029  p->payload = response;
2030  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2042 
2043  /* response ack */
2044  p->tcph->th_ack = htonl(328);
2045  p->tcph->th_seq = htonl(88);
2046  p->tcph->th_flags = TH_ACK;
2048  p->payload_len = 0;
2049  p->payload = NULL;
2050  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2062 
2063  TEST_END;
2064  PASS;
2065 }
2066 
2067 /**
2068  * \test SMB -> HTTP/1.1
2069  */
2070 static int AppLayerTest08(void)
2071 {
2072  TEST_START;
2073 
2074  /* full request */
2075  uint8_t request[] = {
2076  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2077  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2078  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2079  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2080  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2081  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2082  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2083  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2084  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2085  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2086  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2087  p->tcph->th_ack = htonl(1);
2088  p->tcph->th_seq = htonl(1);
2089  p->tcph->th_flags = TH_PUSH | TH_ACK;
2091  p->payload_len = sizeof(request);
2092  p->payload = request;
2093  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2105 
2106  /* full response - request ack */
2107  uint8_t response[] = {
2108  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2109  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2110  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2111  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2112  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2113  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2114  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2115  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2116  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2117  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2118  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2119  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2120  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2121  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2122  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2123  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2124  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2125  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2126  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2127  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2128  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2129  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2130  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2131  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2132  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2133  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2134  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2135  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2136  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2137  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2138  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2139  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2140  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2141  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2142  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2143  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2144  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2145  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2146  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2147  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2148  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2149  p->tcph->th_ack = htonl(88);
2150  p->tcph->th_seq = htonl(1);
2151  p->tcph->th_flags = TH_PUSH | TH_ACK;
2153  p->payload_len = sizeof(response);
2154  p->payload = response;
2155  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2167 
2168  /* response ack */
2169  p->tcph->th_ack = htonl(328);
2170  p->tcph->th_seq = htonl(88);
2171  p->tcph->th_flags = TH_ACK;
2173  p->payload_len = 0;
2174  p->payload = NULL;
2175  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2187 
2188  TEST_END;
2189  PASS;
2190 }
2191 
2192 /**
2193  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2194  * RUBBISH(TC - PM and PP DONE) ->
2195  * RUBBISH(TS - PM and PP DONE)
2196  */
2197 static int AppLayerTest09(void)
2198 {
2199  TEST_START;
2200 
2201  /* full request */
2202  uint8_t request1[] = {
2203  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2204  p->tcph->th_ack = htonl(1);
2205  p->tcph->th_seq = htonl(1);
2206  p->tcph->th_flags = TH_PUSH | TH_ACK;
2208  p->payload_len = sizeof(request1);
2209  p->payload = request1;
2210  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2222 
2223  /* response - request ack */
2224  p->tcph->th_ack = htonl(9);
2225  p->tcph->th_seq = htonl(1);
2226  p->tcph->th_flags = TH_PUSH | TH_ACK;
2228  p->payload_len = 0;
2229  p->payload = NULL;
2230  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2242 
2243  /* full request */
2244  uint8_t request2[] = {
2245  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2246  p->tcph->th_ack = htonl(1);
2247  p->tcph->th_seq = htonl(9);
2248  p->tcph->th_flags = TH_PUSH | TH_ACK;
2250  p->payload_len = sizeof(request2);
2251  p->payload = request2;
2252  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2264 
2265  /* full response - request ack */
2266  uint8_t response[] = {
2267  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2268  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2269  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2270  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2271  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2272  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2273  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2274  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2275  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2276  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2277  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2278  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2279  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2280  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2281  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2282  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2283  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2284  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2285  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2286  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2287  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2288  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2289  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2290  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2291  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2292  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2293  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2294  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2295  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2296  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2297  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2298  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2299  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2300  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2301  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2302  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2303  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2304  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2305  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2306  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2307  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2308  p->tcph->th_ack = htonl(18);
2309  p->tcph->th_seq = htonl(1);
2310  p->tcph->th_flags = TH_PUSH | TH_ACK;
2312  p->payload_len = sizeof(response);
2313  p->payload = response;
2314  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2326 
2327  /* response ack */
2328  p->tcph->th_ack = htonl(328);
2329  p->tcph->th_seq = htonl(18);
2330  p->tcph->th_flags = TH_ACK;
2332  p->payload_len = 0;
2333  p->payload = NULL;
2334  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2346 
2347  TEST_END;
2348  PASS;
2349 }
2350 
2351 /**
2352  * \test RUBBISH(TC - PM and PP DONE) ->
2353  * RUBBISH(TS - PM and PP DONE)
2354  */
2355 static int AppLayerTest10(void)
2356 {
2357  TEST_START;
2358 
2359  /* full request */
2360  uint8_t request1[] = {
2361  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2362  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2363  p->tcph->th_ack = htonl(1);
2364  p->tcph->th_seq = htonl(1);
2365  p->tcph->th_flags = TH_PUSH | TH_ACK;
2367  p->payload_len = sizeof(request1);
2368  p->payload = request1;
2369  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2381 
2382  /* response - request ack */
2383  p->tcph->th_ack = htonl(18);
2384  p->tcph->th_seq = htonl(1);
2385  p->tcph->th_flags = TH_PUSH | TH_ACK;
2387  p->payload_len = 0;
2388  p->payload = NULL;
2389  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2401 
2402  /* full response - request ack */
2403  uint8_t response[] = {
2404  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2405  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2406  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2407  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2408  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2409  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2410  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2411  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2412  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2413  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2414  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2415  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2416  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2417  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2418  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2419  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2420  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2421  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2422  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2423  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2424  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2425  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2426  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2427  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2428  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2429  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2430  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2431  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2432  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2433  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2434  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2435  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2436  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2437  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2438  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2439  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2440  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2441  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2442  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2443  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2444  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2445  p->tcph->th_ack = htonl(18);
2446  p->tcph->th_seq = htonl(1);
2447  p->tcph->th_flags = TH_PUSH | TH_ACK;
2449  p->payload_len = sizeof(response);
2450  p->payload = response;
2451  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2463 
2464  /* response ack */
2465  p->tcph->th_ack = htonl(328);
2466  p->tcph->th_seq = htonl(18);
2467  p->tcph->th_flags = TH_ACK;
2469  p->payload_len = 0;
2470  p->payload = NULL;
2471  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2483 
2484  TEST_END;
2485  PASS;
2486 }
2487 
2488 /**
2489  * \test RUBBISH(TC - PM and PP DONE) ->
2490  * RUBBISH(TS - PM and PP NOT DONE) ->
2491  * RUBBISH(TS - PM and PP DONE)
2492  */
2493 static int AppLayerTest11(void)
2494 {
2495  TEST_START;
2496 
2497  /* full request */
2498  uint8_t request1[] = {
2499  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2500  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2501  p->tcph->th_ack = htonl(1);
2502  p->tcph->th_seq = htonl(1);
2503  p->tcph->th_flags = TH_PUSH | TH_ACK;
2505  p->payload_len = sizeof(request1);
2506  p->payload = request1;
2507  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2519 
2520  /* response - request ack */
2521  p->tcph->th_ack = htonl(18);
2522  p->tcph->th_seq = htonl(1);
2523  p->tcph->th_flags = TH_PUSH | TH_ACK;
2525  p->payload_len = 0;
2526  p->payload = NULL;
2527  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2539 
2540  /* full response - request ack */
2541  uint8_t response1[] = {
2542  0x55, 0x74, 0x54, 0x50, };
2543  p->tcph->th_ack = htonl(18);
2544  p->tcph->th_seq = htonl(1);
2545  p->tcph->th_flags = TH_PUSH | TH_ACK;
2547  p->payload_len = sizeof(response1);
2548  p->payload = response1;
2549  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2561 
2562  /* response ack from request */
2563  p->tcph->th_ack = htonl(5);
2564  p->tcph->th_seq = htonl(18);
2565  p->tcph->th_flags = TH_ACK;
2567  p->payload_len = 0;
2568  p->payload = NULL;
2569  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2581 
2582  uint8_t response2[] = {
2583  0x2f, 0x31, 0x2e, 0x31,
2584  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2585  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2586  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2587  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2588  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2589  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2590  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2591  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2592  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2593  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2594  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2595  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2596  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2597  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2598  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2599  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2600  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2601  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2602  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2603  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2604  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2605  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2606  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2607  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2608  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2609  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2610  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2611  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2612  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2613  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2614  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2615  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2616  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2617  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2618  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2619  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2620  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2621  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2622  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2623  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2624  p->tcph->th_ack = htonl(18);
2625  p->tcph->th_seq = htonl(5);
2626  p->tcph->th_flags = TH_PUSH | TH_ACK;
2628  p->payload_len = sizeof(response2);
2629  p->payload = response2;
2630  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2642 
2643  /* response ack from request */
2644  p->tcph->th_ack = htonl(328);
2645  p->tcph->th_seq = htonl(18);
2646  p->tcph->th_flags = TH_ACK;
2648  p->payload_len = 0;
2649  p->payload = NULL;
2650  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2662 
2663  TEST_END;
2664  PASS;
2665 }
2666 
2668 {
2669  SCEnter();
2670 
2671  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2672  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2673  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2674  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2675  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2676  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2677  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2678  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2679  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2680  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2681  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2682 
2683  SCReturn;
2684 }
2685 
2686 #endif /* UNITTESTS */
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:82
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:281
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:202
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:243
TcpStream_
Definition: stream-tcp-private.h:94
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerCounters_
Definition: app-layer.c:81
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:142
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1827
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:141
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:83
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:89
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:573
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:997
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:909
Flow_::proto
uint8_t proto
Definition: flow.h:372
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:77
Packet_::payload
uint8_t * payload
Definition: decode.h:552
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6278
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:450
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:350
Flow_::protomap
uint8_t protomap
Definition: flow.h:452
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1110
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:188
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:972
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:463
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:169
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:904
AppLayerCounterNames_
Definition: app-layer.c:76
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1473
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:222
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5873
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2667
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:819
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:926
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:446
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:72
Flow_::protoctx
void * protoctx
Definition: flow.h:448
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:553
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:579
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:805
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
STREAM_START
#define STREAM_START
Definition: stream.h:29
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:854
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1150
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:75
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:272
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:482
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1576
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:839
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1199
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:175
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:581
AppLayerParserState_
Definition: app-layer-parser.c:155
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
STREAM_HAS_SEEN_DATA
#define STREAM_HAS_SEEN_DATA(stream)
Definition: stream-tcp-private.h:92
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:273
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:916
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:456
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:866
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4780
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:925
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1968
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TEST_START
#define TEST_START
Definition: app-layer.c:1014
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:103
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:219
SCReturn
#define SCReturn
Definition: util-debug.h:302
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:280
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:415
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:734
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:175
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:223
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:466
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1195
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:282
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:532
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1857
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:102
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1151
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1452
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:261
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2175
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1530
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2048
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2145
str
#define str(s)
Definition: suricata-common.h:268
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:398
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:458
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6284
Flow_::alstate
void * alstate
Definition: flow.h:483
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:888
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:428
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:812
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:114
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:67
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:246
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:188
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1097
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2102
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:87
STREAM_RIGHT_EDGE
#define STREAM_RIGHT_EDGE(stream)
Definition: stream-tcp-private.h:90
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:77
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:212
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:459
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:73
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1633
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:457
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:999
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2170
app-layer.h