suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-frames.h"
36 #include "stream-tcp-reassemble.h"
37 #include "stream-tcp-private.h"
38 #include "stream-tcp-inline.h"
39 #include "stream-tcp.h"
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-private.h"
43 #include "ippair.h"
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 #include "app-layer-htp-mem.h"
50 #include "util-exception-policy.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
56 struct AppLayerThreadCtx_ {
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
58  AppLayerProtoDetectThreadCtx *alpd_tctx;
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
60  AppLayerParserThreadCtx *alp_tctx;
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
66  AppProto alproto;
67  uint64_t proto_detect_ticks_start;
68  uint64_t proto_detect_ticks_end;
69  uint64_t proto_detect_ticks_spent;
70 #endif
71 };
72 
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74 
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
77  char name[MAX_COUNTER_SIZE];
78  char tx_name[MAX_COUNTER_SIZE];
79  char gap_error[MAX_COUNTER_SIZE];
80  char parser_error[MAX_COUNTER_SIZE];
81  char internal_error[MAX_COUNTER_SIZE];
82  char alloc_error[MAX_COUNTER_SIZE];
83 } AppLayerCounterNames;
84 
85 typedef struct AppLayerCounters_ {
86  uint16_t counter_id;
87  uint16_t counter_tx_id;
88  uint16_t gap_error_id;
89  uint16_t parser_error_id;
90  uint16_t internal_error_id;
91  uint16_t alloc_error_id;
92 } AppLayerCounters;
93 
94 /* counter names. Only used at init. */
95 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
96 /* counter id's. Used that runtime. */
97 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
98 
99 void AppLayerSetupCounters(void);
100 void AppLayerDeSetupCounters(void);
101 
102 /***** L7 layer dispatchers *****/
103 
104 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
105  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
106  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
107  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
108 }
109 
110 /**
111  * \note id can be 0 if protocol parser is disabled but detection
112  * is enabled.
113  */
114 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
115 {
116  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
117  if (likely(tv && id > 0)) {
118  StatsIncr(tv, id);
119  }
120 }
121 
122 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
123 {
124  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
125  if (likely(tv && id > 0)) {
126  StatsAddUI64(tv, id, step);
127  }
128 }
129 
130 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
131 {
132  const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id;
133  if (likely(tv && id > 0)) {
134  StatsIncr(tv, id);
135  }
136 }
137 
138 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
139 {
140  const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id;
141  if (likely(tv && id > 0)) {
142  StatsIncr(tv, id);
143  }
144 }
145 
146 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
147 {
148  const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id;
149  if (likely(tv && id > 0)) {
150  StatsIncr(tv, id);
151  }
152 }
153 
154 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
155 {
156  const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id;
157  if (likely(tv && id > 0)) {
158  StatsIncr(tv, id);
159  }
160 }
161 
162 /* in IDS mode protocol detection is done in reverse order:
163  * when TCP data is ack'd. We want to flag the correct packet,
164  * so in this case we set a flag in the flow so that the first
165  * packet in the correct direction can be tagged.
166  *
167  * For IPS we update packet and flow. */
168 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
169 {
170  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
171  if (flags & STREAM_TOSERVER) {
172  if (p->flowflags & FLOW_PKT_TOSERVER) {
173  p->flags |= PKT_PROTO_DETECT_TS_DONE;
174  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
175  } else {
176  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
177  }
178  } else {
179  if (p->flowflags & FLOW_PKT_TOCLIENT) {
180  p->flags |= PKT_PROTO_DETECT_TC_DONE;
181  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
182  } else {
183  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
184  }
185  }
186  } else {
187  if (flags & STREAM_TOSERVER) {
188  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
189  } else {
190  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
191  }
192  }
193 }
194 
195 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
196 {
197  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
198  f, f->alproto, f->alproto_ts, f->alproto_tc);
199  FlowCleanupAppLayer(f);
200  StreamTcpDisableAppLayer(f);
201  TcpSession *ssn = f->protoctx;
202  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
203  f->alproto = ALPROTO_FAILED;
204  AppLayerIncFlowCounter(tv, f);
205 
206  if (f->alproto_tc != ALPROTO_FAILED) {
207  if (f->alproto_tc == ALPROTO_UNKNOWN) {
208  f->alproto_tc = ALPROTO_FAILED;
209  }
210  FlagPacketFlow(p, f, STREAM_TOCLIENT);
211  }
212  if (f->alproto_ts != ALPROTO_FAILED) {
213  if (f->alproto_ts == ALPROTO_UNKNOWN) {
214  f->alproto_ts = ALPROTO_FAILED;
215  }
216  FlagPacketFlow(p, f, STREAM_TOSERVER);
217  }
218  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
219  f, f->alproto, f->alproto_ts, f->alproto_tc);
220 }
221 
222 /* See if we're going to have to give up:
223  *
224  * If we're getting a lot of data in one direction and the
225  * proto for this direction is unknown, proto detect will
226  * hold up segments in the segment list in the stream.
227  * They are held so that if we detect the protocol on the
228  * opposing stream, we can still parse this side of the stream
229  * as well. However, some sessions are very unbalanced. FTP
230  * data channels, large PUT/POST request and many others, can
231  * lead to cases where we would have to store many megabytes
232  * worth of segments before we see the opposing stream. This
233  * leads to risks of resource starvation.
234  *
235  * Here a cutoff point is enforced. If we've stored 100k in
236  * one direction and we've seen no data in the other direction,
237  * we give up.
238  *
239  * Giving up means we disable applayer an set an applayer event
240  */
241 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
242  Flow *f, TcpSession *ssn, Packet *p)
243 {
244  if (ssn->state < TCP_ESTABLISHED) {
245  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
246  return;
247  }
248 
249  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
250  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
251  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
252 
253  /* at least 100000 whatever the conditions
254  * and can be more if window is bigger and if configuration allows it */
255  const uint32_t size_tc_limit =
256  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
257  const uint32_t size_ts_limit =
258  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
259 
260  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
261  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
262  {
263  goto failure;
264 
265  /* we bail out whatever the pp and pm states if
266  * we received too much data */
267  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
268  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
269  goto failure;
270 
271  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
272  size_ts > size_ts_limit && size_tc == 0) {
273  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
274  APPLAYER_PROTO_DETECTION_SKIPPED);
275  goto failure;
276 
277  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
278  size_tc > size_tc_limit && size_ts == 0) {
279  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
280  APPLAYER_PROTO_DETECTION_SKIPPED);
281  goto failure;
282 
283  /* little data in ts direction, pp done, pm not done (max
284  * depth not reached), ts direction done, lots of data in
285  * tc direction. */
286  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
287  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
288  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
289  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
290  APPLAYER_PROTO_DETECTION_SKIPPED);
291  goto failure;
292 
293  /* little data in tc direction, pp done, pm not done (max
294  * depth not reached), tc direction done, lots of data in
295  * ts direction. */
296  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
297  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
298  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
299  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
300  APPLAYER_PROTO_DETECTION_SKIPPED);
301  goto failure;
302  }
303  return;
304 
305 failure:
306  DisableAppLayer(tv, f, p);
307  return;
308 }
309 
310 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
311  Packet *p, TcpSession *ssn, const TcpStream *stream)
312 {
313  TcpStream *opposing_stream = NULL;
314  if (stream == &ssn->client) {
315  opposing_stream = &ssn->server;
316  } else {
317  opposing_stream = &ssn->client;
318  }
319 
320  /* if the opposing side is not going to work, then
321  * we just have to give up. */
322  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
323  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
324  return -1;
325  }
326 
327  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
328  UPDATE_DIR_OPPOSING :
329  UPDATE_DIR_PACKET;
330  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
331  opposing_stream, p, dir);
332  return ret;
333 }
334 
335 extern enum ExceptionPolicy g_applayerparser_error_policy;
336 
337 /** \todo data const
338  * \retval int -1 error
339  * \retval int 0 ok
340  */
341 static int TCPProtoDetect(ThreadVars *tv,
342  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
343  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
344  uint8_t *data, uint32_t data_len, uint8_t flags)
345 {
346  AppProto *alproto;
347  AppProto *alproto_otherdir;
348  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
349 
350  if (flags & STREAM_TOSERVER) {
351  alproto = &f->alproto_ts;
352  alproto_otherdir = &f->alproto_tc;
353  } else {
354  alproto = &f->alproto_tc;
355  alproto_otherdir = &f->alproto_ts;
356  }
357 
358  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
359 #ifdef PRINT
360  if (data_len > 0) {
361  printf("=> Init Stream Data (app layer) -- start %s%s\n",
362  flags & STREAM_TOCLIENT ? "toclient" : "",
363  flags & STREAM_TOSERVER ? "toserver" : "");
364  PrintRawDataFp(stdout, data, data_len);
365  printf("=> Init Stream Data -- end\n");
366  }
367 #endif
368 
369  bool reverse_flow = false;
370  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
371  PACKET_PROFILING_APP_PD_START(app_tctx);
372  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
373  f, data, data_len,
374  IPPROTO_TCP, flags, &reverse_flow);
375  PACKET_PROFILING_APP_PD_END(app_tctx);
376  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
377 
378  if (*alproto != ALPROTO_UNKNOWN) {
379  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
380  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
381  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
382 
383  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
384  /* if we already invoked the parser, we go with that proto */
385  f->alproto = *alproto_otherdir;
386  } else {
387  /* no data sent to parser yet, we can still choose
388  * we're trusting the server more. */
389  if (flags & STREAM_TOCLIENT)
390  f->alproto = *alproto;
391  else
392  f->alproto = *alproto_otherdir;
393  }
394  } else {
395  f->alproto = *alproto;
396  }
397 
398  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
399  TcpSessionSetReassemblyDepth(ssn,
400  AppLayerParserGetStreamDepth(f));
401  FlagPacketFlow(p, f, flags);
402 
403  /* if protocol detection indicated that we need to reverse
404  * the direction of the flow, do it now. We flip the flow,
405  * packet and the direction flags */
406  if (reverse_flow &&
407  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
408  STREAMTCP_FLAG_MIDSTREAM)) {
409  /* but only if we didn't already detect it on the other side. */
410  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
411  SCLogDebug("reversing flow after proto detect told us so");
412  PacketSwap(p);
413  FlowSwap(f);
414  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
415  if (*stream == &ssn->client) {
416  *stream = &ssn->server;
417  } else {
418  *stream = &ssn->client;
419  }
420  direction = 1 - direction;
421  } else {
422  // TODO event, error?
423  }
424  }
425 
426  /* account flow if we have both sides */
427  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
428  AppLayerIncFlowCounter(tv, f);
429  }
430 
431  /* if we have seen data from the other direction first, send
432  * data for that direction first to the parser. This shouldn't
433  * be an issue, since each stream processing happens
434  * independently of the other stream direction. At this point of
435  * call, you need to know that this function's already being
436  * called by the very same StreamReassembly() function that we
437  * will now call shortly for the opposing direction. */
438  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
439  !(flags & ssn->data_first_seen_dir))
440  {
441  SCLogDebug("protocol %s needs first data in other direction",
442  AppProtoToString(*alproto));
443 
444  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
445  p, ssn, *stream) != 0)
446  {
447  goto detect_error;
448  }
449  if (FlowChangeProto(f)) {
450  /* We have the first data which requested a protocol change from P1 to P2
451  * even if it was not recognized at first as being P1
452  * As the second data was recognized as P1, the protocol did not change !
453  */
454  FlowUnsetChangeProtoFlag(f);
455  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
456  APPLAYER_UNEXPECTED_PROTOCOL);
457  }
458  }
459 
460  /* if the parser operates such that it needs to see data from
461  * a particular direction first, we check if we have seen
462  * data from that direction first for the flow. IF it is not
463  * the same, we set an event and exit.
464  *
465  * \todo We need to figure out a more robust solution for this,
466  * as this can lead to easy evasion tactics, where the
467  * attacker can first send some dummy data in the wrong
468  * direction first to mislead our proto detection process.
469  * While doing this we need to update the parsers as well,
470  * since the parsers must be robust to see such wrong
471  * direction data.
472  * Either ways the moment we see the
473  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
474  * flow, it shows something's fishy.
475  */
476  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
477  uint8_t first_data_dir;
478  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
479 
480  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
481  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
482  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
483  goto detect_error;
484  }
485  /* This can happen if the current direction is not the
486  * right direction, and the data from the other(also
487  * the right direction) direction is available to be sent
488  * to the app layer, but it is not ack'ed yet and hence
489  * the forced call to STreamTcpAppLayerReassemble still
490  * hasn't managed to send data from the other direction
491  * to the app layer. */
492  if (first_data_dir && !(first_data_dir & flags)) {
493  FlowCleanupAppLayer(f);
494  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
495  FLOW_RESET_PP_DONE(f, flags);
496  FLOW_RESET_PM_DONE(f, flags);
497  FLOW_RESET_PE_DONE(f, flags);
498  SCReturnInt(-1);
499  }
500  }
501 
502  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
503  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
504 
505  /* finally, invoke the parser */
506  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
507  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
508  flags, data, data_len);
509  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
510  p->flags |= PKT_APPLAYER_UPDATE;
511  if (r != 1) {
512  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
513  }
514  if (r < 0) {
515  goto parser_error;
516  }
517  } else {
518  /* if the ssn is midstream, we may end up with a case where the
519  * start of an HTTP request is missing. We won't detect HTTP based
520  * on the request. However, the reply is fine, so we detect
521  * HTTP anyway. This leads to passing the incomplete request to
522  * the htp parser.
523  *
524  * This has been observed, where the http parser then saw many
525  * bogus requests in the incomplete data.
526  *
527  * To counter this case, a midstream session MUST find it's
528  * protocol in the toserver direction. If not, we assume the
529  * start of the request/toserver is incomplete and no reliable
530  * detection and parsing is possible. So we give up.
531  */
532  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
533  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
534  {
535  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
536  SCLogDebug("midstream end pd %p", ssn);
537  /* midstream and toserver detection failed: give up */
538  DisableAppLayer(tv, f, p);
539  SCReturnInt(0);
540  }
541  }
542 
543  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
544  uint8_t first_data_dir;
545  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
546 
547  /* this would handle this test case -
548  * http parser which says it wants to see toserver data first only.
549  * tcp handshake
550  * toclient data first received. - RUBBISH DATA which
551  * we don't detect as http
552  * toserver data next sent - we detect this as http.
553  * at this stage we see that toclient is the first data seen
554  * for this session and we try and redetect the app protocol,
555  * but we are unable to detect the app protocol like before.
556  * But since we have managed to detect the protocol for the
557  * other direction as http, we try to use that. At this
558  * stage we check if the direction of this stream matches
559  * to that acceptable by the app parser. If it is not the
560  * acceptable direction we error out.
561  */
562  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
563  (first_data_dir) && !(first_data_dir & flags))
564  {
565  goto detect_error;
566  }
567 
568  /* if protocol detection is marked done for our direction we
569  * pass our data on. We're only succeeded in finding one
570  * direction: the opposing stream
571  *
572  * If PD was not yet complete, we don't do anything.
573  */
574  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
575  if (data_len > 0)
576  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
577 
578  if (*alproto_otherdir != ALPROTO_FAILED) {
579  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
580  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
581  f->alproto, flags,
582  data, data_len);
583  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
584  p->flags |= PKT_APPLAYER_UPDATE;
585  if (r != 1) {
586  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
587  }
588 
589  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
590  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
591  TcpSessionSetReassemblyDepth(ssn,
592  AppLayerParserGetStreamDepth(f));
593 
594  *alproto = *alproto_otherdir;
595  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
596  p->pcap_cnt, *alproto, *alproto_otherdir, r);
597  if (r < 0) {
598  goto parser_error;
599  }
600  }
601  *alproto = ALPROTO_FAILED;
602  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
603  AppLayerIncFlowCounter(tv, f);
604  FlagPacketFlow(p, f, flags);
605 
606  } else if (flags & STREAM_EOF) {
607  *alproto = f->alproto;
608  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
609  AppLayerIncFlowCounter(tv, f);
610  }
611  } else {
612  /* both sides unknown, let's see if we need to give up */
613  if (FlowChangeProto(f)) {
614  /* TCPProtoDetectCheckBailConditions does not work well because
615  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
616  * so, we set a lower limit to the data we inspect
617  * We could instead have set ssn->server.sb.stream_offset = 0;
618  */
619  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
620  DisableAppLayer(tv, f, p);
621  }
622  } else {
623  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
624  }
625  }
626  }
627  SCReturnInt(0);
628 parser_error:
629  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
630  SCReturnInt(-1);
631 detect_error:
632  DisableAppLayer(tv, f, p);
633  SCReturnInt(-2);
634 }
635 
636 /** \brief handle TCP data for the app-layer.
637  *
638  * First run protocol detection and then when the protocol is known invoke
639  * the app layer parser.
640  *
641  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
642  * reversed.
643  */
644 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
645  Packet *p, Flow *f,
646  TcpSession *ssn, TcpStream **stream,
647  uint8_t *data, uint32_t data_len,
648  uint8_t flags)
649 {
650  SCEnter();
651 
652  DEBUG_ASSERT_FLOW_LOCKED(f);
653  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
654 
655  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
656  AppProto alproto;
657  int r = 0;
658 
659  SCLogDebug("data_len %u flags %02X", data_len, flags);
660  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
661  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
662  goto end;
663  }
664 
665  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
666 
667  if (flags & STREAM_TOSERVER) {
668  alproto = f->alproto_ts;
669  } else {
670  alproto = f->alproto_tc;
671  }
672 
673  /* If a gap notification, relay the notification on to the
674  * app-layer if known. */
675  if (flags & STREAM_GAP) {
676  if (alproto == ALPROTO_UNKNOWN) {
677  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
678  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
679  /* if the other side didn't already find the proto, we're done */
680  if (f->alproto == ALPROTO_UNKNOWN) {
681  goto failure;
682  }
683  AppLayerIncFlowCounter(tv, f);
684  }
685  if (FlowChangeProto(f)) {
686  FlowUnsetChangeProtoFlag(f);
687  SCLogDebug("Cannot handle gap while changing protocol");
688  goto failure;
689  }
690  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
691  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
692  flags, data, data_len);
693  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
694  p->flags |= PKT_APPLAYER_UPDATE;
695  /* ignore parser result for gap */
696  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
697  if (r < 0) {
698  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
699  SCReturnInt(-1);
700  }
701  goto end;
702  }
703 
704  /* if we don't know the proto yet and we have received a stream
705  * initializer message, we run proto detection.
706  * We receive 2 stream init msgs (one for each direction), we
707  * only run the proto detection for both and emit an event
708  * in the case protocols mismatch. */
709  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
710  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
711  /* run protocol detection */
712  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
713  data, data_len, flags) != 0) {
714  goto failure;
715  }
716  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
717  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
718  void *alstate_orig = f->alstate;
719  AppLayerParserState *alparser = f->alparser;
720  // we delay AppLayerParserStateCleanup because we may need previous parser state
721  AppLayerProtoDetectReset(f);
722  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
723  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
724  /* rerun protocol detection */
725  int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
726  if (f->alproto == ALPROTO_UNKNOWN) {
727  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
728  // not enough data, revert AppLayerProtoDetectReset to rerun detection
729  f->alparser = alparser;
730  f->alproto = f->alproto_orig;
731  f->alproto_tc = f->alproto_orig;
732  f->alproto_ts = f->alproto_orig;
733  } else {
734  FlowUnsetChangeProtoFlag(f);
735  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
736  if (alstate_orig == f->alstate) {
737  // we just freed it
738  f->alstate = NULL;
739  }
740  }
741  if (rd != 0) {
742  SCLogDebug("proto detect failure");
743  goto failure;
744  }
745  SCLogDebug("protocol change, old %s, new %s",
746  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
747 
748  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
749  f->alproto != f->alproto_expect) {
750  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
751  APPLAYER_UNEXPECTED_PROTOCOL);
752 
753  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
754  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
755  APPLAYER_NO_TLS_AFTER_STARTTLS);
756 
757  }
758  }
759  } else {
760  SCLogDebug("stream data (len %" PRIu32 " alproto "
761  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
762 #ifdef PRINT
763  if (data_len > 0) {
764  printf("=> Stream Data (app layer) -- start %s%s\n",
765  flags & STREAM_TOCLIENT ? "toclient" : "",
766  flags & STREAM_TOSERVER ? "toserver" : "");
767  PrintRawDataFp(stdout, data, data_len);
768  printf("=> Stream Data -- end\n");
769  }
770 #endif
771  /* if we don't have a data object here we are not getting it
772  * a start msg should have gotten us one */
773  if (f->alproto != ALPROTO_UNKNOWN) {
774  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
775  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
776  flags, data, data_len);
777  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
778  p->flags |= PKT_APPLAYER_UPDATE;
779  if (r != 1) {
780  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
781  if (r < 0) {
782  ExceptionPolicyApply(
783  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
784  SCReturnInt(-1);
785  }
786  }
787  }
788  }
789 
790  goto end;
791  failure:
792  r = -1;
793  end:
794  SCReturnInt(r);
795 }
796 
797 /**
798  * \brief Handle a app layer UDP message
799  *
800  * If the protocol is yet unknown, the proto detection code is run first.
801  *
802  * \param dp_ctx Thread app layer detect context
803  * \param f *locked* flow
804  * \param p UDP packet
805  *
806  * \retval 0 ok
807  * \retval -1 error
808  */
809 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
810 {
811  SCEnter();
812  AppProto *alproto;
813  AppProto *alproto_otherdir;
814 
815  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
816  SCReturnInt(0);
817  }
818 
819  int r = 0;
820  uint8_t flags = 0;
821  if (p->flowflags & FLOW_PKT_TOSERVER) {
822  flags |= STREAM_TOSERVER;
823  alproto = &f->alproto_ts;
824  alproto_otherdir = &f->alproto_tc;
825  } else {
826  flags |= STREAM_TOCLIENT;
827  alproto = &f->alproto_tc;
828  alproto_otherdir = &f->alproto_ts;
829  }
830 
831  AppLayerProfilingReset(tctx);
832 
833  /* if the protocol is still unknown, run detection */
834  if (*alproto == ALPROTO_UNKNOWN) {
835  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
836  p->payload_len);
837 
838  bool reverse_flow = false;
839  PACKET_PROFILING_APP_PD_START(tctx);
840  *alproto = AppLayerProtoDetectGetProto(
841  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
842  PACKET_PROFILING_APP_PD_END(tctx);
843 
844  switch (*alproto) {
845  case ALPROTO_UNKNOWN:
846  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
847  // Use recognized side
848  f->alproto = *alproto_otherdir;
849  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
850  *alproto = *alproto_otherdir;
851  if (*alproto_otherdir == ALPROTO_FAILED) {
852  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
853  }
854  } else {
855  // First side of protocol is unknown
856  *alproto = ALPROTO_FAILED;
857  }
858  break;
859  case ALPROTO_FAILED:
860  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
861  // Use recognized side
862  f->alproto = *alproto_otherdir;
863  if (*alproto_otherdir == ALPROTO_FAILED) {
864  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
865  }
866  }
867  // else wait for second side of protocol
868  break;
869  default:
870  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
871  if (*alproto_otherdir != *alproto) {
872  AppLayerDecoderEventsSetEventRaw(
873  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
874  // data already sent to parser, we cannot change the protocol to use the one
875  // of the server
876  }
877  } else {
878  f->alproto = *alproto;
879  }
880  }
881  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
882  if (f->alproto == ALPROTO_UNKNOWN) {
883  // so as to increase stat about .app_layer.flow.failed_udp
884  f->alproto = ALPROTO_FAILED;
885  }
886  // If the other side is unknown, this is the first packet of the flow
887  AppLayerIncFlowCounter(tv, f);
888  }
889 
890  // parse the data if we recognized one protocol
891  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
892  if (reverse_flow) {
893  SCLogDebug("reversing flow after proto detect told us so");
894  PacketSwap(p);
895  FlowSwap(f);
896  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
897  }
898 
899  PACKET_PROFILING_APP_START(tctx, f->alproto);
900  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
901  flags, p->payload, p->payload_len);
902  PACKET_PROFILING_APP_END(tctx, f->alproto);
903  p->flags |= PKT_APPLAYER_UPDATE;
904  }
905  PACKET_PROFILING_APP_STORE(tctx, p);
906  /* we do only inspection in one direction, so flag both
907  * sides as done here */
908  FlagPacketFlow(p, f, STREAM_TOSERVER);
909  FlagPacketFlow(p, f, STREAM_TOCLIENT);
910  } else {
911  SCLogDebug("data (len %" PRIu32 " ), alproto "
912  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
913 
914  /* run the parser */
915  PACKET_PROFILING_APP_START(tctx, f->alproto);
916  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
917  flags, p->payload, p->payload_len);
918  PACKET_PROFILING_APP_END(tctx, f->alproto);
919  PACKET_PROFILING_APP_STORE(tctx, p);
920  p->flags |= PKT_APPLAYER_UPDATE;
921  }
922  if (r < 0) {
923  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
924  SCReturnInt(-1);
925  }
926 
927  SCReturnInt(r);
928 }
929 
930 /***** Utility *****/
931 
932 AppProto AppLayerGetProtoByName(char *alproto_name)
933 {
934  SCEnter();
935  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
936  SCReturnCT(r, "AppProto");
937 }
938 
939 const char *AppLayerGetProtoName(AppProto alproto)
940 {
941  SCEnter();
942  const char * r = AppLayerProtoDetectGetProtoName(alproto);
943  SCReturnCT(r, "char *");
944 }
945 
946 void AppLayerListSupportedProtocols(void)
947 {
948  SCEnter();
949 
950  AppProto alproto;
951  AppProto alprotos[ALPROTO_MAX];
952 
953  AppLayerProtoDetectSupportedAppProtocols(alprotos);
954 
955  printf("=========Supported App Layer Protocols=========\n");
956  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
957  if (alprotos[alproto] == 1)
958  printf("%s\n", AppLayerGetProtoName(alproto));
959  }
960 
961  SCReturn;
962 }
963 
964 /***** Setup/General Registration *****/
965 
966 int AppLayerSetup(void)
967 {
968  SCEnter();
969 
970  AppLayerProtoDetectSetup();
971  AppLayerParserSetup();
972 
973  AppLayerParserRegisterProtocolParsers();
974  AppLayerProtoDetectPrepareState();
975 
976  AppLayerSetupCounters();
977 
978  SCReturnInt(0);
979 }
980 
981 int AppLayerDeSetup(void)
982 {
983  SCEnter();
984 
985  AppLayerProtoDetectDeSetup();
986  AppLayerParserDeSetup();
987 
988  AppLayerDeSetupCounters();
989 
990  SCReturnInt(0);
991 }
992 
993 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
994 {
995  SCEnter();
996 
997  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
998  if (app_tctx == NULL)
999  goto error;
1000  memset(app_tctx, 0, sizeof(*app_tctx));
1001 
1002  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1003  goto error;
1004  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1005  goto error;
1006 
1007  goto done;
1008  error:
1009  AppLayerDestroyCtxThread(app_tctx);
1010  app_tctx = NULL;
1011  done:
1012  SCReturnPtr(app_tctx, "void *");
1013 }
1014 
1015 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1016 {
1017  SCEnter();
1018 
1019  if (app_tctx == NULL)
1020  SCReturn;
1021 
1022  if (app_tctx->alpd_tctx != NULL)
1023  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1024  if (app_tctx->alp_tctx != NULL)
1025  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1026  SCFree(app_tctx);
1027 
1028  SCReturn;
1029 }
1030 
1031 #ifdef PROFILING
1032 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1033 {
1034  PACKET_PROFILING_APP_RESET(app_tctx);
1035 }
1036 
1037 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1038 {
1039  PACKET_PROFILING_APP_STORE(app_tctx, p);
1040 }
1041 #endif
1042 
1043 /** \brief HACK to work around our broken unix manager (re)init loop
1044  */
1045 void AppLayerRegisterGlobalCounters(void)
1046 {
1047  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1048  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1049  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1050  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1051  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1052 }
1053 
1054 #define IPPROTOS_MAX 2
1055 void AppLayerSetupCounters(void)
1056 {
1057  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1058  AppProto alprotos[ALPROTO_MAX];
1059  const char *str = "app_layer.flow.";
1060  const char *estr = "app_layer.error.";
1061 
1062  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1063 
1064  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1065  const uint8_t ipproto = ipprotos[p];
1066  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1067  const uint8_t other_ipproto = ipproto == IPPROTO_TCP ? IPPROTO_UDP : IPPROTO_TCP;
1068  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1069 
1070  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1071  if (alprotos[alproto] == 1) {
1072  const char *tx_str = "app_layer.tx.";
1073  const char *alproto_str = AppLayerGetProtoName(alproto);
1074 
1075  if (AppLayerParserProtoIsRegistered(ipproto, alproto) &&
1076  AppLayerParserProtoIsRegistered(other_ipproto, alproto)) {
1077  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1078  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1079  "%s%s%s", str, alproto_str, ipproto_suffix);
1080  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1081  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1082  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
1083 
1084  if (ipproto == IPPROTO_TCP) {
1085  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1086  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1087  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1088  }
1089  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1090  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1091  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1092  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1093  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1094  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1095  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1096  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1097  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1098  } else {
1099  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1100  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1101  "%s%s", str, alproto_str);
1102  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1103  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1104  "%s%s", tx_str, alproto_str);
1105 
1106  if (ipproto == IPPROTO_TCP) {
1107  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1108  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1109  "%s%s.gap", estr, alproto_str);
1110  }
1111  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1112  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1113  "%s%s.alloc", estr, alproto_str);
1114  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1115  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1116  "%s%s.parser", estr, alproto_str);
1117  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1118  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1119  "%s%s.internal", estr, alproto_str);
1120  }
1121  } else if (alproto == ALPROTO_FAILED) {
1122  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1123  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1124  "%s%s%s", str, "failed", ipproto_suffix);
1125  if (ipproto == IPPROTO_TCP) {
1126  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1127  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1128  "%sfailed%s.gap", estr, ipproto_suffix);
1129  }
1130  }
1131  }
1132  }
1133 }
1134 
1135 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1136 {
1137  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1138  AppProto alprotos[ALPROTO_MAX];
1139  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1140 
1141  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1142  const uint8_t ipproto = ipprotos[p];
1143  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1144 
1145  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1146  if (alprotos[alproto] == 1) {
1147  applayer_counters[ipproto_map][alproto].counter_id =
1148  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1149 
1150  applayer_counters[ipproto_map][alproto].counter_tx_id =
1151  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
1152 
1153  if (ipproto == IPPROTO_TCP) {
1154  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1155  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1156  }
1157  applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter(
1158  applayer_counter_names[ipproto_map][alproto].alloc_error, tv);
1159  applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter(
1160  applayer_counter_names[ipproto_map][alproto].parser_error, tv);
1161  applayer_counters[ipproto_map][alproto].internal_error_id = StatsRegisterCounter(
1162  applayer_counter_names[ipproto_map][alproto].internal_error, tv);
1163  } else if (alproto == ALPROTO_FAILED) {
1164  applayer_counters[ipproto_map][alproto].counter_id =
1165  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1166 
1167  if (ipproto == IPPROTO_TCP) {
1168  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1169  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1170  }
1171  }
1172  }
1173  }
1174 }
1175 
1176 void AppLayerDeSetupCounters(void)
1177 {
1178  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1179  memset(applayer_counters, 0, sizeof(applayer_counters));
1180 }
1181 
1182 /***** Unittests *****/
1183 
1184 #ifdef UNITTESTS
1185 #include "pkt-var.h"
1186 #include "stream-tcp-util.h"
1187 #include "stream.h"
1188 #include "util-unittest.h"
1189 
1190 #define TEST_START \
1191  Packet *p = PacketGetFromAlloc(); \
1192  FAIL_IF_NULL(p); \
1193  Flow f; \
1194  ThreadVars tv; \
1195  StreamTcpThread *stt = NULL; \
1196  TCPHdr tcph; \
1197  PacketQueueNoLock pq; \
1198  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1199  memset(&f, 0, sizeof(Flow)); \
1200  memset(&tv, 0, sizeof(ThreadVars)); \
1201  memset(&tcph, 0, sizeof(TCPHdr)); \
1202  \
1203  FLOW_INITIALIZE(&f); \
1204  f.flags = FLOW_IPV4; \
1205  f.proto = IPPROTO_TCP; \
1206  p->flow = &f; \
1207  p->tcph = &tcph; \
1208  \
1209  StreamTcpInitConfig(true); \
1210  IPPairInitConfig(true); \
1211  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1212  \
1213  /* handshake */ \
1214  tcph.th_win = htons(5480); \
1215  tcph.th_flags = TH_SYN; \
1216  p->flowflags = FLOW_PKT_TOSERVER; \
1217  p->payload_len = 0; \
1218  p->payload = NULL; \
1219  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1220  TcpSession *ssn = (TcpSession *)f.protoctx; \
1221  \
1222  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1223  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1224  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1225  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1226  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1227  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1228  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1229  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1230  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1231  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1232  FAIL_IF(ssn->data_first_seen_dir != 0); \
1233  \
1234  /* handshake */ \
1235  p->tcph->th_ack = htonl(1); \
1236  p->tcph->th_flags = TH_SYN | TH_ACK; \
1237  p->flowflags = FLOW_PKT_TOCLIENT; \
1238  p->payload_len = 0; \
1239  p->payload = NULL; \
1240  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1241  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1242  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1243  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1244  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1245  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1246  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1247  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1248  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1249  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1250  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1251  FAIL_IF(ssn->data_first_seen_dir != 0); \
1252  \
1253  /* handshake */ \
1254  p->tcph->th_ack = htonl(1); \
1255  p->tcph->th_seq = htonl(1); \
1256  p->tcph->th_flags = TH_ACK; \
1257  p->flowflags = FLOW_PKT_TOSERVER; \
1258  p->payload_len = 0; \
1259  p->payload = NULL; \
1260  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1261  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1262  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1263  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1264  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1265  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1266  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1267  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1268  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1269  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1270  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1271  FAIL_IF(ssn->data_first_seen_dir != 0);
1272 #define TEST_END \
1273  StreamTcpSessionClear(p->flow->protoctx); \
1274  StreamTcpThreadDeinit(&tv, (void *)stt); \
1275  StreamTcpFreeConfig(true); \
1276  PacketFree(p); \
1277  FLOW_DESTROY(&f); \
1278  StatsThreadCleanup(&tv);
1279 
1280 /**
1281  * \test GET -> HTTP/1.1
1282  */
1283 static int AppLayerTest01(void)
1284 {
1285  TEST_START;
1286 
1287  /* full request */
1288  uint8_t request[] = {
1289  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1290  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1291  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1292  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1293  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1294  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1295  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1296  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1297  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1298  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1299  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1300  p->tcph->th_ack = htonl(1);
1301  p->tcph->th_seq = htonl(1);
1302  p->tcph->th_flags = TH_PUSH | TH_ACK;
1303  p->flowflags = FLOW_PKT_TOSERVER;
1304  p->payload_len = sizeof(request);
1305  p->payload = request;
1306  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1307  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1308  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1309  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1310  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1311  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1312  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1313  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1314  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1315  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1316  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1317  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1318 
1319  /* full response - request ack */
1320  uint8_t response[] = {
1321  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1322  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1323  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1324  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1325  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1326  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1327  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1328  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1329  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1330  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1331  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1332  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1333  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1334  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1335  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1336  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1337  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1338  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1339  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1340  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1341  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1342  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1343  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1344  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1345  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1346  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1347  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1348  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1349  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1350  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1351  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1352  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1353  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1354  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1355  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1356  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1357  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1358  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1359  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1360  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1361  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1362  p->tcph->th_ack = htonl(88);
1363  p->tcph->th_seq = htonl(1);
1364  p->tcph->th_flags = TH_PUSH | TH_ACK;
1365  p->flowflags = FLOW_PKT_TOCLIENT;
1366  p->payload_len = sizeof(response);
1367  p->payload = response;
1368  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1369  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1370  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1371  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1372  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1373  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1374  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1375  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1376  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1377  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1378  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1379  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1380 
1381  /* response ack */
1382  p->tcph->th_ack = htonl(328);
1383  p->tcph->th_seq = htonl(88);
1384  p->tcph->th_flags = TH_ACK;
1385  p->flowflags = FLOW_PKT_TOSERVER;
1386  p->payload_len = 0;
1387  p->payload = NULL;
1388  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1389  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1390  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1391  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1392  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1393  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1394  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1395  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1396  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1397  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1398  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1399  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1400 
1401  TEST_END;
1402  PASS;
1403 }
1404 
1405 /**
1406  * \test GE -> T -> HTTP/1.1
1407  */
1408 static int AppLayerTest02(void)
1409 {
1410  TEST_START;
1411 
1412  /* partial request */
1413  uint8_t request1[] = { 0x47, 0x45, };
1414  p->tcph->th_ack = htonl(1);
1415  p->tcph->th_seq = htonl(1);
1416  p->tcph->th_flags = TH_PUSH | TH_ACK;
1417  p->flowflags = FLOW_PKT_TOSERVER;
1418  p->payload_len = sizeof(request1);
1419  p->payload = request1;
1420  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1421  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1422  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1423  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1424  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1425  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1426  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1427  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1428  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1429  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1430  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1431  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1432 
1433  /* response ack against partial request */
1434  p->tcph->th_ack = htonl(3);
1435  p->tcph->th_seq = htonl(1);
1436  p->tcph->th_flags = TH_ACK;
1437  p->flowflags = FLOW_PKT_TOCLIENT;
1438  p->payload_len = 0;
1439  p->payload = NULL;
1440  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1441  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1442  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1443  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1444  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1445  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1446  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1447  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1448  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1449  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1450  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1451  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1452 
1453  /* complete partial request */
1454  uint8_t request2[] = {
1455  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1456  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1457  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1458  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1459  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1460  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1461  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1462  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1463  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1464  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1465  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1466  p->tcph->th_ack = htonl(1);
1467  p->tcph->th_seq = htonl(3);
1468  p->tcph->th_flags = TH_PUSH | TH_ACK;
1469  p->flowflags = FLOW_PKT_TOSERVER;
1470  p->payload_len = sizeof(request2);
1471  p->payload = request2;
1472  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1473  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1474  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1475  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1476  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1477  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1478  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1479  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1480  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1481  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1482  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1483  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1484 
1485  /* response - request ack */
1486  uint8_t response[] = {
1487  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1488  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1489  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1490  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1491  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1492  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1493  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1494  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1495  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1496  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1497  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1498  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1499  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1500  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1501  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1502  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1503  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1504  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1505  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1506  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1507  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1508  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1509  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1510  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1511  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1512  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1513  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1514  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1515  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1516  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1517  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1518  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1519  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1520  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1521  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1522  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1523  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1524  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1525  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1526  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1527  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1528  p->tcph->th_ack = htonl(88);
1529  p->tcph->th_seq = htonl(1);
1530  p->tcph->th_flags = TH_PUSH | TH_ACK;
1531  p->flowflags = FLOW_PKT_TOCLIENT;
1532  p->payload_len = sizeof(response);
1533  p->payload = response;
1534  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1535  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1536  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1537  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1538  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1539  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1540  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1541  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1542  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1543  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1544  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1545  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1546 
1547  /* response ack */
1548  p->tcph->th_ack = htonl(328);
1549  p->tcph->th_seq = htonl(88);
1550  p->tcph->th_flags = TH_ACK;
1551  p->flowflags = FLOW_PKT_TOSERVER;
1552  p->payload_len = 0;
1553  p->payload = NULL;
1554  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1555  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1556  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1557  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1558  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1559  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1560  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1561  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1562  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1563  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1564  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1565  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1566 
1567  TEST_END;
1568  PASS;
1569 }
1570 
1571 /**
1572  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1573  */
1574 static int AppLayerTest03(void)
1575 {
1576  TEST_START;
1577 
1578  /* request */
1579  uint8_t request[] = {
1580  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1581  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1582  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1583  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1584  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1585  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1586  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1587  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1588  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1589  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1590  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1591  p->tcph->th_ack = htonl(1);
1592  p->tcph->th_seq = htonl(1);
1593  p->tcph->th_flags = TH_PUSH | TH_ACK;
1594  p->flowflags = FLOW_PKT_TOSERVER;
1595  p->payload_len = sizeof(request);
1596  p->payload = request;
1597  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1598  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1599  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1600  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1601  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1602  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1603  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1604  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1605  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1606  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1607  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1608  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1609 
1610  /* rubbish response */
1611  uint8_t response[] = {
1612  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1613  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1614  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1615  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1616  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1617  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1618  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1619  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1620  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1621  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1622  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1623  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1624  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1625  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1626  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1627  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1628  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1629  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1630  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1631  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1632  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1633  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1634  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1635  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1636  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1637  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1638  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1639  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1640  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1641  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1642  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1643  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1644  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1645  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1646  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1647  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1648  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1649  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1650  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1651  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1652  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1653  p->tcph->th_ack = htonl(88);
1654  p->tcph->th_seq = htonl(1);
1655  p->tcph->th_flags = TH_PUSH | TH_ACK;
1656  p->flowflags = FLOW_PKT_TOCLIENT;
1657  p->payload_len = sizeof(response);
1658  p->payload = response;
1659  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1660  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1661  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1662  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1663  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1664  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1665  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1666  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1667  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1668  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1669  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1670  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1671 
1672  /* response ack */
1673  p->tcph->th_ack = htonl(328);
1674  p->tcph->th_seq = htonl(88);
1675  p->tcph->th_flags = TH_ACK;
1676  p->flowflags = FLOW_PKT_TOSERVER;
1677  p->payload_len = 0;
1678  p->payload = NULL;
1679  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1680  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1681  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1682  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1683  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1684  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1685  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1686  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1687  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1688  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1689  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1690  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1691 
1692  TEST_END;
1693  PASS;
1694 }
1695 
1696 /**
1697  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1698  */
1699 static int AppLayerTest04(void)
1700 {
1701  TEST_START;
1702 
1703  /* request */
1704  uint8_t request[] = {
1705  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1706  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1707  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1708  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1709  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1710  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1711  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1712  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1713  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1714  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1715  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1716  PrintRawDataFp(stdout, request, sizeof(request));
1717  p->tcph->th_ack = htonl(1);
1718  p->tcph->th_seq = htonl(1);
1719  p->tcph->th_flags = TH_PUSH | TH_ACK;
1720  p->flowflags = FLOW_PKT_TOSERVER;
1721  p->payload_len = sizeof(request);
1722  p->payload = request;
1723  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1724  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1725  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1726  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1727  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1728  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1729  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1730  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1731  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1732  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1733  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1734  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1735 
1736  /* partial response */
1737  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1738  PrintRawDataFp(stdout, response1, sizeof(response1));
1739  p->tcph->th_ack = htonl(88);
1740  p->tcph->th_seq = htonl(1);
1741  p->tcph->th_flags = TH_PUSH | TH_ACK;
1742  p->flowflags = FLOW_PKT_TOCLIENT;
1743  p->payload_len = sizeof(response1);
1744  p->payload = response1;
1745  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1746  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1747  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1748  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1749  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1750  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1751  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1752  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1753  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1754  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1755  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1756  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1757 
1758  /* partial response ack */
1759  p->tcph->th_ack = htonl(5);
1760  p->tcph->th_seq = htonl(88);
1761  p->tcph->th_flags = TH_ACK;
1762  p->flowflags = FLOW_PKT_TOSERVER;
1763  p->payload_len = 0;
1764  p->payload = NULL;
1765  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1766  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1767  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1768  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1769  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1770  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1771  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1772  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1773  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1774  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1775  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1776  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1777 
1778  /* remaining response */
1779  uint8_t response2[] = {
1780  0x2f, 0x31, 0x2e, 0x31,
1781  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1782  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1783  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1784  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1785  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1786  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1787  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1788  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1789  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1790  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1791  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1792  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1793  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1794  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1795  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1796  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1797  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1798  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1799  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1800  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1801  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1802  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1803  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1804  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1805  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1806  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1807  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1808  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1809  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1810  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1811  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1812  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1813  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1814  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1815  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1816  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1817  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1818  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1819  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1820  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1821  PrintRawDataFp(stdout, response2, sizeof(response2));
1822  p->tcph->th_ack = htonl(88);
1823  p->tcph->th_seq = htonl(5);
1824  p->tcph->th_flags = TH_PUSH | TH_ACK;
1825  p->flowflags = FLOW_PKT_TOCLIENT;
1826  p->payload_len = sizeof(response2);
1827  p->payload = response2;
1828  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1829  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1830  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1831  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1832  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1833  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1834  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1835  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1836  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1837  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1838  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1839  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1840 
1841  /* response ack */
1842  p->tcph->th_ack = htonl(328);
1843  p->tcph->th_seq = htonl(88);
1844  p->tcph->th_flags = TH_ACK;
1845  p->flowflags = FLOW_PKT_TOSERVER;
1846  p->payload_len = 0;
1847  p->payload = NULL;
1848  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1849  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1850  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1851  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1852  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1853  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1854  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1855  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1856  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1857  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1858  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1859  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1860 
1861  TEST_END;
1862  PASS;
1863 }
1864 
1865 /**
1866  * \test RUBBISH -> HTTP/1.1
1867  */
1868 static int AppLayerTest05(void)
1869 {
1870  TEST_START;
1871 
1872  /* full request */
1873  uint8_t request[] = {
1874  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1875  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1876  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1877  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1878  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1879  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1880  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1881  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1882  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1883  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1884  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1885  PrintRawDataFp(stdout, request, sizeof(request));
1886  p->tcph->th_ack = htonl(1);
1887  p->tcph->th_seq = htonl(1);
1888  p->tcph->th_flags = TH_PUSH | TH_ACK;
1889  p->flowflags = FLOW_PKT_TOSERVER;
1890  p->payload_len = sizeof(request);
1891  p->payload = request;
1892  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1893  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1894  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1895  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1896  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1897  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1898  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1899  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1900  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1901  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1902  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1903  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1904 
1905  /* full response - request ack */
1906  uint8_t response[] = {
1907  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1908  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1909  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1910  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1911  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1912  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1913  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1914  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1915  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1916  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1917  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1918  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1919  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1920  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1921  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1922  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1923  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1924  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1925  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1926  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1927  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1928  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1929  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1930  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1931  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1932  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1933  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1934  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1935  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1936  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1937  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1938  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1939  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1940  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1941  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1942  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1943  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1944  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1945  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1946  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1947  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1948  PrintRawDataFp(stdout, response, sizeof(response));
1949  p->tcph->th_ack = htonl(88);
1950  p->tcph->th_seq = htonl(1);
1951  p->tcph->th_flags = TH_PUSH | TH_ACK;
1952  p->flowflags = FLOW_PKT_TOCLIENT;
1953  p->payload_len = sizeof(response);
1954  p->payload = response;
1955  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1956  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1957  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1958  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1959  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1960  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1961  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1962  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1963  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1964  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1965  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1966  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1967 
1968  /* response ack */
1969  p->tcph->th_ack = htonl(328);
1970  p->tcph->th_seq = htonl(88);
1971  p->tcph->th_flags = TH_ACK;
1972  p->flowflags = FLOW_PKT_TOSERVER;
1973  p->payload_len = 0;
1974  p->payload = NULL;
1975  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1976  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1977  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1978  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1979  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1980  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1981  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1982  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1983  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1984  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1985  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1986  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1987 
1988  TEST_END;
1989  PASS;
1990 }
1991 
1992 /**
1993  * \test HTTP/1.1 -> GET
1994  */
1995 static int AppLayerTest06(void)
1996 {
1997  TEST_START;
1998 
1999  /* full response - request ack */
2000  uint8_t response[] = {
2001  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2002  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2003  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2004  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2005  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2006  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2007  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2008  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2009  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2010  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2011  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2012  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2013  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2014  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2015  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2016  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2017  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2018  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2019  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2020  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2021  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2022  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2023  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2024  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2025  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2026  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2027  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2028  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2029  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2030  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2031  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2032  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2033  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2034  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2035  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2036  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2037  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2038  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2039  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2040  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2041  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2042  p->tcph->th_ack = htonl(1);
2043  p->tcph->th_seq = htonl(1);
2044  p->tcph->th_flags = TH_PUSH | TH_ACK;
2045  p->flowflags = FLOW_PKT_TOCLIENT;
2046  p->payload_len = sizeof(response);
2047  p->payload = response;
2048  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2049  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2050  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2051  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2052  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2053  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2054  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2055  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2056  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2057  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2058  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2059  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2060 
2061  /* full request - response ack*/
2062  uint8_t request[] = {
2063  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2064  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2065  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2066  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2067  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2068  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2069  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2070  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2071  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2072  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2073  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2074  p->tcph->th_ack = htonl(328);
2075  p->tcph->th_seq = htonl(1);
2076  p->tcph->th_flags = TH_PUSH | TH_ACK;
2077  p->flowflags = FLOW_PKT_TOSERVER;
2078  p->payload_len = sizeof(request);
2079  p->payload = request;
2080  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2081  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2082  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2083  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2084  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2085  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2086  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2087  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2088  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2089  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2090  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2091  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2092 
2093  p->tcph->th_ack = htonl(1 + sizeof(request));
2094  p->tcph->th_seq = htonl(328);
2095  p->tcph->th_flags = TH_PUSH | TH_ACK;
2096  p->flowflags = FLOW_PKT_TOCLIENT;
2097  p->payload_len = 0;
2098  p->payload = NULL;
2099  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2100  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2101  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2102  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2103  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2104  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2105  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2106  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2107  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2108  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2109  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2110  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2111 
2112  TEST_END;
2113  PASS;
2114 }
2115 
2116 /**
2117  * \test GET -> DCERPC
2118  */
2119 static int AppLayerTest07(void)
2120 {
2121  TEST_START;
2122 
2123  /* full request */
2124  uint8_t request[] = {
2125  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2126  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2127  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2128  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2129  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2130  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2131  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2132  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2133  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2134  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2135  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2136  p->tcph->th_ack = htonl(1);
2137  p->tcph->th_seq = htonl(1);
2138  p->tcph->th_flags = TH_PUSH | TH_ACK;
2139  p->flowflags = FLOW_PKT_TOSERVER;
2140  p->payload_len = sizeof(request);
2141  p->payload = request;
2142  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2143  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2144  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2145  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2146  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2147  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2148  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2149  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2150  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2151  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2152  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2153  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2154 
2155  /* full response - request ack */
2156  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2157  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2158  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2159  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2160  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2161  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2162  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2163  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2164  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2165  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2166  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2167  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2168  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2169  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2170  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2171  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2172  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2173  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2174  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2175  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2176  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2177  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2178  p->tcph->th_ack = htonl(88);
2179  p->tcph->th_seq = htonl(1);
2180  p->tcph->th_flags = TH_PUSH | TH_ACK;
2181  p->flowflags = FLOW_PKT_TOCLIENT;
2182  p->payload_len = sizeof(response);
2183  p->payload = response;
2184  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2185  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2186  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2187  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2188  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2189  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2190  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2191  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2192  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2193  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2194  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2195  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2196 
2197  /* response ack */
2198  p->tcph->th_ack = htonl(328);
2199  p->tcph->th_seq = htonl(88);
2200  p->tcph->th_flags = TH_ACK;
2201  p->flowflags = FLOW_PKT_TOSERVER;
2202  p->payload_len = 0;
2203  p->payload = NULL;
2204  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2205  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2206  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2207  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2208  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2209  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2210  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2211  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2212  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2213  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2214  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2215  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2216 
2217  TEST_END;
2218  PASS;
2219 }
2220 
2221 /**
2222  * \test SMB -> HTTP/1.1
2223  */
2224 static int AppLayerTest08(void)
2225 {
2226  TEST_START;
2227 
2228  /* full request */
2229  uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68,
2230  0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48,
2231  0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d,
2232  0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70,
2233  0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2234  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2235  p->tcph->th_ack = htonl(1);
2236  p->tcph->th_seq = htonl(1);
2237  p->tcph->th_flags = TH_PUSH | TH_ACK;
2238  p->flowflags = FLOW_PKT_TOSERVER;
2239  p->payload_len = sizeof(request);
2240  p->payload = request;
2241  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2242  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2243  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2244  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2245  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2246  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2247  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2248  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2249  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2250  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2251  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2252  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2253 
2254  /* full response - request ack */
2255  uint8_t response[] = {
2256  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2257  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2258  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2259  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2260  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2261  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2262  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2263  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2264  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2265  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2266  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2267  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2268  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2269  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2270  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2271  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2272  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2273  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2274  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2275  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2276  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2277  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2278  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2279  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2280  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2281  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2282  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2283  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2284  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2285  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2286  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2287  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2288  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2289  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2290  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2291  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2292  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2293  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2294  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2295  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2296  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2297  p->tcph->th_ack = htonl(88);
2298  p->tcph->th_seq = htonl(1);
2299  p->tcph->th_flags = TH_PUSH | TH_ACK;
2300  p->flowflags = FLOW_PKT_TOCLIENT;
2301  p->payload_len = sizeof(response);
2302  p->payload = response;
2303  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2304  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2305  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2306  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2307  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2308  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2309  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2310  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2311  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2312  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2313  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2314  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2315 
2316  /* response ack */
2317  p->tcph->th_ack = htonl(328);
2318  p->tcph->th_seq = htonl(88);
2319  p->tcph->th_flags = TH_ACK;
2320  p->flowflags = FLOW_PKT_TOSERVER;
2321  p->payload_len = 0;
2322  p->payload = NULL;
2323  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2324  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2325  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2326  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2327  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2328  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2329  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2330  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2331  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2332  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2333  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2334  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2335 
2336  TEST_END;
2337  PASS;
2338 }
2339 
2340 /**
2341  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2342  * RUBBISH(TC - PM and PP DONE) ->
2343  * RUBBISH(TS - PM and PP DONE)
2344  */
2345 static int AppLayerTest09(void)
2346 {
2347  TEST_START;
2348 
2349  /* full request */
2350  uint8_t request1[] = {
2351  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2352  p->tcph->th_ack = htonl(1);
2353  p->tcph->th_seq = htonl(1);
2354  p->tcph->th_flags = TH_PUSH | TH_ACK;
2355  p->flowflags = FLOW_PKT_TOSERVER;
2356  p->payload_len = sizeof(request1);
2357  p->payload = request1;
2358  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2359  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2360  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2361  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2362  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2363  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2364  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2365  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2366  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2367  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2368  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2369  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2370 
2371  /* response - request ack */
2372  p->tcph->th_ack = htonl(9);
2373  p->tcph->th_seq = htonl(1);
2374  p->tcph->th_flags = TH_PUSH | TH_ACK;
2375  p->flowflags = FLOW_PKT_TOCLIENT;
2376  p->payload_len = 0;
2377  p->payload = NULL;
2378  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2379  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2380  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2381  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2382  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2383  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2384  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2385  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2386  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2387  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2388  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2389  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2390 
2391  /* full request */
2392  uint8_t request2[] = {
2393  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2394  p->tcph->th_ack = htonl(1);
2395  p->tcph->th_seq = htonl(9);
2396  p->tcph->th_flags = TH_PUSH | TH_ACK;
2397  p->flowflags = FLOW_PKT_TOSERVER;
2398  p->payload_len = sizeof(request2);
2399  p->payload = request2;
2400  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2401  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2402  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2403  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2404  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2405  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2406  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2407  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2408  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2409  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2410  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2411  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2412 
2413  /* full response - request ack */
2414  uint8_t response[] = {
2415  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2416  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2417  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2418  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2419  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2420  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2421  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2422  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2423  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2424  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2425  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2426  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2427  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2428  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2429  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2430  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2431  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2432  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2433  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2434  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2435  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2436  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2437  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2438  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2439  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2440  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2441  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2442  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2443  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2444  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2445  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2446  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2447  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2448  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2449  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2450  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2451  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2452  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2453  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2454  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2455  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2456  p->tcph->th_ack = htonl(18);
2457  p->tcph->th_seq = htonl(1);
2458  p->tcph->th_flags = TH_PUSH | TH_ACK;
2459  p->flowflags = FLOW_PKT_TOCLIENT;
2460  p->payload_len = sizeof(response);
2461  p->payload = response;
2462  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2463  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2464  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2465  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2466  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2467  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2468  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2469  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2470  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2471  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2472  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2473  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2474 
2475  /* response ack */
2476  p->tcph->th_ack = htonl(328);
2477  p->tcph->th_seq = htonl(18);
2478  p->tcph->th_flags = TH_ACK;
2479  p->flowflags = FLOW_PKT_TOSERVER;
2480  p->payload_len = 0;
2481  p->payload = NULL;
2482  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2483  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2484  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2485  FAIL_IF(f.alproto != ALPROTO_FAILED);
2486  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2487  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2488  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2489  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2490  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2491  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2492  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2493  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2494 
2495  TEST_END;
2496  PASS;
2497 }
2498 
2499 /**
2500  * \test RUBBISH(TC - PM and PP DONE) ->
2501  * RUBBISH(TS - PM and PP DONE)
2502  */
2503 static int AppLayerTest10(void)
2504 {
2505  TEST_START;
2506 
2507  /* full request */
2508  uint8_t request1[] = {
2509  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2510  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2511  p->tcph->th_ack = htonl(1);
2512  p->tcph->th_seq = htonl(1);
2513  p->tcph->th_flags = TH_PUSH | TH_ACK;
2514  p->flowflags = FLOW_PKT_TOSERVER;
2515  p->payload_len = sizeof(request1);
2516  p->payload = request1;
2517  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2518  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2519  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2520  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2521  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2522  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2523  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2524  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2525  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2526  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2527  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2528  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2529 
2530  /* response - request ack */
2531  p->tcph->th_ack = htonl(18);
2532  p->tcph->th_seq = htonl(1);
2533  p->tcph->th_flags = TH_PUSH | TH_ACK;
2534  p->flowflags = FLOW_PKT_TOCLIENT;
2535  p->payload_len = 0;
2536  p->payload = NULL;
2537  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2538  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2539  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2540  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2541  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2542  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2543  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2544  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2545  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2546  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2547  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2548  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2549 
2550  /* full response - request ack */
2551  uint8_t response[] = {
2552  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2553  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2554  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2555  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2556  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2557  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2558  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2559  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2560  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2561  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2562  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2563  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2564  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2565  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2566  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2567  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2568  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2569  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2570  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2571  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2572  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2573  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2574  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2575  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2576  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2577  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2578  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2579  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2580  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2581  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2582  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2583  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2584  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2585  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2586  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2587  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2588  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2589  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2590  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2591  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2592  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2593  p->tcph->th_ack = htonl(18);
2594  p->tcph->th_seq = htonl(1);
2595  p->tcph->th_flags = TH_PUSH | TH_ACK;
2596  p->flowflags = FLOW_PKT_TOCLIENT;
2597  p->payload_len = sizeof(response);
2598  p->payload = response;
2599  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2600  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2601  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2602  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2603  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2604  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2605  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2606  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2607  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2608  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2609  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2610  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2611 
2612  /* response ack */
2613  p->tcph->th_ack = htonl(328);
2614  p->tcph->th_seq = htonl(18);
2615  p->tcph->th_flags = TH_ACK;
2616  p->flowflags = FLOW_PKT_TOSERVER;
2617  p->payload_len = 0;
2618  p->payload = NULL;
2619  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2620  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2621  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2622  FAIL_IF(f.alproto != ALPROTO_FAILED);
2623  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2624  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2625  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2626  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2627  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2628  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2629  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2630  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2631 
2632  TEST_END;
2633  PASS;
2634 }
2635 
2636 /**
2637  * \test RUBBISH(TC - PM and PP DONE) ->
2638  * RUBBISH(TS - PM and PP NOT DONE) ->
2639  * RUBBISH(TS - PM and PP DONE)
2640  */
2641 static int AppLayerTest11(void)
2642 {
2643  TEST_START;
2644 
2645  /* full request */
2646  uint8_t request1[] = {
2647  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2648  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2649  p->tcph->th_ack = htonl(1);
2650  p->tcph->th_seq = htonl(1);
2651  p->tcph->th_flags = TH_PUSH | TH_ACK;
2652  p->flowflags = FLOW_PKT_TOSERVER;
2653  p->payload_len = sizeof(request1);
2654  p->payload = request1;
2655  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2656  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2657  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2658  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2659  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2660  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2661  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2662  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2663  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2664  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2665  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2666  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2667 
2668  /* response - request ack */
2669  p->tcph->th_ack = htonl(18);
2670  p->tcph->th_seq = htonl(1);
2671  p->tcph->th_flags = TH_PUSH | TH_ACK;
2672  p->flowflags = FLOW_PKT_TOCLIENT;
2673  p->payload_len = 0;
2674  p->payload = NULL;
2675  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2676  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2677  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2678  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2679  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2680  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2681  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2682  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2683  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2684  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2685  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2686  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2687 
2688  /* full response - request ack */
2689  uint8_t response1[] = {
2690  0x55, 0x74, 0x54, 0x50, };
2691  p->tcph->th_ack = htonl(18);
2692  p->tcph->th_seq = htonl(1);
2693  p->tcph->th_flags = TH_PUSH | TH_ACK;
2694  p->flowflags = FLOW_PKT_TOCLIENT;
2695  p->payload_len = sizeof(response1);
2696  p->payload = response1;
2697  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2698  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2699  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2700  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2701  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2702  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2703  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2704  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2705  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2706  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2707  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2708  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2709 
2710  /* response ack from request */
2711  p->tcph->th_ack = htonl(5);
2712  p->tcph->th_seq = htonl(18);
2713  p->tcph->th_flags = TH_ACK;
2714  p->flowflags = FLOW_PKT_TOSERVER;
2715  p->payload_len = 0;
2716  p->payload = NULL;
2717  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2718  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2719  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2720  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2721  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2722  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2723  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2724  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2725  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2726  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2727  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2728  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2729 
2730  uint8_t response2[] = {
2731  0x2f, 0x31, 0x2e, 0x31,
2732  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2733  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2734  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2735  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2736  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2737  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2738  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2739  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2740  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2741  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2742  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2743  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2744  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2745  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2746  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2747  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2748  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2749  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2750  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2751  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2752  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2753  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2754  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2755  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2756  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2757  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2758  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2759  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2760  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2761  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2762  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2763  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2764  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2765  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2766  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2767  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2768  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2769  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2770  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2771  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2772  p->tcph->th_ack = htonl(18);
2773  p->tcph->th_seq = htonl(5);
2774  p->tcph->th_flags = TH_PUSH | TH_ACK;
2775  p->flowflags = FLOW_PKT_TOCLIENT;
2776  p->payload_len = sizeof(response2);
2777  p->payload = response2;
2778  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2779  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2780  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2781  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2782  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2783  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2784  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2785  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2786  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2787  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2788  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2789  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2790 
2791  /* response ack from request */
2792  p->tcph->th_ack = htonl(328);
2793  p->tcph->th_seq = htonl(18);
2794  p->tcph->th_flags = TH_ACK;
2795  p->flowflags = FLOW_PKT_TOSERVER;
2796  p->payload_len = 0;
2797  p->payload = NULL;
2798  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2799  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2800  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2801  FAIL_IF(f.alproto != ALPROTO_FAILED);
2802  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2803  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2804  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2805  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2806  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2807  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2808  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2809  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2810 
2811  TEST_END;
2812  PASS;
2813 }
2814 
2815 void AppLayerUnittestsRegister(void)
2816 {
2817  SCEnter();
2818 
2819  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2820  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2821  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2822  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2823  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2824  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2825  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2826  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2827  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2828  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2829  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2830 
2831  SCReturn;
2832 }
2833 
2834 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:86
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:277
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:54
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:220
Packet_::proto
uint8_t proto
Definition: decode.h:451
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:283
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:66
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:88
AppLayerCounters_
Definition: app-layer.c:85
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:143
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1723
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:87
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:97
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1013
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1037
Flow_::proto
uint8_t proto
Definition: flow.h:365
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:574
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6850
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:60
Packet_::flags
uint32_t flags
Definition: decode.h:464
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:187
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:64
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:343
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:130
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:90
Flow_::protomap
uint8_t protomap
Definition: flow.h:437
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:74
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1163
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:230
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1135
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:448
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:167
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1032
AppLayerCounterNames_
Definition: app-layer.c:76
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1636
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:386
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6425
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2815
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:83
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:946
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1055
PKT_APPLAYER_UPDATE
#define PKT_APPLAYER_UPDATE
Definition: decode.h:1060
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:460
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:115
MAX
#define MAX(x, y)
Definition: suricata-common.h:390
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:75
Flow_::protoctx
void * protoctx
Definition: flow.h:433
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:138
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:601
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:932
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:182
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:89
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:981
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1040
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:75
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:268
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:467
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1739
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:966
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1349
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:173
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:644
AppLayerParserState_
Definition: app-layer-parser.c:139
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:269
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1045
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:398
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:491
util-exception-policy.h
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:993
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5320
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:1054
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1871
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1190
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:207
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:143
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:101
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy.h:27
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:262
SCReturn
#define SCReturn
Definition: util-debug.h:273
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:276
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
Packet_
Definition: decode.h:429
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:809
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:101
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:299
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:712
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:146
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:173
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:451
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:55
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1307
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:445
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:278
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:554
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1753
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:91
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:100
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:154
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1041
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1597
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:281
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2099
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1421
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1960
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2057
str
#define str(s)
Definition: suricata-common.h:286
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:412
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:79
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:443
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6856
Flow_::alstate
void * alstate
Definition: flow.h:468
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1015
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
Flow_::flags
uint32_t flags
Definition: flow.h:413
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:89
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:939
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:159
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:122
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:59
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:222
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
TEST_END
#define TEST_END
Definition: app-layer.c:1272
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:53
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:173
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2014
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:95
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:77
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:230
TcpSession_
Definition: stream-tcp-private.h:283
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:444
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:73
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1524
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:955
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:196
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1176
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2082
app-layer.h