suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-frames.h"
36 #include "stream-tcp-reassemble.h"
37 #include "stream-tcp-private.h"
38 #include "stream-tcp-inline.h"
39 #include "stream-tcp.h"
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-private.h"
43 #include "ippair.h"
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 #include "app-layer-htp-mem.h"
50 #include "util-exception-policy.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
56 struct AppLayerThreadCtx_ {
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
58  AppLayerProtoDetectThreadCtx *alpd_tctx;
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
60  AppLayerParserThreadCtx *alp_tctx;
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
66  AppProto alproto;
67  uint64_t proto_detect_ticks_start;
68  uint64_t proto_detect_ticks_end;
69  uint64_t proto_detect_ticks_spent;
70 #endif
71 };
72 
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74 
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
77  char name[MAX_COUNTER_SIZE];
78  char tx_name[MAX_COUNTER_SIZE];
79  char gap_error[MAX_COUNTER_SIZE];
80  char parser_error[MAX_COUNTER_SIZE];
81  char internal_error[MAX_COUNTER_SIZE];
82  char alloc_error[MAX_COUNTER_SIZE];
83 } AppLayerCounterNames;
84 
85 typedef struct AppLayerCounters_ {
86  uint16_t counter_id;
87  uint16_t counter_tx_id;
88  uint16_t gap_error_id;
89  uint16_t parser_error_id;
90  uint16_t internal_error_id;
91  uint16_t alloc_error_id;
92 } AppLayerCounters;
93 
94 /* counter names. Only used at init. */
95 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
96 /* counter id's. Used that runtime. */
97 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
98 
99 void AppLayerSetupCounters(void);
100 void AppLayerDeSetupCounters(void);
101 
102 /***** L7 layer dispatchers *****/
103 
104 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
105  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
106  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
107  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
108 }
109 
110 /**
111  * \note id can be 0 if protocol parser is disabled but detection
112  * is enabled.
113  */
114 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
115 {
116  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
117  if (likely(tv && id > 0)) {
118  StatsIncr(tv, id);
119  }
120 }
121 
122 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
123 {
124  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
125  if (likely(tv && id > 0)) {
126  StatsAddUI64(tv, id, step);
127  }
128 }
129 
130 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
131 {
132  const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id;
133  if (likely(tv && id > 0)) {
134  StatsIncr(tv, id);
135  }
136 }
137 
138 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
139 {
140  const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id;
141  if (likely(tv && id > 0)) {
142  StatsIncr(tv, id);
143  }
144 }
145 
146 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
147 {
148  const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id;
149  if (likely(tv && id > 0)) {
150  StatsIncr(tv, id);
151  }
152 }
153 
154 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
155 {
156  const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id;
157  if (likely(tv && id > 0)) {
158  StatsIncr(tv, id);
159  }
160 }
161 
162 /* in IDS mode protocol detection is done in reverse order:
163  * when TCP data is ack'd. We want to flag the correct packet,
164  * so in this case we set a flag in the flow so that the first
165  * packet in the correct direction can be tagged.
166  *
167  * For IPS we update packet and flow. */
168 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
169 {
170  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
171  if (flags & STREAM_TOSERVER) {
172  if (p->flowflags & FLOW_PKT_TOSERVER) {
173  p->flags |= PKT_PROTO_DETECT_TS_DONE;
174  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
175  } else {
176  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
177  }
178  } else {
179  if (p->flowflags & FLOW_PKT_TOCLIENT) {
180  p->flags |= PKT_PROTO_DETECT_TC_DONE;
181  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
182  } else {
183  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
184  }
185  }
186  } else {
187  if (flags & STREAM_TOSERVER) {
188  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
189  } else {
190  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
191  }
192  }
193 }
194 
195 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
196 {
197  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
198  f, f->alproto, f->alproto_ts, f->alproto_tc);
199  FlowCleanupAppLayer(f);
200  StreamTcpDisableAppLayer(f);
201  TcpSession *ssn = f->protoctx;
202  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
203  f->alproto = ALPROTO_FAILED;
204  AppLayerIncFlowCounter(tv, f);
205 
206  if (f->alproto_tc != ALPROTO_FAILED) {
207  if (f->alproto_tc == ALPROTO_UNKNOWN) {
208  f->alproto_tc = ALPROTO_FAILED;
209  }
210  FlagPacketFlow(p, f, STREAM_TOCLIENT);
211  }
212  if (f->alproto_ts != ALPROTO_FAILED) {
213  if (f->alproto_ts == ALPROTO_UNKNOWN) {
214  f->alproto_ts = ALPROTO_FAILED;
215  }
216  FlagPacketFlow(p, f, STREAM_TOSERVER);
217  }
218  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
219  f, f->alproto, f->alproto_ts, f->alproto_tc);
220 }
221 
222 /* See if we're going to have to give up:
223  *
224  * If we're getting a lot of data in one direction and the
225  * proto for this direction is unknown, proto detect will
226  * hold up segments in the segment list in the stream.
227  * They are held so that if we detect the protocol on the
228  * opposing stream, we can still parse this side of the stream
229  * as well. However, some sessions are very unbalanced. FTP
230  * data channels, large PUT/POST request and many others, can
231  * lead to cases where we would have to store many megabytes
232  * worth of segments before we see the opposing stream. This
233  * leads to risks of resource starvation.
234  *
235  * Here a cutoff point is enforced. If we've stored 100k in
236  * one direction and we've seen no data in the other direction,
237  * we give up.
238  *
239  * Giving up means we disable applayer an set an applayer event
240  */
241 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
242  Flow *f, TcpSession *ssn, Packet *p)
243 {
244  if (ssn->state < TCP_ESTABLISHED) {
245  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
246  return;
247  }
248 
249  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
250  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
251  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
252 
253  /* at least 100000 whatever the conditions
254  * and can be more if window is bigger and if configuration allows it */
255  const uint32_t size_tc_limit =
256  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
257  const uint32_t size_ts_limit =
258  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
259 
260  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
261  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
262  {
263  goto failure;
264 
265  /* we bail out whatever the pp and pm states if
266  * we received too much data */
267  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
268  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
269  goto failure;
270 
271  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
272  size_ts > size_ts_limit && size_tc == 0) {
273  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
274  APPLAYER_PROTO_DETECTION_SKIPPED);
275  goto failure;
276 
277  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
278  size_tc > size_tc_limit && size_ts == 0) {
279  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
280  APPLAYER_PROTO_DETECTION_SKIPPED);
281  goto failure;
282 
283  /* little data in ts direction, pp done, pm not done (max
284  * depth not reached), ts direction done, lots of data in
285  * tc direction. */
286  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
287  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
288  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
289  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
290  APPLAYER_PROTO_DETECTION_SKIPPED);
291  goto failure;
292 
293  /* little data in tc direction, pp done, pm not done (max
294  * depth not reached), tc direction done, lots of data in
295  * ts direction. */
296  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
297  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
298  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
299  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
300  APPLAYER_PROTO_DETECTION_SKIPPED);
301  goto failure;
302  }
303  return;
304 
305 failure:
306  DisableAppLayer(tv, f, p);
307  return;
308 }
309 
310 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
311  Packet *p, TcpSession *ssn, const TcpStream *stream)
312 {
313  TcpStream *opposing_stream = NULL;
314  if (stream == &ssn->client) {
315  opposing_stream = &ssn->server;
316  } else {
317  opposing_stream = &ssn->client;
318  }
319 
320  /* if the opposing side is not going to work, then
321  * we just have to give up. */
322  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
323  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
324  return -1;
325  }
326 
327  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
328  UPDATE_DIR_OPPOSING :
329  UPDATE_DIR_PACKET;
330  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
331  opposing_stream, p, dir);
332  return ret;
333 }
334 
335 extern enum ExceptionPolicy g_applayerparser_error_policy;
336 
337 /** \todo data const
338  * \retval int -1 error
339  * \retval int 0 ok
340  */
341 static int TCPProtoDetect(ThreadVars *tv,
342  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
343  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
344  uint8_t *data, uint32_t data_len, uint8_t flags)
345 {
346  AppProto *alproto;
347  AppProto *alproto_otherdir;
348  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
349 
350  if (flags & STREAM_TOSERVER) {
351  alproto = &f->alproto_ts;
352  alproto_otherdir = &f->alproto_tc;
353  } else {
354  alproto = &f->alproto_tc;
355  alproto_otherdir = &f->alproto_ts;
356  }
357 
358  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
359 #ifdef PRINT
360  if (data_len > 0) {
361  printf("=> Init Stream Data (app layer) -- start %s%s\n",
362  flags & STREAM_TOCLIENT ? "toclient" : "",
363  flags & STREAM_TOSERVER ? "toserver" : "");
364  PrintRawDataFp(stdout, data, data_len);
365  printf("=> Init Stream Data -- end\n");
366  }
367 #endif
368 
369  bool reverse_flow = false;
370  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
371  PACKET_PROFILING_APP_PD_START(app_tctx);
372  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
373  f, data, data_len,
374  IPPROTO_TCP, flags, &reverse_flow);
375  PACKET_PROFILING_APP_PD_END(app_tctx);
376  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
377 
378  if (*alproto != ALPROTO_UNKNOWN) {
379  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
380  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
381  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
382 
383  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
384  /* if we already invoked the parser, we go with that proto */
385  f->alproto = *alproto_otherdir;
386  } else {
387  /* no data sent to parser yet, we can still choose
388  * we're trusting the server more. */
389  if (flags & STREAM_TOCLIENT)
390  f->alproto = *alproto;
391  else
392  f->alproto = *alproto_otherdir;
393  }
394  } else {
395  f->alproto = *alproto;
396  }
397 
398  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
399  TcpSessionSetReassemblyDepth(ssn,
400  AppLayerParserGetStreamDepth(f));
401  FlagPacketFlow(p, f, flags);
402 
403  /* if protocol detection indicated that we need to reverse
404  * the direction of the flow, do it now. We flip the flow,
405  * packet and the direction flags */
406  if (reverse_flow &&
407  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
408  STREAMTCP_FLAG_MIDSTREAM)) {
409  /* but only if we didn't already detect it on the other side. */
410  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
411  SCLogDebug("reversing flow after proto detect told us so");
412  PacketSwap(p);
413  FlowSwap(f);
414  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
415  if (*stream == &ssn->client) {
416  *stream = &ssn->server;
417  } else {
418  *stream = &ssn->client;
419  }
420  direction = 1 - direction;
421  } else {
422  // TODO event, error?
423  }
424  }
425 
426  /* account flow if we have both sides */
427  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
428  AppLayerIncFlowCounter(tv, f);
429  }
430 
431  /* if we have seen data from the other direction first, send
432  * data for that direction first to the parser. This shouldn't
433  * be an issue, since each stream processing happens
434  * independently of the other stream direction. At this point of
435  * call, you need to know that this function's already being
436  * called by the very same StreamReassembly() function that we
437  * will now call shortly for the opposing direction. */
438  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
439  !(flags & ssn->data_first_seen_dir))
440  {
441  SCLogDebug("protocol %s needs first data in other direction",
442  AppProtoToString(*alproto));
443 
444  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
445  p, ssn, *stream) != 0)
446  {
447  goto detect_error;
448  }
449  if (FlowChangeProto(f)) {
450  /* We have the first data which requested a protocol change from P1 to P2
451  * even if it was not recognized at first as being P1
452  * As the second data was recognized as P1, the protocol did not change !
453  */
454  FlowUnsetChangeProtoFlag(f);
455  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
456  APPLAYER_UNEXPECTED_PROTOCOL);
457  }
458  }
459 
460  /* if the parser operates such that it needs to see data from
461  * a particular direction first, we check if we have seen
462  * data from that direction first for the flow. IF it is not
463  * the same, we set an event and exit.
464  *
465  * \todo We need to figure out a more robust solution for this,
466  * as this can lead to easy evasion tactics, where the
467  * attackeer can first send some dummy data in the wrong
468  * direction first to mislead our proto detection process.
469  * While doing this we need to update the parsers as well,
470  * since the parsers must be robust to see such wrong
471  * direction data.
472  * Either ways the moment we see the
473  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
474  * flow, it shows something's fishy.
475  */
476  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
477  uint8_t first_data_dir;
478  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
479 
480  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
481  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
482  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
483  goto detect_error;
484  }
485  /* This can happen if the current direction is not the
486  * right direction, and the data from the other(also
487  * the right direction) direction is available to be sent
488  * to the app layer, but it is not ack'ed yet and hence
489  * the forced call to STreamTcpAppLayerReassemble still
490  * hasn't managed to send data from the other direction
491  * to the app layer. */
492  if (first_data_dir && !(first_data_dir & flags)) {
493  FlowCleanupAppLayer(f);
494  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
495  FLOW_RESET_PP_DONE(f, flags);
496  FLOW_RESET_PM_DONE(f, flags);
497  FLOW_RESET_PE_DONE(f, flags);
498  SCReturnInt(-1);
499  }
500  }
501 
502  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
503  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
504 
505  /* finally, invoke the parser */
506  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
507  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
508  flags, data, data_len);
509  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
510  if (r != 1) {
511  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
512  }
513  if (r < 0) {
514  goto parser_error;
515  }
516  } else {
517  /* if the ssn is midstream, we may end up with a case where the
518  * start of an HTTP request is missing. We won't detect HTTP based
519  * on the request. However, the reply is fine, so we detect
520  * HTTP anyway. This leads to passing the incomplete request to
521  * the htp parser.
522  *
523  * This has been observed, where the http parser then saw many
524  * bogus requests in the incomplete data.
525  *
526  * To counter this case, a midstream session MUST find it's
527  * protocol in the toserver direction. If not, we assume the
528  * start of the request/toserver is incomplete and no reliable
529  * detection and parsing is possible. So we give up.
530  */
531  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
532  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
533  {
534  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
535  SCLogDebug("midstream end pd %p", ssn);
536  /* midstream and toserver detection failed: give up */
537  DisableAppLayer(tv, f, p);
538  SCReturnInt(0);
539  }
540  }
541 
542  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
543  uint8_t first_data_dir;
544  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
545 
546  /* this would handle this test case -
547  * http parser which says it wants to see toserver data first only.
548  * tcp handshake
549  * toclient data first received. - RUBBISH DATA which
550  * we don't detect as http
551  * toserver data next sent - we detect this as http.
552  * at this stage we see that toclient is the first data seen
553  * for this session and we try and redetect the app protocol,
554  * but we are unable to detect the app protocol like before.
555  * But since we have managed to detect the protocol for the
556  * other direction as http, we try to use that. At this
557  * stage we check if the direction of this stream matches
558  * to that acceptable by the app parser. If it is not the
559  * acceptable direction we error out.
560  */
561  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
562  (first_data_dir) && !(first_data_dir & flags))
563  {
564  goto detect_error;
565  }
566 
567  /* if protocol detection is marked done for our direction we
568  * pass our data on. We're only succeeded in finding one
569  * direction: the opposing stream
570  *
571  * If PD was not yet complete, we don't do anything.
572  */
573  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
574  if (data_len > 0)
575  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
576 
577  if (*alproto_otherdir != ALPROTO_FAILED) {
578  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
579  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
580  f->alproto, flags,
581  data, data_len);
582  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
583  if (r != 1) {
584  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
585  }
586 
587  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
588  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
589  TcpSessionSetReassemblyDepth(ssn,
590  AppLayerParserGetStreamDepth(f));
591 
592  *alproto = *alproto_otherdir;
593  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
594  p->pcap_cnt, *alproto, *alproto_otherdir, r);
595  if (r < 0) {
596  goto parser_error;
597  }
598  }
599  *alproto = ALPROTO_FAILED;
600  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
601  AppLayerIncFlowCounter(tv, f);
602  FlagPacketFlow(p, f, flags);
603 
604  }
605  } else {
606  /* both sides unknown, let's see if we need to give up */
607  if (FlowChangeProto(f)) {
608  /* TCPProtoDetectCheckBailConditions does not work well because
609  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
610  * so, we set a lower limit to the data we inspect
611  * We could instead have set ssn->server.sb.stream_offset = 0;
612  */
613  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
614  DisableAppLayer(tv, f, p);
615  }
616  } else {
617  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
618  }
619  }
620  }
621  SCReturnInt(0);
622 parser_error:
623  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
624  SCReturnInt(-1);
625 detect_error:
626  DisableAppLayer(tv, f, p);
627  SCReturnInt(-2);
628 }
629 
630 /** \brief handle TCP data for the app-layer.
631  *
632  * First run protocol detection and then when the protocol is known invoke
633  * the app layer parser.
634  *
635  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
636  * reversed.
637  */
638 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
639  Packet *p, Flow *f,
640  TcpSession *ssn, TcpStream **stream,
641  uint8_t *data, uint32_t data_len,
642  uint8_t flags)
643 {
644  SCEnter();
645 
646  DEBUG_ASSERT_FLOW_LOCKED(f);
647  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
648 
649  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
650  AppProto alproto;
651  int r = 0;
652 
653  SCLogDebug("data_len %u flags %02X", data_len, flags);
654  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
655  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
656  goto end;
657  }
658 
659  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
660 
661  if (flags & STREAM_TOSERVER) {
662  alproto = f->alproto_ts;
663  } else {
664  alproto = f->alproto_tc;
665  }
666 
667  /* If a gap notification, relay the notification on to the
668  * app-layer if known. */
669  if (flags & STREAM_GAP) {
670  if (alproto == ALPROTO_UNKNOWN) {
671  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
672  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
673  /* if the other side didn't already find the proto, we're done */
674  if (f->alproto == ALPROTO_UNKNOWN) {
675  goto failure;
676  }
677  }
678  if (FlowChangeProto(f)) {
679  FlowUnsetChangeProtoFlag(f);
680  SCLogDebug("Cannot handle gap while changing protocol");
681  goto failure;
682  }
683  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
684  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
685  flags, data, data_len);
686  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
687  /* ignore parser result for gap */
688  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
689  if (r < 0) {
690  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
691  SCReturnInt(-1);
692  }
693  goto end;
694  }
695 
696  /* if we don't know the proto yet and we have received a stream
697  * initializer message, we run proto detection.
698  * We receive 2 stream init msgs (one for each direction), we
699  * only run the proto detection for both and emit an event
700  * in the case protocols mismatch. */
701  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
702  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
703  /* run protocol detection */
704  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
705  data, data_len, flags) != 0) {
706  goto failure;
707  }
708  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
709  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
710  void *alstate_orig = f->alstate;
711  AppLayerParserState *alparser = f->alparser;
712  // we delay AppLayerParserStateCleanup because we may need previous parser state
713  AppLayerProtoDetectReset(f);
714  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
715  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
716  /* rerun protocol detection */
717  int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
718  if (f->alproto == ALPROTO_UNKNOWN) {
719  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
720  // not enough data, revert AppLayerProtoDetectReset to rerun detection
721  f->alparser = alparser;
722  f->alproto = f->alproto_orig;
723  f->alproto_tc = f->alproto_orig;
724  f->alproto_ts = f->alproto_orig;
725  } else {
726  FlowUnsetChangeProtoFlag(f);
727  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
728  if (alstate_orig == f->alstate) {
729  // we just freed it
730  f->alstate = NULL;
731  }
732  }
733  if (rd != 0) {
734  SCLogDebug("proto detect failure");
735  goto failure;
736  }
737  SCLogDebug("protocol change, old %s, new %s",
738  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
739 
740  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
741  f->alproto != f->alproto_expect) {
742  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
743  APPLAYER_UNEXPECTED_PROTOCOL);
744 
745  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
746  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
747  APPLAYER_NO_TLS_AFTER_STARTTLS);
748 
749  }
750  }
751  } else {
752  SCLogDebug("stream data (len %" PRIu32 " alproto "
753  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
754 #ifdef PRINT
755  if (data_len > 0) {
756  printf("=> Stream Data (app layer) -- start %s%s\n",
757  flags & STREAM_TOCLIENT ? "toclient" : "",
758  flags & STREAM_TOSERVER ? "toserver" : "");
759  PrintRawDataFp(stdout, data, data_len);
760  printf("=> Stream Data -- end\n");
761  }
762 #endif
763  /* if we don't have a data object here we are not getting it
764  * a start msg should have gotten us one */
765  if (f->alproto != ALPROTO_UNKNOWN) {
766  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
767  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
768  flags, data, data_len);
769  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
770  if (r != 1) {
771  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
772  if (r < 0) {
773  ExceptionPolicyApply(
774  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
775  SCReturnInt(-1);
776  }
777  }
778  }
779  }
780 
781  goto end;
782  failure:
783  r = -1;
784  end:
785  SCReturnInt(r);
786 }
787 
788 /**
789  * \brief Handle a app layer UDP message
790  *
791  * If the protocol is yet unknown, the proto detection code is run first.
792  *
793  * \param dp_ctx Thread app layer detect context
794  * \param f *locked* flow
795  * \param p UDP packet
796  *
797  * \retval 0 ok
798  * \retval -1 error
799  */
800 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
801 {
802  SCEnter();
803  AppProto *alproto;
804  AppProto *alproto_otherdir;
805 
806  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
807  SCReturnInt(0);
808  }
809 
810  int r = 0;
811  uint8_t flags = 0;
812  if (p->flowflags & FLOW_PKT_TOSERVER) {
813  flags |= STREAM_TOSERVER;
814  alproto = &f->alproto_ts;
815  alproto_otherdir = &f->alproto_tc;
816  } else {
817  flags |= STREAM_TOCLIENT;
818  alproto = &f->alproto_tc;
819  alproto_otherdir = &f->alproto_ts;
820  }
821 
822  AppLayerProfilingReset(tctx);
823 
824  /* if the protocol is still unknown, run detection */
825  if (*alproto == ALPROTO_UNKNOWN) {
826  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
827  p->payload_len);
828 
829  bool reverse_flow = false;
830  PACKET_PROFILING_APP_PD_START(tctx);
831  *alproto = AppLayerProtoDetectGetProto(
832  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
833  PACKET_PROFILING_APP_PD_END(tctx);
834 
835  switch (*alproto) {
836  case ALPROTO_UNKNOWN:
837  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
838  // Use recognized side
839  f->alproto = *alproto_otherdir;
840  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
841  *alproto = *alproto_otherdir;
842  if (*alproto_otherdir == ALPROTO_FAILED) {
843  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
844  }
845  } else {
846  // First side of protocol is unknown
847  *alproto = ALPROTO_FAILED;
848  }
849  break;
850  case ALPROTO_FAILED:
851  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
852  // Use recognized side
853  f->alproto = *alproto_otherdir;
854  if (*alproto_otherdir == ALPROTO_FAILED) {
855  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
856  }
857  }
858  // else wait for second side of protocol
859  break;
860  default:
861  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
862  if (*alproto_otherdir != *alproto) {
863  AppLayerDecoderEventsSetEventRaw(
864  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
865  // data already sent to parser, we cannot change the protocol to use the one
866  // of the server
867  }
868  } else {
869  f->alproto = *alproto;
870  }
871  }
872  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
873  if (f->alproto == ALPROTO_UNKNOWN) {
874  // so as to increase stat about .app_layer.flow.failed_udp
875  f->alproto = ALPROTO_FAILED;
876  }
877  // If the other side is unknown, this is the first packet of the flow
878  AppLayerIncFlowCounter(tv, f);
879  }
880 
881  // parse the data if we recognized one protocol
882  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
883  if (reverse_flow) {
884  SCLogDebug("reversing flow after proto detect told us so");
885  PacketSwap(p);
886  FlowSwap(f);
887  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
888  }
889 
890  PACKET_PROFILING_APP_START(tctx, f->alproto);
891  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
892  flags, p->payload, p->payload_len);
893  PACKET_PROFILING_APP_END(tctx, f->alproto);
894  }
895  PACKET_PROFILING_APP_STORE(tctx, p);
896  /* we do only inspection in one direction, so flag both
897  * sides as done here */
898  FlagPacketFlow(p, f, STREAM_TOSERVER);
899  FlagPacketFlow(p, f, STREAM_TOCLIENT);
900  } else {
901  SCLogDebug("data (len %" PRIu32 " ), alproto "
902  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
903 
904  /* run the parser */
905  PACKET_PROFILING_APP_START(tctx, f->alproto);
906  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
907  flags, p->payload, p->payload_len);
908  PACKET_PROFILING_APP_END(tctx, f->alproto);
909  PACKET_PROFILING_APP_STORE(tctx, p);
910  }
911  if (r < 0) {
912  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
913  SCReturnInt(-1);
914  }
915 
916  SCReturnInt(r);
917 }
918 
919 /***** Utility *****/
920 
921 AppProto AppLayerGetProtoByName(char *alproto_name)
922 {
923  SCEnter();
924  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
925  SCReturnCT(r, "AppProto");
926 }
927 
928 const char *AppLayerGetProtoName(AppProto alproto)
929 {
930  SCEnter();
931  const char * r = AppLayerProtoDetectGetProtoName(alproto);
932  SCReturnCT(r, "char *");
933 }
934 
935 void AppLayerListSupportedProtocols(void)
936 {
937  SCEnter();
938 
939  AppProto alproto;
940  AppProto alprotos[ALPROTO_MAX];
941 
942  AppLayerProtoDetectSupportedAppProtocols(alprotos);
943 
944  printf("=========Supported App Layer Protocols=========\n");
945  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
946  if (alprotos[alproto] == 1)
947  printf("%s\n", AppLayerGetProtoName(alproto));
948  }
949 
950  SCReturn;
951 }
952 
953 /***** Setup/General Registration *****/
954 
955 int AppLayerSetup(void)
956 {
957  SCEnter();
958 
959  AppLayerProtoDetectSetup();
960  AppLayerParserSetup();
961 
962  AppLayerParserRegisterProtocolParsers();
963  AppLayerProtoDetectPrepareState();
964 
965  AppLayerSetupCounters();
966 
967  SCReturnInt(0);
968 }
969 
970 int AppLayerDeSetup(void)
971 {
972  SCEnter();
973 
974  AppLayerProtoDetectDeSetup();
975  AppLayerParserDeSetup();
976 
977  AppLayerDeSetupCounters();
978 
979  SCReturnInt(0);
980 }
981 
982 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
983 {
984  SCEnter();
985 
986  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
987  if (app_tctx == NULL)
988  goto error;
989  memset(app_tctx, 0, sizeof(*app_tctx));
990 
991  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
992  goto error;
993  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
994  goto error;
995 
996  goto done;
997  error:
998  AppLayerDestroyCtxThread(app_tctx);
999  app_tctx = NULL;
1000  done:
1001  SCReturnPtr(app_tctx, "void *");
1002 }
1003 
1004 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1005 {
1006  SCEnter();
1007 
1008  if (app_tctx == NULL)
1009  SCReturn;
1010 
1011  if (app_tctx->alpd_tctx != NULL)
1012  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1013  if (app_tctx->alp_tctx != NULL)
1014  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1015  SCFree(app_tctx);
1016 
1017  SCReturn;
1018 }
1019 
1020 #ifdef PROFILING
1021 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1022 {
1023  PACKET_PROFILING_APP_RESET(app_tctx);
1024 }
1025 
1026 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1027 {
1028  PACKET_PROFILING_APP_STORE(app_tctx, p);
1029 }
1030 #endif
1031 
1032 /** \brief HACK to work around our broken unix manager (re)init loop
1033  */
1034 void AppLayerRegisterGlobalCounters(void)
1035 {
1036  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1037  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1038  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1039  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1040  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1041 }
1042 
1043 #define IPPROTOS_MAX 2
1044 void AppLayerSetupCounters()
1045 {
1046  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1047  AppProto alprotos[ALPROTO_MAX];
1048  const char *str = "app_layer.flow.";
1049  const char *estr = "app_layer.error.";
1050 
1051  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1052 
1053  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1054  const uint8_t ipproto = ipprotos[p];
1055  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1056  const uint8_t other_ipproto = ipproto == IPPROTO_TCP ? IPPROTO_UDP : IPPROTO_TCP;
1057  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1058 
1059  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1060  if (alprotos[alproto] == 1) {
1061  const char *tx_str = "app_layer.tx.";
1062  const char *alproto_str = AppLayerGetProtoName(alproto);
1063 
1064  if (AppLayerParserProtoIsRegistered(ipproto, alproto) &&
1065  AppLayerParserProtoIsRegistered(other_ipproto, alproto)) {
1066  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1067  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1068  "%s%s%s", str, alproto_str, ipproto_suffix);
1069  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1070  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1071  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
1072 
1073  if (ipproto == IPPROTO_TCP) {
1074  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1075  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1076  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1077  }
1078  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1079  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1080  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1081  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1082  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1083  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1084  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1085  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1086  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1087  } else {
1088  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1089  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1090  "%s%s", str, alproto_str);
1091  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1092  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1093  "%s%s", tx_str, alproto_str);
1094 
1095  if (ipproto == IPPROTO_TCP) {
1096  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1097  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1098  "%s%s.gap", estr, alproto_str);
1099  }
1100  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1101  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1102  "%s%s.alloc", estr, alproto_str);
1103  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1104  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1105  "%s%s.parser", estr, alproto_str);
1106  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1107  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1108  "%s%s.internal", estr, alproto_str);
1109  }
1110  } else if (alproto == ALPROTO_FAILED) {
1111  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1112  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1113  "%s%s%s", str, "failed", ipproto_suffix);
1114  if (ipproto == IPPROTO_TCP) {
1115  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1116  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1117  "%sfailed%s.gap", estr, ipproto_suffix);
1118  }
1119  }
1120  }
1121  }
1122 }
1123 
1124 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1125 {
1126  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1127  AppProto alprotos[ALPROTO_MAX];
1128  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1129 
1130  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1131  const uint8_t ipproto = ipprotos[p];
1132  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1133 
1134  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1135  if (alprotos[alproto] == 1) {
1136  applayer_counters[ipproto_map][alproto].counter_id =
1137  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1138 
1139  applayer_counters[ipproto_map][alproto].counter_tx_id =
1140  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
1141 
1142  if (ipproto == IPPROTO_TCP) {
1143  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1144  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1145  }
1146  applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter(
1147  applayer_counter_names[ipproto_map][alproto].alloc_error, tv);
1148  applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter(
1149  applayer_counter_names[ipproto_map][alproto].parser_error, tv);
1150  applayer_counters[ipproto_map][alproto].internal_error_id = StatsRegisterCounter(
1151  applayer_counter_names[ipproto_map][alproto].internal_error, tv);
1152  } else if (alproto == ALPROTO_FAILED) {
1153  applayer_counters[ipproto_map][alproto].counter_id =
1154  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1155 
1156  if (ipproto == IPPROTO_TCP) {
1157  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1158  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1159  }
1160  }
1161  }
1162  }
1163 }
1164 
1165 void AppLayerDeSetupCounters()
1166 {
1167  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1168  memset(applayer_counters, 0, sizeof(applayer_counters));
1169 }
1170 
1171 /***** Unittests *****/
1172 
1173 #ifdef UNITTESTS
1174 #include "pkt-var.h"
1175 #include "stream-tcp.h"
1176 #include "stream-tcp-util.h"
1177 #include "stream.h"
1178 #include "util-unittest.h"
1179 
1180 #define TEST_START \
1181  Packet *p = PacketGetFromAlloc(); \
1182  FAIL_IF_NULL(p); \
1183  Flow f; \
1184  ThreadVars tv; \
1185  StreamTcpThread *stt = NULL; \
1186  TCPHdr tcph; \
1187  PacketQueueNoLock pq; \
1188  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1189  memset(p, 0, SIZE_OF_PACKET); \
1190  memset(&f, 0, sizeof(Flow)); \
1191  memset(&tv, 0, sizeof(ThreadVars)); \
1192  memset(&tcph, 0, sizeof(TCPHdr)); \
1193  \
1194  FLOW_INITIALIZE(&f); \
1195  f.flags = FLOW_IPV4; \
1196  f.proto = IPPROTO_TCP; \
1197  p->flow = &f; \
1198  p->tcph = &tcph; \
1199  \
1200  StreamTcpInitConfig(true); \
1201  IPPairInitConfig(true); \
1202  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1203  \
1204  /* handshake */ \
1205  tcph.th_win = htons(5480); \
1206  tcph.th_flags = TH_SYN; \
1207  p->flowflags = FLOW_PKT_TOSERVER; \
1208  p->payload_len = 0; \
1209  p->payload = NULL; \
1210  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1211  TcpSession *ssn = (TcpSession *)f.protoctx; \
1212  \
1213  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1214  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1215  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1216  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1217  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1218  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1219  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1220  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1221  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1222  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1223  FAIL_IF(ssn->data_first_seen_dir != 0); \
1224  \
1225  /* handshake */ \
1226  p->tcph->th_ack = htonl(1); \
1227  p->tcph->th_flags = TH_SYN | TH_ACK; \
1228  p->flowflags = FLOW_PKT_TOCLIENT; \
1229  p->payload_len = 0; \
1230  p->payload = NULL; \
1231  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1232  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1233  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1234  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1235  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1236  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1237  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1238  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1239  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1240  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1241  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1242  FAIL_IF(ssn->data_first_seen_dir != 0); \
1243  \
1244  /* handshake */ \
1245  p->tcph->th_ack = htonl(1); \
1246  p->tcph->th_seq = htonl(1); \
1247  p->tcph->th_flags = TH_ACK; \
1248  p->flowflags = FLOW_PKT_TOSERVER; \
1249  p->payload_len = 0; \
1250  p->payload = NULL; \
1251  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1252  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1253  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1254  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1255  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1256  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1257  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1258  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1259  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1260  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1261  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1262  FAIL_IF(ssn->data_first_seen_dir != 0);
1263 #define TEST_END \
1264  StreamTcpSessionClear(p->flow->protoctx); \
1265  StreamTcpThreadDeinit(&tv, (void *)stt); \
1266  StreamTcpFreeConfig(true); \
1267  PacketFree(p); \
1268  FLOW_DESTROY(&f); \
1269  StatsThreadCleanup(&tv);
1270 
1271 /**
1272  * \test GET -> HTTP/1.1
1273  */
1274 static int AppLayerTest01(void)
1275 {
1276  TEST_START;
1277 
1278  /* full request */
1279  uint8_t request[] = {
1280  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1281  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1282  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1283  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1284  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1285  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1286  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1287  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1288  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1289  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1290  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1291  p->tcph->th_ack = htonl(1);
1292  p->tcph->th_seq = htonl(1);
1293  p->tcph->th_flags = TH_PUSH | TH_ACK;
1294  p->flowflags = FLOW_PKT_TOSERVER;
1295  p->payload_len = sizeof(request);
1296  p->payload = request;
1297  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1298  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1299  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1300  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1301  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1302  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1303  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1304  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1305  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1306  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1307  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1308  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1309 
1310  /* full response - request ack */
1311  uint8_t response[] = {
1312  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1313  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1314  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1315  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1316  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1317  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1318  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1319  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1320  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1321  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1322  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1323  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1324  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1325  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1326  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1327  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1328  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1329  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1330  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1331  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1332  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1333  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1334  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1335  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1336  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1337  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1338  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1339  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1340  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1341  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1342  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1343  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1344  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1345  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1346  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1347  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1348  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1349  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1350  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1351  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1352  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1353  p->tcph->th_ack = htonl(88);
1354  p->tcph->th_seq = htonl(1);
1355  p->tcph->th_flags = TH_PUSH | TH_ACK;
1356  p->flowflags = FLOW_PKT_TOCLIENT;
1357  p->payload_len = sizeof(response);
1358  p->payload = response;
1359  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1360  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1361  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1362  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1363  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1364  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1365  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1366  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1367  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1368  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1369  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1370  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1371 
1372  /* response ack */
1373  p->tcph->th_ack = htonl(328);
1374  p->tcph->th_seq = htonl(88);
1375  p->tcph->th_flags = TH_ACK;
1376  p->flowflags = FLOW_PKT_TOSERVER;
1377  p->payload_len = 0;
1378  p->payload = NULL;
1379  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1380  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1381  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1382  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1383  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1384  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1385  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1386  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1387  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1388  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1389  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1390  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1391 
1392  TEST_END;
1393  PASS;
1394 }
1395 
1396 /**
1397  * \test GE -> T -> HTTP/1.1
1398  */
1399 static int AppLayerTest02(void)
1400 {
1401  TEST_START;
1402 
1403  /* partial request */
1404  uint8_t request1[] = { 0x47, 0x45, };
1405  p->tcph->th_ack = htonl(1);
1406  p->tcph->th_seq = htonl(1);
1407  p->tcph->th_flags = TH_PUSH | TH_ACK;
1408  p->flowflags = FLOW_PKT_TOSERVER;
1409  p->payload_len = sizeof(request1);
1410  p->payload = request1;
1411  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1412  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1413  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1414  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1415  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1416  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1417  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1418  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1419  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1420  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1421  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1422  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1423 
1424  /* response ack against partial request */
1425  p->tcph->th_ack = htonl(3);
1426  p->tcph->th_seq = htonl(1);
1427  p->tcph->th_flags = TH_ACK;
1428  p->flowflags = FLOW_PKT_TOCLIENT;
1429  p->payload_len = 0;
1430  p->payload = NULL;
1431  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1432  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1433  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1434  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1435  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1436  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1437  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1438  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1439  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1440  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1441  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1442  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1443 
1444  /* complete partial request */
1445  uint8_t request2[] = {
1446  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1447  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1448  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1449  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1450  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1451  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1452  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1453  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1454  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1455  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1456  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1457  p->tcph->th_ack = htonl(1);
1458  p->tcph->th_seq = htonl(3);
1459  p->tcph->th_flags = TH_PUSH | TH_ACK;
1460  p->flowflags = FLOW_PKT_TOSERVER;
1461  p->payload_len = sizeof(request2);
1462  p->payload = request2;
1463  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1464  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1465  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1466  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1467  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1468  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1469  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1470  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1471  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1472  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1473  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1474  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1475 
1476  /* response - request ack */
1477  uint8_t response[] = {
1478  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1479  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1480  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1481  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1482  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1483  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1484  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1485  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1486  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1487  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1488  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1489  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1490  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1491  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1492  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1493  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1494  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1495  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1496  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1497  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1498  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1499  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1500  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1501  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1502  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1503  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1504  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1505  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1506  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1507  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1508  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1509  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1510  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1511  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1512  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1513  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1514  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1515  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1516  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1517  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1518  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1519  p->tcph->th_ack = htonl(88);
1520  p->tcph->th_seq = htonl(1);
1521  p->tcph->th_flags = TH_PUSH | TH_ACK;
1522  p->flowflags = FLOW_PKT_TOCLIENT;
1523  p->payload_len = sizeof(response);
1524  p->payload = response;
1525  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1526  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1527  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1528  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1529  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1530  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1531  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1532  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1533  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1534  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1535  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1536  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1537 
1538  /* response ack */
1539  p->tcph->th_ack = htonl(328);
1540  p->tcph->th_seq = htonl(88);
1541  p->tcph->th_flags = TH_ACK;
1542  p->flowflags = FLOW_PKT_TOSERVER;
1543  p->payload_len = 0;
1544  p->payload = NULL;
1545  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1546  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1547  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1548  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1549  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1550  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1551  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1552  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1553  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1554  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1555  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1556  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1557 
1558  TEST_END;
1559  PASS;
1560 }
1561 
1562 /**
1563  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1564  */
1565 static int AppLayerTest03(void)
1566 {
1567  TEST_START;
1568 
1569  /* request */
1570  uint8_t request[] = {
1571  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1572  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1573  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1574  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1575  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1576  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1577  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1578  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1579  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1580  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1581  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1582  p->tcph->th_ack = htonl(1);
1583  p->tcph->th_seq = htonl(1);
1584  p->tcph->th_flags = TH_PUSH | TH_ACK;
1585  p->flowflags = FLOW_PKT_TOSERVER;
1586  p->payload_len = sizeof(request);
1587  p->payload = request;
1588  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1589  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1590  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1591  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1592  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1593  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1594  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1595  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1596  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1597  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1598  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1599  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1600 
1601  /* rubbish response */
1602  uint8_t response[] = {
1603  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1604  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1605  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1606  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1607  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1608  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1609  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1610  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1611  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1612  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1613  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1614  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1615  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1616  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1617  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1618  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1619  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1620  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1621  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1622  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1623  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1624  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1625  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1626  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1627  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1628  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1629  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1630  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1631  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1632  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1633  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1634  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1635  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1636  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1637  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1638  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1639  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1640  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1641  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1642  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1643  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1644  p->tcph->th_ack = htonl(88);
1645  p->tcph->th_seq = htonl(1);
1646  p->tcph->th_flags = TH_PUSH | TH_ACK;
1647  p->flowflags = FLOW_PKT_TOCLIENT;
1648  p->payload_len = sizeof(response);
1649  p->payload = response;
1650  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1651  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1652  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1653  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1654  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1655  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1656  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1657  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1658  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1659  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1660  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1661  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1662 
1663  /* response ack */
1664  p->tcph->th_ack = htonl(328);
1665  p->tcph->th_seq = htonl(88);
1666  p->tcph->th_flags = TH_ACK;
1667  p->flowflags = FLOW_PKT_TOSERVER;
1668  p->payload_len = 0;
1669  p->payload = NULL;
1670  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1671  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1672  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1673  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1674  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1675  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1676  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1677  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1678  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1679  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1680  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1681  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1682 
1683  TEST_END;
1684  PASS;
1685 }
1686 
1687 /**
1688  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1689  */
1690 static int AppLayerTest04(void)
1691 {
1692  TEST_START;
1693 
1694  /* request */
1695  uint8_t request[] = {
1696  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1697  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1698  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1699  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1700  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1701  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1702  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1703  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1704  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1705  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1706  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1707  PrintRawDataFp(stdout, request, sizeof(request));
1708  p->tcph->th_ack = htonl(1);
1709  p->tcph->th_seq = htonl(1);
1710  p->tcph->th_flags = TH_PUSH | TH_ACK;
1711  p->flowflags = FLOW_PKT_TOSERVER;
1712  p->payload_len = sizeof(request);
1713  p->payload = request;
1714  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1715  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1716  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1717  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1718  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1719  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1720  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1721  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1722  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1723  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1724  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1725  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1726 
1727  /* partial response */
1728  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1729  PrintRawDataFp(stdout, response1, sizeof(response1));
1730  p->tcph->th_ack = htonl(88);
1731  p->tcph->th_seq = htonl(1);
1732  p->tcph->th_flags = TH_PUSH | TH_ACK;
1733  p->flowflags = FLOW_PKT_TOCLIENT;
1734  p->payload_len = sizeof(response1);
1735  p->payload = response1;
1736  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1737  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1738  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1739  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1740  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1741  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1742  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1743  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1744  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1745  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1746  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1747  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1748 
1749  /* partial response ack */
1750  p->tcph->th_ack = htonl(5);
1751  p->tcph->th_seq = htonl(88);
1752  p->tcph->th_flags = TH_ACK;
1753  p->flowflags = FLOW_PKT_TOSERVER;
1754  p->payload_len = 0;
1755  p->payload = NULL;
1756  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1757  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1758  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1759  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1760  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1761  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1762  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1763  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1764  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1765  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1766  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1767  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1768 
1769  /* remaining response */
1770  uint8_t response2[] = {
1771  0x2f, 0x31, 0x2e, 0x31,
1772  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1773  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1774  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1775  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1776  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1777  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1778  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1779  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1780  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1781  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1782  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1783  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1784  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1785  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1786  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1787  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1788  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1789  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1790  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1791  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1792  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1793  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1794  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1795  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1796  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1797  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1798  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1799  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1800  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1801  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1802  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1803  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1804  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1805  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1806  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1807  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1808  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1809  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1810  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1811  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1812  PrintRawDataFp(stdout, response2, sizeof(response2));
1813  p->tcph->th_ack = htonl(88);
1814  p->tcph->th_seq = htonl(5);
1815  p->tcph->th_flags = TH_PUSH | TH_ACK;
1816  p->flowflags = FLOW_PKT_TOCLIENT;
1817  p->payload_len = sizeof(response2);
1818  p->payload = response2;
1819  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1820  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1821  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1822  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1823  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1824  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1825  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1826  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1827  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1828  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1829  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1830  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1831 
1832  /* response ack */
1833  p->tcph->th_ack = htonl(328);
1834  p->tcph->th_seq = htonl(88);
1835  p->tcph->th_flags = TH_ACK;
1836  p->flowflags = FLOW_PKT_TOSERVER;
1837  p->payload_len = 0;
1838  p->payload = NULL;
1839  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1840  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1841  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1842  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1843  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1844  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1845  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1846  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1847  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1848  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1849  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1850  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1851 
1852  TEST_END;
1853  PASS;
1854 }
1855 
1856 /**
1857  * \test RUBBISH -> HTTP/1.1
1858  */
1859 static int AppLayerTest05(void)
1860 {
1861  TEST_START;
1862 
1863  /* full request */
1864  uint8_t request[] = {
1865  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1866  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1867  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1868  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1869  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1870  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1871  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1872  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1873  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1874  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1875  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1876  PrintRawDataFp(stdout, request, sizeof(request));
1877  p->tcph->th_ack = htonl(1);
1878  p->tcph->th_seq = htonl(1);
1879  p->tcph->th_flags = TH_PUSH | TH_ACK;
1880  p->flowflags = FLOW_PKT_TOSERVER;
1881  p->payload_len = sizeof(request);
1882  p->payload = request;
1883  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1884  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1885  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1886  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1887  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1888  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1889  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1890  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1891  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1892  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1893  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1894  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1895 
1896  /* full response - request ack */
1897  uint8_t response[] = {
1898  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1899  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1900  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1901  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1902  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1903  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1904  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1905  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1906  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1907  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1908  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1909  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1910  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1911  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1912  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1913  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1914  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1915  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1916  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1917  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1918  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1919  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1920  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1921  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1922  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1923  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1924  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1925  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1926  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1927  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1928  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1929  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1930  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1931  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1932  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1933  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1934  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1935  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1936  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1937  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1938  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1939  PrintRawDataFp(stdout, response, sizeof(response));
1940  p->tcph->th_ack = htonl(88);
1941  p->tcph->th_seq = htonl(1);
1942  p->tcph->th_flags = TH_PUSH | TH_ACK;
1943  p->flowflags = FLOW_PKT_TOCLIENT;
1944  p->payload_len = sizeof(response);
1945  p->payload = response;
1946  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1947  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1948  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1949  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1950  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1951  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1952  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1953  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1954  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1955  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1956  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1957  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1958 
1959  /* response ack */
1960  p->tcph->th_ack = htonl(328);
1961  p->tcph->th_seq = htonl(88);
1962  p->tcph->th_flags = TH_ACK;
1963  p->flowflags = FLOW_PKT_TOSERVER;
1964  p->payload_len = 0;
1965  p->payload = NULL;
1966  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1967  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1968  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1969  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1970  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1971  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1972  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1973  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1974  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1975  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1976  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1977  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1978 
1979  TEST_END;
1980  PASS;
1981 }
1982 
1983 /**
1984  * \test HTTP/1.1 -> GET
1985  */
1986 static int AppLayerTest06(void)
1987 {
1988  TEST_START;
1989 
1990  /* full response - request ack */
1991  uint8_t response[] = {
1992  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1993  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1994  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1995  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1996  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1997  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1998  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1999  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2000  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2001  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2002  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2003  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2004  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2005  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2006  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2007  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2008  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2009  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2010  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2011  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2012  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2013  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2014  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2015  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2016  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2017  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2018  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2019  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2020  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2021  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2022  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2023  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2024  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2025  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2026  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2027  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2028  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2029  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2030  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2031  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2032  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2033  p->tcph->th_ack = htonl(1);
2034  p->tcph->th_seq = htonl(1);
2035  p->tcph->th_flags = TH_PUSH | TH_ACK;
2036  p->flowflags = FLOW_PKT_TOCLIENT;
2037  p->payload_len = sizeof(response);
2038  p->payload = response;
2039  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2040  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2041  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2042  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2043  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2044  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2045  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2046  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2047  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2048  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2049  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2050  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2051 
2052  /* full request - response ack*/
2053  uint8_t request[] = {
2054  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2055  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2056  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2057  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2058  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2059  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2060  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2061  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2062  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2063  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2064  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2065  p->tcph->th_ack = htonl(328);
2066  p->tcph->th_seq = htonl(1);
2067  p->tcph->th_flags = TH_PUSH | TH_ACK;
2068  p->flowflags = FLOW_PKT_TOSERVER;
2069  p->payload_len = sizeof(request);
2070  p->payload = request;
2071  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2072  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2073  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2074  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2075  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2076  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2077  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2078  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2079  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2080  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2081  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2082  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2083 
2084  p->tcph->th_ack = htonl(1 + sizeof(request));
2085  p->tcph->th_seq = htonl(328);
2086  p->tcph->th_flags = TH_PUSH | TH_ACK;
2087  p->flowflags = FLOW_PKT_TOCLIENT;
2088  p->payload_len = 0;
2089  p->payload = NULL;
2090  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2091  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2092  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2093  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2094  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2095  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2096  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2097  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2098  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2099  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2100  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2101  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2102 
2103  TEST_END;
2104  PASS;
2105 }
2106 
2107 /**
2108  * \test GET -> DCERPC
2109  */
2110 static int AppLayerTest07(void)
2111 {
2112  TEST_START;
2113 
2114  /* full request */
2115  uint8_t request[] = {
2116  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2117  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2118  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2119  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2120  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2121  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2122  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2123  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2124  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2125  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2126  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2127  p->tcph->th_ack = htonl(1);
2128  p->tcph->th_seq = htonl(1);
2129  p->tcph->th_flags = TH_PUSH | TH_ACK;
2130  p->flowflags = FLOW_PKT_TOSERVER;
2131  p->payload_len = sizeof(request);
2132  p->payload = request;
2133  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2134  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2135  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2136  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2137  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2138  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2139  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2140  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2141  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2142  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2143  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2144  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2145 
2146  /* full response - request ack */
2147  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2148  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2149  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2150  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2151  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2152  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2153  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2154  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2155  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2156  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2157  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2158  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2159  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2160  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2161  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2162  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2163  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2164  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2165  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2166  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2167  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2168  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2169  p->tcph->th_ack = htonl(88);
2170  p->tcph->th_seq = htonl(1);
2171  p->tcph->th_flags = TH_PUSH | TH_ACK;
2172  p->flowflags = FLOW_PKT_TOCLIENT;
2173  p->payload_len = sizeof(response);
2174  p->payload = response;
2175  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2176  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2177  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2178  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2179  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2180  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2181  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2182  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2183  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2184  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2185  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2186  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2187 
2188  /* response ack */
2189  p->tcph->th_ack = htonl(328);
2190  p->tcph->th_seq = htonl(88);
2191  p->tcph->th_flags = TH_ACK;
2192  p->flowflags = FLOW_PKT_TOSERVER;
2193  p->payload_len = 0;
2194  p->payload = NULL;
2195  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2196  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2197  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2198  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2199  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2200  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2201  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2202  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2203  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2204  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2205  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2206  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2207 
2208  TEST_END;
2209  PASS;
2210 }
2211 
2212 /**
2213  * \test SMB -> HTTP/1.1
2214  */
2215 static int AppLayerTest08(void)
2216 {
2217  TEST_START;
2218 
2219  /* full request */
2220  uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68,
2221  0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48,
2222  0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d,
2223  0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70,
2224  0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2225  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2226  p->tcph->th_ack = htonl(1);
2227  p->tcph->th_seq = htonl(1);
2228  p->tcph->th_flags = TH_PUSH | TH_ACK;
2229  p->flowflags = FLOW_PKT_TOSERVER;
2230  p->payload_len = sizeof(request);
2231  p->payload = request;
2232  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2233  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2234  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2235  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2236  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2237  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2238  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2239  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2240  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2241  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2242  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2243  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2244 
2245  /* full response - request ack */
2246  uint8_t response[] = {
2247  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2248  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2249  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2250  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2251  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2252  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2253  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2254  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2255  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2256  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2257  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2258  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2259  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2260  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2261  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2262  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2263  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2264  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2265  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2266  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2267  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2268  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2269  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2270  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2271  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2272  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2273  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2274  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2275  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2276  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2277  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2278  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2279  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2280  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2281  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2282  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2283  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2284  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2285  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2286  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2287  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2288  p->tcph->th_ack = htonl(88);
2289  p->tcph->th_seq = htonl(1);
2290  p->tcph->th_flags = TH_PUSH | TH_ACK;
2291  p->flowflags = FLOW_PKT_TOCLIENT;
2292  p->payload_len = sizeof(response);
2293  p->payload = response;
2294  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2295  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2296  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2297  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2298  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2299  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2300  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2301  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2302  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2303  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2304  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2305  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2306 
2307  /* response ack */
2308  p->tcph->th_ack = htonl(328);
2309  p->tcph->th_seq = htonl(88);
2310  p->tcph->th_flags = TH_ACK;
2311  p->flowflags = FLOW_PKT_TOSERVER;
2312  p->payload_len = 0;
2313  p->payload = NULL;
2314  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2315  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2316  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2317  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2318  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2319  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2320  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2321  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2322  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2323  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2324  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2325  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2326 
2327  TEST_END;
2328  PASS;
2329 }
2330 
2331 /**
2332  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2333  * RUBBISH(TC - PM and PP DONE) ->
2334  * RUBBISH(TS - PM and PP DONE)
2335  */
2336 static int AppLayerTest09(void)
2337 {
2338  TEST_START;
2339 
2340  /* full request */
2341  uint8_t request1[] = {
2342  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2343  p->tcph->th_ack = htonl(1);
2344  p->tcph->th_seq = htonl(1);
2345  p->tcph->th_flags = TH_PUSH | TH_ACK;
2346  p->flowflags = FLOW_PKT_TOSERVER;
2347  p->payload_len = sizeof(request1);
2348  p->payload = request1;
2349  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2350  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2351  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2352  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2353  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2354  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2355  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2356  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2357  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2358  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2359  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2360  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2361 
2362  /* response - request ack */
2363  p->tcph->th_ack = htonl(9);
2364  p->tcph->th_seq = htonl(1);
2365  p->tcph->th_flags = TH_PUSH | TH_ACK;
2366  p->flowflags = FLOW_PKT_TOCLIENT;
2367  p->payload_len = 0;
2368  p->payload = NULL;
2369  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2370  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2371  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2372  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2373  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2374  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2375  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2376  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2377  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2378  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2379  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2380  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2381 
2382  /* full request */
2383  uint8_t request2[] = {
2384  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2385  p->tcph->th_ack = htonl(1);
2386  p->tcph->th_seq = htonl(9);
2387  p->tcph->th_flags = TH_PUSH | TH_ACK;
2388  p->flowflags = FLOW_PKT_TOSERVER;
2389  p->payload_len = sizeof(request2);
2390  p->payload = request2;
2391  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2392  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2393  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2394  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2395  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2396  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2397  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2398  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2399  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2400  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2401  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2402  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2403 
2404  /* full response - request ack */
2405  uint8_t response[] = {
2406  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2407  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2408  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2409  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2410  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2411  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2412  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2413  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2414  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2415  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2416  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2417  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2418  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2419  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2420  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2421  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2422  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2423  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2424  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2425  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2426  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2427  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2428  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2429  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2430  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2431  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2432  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2433  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2434  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2435  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2436  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2437  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2438  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2439  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2440  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2441  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2442  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2443  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2444  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2445  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2446  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2447  p->tcph->th_ack = htonl(18);
2448  p->tcph->th_seq = htonl(1);
2449  p->tcph->th_flags = TH_PUSH | TH_ACK;
2450  p->flowflags = FLOW_PKT_TOCLIENT;
2451  p->payload_len = sizeof(response);
2452  p->payload = response;
2453  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2454  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2455  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2456  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2457  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2458  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2459  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2460  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2461  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2462  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2463  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2464  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2465 
2466  /* response ack */
2467  p->tcph->th_ack = htonl(328);
2468  p->tcph->th_seq = htonl(18);
2469  p->tcph->th_flags = TH_ACK;
2470  p->flowflags = FLOW_PKT_TOSERVER;
2471  p->payload_len = 0;
2472  p->payload = NULL;
2473  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2474  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2475  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2476  FAIL_IF(f.alproto != ALPROTO_FAILED);
2477  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2478  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2479  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2480  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2481  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2482  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2483  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2484  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2485 
2486  TEST_END;
2487  PASS;
2488 }
2489 
2490 /**
2491  * \test RUBBISH(TC - PM and PP DONE) ->
2492  * RUBBISH(TS - PM and PP DONE)
2493  */
2494 static int AppLayerTest10(void)
2495 {
2496  TEST_START;
2497 
2498  /* full request */
2499  uint8_t request1[] = {
2500  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2501  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2502  p->tcph->th_ack = htonl(1);
2503  p->tcph->th_seq = htonl(1);
2504  p->tcph->th_flags = TH_PUSH | TH_ACK;
2505  p->flowflags = FLOW_PKT_TOSERVER;
2506  p->payload_len = sizeof(request1);
2507  p->payload = request1;
2508  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2509  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2510  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2511  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2512  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2513  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2514  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2515  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2516  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2517  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2518  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2519  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2520 
2521  /* response - request ack */
2522  p->tcph->th_ack = htonl(18);
2523  p->tcph->th_seq = htonl(1);
2524  p->tcph->th_flags = TH_PUSH | TH_ACK;
2525  p->flowflags = FLOW_PKT_TOCLIENT;
2526  p->payload_len = 0;
2527  p->payload = NULL;
2528  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2529  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2530  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2531  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2532  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2533  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2534  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2535  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2536  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2537  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2538  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2539  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2540 
2541  /* full response - request ack */
2542  uint8_t response[] = {
2543  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2544  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2545  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2546  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2547  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2548  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2549  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2550  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2551  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2552  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2553  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2554  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2555  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2556  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2557  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2558  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2559  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2560  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2561  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2562  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2563  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2564  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2565  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2566  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2567  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2568  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2569  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2570  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2571  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2572  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2573  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2574  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2575  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2576  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2577  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2578  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2579  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2580  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2581  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2582  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2583  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2584  p->tcph->th_ack = htonl(18);
2585  p->tcph->th_seq = htonl(1);
2586  p->tcph->th_flags = TH_PUSH | TH_ACK;
2587  p->flowflags = FLOW_PKT_TOCLIENT;
2588  p->payload_len = sizeof(response);
2589  p->payload = response;
2590  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2591  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2592  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2593  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2594  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2595  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2596  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2597  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2598  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2599  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2600  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2601  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2602 
2603  /* response ack */
2604  p->tcph->th_ack = htonl(328);
2605  p->tcph->th_seq = htonl(18);
2606  p->tcph->th_flags = TH_ACK;
2607  p->flowflags = FLOW_PKT_TOSERVER;
2608  p->payload_len = 0;
2609  p->payload = NULL;
2610  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2611  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2612  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2613  FAIL_IF(f.alproto != ALPROTO_FAILED);
2614  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2615  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2616  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2617  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2618  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2619  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2620  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2621  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2622 
2623  TEST_END;
2624  PASS;
2625 }
2626 
2627 /**
2628  * \test RUBBISH(TC - PM and PP DONE) ->
2629  * RUBBISH(TS - PM and PP NOT DONE) ->
2630  * RUBBISH(TS - PM and PP DONE)
2631  */
2632 static int AppLayerTest11(void)
2633 {
2634  TEST_START;
2635 
2636  /* full request */
2637  uint8_t request1[] = {
2638  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2639  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2640  p->tcph->th_ack = htonl(1);
2641  p->tcph->th_seq = htonl(1);
2642  p->tcph->th_flags = TH_PUSH | TH_ACK;
2643  p->flowflags = FLOW_PKT_TOSERVER;
2644  p->payload_len = sizeof(request1);
2645  p->payload = request1;
2646  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2647  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2648  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2649  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2650  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2651  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2652  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2653  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2654  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2655  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2656  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2657  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2658 
2659  /* response - request ack */
2660  p->tcph->th_ack = htonl(18);
2661  p->tcph->th_seq = htonl(1);
2662  p->tcph->th_flags = TH_PUSH | TH_ACK;
2663  p->flowflags = FLOW_PKT_TOCLIENT;
2664  p->payload_len = 0;
2665  p->payload = NULL;
2666  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2667  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2668  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2669  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2670  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2671  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2672  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2673  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2674  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2675  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2676  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2677  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2678 
2679  /* full response - request ack */
2680  uint8_t response1[] = {
2681  0x55, 0x74, 0x54, 0x50, };
2682  p->tcph->th_ack = htonl(18);
2683  p->tcph->th_seq = htonl(1);
2684  p->tcph->th_flags = TH_PUSH | TH_ACK;
2685  p->flowflags = FLOW_PKT_TOCLIENT;
2686  p->payload_len = sizeof(response1);
2687  p->payload = response1;
2688  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2689  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2690  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2691  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2692  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2693  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2694  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2695  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2696  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2697  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2698  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2699  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2700 
2701  /* response ack from request */
2702  p->tcph->th_ack = htonl(5);
2703  p->tcph->th_seq = htonl(18);
2704  p->tcph->th_flags = TH_ACK;
2705  p->flowflags = FLOW_PKT_TOSERVER;
2706  p->payload_len = 0;
2707  p->payload = NULL;
2708  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2709  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2710  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2711  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2712  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2713  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2714  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2715  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2716  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2717  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2718  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2719  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2720 
2721  uint8_t response2[] = {
2722  0x2f, 0x31, 0x2e, 0x31,
2723  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2724  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2725  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2726  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2727  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2728  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2729  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2730  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2731  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2732  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2733  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2734  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2735  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2736  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2737  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2738  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2739  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2740  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2741  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2742  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2743  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2744  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2745  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2746  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2747  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2748  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2749  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2750  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2751  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2752  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2753  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2754  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2755  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2756  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2757  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2758  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2759  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2760  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2761  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2762  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2763  p->tcph->th_ack = htonl(18);
2764  p->tcph->th_seq = htonl(5);
2765  p->tcph->th_flags = TH_PUSH | TH_ACK;
2766  p->flowflags = FLOW_PKT_TOCLIENT;
2767  p->payload_len = sizeof(response2);
2768  p->payload = response2;
2769  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2770  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2771  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2772  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2773  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2774  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2775  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2776  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2777  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2778  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2779  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2780  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2781 
2782  /* response ack from request */
2783  p->tcph->th_ack = htonl(328);
2784  p->tcph->th_seq = htonl(18);
2785  p->tcph->th_flags = TH_ACK;
2786  p->flowflags = FLOW_PKT_TOSERVER;
2787  p->payload_len = 0;
2788  p->payload = NULL;
2789  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2790  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2791  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2792  FAIL_IF(f.alproto != ALPROTO_FAILED);
2793  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2794  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2795  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2796  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2797  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2798  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2799  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2800  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2801 
2802  TEST_END;
2803  PASS;
2804 }
2805 
2806 void AppLayerUnittestsRegister(void)
2807 {
2808  SCEnter();
2809 
2810  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2811  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2812  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2813  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2814  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2815  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2816  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2817  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2818  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2819  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2820  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2821 
2822  SCReturn;
2823 }
2824 
2825 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:86
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:282
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:57
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:203
Packet_::proto
uint8_t proto
Definition: decode.h:456
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:296
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:28
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:88
AppLayerCounters_
Definition: app-layer.c:85
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:143
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1848
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:87
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:97
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1014
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1026
Flow_::proto
uint8_t proto
Definition: flow.h:375
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:574
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6555
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:63
Packet_::flags
uint32_t flags
Definition: decode.h:469
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:204
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:61
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:353
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:130
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:90
Flow_::protomap
uint8_t protomap
Definition: flow.h:455
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1159
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:243
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:292
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1124
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:466
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:190
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1021
AppLayerCounterNames_
Definition: app-layer.c:76
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1560
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:327
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:154
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6051
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2806
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:935
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1044
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:465
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:113
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:75
Flow_::protoctx
void * protoctx
Definition: flow.h:451
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:138
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:601
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:921
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:199
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:280
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:89
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:970
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1202
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:75
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:169
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:273
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:485
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1659
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:955
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1301
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:174
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:638
AppLayerParserState_
Definition: app-layer-parser.c:155
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:274
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1034
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:405
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:491
util-exception-policy.h
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:982
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4935
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:1043
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1996
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:273
TEST_START
#define TEST_START
Definition: app-layer.c:1180
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:224
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:143
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:101
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy.h:25
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:275
SCReturn
#define SCReturn
Definition: util-debug.h:300
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:281
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:96
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:290
Packet_
Definition: decode.h:434
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:800
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:288
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:314
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:680
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:146
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:196
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:469
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:58
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:306
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1244
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:430
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:283
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:554
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1878
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:100
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:154
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:173
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:284
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1203
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1521
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:31
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:262
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2224
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1546
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2085
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:283
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2182
str
#define str(s)
Definition: suricata-common.h:272
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:398
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:79
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:461
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6561
Flow_::alstate
void * alstate
Definition: flow.h:486
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:1004
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:184
Flow_::flags
uint32_t flags
Definition: flow.h:431
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:928
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:175
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:122
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:62
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:312
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:258
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:199
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:211
TEST_END
#define TEST_END
Definition: app-layer.c:1263
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:56
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:190
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2139
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:95
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:77
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:213
TcpSession_
Definition: stream-tcp-private.h:271
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:276
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:462
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:73
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1649
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:956
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:213
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1165
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:224
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2207
app-layer.h