suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-frames.h"
36 #include "stream-tcp-reassemble.h"
37 #include "stream-tcp-private.h"
38 #include "stream-tcp-inline.h"
39 #include "stream-tcp.h"
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-private.h"
43 #include "ippair.h"
44 
45 #include "util-debug.h"
46 #include "util-print.h"
47 #include "util-profiling.h"
48 #include "util-validate.h"
49 #include "decode-events.h"
50 
51 #include "app-layer-htp-mem.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
57 struct AppLayerThreadCtx_ {
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  AppLayerProtoDetectThreadCtx *alpd_tctx;
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61  AppLayerParserThreadCtx *alp_tctx;
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
67  AppProto alproto;
68  uint64_t proto_detect_ticks_start;
69  uint64_t proto_detect_ticks_end;
70  uint64_t proto_detect_ticks_spent;
71 #endif
72 };
73 
74 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
75 
76 #define MAX_COUNTER_SIZE 64
77 typedef struct AppLayerCounterNames_ {
78  char name[MAX_COUNTER_SIZE];
79  char tx_name[MAX_COUNTER_SIZE];
80  char gap_error[MAX_COUNTER_SIZE];
81  char parser_error[MAX_COUNTER_SIZE];
82  char internal_error[MAX_COUNTER_SIZE];
83  char alloc_error[MAX_COUNTER_SIZE];
84 } AppLayerCounterNames;
85 
86 typedef struct AppLayerCounters_ {
87  uint16_t counter_id;
88  uint16_t counter_tx_id;
89  uint16_t gap_error_id;
90  uint16_t parser_error_id;
91  uint16_t internal_error_id;
92  uint16_t alloc_error_id;
93 } AppLayerCounters;
94 
95 /* counter names. Only used at init. */
96 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
97 /* counter id's. Used that runtime. */
98 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
99 
100 void AppLayerSetupCounters(void);
101 void AppLayerDeSetupCounters(void);
102 
103 /***** L7 layer dispatchers *****/
104 
105 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
106  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
107  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
108  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
109 }
110 
111 /**
112  * \note id can be 0 if protocol parser is disabled but detection
113  * is enabled.
114  */
115 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
116 {
117  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
118  if (likely(tv && id > 0)) {
119  StatsIncr(tv, id);
120  }
121 }
122 
123 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
124 {
125  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
126  if (likely(tv && id > 0)) {
127  StatsAddUI64(tv, id, step);
128  }
129 }
130 
131 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
132 {
133  const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id;
134  if (likely(tv && id > 0)) {
135  StatsIncr(tv, id);
136  }
137 }
138 
139 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
140 {
141  const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id;
142  if (likely(tv && id > 0)) {
143  StatsIncr(tv, id);
144  }
145 }
146 
147 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
148 {
149  const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id;
150  if (likely(tv && id > 0)) {
151  StatsIncr(tv, id);
152  }
153 }
154 
155 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
156 {
157  const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id;
158  if (likely(tv && id > 0)) {
159  StatsIncr(tv, id);
160  }
161 }
162 
163 /* in IDS mode protocol detection is done in reverse order:
164  * when TCP data is ack'd. We want to flag the correct packet,
165  * so in this case we set a flag in the flow so that the first
166  * packet in the correct direction can be tagged.
167  *
168  * For IPS we update packet and flow. */
169 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
170 {
171  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
172  if (flags & STREAM_TOSERVER) {
173  if (p->flowflags & FLOW_PKT_TOSERVER) {
174  p->flags |= PKT_PROTO_DETECT_TS_DONE;
175  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
176  } else {
177  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
178  }
179  } else {
180  if (p->flowflags & FLOW_PKT_TOCLIENT) {
181  p->flags |= PKT_PROTO_DETECT_TC_DONE;
182  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
183  } else {
184  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
185  }
186  }
187  } else {
188  if (flags & STREAM_TOSERVER) {
189  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
190  } else {
191  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
192  }
193  }
194 }
195 
196 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
197 {
198  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
199  f, f->alproto, f->alproto_ts, f->alproto_tc);
200  FlowCleanupAppLayer(f);
201  StreamTcpDisableAppLayer(f);
202  TcpSession *ssn = f->protoctx;
203  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
204  f->alproto = ALPROTO_FAILED;
205  AppLayerIncFlowCounter(tv, f);
206 
207  if (f->alproto_tc != ALPROTO_FAILED) {
208  if (f->alproto_tc == ALPROTO_UNKNOWN) {
209  f->alproto_tc = ALPROTO_FAILED;
210  }
211  FlagPacketFlow(p, f, STREAM_TOCLIENT);
212  }
213  if (f->alproto_ts != ALPROTO_FAILED) {
214  if (f->alproto_ts == ALPROTO_UNKNOWN) {
215  f->alproto_ts = ALPROTO_FAILED;
216  }
217  FlagPacketFlow(p, f, STREAM_TOSERVER);
218  }
219  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
220  f, f->alproto, f->alproto_ts, f->alproto_tc);
221 }
222 
223 /* See if we're going to have to give up:
224  *
225  * If we're getting a lot of data in one direction and the
226  * proto for this direction is unknown, proto detect will
227  * hold up segments in the segment list in the stream.
228  * They are held so that if we detect the protocol on the
229  * opposing stream, we can still parse this side of the stream
230  * as well. However, some sessions are very unbalanced. FTP
231  * data channels, large PUT/POST request and many others, can
232  * lead to cases where we would have to store many megabytes
233  * worth of segments before we see the opposing stream. This
234  * leads to risks of resource starvation.
235  *
236  * Here a cutoff point is enforced. If we've stored 100k in
237  * one direction and we've seen no data in the other direction,
238  * we give up.
239  *
240  * Giving up means we disable applayer an set an applayer event
241  */
242 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
243  Flow *f, TcpSession *ssn, Packet *p)
244 {
245  if (ssn->state < TCP_ESTABLISHED) {
246  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
247  return;
248  }
249 
250  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
251  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
252  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
253 
254  /* at least 100000 whatever the conditions
255  * and can be more if window is bigger and if configuration allows it */
256  const uint32_t size_tc_limit =
257  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
258  const uint32_t size_ts_limit =
259  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
260 
261  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
262  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
263  {
264  goto failure;
265 
266  /* we bail out whatever the pp and pm states if
267  * we received too much data */
268  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
269  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
270  goto failure;
271 
272  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
273  size_ts > size_ts_limit && size_tc == 0) {
274  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
275  APPLAYER_PROTO_DETECTION_SKIPPED);
276  goto failure;
277 
278  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
279  size_tc > size_tc_limit && size_ts == 0) {
280  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
281  APPLAYER_PROTO_DETECTION_SKIPPED);
282  goto failure;
283 
284  /* little data in ts direction, pp done, pm not done (max
285  * depth not reached), ts direction done, lots of data in
286  * tc direction. */
287  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
288  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
289  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
290  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
291  APPLAYER_PROTO_DETECTION_SKIPPED);
292  goto failure;
293 
294  /* little data in tc direction, pp done, pm not done (max
295  * depth not reached), tc direction done, lots of data in
296  * ts direction. */
297  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
298  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
299  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
300  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
301  APPLAYER_PROTO_DETECTION_SKIPPED);
302  goto failure;
303  }
304  return;
305 
306 failure:
307  DisableAppLayer(tv, f, p);
308  return;
309 }
310 
311 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
312  Packet *p, TcpSession *ssn, const TcpStream *stream)
313 {
314  TcpStream *opposing_stream = NULL;
315  if (stream == &ssn->client) {
316  opposing_stream = &ssn->server;
317  } else {
318  opposing_stream = &ssn->client;
319  }
320 
321  /* if the opposing side is not going to work, then
322  * we just have to give up. */
323  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
324  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
325  return -1;
326  }
327 
328  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
329  UPDATE_DIR_OPPOSING :
330  UPDATE_DIR_PACKET;
331  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
332  opposing_stream, p, dir);
333  return ret;
334 }
335 
336 /** \todo data const
337  * \retval int -1 error
338  * \retval int 0 ok
339  */
340 static int TCPProtoDetect(ThreadVars *tv,
341  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
342  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
343  uint8_t *data, uint32_t data_len, uint8_t flags)
344 {
345  AppProto *alproto;
346  AppProto *alproto_otherdir;
347  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
348 
349  if (flags & STREAM_TOSERVER) {
350  alproto = &f->alproto_ts;
351  alproto_otherdir = &f->alproto_tc;
352  } else {
353  alproto = &f->alproto_tc;
354  alproto_otherdir = &f->alproto_ts;
355  }
356 
357  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
358 #ifdef PRINT
359  if (data_len > 0) {
360  printf("=> Init Stream Data (app layer) -- start %s%s\n",
361  flags & STREAM_TOCLIENT ? "toclient" : "",
362  flags & STREAM_TOSERVER ? "toserver" : "");
363  PrintRawDataFp(stdout, data, data_len);
364  printf("=> Init Stream Data -- end\n");
365  }
366 #endif
367 
368  bool reverse_flow = false;
369  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
370  PACKET_PROFILING_APP_PD_START(app_tctx);
371  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
372  f, data, data_len,
373  IPPROTO_TCP, flags, &reverse_flow);
374  PACKET_PROFILING_APP_PD_END(app_tctx);
375  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
376 
377  if (*alproto != ALPROTO_UNKNOWN) {
378  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
379  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
380  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
381 
382  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
383  /* if we already invoked the parser, we go with that proto */
384  f->alproto = *alproto_otherdir;
385  } else {
386  /* no data sent to parser yet, we can still choose
387  * we're trusting the server more. */
388  if (flags & STREAM_TOCLIENT)
389  f->alproto = *alproto;
390  else
391  f->alproto = *alproto_otherdir;
392  }
393  } else {
394  f->alproto = *alproto;
395  }
396 
397  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
398  TcpSessionSetReassemblyDepth(ssn,
399  AppLayerParserGetStreamDepth(f));
400  FlagPacketFlow(p, f, flags);
401 
402  /* if protocol detection indicated that we need to reverse
403  * the direction of the flow, do it now. We flip the flow,
404  * packet and the direction flags */
405  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
406  /* but only if we didn't already detect it on the other side. */
407  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
408  SCLogDebug("reversing flow after proto detect told us so");
409  PacketSwap(p);
410  FlowSwap(f);
411  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
412  if (*stream == &ssn->client) {
413  *stream = &ssn->server;
414  } else {
415  *stream = &ssn->client;
416  }
417  direction = 1 - direction;
418  } else {
419  // TODO event, error?
420  }
421  }
422 
423  /* account flow if we have both sides */
424  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
425  AppLayerIncFlowCounter(tv, f);
426  }
427 
428  /* if we have seen data from the other direction first, send
429  * data for that direction first to the parser. This shouldn't
430  * be an issue, since each stream processing happens
431  * independently of the other stream direction. At this point of
432  * call, you need to know that this function's already being
433  * called by the very same StreamReassembly() function that we
434  * will now call shortly for the opposing direction. */
435  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
436  !(flags & ssn->data_first_seen_dir))
437  {
438  SCLogDebug("protocol %s needs first data in other direction",
439  AppProtoToString(*alproto));
440 
441  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
442  p, ssn, *stream) != 0)
443  {
444  DisableAppLayer(tv, f, p);
445  SCReturnInt(-1);
446  }
447  if (FlowChangeProto(f)) {
448  /* We have the first data which requested a protocol change from P1 to P2
449  * even if it was not recognized at first as being P1
450  * As the second data was recognized as P1, the protocol did not change !
451  */
452  FlowUnsetChangeProtoFlag(f);
453  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
454  APPLAYER_UNEXPECTED_PROTOCOL);
455  }
456  }
457 
458  /* if the parser operates such that it needs to see data from
459  * a particular direction first, we check if we have seen
460  * data from that direction first for the flow. IF it is not
461  * the same, we set an event and exit.
462  *
463  * \todo We need to figure out a more robust solution for this,
464  * as this can lead to easy evasion tactics, where the
465  * attackeer can first send some dummy data in the wrong
466  * direction first to mislead our proto detection process.
467  * While doing this we need to update the parsers as well,
468  * since the parsers must be robust to see such wrong
469  * direction data.
470  * Either ways the moment we see the
471  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
472  * flow, it shows something's fishy.
473  */
474  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
475  uint8_t first_data_dir;
476  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
477 
478  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
479  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
480  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
481  DisableAppLayer(tv, f, p);
482  SCReturnInt(-1);
483  }
484  /* This can happen if the current direction is not the
485  * right direction, and the data from the other(also
486  * the right direction) direction is available to be sent
487  * to the app layer, but it is not ack'ed yet and hence
488  * the forced call to STreamTcpAppLayerReassemble still
489  * hasn't managed to send data from the other direction
490  * to the app layer. */
491  if (first_data_dir && !(first_data_dir & flags)) {
492  FlowCleanupAppLayer(f);
493  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
494  FLOW_RESET_PP_DONE(f, flags);
495  FLOW_RESET_PM_DONE(f, flags);
496  FLOW_RESET_PE_DONE(f, flags);
497  SCReturnInt(-1);
498  }
499  }
500 
501  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
502  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
503 
504  /* finally, invoke the parser */
505  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
506  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
507  flags, data, data_len);
508  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
509  if (r != 1) {
510  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
511  }
512  if (r < 0) {
513  SCReturnInt(-1);
514  }
515  } else {
516  /* if the ssn is midstream, we may end up with a case where the
517  * start of an HTTP request is missing. We won't detect HTTP based
518  * on the request. However, the reply is fine, so we detect
519  * HTTP anyway. This leads to passing the incomplete request to
520  * the htp parser.
521  *
522  * This has been observed, where the http parser then saw many
523  * bogus requests in the incomplete data.
524  *
525  * To counter this case, a midstream session MUST find it's
526  * protocol in the toserver direction. If not, we assume the
527  * start of the request/toserver is incomplete and no reliable
528  * detection and parsing is possible. So we give up.
529  */
530  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
531  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
532  {
533  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
534  SCLogDebug("midstream end pd %p", ssn);
535  /* midstream and toserver detection failed: give up */
536  DisableAppLayer(tv, f, p);
537  SCReturnInt(0);
538  }
539  }
540 
541  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
542  uint8_t first_data_dir;
543  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
544 
545  /* this would handle this test case -
546  * http parser which says it wants to see toserver data first only.
547  * tcp handshake
548  * toclient data first received. - RUBBISH DATA which
549  * we don't detect as http
550  * toserver data next sent - we detect this as http.
551  * at this stage we see that toclient is the first data seen
552  * for this session and we try and redetect the app protocol,
553  * but we are unable to detect the app protocol like before.
554  * But since we have managed to detect the protocol for the
555  * other direction as http, we try to use that. At this
556  * stage we check if the direction of this stream matches
557  * to that acceptable by the app parser. If it is not the
558  * acceptable direction we error out.
559  */
560  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
561  (first_data_dir) && !(first_data_dir & flags))
562  {
563  DisableAppLayer(tv, f, p);
564  SCReturnInt(-1);
565  }
566 
567  /* if protocol detection is marked done for our direction we
568  * pass our data on. We're only succeeded in finding one
569  * direction: the opposing stream
570  *
571  * If PD was not yet complete, we don't do anything.
572  */
573  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
574  if (data_len > 0)
575  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
576 
577  if (*alproto_otherdir != ALPROTO_FAILED) {
578  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
579  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
580  f->alproto, flags,
581  data, data_len);
582  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
583  if (r != 1) {
584  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
585  }
586 
587  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
588  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
589  TcpSessionSetReassemblyDepth(ssn,
590  AppLayerParserGetStreamDepth(f));
591 
592  *alproto = *alproto_otherdir;
593  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
594  p->pcap_cnt, *alproto, *alproto_otherdir, r);
595  if (r < 0) {
596  SCReturnInt(-1);
597  }
598  }
599  *alproto = ALPROTO_FAILED;
600  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
601  AppLayerIncFlowCounter(tv, f);
602  FlagPacketFlow(p, f, flags);
603 
604  }
605  } else {
606  /* both sides unknown, let's see if we need to give up */
607  if (FlowChangeProto(f)) {
608  /* TCPProtoDetectCheckBailConditions does not work well because
609  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
610  * so, we set a lower limit to the data we inspect
611  * We could instead have set ssn->server.sb.stream_offset = 0;
612  */
613  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
614  DisableAppLayer(tv, f, p);
615  }
616  } else {
617  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
618  }
619  }
620  }
621  SCReturnInt(0);
622 }
623 
624 /** \brief handle TCP data for the app-layer.
625  *
626  * First run protocol detection and then when the protocol is known invoke
627  * the app layer parser.
628  *
629  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
630  * reversed.
631  */
632 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
633  Packet *p, Flow *f,
634  TcpSession *ssn, TcpStream **stream,
635  uint8_t *data, uint32_t data_len,
636  uint8_t flags)
637 {
638  SCEnter();
639 
640  DEBUG_ASSERT_FLOW_LOCKED(f);
641  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
642 
643  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
644  AppProto alproto;
645  int r = 0;
646 
647  SCLogDebug("data_len %u flags %02X", data_len, flags);
648  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
649  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
650  goto end;
651  }
652 
653  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
654 
655  if (flags & STREAM_TOSERVER) {
656  alproto = f->alproto_ts;
657  } else {
658  alproto = f->alproto_tc;
659  }
660 
661  /* If a gap notification, relay the notification on to the
662  * app-layer if known. */
663  if (flags & STREAM_GAP) {
664  if (alproto == ALPROTO_UNKNOWN) {
665  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
666  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
667  /* if the other side didn't already find the proto, we're done */
668  if (f->alproto == ALPROTO_UNKNOWN) {
669  goto failure;
670  }
671  }
672  if (FlowChangeProto(f)) {
673  FlowUnsetChangeProtoFlag(f);
674  SCLogDebug("Cannot handle gap while changing protocol");
675  goto failure;
676  }
677  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
678  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
679  flags, data, data_len);
680  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
681  /* ignore parser result for gap */
682  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
683  goto end;
684  }
685 
686  /* if we don't know the proto yet and we have received a stream
687  * initializer message, we run proto detection.
688  * We receive 2 stream init msgs (one for each direction), we
689  * only run the proto detection for both and emit an event
690  * in the case protocols mismatch. */
691  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
692  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
693  /* run protocol detection */
694  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
695  data, data_len, flags) != 0) {
696  goto failure;
697  }
698  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
699  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
700  void *alstate_orig = f->alstate;
701  AppLayerParserState *alparser = f->alparser;
702  // we delay AppLayerParserStateCleanup because we may need previous parser state
703  AppLayerProtoDetectReset(f);
704  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
705  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
706  /* rerun protocol detection */
707  int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
708  if (f->alproto == ALPROTO_UNKNOWN) {
709  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
710  // not enough data, revert AppLayerProtoDetectReset to rerun detection
711  f->alparser = alparser;
712  f->alproto = f->alproto_orig;
713  f->alproto_tc = f->alproto_orig;
714  f->alproto_ts = f->alproto_orig;
715  } else {
716  FlowUnsetChangeProtoFlag(f);
717  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
718  if (alstate_orig == f->alstate) {
719  // we just freed it
720  f->alstate = NULL;
721  }
722  }
723  if (rd != 0) {
724  SCLogDebug("proto detect failure");
725  goto failure;
726  }
727  SCLogDebug("protocol change, old %s, new %s",
728  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
729 
730  if (f->alproto_expect != ALPROTO_UNKNOWN &&
731  f->alproto != f->alproto_expect)
732  {
733  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
734  APPLAYER_UNEXPECTED_PROTOCOL);
735 
736  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
737  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
738  APPLAYER_NO_TLS_AFTER_STARTTLS);
739 
740  }
741  }
742  } else {
743  SCLogDebug("stream data (len %" PRIu32 " alproto "
744  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
745 #ifdef PRINT
746  if (data_len > 0) {
747  printf("=> Stream Data (app layer) -- start %s%s\n",
748  flags & STREAM_TOCLIENT ? "toclient" : "",
749  flags & STREAM_TOSERVER ? "toserver" : "");
750  PrintRawDataFp(stdout, data, data_len);
751  printf("=> Stream Data -- end\n");
752  }
753 #endif
754  /* if we don't have a data object here we are not getting it
755  * a start msg should have gotten us one */
756  if (f->alproto != ALPROTO_UNKNOWN) {
757  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
758  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
759  flags, data, data_len);
760  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
761  if (r != 1) {
762  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
763  }
764  }
765  }
766 
767  goto end;
768  failure:
769  r = -1;
770  end:
771  SCReturnInt(r);
772 }
773 
774 /**
775  * \brief Handle a app layer UDP message
776  *
777  * If the protocol is yet unknown, the proto detection code is run first.
778  *
779  * \param dp_ctx Thread app layer detect context
780  * \param f *locked* flow
781  * \param p UDP packet
782  *
783  * \retval 0 ok
784  * \retval -1 error
785  */
786 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
787 {
788  SCEnter();
789  AppProto *alproto;
790  AppProto *alproto_otherdir;
791 
792  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
793  SCReturnInt(0);
794  }
795 
796  int r = 0;
797  uint8_t flags = 0;
798  if (p->flowflags & FLOW_PKT_TOSERVER) {
799  flags |= STREAM_TOSERVER;
800  alproto = &f->alproto_ts;
801  alproto_otherdir = &f->alproto_tc;
802  } else {
803  flags |= STREAM_TOCLIENT;
804  alproto = &f->alproto_tc;
805  alproto_otherdir = &f->alproto_ts;
806  }
807 
808  AppLayerProfilingReset(tctx);
809 
810  /* if the protocol is still unknown, run detection */
811  if (*alproto == ALPROTO_UNKNOWN) {
812  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
813  p->payload_len);
814 
815  bool reverse_flow = false;
816  PACKET_PROFILING_APP_PD_START(tctx);
817  *alproto = AppLayerProtoDetectGetProto(
818  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
819  PACKET_PROFILING_APP_PD_END(tctx);
820 
821  switch (*alproto) {
822  case ALPROTO_UNKNOWN:
823  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
824  // Use recognized side
825  f->alproto = *alproto_otherdir;
826  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
827  *alproto = *alproto_otherdir;
828  if (*alproto_otherdir == ALPROTO_FAILED) {
829  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
830  }
831  } else {
832  // First side of protocol is unknown
833  *alproto = ALPROTO_FAILED;
834  }
835  break;
836  case ALPROTO_FAILED:
837  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
838  // Use recognized side
839  f->alproto = *alproto_otherdir;
840  if (*alproto_otherdir == ALPROTO_FAILED) {
841  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
842  }
843  }
844  // else wait for second side of protocol
845  break;
846  default:
847  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
848  if (*alproto_otherdir != *alproto) {
849  AppLayerDecoderEventsSetEventRaw(
850  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
851  // data already sent to parser, we cannot change the protocol to use the one
852  // of the server
853  }
854  } else {
855  f->alproto = *alproto;
856  }
857  }
858  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
859  if (f->alproto == ALPROTO_UNKNOWN) {
860  // so as to increase stat about .app_layer.flow.failed_udp
861  f->alproto = ALPROTO_FAILED;
862  }
863  // If the other side is unknown, this is the first packet of the flow
864  AppLayerIncFlowCounter(tv, f);
865  }
866 
867  // parse the data if we recognized one protocol
868  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
869  if (reverse_flow) {
870  SCLogDebug("reversing flow after proto detect told us so");
871  PacketSwap(p);
872  FlowSwap(f);
873  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
874  }
875 
876  PACKET_PROFILING_APP_START(tctx, f->alproto);
877  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
878  flags, p->payload, p->payload_len);
879  PACKET_PROFILING_APP_END(tctx, f->alproto);
880  }
881  PACKET_PROFILING_APP_STORE(tctx, p);
882  /* we do only inspection in one direction, so flag both
883  * sides as done here */
884  FlagPacketFlow(p, f, STREAM_TOSERVER);
885  FlagPacketFlow(p, f, STREAM_TOCLIENT);
886  } else {
887  SCLogDebug("data (len %" PRIu32 " ), alproto "
888  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
889 
890  /* run the parser */
891  PACKET_PROFILING_APP_START(tctx, f->alproto);
892  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
893  flags, p->payload, p->payload_len);
894  PACKET_PROFILING_APP_END(tctx, f->alproto);
895  PACKET_PROFILING_APP_STORE(tctx, p);
896  }
897 
898  SCReturnInt(r);
899 }
900 
901 /***** Utility *****/
902 
903 AppProto AppLayerGetProtoByName(char *alproto_name)
904 {
905  SCEnter();
906  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
907  SCReturnCT(r, "AppProto");
908 }
909 
910 const char *AppLayerGetProtoName(AppProto alproto)
911 {
912  SCEnter();
913  const char * r = AppLayerProtoDetectGetProtoName(alproto);
914  SCReturnCT(r, "char *");
915 }
916 
917 void AppLayerListSupportedProtocols(void)
918 {
919  SCEnter();
920 
921  AppProto alproto;
922  AppProto alprotos[ALPROTO_MAX];
923 
924  AppLayerProtoDetectSupportedAppProtocols(alprotos);
925 
926  printf("=========Supported App Layer Protocols=========\n");
927  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
928  if (alprotos[alproto] == 1)
929  printf("%s\n", AppLayerGetProtoName(alproto));
930  }
931 
932  SCReturn;
933 }
934 
935 /***** Setup/General Registration *****/
936 
937 int AppLayerSetup(void)
938 {
939  SCEnter();
940 
941  AppLayerProtoDetectSetup();
942  AppLayerParserSetup();
943 
944  AppLayerParserRegisterProtocolParsers();
945  AppLayerProtoDetectPrepareState();
946 
947  AppLayerSetupCounters();
948 
949  SCReturnInt(0);
950 }
951 
952 int AppLayerDeSetup(void)
953 {
954  SCEnter();
955 
956  AppLayerProtoDetectDeSetup();
957  AppLayerParserDeSetup();
958 
959  AppLayerDeSetupCounters();
960 
961  SCReturnInt(0);
962 }
963 
964 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
965 {
966  SCEnter();
967 
968  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
969  if (app_tctx == NULL)
970  goto error;
971  memset(app_tctx, 0, sizeof(*app_tctx));
972 
973  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
974  goto error;
975  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
976  goto error;
977 
978  goto done;
979  error:
980  AppLayerDestroyCtxThread(app_tctx);
981  app_tctx = NULL;
982  done:
983  SCReturnPtr(app_tctx, "void *");
984 }
985 
986 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
987 {
988  SCEnter();
989 
990  if (app_tctx == NULL)
991  SCReturn;
992 
993  if (app_tctx->alpd_tctx != NULL)
994  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
995  if (app_tctx->alp_tctx != NULL)
996  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
997  SCFree(app_tctx);
998 
999  SCReturn;
1000 }
1001 
1002 #ifdef PROFILING
1003 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1004 {
1005  PACKET_PROFILING_APP_RESET(app_tctx);
1006 }
1007 
1008 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1009 {
1010  PACKET_PROFILING_APP_STORE(app_tctx, p);
1011 }
1012 #endif
1013 
1014 /** \brief HACK to work around our broken unix manager (re)init loop
1015  */
1016 void AppLayerRegisterGlobalCounters(void)
1017 {
1018  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1019  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1020  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1021  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1022  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1023 }
1024 
1025 #define IPPROTOS_MAX 2
1026 void AppLayerSetupCounters()
1027 {
1028  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1029  AppProto alprotos[ALPROTO_MAX];
1030  const char *str = "app_layer.flow.";
1031  const char *estr = "app_layer.error.";
1032 
1033  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1034 
1035  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1036  const uint8_t ipproto = ipprotos[p];
1037  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1038  const uint8_t other_ipproto = ipproto == IPPROTO_TCP ? IPPROTO_UDP : IPPROTO_TCP;
1039  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1040 
1041  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1042  if (alprotos[alproto] == 1) {
1043  const char *tx_str = "app_layer.tx.";
1044  const char *alproto_str = AppLayerGetProtoName(alproto);
1045 
1046  if (AppLayerParserProtoIsRegistered(ipproto, alproto) &&
1047  AppLayerParserProtoIsRegistered(other_ipproto, alproto)) {
1048  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1049  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1050  "%s%s%s", str, alproto_str, ipproto_suffix);
1051  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1052  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1053  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
1054 
1055  if (ipproto == IPPROTO_TCP) {
1056  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1057  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1058  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1059  }
1060  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1061  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1062  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1063  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1064  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1065  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1066  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1067  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1068  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1069  } else {
1070  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1071  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1072  "%s%s", str, alproto_str);
1073  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1074  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1075  "%s%s", tx_str, alproto_str);
1076 
1077  if (ipproto == IPPROTO_TCP) {
1078  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1079  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1080  "%s%s.gap", estr, alproto_str);
1081  }
1082  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1083  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1084  "%s%s.alloc", estr, alproto_str);
1085  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1086  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1087  "%s%s.parser", estr, alproto_str);
1088  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1089  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1090  "%s%s.internal", estr, alproto_str);
1091  }
1092  } else if (alproto == ALPROTO_FAILED) {
1093  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1094  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1095  "%s%s%s", str, "failed", ipproto_suffix);
1096  if (ipproto == IPPROTO_TCP) {
1097  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1098  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1099  "%sfailed%s.gap", estr, ipproto_suffix);
1100  }
1101  }
1102  }
1103  }
1104 }
1105 
1106 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1107 {
1108  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1109  AppProto alprotos[ALPROTO_MAX];
1110  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1111 
1112  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1113  const uint8_t ipproto = ipprotos[p];
1114  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1115 
1116  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1117  if (alprotos[alproto] == 1) {
1118  applayer_counters[ipproto_map][alproto].counter_id =
1119  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1120 
1121  applayer_counters[ipproto_map][alproto].counter_tx_id =
1122  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
1123 
1124  if (ipproto == IPPROTO_TCP) {
1125  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1126  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1127  }
1128  applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter(
1129  applayer_counter_names[ipproto_map][alproto].alloc_error, tv);
1130  applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter(
1131  applayer_counter_names[ipproto_map][alproto].parser_error, tv);
1132  applayer_counters[ipproto_map][alproto].internal_error_id = StatsRegisterCounter(
1133  applayer_counter_names[ipproto_map][alproto].internal_error, tv);
1134  } else if (alproto == ALPROTO_FAILED) {
1135  applayer_counters[ipproto_map][alproto].counter_id =
1136  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1137 
1138  if (ipproto == IPPROTO_TCP) {
1139  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1140  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1141  }
1142  }
1143  }
1144  }
1145 }
1146 
1147 void AppLayerDeSetupCounters()
1148 {
1149  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1150  memset(applayer_counters, 0, sizeof(applayer_counters));
1151 }
1152 
1153 /***** Unittests *****/
1154 
1155 #ifdef UNITTESTS
1156 #include "pkt-var.h"
1157 #include "stream-tcp.h"
1158 #include "stream-tcp-util.h"
1159 #include "stream.h"
1160 #include "util-unittest.h"
1161 
1162 #define TEST_START \
1163  Packet *p = PacketGetFromAlloc(); \
1164  FAIL_IF_NULL(p); \
1165  Flow f; \
1166  ThreadVars tv; \
1167  StreamTcpThread *stt = NULL; \
1168  TCPHdr tcph; \
1169  PacketQueueNoLock pq; \
1170  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1171  memset(p, 0, SIZE_OF_PACKET); \
1172  memset(&f, 0, sizeof(Flow)); \
1173  memset(&tv, 0, sizeof(ThreadVars)); \
1174  memset(&tcph, 0, sizeof(TCPHdr)); \
1175  \
1176  FLOW_INITIALIZE(&f); \
1177  f.flags = FLOW_IPV4; \
1178  f.proto = IPPROTO_TCP; \
1179  p->flow = &f; \
1180  p->tcph = &tcph; \
1181  \
1182  StreamTcpInitConfig(true); \
1183  IPPairInitConfig(true); \
1184  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1185  \
1186  /* handshake */ \
1187  tcph.th_win = htons(5480); \
1188  tcph.th_flags = TH_SYN; \
1189  p->flowflags = FLOW_PKT_TOSERVER; \
1190  p->payload_len = 0; \
1191  p->payload = NULL; \
1192  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1193  TcpSession *ssn = (TcpSession *)f.protoctx; \
1194  \
1195  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1196  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1197  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1198  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1199  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1200  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1201  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1202  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1203  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1204  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1205  FAIL_IF(ssn->data_first_seen_dir != 0); \
1206  \
1207  /* handshake */ \
1208  p->tcph->th_ack = htonl(1); \
1209  p->tcph->th_flags = TH_SYN | TH_ACK; \
1210  p->flowflags = FLOW_PKT_TOCLIENT; \
1211  p->payload_len = 0; \
1212  p->payload = NULL; \
1213  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1214  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1215  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1216  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1217  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1218  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1219  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1220  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1221  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1222  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1223  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1224  FAIL_IF(ssn->data_first_seen_dir != 0); \
1225  \
1226  /* handshake */ \
1227  p->tcph->th_ack = htonl(1); \
1228  p->tcph->th_seq = htonl(1); \
1229  p->tcph->th_flags = TH_ACK; \
1230  p->flowflags = FLOW_PKT_TOSERVER; \
1231  p->payload_len = 0; \
1232  p->payload = NULL; \
1233  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1234  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1235  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1236  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1237  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1238  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1239  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1240  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1241  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1242  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1243  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1244  FAIL_IF(ssn->data_first_seen_dir != 0);
1245 #define TEST_END \
1246  StreamTcpSessionClear(p->flow->protoctx); \
1247  StreamTcpThreadDeinit(&tv, (void *)stt); \
1248  StreamTcpFreeConfig(true); \
1249  PacketFree(p); \
1250  FLOW_DESTROY(&f); \
1251  StatsThreadCleanup(&tv);
1252 
1253 /**
1254  * \test GET -> HTTP/1.1
1255  */
1256 static int AppLayerTest01(void)
1257 {
1258  TEST_START;
1259 
1260  /* full request */
1261  uint8_t request[] = {
1262  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1263  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1264  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1265  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1266  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1267  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1268  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1269  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1270  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1271  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1272  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1273  p->tcph->th_ack = htonl(1);
1274  p->tcph->th_seq = htonl(1);
1275  p->tcph->th_flags = TH_PUSH | TH_ACK;
1276  p->flowflags = FLOW_PKT_TOSERVER;
1277  p->payload_len = sizeof(request);
1278  p->payload = request;
1279  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1280  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1281  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1282  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1283  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1284  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1285  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1286  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1287  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1288  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1289  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1290  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1291 
1292  /* full response - request ack */
1293  uint8_t response[] = {
1294  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1295  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1296  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1297  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1298  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1299  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1300  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1301  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1302  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1303  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1304  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1305  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1306  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1307  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1308  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1309  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1310  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1311  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1312  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1313  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1314  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1315  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1316  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1317  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1318  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1319  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1320  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1321  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1322  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1323  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1324  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1325  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1326  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1327  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1328  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1329  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1330  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1331  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1332  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1333  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1334  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1335  p->tcph->th_ack = htonl(88);
1336  p->tcph->th_seq = htonl(1);
1337  p->tcph->th_flags = TH_PUSH | TH_ACK;
1338  p->flowflags = FLOW_PKT_TOCLIENT;
1339  p->payload_len = sizeof(response);
1340  p->payload = response;
1341  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1342  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1343  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1344  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1345  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1346  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1347  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1348  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1349  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1350  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1351  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1352  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1353 
1354  /* response ack */
1355  p->tcph->th_ack = htonl(328);
1356  p->tcph->th_seq = htonl(88);
1357  p->tcph->th_flags = TH_ACK;
1358  p->flowflags = FLOW_PKT_TOSERVER;
1359  p->payload_len = 0;
1360  p->payload = NULL;
1361  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1362  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1363  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1364  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1365  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1366  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1367  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1368  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1369  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1370  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1371  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1372  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1373 
1374  TEST_END;
1375  PASS;
1376 }
1377 
1378 /**
1379  * \test GE -> T -> HTTP/1.1
1380  */
1381 static int AppLayerTest02(void)
1382 {
1383  TEST_START;
1384 
1385  /* partial request */
1386  uint8_t request1[] = { 0x47, 0x45, };
1387  p->tcph->th_ack = htonl(1);
1388  p->tcph->th_seq = htonl(1);
1389  p->tcph->th_flags = TH_PUSH | TH_ACK;
1390  p->flowflags = FLOW_PKT_TOSERVER;
1391  p->payload_len = sizeof(request1);
1392  p->payload = request1;
1393  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1394  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1395  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1396  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1397  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1398  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1399  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1400  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1401  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1402  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1403  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1404  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1405 
1406  /* response ack against partial request */
1407  p->tcph->th_ack = htonl(3);
1408  p->tcph->th_seq = htonl(1);
1409  p->tcph->th_flags = TH_ACK;
1410  p->flowflags = FLOW_PKT_TOCLIENT;
1411  p->payload_len = 0;
1412  p->payload = NULL;
1413  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1414  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1415  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1416  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1417  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1418  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1419  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1420  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1421  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1422  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1423  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1424  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1425 
1426  /* complete partial request */
1427  uint8_t request2[] = {
1428  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1429  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1430  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1431  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1432  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1433  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1434  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1435  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1436  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1437  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1438  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1439  p->tcph->th_ack = htonl(1);
1440  p->tcph->th_seq = htonl(3);
1441  p->tcph->th_flags = TH_PUSH | TH_ACK;
1442  p->flowflags = FLOW_PKT_TOSERVER;
1443  p->payload_len = sizeof(request2);
1444  p->payload = request2;
1445  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1446  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1447  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1448  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1449  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1450  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1451  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1452  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1453  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1454  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1455  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1456  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1457 
1458  /* response - request ack */
1459  uint8_t response[] = {
1460  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1461  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1462  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1463  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1464  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1465  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1466  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1467  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1468  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1469  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1470  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1471  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1472  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1473  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1474  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1475  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1476  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1477  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1478  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1479  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1480  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1481  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1482  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1483  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1484  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1485  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1486  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1487  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1488  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1489  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1490  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1491  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1492  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1493  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1494  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1495  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1496  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1497  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1498  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1499  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1500  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1501  p->tcph->th_ack = htonl(88);
1502  p->tcph->th_seq = htonl(1);
1503  p->tcph->th_flags = TH_PUSH | TH_ACK;
1504  p->flowflags = FLOW_PKT_TOCLIENT;
1505  p->payload_len = sizeof(response);
1506  p->payload = response;
1507  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1508  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1509  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1510  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1511  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1512  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1513  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1514  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1515  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1516  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1517  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1518  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1519 
1520  /* response ack */
1521  p->tcph->th_ack = htonl(328);
1522  p->tcph->th_seq = htonl(88);
1523  p->tcph->th_flags = TH_ACK;
1524  p->flowflags = FLOW_PKT_TOSERVER;
1525  p->payload_len = 0;
1526  p->payload = NULL;
1527  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1528  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1529  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1530  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1531  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1532  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1533  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1534  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1535  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1536  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1537  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1538  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1539 
1540  TEST_END;
1541  PASS;
1542 }
1543 
1544 /**
1545  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1546  */
1547 static int AppLayerTest03(void)
1548 {
1549  TEST_START;
1550 
1551  /* request */
1552  uint8_t request[] = {
1553  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1554  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1555  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1556  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1557  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1558  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1559  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1560  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1561  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1562  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1563  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1564  p->tcph->th_ack = htonl(1);
1565  p->tcph->th_seq = htonl(1);
1566  p->tcph->th_flags = TH_PUSH | TH_ACK;
1567  p->flowflags = FLOW_PKT_TOSERVER;
1568  p->payload_len = sizeof(request);
1569  p->payload = request;
1570  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1571  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1572  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1573  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1574  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1575  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1576  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1577  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1578  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1579  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1580  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1581  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1582 
1583  /* rubbish response */
1584  uint8_t response[] = {
1585  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1586  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1587  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1588  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1589  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1590  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1591  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1592  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1593  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1594  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1595  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1596  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1597  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1598  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1599  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1600  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1601  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1602  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1603  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1604  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1605  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1606  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1607  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1608  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1609  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1610  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1611  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1612  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1613  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1614  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1615  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1616  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1617  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1618  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1619  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1620  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1621  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1622  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1623  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1624  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1625  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1626  p->tcph->th_ack = htonl(88);
1627  p->tcph->th_seq = htonl(1);
1628  p->tcph->th_flags = TH_PUSH | TH_ACK;
1629  p->flowflags = FLOW_PKT_TOCLIENT;
1630  p->payload_len = sizeof(response);
1631  p->payload = response;
1632  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1633  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1634  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1635  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1636  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1637  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1638  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1639  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1640  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1641  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1642  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1643  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1644 
1645  /* response ack */
1646  p->tcph->th_ack = htonl(328);
1647  p->tcph->th_seq = htonl(88);
1648  p->tcph->th_flags = TH_ACK;
1649  p->flowflags = FLOW_PKT_TOSERVER;
1650  p->payload_len = 0;
1651  p->payload = NULL;
1652  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1653  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1654  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1655  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1656  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1657  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1658  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1659  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1660  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1661  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1662  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1663  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1664 
1665  TEST_END;
1666  PASS;
1667 }
1668 
1669 /**
1670  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1671  */
1672 static int AppLayerTest04(void)
1673 {
1674  TEST_START;
1675 
1676  /* request */
1677  uint8_t request[] = {
1678  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1679  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1680  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1681  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1682  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1683  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1684  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1685  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1686  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1687  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1688  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1689  PrintRawDataFp(stdout, request, sizeof(request));
1690  p->tcph->th_ack = htonl(1);
1691  p->tcph->th_seq = htonl(1);
1692  p->tcph->th_flags = TH_PUSH | TH_ACK;
1693  p->flowflags = FLOW_PKT_TOSERVER;
1694  p->payload_len = sizeof(request);
1695  p->payload = request;
1696  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1697  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1698  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1699  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1700  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1701  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1702  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1703  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1704  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1705  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1706  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1707  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1708 
1709  /* partial response */
1710  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1711  PrintRawDataFp(stdout, response1, sizeof(response1));
1712  p->tcph->th_ack = htonl(88);
1713  p->tcph->th_seq = htonl(1);
1714  p->tcph->th_flags = TH_PUSH | TH_ACK;
1715  p->flowflags = FLOW_PKT_TOCLIENT;
1716  p->payload_len = sizeof(response1);
1717  p->payload = response1;
1718  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1719  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1720  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1721  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1722  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1723  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1724  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1725  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1726  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1727  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1728  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1729  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1730 
1731  /* partial response ack */
1732  p->tcph->th_ack = htonl(5);
1733  p->tcph->th_seq = htonl(88);
1734  p->tcph->th_flags = TH_ACK;
1735  p->flowflags = FLOW_PKT_TOSERVER;
1736  p->payload_len = 0;
1737  p->payload = NULL;
1738  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1739  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1740  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1741  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1742  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1743  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1744  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1745  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1746  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1747  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1748  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1749  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1750 
1751  /* remaining response */
1752  uint8_t response2[] = {
1753  0x2f, 0x31, 0x2e, 0x31,
1754  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1755  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1756  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1757  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1758  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1759  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1760  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1761  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1762  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1763  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1764  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1765  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1766  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1767  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1768  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1769  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1770  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1771  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1772  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1773  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1774  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1775  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1776  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1777  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1778  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1779  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1780  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1781  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1782  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1783  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1784  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1785  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1786  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1787  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1788  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1789  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1790  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1791  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1792  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1793  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1794  PrintRawDataFp(stdout, response2, sizeof(response2));
1795  p->tcph->th_ack = htonl(88);
1796  p->tcph->th_seq = htonl(5);
1797  p->tcph->th_flags = TH_PUSH | TH_ACK;
1798  p->flowflags = FLOW_PKT_TOCLIENT;
1799  p->payload_len = sizeof(response2);
1800  p->payload = response2;
1801  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1802  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1803  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1804  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1805  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1806  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1807  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1808  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1809  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1810  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1811  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1812  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1813 
1814  /* response ack */
1815  p->tcph->th_ack = htonl(328);
1816  p->tcph->th_seq = htonl(88);
1817  p->tcph->th_flags = TH_ACK;
1818  p->flowflags = FLOW_PKT_TOSERVER;
1819  p->payload_len = 0;
1820  p->payload = NULL;
1821  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1822  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1823  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1824  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1825  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1826  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1827  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1828  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1829  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1830  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1831  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1832  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1833 
1834  TEST_END;
1835  PASS;
1836 }
1837 
1838 /**
1839  * \test RUBBISH -> HTTP/1.1
1840  */
1841 static int AppLayerTest05(void)
1842 {
1843  TEST_START;
1844 
1845  /* full request */
1846  uint8_t request[] = {
1847  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1848  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1849  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1850  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1851  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1852  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1853  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1854  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1855  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1856  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1857  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1858  PrintRawDataFp(stdout, request, sizeof(request));
1859  p->tcph->th_ack = htonl(1);
1860  p->tcph->th_seq = htonl(1);
1861  p->tcph->th_flags = TH_PUSH | TH_ACK;
1862  p->flowflags = FLOW_PKT_TOSERVER;
1863  p->payload_len = sizeof(request);
1864  p->payload = request;
1865  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1866  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1867  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1868  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1869  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1870  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1871  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1872  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1873  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1874  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1875  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1876  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1877 
1878  /* full response - request ack */
1879  uint8_t response[] = {
1880  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1881  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1882  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1883  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1884  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1885  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1886  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1887  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1888  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1889  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1890  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1891  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1892  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1893  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1894  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1895  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1896  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1897  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1898  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1899  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1900  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1901  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1902  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1903  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1904  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1905  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1906  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1907  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1908  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1909  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1910  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1911  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1912  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1913  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1914  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1915  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1916  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1917  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1918  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1919  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1920  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1921  PrintRawDataFp(stdout, response, sizeof(response));
1922  p->tcph->th_ack = htonl(88);
1923  p->tcph->th_seq = htonl(1);
1924  p->tcph->th_flags = TH_PUSH | TH_ACK;
1925  p->flowflags = FLOW_PKT_TOCLIENT;
1926  p->payload_len = sizeof(response);
1927  p->payload = response;
1928  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1929  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1930  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1931  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1932  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1933  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1934  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1935  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1936  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1937  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1938  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1939  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1940 
1941  /* response ack */
1942  p->tcph->th_ack = htonl(328);
1943  p->tcph->th_seq = htonl(88);
1944  p->tcph->th_flags = TH_ACK;
1945  p->flowflags = FLOW_PKT_TOSERVER;
1946  p->payload_len = 0;
1947  p->payload = NULL;
1948  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1949  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1950  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1951  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1952  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1953  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1954  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1955  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1956  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1957  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1958  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1959  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1960 
1961  TEST_END;
1962  PASS;
1963 }
1964 
1965 /**
1966  * \test HTTP/1.1 -> GET
1967  */
1968 static int AppLayerTest06(void)
1969 {
1970  TEST_START;
1971 
1972  /* full response - request ack */
1973  uint8_t response[] = {
1974  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1975  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1976  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1977  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1978  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1979  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1980  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1981  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1982  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1983  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1984  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1985  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1986  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1987  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1988  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1989  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1990  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1991  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1992  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1993  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1994  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1995  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1996  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1997  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1998  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1999  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2000  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2001  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2002  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2003  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2004  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2005  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2006  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2007  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2008  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2009  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2010  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2011  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2012  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2013  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2014  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2015  p->tcph->th_ack = htonl(1);
2016  p->tcph->th_seq = htonl(1);
2017  p->tcph->th_flags = TH_PUSH | TH_ACK;
2018  p->flowflags = FLOW_PKT_TOCLIENT;
2019  p->payload_len = sizeof(response);
2020  p->payload = response;
2021  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2022  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2023  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2024  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2025  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2026  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2027  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2028  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2029  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2030  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2031  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2032  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2033 
2034  /* full request - response ack*/
2035  uint8_t request[] = {
2036  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2037  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2038  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2039  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2040  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2041  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2042  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2043  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2044  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2045  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2046  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2047  p->tcph->th_ack = htonl(328);
2048  p->tcph->th_seq = htonl(1);
2049  p->tcph->th_flags = TH_PUSH | TH_ACK;
2050  p->flowflags = FLOW_PKT_TOSERVER;
2051  p->payload_len = sizeof(request);
2052  p->payload = request;
2053  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2054  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2055  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2056  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2057  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2058  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2059  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2060  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2061  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2062  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2063  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2064  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2065 
2066  p->tcph->th_ack = htonl(1 + sizeof(request));
2067  p->tcph->th_seq = htonl(328);
2068  p->tcph->th_flags = TH_PUSH | TH_ACK;
2069  p->flowflags = FLOW_PKT_TOCLIENT;
2070  p->payload_len = 0;
2071  p->payload = NULL;
2072  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2073  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2074  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2075  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2076  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2077  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2078  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2079  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2080  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2081  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2082  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2083  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2084 
2085  TEST_END;
2086  PASS;
2087 }
2088 
2089 /**
2090  * \test GET -> DCERPC
2091  */
2092 static int AppLayerTest07(void)
2093 {
2094  TEST_START;
2095 
2096  /* full request */
2097  uint8_t request[] = {
2098  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2099  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2100  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2101  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2102  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2103  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2104  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2105  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2106  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2107  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2108  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2109  p->tcph->th_ack = htonl(1);
2110  p->tcph->th_seq = htonl(1);
2111  p->tcph->th_flags = TH_PUSH | TH_ACK;
2112  p->flowflags = FLOW_PKT_TOSERVER;
2113  p->payload_len = sizeof(request);
2114  p->payload = request;
2115  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2116  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2117  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2118  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2119  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2120  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2121  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2122  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2123  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2124  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2125  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2126  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2127 
2128  /* full response - request ack */
2129  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2130  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2131  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2132  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2133  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2134  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2135  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2136  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2137  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2138  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2139  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2140  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2141  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2142  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2143  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2144  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2145  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2146  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2147  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2148  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2149  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2150  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2151  p->tcph->th_ack = htonl(88);
2152  p->tcph->th_seq = htonl(1);
2153  p->tcph->th_flags = TH_PUSH | TH_ACK;
2154  p->flowflags = FLOW_PKT_TOCLIENT;
2155  p->payload_len = sizeof(response);
2156  p->payload = response;
2157  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2158  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2159  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2160  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2161  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2162  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2163  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2164  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2165  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2166  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2167  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2168  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2169 
2170  /* response ack */
2171  p->tcph->th_ack = htonl(328);
2172  p->tcph->th_seq = htonl(88);
2173  p->tcph->th_flags = TH_ACK;
2174  p->flowflags = FLOW_PKT_TOSERVER;
2175  p->payload_len = 0;
2176  p->payload = NULL;
2177  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2178  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2179  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2180  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2181  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2182  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2183  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2184  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2185  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2186  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2187  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2188  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2189 
2190  TEST_END;
2191  PASS;
2192 }
2193 
2194 /**
2195  * \test SMB -> HTTP/1.1
2196  */
2197 static int AppLayerTest08(void)
2198 {
2199  TEST_START;
2200 
2201  /* full request */
2202  uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68,
2203  0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48,
2204  0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d,
2205  0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70,
2206  0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2207  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2208  p->tcph->th_ack = htonl(1);
2209  p->tcph->th_seq = htonl(1);
2210  p->tcph->th_flags = TH_PUSH | TH_ACK;
2211  p->flowflags = FLOW_PKT_TOSERVER;
2212  p->payload_len = sizeof(request);
2213  p->payload = request;
2214  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2215  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2216  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2217  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2218  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2219  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2220  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2221  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2222  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2223  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2224  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2225  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2226 
2227  /* full response - request ack */
2228  uint8_t response[] = {
2229  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2230  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2231  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2232  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2233  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2234  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2235  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2236  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2237  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2238  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2239  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2240  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2241  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2242  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2243  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2244  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2245  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2246  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2247  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2248  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2249  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2250  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2251  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2252  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2253  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2254  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2255  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2256  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2257  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2258  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2259  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2260  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2261  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2262  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2263  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2264  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2265  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2266  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2267  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2268  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2269  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2270  p->tcph->th_ack = htonl(88);
2271  p->tcph->th_seq = htonl(1);
2272  p->tcph->th_flags = TH_PUSH | TH_ACK;
2273  p->flowflags = FLOW_PKT_TOCLIENT;
2274  p->payload_len = sizeof(response);
2275  p->payload = response;
2276  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2277  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2278  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2279  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2280  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2281  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2282  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2283  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2284  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2285  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2286  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2287  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2288 
2289  /* response ack */
2290  p->tcph->th_ack = htonl(328);
2291  p->tcph->th_seq = htonl(88);
2292  p->tcph->th_flags = TH_ACK;
2293  p->flowflags = FLOW_PKT_TOSERVER;
2294  p->payload_len = 0;
2295  p->payload = NULL;
2296  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2297  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2298  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2299  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2300  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2301  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2302  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2303  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2304  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2305  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2306  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2307  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2308 
2309  TEST_END;
2310  PASS;
2311 }
2312 
2313 /**
2314  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2315  * RUBBISH(TC - PM and PP DONE) ->
2316  * RUBBISH(TS - PM and PP DONE)
2317  */
2318 static int AppLayerTest09(void)
2319 {
2320  TEST_START;
2321 
2322  /* full request */
2323  uint8_t request1[] = {
2324  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2325  p->tcph->th_ack = htonl(1);
2326  p->tcph->th_seq = htonl(1);
2327  p->tcph->th_flags = TH_PUSH | TH_ACK;
2328  p->flowflags = FLOW_PKT_TOSERVER;
2329  p->payload_len = sizeof(request1);
2330  p->payload = request1;
2331  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2332  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2333  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2334  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2335  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2336  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2337  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2338  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2339  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2340  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2341  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2342  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2343 
2344  /* response - request ack */
2345  p->tcph->th_ack = htonl(9);
2346  p->tcph->th_seq = htonl(1);
2347  p->tcph->th_flags = TH_PUSH | TH_ACK;
2348  p->flowflags = FLOW_PKT_TOCLIENT;
2349  p->payload_len = 0;
2350  p->payload = NULL;
2351  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2352  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2353  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2354  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2355  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2356  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2357  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2358  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2359  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2360  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2361  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2362  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2363 
2364  /* full request */
2365  uint8_t request2[] = {
2366  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2367  p->tcph->th_ack = htonl(1);
2368  p->tcph->th_seq = htonl(9);
2369  p->tcph->th_flags = TH_PUSH | TH_ACK;
2370  p->flowflags = FLOW_PKT_TOSERVER;
2371  p->payload_len = sizeof(request2);
2372  p->payload = request2;
2373  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2374  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2375  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2376  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2377  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2378  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2379  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2380  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2381  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2382  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2383  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2384  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2385 
2386  /* full response - request ack */
2387  uint8_t response[] = {
2388  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2389  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2390  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2391  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2392  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2393  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2394  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2395  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2396  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2397  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2398  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2399  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2400  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2401  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2402  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2403  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2404  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2405  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2406  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2407  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2408  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2409  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2410  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2411  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2412  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2413  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2414  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2415  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2416  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2417  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2418  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2419  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2420  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2421  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2422  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2423  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2424  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2425  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2426  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2427  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2428  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2429  p->tcph->th_ack = htonl(18);
2430  p->tcph->th_seq = htonl(1);
2431  p->tcph->th_flags = TH_PUSH | TH_ACK;
2432  p->flowflags = FLOW_PKT_TOCLIENT;
2433  p->payload_len = sizeof(response);
2434  p->payload = response;
2435  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2436  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2437  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2438  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2439  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2440  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2441  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2442  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2443  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2444  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2445  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2446  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2447 
2448  /* response ack */
2449  p->tcph->th_ack = htonl(328);
2450  p->tcph->th_seq = htonl(18);
2451  p->tcph->th_flags = TH_ACK;
2452  p->flowflags = FLOW_PKT_TOSERVER;
2453  p->payload_len = 0;
2454  p->payload = NULL;
2455  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2456  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2457  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2458  FAIL_IF(f.alproto != ALPROTO_FAILED);
2459  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2460  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2461  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2462  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2463  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2464  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2465  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2466  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2467 
2468  TEST_END;
2469  PASS;
2470 }
2471 
2472 /**
2473  * \test RUBBISH(TC - PM and PP DONE) ->
2474  * RUBBISH(TS - PM and PP DONE)
2475  */
2476 static int AppLayerTest10(void)
2477 {
2478  TEST_START;
2479 
2480  /* full request */
2481  uint8_t request1[] = {
2482  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2483  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2484  p->tcph->th_ack = htonl(1);
2485  p->tcph->th_seq = htonl(1);
2486  p->tcph->th_flags = TH_PUSH | TH_ACK;
2487  p->flowflags = FLOW_PKT_TOSERVER;
2488  p->payload_len = sizeof(request1);
2489  p->payload = request1;
2490  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2491  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2492  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2493  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2494  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2495  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2496  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2497  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2498  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2499  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2500  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2501  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2502 
2503  /* response - request ack */
2504  p->tcph->th_ack = htonl(18);
2505  p->tcph->th_seq = htonl(1);
2506  p->tcph->th_flags = TH_PUSH | TH_ACK;
2507  p->flowflags = FLOW_PKT_TOCLIENT;
2508  p->payload_len = 0;
2509  p->payload = NULL;
2510  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2511  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2512  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2513  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2514  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2515  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2516  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2517  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2518  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2519  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2520  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2521  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2522 
2523  /* full response - request ack */
2524  uint8_t response[] = {
2525  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2526  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2527  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2528  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2529  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2530  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2531  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2532  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2533  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2534  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2535  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2536  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2537  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2538  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2539  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2540  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2541  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2542  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2543  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2544  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2545  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2546  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2547  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2548  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2549  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2550  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2551  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2552  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2553  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2554  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2555  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2556  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2557  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2558  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2559  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2560  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2561  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2562  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2563  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2564  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2565  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2566  p->tcph->th_ack = htonl(18);
2567  p->tcph->th_seq = htonl(1);
2568  p->tcph->th_flags = TH_PUSH | TH_ACK;
2569  p->flowflags = FLOW_PKT_TOCLIENT;
2570  p->payload_len = sizeof(response);
2571  p->payload = response;
2572  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2573  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2574  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2575  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2576  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2577  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2578  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2579  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2580  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2581  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2582  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2583  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2584 
2585  /* response ack */
2586  p->tcph->th_ack = htonl(328);
2587  p->tcph->th_seq = htonl(18);
2588  p->tcph->th_flags = TH_ACK;
2589  p->flowflags = FLOW_PKT_TOSERVER;
2590  p->payload_len = 0;
2591  p->payload = NULL;
2592  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2593  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2594  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2595  FAIL_IF(f.alproto != ALPROTO_FAILED);
2596  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2597  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2598  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2599  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2600  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2601  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2602  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2603  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2604 
2605  TEST_END;
2606  PASS;
2607 }
2608 
2609 /**
2610  * \test RUBBISH(TC - PM and PP DONE) ->
2611  * RUBBISH(TS - PM and PP NOT DONE) ->
2612  * RUBBISH(TS - PM and PP DONE)
2613  */
2614 static int AppLayerTest11(void)
2615 {
2616  TEST_START;
2617 
2618  /* full request */
2619  uint8_t request1[] = {
2620  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2621  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2622  p->tcph->th_ack = htonl(1);
2623  p->tcph->th_seq = htonl(1);
2624  p->tcph->th_flags = TH_PUSH | TH_ACK;
2625  p->flowflags = FLOW_PKT_TOSERVER;
2626  p->payload_len = sizeof(request1);
2627  p->payload = request1;
2628  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2629  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2630  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2631  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2632  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2633  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2634  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2635  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2636  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2637  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2638  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2639  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2640 
2641  /* response - request ack */
2642  p->tcph->th_ack = htonl(18);
2643  p->tcph->th_seq = htonl(1);
2644  p->tcph->th_flags = TH_PUSH | TH_ACK;
2645  p->flowflags = FLOW_PKT_TOCLIENT;
2646  p->payload_len = 0;
2647  p->payload = NULL;
2648  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2649  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2650  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2651  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2652  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2653  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2654  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2655  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2656  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2657  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2658  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2659  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2660 
2661  /* full response - request ack */
2662  uint8_t response1[] = {
2663  0x55, 0x74, 0x54, 0x50, };
2664  p->tcph->th_ack = htonl(18);
2665  p->tcph->th_seq = htonl(1);
2666  p->tcph->th_flags = TH_PUSH | TH_ACK;
2667  p->flowflags = FLOW_PKT_TOCLIENT;
2668  p->payload_len = sizeof(response1);
2669  p->payload = response1;
2670  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2671  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2672  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2673  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2674  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2675  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2676  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2677  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2678  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2679  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2680  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2681  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2682 
2683  /* response ack from request */
2684  p->tcph->th_ack = htonl(5);
2685  p->tcph->th_seq = htonl(18);
2686  p->tcph->th_flags = TH_ACK;
2687  p->flowflags = FLOW_PKT_TOSERVER;
2688  p->payload_len = 0;
2689  p->payload = NULL;
2690  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2691  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2692  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2693  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2694  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2695  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2696  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2697  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2698  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2699  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2700  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2701  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2702 
2703  uint8_t response2[] = {
2704  0x2f, 0x31, 0x2e, 0x31,
2705  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2706  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2707  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2708  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2709  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2710  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2711  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2712  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2713  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2714  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2715  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2716  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2717  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2718  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2719  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2720  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2721  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2722  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2723  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2724  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2725  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2726  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2727  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2728  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2729  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2730  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2731  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2732  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2733  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2734  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2735  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2736  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2737  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2738  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2739  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2740  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2741  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2742  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2743  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2744  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2745  p->tcph->th_ack = htonl(18);
2746  p->tcph->th_seq = htonl(5);
2747  p->tcph->th_flags = TH_PUSH | TH_ACK;
2748  p->flowflags = FLOW_PKT_TOCLIENT;
2749  p->payload_len = sizeof(response2);
2750  p->payload = response2;
2751  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2752  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2753  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2754  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2755  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2756  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2757  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2758  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2759  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2760  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2761  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2762  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2763 
2764  /* response ack from request */
2765  p->tcph->th_ack = htonl(328);
2766  p->tcph->th_seq = htonl(18);
2767  p->tcph->th_flags = TH_ACK;
2768  p->flowflags = FLOW_PKT_TOSERVER;
2769  p->payload_len = 0;
2770  p->payload = NULL;
2771  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2772  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2773  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2774  FAIL_IF(f.alproto != ALPROTO_FAILED);
2775  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2776  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2777  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2778  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2779  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2780  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2781  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2782  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2783 
2784  TEST_END;
2785  PASS;
2786 }
2787 
2788 void AppLayerUnittestsRegister(void)
2789 {
2790  SCEnter();
2791 
2792  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2793  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2794  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2795  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2796  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2797  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2798  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2799  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2800  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2801  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2802  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2803 
2804  SCReturn;
2805 }
2806 
2807 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:92
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:38
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:87
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:284
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:202
Packet_::proto
uint8_t proto
Definition: decode.h:449
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:289
TcpStream_
Definition: stream-tcp-private.h:94
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:89
AppLayerCounters_
Definition: app-layer.c:86
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:142
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1843
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:141
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:88
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:98
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:588
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:994
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1008
Flow_::proto
uint8_t proto
Definition: flow.h:375
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:567
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6368
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:462
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:60
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:353
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:131
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:91
Flow_::protomap
uint8_t protomap
Definition: flow.h:455
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:66
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1152
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:236
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1106
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:466
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:190
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1003
AppLayerCounterNames_
Definition: app-layer.c:77
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1537
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5959
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2788
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:917
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1026
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:67
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:111
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:75
Flow_::protoctx
void * protoctx
Definition: flow.h:451
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:79
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:139
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:568
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:594
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:903
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:90
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:952
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1208
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:76
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:275
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:485
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1636
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:937
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1225
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:174
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:632
AppLayerParserState_
Definition: app-layer-parser.c:155
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:276
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1016
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:65
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:482
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:964
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4852
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:1025
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1990
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TEST_START
#define TEST_START
Definition: app-layer.c:1162
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:103
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:268
SCReturn
#define SCReturn
Definition: util-debug.h:302
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:283
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:427
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:786
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:105
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:612
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:64
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:147
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:196
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:469
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:361
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:285
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:547
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1873
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:102
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:155
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1209
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1498
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:261
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2218
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1546
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2079
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2176
str
#define str(s)
Definition: suricata-common.h:272
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:398
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:461
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6374
Flow_::alstate
void * alstate
Definition: flow.h:486
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:986
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:431
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:910
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:123
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:250
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:188
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1245
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2133
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:96
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:212
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:462
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:74
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1649
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:936
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:83
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1147
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2201
app-layer.h