suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
56 struct AppLayerThreadCtx_ {
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
58  AppLayerProtoDetectThreadCtx *alpd_tctx;
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
60  AppLayerParserThreadCtx *alp_tctx;
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
66  AppProto alproto;
67  uint64_t proto_detect_ticks_start;
68  uint64_t proto_detect_ticks_end;
69  uint64_t proto_detect_ticks_spent;
70 #endif
71 };
72 
73 #define MAX_COUNTER_SIZE 64
74 typedef struct AppLayerCounterNames_ {
75  char name[MAX_COUNTER_SIZE];
76  char tx_name[MAX_COUNTER_SIZE];
77 } AppLayerCounterNames;
78 
79 typedef struct AppLayerCounters_ {
80  uint16_t counter_id;
81  uint16_t counter_tx_id;
82 } AppLayerCounters;
83 
84 /* counter names. Only used at init. */
85 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
86 /* counter id's. Used that runtime. */
87 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
88 
89 void AppLayerSetupCounters(void);
90 void AppLayerDeSetupCounters(void);
91 
92 /***** L7 layer dispatchers *****/
93 
94 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
95  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
96  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
97  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
98 }
99 
100 /**
101  * \note id can be 0 if protocol parser is disabled but detection
102  * is enabled.
103  */
104 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
105 {
106  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
107  if (likely(tv && id > 0)) {
108  StatsIncr(tv, id);
109  }
110 }
111 
112 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
113 {
114  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
115  if (likely(tv && id > 0)) {
116  StatsAddUI64(tv, id, step);
117  }
118 }
119 
120 /* in IDS mode protocol detection is done in reverse order:
121  * when TCP data is ack'd. We want to flag the correct packet,
122  * so in this case we set a flag in the flow so that the first
123  * packet in the correct direction can be tagged.
124  *
125  * For IPS things are much simpler, and we don't use the flow
126  * flag. We just tag the packet directly. */
127 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
128 {
129  if (EngineModeIsIPS()) {
130  if (flags & STREAM_TOSERVER) {
131  if (p->flowflags & FLOW_PKT_TOSERVER) {
132  p->flags |= PKT_PROTO_DETECT_TS_DONE;
133  } else {
134  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
135  }
136  } else {
137  if (p->flowflags & FLOW_PKT_TOCLIENT) {
138  p->flags |= PKT_PROTO_DETECT_TC_DONE;
139  } else {
140  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
141  }
142  }
143  } else {
144  if (flags & STREAM_TOSERVER) {
145  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
146  } else {
147  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
148  }
149  }
150 }
151 
152 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
153 {
154  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
155  f, f->alproto, f->alproto_ts, f->alproto_tc);
156  FlowCleanupAppLayer(f);
157  StreamTcpDisableAppLayer(f);
158  TcpSession *ssn = f->protoctx;
159  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
160  f->alproto = ALPROTO_FAILED;
161  AppLayerIncFlowCounter(tv, f);
162 
163  if (f->alproto_tc != ALPROTO_FAILED) {
164  if (f->alproto_tc == ALPROTO_UNKNOWN) {
165  f->alproto_tc = ALPROTO_FAILED;
166  }
167  FlagPacketFlow(p, f, STREAM_TOCLIENT);
168  }
169  if (f->alproto_ts != ALPROTO_FAILED) {
170  if (f->alproto_ts == ALPROTO_UNKNOWN) {
171  f->alproto_ts = ALPROTO_FAILED;
172  }
173  FlagPacketFlow(p, f, STREAM_TOSERVER);
174  }
175  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
176  f, f->alproto, f->alproto_ts, f->alproto_tc);
177 }
178 
179 /* See if we're going to have to give up:
180  *
181  * If we're getting a lot of data in one direction and the
182  * proto for this direction is unknown, proto detect will
183  * hold up segments in the segment list in the stream.
184  * They are held so that if we detect the protocol on the
185  * opposing stream, we can still parse this side of the stream
186  * as well. However, some sessions are very unbalanced. FTP
187  * data channels, large PUT/POST request and many others, can
188  * lead to cases where we would have to store many megabytes
189  * worth of segments before we see the opposing stream. This
190  * leads to risks of resource starvation.
191  *
192  * Here a cutoff point is enforced. If we've stored 100k in
193  * one direction and we've seen no data in the other direction,
194  * we give up.
195  *
196  * Giving up means we disable applayer an set an applayer event
197  */
198 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
199  Flow *f, TcpSession *ssn, Packet *p)
200 {
201  if (ssn->state < TCP_ESTABLISHED) {
202  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
203  return;
204  }
205 
206  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
207  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
208  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
209 
210 #ifdef DEBUG_VALIDATION
211  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
212  BUG_ON(size_ts > 1000000UL);
213  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
214  BUG_ON(size_tc > 1000000UL);
215 #endif /* DEBUG_VALIDATION */
216 
217  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
218  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
219  {
220  goto failure;
221 
222  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
223  size_ts > 100000 && size_tc == 0)
224  {
225  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
226  APPLAYER_PROTO_DETECTION_SKIPPED);
227  goto failure;
228 
229  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
230  size_tc > 100000 && size_ts == 0)
231  {
232  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
233  APPLAYER_PROTO_DETECTION_SKIPPED);
234  goto failure;
235 
236  /* little data in ts direction, pp done, pm not done (max
237  * depth not reached), ts direction done, lots of data in
238  * tc direction. */
239  } else if (size_tc > 100000 &&
240  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
241  FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
242  {
243  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
244  APPLAYER_PROTO_DETECTION_SKIPPED);
245  goto failure;
246 
247  /* little data in tc direction, pp done, pm not done (max
248  * depth not reached), tc direction done, lots of data in
249  * ts direction. */
250  } else if (size_ts > 100000 &&
251  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
252  FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
253  {
254  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
255  APPLAYER_PROTO_DETECTION_SKIPPED);
256  goto failure;
257 
258  /* in case of really low TS data (e.g. 4 bytes) we can have
259  * the PP complete, PM not complete (depth not reached) and
260  * the TC side also not recognized (proto unknown) */
261  } else if (size_tc > 100000 &&
262  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
263  (!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
264  {
265  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
266  APPLAYER_PROTO_DETECTION_SKIPPED);
267  goto failure;
268  }
269  return;
270 
271 failure:
272  DisableAppLayer(tv, f, p);
273  return;
274 }
275 
276 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
277  TcpReassemblyThreadCtx *ra_ctx,
278  Packet *p, TcpSession *ssn, TcpStream *stream)
279 {
280  TcpStream *opposing_stream = NULL;
281  if (stream == &ssn->client) {
282  opposing_stream = &ssn->server;
283  } else {
284  opposing_stream = &ssn->client;
285  }
286 
287  /* if the opposing side is not going to work, then
288  * we just have to give up. */
289  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
290  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
291  return -1;
292  }
293 
294  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
295  UPDATE_DIR_OPPOSING :
296  UPDATE_DIR_PACKET;
297  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
298  opposing_stream, p, dir);
299  return ret;
300 }
301 
302 /** \todo data const
303  * \retval int -1 error
304  * \retval int 0 ok
305  */
306 static int TCPProtoDetect(ThreadVars *tv,
307  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
308  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
309  uint8_t *data, uint32_t data_len, uint8_t flags)
310 {
311  AppProto *alproto;
312  AppProto *alproto_otherdir;
313  int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
314 
315  if (flags & STREAM_TOSERVER) {
316  alproto = &f->alproto_ts;
317  alproto_otherdir = &f->alproto_tc;
318  } else {
319  alproto = &f->alproto_tc;
320  alproto_otherdir = &f->alproto_ts;
321  }
322 
323  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
324 #ifdef PRINT
325  if (data_len > 0) {
326  printf("=> Init Stream Data (app layer) -- start %s%s\n",
327  flags & STREAM_TOCLIENT ? "toclient" : "",
328  flags & STREAM_TOSERVER ? "toserver" : "");
329  PrintRawDataFp(stdout, data, data_len);
330  printf("=> Init Stream Data -- end\n");
331  }
332 #endif
333 
334  bool reverse_flow = false;
335  PACKET_PROFILING_APP_PD_START(app_tctx);
336  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
337  f, data, data_len,
338  IPPROTO_TCP, flags, &reverse_flow);
339  PACKET_PROFILING_APP_PD_END(app_tctx);
340  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
341 
342  if (*alproto != ALPROTO_UNKNOWN) {
343  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
344  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
345  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
346 
347  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
348  /* if we already invoked the parser, we go with that proto */
349  f->alproto = *alproto_otherdir;
350  } else {
351  /* no data sent to parser yet, we can still choose
352  * we're trusting the server more. */
353  if (flags & STREAM_TOCLIENT)
354  f->alproto = *alproto;
355  else
356  f->alproto = *alproto_otherdir;
357  }
358  } else {
359  f->alproto = *alproto;
360  }
361 
362  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
363  TcpSessionSetReassemblyDepth(ssn,
364  AppLayerParserGetStreamDepth(f));
365  FlagPacketFlow(p, f, flags);
366  /* if protocol detection indicated that we need to reverse
367  * the direction of the flow, do it now. We flip the flow,
368  * packet and the direction flags */
369  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
370  SCLogDebug("reversing flow after proto detect told us so");
371  PacketSwap(p);
372  FlowSwap(f);
373  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
374  if (*stream == &ssn->client) {
375  *stream = &ssn->server;
376  } else {
377  *stream = &ssn->client;
378  }
379  direction = 1 - direction;
380  }
381 
382  /* account flow if we have both sides */
383  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
384  AppLayerIncFlowCounter(tv, f);
385  }
386 
387  /* if we have seen data from the other direction first, send
388  * data for that direction first to the parser. This shouldn't
389  * be an issue, since each stream processing happens
390  * independently of the other stream direction. At this point of
391  * call, you need to know that this function's already being
392  * called by the very same StreamReassembly() function that we
393  * will now call shortly for the opposing direction. */
394  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
395  !(flags & ssn->data_first_seen_dir))
396  {
397  SCLogDebug("protocol %s needs first data in other direction",
398  AppProtoToString(*alproto));
399 
400  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
401  p, ssn, *stream) != 0)
402  {
403  DisableAppLayer(tv, f, p);
404  SCReturnInt(-1);
405  }
406  }
407 
408  /* if the parser operates such that it needs to see data from
409  * a particular direction first, we check if we have seen
410  * data from that direction first for the flow. IF it is not
411  * the same, we set an event and exit.
412  *
413  * \todo We need to figure out a more robust solution for this,
414  * as this can lead to easy evasion tactics, where the
415  * attackeer can first send some dummy data in the wrong
416  * direction first to mislead our proto detection process.
417  * While doing this we need to update the parsers as well,
418  * since the parsers must be robust to see such wrong
419  * direction data.
420  * Either ways the moment we see the
421  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
422  * flow, it shows something's fishy.
423  */
424  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
425  uint8_t first_data_dir;
426  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
427 
428  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
429  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
430  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
431  DisableAppLayer(tv, f, p);
432  SCReturnInt(-1);
433  }
434  /* This can happen if the current direction is not the
435  * right direction, and the data from the other(also
436  * the right direction) direction is available to be sent
437  * to the app layer, but it is not ack'ed yet and hence
438  * the forced call to STreamTcpAppLayerReassemble still
439  * hasn't managed to send data from the other direction
440  * to the app layer. */
441  if (first_data_dir && !(first_data_dir & flags)) {
442  FlowCleanupAppLayer(f);
443  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
444  FLOW_RESET_PP_DONE(f, flags);
445  FLOW_RESET_PM_DONE(f, flags);
446  FLOW_RESET_PE_DONE(f, flags);
447  SCReturnInt(-1);
448  }
449  }
450 
451  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
452  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
453 
454  /* finally, invoke the parser */
455  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
456  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
457  flags, data, data_len);
458  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
459  if (r < 0) {
460  SCReturnInt(-1);
461  } else if (r == 0) {
462  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
463  }
464  } else {
465  /* if the ssn is midstream, we may end up with a case where the
466  * start of an HTTP request is missing. We won't detect HTTP based
467  * on the request. However, the reply is fine, so we detect
468  * HTTP anyway. This leads to passing the incomplete request to
469  * the htp parser.
470  *
471  * This has been observed, where the http parser then saw many
472  * bogus requests in the incomplete data.
473  *
474  * To counter this case, a midstream session MUST find it's
475  * protocol in the toserver direction. If not, we assume the
476  * start of the request/toserver is incomplete and no reliable
477  * detection and parsing is possible. So we give up.
478  */
479  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
480  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
481  {
482  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
483  SCLogDebug("midstream end pd %p", ssn);
484  /* midstream and toserver detection failed: give up */
485  DisableAppLayer(tv, f, p);
486  SCReturnInt(0);
487  }
488  }
489 
490  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
491  uint8_t first_data_dir;
492  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
493 
494  /* this would handle this test case -
495  * http parser which says it wants to see toserver data first only.
496  * tcp handshake
497  * toclient data first received. - RUBBISH DATA which
498  * we don't detect as http
499  * toserver data next sent - we detect this as http.
500  * at this stage we see that toclient is the first data seen
501  * for this session and we try and redetect the app protocol,
502  * but we are unable to detect the app protocol like before.
503  * But since we have managed to detect the protocol for the
504  * other direction as http, we try to use that. At this
505  * stage we check if the direction of this stream matches
506  * to that acceptable by the app parser. If it is not the
507  * acceptable direction we error out.
508  */
509  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
510  (first_data_dir) && !(first_data_dir & flags))
511  {
512  DisableAppLayer(tv, f, p);
513  SCReturnInt(-1);
514  }
515 
516  /* if protocol detection is marked done for our direction we
517  * pass our data on. We're only succeeded in finding one
518  * direction: the opposing stream
519  *
520  * If PD was not yet complete, we don't do anything.
521  */
522  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
523  if (data_len > 0)
524  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
525 
526  if (*alproto_otherdir != ALPROTO_FAILED) {
527  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
528  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
529  f->alproto, flags,
530  data, data_len);
531  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
532  if (r == 0) {
533  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
534  }
535 
536  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
537  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
538  TcpSessionSetReassemblyDepth(ssn,
539  AppLayerParserGetStreamDepth(f));
540 
541  *alproto = *alproto_otherdir;
542  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
543  p->pcap_cnt, *alproto, *alproto_otherdir, r);
544  if (r < 0) {
545  SCReturnInt(-1);
546  }
547  }
548  *alproto = ALPROTO_FAILED;
549  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
550  AppLayerIncFlowCounter(tv, f);
551  FlagPacketFlow(p, f, flags);
552 
553  }
554  } else {
555  /* both sides unknown, let's see if we need to give up */
556  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
557  }
558  }
559  SCReturnInt(0);
560 }
561 
562 /** \brief handle TCP data for the app-layer.
563  *
564  * First run protocol detection and then when the protocol is known invoke
565  * the app layer parser.
566  *
567  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
568  * reversed.
569  */
570 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
571  Packet *p, Flow *f,
572  TcpSession *ssn, TcpStream **stream,
573  uint8_t *data, uint32_t data_len,
574  uint8_t flags)
575 {
576  SCEnter();
577 
578  DEBUG_ASSERT_FLOW_LOCKED(f);
579  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
580 
581  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
582  AppProto alproto;
583  int r = 0;
584 
585  SCLogDebug("data_len %u flags %02X", data_len, flags);
586  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
587  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
588  goto end;
589  }
590 
591  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
592 
593  if (flags & STREAM_TOSERVER) {
594  alproto = f->alproto_ts;
595  } else {
596  alproto = f->alproto_tc;
597  }
598 
599  /* If a gap notification, relay the notification on to the
600  * app-layer if known. */
601  if (flags & STREAM_GAP) {
602  if (alproto == ALPROTO_UNKNOWN) {
603  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
604  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
605  /* if the other side didn't already find the proto, we're done */
606  if (f->alproto == ALPROTO_UNKNOWN) {
607  goto failure;
608  }
609  }
610  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
611  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
612  flags, data, data_len);
613  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
614  /* ignore parser result for gap */
615  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
616  goto end;
617  }
618 
619  /* if we don't know the proto yet and we have received a stream
620  * initializer message, we run proto detection.
621  * We receive 2 stream init msgs (one for each direction) but we
622  * only run the proto detection once. */
623  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
624  /* run protocol detection */
625  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
626  data, data_len, flags) != 0) {
627  goto failure;
628  }
629  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
630  f->alproto_orig = f->alproto;
631  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
632  AppLayerProtoDetectReset(f);
633  /* rerun protocol detection */
634  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
635  data, data_len, flags) != 0) {
636  SCLogDebug("proto detect failure");
637  goto failure;
638  }
639  SCLogDebug("protocol change, old %s, new %s",
640  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
641 
642  if (f->alproto_expect != ALPROTO_UNKNOWN &&
643  f->alproto != f->alproto_expect)
644  {
645  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
646  APPLAYER_UNEXPECTED_PROTOCOL);
647 
648  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
649  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
650  APPLAYER_NO_TLS_AFTER_STARTTLS);
651 
652  }
653  }
654  } else {
655  SCLogDebug("stream data (len %" PRIu32 " alproto "
656  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
657 #ifdef PRINT
658  if (data_len > 0) {
659  printf("=> Stream Data (app layer) -- start %s%s\n",
660  flags & STREAM_TOCLIENT ? "toclient" : "",
661  flags & STREAM_TOSERVER ? "toserver" : "");
662  PrintRawDataFp(stdout, data, data_len);
663  printf("=> Stream Data -- end\n");
664  }
665 #endif
666  /* if we don't have a data object here we are not getting it
667  * a start msg should have gotten us one */
668  if (f->alproto != ALPROTO_UNKNOWN) {
669  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
670  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
671  flags, data, data_len);
672  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
673  if (r == 0) {
674  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
675  }
676  }
677  }
678 
679  goto end;
680  failure:
681  r = -1;
682  end:
683  SCReturnInt(r);
684 }
685 
686 /**
687  * \brief Handle a app layer UDP message
688  *
689  * If the protocol is yet unknown, the proto detection code is run first.
690  *
691  * \param dp_ctx Thread app layer detect context
692  * \param f *locked* flow
693  * \param p UDP packet
694  *
695  * \retval 0 ok
696  * \retval -1 error
697  */
698 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
699 {
700  SCEnter();
701 
702  if (f->alproto == ALPROTO_FAILED) {
703  SCReturnInt(0);
704  }
705 
706  int r = 0;
707  uint8_t flags = 0;
708  if (p->flowflags & FLOW_PKT_TOSERVER) {
709  flags |= STREAM_TOSERVER;
710  } else {
711  flags |= STREAM_TOCLIENT;
712  }
713 
714  AppLayerProfilingReset(tctx);
715 
716  /* if the protocol is still unknown, run detection */
717  if (f->alproto == ALPROTO_UNKNOWN) {
718  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
719  p->payload_len);
720 
721  bool reverse_flow = false;
722  PACKET_PROFILING_APP_PD_START(tctx);
723  f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
724  f, p->payload, p->payload_len,
725  IPPROTO_UDP, flags, &reverse_flow);
726  PACKET_PROFILING_APP_PD_END(tctx);
727 
728  if (f->alproto != ALPROTO_UNKNOWN) {
729  AppLayerIncFlowCounter(tv, f);
730 
731  if (reverse_flow) {
732  SCLogDebug("reversing flow after proto detect told us so");
733  PacketSwap(p);
734  FlowSwap(f);
735  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
736  }
737 
738  PACKET_PROFILING_APP_START(tctx, f->alproto);
739  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
740  flags, p->payload, p->payload_len);
741  PACKET_PROFILING_APP_END(tctx, f->alproto);
742  } else {
743  f->alproto = ALPROTO_FAILED;
744  AppLayerIncFlowCounter(tv, f);
745  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
746  }
747  PACKET_PROFILING_APP_STORE(tctx, p);
748  /* we do only inspection in one direction, so flag both
749  * sides as done here */
750  FlagPacketFlow(p, f, STREAM_TOSERVER);
751  FlagPacketFlow(p, f, STREAM_TOCLIENT);
752  } else {
753  SCLogDebug("data (len %" PRIu32 " ), alproto "
754  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
755 
756  /* run the parser */
757  PACKET_PROFILING_APP_START(tctx, f->alproto);
758  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
759  flags, p->payload, p->payload_len);
760  PACKET_PROFILING_APP_END(tctx, f->alproto);
761  PACKET_PROFILING_APP_STORE(tctx, p);
762  }
763 
764  SCReturnInt(r);
765 }
766 
767 /***** Utility *****/
768 
769 AppProto AppLayerGetProtoByName(char *alproto_name)
770 {
771  SCEnter();
772  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
773  SCReturnCT(r, "AppProto");
774 }
775 
776 const char *AppLayerGetProtoName(AppProto alproto)
777 {
778  SCEnter();
779  const char * r = AppLayerProtoDetectGetProtoName(alproto);
780  SCReturnCT(r, "char *");
781 }
782 
783 void AppLayerListSupportedProtocols(void)
784 {
785  SCEnter();
786 
787  AppProto alproto;
788  AppProto alprotos[ALPROTO_MAX];
789 
790  AppLayerProtoDetectSupportedAppProtocols(alprotos);
791 
792  printf("=========Supported App Layer Protocols=========\n");
793  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
794  if (alprotos[alproto] == 1)
795  printf("%s\n", AppLayerGetProtoName(alproto));
796  }
797 
798  SCReturn;
799 }
800 
801 /***** Setup/General Registration *****/
802 
803 int AppLayerSetup(void)
804 {
805  SCEnter();
806 
807  AppLayerProtoDetectSetup();
808  AppLayerParserSetup();
809 
810  AppLayerParserRegisterProtocolParsers();
811  AppLayerProtoDetectPrepareState();
812 
813  AppLayerSetupCounters();
814 
815  SCReturnInt(0);
816 }
817 
818 int AppLayerDeSetup(void)
819 {
820  SCEnter();
821 
822  AppLayerProtoDetectDeSetup();
823  AppLayerParserDeSetup();
824 
825  AppLayerDeSetupCounters();
826 
827  SCReturnInt(0);
828 }
829 
830 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
831 {
832  SCEnter();
833 
834  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
835  if (app_tctx == NULL)
836  goto error;
837  memset(app_tctx, 0, sizeof(*app_tctx));
838 
839  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
840  goto error;
841  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
842  goto error;
843 
844  goto done;
845  error:
846  AppLayerDestroyCtxThread(app_tctx);
847  app_tctx = NULL;
848  done:
849  SCReturnPtr(app_tctx, "void *");
850 }
851 
852 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
853 {
854  SCEnter();
855 
856  if (app_tctx == NULL)
857  SCReturn;
858 
859  if (app_tctx->alpd_tctx != NULL)
860  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
861  if (app_tctx->alp_tctx != NULL)
862  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
863  SCFree(app_tctx);
864 
865  SCReturn;
866 }
867 
868 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
869 {
870  PACKET_PROFILING_APP_RESET(app_tctx);
871 }
872 
873 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
874 {
875  PACKET_PROFILING_APP_STORE(app_tctx, p);
876 }
877 
878 /** \brief HACK to work around our broken unix manager (re)init loop
879  */
880 void AppLayerRegisterGlobalCounters(void)
881 {
882  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
883  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
884  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
885  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
886  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
887 }
888 
889 #define IPPROTOS_MAX 2
890 void AppLayerSetupCounters()
891 {
892  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
893  uint8_t ipproto;
894  AppProto alproto;
895  AppProto alprotos[ALPROTO_MAX];
896  const char *str = "app_layer.flow.";
897 
898  AppLayerProtoDetectSupportedAppProtocols(alprotos);
899 
900  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
901  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
902  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
903  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
904 
905  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
906  if (alprotos[alproto] == 1) {
907  const char *tx_str = "app_layer.tx.";
908  const char *alproto_str = AppLayerGetProtoName(alproto);
909 
910  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
911  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
912  {
913  snprintf(applayer_counter_names[ipproto_map][alproto].name,
914  sizeof(applayer_counter_names[ipproto_map][alproto].name),
915  "%s%s%s", str, alproto_str, ipproto_suffix);
916  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
917  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
918  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
919  } else {
920  snprintf(applayer_counter_names[ipproto_map][alproto].name,
921  sizeof(applayer_counter_names[ipproto_map][alproto].name),
922  "%s%s", str, alproto_str);
923  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
924  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
925  "%s%s", tx_str, alproto_str);
926  }
927  } else if (alproto == ALPROTO_FAILED) {
928  snprintf(applayer_counter_names[ipproto_map][alproto].name,
929  sizeof(applayer_counter_names[ipproto_map][alproto].name),
930  "%s%s%s", str, "failed", ipproto_suffix);
931  }
932  }
933  }
934 }
935 
936 void AppLayerRegisterThreadCounters(ThreadVars *tv)
937 {
938  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
939  uint8_t ipproto;
940  AppProto alproto;
941  AppProto alprotos[ALPROTO_MAX];
942 
943  AppLayerProtoDetectSupportedAppProtocols(alprotos);
944 
945  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
946  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
947 
948  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
949  if (alprotos[alproto] == 1) {
950  applayer_counters[ipproto_map][alproto].counter_id =
951  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
952 
953  applayer_counters[ipproto_map][alproto].counter_tx_id =
954  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
955  } else if (alproto == ALPROTO_FAILED) {
956  applayer_counters[ipproto_map][alproto].counter_id =
957  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
958  }
959  }
960  }
961 }
962 
963 void AppLayerDeSetupCounters()
964 {
965  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
966  memset(applayer_counters, 0, sizeof(applayer_counters));
967 }
968 
969 /***** Unittests *****/
970 
971 #ifdef UNITTESTS
972 #include "pkt-var.h"
973 #include "stream-tcp.h"
974 #include "stream-tcp-util.h"
975 #include "stream.h"
976 #include "util-unittest.h"
977 
978 #define TEST_START \
979  Packet *p = SCMalloc(SIZE_OF_PACKET);\
980  FAIL_IF_NULL(p);\
981  Flow f;\
982  ThreadVars tv;\
983  StreamTcpThread *stt = NULL;\
984  TCPHdr tcph;\
985  PacketQueueNoLock pq;\
986  memset(&pq,0,sizeof(PacketQueueNoLock));\
987  memset(p, 0, SIZE_OF_PACKET);\
988  memset (&f, 0, sizeof(Flow));\
989  memset(&tv, 0, sizeof (ThreadVars));\
990  memset(&tcph, 0, sizeof (TCPHdr));\
991 \
992  FLOW_INITIALIZE(&f);\
993  f.flags = FLOW_IPV4;\
994  f.proto = IPPROTO_TCP;\
995  p->flow = &f;\
996  p->tcph = &tcph;\
997 \
998  StreamTcpInitConfig(TRUE);\
999  IPPairInitConfig(TRUE); \
1000  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
1001 \
1002  /* handshake */\
1003  tcph.th_win = htons(5480);\
1004  tcph.th_flags = TH_SYN;\
1005  p->flowflags = FLOW_PKT_TOSERVER;\
1006  p->payload_len = 0;\
1007  p->payload = NULL;\
1008  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1009  TcpSession *ssn = (TcpSession *)f.protoctx;\
1010 \
1011  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1012  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1013  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1014  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1015  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1016  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1017  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1018  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1019  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1020  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1021  FAIL_IF(ssn->data_first_seen_dir != 0);\
1022 \
1023  /* handshake */\
1024  p->tcph->th_ack = htonl(1);\
1025  p->tcph->th_flags = TH_SYN | TH_ACK;\
1026  p->flowflags = FLOW_PKT_TOCLIENT;\
1027  p->payload_len = 0;\
1028  p->payload = NULL;\
1029  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1030  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1031  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1032  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1033  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1034  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1035  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1036  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1037  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1038  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1039  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1040  FAIL_IF(ssn->data_first_seen_dir != 0);\
1041 \
1042  /* handshake */\
1043  p->tcph->th_ack = htonl(1);\
1044  p->tcph->th_seq = htonl(1);\
1045  p->tcph->th_flags = TH_ACK;\
1046  p->flowflags = FLOW_PKT_TOSERVER;\
1047  p->payload_len = 0;\
1048  p->payload = NULL;\
1049  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1050  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1051  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1052  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1053  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1054  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1055  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1056  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1057  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1058  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1059  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1060  FAIL_IF(ssn->data_first_seen_dir != 0);
1061 #define TEST_END \
1062  StreamTcpSessionClear(p->flow->protoctx);\
1063  StreamTcpThreadDeinit(&tv, (void *)stt); \
1064  StreamTcpFreeConfig(TRUE);\
1065  PACKET_DESTRUCTOR(p);\
1066  SCFree(p);\
1067  FLOW_DESTROY(&f); \
1068  StatsThreadCleanup(&tv);
1069 
1070 /**
1071  * \test GET -> HTTP/1.1
1072  */
1073 static int AppLayerTest01(void)
1074 {
1075  TEST_START;
1076 
1077  /* full request */
1078  uint8_t request[] = {
1079  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1080  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1081  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1082  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1083  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1084  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1085  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1086  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1087  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1088  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1089  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1090  p->tcph->th_ack = htonl(1);
1091  p->tcph->th_seq = htonl(1);
1092  p->tcph->th_flags = TH_PUSH | TH_ACK;
1093  p->flowflags = FLOW_PKT_TOSERVER;
1094  p->payload_len = sizeof(request);
1095  p->payload = request;
1096  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1097  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1098  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1099  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1100  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1101  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1102  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1103  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1104  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1105  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1106  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1107  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1108 
1109  /* full response - request ack */
1110  uint8_t response[] = {
1111  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1112  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1113  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1114  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1115  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1116  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1117  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1118  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1119  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1120  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1121  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1122  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1123  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1124  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1125  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1126  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1127  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1128  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1129  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1130  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1131  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1132  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1133  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1134  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1135  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1136  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1137  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1138  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1139  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1140  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1141  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1142  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1143  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1144  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1145  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1146  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1147  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1148  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1149  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1150  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1151  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1152  p->tcph->th_ack = htonl(88);
1153  p->tcph->th_seq = htonl(1);
1154  p->tcph->th_flags = TH_PUSH | TH_ACK;
1155  p->flowflags = FLOW_PKT_TOCLIENT;
1156  p->payload_len = sizeof(response);
1157  p->payload = response;
1158  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1159  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1160  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1161  FAIL_IF(f.alproto != ALPROTO_HTTP);
1162  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1163  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1164  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1165  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1166  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1167  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1168  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1169  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1170 
1171  /* response ack */
1172  p->tcph->th_ack = htonl(328);
1173  p->tcph->th_seq = htonl(88);
1174  p->tcph->th_flags = TH_ACK;
1175  p->flowflags = FLOW_PKT_TOSERVER;
1176  p->payload_len = 0;
1177  p->payload = NULL;
1178  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1179  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1180  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1181  FAIL_IF(f.alproto != ALPROTO_HTTP);
1182  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1183  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1184  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1185  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1186  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1187  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1188  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1189  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1190 
1191  TEST_END;
1192  PASS;
1193 }
1194 
1195 /**
1196  * \test GE -> T -> HTTP/1.1
1197  */
1198 static int AppLayerTest02(void)
1199 {
1200  TEST_START;
1201 
1202  /* partial request */
1203  uint8_t request1[] = { 0x47, 0x45, };
1204  p->tcph->th_ack = htonl(1);
1205  p->tcph->th_seq = htonl(1);
1206  p->tcph->th_flags = TH_PUSH | TH_ACK;
1207  p->flowflags = FLOW_PKT_TOSERVER;
1208  p->payload_len = sizeof(request1);
1209  p->payload = request1;
1210  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1211  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1212  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1213  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1214  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1215  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1216  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1217  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1218  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1219  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1220  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1221  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1222 
1223  /* response ack against partial request */
1224  p->tcph->th_ack = htonl(3);
1225  p->tcph->th_seq = htonl(1);
1226  p->tcph->th_flags = TH_ACK;
1227  p->flowflags = FLOW_PKT_TOCLIENT;
1228  p->payload_len = 0;
1229  p->payload = NULL;
1230  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1231  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1232  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1233  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1234  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1235  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1236  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1237  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1238  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1239  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1240  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1241  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1242 
1243  /* complete partial request */
1244  uint8_t request2[] = {
1245  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1246  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1247  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1248  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1249  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1250  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1251  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1252  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1253  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1254  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1255  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1256  p->tcph->th_ack = htonl(1);
1257  p->tcph->th_seq = htonl(3);
1258  p->tcph->th_flags = TH_PUSH | TH_ACK;
1259  p->flowflags = FLOW_PKT_TOSERVER;
1260  p->payload_len = sizeof(request2);
1261  p->payload = request2;
1262  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1263  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1264  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1265  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1266  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1267  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1268  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1269  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1270  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1271  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1272  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1273  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1274 
1275  /* response - request ack */
1276  uint8_t response[] = {
1277  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1278  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1279  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1280  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1281  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1282  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1283  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1284  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1285  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1286  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1287  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1288  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1289  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1290  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1291  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1292  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1293  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1294  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1295  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1296  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1297  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1298  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1299  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1300  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1301  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1302  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1303  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1304  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1305  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1306  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1307  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1308  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1309  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1310  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1311  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1312  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1313  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1314  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1315  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1316  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1317  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1318  p->tcph->th_ack = htonl(88);
1319  p->tcph->th_seq = htonl(1);
1320  p->tcph->th_flags = TH_PUSH | TH_ACK;
1321  p->flowflags = FLOW_PKT_TOCLIENT;
1322  p->payload_len = sizeof(response);
1323  p->payload = response;
1324  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1325  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1326  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1327  FAIL_IF(f.alproto != ALPROTO_HTTP);
1328  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1329  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1330  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1331  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1332  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1333  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1334  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1335  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1336 
1337  /* response ack */
1338  p->tcph->th_ack = htonl(328);
1339  p->tcph->th_seq = htonl(88);
1340  p->tcph->th_flags = TH_ACK;
1341  p->flowflags = FLOW_PKT_TOSERVER;
1342  p->payload_len = 0;
1343  p->payload = NULL;
1344  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1345  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1346  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1347  FAIL_IF(f.alproto != ALPROTO_HTTP);
1348  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1349  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1350  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1351  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1352  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1353  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1354  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1355  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1356 
1357  TEST_END;
1358  PASS;
1359 }
1360 
1361 /**
1362  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1363  */
1364 static int AppLayerTest03(void)
1365 {
1366  TEST_START;
1367 
1368  /* request */
1369  uint8_t request[] = {
1370  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1371  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1372  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1373  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1374  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1375  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1376  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1377  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1378  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1379  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1380  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1381  p->tcph->th_ack = htonl(1);
1382  p->tcph->th_seq = htonl(1);
1383  p->tcph->th_flags = TH_PUSH | TH_ACK;
1384  p->flowflags = FLOW_PKT_TOSERVER;
1385  p->payload_len = sizeof(request);
1386  p->payload = request;
1387  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1388  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1389  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1390  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1391  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1392  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1393  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1394  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1395  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1396  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1397  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1398  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1399 
1400  /* rubbish response */
1401  uint8_t response[] = {
1402  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1403  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1404  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1405  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1406  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1407  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1408  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1409  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1410  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1411  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1412  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1413  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1414  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1415  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1416  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1417  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1418  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1419  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1420  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1421  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1422  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1423  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1424  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1425  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1426  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1427  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1428  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1429  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1430  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1431  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1432  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1433  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1434  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1435  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1436  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1437  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1438  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1439  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1440  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1441  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1442  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1443  p->tcph->th_ack = htonl(88);
1444  p->tcph->th_seq = htonl(1);
1445  p->tcph->th_flags = TH_PUSH | TH_ACK;
1446  p->flowflags = FLOW_PKT_TOCLIENT;
1447  p->payload_len = sizeof(response);
1448  p->payload = response;
1449  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1450  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1451  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1452  FAIL_IF(f.alproto != ALPROTO_HTTP);
1453  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1454  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1455  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1456  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1457  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1458  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1459  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1460  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1461 
1462  /* response ack */
1463  p->tcph->th_ack = htonl(328);
1464  p->tcph->th_seq = htonl(88);
1465  p->tcph->th_flags = TH_ACK;
1466  p->flowflags = FLOW_PKT_TOSERVER;
1467  p->payload_len = 0;
1468  p->payload = NULL;
1469  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1470  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1471  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1472  FAIL_IF(f.alproto != ALPROTO_HTTP);
1473  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1474  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1475  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1476  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1477  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1478  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1479  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1480  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1481 
1482  TEST_END;
1483  PASS;
1484 }
1485 
1486 /**
1487  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1488  */
1489 static int AppLayerTest04(void)
1490 {
1491  TEST_START;
1492 
1493  /* request */
1494  uint8_t request[] = {
1495  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1496  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1497  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1498  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1499  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1500  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1501  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1502  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1503  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1504  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1505  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1506  PrintRawDataFp(stdout, request, sizeof(request));
1507  p->tcph->th_ack = htonl(1);
1508  p->tcph->th_seq = htonl(1);
1509  p->tcph->th_flags = TH_PUSH | TH_ACK;
1510  p->flowflags = FLOW_PKT_TOSERVER;
1511  p->payload_len = sizeof(request);
1512  p->payload = request;
1513  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1514  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1515  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1516  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1517  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1518  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1519  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1520  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1521  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1522  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1523  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1524  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1525 
1526  /* partial response */
1527  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1528  PrintRawDataFp(stdout, response1, sizeof(response1));
1529  p->tcph->th_ack = htonl(88);
1530  p->tcph->th_seq = htonl(1);
1531  p->tcph->th_flags = TH_PUSH | TH_ACK;
1532  p->flowflags = FLOW_PKT_TOCLIENT;
1533  p->payload_len = sizeof(response1);
1534  p->payload = response1;
1535  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1536  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1537  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1538  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1539  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1540  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1541  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1542  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1543  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1544  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1545  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1546  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1547 
1548  /* partial response ack */
1549  p->tcph->th_ack = htonl(5);
1550  p->tcph->th_seq = htonl(88);
1551  p->tcph->th_flags = TH_ACK;
1552  p->flowflags = FLOW_PKT_TOSERVER;
1553  p->payload_len = 0;
1554  p->payload = NULL;
1555  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1556  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1557  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1558  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1559  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1560  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1561  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1562  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1563  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1564  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1565  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1566  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1567 
1568  /* remaining response */
1569  uint8_t response2[] = {
1570  0x2f, 0x31, 0x2e, 0x31,
1571  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1572  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1573  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1574  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1575  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1576  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1577  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1578  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1579  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1580  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1581  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1582  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1583  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1584  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1585  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1586  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1587  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1588  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1589  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1590  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1591  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1592  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1593  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1594  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1595  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1596  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1597  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1598  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1599  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1600  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1601  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1602  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1603  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1604  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1605  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1606  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1607  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1608  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1609  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1610  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1611  PrintRawDataFp(stdout, response2, sizeof(response2));
1612  p->tcph->th_ack = htonl(88);
1613  p->tcph->th_seq = htonl(5);
1614  p->tcph->th_flags = TH_PUSH | TH_ACK;
1615  p->flowflags = FLOW_PKT_TOCLIENT;
1616  p->payload_len = sizeof(response2);
1617  p->payload = response2;
1618  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1619  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1620  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1621  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1622  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1623  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1624  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1625  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1626  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1627  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1628  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1629  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1630 
1631  /* response ack */
1632  p->tcph->th_ack = htonl(328);
1633  p->tcph->th_seq = htonl(88);
1634  p->tcph->th_flags = TH_ACK;
1635  p->flowflags = FLOW_PKT_TOSERVER;
1636  p->payload_len = 0;
1637  p->payload = NULL;
1638  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1639  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1640  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1641  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1642  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1643  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1644  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1645  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1646  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1647  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1648  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1649  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1650 
1651  TEST_END;
1652  PASS;
1653 }
1654 
1655 /**
1656  * \test RUBBISH -> HTTP/1.1
1657  */
1658 static int AppLayerTest05(void)
1659 {
1660  TEST_START;
1661 
1662  /* full request */
1663  uint8_t request[] = {
1664  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1665  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1666  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1667  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1668  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1669  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1670  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1671  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1672  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1673  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1674  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1675  PrintRawDataFp(stdout, request, sizeof(request));
1676  p->tcph->th_ack = htonl(1);
1677  p->tcph->th_seq = htonl(1);
1678  p->tcph->th_flags = TH_PUSH | TH_ACK;
1679  p->flowflags = FLOW_PKT_TOSERVER;
1680  p->payload_len = sizeof(request);
1681  p->payload = request;
1682  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1683  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1684  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1685  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1686  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1687  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1688  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1689  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1690  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1691  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1692  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1693  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1694 
1695  /* full response - request ack */
1696  uint8_t response[] = {
1697  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1698  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1699  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1700  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1701  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1702  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1703  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1704  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1705  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1706  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1707  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1708  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1709  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1710  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1711  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1712  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1713  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1714  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1715  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1716  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1717  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1718  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1719  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1720  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1721  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1722  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1723  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1724  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1725  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1726  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1727  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1728  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1729  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1730  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1731  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1732  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1733  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1734  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1735  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1736  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1737  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1738  PrintRawDataFp(stdout, response, sizeof(response));
1739  p->tcph->th_ack = htonl(88);
1740  p->tcph->th_seq = htonl(1);
1741  p->tcph->th_flags = TH_PUSH | TH_ACK;
1742  p->flowflags = FLOW_PKT_TOCLIENT;
1743  p->payload_len = sizeof(response);
1744  p->payload = response;
1745  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1746  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1747  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1748  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1749  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1750  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1751  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1752  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1753  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1754  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1755  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1756  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1757 
1758  /* response ack */
1759  p->tcph->th_ack = htonl(328);
1760  p->tcph->th_seq = htonl(88);
1761  p->tcph->th_flags = TH_ACK;
1762  p->flowflags = FLOW_PKT_TOSERVER;
1763  p->payload_len = 0;
1764  p->payload = NULL;
1765  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1766  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1767  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1768  FAIL_IF(f.alproto != ALPROTO_HTTP);
1769  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1770  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1771  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1772  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1773  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1774  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1775  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1776  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1777 
1778  TEST_END;
1779  PASS;
1780 }
1781 
1782 /**
1783  * \test HTTP/1.1 -> GET
1784  */
1785 static int AppLayerTest06(void)
1786 {
1787  TEST_START;
1788 
1789  /* full response - request ack */
1790  uint8_t response[] = {
1791  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1792  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1793  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1794  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1795  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1796  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1797  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1798  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1799  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1800  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1801  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1802  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1803  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1804  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1805  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1806  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1807  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1808  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1809  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1810  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1811  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1812  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1813  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1814  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1815  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1816  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1817  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1818  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1819  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1820  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1821  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1822  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1823  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1824  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1825  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1826  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1827  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1828  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1829  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1830  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1831  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1832  p->tcph->th_ack = htonl(1);
1833  p->tcph->th_seq = htonl(1);
1834  p->tcph->th_flags = TH_PUSH | TH_ACK;
1835  p->flowflags = FLOW_PKT_TOCLIENT;
1836  p->payload_len = sizeof(response);
1837  p->payload = response;
1838  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1839  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1840  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1841  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1842  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1843  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1844  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1845  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1846  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1847  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1848  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1849  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1850 
1851  /* full request - response ack*/
1852  uint8_t request[] = {
1853  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1854  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1855  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1856  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1857  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1858  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1859  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1860  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1861  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1862  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1863  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1864  p->tcph->th_ack = htonl(328);
1865  p->tcph->th_seq = htonl(1);
1866  p->tcph->th_flags = TH_PUSH | TH_ACK;
1867  p->flowflags = FLOW_PKT_TOSERVER;
1868  p->payload_len = sizeof(request);
1869  p->payload = request;
1870  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1871  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1872  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1873  FAIL_IF(f.alproto != ALPROTO_HTTP);
1874  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1875  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1876  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1877  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1878  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1879  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1880  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1881  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1882 
1883  p->tcph->th_ack = htonl(1 + sizeof(request));
1884  p->tcph->th_seq = htonl(328);
1885  p->tcph->th_flags = TH_PUSH | TH_ACK;
1886  p->flowflags = FLOW_PKT_TOCLIENT;
1887  p->payload_len = 0;
1888  p->payload = NULL;
1889  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1890  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1891  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1892  FAIL_IF(f.alproto != ALPROTO_HTTP);
1893  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1894  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1895  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1896  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1897  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1898  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1899  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1900  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1901 
1902  TEST_END;
1903  PASS;
1904 }
1905 
1906 /**
1907  * \test GET -> DCERPC
1908  */
1909 static int AppLayerTest07(void)
1910 {
1911  TEST_START;
1912 
1913  /* full request */
1914  uint8_t request[] = {
1915  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1916  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1917  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1918  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1919  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1920  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1921  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1922  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1923  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1924  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1925  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1926  p->tcph->th_ack = htonl(1);
1927  p->tcph->th_seq = htonl(1);
1928  p->tcph->th_flags = TH_PUSH | TH_ACK;
1929  p->flowflags = FLOW_PKT_TOSERVER;
1930  p->payload_len = sizeof(request);
1931  p->payload = request;
1932  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1933  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1934  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1935  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1936  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1937  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1938  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1939  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1940  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1941  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1942  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1943  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1944 
1945  /* full response - request ack */
1946  uint8_t response[] = {
1947  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1948  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1949  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1950  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1951  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1952  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1953  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1954  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1955  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1956  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1957  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1958  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1959  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1960  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1961  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1962  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1963  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1964  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1965  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1966  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1967  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1968  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1969  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1970  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1971  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1972  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1973  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1974  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1975  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1976  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1977  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1978  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1979  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1980  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1981  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1982  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1983  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1984  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1985  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1986  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1987  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1988  p->tcph->th_ack = htonl(88);
1989  p->tcph->th_seq = htonl(1);
1990  p->tcph->th_flags = TH_PUSH | TH_ACK;
1991  p->flowflags = FLOW_PKT_TOCLIENT;
1992  p->payload_len = sizeof(response);
1993  p->payload = response;
1994  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1995  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1996  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1997  FAIL_IF(f.alproto != ALPROTO_HTTP);
1998  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1999  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2000  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2001  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2002  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2003  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2004  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2005  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2006 
2007  /* response ack */
2008  p->tcph->th_ack = htonl(328);
2009  p->tcph->th_seq = htonl(88);
2010  p->tcph->th_flags = TH_ACK;
2011  p->flowflags = FLOW_PKT_TOSERVER;
2012  p->payload_len = 0;
2013  p->payload = NULL;
2014  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2015  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2016  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2017  FAIL_IF(f.alproto != ALPROTO_HTTP);
2018  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
2019  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2020  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2021  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2022  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2023  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2024  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2025  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2026 
2027  TEST_END;
2028  PASS;
2029 }
2030 
2031 /**
2032  * \test SMB -> HTTP/1.1
2033  */
2034 static int AppLayerTest08(void)
2035 {
2036  TEST_START;
2037 
2038  /* full request */
2039  uint8_t request[] = {
2040  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2041  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2042  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2043  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2044  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2045  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2046  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2047  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2048  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2049  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2050  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2051  p->tcph->th_ack = htonl(1);
2052  p->tcph->th_seq = htonl(1);
2053  p->tcph->th_flags = TH_PUSH | TH_ACK;
2054  p->flowflags = FLOW_PKT_TOSERVER;
2055  p->payload_len = sizeof(request);
2056  p->payload = request;
2057  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2058  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2059  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2060  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2061  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2062  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2063  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2064  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2065  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2066  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2067  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2068  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2069 
2070  /* full response - request ack */
2071  uint8_t response[] = {
2072  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2073  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2074  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2075  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2076  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2077  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2078  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2079  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2080  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2081  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2082  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2083  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2084  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2085  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2086  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2087  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2088  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2089  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2090  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2091  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2092  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2093  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2094  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2095  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2096  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2097  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2098  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2099  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2100  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2101  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2102  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2103  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2104  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2105  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2106  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2107  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2108  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2109  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2110  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2111  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2112  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2113  p->tcph->th_ack = htonl(88);
2114  p->tcph->th_seq = htonl(1);
2115  p->tcph->th_flags = TH_PUSH | TH_ACK;
2116  p->flowflags = FLOW_PKT_TOCLIENT;
2117  p->payload_len = sizeof(response);
2118  p->payload = response;
2119  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2120  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2121  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2122  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2123  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2124  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2125  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2126  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2127  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2128  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2129  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2130  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2131 
2132  /* response ack */
2133  p->tcph->th_ack = htonl(328);
2134  p->tcph->th_seq = htonl(88);
2135  p->tcph->th_flags = TH_ACK;
2136  p->flowflags = FLOW_PKT_TOSERVER;
2137  p->payload_len = 0;
2138  p->payload = NULL;
2139  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2140  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2141  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2142  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2143  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2144  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2145  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2146  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2147  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2148  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2149  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2150  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2151 
2152  TEST_END;
2153  PASS;
2154 }
2155 
2156 /**
2157  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2158  * RUBBISH(TC - PM and PP DONE) ->
2159  * RUBBISH(TS - PM and PP DONE)
2160  */
2161 static int AppLayerTest09(void)
2162 {
2163  TEST_START;
2164 
2165  /* full request */
2166  uint8_t request1[] = {
2167  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2168  p->tcph->th_ack = htonl(1);
2169  p->tcph->th_seq = htonl(1);
2170  p->tcph->th_flags = TH_PUSH | TH_ACK;
2171  p->flowflags = FLOW_PKT_TOSERVER;
2172  p->payload_len = sizeof(request1);
2173  p->payload = request1;
2174  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2175  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2176  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2177  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2178  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2179  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2180  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2181  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2182  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2183  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2184  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2185  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2186 
2187  /* response - request ack */
2188  p->tcph->th_ack = htonl(9);
2189  p->tcph->th_seq = htonl(1);
2190  p->tcph->th_flags = TH_PUSH | TH_ACK;
2191  p->flowflags = FLOW_PKT_TOCLIENT;
2192  p->payload_len = 0;
2193  p->payload = NULL;
2194  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2195  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2196  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2197  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2198  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2199  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2200  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2201  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2202  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2203  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2204  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2205  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2206 
2207  /* full request */
2208  uint8_t request2[] = {
2209  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2210  p->tcph->th_ack = htonl(1);
2211  p->tcph->th_seq = htonl(9);
2212  p->tcph->th_flags = TH_PUSH | TH_ACK;
2213  p->flowflags = FLOW_PKT_TOSERVER;
2214  p->payload_len = sizeof(request2);
2215  p->payload = request2;
2216  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2217  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2218  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2219  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2220  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2221  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2222  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2223  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2224  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2225  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2226  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2227  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2228 
2229  /* full response - request ack */
2230  uint8_t response[] = {
2231  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2232  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2233  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2234  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2235  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2236  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2237  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2238  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2239  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2240  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2241  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2242  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2243  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2244  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2245  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2246  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2247  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2248  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2249  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2250  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2251  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2252  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2253  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2254  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2255  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2256  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2257  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2258  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2259  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2260  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2261  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2262  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2263  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2264  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2265  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2266  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2267  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2268  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2269  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2270  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2271  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2272  p->tcph->th_ack = htonl(18);
2273  p->tcph->th_seq = htonl(1);
2274  p->tcph->th_flags = TH_PUSH | TH_ACK;
2275  p->flowflags = FLOW_PKT_TOCLIENT;
2276  p->payload_len = sizeof(response);
2277  p->payload = response;
2278  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2279  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2280  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2281  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2282  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2283  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2284  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2285  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2286  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2287  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2288  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2289  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2290 
2291  /* response ack */
2292  p->tcph->th_ack = htonl(328);
2293  p->tcph->th_seq = htonl(18);
2294  p->tcph->th_flags = TH_ACK;
2295  p->flowflags = FLOW_PKT_TOSERVER;
2296  p->payload_len = 0;
2297  p->payload = NULL;
2298  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2299  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2300  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2301  FAIL_IF(f.alproto != ALPROTO_FAILED);
2302  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2303  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2304  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2305  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2306  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2307  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2308  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2309  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2310 
2311  TEST_END;
2312  PASS;
2313 }
2314 
2315 /**
2316  * \test RUBBISH(TC - PM and PP DONE) ->
2317  * RUBBISH(TS - PM and PP DONE)
2318  */
2319 static int AppLayerTest10(void)
2320 {
2321  TEST_START;
2322 
2323  /* full request */
2324  uint8_t request1[] = {
2325  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2326  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2327  p->tcph->th_ack = htonl(1);
2328  p->tcph->th_seq = htonl(1);
2329  p->tcph->th_flags = TH_PUSH | TH_ACK;
2330  p->flowflags = FLOW_PKT_TOSERVER;
2331  p->payload_len = sizeof(request1);
2332  p->payload = request1;
2333  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2334  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2335  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2336  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2337  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2338  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2339  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2340  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2341  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2342  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2343  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2344  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2345 
2346  /* response - request ack */
2347  p->tcph->th_ack = htonl(18);
2348  p->tcph->th_seq = htonl(1);
2349  p->tcph->th_flags = TH_PUSH | TH_ACK;
2350  p->flowflags = FLOW_PKT_TOCLIENT;
2351  p->payload_len = 0;
2352  p->payload = NULL;
2353  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2354  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2355  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2356  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2357  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2358  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2359  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2360  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2361  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2362  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2363  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2364  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2365 
2366  /* full response - request ack */
2367  uint8_t response[] = {
2368  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2369  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2370  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2371  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2372  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2373  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2374  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2375  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2376  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2377  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2378  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2379  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2380  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2381  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2382  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2383  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2384  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2385  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2386  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2387  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2388  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2389  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2390  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2391  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2392  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2393  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2394  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2395  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2396  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2397  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2398  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2399  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2400  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2401  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2402  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2403  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2404  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2405  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2406  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2407  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2408  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2409  p->tcph->th_ack = htonl(18);
2410  p->tcph->th_seq = htonl(1);
2411  p->tcph->th_flags = TH_PUSH | TH_ACK;
2412  p->flowflags = FLOW_PKT_TOCLIENT;
2413  p->payload_len = sizeof(response);
2414  p->payload = response;
2415  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2416  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2417  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2418  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2419  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2420  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2421  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2422  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2423  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2424  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2425  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2426  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2427 
2428  /* response ack */
2429  p->tcph->th_ack = htonl(328);
2430  p->tcph->th_seq = htonl(18);
2431  p->tcph->th_flags = TH_ACK;
2432  p->flowflags = FLOW_PKT_TOSERVER;
2433  p->payload_len = 0;
2434  p->payload = NULL;
2435  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2436  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2437  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2438  FAIL_IF(f.alproto != ALPROTO_FAILED);
2439  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2440  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2441  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2442  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2443  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2444  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2445  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2446  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2447 
2448  TEST_END;
2449  PASS;
2450 }
2451 
2452 /**
2453  * \test RUBBISH(TC - PM and PP DONE) ->
2454  * RUBBISH(TS - PM and PP NOT DONE) ->
2455  * RUBBISH(TS - PM and PP DONE)
2456  */
2457 static int AppLayerTest11(void)
2458 {
2459  TEST_START;
2460 
2461  /* full request */
2462  uint8_t request1[] = {
2463  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2464  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2465  p->tcph->th_ack = htonl(1);
2466  p->tcph->th_seq = htonl(1);
2467  p->tcph->th_flags = TH_PUSH | TH_ACK;
2468  p->flowflags = FLOW_PKT_TOSERVER;
2469  p->payload_len = sizeof(request1);
2470  p->payload = request1;
2471  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2472  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2473  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2474  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2475  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2476  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2477  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2478  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2479  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2480  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2481  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2482  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2483 
2484  /* response - request ack */
2485  p->tcph->th_ack = htonl(18);
2486  p->tcph->th_seq = htonl(1);
2487  p->tcph->th_flags = TH_PUSH | TH_ACK;
2488  p->flowflags = FLOW_PKT_TOCLIENT;
2489  p->payload_len = 0;
2490  p->payload = NULL;
2491  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2492  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2493  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2494  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2495  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2496  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2497  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2498  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2499  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2500  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2501  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2502  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2503 
2504  /* full response - request ack */
2505  uint8_t response1[] = {
2506  0x55, 0x74, 0x54, 0x50, };
2507  p->tcph->th_ack = htonl(18);
2508  p->tcph->th_seq = htonl(1);
2509  p->tcph->th_flags = TH_PUSH | TH_ACK;
2510  p->flowflags = FLOW_PKT_TOCLIENT;
2511  p->payload_len = sizeof(response1);
2512  p->payload = response1;
2513  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2514  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2515  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2516  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2517  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2518  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2519  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2520  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2521  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2522  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2523  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2524  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2525 
2526  /* response ack from request */
2527  p->tcph->th_ack = htonl(5);
2528  p->tcph->th_seq = htonl(18);
2529  p->tcph->th_flags = TH_ACK;
2530  p->flowflags = FLOW_PKT_TOSERVER;
2531  p->payload_len = 0;
2532  p->payload = NULL;
2533  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2534  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2535  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2536  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2537  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2538  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2539  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2540  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2541  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2542  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2543  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2544  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2545 
2546  uint8_t response2[] = {
2547  0x2f, 0x31, 0x2e, 0x31,
2548  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2549  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2550  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2551  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2552  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2553  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2554  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2555  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2556  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2557  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2558  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2559  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2560  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2561  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2562  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2563  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2564  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2565  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2566  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2567  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2568  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2569  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2570  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2571  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2572  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2573  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2574  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2575  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2576  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2577  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2578  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2579  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2580  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2581  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2582  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2583  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2584  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2585  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2586  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2587  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2588  p->tcph->th_ack = htonl(18);
2589  p->tcph->th_seq = htonl(5);
2590  p->tcph->th_flags = TH_PUSH | TH_ACK;
2591  p->flowflags = FLOW_PKT_TOCLIENT;
2592  p->payload_len = sizeof(response2);
2593  p->payload = response2;
2594  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2595  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2596  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2597  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2598  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2599  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2600  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2601  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2602  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2603  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2604  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2605  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2606 
2607  /* response ack from request */
2608  p->tcph->th_ack = htonl(328);
2609  p->tcph->th_seq = htonl(18);
2610  p->tcph->th_flags = TH_ACK;
2611  p->flowflags = FLOW_PKT_TOSERVER;
2612  p->payload_len = 0;
2613  p->payload = NULL;
2614  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2615  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2616  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2617  FAIL_IF(f.alproto != ALPROTO_FAILED);
2618  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2619  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2620  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2621  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2622  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2623  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2624  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2625  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2626 
2627  TEST_END;
2628  PASS;
2629 }
2630 
2631 void AppLayerUnittestsRegister(void)
2632 {
2633  SCEnter();
2634 
2635  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2636  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2637  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2638  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2639  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2640  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2641  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2642  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2643  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2644  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2645  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2646 
2647  SCReturn;
2648 }
2649 
2650 #endif /* UNITTESTS */
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:80
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:274
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:243
TcpStream_
Definition: stream-tcp-private.h:94
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerCounters_
Definition: app-layer.c:79
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:141
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1765
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:141
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:81
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:87
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:564
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1003
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:873
Flow_::proto
uint8_t proto
Definition: flow.h:361
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:71
Packet_::payload
uint8_t * payload
Definition: decode.h:543
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6259
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:446
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:343
Flow_::protomap
uint8_t protomap
Definition: flow.h:420
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1076
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:188
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:936
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:431
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:169
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:868
AppLayerCounterNames_
Definition: app-layer.c:74
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5854
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2631
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:783
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:890
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:66
Flow_::protoctx
void * protoctx
Definition: flow.h:416
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:76
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:544
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:570
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:769
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
STREAM_START
#define STREAM_START
Definition: stream.h:29
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:818
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1111
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:73
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:265
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1548
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:803
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1118
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:570
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:266
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:880
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:443
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:830
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4763
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:889
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1870
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TEST_START
#define TEST_START
Definition: app-layer.c:978
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:219
SCReturn
#define SCReturn
Definition: util-debug.h:302
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:273
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:411
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:698
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:175
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:434
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1171
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:336
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:275
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:525
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1796
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1112
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1419
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:305
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2068
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1955
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2046
str
#define str(s)
Definition: suricata-common.h:273
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:401
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:426
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6265
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:852
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:396
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:776
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:112
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:61
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:243
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:187
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1061
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2009
likely
#define likely(expr)
Definition: util-optimize.h:32
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:198
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:85
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:75
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:256
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1491
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:427
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1567
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:945
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:963
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2063
app-layer.h