suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
70 #endif
71 };
72 
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74 
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
80 
81 typedef struct AppLayerCounters_ {
82  uint16_t counter_id;
83  uint16_t counter_tx_id;
85 
86 /* counter names. Only used at init. */
88 /* counter id's. Used that runtime. */
90 
91 void AppLayerSetupCounters(void);
92 void AppLayerDeSetupCounters(void);
93 
94 /***** L7 layer dispatchers *****/
95 
96 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
97  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
99  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
100 }
101 
102 /**
103  * \note id can be 0 if protocol parser is disabled but detection
104  * is enabled.
105  */
106 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
107 {
108  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
109  if (likely(tv && id > 0)) {
110  StatsIncr(tv, id);
111  }
112 }
113 
114 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
115 {
116  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
117  if (likely(tv && id > 0)) {
118  StatsAddUI64(tv, id, step);
119  }
120 }
121 
122 /* in IDS mode protocol detection is done in reverse order:
123  * when TCP data is ack'd. We want to flag the correct packet,
124  * so in this case we set a flag in the flow so that the first
125  * packet in the correct direction can be tagged.
126  *
127  * For IPS things are much simpler, and we don't use the flow
128  * flag. We just tag the packet directly. */
129 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
130 {
131  if (EngineModeIsIPS()) {
132  if (flags & STREAM_TOSERVER) {
133  if (p->flowflags & FLOW_PKT_TOSERVER) {
135  } else {
137  }
138  } else {
139  if (p->flowflags & FLOW_PKT_TOCLIENT) {
141  } else {
143  }
144  }
145  } else {
146  if (flags & STREAM_TOSERVER) {
148  } else {
150  }
151  }
152 }
153 
154 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
155 {
156  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
157  f, f->alproto, f->alproto_ts, f->alproto_tc);
160  TcpSession *ssn = f->protoctx;
162  f->alproto = ALPROTO_FAILED;
163  AppLayerIncFlowCounter(tv, f);
164 
165  if (f->alproto_tc != ALPROTO_FAILED) {
166  if (f->alproto_tc == ALPROTO_UNKNOWN) {
168  }
169  FlagPacketFlow(p, f, STREAM_TOCLIENT);
170  }
171  if (f->alproto_ts != ALPROTO_FAILED) {
172  if (f->alproto_ts == ALPROTO_UNKNOWN) {
174  }
175  FlagPacketFlow(p, f, STREAM_TOSERVER);
176  }
177  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
178  f, f->alproto, f->alproto_ts, f->alproto_tc);
179 }
180 
181 /* See if we're going to have to give up:
182  *
183  * If we're getting a lot of data in one direction and the
184  * proto for this direction is unknown, proto detect will
185  * hold up segments in the segment list in the stream.
186  * They are held so that if we detect the protocol on the
187  * opposing stream, we can still parse this side of the stream
188  * as well. However, some sessions are very unbalanced. FTP
189  * data channels, large PUT/POST request and many others, can
190  * lead to cases where we would have to store many megabytes
191  * worth of segments before we see the opposing stream. This
192  * leads to risks of resource starvation.
193  *
194  * Here a cutoff point is enforced. If we've stored 100k in
195  * one direction and we've seen no data in the other direction,
196  * we give up.
197  *
198  * Giving up means we disable applayer an set an applayer event
199  */
200 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
201  Flow *f, TcpSession *ssn, Packet *p)
202 {
203  if (ssn->state < TCP_ESTABLISHED) {
204  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
205  return;
206  }
207 
208  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
209  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
210  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
211 
212  /* at least 100000 whatever the conditions
213  * and can be more if window is bigger and if configuration allows it */
214  const uint32_t size_tc_limit =
216  const uint32_t size_ts_limit =
218 
219  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
220  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
221  {
222  goto failure;
223 
224  /* we bail out whatever the pp and pm states if
225  * we received too much data */
226  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
228  goto failure;
229 
231  size_ts > size_ts_limit && size_tc == 0) {
234  goto failure;
235 
237  size_tc > size_tc_limit && size_ts == 0) {
240  goto failure;
241 
242  /* little data in ts direction, pp done, pm not done (max
243  * depth not reached), ts direction done, lots of data in
244  * tc direction. */
245  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
250  goto failure;
251 
252  /* little data in tc direction, pp done, pm not done (max
253  * depth not reached), tc direction done, lots of data in
254  * ts direction. */
255  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
260  goto failure;
261  }
262  return;
263 
264 failure:
265  DisableAppLayer(tv, f, p);
266  return;
267 }
268 
269 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
270  TcpReassemblyThreadCtx *ra_ctx,
271  Packet *p, TcpSession *ssn, TcpStream *stream)
272 {
273  TcpStream *opposing_stream = NULL;
274  if (stream == &ssn->client) {
275  opposing_stream = &ssn->server;
276  } else {
277  opposing_stream = &ssn->client;
278  }
279 
280  /* if the opposing side is not going to work, then
281  * we just have to give up. */
282  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
283  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
284  return -1;
285  }
286 
287  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
290  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
291  opposing_stream, p, dir);
292  return ret;
293 }
294 
295 /** \todo data const
296  * \retval int -1 error
297  * \retval int 0 ok
298  */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306  int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
307 
308  if (flags & STREAM_TOSERVER) {
309  alproto = &f->alproto_ts;
310  alproto_otherdir = &f->alproto_tc;
311  } else {
312  alproto = &f->alproto_tc;
313  alproto_otherdir = &f->alproto_ts;
314  }
315 
316  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
317 #ifdef PRINT
318  if (data_len > 0) {
319  printf("=> Init Stream Data (app layer) -- start %s%s\n",
320  flags & STREAM_TOCLIENT ? "toclient" : "",
321  flags & STREAM_TOSERVER ? "toserver" : "");
322  PrintRawDataFp(stdout, data, data_len);
323  printf("=> Init Stream Data -- end\n");
324  }
325 #endif
326 
327  bool reverse_flow = false;
329  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
330  f, data, data_len,
331  IPPROTO_TCP, flags, &reverse_flow);
332  PACKET_PROFILING_APP_PD_END(app_tctx);
333  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
334 
335  if (*alproto != ALPROTO_UNKNOWN) {
336  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
339 
341  /* if we already invoked the parser, we go with that proto */
342  f->alproto = *alproto_otherdir;
343  } else {
344  /* no data sent to parser yet, we can still choose
345  * we're trusting the server more. */
346  if (flags & STREAM_TOCLIENT)
347  f->alproto = *alproto;
348  else
349  f->alproto = *alproto_otherdir;
350  }
351  } else {
352  f->alproto = *alproto;
353  }
354 
358  FlagPacketFlow(p, f, flags);
359  /* if protocol detection indicated that we need to reverse
360  * the direction of the flow, do it now. We flip the flow,
361  * packet and the direction flags */
362  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
363  SCLogDebug("reversing flow after proto detect told us so");
364  PacketSwap(p);
365  FlowSwap(f);
367  if (*stream == &ssn->client) {
368  *stream = &ssn->server;
369  } else {
370  *stream = &ssn->client;
371  }
372  direction = 1 - direction;
373  }
374 
375  /* account flow if we have both sides */
376  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
377  AppLayerIncFlowCounter(tv, f);
378  }
379 
380  /* if we have seen data from the other direction first, send
381  * data for that direction first to the parser. This shouldn't
382  * be an issue, since each stream processing happens
383  * independently of the other stream direction. At this point of
384  * call, you need to know that this function's already being
385  * called by the very same StreamReassembly() function that we
386  * will now call shortly for the opposing direction. */
388  !(flags & ssn->data_first_seen_dir))
389  {
390  SCLogDebug("protocol %s needs first data in other direction",
391  AppProtoToString(*alproto));
392 
393  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
394  p, ssn, *stream) != 0)
395  {
396  DisableAppLayer(tv, f, p);
397  SCReturnInt(-1);
398  }
399  }
400 
401  /* if the parser operates such that it needs to see data from
402  * a particular direction first, we check if we have seen
403  * data from that direction first for the flow. IF it is not
404  * the same, we set an event and exit.
405  *
406  * \todo We need to figure out a more robust solution for this,
407  * as this can lead to easy evasion tactics, where the
408  * attackeer can first send some dummy data in the wrong
409  * direction first to mislead our proto detection process.
410  * While doing this we need to update the parsers as well,
411  * since the parsers must be robust to see such wrong
412  * direction data.
413  * Either ways the moment we see the
414  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
415  * flow, it shows something's fishy.
416  */
418  uint8_t first_data_dir;
419  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
420 
421  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
424  DisableAppLayer(tv, f, p);
425  SCReturnInt(-1);
426  }
427  /* This can happen if the current direction is not the
428  * right direction, and the data from the other(also
429  * the right direction) direction is available to be sent
430  * to the app layer, but it is not ack'ed yet and hence
431  * the forced call to STreamTcpAppLayerReassemble still
432  * hasn't managed to send data from the other direction
433  * to the app layer. */
434  if (first_data_dir && !(first_data_dir & flags)) {
440  SCReturnInt(-1);
441  }
442  }
443 
444  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
446 
447  /* finally, invoke the parser */
448  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
449  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
450  flags, data, data_len);
451  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
452  if (r < 0) {
453  SCReturnInt(-1);
454  } else if (r == 0) {
455  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
456  }
457  } else {
458  /* if the ssn is midstream, we may end up with a case where the
459  * start of an HTTP request is missing. We won't detect HTTP based
460  * on the request. However, the reply is fine, so we detect
461  * HTTP anyway. This leads to passing the incomplete request to
462  * the htp parser.
463  *
464  * This has been observed, where the http parser then saw many
465  * bogus requests in the incomplete data.
466  *
467  * To counter this case, a midstream session MUST find it's
468  * protocol in the toserver direction. If not, we assume the
469  * start of the request/toserver is incomplete and no reliable
470  * detection and parsing is possible. So we give up.
471  */
472  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
474  {
476  SCLogDebug("midstream end pd %p", ssn);
477  /* midstream and toserver detection failed: give up */
478  DisableAppLayer(tv, f, p);
479  SCReturnInt(0);
480  }
481  }
482 
483  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
484  uint8_t first_data_dir;
485  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
486 
487  /* this would handle this test case -
488  * http parser which says it wants to see toserver data first only.
489  * tcp handshake
490  * toclient data first received. - RUBBISH DATA which
491  * we don't detect as http
492  * toserver data next sent - we detect this as http.
493  * at this stage we see that toclient is the first data seen
494  * for this session and we try and redetect the app protocol,
495  * but we are unable to detect the app protocol like before.
496  * But since we have managed to detect the protocol for the
497  * other direction as http, we try to use that. At this
498  * stage we check if the direction of this stream matches
499  * to that acceptable by the app parser. If it is not the
500  * acceptable direction we error out.
501  */
503  (first_data_dir) && !(first_data_dir & flags))
504  {
505  DisableAppLayer(tv, f, p);
506  SCReturnInt(-1);
507  }
508 
509  /* if protocol detection is marked done for our direction we
510  * pass our data on. We're only succeeded in finding one
511  * direction: the opposing stream
512  *
513  * If PD was not yet complete, we don't do anything.
514  */
515  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
516  if (data_len > 0)
518 
519  if (*alproto_otherdir != ALPROTO_FAILED) {
520  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
521  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
522  f->alproto, flags,
523  data, data_len);
524  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
525  if (r == 0) {
526  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
527  }
528 
533 
534  *alproto = *alproto_otherdir;
535  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
536  p->pcap_cnt, *alproto, *alproto_otherdir, r);
537  if (r < 0) {
538  SCReturnInt(-1);
539  }
540  }
541  *alproto = ALPROTO_FAILED;
543  AppLayerIncFlowCounter(tv, f);
544  FlagPacketFlow(p, f, flags);
545 
546  }
547  } else {
548  /* both sides unknown, let's see if we need to give up */
549  if (FlowChangeProto(f)) {
550  /* TCPProtoDetectCheckBailConditions does not work well because
551  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
552  * so, we set a lower limit to the data we inspect
553  * We could instead have set ssn->server.sb.stream_offset = 0;
554  */
555  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
556  DisableAppLayer(tv, f, p);
557  }
558  } else {
559  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
560  }
561  }
562  }
563  SCReturnInt(0);
564 }
565 
566 /** \brief handle TCP data for the app-layer.
567  *
568  * First run protocol detection and then when the protocol is known invoke
569  * the app layer parser.
570  *
571  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
572  * reversed.
573  */
575  Packet *p, Flow *f,
576  TcpSession *ssn, TcpStream **stream,
577  uint8_t *data, uint32_t data_len,
578  uint8_t flags)
579 {
580  SCEnter();
581 
583  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
584 
585  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
586  AppProto alproto;
587  int r = 0;
588 
589  SCLogDebug("data_len %u flags %02X", data_len, flags);
591  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
592  goto end;
593  }
594 
595  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
596 
597  if (flags & STREAM_TOSERVER) {
598  alproto = f->alproto_ts;
599  } else {
600  alproto = f->alproto_tc;
601  }
602 
603  /* If a gap notification, relay the notification on to the
604  * app-layer if known. */
605  if (flags & STREAM_GAP) {
606  if (alproto == ALPROTO_UNKNOWN) {
608  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
609  /* if the other side didn't already find the proto, we're done */
610  if (f->alproto == ALPROTO_UNKNOWN) {
611  goto failure;
612  }
613  }
614  if (FlowChangeProto(f)) {
616  SCLogDebug("Cannot handle gap while changing protocol");
617  goto failure;
618  }
619  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
620  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
621  flags, data, data_len);
622  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
623  /* ignore parser result for gap */
624  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
625  goto end;
626  }
627 
628  /* if we don't know the proto yet and we have received a stream
629  * initializer message, we run proto detection.
630  * We receive 2 stream init msgs (one for each direction) but we
631  * only run the proto detection once. */
632  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
634  /* run protocol detection */
635  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
636  data, data_len, flags) != 0) {
637  goto failure;
638  }
639  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
640  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
641  void *alstate_orig = f->alstate;
642  AppLayerParserState *alparser = f->alparser;
643  // we delay AppLayerParserStateCleanup because we may need previous parser state
647  /* rerun protocol detection */
648  int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
649  if (f->alproto == ALPROTO_UNKNOWN) {
650  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
651  // not enough data, revert AppLayerProtoDetectReset to rerun detection
652  f->alparser = alparser;
653  f->alproto = f->alproto_orig;
654  f->alproto_tc = f->alproto_orig;
655  f->alproto_ts = f->alproto_orig;
656  } else {
658  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
659  if (alstate_orig == f->alstate) {
660  // we just freed it
661  f->alstate = NULL;
662  }
663  }
664  if (rd != 0) {
665  SCLogDebug("proto detect failure");
666  goto failure;
667  }
668  SCLogDebug("protocol change, old %s, new %s",
670 
671  if (f->alproto_expect != ALPROTO_UNKNOWN &&
672  f->alproto != f->alproto_expect)
673  {
676 
677  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
680 
681  }
682  }
683  } else {
684  SCLogDebug("stream data (len %" PRIu32 " alproto "
685  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
686 #ifdef PRINT
687  if (data_len > 0) {
688  printf("=> Stream Data (app layer) -- start %s%s\n",
689  flags & STREAM_TOCLIENT ? "toclient" : "",
690  flags & STREAM_TOSERVER ? "toserver" : "");
691  PrintRawDataFp(stdout, data, data_len);
692  printf("=> Stream Data -- end\n");
693  }
694 #endif
695  /* if we don't have a data object here we are not getting it
696  * a start msg should have gotten us one */
697  if (f->alproto != ALPROTO_UNKNOWN) {
698  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
699  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
700  flags, data, data_len);
701  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
702  if (r == 0) {
703  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
704  }
705  }
706  }
707 
708  goto end;
709  failure:
710  r = -1;
711  end:
712  SCReturnInt(r);
713 }
714 
715 /**
716  * \brief Handle a app layer UDP message
717  *
718  * If the protocol is yet unknown, the proto detection code is run first.
719  *
720  * \param dp_ctx Thread app layer detect context
721  * \param f *locked* flow
722  * \param p UDP packet
723  *
724  * \retval 0 ok
725  * \retval -1 error
726  */
728 {
729  SCEnter();
730 
731  if (f->alproto == ALPROTO_FAILED) {
732  SCReturnInt(0);
733  }
734 
735  int r = 0;
736  uint8_t flags = 0;
737  if (p->flowflags & FLOW_PKT_TOSERVER) {
739  } else {
741  }
742 
743  AppLayerProfilingReset(tctx);
744 
745  /* if the protocol is still unknown, run detection */
746  if (f->alproto == ALPROTO_UNKNOWN) {
747  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
748  p->payload_len);
749 
750  bool reverse_flow = false;
753  f, p->payload, p->payload_len,
754  IPPROTO_UDP, flags, &reverse_flow);
756 
757  if (f->alproto != ALPROTO_UNKNOWN) {
758  AppLayerIncFlowCounter(tv, f);
759 
760  if (reverse_flow) {
761  SCLogDebug("reversing flow after proto detect told us so");
762  PacketSwap(p);
763  FlowSwap(f);
765  }
766 
768  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
769  flags, p->payload, p->payload_len);
771  } else {
772  f->alproto = ALPROTO_FAILED;
773  AppLayerIncFlowCounter(tv, f);
774  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
775  }
777  /* we do only inspection in one direction, so flag both
778  * sides as done here */
779  FlagPacketFlow(p, f, STREAM_TOSERVER);
780  FlagPacketFlow(p, f, STREAM_TOCLIENT);
781  } else {
782  SCLogDebug("data (len %" PRIu32 " ), alproto "
783  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
784 
785  /* run the parser */
787  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
788  flags, p->payload, p->payload_len);
791  }
792 
793  SCReturnInt(r);
794 }
795 
796 /***** Utility *****/
797 
798 AppProto AppLayerGetProtoByName(char *alproto_name)
799 {
800  SCEnter();
802  SCReturnCT(r, "AppProto");
803 }
804 
805 const char *AppLayerGetProtoName(AppProto alproto)
806 {
807  SCEnter();
808  const char * r = AppLayerProtoDetectGetProtoName(alproto);
809  SCReturnCT(r, "char *");
810 }
811 
813 {
814  SCEnter();
815 
816  AppProto alproto;
817  AppProto alprotos[ALPROTO_MAX];
818 
820 
821  printf("=========Supported App Layer Protocols=========\n");
822  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
823  if (alprotos[alproto] == 1)
824  printf("%s\n", AppLayerGetProtoName(alproto));
825  }
826 
827  SCReturn;
828 }
829 
830 /***** Setup/General Registration *****/
831 
832 int AppLayerSetup(void)
833 {
834  SCEnter();
835 
838 
841 
843 
844  SCReturnInt(0);
845 }
846 
848 {
849  SCEnter();
850 
853 
855 
856  SCReturnInt(0);
857 }
858 
860 {
861  SCEnter();
862 
863  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
864  if (app_tctx == NULL)
865  goto error;
866  memset(app_tctx, 0, sizeof(*app_tctx));
867 
868  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
869  goto error;
870  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
871  goto error;
872 
873  goto done;
874  error:
875  AppLayerDestroyCtxThread(app_tctx);
876  app_tctx = NULL;
877  done:
878  SCReturnPtr(app_tctx, "void *");
879 }
880 
882 {
883  SCEnter();
884 
885  if (app_tctx == NULL)
886  SCReturn;
887 
888  if (app_tctx->alpd_tctx != NULL)
890  if (app_tctx->alp_tctx != NULL)
892  SCFree(app_tctx);
893 
894  SCReturn;
895 }
896 
898 {
899  PACKET_PROFILING_APP_RESET(app_tctx);
900 }
901 
903 {
904  PACKET_PROFILING_APP_STORE(app_tctx, p);
905 }
906 
907 /** \brief HACK to work around our broken unix manager (re)init loop
908  */
910 {
915  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
916 }
917 
918 #define IPPROTOS_MAX 2
920 {
921  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
922  uint8_t ipproto;
923  AppProto alproto;
924  AppProto alprotos[ALPROTO_MAX];
925  const char *str = "app_layer.flow.";
926 
928 
929  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
930  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
931  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
932  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
933 
934  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
935  if (alprotos[alproto] == 1) {
936  const char *tx_str = "app_layer.tx.";
937  const char *alproto_str = AppLayerGetProtoName(alproto);
938 
939  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
940  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
941  {
942  snprintf(applayer_counter_names[ipproto_map][alproto].name,
943  sizeof(applayer_counter_names[ipproto_map][alproto].name),
944  "%s%s%s", str, alproto_str, ipproto_suffix);
945  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
946  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
947  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
948  } else {
949  snprintf(applayer_counter_names[ipproto_map][alproto].name,
950  sizeof(applayer_counter_names[ipproto_map][alproto].name),
951  "%s%s", str, alproto_str);
952  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
953  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
954  "%s%s", tx_str, alproto_str);
955  }
956  } else if (alproto == ALPROTO_FAILED) {
957  snprintf(applayer_counter_names[ipproto_map][alproto].name,
958  sizeof(applayer_counter_names[ipproto_map][alproto].name),
959  "%s%s%s", str, "failed", ipproto_suffix);
960  }
961  }
962  }
963 }
964 
966 {
967  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
968  uint8_t ipproto;
969  AppProto alproto;
970  AppProto alprotos[ALPROTO_MAX];
971 
973 
974  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
975  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
976 
977  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
978  if (alprotos[alproto] == 1) {
979  applayer_counters[ipproto_map][alproto].counter_id =
980  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
981 
982  applayer_counters[ipproto_map][alproto].counter_tx_id =
983  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
984  } else if (alproto == ALPROTO_FAILED) {
985  applayer_counters[ipproto_map][alproto].counter_id =
986  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
987  }
988  }
989  }
990 }
991 
993 {
995  memset(applayer_counters, 0, sizeof(applayer_counters));
996 }
997 
998 /***** Unittests *****/
999 
1000 #ifdef UNITTESTS
1001 #include "pkt-var.h"
1002 #include "stream-tcp.h"
1003 #include "stream-tcp-util.h"
1004 #include "stream.h"
1005 #include "util-unittest.h"
1006 
1007 #define TEST_START \
1008  Packet *p = SCMalloc(SIZE_OF_PACKET); \
1009  FAIL_IF_NULL(p); \
1010  Flow f; \
1011  ThreadVars tv; \
1012  StreamTcpThread *stt = NULL; \
1013  TCPHdr tcph; \
1014  PacketQueueNoLock pq; \
1015  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1016  memset(p, 0, SIZE_OF_PACKET); \
1017  memset(&f, 0, sizeof(Flow)); \
1018  memset(&tv, 0, sizeof(ThreadVars)); \
1019  memset(&tcph, 0, sizeof(TCPHdr)); \
1020  \
1021  FLOW_INITIALIZE(&f); \
1022  f.flags = FLOW_IPV4; \
1023  f.proto = IPPROTO_TCP; \
1024  p->flow = &f; \
1025  p->tcph = &tcph; \
1026  \
1027  StreamTcpInitConfig(true); \
1028  IPPairInitConfig(true); \
1029  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1030  \
1031  /* handshake */ \
1032  tcph.th_win = htons(5480); \
1033  tcph.th_flags = TH_SYN; \
1034  p->flowflags = FLOW_PKT_TOSERVER; \
1035  p->payload_len = 0; \
1036  p->payload = NULL; \
1037  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1038  TcpSession *ssn = (TcpSession *)f.protoctx; \
1039  \
1040  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1041  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1042  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1043  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1044  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1045  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1046  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1047  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1048  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1049  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1050  FAIL_IF(ssn->data_first_seen_dir != 0); \
1051  \
1052  /* handshake */ \
1053  p->tcph->th_ack = htonl(1); \
1054  p->tcph->th_flags = TH_SYN | TH_ACK; \
1055  p->flowflags = FLOW_PKT_TOCLIENT; \
1056  p->payload_len = 0; \
1057  p->payload = NULL; \
1058  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1059  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1060  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1061  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1062  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1063  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1064  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1065  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1066  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1067  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1068  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1069  FAIL_IF(ssn->data_first_seen_dir != 0); \
1070  \
1071  /* handshake */ \
1072  p->tcph->th_ack = htonl(1); \
1073  p->tcph->th_seq = htonl(1); \
1074  p->tcph->th_flags = TH_ACK; \
1075  p->flowflags = FLOW_PKT_TOSERVER; \
1076  p->payload_len = 0; \
1077  p->payload = NULL; \
1078  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1079  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1080  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1081  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1082  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1083  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1084  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1085  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1086  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1087  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1088  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1089  FAIL_IF(ssn->data_first_seen_dir != 0);
1090 #define TEST_END \
1091  StreamTcpSessionClear(p->flow->protoctx); \
1092  StreamTcpThreadDeinit(&tv, (void *)stt); \
1093  StreamTcpFreeConfig(true); \
1094  PACKET_DESTRUCTOR(p); \
1095  SCFree(p); \
1096  FLOW_DESTROY(&f); \
1097  StatsThreadCleanup(&tv);
1098 
1099 /**
1100  * \test GET -> HTTP/1.1
1101  */
1102 static int AppLayerTest01(void)
1103 {
1104  TEST_START;
1105 
1106  /* full request */
1107  uint8_t request[] = {
1108  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1109  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1110  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1111  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1112  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1113  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1114  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1115  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1116  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1117  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1118  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1119  p->tcph->th_ack = htonl(1);
1120  p->tcph->th_seq = htonl(1);
1121  p->tcph->th_flags = TH_PUSH | TH_ACK;
1123  p->payload_len = sizeof(request);
1124  p->payload = request;
1125  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1137 
1138  /* full response - request ack */
1139  uint8_t response[] = {
1140  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1141  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1142  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1143  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1144  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1145  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1146  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1147  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1148  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1149  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1150  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1151  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1152  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1153  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1154  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1155  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1156  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1157  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1158  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1159  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1160  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1161  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1162  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1163  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1164  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1165  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1166  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1167  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1168  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1169  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1170  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1171  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1172  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1173  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1174  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1175  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1176  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1177  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1178  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1179  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1180  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1181  p->tcph->th_ack = htonl(88);
1182  p->tcph->th_seq = htonl(1);
1183  p->tcph->th_flags = TH_PUSH | TH_ACK;
1185  p->payload_len = sizeof(response);
1186  p->payload = response;
1187  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1199 
1200  /* response ack */
1201  p->tcph->th_ack = htonl(328);
1202  p->tcph->th_seq = htonl(88);
1203  p->tcph->th_flags = TH_ACK;
1205  p->payload_len = 0;
1206  p->payload = NULL;
1207  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1219 
1220  TEST_END;
1221  PASS;
1222 }
1223 
1224 /**
1225  * \test GE -> T -> HTTP/1.1
1226  */
1227 static int AppLayerTest02(void)
1228 {
1229  TEST_START;
1230 
1231  /* partial request */
1232  uint8_t request1[] = { 0x47, 0x45, };
1233  p->tcph->th_ack = htonl(1);
1234  p->tcph->th_seq = htonl(1);
1235  p->tcph->th_flags = TH_PUSH | TH_ACK;
1237  p->payload_len = sizeof(request1);
1238  p->payload = request1;
1239  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1251 
1252  /* response ack against partial request */
1253  p->tcph->th_ack = htonl(3);
1254  p->tcph->th_seq = htonl(1);
1255  p->tcph->th_flags = TH_ACK;
1257  p->payload_len = 0;
1258  p->payload = NULL;
1259  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1271 
1272  /* complete partial request */
1273  uint8_t request2[] = {
1274  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1275  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1276  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1277  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1278  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1279  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1280  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1281  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1282  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1283  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1284  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1285  p->tcph->th_ack = htonl(1);
1286  p->tcph->th_seq = htonl(3);
1287  p->tcph->th_flags = TH_PUSH | TH_ACK;
1289  p->payload_len = sizeof(request2);
1290  p->payload = request2;
1291  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1303 
1304  /* response - request ack */
1305  uint8_t response[] = {
1306  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1307  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1308  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1309  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1310  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1311  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1312  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1313  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1314  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1315  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1316  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1317  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1318  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1319  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1320  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1321  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1322  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1323  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1324  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1325  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1326  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1327  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1328  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1329  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1330  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1331  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1332  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1333  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1334  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1335  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1336  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1337  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1338  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1339  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1340  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1341  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1342  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1343  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1344  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1345  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1346  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1347  p->tcph->th_ack = htonl(88);
1348  p->tcph->th_seq = htonl(1);
1349  p->tcph->th_flags = TH_PUSH | TH_ACK;
1351  p->payload_len = sizeof(response);
1352  p->payload = response;
1353  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1365 
1366  /* response ack */
1367  p->tcph->th_ack = htonl(328);
1368  p->tcph->th_seq = htonl(88);
1369  p->tcph->th_flags = TH_ACK;
1371  p->payload_len = 0;
1372  p->payload = NULL;
1373  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1385 
1386  TEST_END;
1387  PASS;
1388 }
1389 
1390 /**
1391  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1392  */
1393 static int AppLayerTest03(void)
1394 {
1395  TEST_START;
1396 
1397  /* request */
1398  uint8_t request[] = {
1399  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1400  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1401  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1402  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1403  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1404  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1405  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1406  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1407  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1408  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1409  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1410  p->tcph->th_ack = htonl(1);
1411  p->tcph->th_seq = htonl(1);
1412  p->tcph->th_flags = TH_PUSH | TH_ACK;
1414  p->payload_len = sizeof(request);
1415  p->payload = request;
1416  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1428 
1429  /* rubbish response */
1430  uint8_t response[] = {
1431  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1432  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1433  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1434  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1435  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1436  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1437  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1438  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1439  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1440  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1441  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1442  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1443  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1444  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1445  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1446  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1447  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1448  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1449  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1450  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1451  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1452  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1453  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1454  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1455  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1456  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1457  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1458  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1459  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1460  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1461  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1462  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1463  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1464  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1465  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1466  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1467  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1468  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1469  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1470  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1471  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1472  p->tcph->th_ack = htonl(88);
1473  p->tcph->th_seq = htonl(1);
1474  p->tcph->th_flags = TH_PUSH | TH_ACK;
1476  p->payload_len = sizeof(response);
1477  p->payload = response;
1478  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1490 
1491  /* response ack */
1492  p->tcph->th_ack = htonl(328);
1493  p->tcph->th_seq = htonl(88);
1494  p->tcph->th_flags = TH_ACK;
1496  p->payload_len = 0;
1497  p->payload = NULL;
1498  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1510 
1511  TEST_END;
1512  PASS;
1513 }
1514 
1515 /**
1516  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1517  */
1518 static int AppLayerTest04(void)
1519 {
1520  TEST_START;
1521 
1522  /* request */
1523  uint8_t request[] = {
1524  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1525  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1526  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1527  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1528  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1529  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1530  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1531  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1532  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1533  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1534  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1535  PrintRawDataFp(stdout, request, sizeof(request));
1536  p->tcph->th_ack = htonl(1);
1537  p->tcph->th_seq = htonl(1);
1538  p->tcph->th_flags = TH_PUSH | TH_ACK;
1540  p->payload_len = sizeof(request);
1541  p->payload = request;
1542  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1553  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1554 
1555  /* partial response */
1556  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1557  PrintRawDataFp(stdout, response1, sizeof(response1));
1558  p->tcph->th_ack = htonl(88);
1559  p->tcph->th_seq = htonl(1);
1560  p->tcph->th_flags = TH_PUSH | TH_ACK;
1562  p->payload_len = sizeof(response1);
1563  p->payload = response1;
1564  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1567  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1568  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1575  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1576 
1577  /* partial response ack */
1578  p->tcph->th_ack = htonl(5);
1579  p->tcph->th_seq = htonl(88);
1580  p->tcph->th_flags = TH_ACK;
1582  p->payload_len = 0;
1583  p->payload = NULL;
1584  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1587  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1588  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1594  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1595  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1596 
1597  /* remaining response */
1598  uint8_t response2[] = {
1599  0x2f, 0x31, 0x2e, 0x31,
1600  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1601  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1602  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1603  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1604  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1605  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1606  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1607  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1608  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1609  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1610  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1611  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1612  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1613  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1614  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1615  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1616  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1617  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1618  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1619  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1620  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1621  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1622  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1623  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1624  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1625  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1626  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1627  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1628  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1629  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1630  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1631  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1632  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1633  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1634  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1635  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1636  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1637  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1638  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1639  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1640  PrintRawDataFp(stdout, response2, sizeof(response2));
1641  p->tcph->th_ack = htonl(88);
1642  p->tcph->th_seq = htonl(5);
1643  p->tcph->th_flags = TH_PUSH | TH_ACK;
1645  p->payload_len = sizeof(response2);
1646  p->payload = response2;
1647  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1650  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1651  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1657  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1658  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1659 
1660  /* response ack */
1661  p->tcph->th_ack = htonl(328);
1662  p->tcph->th_seq = htonl(88);
1663  p->tcph->th_flags = TH_ACK;
1665  p->payload_len = 0;
1666  p->payload = NULL;
1667  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1668  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1670  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1671  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1672  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1677  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1678  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1679 
1680  TEST_END;
1681  PASS;
1682 }
1683 
1684 /**
1685  * \test RUBBISH -> HTTP/1.1
1686  */
1687 static int AppLayerTest05(void)
1688 {
1689  TEST_START;
1690 
1691  /* full request */
1692  uint8_t request[] = {
1693  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1694  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1695  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1696  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1697  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1698  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1699  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1700  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1701  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1702  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1703  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1704  PrintRawDataFp(stdout, request, sizeof(request));
1705  p->tcph->th_ack = htonl(1);
1706  p->tcph->th_seq = htonl(1);
1707  p->tcph->th_flags = TH_PUSH | TH_ACK;
1709  p->payload_len = sizeof(request);
1710  p->payload = request;
1711  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1723 
1724  /* full response - request ack */
1725  uint8_t response[] = {
1726  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1727  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1728  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1729  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1730  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1731  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1732  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1733  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1734  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1735  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1736  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1737  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1738  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1739  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1740  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1741  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1742  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1743  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1744  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1745  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1746  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1747  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1748  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1749  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1750  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1751  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1752  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1753  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1754  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1755  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1756  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1757  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1758  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1759  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1760  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1761  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1762  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1763  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1764  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1765  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1766  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1767  PrintRawDataFp(stdout, response, sizeof(response));
1768  p->tcph->th_ack = htonl(88);
1769  p->tcph->th_seq = htonl(1);
1770  p->tcph->th_flags = TH_PUSH | TH_ACK;
1772  p->payload_len = sizeof(response);
1773  p->payload = response;
1774  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1786 
1787  /* response ack */
1788  p->tcph->th_ack = htonl(328);
1789  p->tcph->th_seq = htonl(88);
1790  p->tcph->th_flags = TH_ACK;
1792  p->payload_len = 0;
1793  p->payload = NULL;
1794  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1806 
1807  TEST_END;
1808  PASS;
1809 }
1810 
1811 /**
1812  * \test HTTP/1.1 -> GET
1813  */
1814 static int AppLayerTest06(void)
1815 {
1816  TEST_START;
1817 
1818  /* full response - request ack */
1819  uint8_t response[] = {
1820  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1821  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1822  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1823  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1824  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1825  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1826  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1827  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1828  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1829  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1830  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1831  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1832  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1833  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1834  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1835  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1836  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1837  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1838  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1839  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1840  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1841  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1842  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1843  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1844  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1845  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1846  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1847  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1848  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1849  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1850  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1851  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1852  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1853  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1854  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1855  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1856  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1857  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1858  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1859  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1860  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1861  p->tcph->th_ack = htonl(1);
1862  p->tcph->th_seq = htonl(1);
1863  p->tcph->th_flags = TH_PUSH | TH_ACK;
1865  p->payload_len = sizeof(response);
1866  p->payload = response;
1867  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1879 
1880  /* full request - response ack*/
1881  uint8_t request[] = {
1882  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1883  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1884  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1885  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1886  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1887  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1888  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1889  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1890  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1891  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1892  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1893  p->tcph->th_ack = htonl(328);
1894  p->tcph->th_seq = htonl(1);
1895  p->tcph->th_flags = TH_PUSH | TH_ACK;
1897  p->payload_len = sizeof(request);
1898  p->payload = request;
1899  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1911 
1912  p->tcph->th_ack = htonl(1 + sizeof(request));
1913  p->tcph->th_seq = htonl(328);
1914  p->tcph->th_flags = TH_PUSH | TH_ACK;
1916  p->payload_len = 0;
1917  p->payload = NULL;
1918  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1930 
1931  TEST_END;
1932  PASS;
1933 }
1934 
1935 /**
1936  * \test GET -> DCERPC
1937  */
1938 static int AppLayerTest07(void)
1939 {
1940  TEST_START;
1941 
1942  /* full request */
1943  uint8_t request[] = {
1944  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1945  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1946  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1947  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1948  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1949  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1950  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1951  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1952  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1953  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1954  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1955  p->tcph->th_ack = htonl(1);
1956  p->tcph->th_seq = htonl(1);
1957  p->tcph->th_flags = TH_PUSH | TH_ACK;
1959  p->payload_len = sizeof(request);
1960  p->payload = request;
1961  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1973 
1974  /* full response - request ack */
1975  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
1976  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
1977  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
1978  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
1979  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1980  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
1981  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
1982  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
1983  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
1984  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
1985  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
1986  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
1987  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1988  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
1989  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
1990  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
1991  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
1992  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
1993  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
1994  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
1995  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1996  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1997  p->tcph->th_ack = htonl(88);
1998  p->tcph->th_seq = htonl(1);
1999  p->tcph->th_flags = TH_PUSH | TH_ACK;
2001  p->payload_len = sizeof(response);
2002  p->payload = response;
2003  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2015 
2016  /* response ack */
2017  p->tcph->th_ack = htonl(328);
2018  p->tcph->th_seq = htonl(88);
2019  p->tcph->th_flags = TH_ACK;
2021  p->payload_len = 0;
2022  p->payload = NULL;
2023  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2035 
2036  TEST_END;
2037  PASS;
2038 }
2039 
2040 /**
2041  * \test SMB -> HTTP/1.1
2042  */
2043 static int AppLayerTest08(void)
2044 {
2045  TEST_START;
2046 
2047  /* full request */
2048  uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68,
2049  0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48,
2050  0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d,
2051  0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70,
2052  0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2053  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2054  p->tcph->th_ack = htonl(1);
2055  p->tcph->th_seq = htonl(1);
2056  p->tcph->th_flags = TH_PUSH | TH_ACK;
2058  p->payload_len = sizeof(request);
2059  p->payload = request;
2060  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2072 
2073  /* full response - request ack */
2074  uint8_t response[] = {
2075  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2076  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2077  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2078  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2079  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2080  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2081  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2082  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2083  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2084  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2085  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2086  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2087  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2088  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2089  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2090  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2091  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2092  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2093  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2094  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2095  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2096  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2097  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2098  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2099  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2100  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2101  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2102  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2103  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2104  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2105  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2106  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2107  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2108  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2109  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2110  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2111  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2112  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2113  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2114  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2115  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2116  p->tcph->th_ack = htonl(88);
2117  p->tcph->th_seq = htonl(1);
2118  p->tcph->th_flags = TH_PUSH | TH_ACK;
2120  p->payload_len = sizeof(response);
2121  p->payload = response;
2122  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2134 
2135  /* response ack */
2136  p->tcph->th_ack = htonl(328);
2137  p->tcph->th_seq = htonl(88);
2138  p->tcph->th_flags = TH_ACK;
2140  p->payload_len = 0;
2141  p->payload = NULL;
2142  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2154 
2155  TEST_END;
2156  PASS;
2157 }
2158 
2159 /**
2160  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2161  * RUBBISH(TC - PM and PP DONE) ->
2162  * RUBBISH(TS - PM and PP DONE)
2163  */
2164 static int AppLayerTest09(void)
2165 {
2166  TEST_START;
2167 
2168  /* full request */
2169  uint8_t request1[] = {
2170  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2171  p->tcph->th_ack = htonl(1);
2172  p->tcph->th_seq = htonl(1);
2173  p->tcph->th_flags = TH_PUSH | TH_ACK;
2175  p->payload_len = sizeof(request1);
2176  p->payload = request1;
2177  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2189 
2190  /* response - request ack */
2191  p->tcph->th_ack = htonl(9);
2192  p->tcph->th_seq = htonl(1);
2193  p->tcph->th_flags = TH_PUSH | TH_ACK;
2195  p->payload_len = 0;
2196  p->payload = NULL;
2197  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2209 
2210  /* full request */
2211  uint8_t request2[] = {
2212  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2213  p->tcph->th_ack = htonl(1);
2214  p->tcph->th_seq = htonl(9);
2215  p->tcph->th_flags = TH_PUSH | TH_ACK;
2217  p->payload_len = sizeof(request2);
2218  p->payload = request2;
2219  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2231 
2232  /* full response - request ack */
2233  uint8_t response[] = {
2234  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2235  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2236  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2237  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2238  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2239  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2240  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2241  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2242  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2243  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2244  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2245  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2246  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2247  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2248  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2249  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2250  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2251  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2252  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2253  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2254  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2255  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2256  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2257  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2258  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2259  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2260  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2261  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2262  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2263  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2264  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2265  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2266  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2267  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2268  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2269  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2270  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2271  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2272  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2273  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2274  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2275  p->tcph->th_ack = htonl(18);
2276  p->tcph->th_seq = htonl(1);
2277  p->tcph->th_flags = TH_PUSH | TH_ACK;
2279  p->payload_len = sizeof(response);
2280  p->payload = response;
2281  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2293 
2294  /* response ack */
2295  p->tcph->th_ack = htonl(328);
2296  p->tcph->th_seq = htonl(18);
2297  p->tcph->th_flags = TH_ACK;
2299  p->payload_len = 0;
2300  p->payload = NULL;
2301  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2313 
2314  TEST_END;
2315  PASS;
2316 }
2317 
2318 /**
2319  * \test RUBBISH(TC - PM and PP DONE) ->
2320  * RUBBISH(TS - PM and PP DONE)
2321  */
2322 static int AppLayerTest10(void)
2323 {
2324  TEST_START;
2325 
2326  /* full request */
2327  uint8_t request1[] = {
2328  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2329  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2330  p->tcph->th_ack = htonl(1);
2331  p->tcph->th_seq = htonl(1);
2332  p->tcph->th_flags = TH_PUSH | TH_ACK;
2334  p->payload_len = sizeof(request1);
2335  p->payload = request1;
2336  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2348 
2349  /* response - request ack */
2350  p->tcph->th_ack = htonl(18);
2351  p->tcph->th_seq = htonl(1);
2352  p->tcph->th_flags = TH_PUSH | TH_ACK;
2354  p->payload_len = 0;
2355  p->payload = NULL;
2356  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2368 
2369  /* full response - request ack */
2370  uint8_t response[] = {
2371  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2372  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2373  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2374  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2375  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2376  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2377  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2378  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2379  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2380  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2381  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2382  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2383  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2384  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2385  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2386  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2387  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2388  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2389  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2390  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2391  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2392  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2393  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2394  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2395  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2396  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2397  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2398  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2399  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2400  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2401  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2402  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2403  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2404  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2405  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2406  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2407  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2408  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2409  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2410  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2411  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2412  p->tcph->th_ack = htonl(18);
2413  p->tcph->th_seq = htonl(1);
2414  p->tcph->th_flags = TH_PUSH | TH_ACK;
2416  p->payload_len = sizeof(response);
2417  p->payload = response;
2418  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2430 
2431  /* response ack */
2432  p->tcph->th_ack = htonl(328);
2433  p->tcph->th_seq = htonl(18);
2434  p->tcph->th_flags = TH_ACK;
2436  p->payload_len = 0;
2437  p->payload = NULL;
2438  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2450 
2451  TEST_END;
2452  PASS;
2453 }
2454 
2455 /**
2456  * \test RUBBISH(TC - PM and PP DONE) ->
2457  * RUBBISH(TS - PM and PP NOT DONE) ->
2458  * RUBBISH(TS - PM and PP DONE)
2459  */
2460 static int AppLayerTest11(void)
2461 {
2462  TEST_START;
2463 
2464  /* full request */
2465  uint8_t request1[] = {
2466  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2467  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2468  p->tcph->th_ack = htonl(1);
2469  p->tcph->th_seq = htonl(1);
2470  p->tcph->th_flags = TH_PUSH | TH_ACK;
2472  p->payload_len = sizeof(request1);
2473  p->payload = request1;
2474  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2486 
2487  /* response - request ack */
2488  p->tcph->th_ack = htonl(18);
2489  p->tcph->th_seq = htonl(1);
2490  p->tcph->th_flags = TH_PUSH | TH_ACK;
2492  p->payload_len = 0;
2493  p->payload = NULL;
2494  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2506 
2507  /* full response - request ack */
2508  uint8_t response1[] = {
2509  0x55, 0x74, 0x54, 0x50, };
2510  p->tcph->th_ack = htonl(18);
2511  p->tcph->th_seq = htonl(1);
2512  p->tcph->th_flags = TH_PUSH | TH_ACK;
2514  p->payload_len = sizeof(response1);
2515  p->payload = response1;
2516  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2528 
2529  /* response ack from request */
2530  p->tcph->th_ack = htonl(5);
2531  p->tcph->th_seq = htonl(18);
2532  p->tcph->th_flags = TH_ACK;
2534  p->payload_len = 0;
2535  p->payload = NULL;
2536  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2548 
2549  uint8_t response2[] = {
2550  0x2f, 0x31, 0x2e, 0x31,
2551  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2552  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2553  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2554  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2555  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2556  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2557  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2558  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2559  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2560  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2561  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2562  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2563  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2564  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2565  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2566  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2567  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2568  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2569  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2570  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2571  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2572  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2573  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2574  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2575  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2576  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2577  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2578  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2579  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2580  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2581  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2582  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2583  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2584  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2585  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2586  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2587  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2588  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2589  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2590  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2591  p->tcph->th_ack = htonl(18);
2592  p->tcph->th_seq = htonl(5);
2593  p->tcph->th_flags = TH_PUSH | TH_ACK;
2595  p->payload_len = sizeof(response2);
2596  p->payload = response2;
2597  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2609 
2610  /* response ack from request */
2611  p->tcph->th_ack = htonl(328);
2612  p->tcph->th_seq = htonl(18);
2613  p->tcph->th_flags = TH_ACK;
2615  p->payload_len = 0;
2616  p->payload = NULL;
2617  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2629 
2630  TEST_END;
2631  PASS;
2632 }
2633 
2635 {
2636  SCEnter();
2637 
2638  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2639  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2640  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2641  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2642  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2643  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2644  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2645  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2646  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2647  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2648  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2649 
2650  SCReturn;
2651 }
2652 
2653 #endif /* UNITTESTS */
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:82
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:281
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:202
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:241
TcpStream_
Definition: stream-tcp-private.h:94
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerCounters_
Definition: app-layer.c:81
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:142
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1827
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:141
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:83
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:89
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:574
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1000
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:902
Flow_::proto
uint8_t proto
Definition: flow.h:372
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:77
Packet_::payload
uint8_t * payload
Definition: decode.h:553
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6359
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:451
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:60
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:350
Flow_::protomap
uint8_t protomap
Definition: flow.h:452
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1110
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:186
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:965
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:463
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:169
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:897
AppLayerCounterNames_
Definition: app-layer.c:76
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1473
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:277
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:222
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5954
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2634
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:812
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:919
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:447
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:119
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:72
Flow_::protoctx
void * protoctx
Definition: flow.h:448
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:554
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:580
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:798
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
STREAM_START
#define STREAM_START
Definition: stream.h:29
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:847
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1153
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:75
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:272
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:482
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1576
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:832
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1213
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:175
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:574
AppLayerParserState_
Definition: app-layer-parser.c:153
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:273
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:909
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:456
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:859
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4853
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:918
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1968
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TEST_START
#define TEST_START
Definition: app-layer.c:1007
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:103
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:217
SCReturn
#define SCReturn
Definition: util-debug.h:302
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:280
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:416
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:727
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:105
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:590
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:175
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:223
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:466
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:251
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1195
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:282
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:533
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1857
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:102
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1154
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1452
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:261
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2175
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1530
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2048
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2145
str
#define str(s)
Definition: suricata-common.h:268
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:398
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:458
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6365
Flow_::alstate
void * alstate
Definition: flow.h:483
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:881
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:428
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:805
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:114
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:67
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:244
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:188
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1090
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2102
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:87
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:77
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:212
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:459
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:73
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1633
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:457
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:942
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:992
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2170
app-layer.h