suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
57 struct AppLayerThreadCtx_ {
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  AppLayerProtoDetectThreadCtx *alpd_tctx;
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61  AppLayerParserThreadCtx *alp_tctx;
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
67  AppProto alproto;
68  uint64_t proto_detect_ticks_start;
69  uint64_t proto_detect_ticks_end;
70  uint64_t proto_detect_ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
78 } AppLayerCounterNames;
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
83 } AppLayerCounters;
84 
85 /* counter names. Only used at init. */
86 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
87 /* counter id's. Used that runtime. */
88 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
97  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
133  p->flags |= PKT_PROTO_DETECT_TS_DONE;
134  } else {
135  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  p->flags |= PKT_PROTO_DETECT_TC_DONE;
140  } else {
141  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
146  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
147  } else {
148  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
157  FlowCleanupAppLayer(f);
158  StreamTcpDisableAppLayer(f);
159  TcpSession *ssn = f->protoctx;
160  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
166  f->alproto_tc = ALPROTO_FAILED;
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
172  f->alproto_ts = ALPROTO_FAILED;
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
218  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
219  size_ts > 100000 && size_tc == 0)
220  {
221  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
222  APPLAYER_PROTO_DETECTION_SKIPPED);
223  goto failure;
224 
225  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
226  size_tc > 100000 && size_ts == 0)
227  {
228  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
229  APPLAYER_PROTO_DETECTION_SKIPPED);
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
236  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
237  FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
238  {
239  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
240  APPLAYER_PROTO_DETECTION_SKIPPED);
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
247  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
248  FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
249  {
250  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
251  APPLAYER_PROTO_DETECTION_SKIPPED);
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
258  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
259  (!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
260  {
261  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
262  APPLAYER_PROTO_DETECTION_SKIPPED);
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
291  UPDATE_DIR_OPPOSING :
292  UPDATE_DIR_PACKET;
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
326  bool reverse_flow = false;
327  PACKET_PROFILING_APP_PD_START(app_tctx);
328  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
329  f, data, data_len,
330  IPPROTO_TCP, flags, &reverse_flow);
331  PACKET_PROFILING_APP_PD_END(app_tctx);
332  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
333 
334  if (*alproto != ALPROTO_UNKNOWN) {
335  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
336  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
337  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
338 
339  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
340  /* if we already invoked the parser, we go with that proto */
341  f->alproto = *alproto_otherdir;
342  } else {
343  /* no data sent to parser yet, we can still choose
344  * we're trusting the server more. */
345  if (flags & STREAM_TOCLIENT)
346  f->alproto = *alproto;
347  else
348  f->alproto = *alproto_otherdir;
349  }
350  } else {
351  f->alproto = *alproto;
352  }
353 
354  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
355  TcpSessionSetReassemblyDepth(ssn,
356  AppLayerParserGetStreamDepth(f));
357  FlagPacketFlow(p, f, flags);
358  /* if protocol detection indicated that we need to reverse
359  * the direction of the flow, do it now. We flip the flow,
360  * packet and the direction flags */
361  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
362  SCLogDebug("reversing flow after proto detect told us so");
363  PacketSwap(p);
364  FlowSwap(f);
365  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
366  if (*stream == &ssn->client) {
367  *stream = &ssn->server;
368  } else {
369  *stream = &ssn->client;
370  }
371  }
372 
373  /* account flow if we have both sides */
374  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
375  AppLayerIncFlowCounter(tv, f);
376  }
377 
378  /* if we have seen data from the other direction first, send
379  * data for that direction first to the parser. This shouldn't
380  * be an issue, since each stream processing happens
381  * independently of the other stream direction. At this point of
382  * call, you need to know that this function's already being
383  * called by the very same StreamReassembly() function that we
384  * will now call shortly for the opposing direction. */
385  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
386  !(flags & ssn->data_first_seen_dir))
387  {
388  SCLogDebug("protocol %s needs first data in other direction",
389  AppProtoToString(*alproto));
390 
391  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
392  p, ssn, *stream) != 0)
393  {
394  DisableAppLayer(tv, f, p);
395  goto failure;
396  }
397  }
398 
399  /* if the parser operates such that it needs to see data from
400  * a particular direction first, we check if we have seen
401  * data from that direction first for the flow. IF it is not
402  * the same, we set an event and exit.
403  *
404  * \todo We need to figure out a more robust solution for this,
405  * as this can lead to easy evasion tactics, where the
406  * attackeer can first send some dummy data in the wrong
407  * direction first to mislead our proto detection process.
408  * While doing this we need to update the parsers as well,
409  * since the parsers must be robust to see such wrong
410  * direction data.
411  * Either ways the moment we see the
412  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
413  * flow, it shows something's fishy.
414  */
415  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
416  uint8_t first_data_dir;
417  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
418 
419  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
420  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
421  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
422  DisableAppLayer(tv, f, p);
423  goto failure;
424  }
425  /* This can happen if the current direction is not the
426  * right direction, and the data from the other(also
427  * the right direction) direction is available to be sent
428  * to the app layer, but it is not ack'ed yet and hence
429  * the forced call to STreamTcpAppLayerReassemble still
430  * hasn't managed to send data from the other direction
431  * to the app layer. */
432  if (first_data_dir && !(first_data_dir & flags)) {
433  FlowCleanupAppLayer(f);
434  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
435  FLOW_RESET_PP_DONE(f, flags);
436  FLOW_RESET_PM_DONE(f, flags);
437  FLOW_RESET_PE_DONE(f, flags);
438  goto failure;
439  }
440  }
441 
442  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
443  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
444 
445  /* finally, invoke the parser */
446  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
447  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
448  flags, data, data_len);
449  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
450  if (r < 0)
451  goto failure;
452  (*stream)->app_progress_rel += data_len;
453 
454  } else {
455  /* if the ssn is midstream, we may end up with a case where the
456  * start of an HTTP request is missing. We won't detect HTTP based
457  * on the request. However, the reply is fine, so we detect
458  * HTTP anyway. This leads to passing the incomplete request to
459  * the htp parser.
460  *
461  * This has been observed, where the http parser then saw many
462  * bogus requests in the incomplete data.
463  *
464  * To counter this case, a midstream session MUST find it's
465  * protocol in the toserver direction. If not, we assume the
466  * start of the request/toserver is incomplete and no reliable
467  * detection and parsing is possible. So we give up.
468  */
469  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
470  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
471  {
472  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
473  SCLogDebug("midstream end pd %p", ssn);
474  /* midstream and toserver detection failed: give up */
475  DisableAppLayer(tv, f, p);
476  goto end;
477  }
478  }
479 
480  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
481  uint8_t first_data_dir;
482  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
483 
484  /* this would handle this test case -
485  * http parser which says it wants to see toserver data first only.
486  * tcp handshake
487  * toclient data first received. - RUBBISH DATA which
488  * we don't detect as http
489  * toserver data next sent - we detect this as http.
490  * at this stage we see that toclient is the first data seen
491  * for this session and we try and redetect the app protocol,
492  * but we are unable to detect the app protocol like before.
493  * But since we have managed to detect the protocol for the
494  * other direction as http, we try to use that. At this
495  * stage we check if the direction of this stream matches
496  * to that acceptable by the app parser. If it is not the
497  * acceptable direction we error out.
498  */
499  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
500  (first_data_dir) && !(first_data_dir & flags))
501  {
502  DisableAppLayer(tv, f, p);
503  goto failure;
504  }
505 
506  /* if protocol detection is marked done for our direction we
507  * pass our data on. We're only succeeded in finding one
508  * direction: the opposing stream
509  *
510  * If PD was not yet complete, we don't do anything.
511  */
512  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
513  if (data_len > 0)
514  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
515 
516  if (*alproto_otherdir != ALPROTO_FAILED) {
517  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
518  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
519  f->alproto, flags,
520  data, data_len);
521  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
522  if (r >= 0) {
523  (*stream)->app_progress_rel += data_len;
524  }
525 
526  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
527  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
528  TcpSessionSetReassemblyDepth(ssn,
529  AppLayerParserGetStreamDepth(f));
530 
531  *alproto = *alproto_otherdir;
532  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
533  p->pcap_cnt, *alproto, *alproto_otherdir, r);
534  if (r < 0)
535  goto failure;
536  }
537  *alproto = ALPROTO_FAILED;
538  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
539  AppLayerIncFlowCounter(tv, f);
540  FlagPacketFlow(p, f, flags);
541 
542  }
543  } else {
544  /* both sides unknown, let's see if we need to give up */
545  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
546  }
547  }
548 end:
549  return 0;
550 
551 failure:
552  return -1;
553 }
554 
555 /** \brief handle TCP data for the app-layer.
556  *
557  * First run protocol detection and then when the protocol is known invoke
558  * the app layer parser.
559  *
560  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
561  * reversed.
562  */
563 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
564  Packet *p, Flow *f,
565  TcpSession *ssn, TcpStream **stream,
566  uint8_t *data, uint32_t data_len,
567  uint8_t flags)
568 {
569  SCEnter();
570 
571  DEBUG_ASSERT_FLOW_LOCKED(f);
572  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
573 
574  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
575  AppProto alproto;
576  int r = 0;
577 
578  SCLogDebug("data_len %u flags %02X", data_len, flags);
579  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
580  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
581  goto end;
582  }
583 
584  if (flags & STREAM_TOSERVER) {
585  alproto = f->alproto_ts;
586  } else {
587  alproto = f->alproto_tc;
588  }
589 
590  /* If a gap notification, relay the notification on to the
591  * app-layer if known. */
592  if (flags & STREAM_GAP) {
593  if (alproto == ALPROTO_UNKNOWN) {
594  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
595  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
596  /* if the other side didn't already find the proto, we're done */
597  if (f->alproto == ALPROTO_UNKNOWN) {
598  goto failure;
599  }
600  }
601  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
602  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
603  flags, data, data_len);
604  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
605  /* ignore parser result for gap */
606  (*stream)->app_progress_rel += data_len;
607  goto end;
608  }
609 
610  /* if we don't know the proto yet and we have received a stream
611  * initializer message, we run proto detection.
612  * We receive 2 stream init msgs (one for each direction) but we
613  * only run the proto detection once. */
614  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
615  /* run protocol detection */
616  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
617  data, data_len, flags) != 0) {
618  goto failure;
619  }
620  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
621  f->alproto_orig = f->alproto;
622  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
623  AppLayerProtoDetectReset(f);
624  /* rerun protocol detection */
625  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
626  data, data_len, flags) != 0) {
627  SCLogDebug("proto detect failure");
628  goto failure;
629  }
630  SCLogDebug("protocol change, old %s, new %s",
631  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
632 
633  if (f->alproto_expect != ALPROTO_UNKNOWN &&
634  f->alproto != f->alproto_expect)
635  {
636  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
637  APPLAYER_UNEXPECTED_PROTOCOL);
638 
639  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
640  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
641  APPLAYER_NO_TLS_AFTER_STARTTLS);
642 
643  }
644  }
645  } else {
646  SCLogDebug("stream data (len %" PRIu32 " alproto "
647  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
648 #ifdef PRINT
649  if (data_len > 0) {
650  printf("=> Stream Data (app layer) -- start %s%s\n",
651  flags & STREAM_TOCLIENT ? "toclient" : "",
652  flags & STREAM_TOSERVER ? "toserver" : "");
653  PrintRawDataFp(stdout, data, data_len);
654  printf("=> Stream Data -- end\n");
655  }
656 #endif
657  /* if we don't have a data object here we are not getting it
658  * a start msg should have gotten us one */
659  if (f->alproto != ALPROTO_UNKNOWN) {
660  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
661  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
662  flags, data, data_len);
663  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
664  if (r >= 0) {
665  (*stream)->app_progress_rel += data_len;
666  }
667  }
668  }
669 
670  goto end;
671  failure:
672  r = -1;
673  end:
674  SCReturnInt(r);
675 }
676 
677 /**
678  * \brief Handle a app layer UDP message
679  *
680  * If the protocol is yet unknown, the proto detection code is run first.
681  *
682  * \param dp_ctx Thread app layer detect context
683  * \param f *locked* flow
684  * \param p UDP packet
685  *
686  * \retval 0 ok
687  * \retval -1 error
688  */
689 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
690 {
691  SCEnter();
692 
693  if (f->alproto == ALPROTO_FAILED) {
694  SCReturnInt(0);
695  }
696 
697  int r = 0;
698  uint8_t flags = 0;
699  if (p->flowflags & FLOW_PKT_TOSERVER) {
700  flags |= STREAM_TOSERVER;
701  } else {
702  flags |= STREAM_TOCLIENT;
703  }
704 
705  AppLayerProfilingReset(tctx);
706 
707  /* if the protocol is still unknown, run detection */
708  if (f->alproto == ALPROTO_UNKNOWN) {
709  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
710  p->payload_len);
711 
712  bool reverse_flow = false;
713  PACKET_PROFILING_APP_PD_START(tctx);
714  f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
715  f, p->payload, p->payload_len,
716  IPPROTO_UDP, flags, &reverse_flow);
717  PACKET_PROFILING_APP_PD_END(tctx);
718 
719  if (f->alproto != ALPROTO_UNKNOWN) {
720  AppLayerIncFlowCounter(tv, f);
721 
722  if (reverse_flow) {
723  SCLogDebug("reversing flow after proto detect told us so");
724  PacketSwap(p);
725  FlowSwap(f);
726  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
727  }
728 
729  PACKET_PROFILING_APP_START(tctx, f->alproto);
730  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
731  flags, p->payload, p->payload_len);
732  PACKET_PROFILING_APP_END(tctx, f->alproto);
733  } else {
734  f->alproto = ALPROTO_FAILED;
735  AppLayerIncFlowCounter(tv, f);
736  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
737  }
738  PACKET_PROFILING_APP_STORE(tctx, p);
739  /* we do only inspection in one direction, so flag both
740  * sides as done here */
741  FlagPacketFlow(p, f, STREAM_TOSERVER);
742  FlagPacketFlow(p, f, STREAM_TOCLIENT);
743  } else {
744  SCLogDebug("data (len %" PRIu32 " ), alproto "
745  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
746 
747  /* run the parser */
748  PACKET_PROFILING_APP_START(tctx, f->alproto);
749  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
750  flags, p->payload, p->payload_len);
751  PACKET_PROFILING_APP_END(tctx, f->alproto);
752  PACKET_PROFILING_APP_STORE(tctx, p);
753  }
754 
755  SCReturnInt(r);
756 }
757 
758 /***** Utility *****/
759 
760 AppProto AppLayerGetProtoByName(char *alproto_name)
761 {
762  SCEnter();
763  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
764  SCReturnCT(r, "AppProto");
765 }
766 
767 const char *AppLayerGetProtoName(AppProto alproto)
768 {
769  SCEnter();
770  const char * r = AppLayerProtoDetectGetProtoName(alproto);
771  SCReturnCT(r, "char *");
772 }
773 
774 void AppLayerListSupportedProtocols(void)
775 {
776  SCEnter();
777 
778  AppProto alproto;
779  AppProto alprotos[ALPROTO_MAX];
780 
781  AppLayerProtoDetectSupportedAppProtocols(alprotos);
782 
783  printf("=========Supported App Layer Protocols=========\n");
784  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
785  if (alprotos[alproto] == 1)
786  printf("%s\n", AppLayerGetProtoName(alproto));
787  }
788 
789  SCReturn;
790 }
791 
792 /***** Setup/General Registration *****/
793 
794 int AppLayerSetup(void)
795 {
796  SCEnter();
797 
798  AppLayerProtoDetectSetup();
799  AppLayerParserSetup();
800 
801  AppLayerParserRegisterProtocolParsers();
802  AppLayerProtoDetectPrepareState();
803 
804  AppLayerSetupCounters();
805 
806  SCReturnInt(0);
807 }
808 
809 int AppLayerDeSetup(void)
810 {
811  SCEnter();
812 
813  AppLayerProtoDetectDeSetup();
814  AppLayerParserDeSetup();
815 
816  AppLayerDeSetupCounters();
817 
818  SCReturnInt(0);
819 }
820 
821 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
822 {
823  SCEnter();
824 
825  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
826  if (app_tctx == NULL)
827  goto error;
828  memset(app_tctx, 0, sizeof(*app_tctx));
829 
830  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
831  goto error;
832  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
833  goto error;
834 
835  goto done;
836  error:
837  AppLayerDestroyCtxThread(app_tctx);
838  app_tctx = NULL;
839  done:
840  SCReturnPtr(app_tctx, "void *");
841 }
842 
843 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
844 {
845  SCEnter();
846 
847  if (app_tctx == NULL)
848  SCReturn;
849 
850  if (app_tctx->alpd_tctx != NULL)
851  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
852  if (app_tctx->alp_tctx != NULL)
853  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
854  SCFree(app_tctx);
855 
856  SCReturn;
857 }
858 
859 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
860 {
861  PACKET_PROFILING_APP_RESET(app_tctx);
862 }
863 
864 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
865 {
866  PACKET_PROFILING_APP_STORE(app_tctx, p);
867 }
868 
869 /** \brief HACK to work around our broken unix manager (re)init loop
870  */
871 void AppLayerRegisterGlobalCounters(void)
872 {
873  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
874  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
875  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
876  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
877  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
878 }
879 
880 #define IPPROTOS_MAX 2
881 void AppLayerSetupCounters()
882 {
883  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
884  uint8_t ipproto;
885  AppProto alproto;
886  AppProto alprotos[ALPROTO_MAX];
887  const char *str = "app_layer.flow.";
888 
889  AppLayerProtoDetectSupportedAppProtocols(alprotos);
890 
891  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
892  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
893  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
894  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
895 
896  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
897  if (alprotos[alproto] == 1) {
898  const char *tx_str = "app_layer.tx.";
899  const char *alproto_str = AppLayerGetProtoName(alproto);
900 
901  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
902  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
903  {
904  snprintf(applayer_counter_names[ipproto_map][alproto].name,
905  sizeof(applayer_counter_names[ipproto_map][alproto].name),
906  "%s%s%s", str, alproto_str, ipproto_suffix);
907  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
908  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
909  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
910  } else {
911  snprintf(applayer_counter_names[ipproto_map][alproto].name,
912  sizeof(applayer_counter_names[ipproto_map][alproto].name),
913  "%s%s", str, alproto_str);
914  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
915  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
916  "%s%s", tx_str, alproto_str);
917  }
918  } else if (alproto == ALPROTO_FAILED) {
919  snprintf(applayer_counter_names[ipproto_map][alproto].name,
920  sizeof(applayer_counter_names[ipproto_map][alproto].name),
921  "%s%s%s", str, "failed", ipproto_suffix);
922  }
923  }
924  }
925 }
926 
927 void AppLayerRegisterThreadCounters(ThreadVars *tv)
928 {
929  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
930  uint8_t ipproto;
931  AppProto alproto;
932  AppProto alprotos[ALPROTO_MAX];
933 
934  AppLayerProtoDetectSupportedAppProtocols(alprotos);
935 
936  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
937  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
938 
939  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
940  if (alprotos[alproto] == 1) {
941  applayer_counters[ipproto_map][alproto].counter_id =
942  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
943 
944  applayer_counters[ipproto_map][alproto].counter_tx_id =
945  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
946  } else if (alproto == ALPROTO_FAILED) {
947  applayer_counters[ipproto_map][alproto].counter_id =
948  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
949  }
950  }
951  }
952 }
953 
954 void AppLayerDeSetupCounters()
955 {
956  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
957  memset(applayer_counters, 0, sizeof(applayer_counters));
958 }
959 
960 /***** Unittests *****/
961 
962 #ifdef UNITTESTS
963 #include "pkt-var.h"
964 #include "stream-tcp.h"
965 #include "stream-tcp-util.h"
966 #include "stream.h"
967 #include "util-unittest.h"
968 
969 #define TEST_START \
970  Packet *p = SCMalloc(SIZE_OF_PACKET);\
971  FAIL_IF_NULL(p);\
972  Flow f;\
973  ThreadVars tv;\
974  StreamTcpThread *stt = NULL;\
975  TCPHdr tcph;\
976  PacketQueue pq;\
977  memset(&pq,0,sizeof(PacketQueue));\
978  memset(p, 0, SIZE_OF_PACKET);\
979  memset (&f, 0, sizeof(Flow));\
980  memset(&tv, 0, sizeof (ThreadVars));\
981  memset(&tcph, 0, sizeof (TCPHdr));\
982 \
983  FLOW_INITIALIZE(&f);\
984  f.flags = FLOW_IPV4;\
985  f.proto = IPPROTO_TCP;\
986  p->flow = &f;\
987  p->tcph = &tcph;\
988 \
989  StreamTcpInitConfig(TRUE);\
990  IPPairInitConfig(TRUE); \
991  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
992 \
993  /* handshake */\
994  tcph.th_win = htons(5480);\
995  tcph.th_flags = TH_SYN;\
996  p->flowflags = FLOW_PKT_TOSERVER;\
997  p->payload_len = 0;\
998  p->payload = NULL;\
999  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1000  TcpSession *ssn = (TcpSession *)f.protoctx;\
1001 \
1002  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1003  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1004  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1005  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1006  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1007  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1008  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1009  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1010  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1011  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1012  FAIL_IF(ssn->data_first_seen_dir != 0);\
1013 \
1014  /* handshake */\
1015  p->tcph->th_ack = htonl(1);\
1016  p->tcph->th_flags = TH_SYN | TH_ACK;\
1017  p->flowflags = FLOW_PKT_TOCLIENT;\
1018  p->payload_len = 0;\
1019  p->payload = NULL;\
1020  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1021  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1022  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1023  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1024  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1025  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1026  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1027  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1028  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1029  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1030  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1031  FAIL_IF(ssn->data_first_seen_dir != 0);\
1032 \
1033  /* handshake */\
1034  p->tcph->th_ack = htonl(1);\
1035  p->tcph->th_seq = htonl(1);\
1036  p->tcph->th_flags = TH_ACK;\
1037  p->flowflags = FLOW_PKT_TOSERVER;\
1038  p->payload_len = 0;\
1039  p->payload = NULL;\
1040  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1041  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1042  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1043  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1044  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1045  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1046  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1047  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1048  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1049  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1050  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1051  FAIL_IF(ssn->data_first_seen_dir != 0);
1052 #define TEST_END \
1053  StreamTcpSessionClear(p->flow->protoctx);\
1054  StreamTcpThreadDeinit(&tv, (void *)stt); \
1055  StreamTcpFreeConfig(TRUE);\
1056  PACKET_DESTRUCTOR(p);\
1057  SCFree(p);\
1058  FLOW_DESTROY(&f); \
1059  StatsThreadCleanup(&tv);
1060 
1061 /**
1062  * \test GET -> HTTP/1.1
1063  */
1064 static int AppLayerTest01(void)
1065 {
1066  TEST_START;
1067 
1068  /* full request */
1069  uint8_t request[] = {
1070  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1071  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1072  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1073  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1074  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1075  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1076  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1077  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1078  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1079  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1080  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1081  p->tcph->th_ack = htonl(1);
1082  p->tcph->th_seq = htonl(1);
1083  p->tcph->th_flags = TH_PUSH | TH_ACK;
1084  p->flowflags = FLOW_PKT_TOSERVER;
1085  p->payload_len = sizeof(request);
1086  p->payload = request;
1087  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1088  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1089  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1090  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1091  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1092  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1093  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1094  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1095  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1096  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1097  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1098  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1099 
1100  /* full response - request ack */
1101  uint8_t response[] = {
1102  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1103  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1104  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1105  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1106  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1107  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1108  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1109  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1110  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1111  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1112  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1113  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1114  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1115  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1116  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1117  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1118  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1119  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1120  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1121  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1122  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1123  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1124  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1125  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1126  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1127  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1128  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1129  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1130  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1131  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1132  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1133  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1134  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1135  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1136  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1137  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1138  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1139  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1140  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1141  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1142  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1143  p->tcph->th_ack = htonl(88);
1144  p->tcph->th_seq = htonl(1);
1145  p->tcph->th_flags = TH_PUSH | TH_ACK;
1146  p->flowflags = FLOW_PKT_TOCLIENT;
1147  p->payload_len = sizeof(response);
1148  p->payload = response;
1149  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1150  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1151  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1152  FAIL_IF(f.alproto != ALPROTO_HTTP);
1153  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1154  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1155  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1156  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1157  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1158  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1159  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1160  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1161 
1162  /* response ack */
1163  p->tcph->th_ack = htonl(328);
1164  p->tcph->th_seq = htonl(88);
1165  p->tcph->th_flags = TH_ACK;
1166  p->flowflags = FLOW_PKT_TOSERVER;
1167  p->payload_len = 0;
1168  p->payload = NULL;
1169  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1170  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1171  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1172  FAIL_IF(f.alproto != ALPROTO_HTTP);
1173  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1174  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1175  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1176  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1177  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1178  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1179  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1180  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1181 
1182  TEST_END;
1183  PASS;
1184 }
1185 
1186 /**
1187  * \test GE -> T -> HTTP/1.1
1188  */
1189 static int AppLayerTest02(void)
1190 {
1191  TEST_START;
1192 
1193  /* partial request */
1194  uint8_t request1[] = { 0x47, 0x45, };
1195  p->tcph->th_ack = htonl(1);
1196  p->tcph->th_seq = htonl(1);
1197  p->tcph->th_flags = TH_PUSH | TH_ACK;
1198  p->flowflags = FLOW_PKT_TOSERVER;
1199  p->payload_len = sizeof(request1);
1200  p->payload = request1;
1201  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1202  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1203  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1204  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1205  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1206  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1207  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1208  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1209  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1210  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1211  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1212  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1213 
1214  /* response ack against partial request */
1215  p->tcph->th_ack = htonl(3);
1216  p->tcph->th_seq = htonl(1);
1217  p->tcph->th_flags = TH_ACK;
1218  p->flowflags = FLOW_PKT_TOCLIENT;
1219  p->payload_len = 0;
1220  p->payload = NULL;
1221  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1222  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1223  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1224  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1225  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1226  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1227  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1228  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1229  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1230  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1231  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1232  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1233 
1234  /* complete partial request */
1235  uint8_t request2[] = {
1236  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1237  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1238  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1239  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1240  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1241  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1242  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1243  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1244  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1245  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1246  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1247  p->tcph->th_ack = htonl(1);
1248  p->tcph->th_seq = htonl(3);
1249  p->tcph->th_flags = TH_PUSH | TH_ACK;
1250  p->flowflags = FLOW_PKT_TOSERVER;
1251  p->payload_len = sizeof(request2);
1252  p->payload = request2;
1253  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1254  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1255  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1256  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1257  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1258  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1259  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1260  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1261  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1262  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1263  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1264  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1265 
1266  /* response - request ack */
1267  uint8_t response[] = {
1268  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1269  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1270  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1271  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1272  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1273  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1274  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1275  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1276  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1277  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1278  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1279  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1280  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1281  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1282  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1283  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1284  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1285  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1286  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1287  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1288  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1289  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1290  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1291  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1292  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1293  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1294  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1295  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1296  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1297  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1298  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1299  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1300  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1301  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1302  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1303  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1304  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1305  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1306  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1307  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1308  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1309  p->tcph->th_ack = htonl(88);
1310  p->tcph->th_seq = htonl(1);
1311  p->tcph->th_flags = TH_PUSH | TH_ACK;
1312  p->flowflags = FLOW_PKT_TOCLIENT;
1313  p->payload_len = sizeof(response);
1314  p->payload = response;
1315  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1316  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1317  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1318  FAIL_IF(f.alproto != ALPROTO_HTTP);
1319  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1320  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1321  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1322  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1323  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1324  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1325  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1326  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1327 
1328  /* response ack */
1329  p->tcph->th_ack = htonl(328);
1330  p->tcph->th_seq = htonl(88);
1331  p->tcph->th_flags = TH_ACK;
1332  p->flowflags = FLOW_PKT_TOSERVER;
1333  p->payload_len = 0;
1334  p->payload = NULL;
1335  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1336  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1337  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1338  FAIL_IF(f.alproto != ALPROTO_HTTP);
1339  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1340  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1341  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1342  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1343  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1344  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1345  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1346  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1347 
1348  TEST_END;
1349  PASS;
1350 }
1351 
1352 /**
1353  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1354  */
1355 static int AppLayerTest03(void)
1356 {
1357  TEST_START;
1358 
1359  /* request */
1360  uint8_t request[] = {
1361  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1362  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1363  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1364  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1365  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1366  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1367  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1368  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1369  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1370  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1371  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1372  p->tcph->th_ack = htonl(1);
1373  p->tcph->th_seq = htonl(1);
1374  p->tcph->th_flags = TH_PUSH | TH_ACK;
1375  p->flowflags = FLOW_PKT_TOSERVER;
1376  p->payload_len = sizeof(request);
1377  p->payload = request;
1378  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1379  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1380  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1381  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1382  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1383  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1384  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1385  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1386  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1387  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1388  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1389  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1390 
1391  /* rubbish response */
1392  uint8_t response[] = {
1393  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1394  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1395  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1396  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1397  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1398  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1399  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1400  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1401  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1402  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1403  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1404  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1405  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1406  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1407  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1408  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1409  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1410  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1411  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1412  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1413  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1414  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1415  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1416  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1417  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1418  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1419  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1420  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1421  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1422  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1423  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1424  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1425  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1426  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1427  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1428  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1429  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1430  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1431  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1432  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1433  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1434  p->tcph->th_ack = htonl(88);
1435  p->tcph->th_seq = htonl(1);
1436  p->tcph->th_flags = TH_PUSH | TH_ACK;
1437  p->flowflags = FLOW_PKT_TOCLIENT;
1438  p->payload_len = sizeof(response);
1439  p->payload = response;
1440  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1441  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1442  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1443  FAIL_IF(f.alproto != ALPROTO_HTTP);
1444  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1445  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1446  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1447  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1448  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1449  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1450  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1451  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1452 
1453  /* response ack */
1454  p->tcph->th_ack = htonl(328);
1455  p->tcph->th_seq = htonl(88);
1456  p->tcph->th_flags = TH_ACK;
1457  p->flowflags = FLOW_PKT_TOSERVER;
1458  p->payload_len = 0;
1459  p->payload = NULL;
1460  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1461  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1462  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1463  FAIL_IF(f.alproto != ALPROTO_HTTP);
1464  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1465  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1466  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1467  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1468  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1469  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1470  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1471  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1472 
1473  TEST_END;
1474  PASS;
1475 }
1476 
1477 /**
1478  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1479  */
1480 static int AppLayerTest04(void)
1481 {
1482  TEST_START;
1483 
1484  /* request */
1485  uint8_t request[] = {
1486  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1487  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1488  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1489  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1490  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1491  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1492  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1493  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1494  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1495  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1496  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1497  PrintRawDataFp(stdout, request, sizeof(request));
1498  p->tcph->th_ack = htonl(1);
1499  p->tcph->th_seq = htonl(1);
1500  p->tcph->th_flags = TH_PUSH | TH_ACK;
1501  p->flowflags = FLOW_PKT_TOSERVER;
1502  p->payload_len = sizeof(request);
1503  p->payload = request;
1504  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1505  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1506  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1507  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1508  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1509  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1510  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1511  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1512  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1513  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1514  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1515  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1516 
1517  /* partial response */
1518  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1519  PrintRawDataFp(stdout, response1, sizeof(response1));
1520  p->tcph->th_ack = htonl(88);
1521  p->tcph->th_seq = htonl(1);
1522  p->tcph->th_flags = TH_PUSH | TH_ACK;
1523  p->flowflags = FLOW_PKT_TOCLIENT;
1524  p->payload_len = sizeof(response1);
1525  p->payload = response1;
1526  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1527  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1528  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1529  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1530  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1531  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1532  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1533  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1534  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1535  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1536  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1537  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1538 
1539  /* partial response ack */
1540  p->tcph->th_ack = htonl(5);
1541  p->tcph->th_seq = htonl(88);
1542  p->tcph->th_flags = TH_ACK;
1543  p->flowflags = FLOW_PKT_TOSERVER;
1544  p->payload_len = 0;
1545  p->payload = NULL;
1546  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1547  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1548  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1549  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1550  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1551  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1552  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1553  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1554  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1555  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1556  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1557  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1558 
1559  /* remaining response */
1560  uint8_t response2[] = {
1561  0x2f, 0x31, 0x2e, 0x31,
1562  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1563  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1564  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1565  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1566  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1567  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1568  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1569  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1570  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1571  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1572  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1573  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1574  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1575  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1576  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1577  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1578  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1579  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1580  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1581  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1582  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1583  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1584  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1585  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1586  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1587  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1588  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1589  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1590  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1591  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1592  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1593  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1594  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1595  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1596  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1597  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1598  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1599  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1600  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1601  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1602  PrintRawDataFp(stdout, response2, sizeof(response2));
1603  p->tcph->th_ack = htonl(88);
1604  p->tcph->th_seq = htonl(5);
1605  p->tcph->th_flags = TH_PUSH | TH_ACK;
1606  p->flowflags = FLOW_PKT_TOCLIENT;
1607  p->payload_len = sizeof(response2);
1608  p->payload = response2;
1609  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1610  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1611  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1612  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1613  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1614  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1615  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1616  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1617  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1618  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1619  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1620  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1621 
1622  /* response ack */
1623  p->tcph->th_ack = htonl(328);
1624  p->tcph->th_seq = htonl(88);
1625  p->tcph->th_flags = TH_ACK;
1626  p->flowflags = FLOW_PKT_TOSERVER;
1627  p->payload_len = 0;
1628  p->payload = NULL;
1629  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1630  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1631  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1632  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1633  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1634  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1635  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1636  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1637  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1638  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1639  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1640  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1641 
1642  TEST_END;
1643  PASS;
1644 }
1645 
1646 /**
1647  * \test RUBBISH -> HTTP/1.1
1648  */
1649 static int AppLayerTest05(void)
1650 {
1651  TEST_START;
1652 
1653  /* full request */
1654  uint8_t request[] = {
1655  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1656  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1657  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1658  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1659  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1660  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1661  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1662  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1663  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1664  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1665  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1666  PrintRawDataFp(stdout, request, sizeof(request));
1667  p->tcph->th_ack = htonl(1);
1668  p->tcph->th_seq = htonl(1);
1669  p->tcph->th_flags = TH_PUSH | TH_ACK;
1670  p->flowflags = FLOW_PKT_TOSERVER;
1671  p->payload_len = sizeof(request);
1672  p->payload = request;
1673  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1674  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1675  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1676  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1677  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1678  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1679  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1680  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1681  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1682  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1683  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1684  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1685 
1686  /* full response - request ack */
1687  uint8_t response[] = {
1688  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1689  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1690  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1691  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1692  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1693  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1694  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1695  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1696  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1697  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1698  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1699  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1700  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1701  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1702  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1703  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1704  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1705  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1706  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1707  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1708  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1709  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1710  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1711  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1712  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1713  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1714  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1715  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1716  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1717  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1718  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1719  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1720  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1721  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1722  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1723  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1724  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1725  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1726  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1727  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1728  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1729  PrintRawDataFp(stdout, response, sizeof(response));
1730  p->tcph->th_ack = htonl(88);
1731  p->tcph->th_seq = htonl(1);
1732  p->tcph->th_flags = TH_PUSH | TH_ACK;
1733  p->flowflags = FLOW_PKT_TOCLIENT;
1734  p->payload_len = sizeof(response);
1735  p->payload = response;
1736  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1737  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1738  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1739  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1740  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1741  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1742  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1743  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1744  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1745  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1746  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1747  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1748 
1749  /* response ack */
1750  p->tcph->th_ack = htonl(328);
1751  p->tcph->th_seq = htonl(88);
1752  p->tcph->th_flags = TH_ACK;
1753  p->flowflags = FLOW_PKT_TOSERVER;
1754  p->payload_len = 0;
1755  p->payload = NULL;
1756  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1757  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1758  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1759  FAIL_IF(f.alproto != ALPROTO_HTTP);
1760  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1761  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1762  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1763  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1764  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1765  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1766  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1767  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1768 
1769  TEST_END;
1770  PASS;
1771 }
1772 
1773 /**
1774  * \test HTTP/1.1 -> GET
1775  */
1776 static int AppLayerTest06(void)
1777 {
1778  TEST_START;
1779 
1780  /* full response - request ack */
1781  uint8_t response[] = {
1782  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1783  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1784  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1785  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1786  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1787  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1788  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1789  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1790  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1791  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1792  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1793  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1794  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1795  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1796  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1797  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1798  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1799  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1800  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1801  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1802  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1803  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1804  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1805  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1806  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1807  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1808  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1809  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1810  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1811  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1812  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1813  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1814  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1815  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1816  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1817  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1818  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1819  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1820  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1821  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1822  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1823  p->tcph->th_ack = htonl(1);
1824  p->tcph->th_seq = htonl(1);
1825  p->tcph->th_flags = TH_PUSH | TH_ACK;
1826  p->flowflags = FLOW_PKT_TOCLIENT;
1827  p->payload_len = sizeof(response);
1828  p->payload = response;
1829  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1830  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1831  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1832  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1833  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1834  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1835  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1836  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1837  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1838  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1839  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1840  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1841 
1842  /* full request - response ack*/
1843  uint8_t request[] = {
1844  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1845  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1846  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1847  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1848  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1849  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1850  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1851  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1852  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1853  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1854  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1855  p->tcph->th_ack = htonl(328);
1856  p->tcph->th_seq = htonl(1);
1857  p->tcph->th_flags = TH_PUSH | TH_ACK;
1858  p->flowflags = FLOW_PKT_TOSERVER;
1859  p->payload_len = sizeof(request);
1860  p->payload = request;
1861  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1862  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1863  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1864  FAIL_IF(f.alproto != ALPROTO_HTTP);
1865  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1866  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1867  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1868  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1869  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1870  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1871  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1872  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1873 
1874  p->tcph->th_ack = htonl(1 + sizeof(request));
1875  p->tcph->th_seq = htonl(328);
1876  p->tcph->th_flags = TH_PUSH | TH_ACK;
1877  p->flowflags = FLOW_PKT_TOCLIENT;
1878  p->payload_len = 0;
1879  p->payload = NULL;
1880  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1881  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1882  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1883  FAIL_IF(f.alproto != ALPROTO_HTTP);
1884  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1885  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1886  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1887  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1888  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1889  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1890  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1891  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1892 
1893  TEST_END;
1894  PASS;
1895 }
1896 
1897 /**
1898  * \test GET -> DCERPC
1899  */
1900 static int AppLayerTest07(void)
1901 {
1902  TEST_START;
1903 
1904  /* full request */
1905  uint8_t request[] = {
1906  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1907  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1908  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1909  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1910  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1911  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1912  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1913  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1914  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1915  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1916  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1917  p->tcph->th_ack = htonl(1);
1918  p->tcph->th_seq = htonl(1);
1919  p->tcph->th_flags = TH_PUSH | TH_ACK;
1920  p->flowflags = FLOW_PKT_TOSERVER;
1921  p->payload_len = sizeof(request);
1922  p->payload = request;
1923  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1924  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1925  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1926  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1927  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1928  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1929  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1930  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1931  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1932  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1933  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1934  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1935 
1936  /* full response - request ack */
1937  uint8_t response[] = {
1938  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1939  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1940  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1941  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1942  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1943  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1944  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1945  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1946  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1947  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1948  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1949  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1950  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1951  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1952  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1953  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1954  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1955  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1956  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1957  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1958  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1959  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1960  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1961  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1962  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1963  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1964  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1965  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1966  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1967  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1968  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1969  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1970  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1971  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1972  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1973  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1974  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1975  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1976  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1977  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1978  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1979  p->tcph->th_ack = htonl(88);
1980  p->tcph->th_seq = htonl(1);
1981  p->tcph->th_flags = TH_PUSH | TH_ACK;
1982  p->flowflags = FLOW_PKT_TOCLIENT;
1983  p->payload_len = sizeof(response);
1984  p->payload = response;
1985  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1986  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1987  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1988  FAIL_IF(f.alproto != ALPROTO_HTTP);
1989  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1990  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1991  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1992  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1993  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1994  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1995  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1996  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1997 
1998  /* response ack */
1999  p->tcph->th_ack = htonl(328);
2000  p->tcph->th_seq = htonl(88);
2001  p->tcph->th_flags = TH_ACK;
2002  p->flowflags = FLOW_PKT_TOSERVER;
2003  p->payload_len = 0;
2004  p->payload = NULL;
2005  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2006  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2007  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2008  FAIL_IF(f.alproto != ALPROTO_HTTP);
2009  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
2010  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2011  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2012  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2013  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2014  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2015  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2016  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2017 
2018  TEST_END;
2019  PASS;
2020 }
2021 
2022 /**
2023  * \test SMB -> HTTP/1.1
2024  */
2025 static int AppLayerTest08(void)
2026 {
2027  TEST_START;
2028 
2029  /* full request */
2030  uint8_t request[] = {
2031  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2032  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2033  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2034  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2035  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2036  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2037  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2038  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2039  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2040  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2041  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2042  p->tcph->th_ack = htonl(1);
2043  p->tcph->th_seq = htonl(1);
2044  p->tcph->th_flags = TH_PUSH | TH_ACK;
2045  p->flowflags = FLOW_PKT_TOSERVER;
2046  p->payload_len = sizeof(request);
2047  p->payload = request;
2048  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2049  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2050  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2051  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2052  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2053  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2054  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2055  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2056  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2057  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2058  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2059  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2060 
2061  /* full response - request ack */
2062  uint8_t response[] = {
2063  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2064  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2065  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2066  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2067  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2068  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2069  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2070  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2071  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2072  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2073  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2074  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2075  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2076  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2077  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2078  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2079  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2080  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2081  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2082  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2083  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2084  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2085  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2086  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2087  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2088  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2089  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2090  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2091  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2092  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2093  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2094  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2095  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2096  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2097  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2098  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2099  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2100  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2101  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2102  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2103  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2104  p->tcph->th_ack = htonl(88);
2105  p->tcph->th_seq = htonl(1);
2106  p->tcph->th_flags = TH_PUSH | TH_ACK;
2107  p->flowflags = FLOW_PKT_TOCLIENT;
2108  p->payload_len = sizeof(response);
2109  p->payload = response;
2110  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2111  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2112  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2113  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2114  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2115  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2116  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2117  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2118  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2119  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2120  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2121  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2122 
2123  /* response ack */
2124  p->tcph->th_ack = htonl(328);
2125  p->tcph->th_seq = htonl(88);
2126  p->tcph->th_flags = TH_ACK;
2127  p->flowflags = FLOW_PKT_TOSERVER;
2128  p->payload_len = 0;
2129  p->payload = NULL;
2130  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2131  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2132  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2133  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2134  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2135  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2136  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2137  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2138  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2139  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2140  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2141  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2142 
2143  TEST_END;
2144  PASS;
2145 }
2146 
2147 /**
2148  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2149  * RUBBISH(TC - PM and PP DONE) ->
2150  * RUBBISH(TS - PM and PP DONE)
2151  */
2152 static int AppLayerTest09(void)
2153 {
2154  TEST_START;
2155 
2156  /* full request */
2157  uint8_t request1[] = {
2158  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2159  p->tcph->th_ack = htonl(1);
2160  p->tcph->th_seq = htonl(1);
2161  p->tcph->th_flags = TH_PUSH | TH_ACK;
2162  p->flowflags = FLOW_PKT_TOSERVER;
2163  p->payload_len = sizeof(request1);
2164  p->payload = request1;
2165  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2166  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2167  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2168  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2169  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2170  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2171  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2172  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2173  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2174  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2175  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2176  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2177 
2178  /* response - request ack */
2179  p->tcph->th_ack = htonl(9);
2180  p->tcph->th_seq = htonl(1);
2181  p->tcph->th_flags = TH_PUSH | TH_ACK;
2182  p->flowflags = FLOW_PKT_TOCLIENT;
2183  p->payload_len = 0;
2184  p->payload = NULL;
2185  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2186  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2187  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2188  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2189  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2190  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2191  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2192  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2193  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2194  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2195  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2196  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2197 
2198  /* full request */
2199  uint8_t request2[] = {
2200  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2201  p->tcph->th_ack = htonl(1);
2202  p->tcph->th_seq = htonl(9);
2203  p->tcph->th_flags = TH_PUSH | TH_ACK;
2204  p->flowflags = FLOW_PKT_TOSERVER;
2205  p->payload_len = sizeof(request2);
2206  p->payload = request2;
2207  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2208  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2209  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2210  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2211  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2212  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2213  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2214  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2215  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2216  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2217  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2218  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2219 
2220  /* full response - request ack */
2221  uint8_t response[] = {
2222  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2223  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2224  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2225  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2226  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2227  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2228  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2229  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2230  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2231  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2232  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2233  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2234  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2235  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2236  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2237  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2238  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2239  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2240  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2241  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2242  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2243  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2244  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2245  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2246  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2247  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2248  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2249  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2250  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2251  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2252  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2253  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2254  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2255  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2256  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2257  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2258  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2259  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2260  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2261  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2262  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2263  p->tcph->th_ack = htonl(18);
2264  p->tcph->th_seq = htonl(1);
2265  p->tcph->th_flags = TH_PUSH | TH_ACK;
2266  p->flowflags = FLOW_PKT_TOCLIENT;
2267  p->payload_len = sizeof(response);
2268  p->payload = response;
2269  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2270  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2271  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2272  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2273  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2274  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2275  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2276  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2277  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2278  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2279  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2280  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2281 
2282  /* response ack */
2283  p->tcph->th_ack = htonl(328);
2284  p->tcph->th_seq = htonl(18);
2285  p->tcph->th_flags = TH_ACK;
2286  p->flowflags = FLOW_PKT_TOSERVER;
2287  p->payload_len = 0;
2288  p->payload = NULL;
2289  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2290  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2291  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2292  FAIL_IF(f.alproto != ALPROTO_FAILED);
2293  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2294  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2295  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2296  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2297  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2298  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2299  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2300  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2301 
2302  TEST_END;
2303  PASS;
2304 }
2305 
2306 /**
2307  * \test RUBBISH(TC - PM and PP DONE) ->
2308  * RUBBISH(TS - PM and PP DONE)
2309  */
2310 static int AppLayerTest10(void)
2311 {
2312  TEST_START;
2313 
2314  /* full request */
2315  uint8_t request1[] = {
2316  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2317  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2318  p->tcph->th_ack = htonl(1);
2319  p->tcph->th_seq = htonl(1);
2320  p->tcph->th_flags = TH_PUSH | TH_ACK;
2321  p->flowflags = FLOW_PKT_TOSERVER;
2322  p->payload_len = sizeof(request1);
2323  p->payload = request1;
2324  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2325  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2326  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2327  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2328  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2329  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2330  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2331  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2332  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2333  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2334  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2335  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2336 
2337  /* response - request ack */
2338  p->tcph->th_ack = htonl(18);
2339  p->tcph->th_seq = htonl(1);
2340  p->tcph->th_flags = TH_PUSH | TH_ACK;
2341  p->flowflags = FLOW_PKT_TOCLIENT;
2342  p->payload_len = 0;
2343  p->payload = NULL;
2344  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2345  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2346  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2347  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2348  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2349  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2350  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2351  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2352  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2353  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2354  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2355  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2356 
2357  /* full response - request ack */
2358  uint8_t response[] = {
2359  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2360  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2361  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2362  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2363  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2364  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2365  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2366  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2367  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2368  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2369  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2370  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2371  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2372  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2373  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2374  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2375  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2376  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2377  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2378  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2379  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2380  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2381  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2382  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2383  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2384  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2385  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2386  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2387  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2388  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2389  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2390  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2391  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2392  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2393  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2394  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2395  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2396  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2397  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2398  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2399  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2400  p->tcph->th_ack = htonl(18);
2401  p->tcph->th_seq = htonl(1);
2402  p->tcph->th_flags = TH_PUSH | TH_ACK;
2403  p->flowflags = FLOW_PKT_TOCLIENT;
2404  p->payload_len = sizeof(response);
2405  p->payload = response;
2406  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2407  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2408  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2409  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2410  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2411  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2412  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2413  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2414  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2415  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2416  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2417  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2418 
2419  /* response ack */
2420  p->tcph->th_ack = htonl(328);
2421  p->tcph->th_seq = htonl(18);
2422  p->tcph->th_flags = TH_ACK;
2423  p->flowflags = FLOW_PKT_TOSERVER;
2424  p->payload_len = 0;
2425  p->payload = NULL;
2426  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2427  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2428  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2429  FAIL_IF(f.alproto != ALPROTO_FAILED);
2430  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2431  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2432  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2433  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2434  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2435  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2436  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2437  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2438 
2439  TEST_END;
2440  PASS;
2441 }
2442 
2443 /**
2444  * \test RUBBISH(TC - PM and PP DONE) ->
2445  * RUBBISH(TS - PM and PP NOT DONE) ->
2446  * RUBBISH(TS - PM and PP DONE)
2447  */
2448 static int AppLayerTest11(void)
2449 {
2450  TEST_START;
2451 
2452  /* full request */
2453  uint8_t request1[] = {
2454  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2455  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2456  p->tcph->th_ack = htonl(1);
2457  p->tcph->th_seq = htonl(1);
2458  p->tcph->th_flags = TH_PUSH | TH_ACK;
2459  p->flowflags = FLOW_PKT_TOSERVER;
2460  p->payload_len = sizeof(request1);
2461  p->payload = request1;
2462  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2463  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2464  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2465  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2466  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2467  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2468  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2469  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2470  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2471  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2472  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2473  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2474 
2475  /* response - request ack */
2476  p->tcph->th_ack = htonl(18);
2477  p->tcph->th_seq = htonl(1);
2478  p->tcph->th_flags = TH_PUSH | TH_ACK;
2479  p->flowflags = FLOW_PKT_TOCLIENT;
2480  p->payload_len = 0;
2481  p->payload = NULL;
2482  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2483  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2484  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2485  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2486  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2487  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2488  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2489  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2490  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2491  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2492  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2493  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2494 
2495  /* full response - request ack */
2496  uint8_t response1[] = {
2497  0x55, 0x74, 0x54, 0x50, };
2498  p->tcph->th_ack = htonl(18);
2499  p->tcph->th_seq = htonl(1);
2500  p->tcph->th_flags = TH_PUSH | TH_ACK;
2501  p->flowflags = FLOW_PKT_TOCLIENT;
2502  p->payload_len = sizeof(response1);
2503  p->payload = response1;
2504  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2505  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2506  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2507  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2508  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2509  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2510  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2511  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2512  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2513  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2514  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2515  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2516 
2517  /* response ack from request */
2518  p->tcph->th_ack = htonl(5);
2519  p->tcph->th_seq = htonl(18);
2520  p->tcph->th_flags = TH_ACK;
2521  p->flowflags = FLOW_PKT_TOSERVER;
2522  p->payload_len = 0;
2523  p->payload = NULL;
2524  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2525  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2526  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2527  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2528  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2529  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2530  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2531  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2532  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2533  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2534  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2535  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2536 
2537  uint8_t response2[] = {
2538  0x2f, 0x31, 0x2e, 0x31,
2539  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2540  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2541  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2542  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2543  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2544  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2545  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2546  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2547  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2548  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2549  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2550  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2551  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2552  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2553  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2554  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2555  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2556  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2557  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2558  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2559  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2560  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2561  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2562  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2563  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2564  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2565  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2566  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2567  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2568  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2569  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2570  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2571  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2572  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2573  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2574  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2575  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2576  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2577  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2578  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2579  p->tcph->th_ack = htonl(18);
2580  p->tcph->th_seq = htonl(5);
2581  p->tcph->th_flags = TH_PUSH | TH_ACK;
2582  p->flowflags = FLOW_PKT_TOCLIENT;
2583  p->payload_len = sizeof(response2);
2584  p->payload = response2;
2585  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2586  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2587  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2588  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2589  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2590  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2591  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2592  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2593  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2594  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2595  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2596  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2597 
2598  /* response ack from request */
2599  p->tcph->th_ack = htonl(328);
2600  p->tcph->th_seq = htonl(18);
2601  p->tcph->th_flags = TH_ACK;
2602  p->flowflags = FLOW_PKT_TOSERVER;
2603  p->payload_len = 0;
2604  p->payload = NULL;
2605  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2606  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2607  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2608  FAIL_IF(f.alproto != ALPROTO_FAILED);
2609  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2610  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2611  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2612  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2613  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2614  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2615  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2616  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2617 
2618  TEST_END;
2619  PASS;
2620 }
2621 
2622 void AppLayerUnittestsRegister(void)
2623 {
2624  SCEnter();
2625 
2626  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2627  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2628  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2629  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2630  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2631  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2632  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2633  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2634  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2635  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2636  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2637 
2638  SCReturn;
2639 }
2640 
2641 #endif /* UNITTESTS */
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2064
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:418
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
FlowSwap
void FlowSwap(Flow *f)
swap the flow&#39;s direction
Definition: flow.c:289
TcpSession_
Definition: stream-tcp-private.h:259
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1763
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:411
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:568
TEST_END
#define TEST_END
Definition: app-layer.c:1052
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:81
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
Flow_::proto
uint8_t proto
Definition: flow.h:344
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:809
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1565
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:243
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:197
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:859
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1489
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:378
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:336
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:186
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:880
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:212
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:794
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:66
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:562
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:70
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:171
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:523
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:247
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:864
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:760
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1794
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:271
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:64
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:157
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:774
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:351
Flow_::protoctx
void * protoctx
Definition: flow.h:400
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:118
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1528
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:67
AppLayerCounters_
Definition: app-layer.c:80
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:943
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4762
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:415
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:410
str
#define str(s)
Definition: suricata-common.h:256
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:258
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:82
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:821
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:248
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:270
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1118
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2622
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1399
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:38
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:177
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:253
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:277
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1001
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:439
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:264
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:275
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Packet_
Definition: decode.h:408
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1868
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:219
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:563
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:954
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
TcpStream_
Definition: stream-tcp-private.h:94
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2047
SCFree
#define SCFree(a)
Definition: util-mem.h:322
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:268
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:249
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:843
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:871
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:161
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1184
STREAM_START
#define STREAM_START
Definition: stream.h:29
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:881
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
TEST_START
#define TEST_START
Definition: app-layer.c:969
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:199
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:256
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6248
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:767
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2010
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:257
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1108
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:689
SCReturn
#define SCReturn
Definition: util-debug.h:339
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1956
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
Packet_::flags
uint32_t flags
Definition: decode.h:444
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:147
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:65
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6242
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2069
AppLayerCounterNames_
Definition: app-layer.c:75
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:279
Flow_::protomap
uint8_t protomap
Definition: flow.h:404
Flow_
Flow data structure.
Definition: flow.h:325
Packet_::payload
uint8_t * payload
Definition: decode.h:541
Flow_::flags
uint32_t flags
Definition: flow.h:379
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:927
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1092
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:188
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1119
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186