suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
57 struct AppLayerThreadCtx_ {
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  AppLayerProtoDetectThreadCtx *alpd_tctx;
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61  AppLayerParserThreadCtx *alp_tctx;
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
67  AppProto alproto;
68  uint64_t proto_detect_ticks_start;
69  uint64_t proto_detect_ticks_end;
70  uint64_t proto_detect_ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
78 } AppLayerCounterNames;
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
83 } AppLayerCounters;
84 
85 /* counter names. Only used at init. */
86 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
87 /* counter id's. Used that runtime. */
88 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
97  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
133  p->flags |= PKT_PROTO_DETECT_TS_DONE;
134  } else {
135  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  p->flags |= PKT_PROTO_DETECT_TC_DONE;
140  } else {
141  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
146  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
147  } else {
148  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
157  FlowCleanupAppLayer(f);
158  StreamTcpDisableAppLayer(f);
159  TcpSession *ssn = f->protoctx;
160  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
166  f->alproto_tc = ALPROTO_FAILED;
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
172  f->alproto_ts = ALPROTO_FAILED;
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
218  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
219  size_ts > 100000 && size_tc == 0)
220  {
221  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
222  APPLAYER_PROTO_DETECTION_SKIPPED);
223  goto failure;
224 
225  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
226  size_tc > 100000 && size_ts == 0)
227  {
228  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
229  APPLAYER_PROTO_DETECTION_SKIPPED);
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
236  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
237  FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
238  {
239  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
240  APPLAYER_PROTO_DETECTION_SKIPPED);
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
247  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
248  FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
249  {
250  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
251  APPLAYER_PROTO_DETECTION_SKIPPED);
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
258  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
259  (!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
260  {
261  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
262  APPLAYER_PROTO_DETECTION_SKIPPED);
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
291  UPDATE_DIR_OPPOSING :
292  UPDATE_DIR_PACKET;
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
326  PACKET_PROFILING_APP_PD_START(app_tctx);
327  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
328  f, data, data_len,
329  IPPROTO_TCP, flags);
330  PACKET_PROFILING_APP_PD_END(app_tctx);
331 
332  if (*alproto != ALPROTO_UNKNOWN) {
333  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
334  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
335  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
336 
337  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
338  /* if we already invoked the parser, we go with that proto */
339  f->alproto = *alproto_otherdir;
340  } else {
341  /* no data sent to parser yet, we can still choose
342  * we're trusting the server more. */
343  if (flags & STREAM_TOCLIENT)
344  f->alproto = *alproto;
345  else
346  f->alproto = *alproto_otherdir;
347  }
348  } else {
349  f->alproto = *alproto;
350  }
351 
352  StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
353  TcpSessionSetReassemblyDepth(ssn,
354  AppLayerParserGetStreamDepth(f));
355  FlagPacketFlow(p, f, flags);
356 
357  /* account flow if we have both sides */
358  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
359  AppLayerIncFlowCounter(tv, f);
360  }
361 
362  /* if we have seen data from the other direction first, send
363  * data for that direction first to the parser. This shouldn't
364  * be an issue, since each stream processing happens
365  * independently of the other stream direction. At this point of
366  * call, you need to know that this function's already being
367  * called by the very same StreamReassembly() function that we
368  * will now call shortly for the opposing direction. */
369  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
370  !(flags & ssn->data_first_seen_dir))
371  {
372  SCLogDebug("protocol %s needs first data in other direction",
373  AppProtoToString(*alproto));
374 
375  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
376  p, ssn, stream) != 0)
377  {
378  DisableAppLayer(tv, f, p);
379  goto failure;
380  }
381  }
382 
383  /* if the parser operates such that it needs to see data from
384  * a particular direction first, we check if we have seen
385  * data from that direction first for the flow. IF it is not
386  * the same, we set an event and exit.
387  *
388  * \todo We need to figure out a more robust solution for this,
389  * as this can lead to easy evasion tactics, where the
390  * attackeer can first send some dummy data in the wrong
391  * direction first to mislead our proto detection process.
392  * While doing this we need to update the parsers as well,
393  * since the parsers must be robust to see such wrong
394  * direction data.
395  * Either ways the moment we see the
396  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
397  * flow, it shows something's fishy.
398  */
399  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
400  uint8_t first_data_dir;
401  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
402 
403  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
404  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
405  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
406  DisableAppLayer(tv, f, p);
407  goto failure;
408  }
409  /* This can happen if the current direction is not the
410  * right direction, and the data from the other(also
411  * the right direction) direction is available to be sent
412  * to the app layer, but it is not ack'ed yet and hence
413  * the forced call to STreamTcpAppLayerReassemble still
414  * hasn't managed to send data from the other direction
415  * to the app layer. */
416  if (first_data_dir && !(first_data_dir & flags)) {
417  FlowCleanupAppLayer(f);
418  StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream);
419  FLOW_RESET_PP_DONE(f, flags);
420  FLOW_RESET_PM_DONE(f, flags);
421  FLOW_RESET_PE_DONE(f, flags);
422  goto failure;
423  }
424  }
425 
426  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
427  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
428 
429  /* finally, invoke the parser */
430  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
431  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
432  flags, data, data_len);
433  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
434  if (r < 0)
435  goto failure;
436 
437  } else {
438  /* if the ssn is midstream, we may end up with a case where the
439  * start of an HTTP request is missing. We won't detect HTTP based
440  * on the request. However, the reply is fine, so we detect
441  * HTTP anyway. This leads to passing the incomplete request to
442  * the htp parser.
443  *
444  * This has been observed, where the http parser then saw many
445  * bogus requests in the incomplete data.
446  *
447  * To counter this case, a midstream session MUST find it's
448  * protocol in the toserver direction. If not, we assume the
449  * start of the request/toserver is incomplete and no reliable
450  * detection and parsing is possible. So we give up.
451  */
452  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
453  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
454  {
455  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
456  SCLogDebug("midstream end pd %p", ssn);
457  /* midstream and toserver detection failed: give up */
458  DisableAppLayer(tv, f, p);
459  goto end;
460  }
461  }
462 
463  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
464  uint8_t first_data_dir;
465  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
466 
467  /* this would handle this test case -
468  * http parser which says it wants to see toserver data first only.
469  * tcp handshake
470  * toclient data first received. - RUBBISH DATA which
471  * we don't detect as http
472  * toserver data next sent - we detect this as http.
473  * at this stage we see that toclient is the first data seen
474  * for this session and we try and redetect the app protocol,
475  * but we are unable to detect the app protocol like before.
476  * But since we have managed to detect the protocol for the
477  * other direction as http, we try to use that. At this
478  * stage we check if the direction of this stream matches
479  * to that acceptable by the app parser. If it is not the
480  * acceptable direction we error out.
481  */
482  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
483  (first_data_dir) && !(first_data_dir & flags))
484  {
485  DisableAppLayer(tv, f, p);
486  goto failure;
487  }
488 
489  /* if protocol detection is marked done for our direction we
490  * pass our data on. We're only succeeded in finding one
491  * direction: the opposing stream
492  *
493  * If PD was not yet complete, we don't do anything.
494  */
495  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
496  if (data_len > 0)
497  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
498 
499  if (*alproto_otherdir != ALPROTO_FAILED) {
500  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
501  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
502  f->alproto, flags,
503  data, data_len);
504  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
505 
506  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
507  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
508  TcpSessionSetReassemblyDepth(ssn,
509  AppLayerParserGetStreamDepth(f));
510 
511  *alproto = *alproto_otherdir;
512  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
513  p->pcap_cnt, *alproto, *alproto_otherdir, r);
514  if (r < 0)
515  goto failure;
516  }
517  *alproto = ALPROTO_FAILED;
518  StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
519  AppLayerIncFlowCounter(tv, f);
520  FlagPacketFlow(p, f, flags);
521 
522  }
523  } else {
524  /* both sides unknown, let's see if we need to give up */
525  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
526  }
527  }
528 end:
529  return 0;
530 
531 failure:
532  return -1;
533 }
534 
535 /** \brief handle TCP data for the app-layer.
536  *
537  * First run protocol detection and then when the protocol is known invoke
538  * the app layer parser.
539  */
540 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
541  Packet *p, Flow *f,
542  TcpSession *ssn, TcpStream *stream,
543  uint8_t *data, uint32_t data_len,
544  uint8_t flags)
545 {
546  SCEnter();
547 
548  DEBUG_ASSERT_FLOW_LOCKED(f);
549 
550  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
551  AppProto alproto;
552  int r = 0;
553 
554  SCLogDebug("data_len %u flags %02X", data_len, flags);
555  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
556  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
557  goto end;
558  }
559 
560  if (flags & STREAM_TOSERVER) {
561  alproto = f->alproto_ts;
562  } else {
563  alproto = f->alproto_tc;
564  }
565 
566  /* If a gap notification, relay the notification on to the
567  * app-layer if known. */
568  if (flags & STREAM_GAP) {
569  if (alproto == ALPROTO_UNKNOWN) {
570  StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
571  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
572  /* if the other side didn't already find the proto, we're done */
573  if (f->alproto == ALPROTO_UNKNOWN)
574  goto end;
575 
576  }
577  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
578  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
579  flags, data, data_len);
580  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
581  goto end;
582  }
583 
584  /* if we don't know the proto yet and we have received a stream
585  * initializer message, we run proto detection.
586  * We receive 2 stream init msgs (one for each direction) but we
587  * only run the proto detection once. */
588  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
589  /* run protocol detection */
590  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
591  data, data_len, flags) != 0) {
592  goto failure;
593  }
594  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
595  f->alproto_orig = f->alproto;
596  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
597  AppLayerProtoDetectReset(f);
598  /* rerun protocol detection */
599  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
600  data, data_len, flags) != 0) {
601  SCLogDebug("proto detect failure");
602  goto failure;
603  }
604  SCLogDebug("protocol change, old %s, new %s",
605  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
606 
607  if (f->alproto_expect != ALPROTO_UNKNOWN &&
608  f->alproto != f->alproto_expect)
609  {
610  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
611  APPLAYER_UNEXPECTED_PROTOCOL);
612 
613  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
614  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
615  APPLAYER_NO_TLS_AFTER_STARTTLS);
616 
617  }
618  }
619  } else {
620  SCLogDebug("stream data (len %" PRIu32 " alproto "
621  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
622 #ifdef PRINT
623  if (data_len > 0) {
624  printf("=> Stream Data (app layer) -- start %s%s\n",
625  flags & STREAM_TOCLIENT ? "toclient" : "",
626  flags & STREAM_TOSERVER ? "toserver" : "");
627  PrintRawDataFp(stdout, data, data_len);
628  printf("=> Stream Data -- end\n");
629  }
630 #endif
631  /* if we don't have a data object here we are not getting it
632  * a start msg should have gotten us one */
633  if (f->alproto != ALPROTO_UNKNOWN) {
634  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
635  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
636  flags, data, data_len);
637  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
638  }
639  }
640 
641  goto end;
642  failure:
643  r = -1;
644  end:
645  SCReturnInt(r);
646 }
647 
648 /**
649  * \brief Handle a app layer UDP message
650  *
651  * If the protocol is yet unknown, the proto detection code is run first.
652  *
653  * \param dp_ctx Thread app layer detect context
654  * \param f *locked* flow
655  * \param p UDP packet
656  *
657  * \retval 0 ok
658  * \retval -1 error
659  */
660 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
661 {
662  SCEnter();
663 
664  int r = 0;
665 
666  uint8_t flags = 0;
667  if (p->flowflags & FLOW_PKT_TOSERVER) {
668  flags |= STREAM_TOSERVER;
669  } else {
670  flags |= STREAM_TOCLIENT;
671  }
672 
673  if (f->alproto == ALPROTO_FAILED) {
674  SCReturnInt(0);
675 
676  /* if the protocol is still unknown, run detection */
677  } else if (f->alproto == ALPROTO_UNKNOWN) {
678  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
679  p->payload_len);
680 
681  PACKET_PROFILING_APP_PD_START(tctx);
682  f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
683  f,
684  p->payload, p->payload_len,
685  IPPROTO_UDP, flags);
686  PACKET_PROFILING_APP_PD_END(tctx);
687 
688  if (f->alproto != ALPROTO_UNKNOWN) {
689  AppLayerIncFlowCounter(tv, f);
690 
691  PACKET_PROFILING_APP_START(tctx, f->alproto);
692  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
693  flags, p->payload, p->payload_len);
694  PACKET_PROFILING_APP_END(tctx, f->alproto);
695  PACKET_PROFILING_APP_STORE(tctx, p);
696  } else {
697  f->alproto = ALPROTO_FAILED;
698  AppLayerIncFlowCounter(tv, f);
699  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
700  }
701  /* we do only inspection in one direction, so flag both
702  * sides as done here */
703  FlagPacketFlow(p, f, STREAM_TOSERVER);
704  FlagPacketFlow(p, f, STREAM_TOCLIENT);
705  } else {
706  SCLogDebug("data (len %" PRIu32 " ), alproto "
707  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
708 
709  /* run the parser */
710  PACKET_PROFILING_APP_START(tctx, f->alproto);
711  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
712  flags, p->payload, p->payload_len);
713  PACKET_PROFILING_APP_END(tctx, f->alproto);
714  PACKET_PROFILING_APP_STORE(tctx, p);
715  }
716 
717  SCReturnInt(r);
718 }
719 
720 /***** Utility *****/
721 
722 AppProto AppLayerGetProtoByName(char *alproto_name)
723 {
724  SCEnter();
725  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
726  SCReturnCT(r, "AppProto");
727 }
728 
729 const char *AppLayerGetProtoName(AppProto alproto)
730 {
731  SCEnter();
732  const char * r = AppLayerProtoDetectGetProtoName(alproto);
733  SCReturnCT(r, "char *");
734 }
735 
736 void AppLayerListSupportedProtocols(void)
737 {
738  SCEnter();
739 
740  AppProto alproto;
741  AppProto alprotos[ALPROTO_MAX];
742 
743  AppLayerProtoDetectSupportedAppProtocols(alprotos);
744 
745  printf("=========Supported App Layer Protocols=========\n");
746  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
747  if (alprotos[alproto] == 1)
748  printf("%s\n", AppLayerGetProtoName(alproto));
749  }
750 
751  SCReturn;
752 }
753 
754 /***** Setup/General Registration *****/
755 
756 int AppLayerSetup(void)
757 {
758  SCEnter();
759 
760  AppLayerProtoDetectSetup();
761  AppLayerParserSetup();
762 
763  AppLayerParserRegisterProtocolParsers();
764  AppLayerProtoDetectPrepareState();
765 
766  AppLayerSetupCounters();
767 
768  SCReturnInt(0);
769 }
770 
771 int AppLayerDeSetup(void)
772 {
773  SCEnter();
774 
775  AppLayerProtoDetectDeSetup();
776  AppLayerParserDeSetup();
777 
778  AppLayerDeSetupCounters();
779 
780  SCReturnInt(0);
781 }
782 
783 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
784 {
785  SCEnter();
786 
787  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
788  if (app_tctx == NULL)
789  goto error;
790  memset(app_tctx, 0, sizeof(*app_tctx));
791 
792  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
793  goto error;
794  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
795  goto error;
796 
797  goto done;
798  error:
799  AppLayerDestroyCtxThread(app_tctx);
800  app_tctx = NULL;
801  done:
802  SCReturnPtr(app_tctx, "void *");
803 }
804 
805 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
806 {
807  SCEnter();
808 
809  if (app_tctx == NULL)
810  SCReturn;
811 
812  if (app_tctx->alpd_tctx != NULL)
813  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
814  if (app_tctx->alp_tctx != NULL)
815  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
816  SCFree(app_tctx);
817 
818  SCReturn;
819 }
820 
821 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
822 {
823  PACKET_PROFILING_APP_RESET(app_tctx);
824 }
825 
826 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
827 {
828  PACKET_PROFILING_APP_STORE(app_tctx, p);
829 }
830 
831 /** \brief HACK to work around our broken unix manager (re)init loop
832  */
833 void AppLayerRegisterGlobalCounters(void)
834 {
835  StatsRegisterGlobalCounter("dns.memuse", DNSMemcapGetMemuseCounter);
836  StatsRegisterGlobalCounter("dns.memcap_state", DNSMemcapGetMemcapStateCounter);
837  StatsRegisterGlobalCounter("dns.memcap_global", DNSMemcapGetMemcapGlobalCounter);
838  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
839  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
840  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
841  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
842  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
843 }
844 
845 #define IPPROTOS_MAX 2
846 void AppLayerSetupCounters()
847 {
848  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
849  uint8_t ipproto;
850  AppProto alproto;
851  AppProto alprotos[ALPROTO_MAX];
852  const char *str = "app_layer.flow.";
853 
854  AppLayerProtoDetectSupportedAppProtocols(alprotos);
855 
856  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
857  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
858  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
859  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
860 
861  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
862  if (alprotos[alproto] == 1) {
863  const char *tx_str = "app_layer.tx.";
864  const char *alproto_str = AppLayerGetProtoName(alproto);
865 
866  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
867  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
868  {
869  snprintf(applayer_counter_names[ipproto_map][alproto].name,
870  sizeof(applayer_counter_names[ipproto_map][alproto].name),
871  "%s%s%s", str, alproto_str, ipproto_suffix);
872  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
873  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
874  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
875  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
876  }
877  } else {
878  snprintf(applayer_counter_names[ipproto_map][alproto].name,
879  sizeof(applayer_counter_names[ipproto_map][alproto].name),
880  "%s%s", str, alproto_str);
881  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
882  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
883  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
884  "%s%s", tx_str, alproto_str);
885  }
886  }
887  } else if (alproto == ALPROTO_FAILED) {
888  snprintf(applayer_counter_names[ipproto_map][alproto].name,
889  sizeof(applayer_counter_names[ipproto_map][alproto].name),
890  "%s%s%s", str, "failed", ipproto_suffix);
891  }
892  }
893  }
894 }
895 
896 void AppLayerRegisterThreadCounters(ThreadVars *tv)
897 {
898  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
899  uint8_t ipproto;
900  AppProto alproto;
901  AppProto alprotos[ALPROTO_MAX];
902 
903  AppLayerProtoDetectSupportedAppProtocols(alprotos);
904 
905  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
906  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
907 
908  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
909  if (alprotos[alproto] == 1) {
910  applayer_counters[ipproto_map][alproto].counter_id =
911  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
912 
913  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
914  applayer_counters[ipproto_map][alproto].counter_tx_id =
915  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
916  }
917  } else if (alproto == ALPROTO_FAILED) {
918  applayer_counters[ipproto_map][alproto].counter_id =
919  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
920  }
921  }
922  }
923 }
924 
925 void AppLayerDeSetupCounters()
926 {
927  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
928  memset(applayer_counters, 0, sizeof(applayer_counters));
929 }
930 
931 /***** Unittests *****/
932 
933 #ifdef UNITTESTS
934 #include "pkt-var.h"
935 #include "stream-tcp.h"
936 #include "stream-tcp-util.h"
937 #include "stream.h"
938 #include "util-unittest.h"
939 
940 #define TEST_START \
941  Packet *p = SCMalloc(SIZE_OF_PACKET);\
942  FAIL_IF_NULL(p);\
943  Flow f;\
944  ThreadVars tv;\
945  StreamTcpThread *stt = NULL;\
946  TCPHdr tcph;\
947  PacketQueue pq;\
948  memset(&pq,0,sizeof(PacketQueue));\
949  memset(p, 0, SIZE_OF_PACKET);\
950  memset (&f, 0, sizeof(Flow));\
951  memset(&tv, 0, sizeof (ThreadVars));\
952  memset(&tcph, 0, sizeof (TCPHdr));\
953 \
954  FLOW_INITIALIZE(&f);\
955  f.flags = FLOW_IPV4;\
956  f.proto = IPPROTO_TCP;\
957  p->flow = &f;\
958  p->tcph = &tcph;\
959 \
960  StreamTcpInitConfig(TRUE);\
961  IPPairInitConfig(TRUE); \
962  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
963 \
964  /* handshake */\
965  tcph.th_win = htons(5480);\
966  tcph.th_flags = TH_SYN;\
967  p->flowflags = FLOW_PKT_TOSERVER;\
968  p->payload_len = 0;\
969  p->payload = NULL;\
970  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
971  TcpSession *ssn = (TcpSession *)f.protoctx;\
972 \
973  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
974  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
975  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
976  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
977  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
978  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
979  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
980  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
981  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
982  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
983  FAIL_IF(ssn->data_first_seen_dir != 0);\
984 \
985  /* handshake */\
986  p->tcph->th_ack = htonl(1);\
987  p->tcph->th_flags = TH_SYN | TH_ACK;\
988  p->flowflags = FLOW_PKT_TOCLIENT;\
989  p->payload_len = 0;\
990  p->payload = NULL;\
991  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
992  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
993  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
994  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
995  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
996  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
997  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
998  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
999  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1000  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1001  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1002  FAIL_IF(ssn->data_first_seen_dir != 0);\
1003 \
1004  /* handshake */\
1005  p->tcph->th_ack = htonl(1);\
1006  p->tcph->th_seq = htonl(1);\
1007  p->tcph->th_flags = TH_ACK;\
1008  p->flowflags = FLOW_PKT_TOSERVER;\
1009  p->payload_len = 0;\
1010  p->payload = NULL;\
1011  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1012  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1013  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1014  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1015  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1016  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1017  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1018  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1019  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1020  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1021  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1022  FAIL_IF(ssn->data_first_seen_dir != 0);
1023 #define TEST_END \
1024  StreamTcpSessionClear(p->flow->protoctx);\
1025  StreamTcpThreadDeinit(&tv, (void *)stt); \
1026  StreamTcpFreeConfig(TRUE);\
1027  PACKET_DESTRUCTOR(p);\
1028  SCFree(p);\
1029  FLOW_DESTROY(&f); \
1030  StatsThreadCleanup(&tv);
1031 
1032 /**
1033  * \test GET -> HTTP/1.1
1034  */
1035 static int AppLayerTest01(void)
1036 {
1037  TEST_START;
1038 
1039  /* full request */
1040  uint8_t request[] = {
1041  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1042  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1043  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1044  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1045  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1046  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1047  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1048  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1049  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1050  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1051  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1052  p->tcph->th_ack = htonl(1);
1053  p->tcph->th_seq = htonl(1);
1054  p->tcph->th_flags = TH_PUSH | TH_ACK;
1055  p->flowflags = FLOW_PKT_TOSERVER;
1056  p->payload_len = sizeof(request);
1057  p->payload = request;
1058  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1059  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1060  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1061  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1062  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1063  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1064  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1065  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1066  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1067  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1068  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1069  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1070 
1071  /* full response - request ack */
1072  uint8_t response[] = {
1073  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1074  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1075  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1076  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1077  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1078  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1079  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1080  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1081  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1082  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1083  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1084  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1085  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1086  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1087  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1088  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1089  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1090  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1091  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1092  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1093  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1094  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1095  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1096  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1097  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1098  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1099  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1100  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1101  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1102  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1103  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1104  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1105  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1106  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1107  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1108  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1109  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1110  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1111  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1112  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1113  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1114  p->tcph->th_ack = htonl(88);
1115  p->tcph->th_seq = htonl(1);
1116  p->tcph->th_flags = TH_PUSH | TH_ACK;
1117  p->flowflags = FLOW_PKT_TOCLIENT;
1118  p->payload_len = sizeof(response);
1119  p->payload = response;
1120  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1121  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1122  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1123  FAIL_IF(f.alproto != ALPROTO_HTTP);
1124  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1125  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1126  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1127  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1128  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1129  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1130  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1131  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1132 
1133  /* response ack */
1134  p->tcph->th_ack = htonl(328);
1135  p->tcph->th_seq = htonl(88);
1136  p->tcph->th_flags = TH_ACK;
1137  p->flowflags = FLOW_PKT_TOSERVER;
1138  p->payload_len = 0;
1139  p->payload = NULL;
1140  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1141  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1142  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1143  FAIL_IF(f.alproto != ALPROTO_HTTP);
1144  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1145  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1146  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1147  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1148  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1149  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1150  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1151  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1152 
1153  TEST_END;
1154  PASS;
1155 }
1156 
1157 /**
1158  * \test GE -> T -> HTTP/1.1
1159  */
1160 static int AppLayerTest02(void)
1161 {
1162  TEST_START;
1163 
1164  /* partial request */
1165  uint8_t request1[] = { 0x47, 0x45, };
1166  p->tcph->th_ack = htonl(1);
1167  p->tcph->th_seq = htonl(1);
1168  p->tcph->th_flags = TH_PUSH | TH_ACK;
1169  p->flowflags = FLOW_PKT_TOSERVER;
1170  p->payload_len = sizeof(request1);
1171  p->payload = request1;
1172  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1173  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1174  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1175  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1176  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1177  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1178  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1179  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1180  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1181  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1182  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1183  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1184 
1185  /* response ack against partial request */
1186  p->tcph->th_ack = htonl(3);
1187  p->tcph->th_seq = htonl(1);
1188  p->tcph->th_flags = TH_ACK;
1189  p->flowflags = FLOW_PKT_TOCLIENT;
1190  p->payload_len = 0;
1191  p->payload = NULL;
1192  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1193  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1194  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1195  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1196  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1197  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1198  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1199  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1200  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1201  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1202  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1203  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1204 
1205  /* complete partial request */
1206  uint8_t request2[] = {
1207  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1208  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1209  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1210  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1211  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1212  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1213  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1214  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1215  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1216  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1217  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1218  p->tcph->th_ack = htonl(1);
1219  p->tcph->th_seq = htonl(3);
1220  p->tcph->th_flags = TH_PUSH | TH_ACK;
1221  p->flowflags = FLOW_PKT_TOSERVER;
1222  p->payload_len = sizeof(request2);
1223  p->payload = request2;
1224  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1225  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1226  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1227  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1228  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1229  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1230  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1231  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1232  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1233  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1234  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1235  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1236 
1237  /* response - request ack */
1238  uint8_t response[] = {
1239  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1240  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1241  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1242  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1243  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1244  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1245  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1246  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1247  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1248  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1249  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1250  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1251  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1252  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1253  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1254  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1255  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1256  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1257  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1258  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1259  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1260  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1261  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1262  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1263  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1264  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1265  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1266  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1267  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1268  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1269  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1270  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1271  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1272  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1273  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1274  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1275  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1276  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1277  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1278  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1279  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1280  p->tcph->th_ack = htonl(88);
1281  p->tcph->th_seq = htonl(1);
1282  p->tcph->th_flags = TH_PUSH | TH_ACK;
1283  p->flowflags = FLOW_PKT_TOCLIENT;
1284  p->payload_len = sizeof(response);
1285  p->payload = response;
1286  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1287  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1288  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1289  FAIL_IF(f.alproto != ALPROTO_HTTP);
1290  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1291  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1292  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1293  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1294  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1295  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1296  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1297  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1298 
1299  /* response ack */
1300  p->tcph->th_ack = htonl(328);
1301  p->tcph->th_seq = htonl(88);
1302  p->tcph->th_flags = TH_ACK;
1303  p->flowflags = FLOW_PKT_TOSERVER;
1304  p->payload_len = 0;
1305  p->payload = NULL;
1306  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1307  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1308  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1309  FAIL_IF(f.alproto != ALPROTO_HTTP);
1310  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1311  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1312  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1313  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1314  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1315  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1316  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1317  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1318 
1319  TEST_END;
1320  PASS;
1321 }
1322 
1323 /**
1324  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1325  */
1326 static int AppLayerTest03(void)
1327 {
1328  TEST_START;
1329 
1330  /* request */
1331  uint8_t request[] = {
1332  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1333  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1334  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1335  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1336  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1337  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1338  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1339  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1340  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1341  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1342  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1343  p->tcph->th_ack = htonl(1);
1344  p->tcph->th_seq = htonl(1);
1345  p->tcph->th_flags = TH_PUSH | TH_ACK;
1346  p->flowflags = FLOW_PKT_TOSERVER;
1347  p->payload_len = sizeof(request);
1348  p->payload = request;
1349  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1350  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1351  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1352  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1353  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1354  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1355  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1356  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1357  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1358  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1359  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1360  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1361 
1362  /* rubbish response */
1363  uint8_t response[] = {
1364  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1365  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1366  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1367  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1368  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1369  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1370  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1371  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1372  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1373  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1374  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1375  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1376  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1377  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1378  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1379  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1380  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1381  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1382  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1383  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1384  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1385  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1386  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1387  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1388  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1389  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1390  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1391  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1392  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1393  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1394  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1395  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1396  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1397  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1398  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1399  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1400  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1401  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1402  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1403  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1404  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1405  p->tcph->th_ack = htonl(88);
1406  p->tcph->th_seq = htonl(1);
1407  p->tcph->th_flags = TH_PUSH | TH_ACK;
1408  p->flowflags = FLOW_PKT_TOCLIENT;
1409  p->payload_len = sizeof(response);
1410  p->payload = response;
1411  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1412  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1413  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1414  FAIL_IF(f.alproto != ALPROTO_HTTP);
1415  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1416  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1417  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1418  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1419  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1420  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1421  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1422  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1423 
1424  /* response ack */
1425  p->tcph->th_ack = htonl(328);
1426  p->tcph->th_seq = htonl(88);
1427  p->tcph->th_flags = TH_ACK;
1428  p->flowflags = FLOW_PKT_TOSERVER;
1429  p->payload_len = 0;
1430  p->payload = NULL;
1431  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1432  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1433  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1434  FAIL_IF(f.alproto != ALPROTO_HTTP);
1435  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1436  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1437  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1438  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1439  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1440  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1441  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1442  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1443 
1444  TEST_END;
1445  PASS;
1446 }
1447 
1448 /**
1449  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1450  */
1451 static int AppLayerTest04(void)
1452 {
1453  TEST_START;
1454 
1455  /* request */
1456  uint8_t request[] = {
1457  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1458  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1459  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1460  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1461  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1462  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1463  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1464  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1465  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1466  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1467  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1468  PrintRawDataFp(stdout, request, sizeof(request));
1469  p->tcph->th_ack = htonl(1);
1470  p->tcph->th_seq = htonl(1);
1471  p->tcph->th_flags = TH_PUSH | TH_ACK;
1472  p->flowflags = FLOW_PKT_TOSERVER;
1473  p->payload_len = sizeof(request);
1474  p->payload = request;
1475  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1476  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1477  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1478  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1479  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1480  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1481  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1482  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1483  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1484  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1485  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1486  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1487 
1488  /* partial response */
1489  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1490  PrintRawDataFp(stdout, response1, sizeof(response1));
1491  p->tcph->th_ack = htonl(88);
1492  p->tcph->th_seq = htonl(1);
1493  p->tcph->th_flags = TH_PUSH | TH_ACK;
1494  p->flowflags = FLOW_PKT_TOCLIENT;
1495  p->payload_len = sizeof(response1);
1496  p->payload = response1;
1497  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1498  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1499  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1500  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1501  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1502  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1503  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1504  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1505  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1506  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1507  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1508  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1509 
1510  /* partial response ack */
1511  p->tcph->th_ack = htonl(5);
1512  p->tcph->th_seq = htonl(88);
1513  p->tcph->th_flags = TH_ACK;
1514  p->flowflags = FLOW_PKT_TOSERVER;
1515  p->payload_len = 0;
1516  p->payload = NULL;
1517  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1518  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1519  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1520  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1521  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1522  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1523  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1524  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1525  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1526  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1527  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1528  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1529 
1530  /* remaining response */
1531  uint8_t response2[] = {
1532  0x2f, 0x31, 0x2e, 0x31,
1533  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1534  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1535  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1536  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1537  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1538  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1539  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1540  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1541  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1542  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1543  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1544  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1545  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1546  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1547  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1548  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1549  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1550  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1551  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1552  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1553  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1554  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1555  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1556  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1557  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1558  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1559  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1560  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1561  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1562  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1563  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1564  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1565  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1566  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1567  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1568  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1569  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1570  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1571  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1572  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1573  PrintRawDataFp(stdout, response2, sizeof(response2));
1574  p->tcph->th_ack = htonl(88);
1575  p->tcph->th_seq = htonl(5);
1576  p->tcph->th_flags = TH_PUSH | TH_ACK;
1577  p->flowflags = FLOW_PKT_TOCLIENT;
1578  p->payload_len = sizeof(response2);
1579  p->payload = response2;
1580  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1581  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1582  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1583  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1584  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1585  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1586  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1587  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1588  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1589  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1590  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1591  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1592 
1593  /* response ack */
1594  p->tcph->th_ack = htonl(328);
1595  p->tcph->th_seq = htonl(88);
1596  p->tcph->th_flags = TH_ACK;
1597  p->flowflags = FLOW_PKT_TOSERVER;
1598  p->payload_len = 0;
1599  p->payload = NULL;
1600  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1601  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1602  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1603  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1604  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1605  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1606  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1607  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1608  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1609  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1610  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1611  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1612 
1613  TEST_END;
1614  PASS;
1615 }
1616 
1617 /**
1618  * \test RUBBISH -> HTTP/1.1
1619  */
1620 static int AppLayerTest05(void)
1621 {
1622  TEST_START;
1623 
1624  /* full request */
1625  uint8_t request[] = {
1626  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1627  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1628  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1629  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1630  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1631  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1632  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1633  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1634  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1635  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1636  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1637  PrintRawDataFp(stdout, request, sizeof(request));
1638  p->tcph->th_ack = htonl(1);
1639  p->tcph->th_seq = htonl(1);
1640  p->tcph->th_flags = TH_PUSH | TH_ACK;
1641  p->flowflags = FLOW_PKT_TOSERVER;
1642  p->payload_len = sizeof(request);
1643  p->payload = request;
1644  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1645  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1646  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1647  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1648  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1649  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1650  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1651  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1652  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1653  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1654  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1655  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1656 
1657  /* full response - request ack */
1658  uint8_t response[] = {
1659  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1660  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1661  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1662  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1663  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1664  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1665  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1666  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1667  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1668  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1669  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1670  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1671  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1672  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1673  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1674  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1675  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1676  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1677  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1678  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1679  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1680  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1681  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1682  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1683  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1684  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1685  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1686  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1687  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1688  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1689  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1690  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1691  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1692  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1693  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1694  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1695  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1696  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1697  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1698  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1699  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1700  PrintRawDataFp(stdout, response, sizeof(response));
1701  p->tcph->th_ack = htonl(88);
1702  p->tcph->th_seq = htonl(1);
1703  p->tcph->th_flags = TH_PUSH | TH_ACK;
1704  p->flowflags = FLOW_PKT_TOCLIENT;
1705  p->payload_len = sizeof(response);
1706  p->payload = response;
1707  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1708  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1709  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1710  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1711  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1712  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1713  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1714  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1715  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1716  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1717  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1718  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1719 
1720  /* response ack */
1721  p->tcph->th_ack = htonl(328);
1722  p->tcph->th_seq = htonl(88);
1723  p->tcph->th_flags = TH_ACK;
1724  p->flowflags = FLOW_PKT_TOSERVER;
1725  p->payload_len = 0;
1726  p->payload = NULL;
1727  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1728  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1729  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1730  FAIL_IF(f.alproto != ALPROTO_HTTP);
1731  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1732  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1733  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1734  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1735  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1736  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1737  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1738  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1739 
1740  TEST_END;
1741  PASS;
1742 }
1743 
1744 /**
1745  * \test HTTP/1.1 -> GET
1746  */
1747 static int AppLayerTest06(void)
1748 {
1749  TEST_START;
1750 
1751  /* full response - request ack */
1752  uint8_t response[] = {
1753  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1754  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1755  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1756  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1757  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1758  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1759  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1760  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1761  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1762  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1763  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1764  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1765  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1766  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1767  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1768  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1769  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1770  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1771  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1772  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1773  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1774  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1775  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1776  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1777  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1778  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1779  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1780  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1781  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1782  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1783  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1784  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1785  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1786  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1787  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1788  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1789  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1790  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1791  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1792  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1793  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1794  p->tcph->th_ack = htonl(1);
1795  p->tcph->th_seq = htonl(1);
1796  p->tcph->th_flags = TH_PUSH | TH_ACK;
1797  p->flowflags = FLOW_PKT_TOCLIENT;
1798  p->payload_len = sizeof(response);
1799  p->payload = response;
1800  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1801  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1802  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1803  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1804  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1805  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1806  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1807  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1808  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1809  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1810  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1811  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1812 
1813  /* full request - response ack*/
1814  uint8_t request[] = {
1815  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1816  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1817  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1818  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1819  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1820  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1821  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1822  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1823  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1824  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1825  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1826  p->tcph->th_ack = htonl(328);
1827  p->tcph->th_seq = htonl(1);
1828  p->tcph->th_flags = TH_PUSH | TH_ACK;
1829  p->flowflags = FLOW_PKT_TOSERVER;
1830  p->payload_len = sizeof(request);
1831  p->payload = request;
1832  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1833  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1834  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1835  FAIL_IF(f.alproto != ALPROTO_HTTP);
1836  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1837  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1838  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1839  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1840  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1841  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1842  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1843  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1844 
1845  p->tcph->th_ack = htonl(1 + sizeof(request));
1846  p->tcph->th_seq = htonl(328);
1847  p->tcph->th_flags = TH_PUSH | TH_ACK;
1848  p->flowflags = FLOW_PKT_TOCLIENT;
1849  p->payload_len = 0;
1850  p->payload = NULL;
1851  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1852  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1853  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1854  FAIL_IF(f.alproto != ALPROTO_HTTP);
1855  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1856  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1857  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1858  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1859  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1860  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1861  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1862  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1863 
1864  TEST_END;
1865  PASS;
1866 }
1867 
1868 /**
1869  * \test GET -> DCERPC
1870  */
1871 static int AppLayerTest07(void)
1872 {
1873  TEST_START;
1874 
1875  /* full request */
1876  uint8_t request[] = {
1877  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1878  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1879  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1880  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1881  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1882  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1883  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1884  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1885  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1886  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1887  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1888  p->tcph->th_ack = htonl(1);
1889  p->tcph->th_seq = htonl(1);
1890  p->tcph->th_flags = TH_PUSH | TH_ACK;
1891  p->flowflags = FLOW_PKT_TOSERVER;
1892  p->payload_len = sizeof(request);
1893  p->payload = request;
1894  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1895  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1896  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1897  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1898  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1899  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1900  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1901  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1902  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1903  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1904  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1905  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1906 
1907  /* full response - request ack */
1908  uint8_t response[] = {
1909  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1910  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1911  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1912  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1913  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1914  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1915  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1916  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1917  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1918  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1919  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1920  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1921  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1922  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1923  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1924  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1925  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1926  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1927  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1928  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1929  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1930  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1931  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1932  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1933  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1934  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1935  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1936  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1937  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1938  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1939  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1940  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1941  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1942  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1943  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1944  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1945  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1946  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1947  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1948  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1949  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1950  p->tcph->th_ack = htonl(88);
1951  p->tcph->th_seq = htonl(1);
1952  p->tcph->th_flags = TH_PUSH | TH_ACK;
1953  p->flowflags = FLOW_PKT_TOCLIENT;
1954  p->payload_len = sizeof(response);
1955  p->payload = response;
1956  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1957  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1958  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1959  FAIL_IF(f.alproto != ALPROTO_HTTP);
1960  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1961  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1962  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1963  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1964  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1965  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1966  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1967  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1968 
1969  /* response ack */
1970  p->tcph->th_ack = htonl(328);
1971  p->tcph->th_seq = htonl(88);
1972  p->tcph->th_flags = TH_ACK;
1973  p->flowflags = FLOW_PKT_TOSERVER;
1974  p->payload_len = 0;
1975  p->payload = NULL;
1976  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1977  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1978  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1979  FAIL_IF(f.alproto != ALPROTO_HTTP);
1980  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1981  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
1982  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1983  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1984  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1985  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1986  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1987  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1988 
1989  TEST_END;
1990  PASS;
1991 }
1992 
1993 /**
1994  * \test SMB -> HTTP/1.1
1995  */
1996 static int AppLayerTest08(void)
1997 {
1998  TEST_START;
1999 
2000  /* full request */
2001  uint8_t request[] = {
2002  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2003  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2004  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2005  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2006  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2007  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2008  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2009  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2010  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2011  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2012  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2013  p->tcph->th_ack = htonl(1);
2014  p->tcph->th_seq = htonl(1);
2015  p->tcph->th_flags = TH_PUSH | TH_ACK;
2016  p->flowflags = FLOW_PKT_TOSERVER;
2017  p->payload_len = sizeof(request);
2018  p->payload = request;
2019  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2020  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2021  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2022  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2023  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2024  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2025  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2026  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2027  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2028  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2029  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2030  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2031 
2032  /* full response - request ack */
2033  uint8_t response[] = {
2034  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2035  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2036  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2037  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2038  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2039  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2040  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2041  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2042  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2043  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2044  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2045  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2046  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2047  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2048  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2049  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2050  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2051  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2052  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2053  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2054  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2055  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2056  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2057  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2058  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2059  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2060  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2061  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2062  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2063  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2064  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2065  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2066  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2067  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2068  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2069  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2070  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2071  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2072  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2073  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2074  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2075  p->tcph->th_ack = htonl(88);
2076  p->tcph->th_seq = htonl(1);
2077  p->tcph->th_flags = TH_PUSH | TH_ACK;
2078  p->flowflags = FLOW_PKT_TOCLIENT;
2079  p->payload_len = sizeof(response);
2080  p->payload = response;
2081  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2082  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2083  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2084  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2085  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2086  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2087  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2088  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2089  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2090  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2091  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2092  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2093 
2094  /* response ack */
2095  p->tcph->th_ack = htonl(328);
2096  p->tcph->th_seq = htonl(88);
2097  p->tcph->th_flags = TH_ACK;
2098  p->flowflags = FLOW_PKT_TOSERVER;
2099  p->payload_len = 0;
2100  p->payload = NULL;
2101  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2102  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2103  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2104  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2105  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2106  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2107  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2108  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2109  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2110  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2111  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2112  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2113 
2114  TEST_END;
2115  PASS;
2116 }
2117 
2118 /**
2119  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2120  * RUBBISH(TC - PM and PP DONE) ->
2121  * RUBBISH(TS - PM and PP DONE)
2122  */
2123 static int AppLayerTest09(void)
2124 {
2125  TEST_START;
2126 
2127  /* full request */
2128  uint8_t request1[] = {
2129  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2130  p->tcph->th_ack = htonl(1);
2131  p->tcph->th_seq = htonl(1);
2132  p->tcph->th_flags = TH_PUSH | TH_ACK;
2133  p->flowflags = FLOW_PKT_TOSERVER;
2134  p->payload_len = sizeof(request1);
2135  p->payload = request1;
2136  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2137  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2138  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2139  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2140  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2141  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2142  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2143  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2144  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2145  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2146  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2147  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2148 
2149  /* response - request ack */
2150  p->tcph->th_ack = htonl(9);
2151  p->tcph->th_seq = htonl(1);
2152  p->tcph->th_flags = TH_PUSH | TH_ACK;
2153  p->flowflags = FLOW_PKT_TOCLIENT;
2154  p->payload_len = 0;
2155  p->payload = NULL;
2156  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2157  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2158  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2159  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2160  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2161  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2162  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2163  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2164  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2165  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2166  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2167  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2168 
2169  /* full request */
2170  uint8_t request2[] = {
2171  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2172  p->tcph->th_ack = htonl(1);
2173  p->tcph->th_seq = htonl(9);
2174  p->tcph->th_flags = TH_PUSH | TH_ACK;
2175  p->flowflags = FLOW_PKT_TOSERVER;
2176  p->payload_len = sizeof(request2);
2177  p->payload = request2;
2178  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2179  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2180  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2181  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2182  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2183  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2184  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2185  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2186  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2187  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2188  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2189  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2190 
2191  /* full response - request ack */
2192  uint8_t response[] = {
2193  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2194  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2195  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2196  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2197  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2198  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2199  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2200  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2201  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2202  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2203  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2204  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2205  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2206  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2207  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2208  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2209  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2210  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2211  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2212  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2213  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2214  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2215  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2216  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2217  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2218  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2219  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2220  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2221  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2222  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2223  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2224  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2225  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2226  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2227  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2228  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2229  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2230  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2231  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2232  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2233  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2234  p->tcph->th_ack = htonl(18);
2235  p->tcph->th_seq = htonl(1);
2236  p->tcph->th_flags = TH_PUSH | TH_ACK;
2237  p->flowflags = FLOW_PKT_TOCLIENT;
2238  p->payload_len = sizeof(response);
2239  p->payload = response;
2240  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2241  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2242  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2243  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2244  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2245  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2246  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2247  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2248  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2249  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2250  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2251  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2252 
2253  /* response ack */
2254  p->tcph->th_ack = htonl(328);
2255  p->tcph->th_seq = htonl(18);
2256  p->tcph->th_flags = TH_ACK;
2257  p->flowflags = FLOW_PKT_TOSERVER;
2258  p->payload_len = 0;
2259  p->payload = NULL;
2260  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2261  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2262  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2263  FAIL_IF(f.alproto != ALPROTO_FAILED);
2264  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2265  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2266  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2267  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2268  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2269  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2270  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2271  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2272 
2273  TEST_END;
2274  PASS;
2275 }
2276 
2277 /**
2278  * \test RUBBISH(TC - PM and PP DONE) ->
2279  * RUBBISH(TS - PM and PP DONE)
2280  */
2281 static int AppLayerTest10(void)
2282 {
2283  TEST_START;
2284 
2285  /* full request */
2286  uint8_t request1[] = {
2287  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2288  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2289  p->tcph->th_ack = htonl(1);
2290  p->tcph->th_seq = htonl(1);
2291  p->tcph->th_flags = TH_PUSH | TH_ACK;
2292  p->flowflags = FLOW_PKT_TOSERVER;
2293  p->payload_len = sizeof(request1);
2294  p->payload = request1;
2295  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2296  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2297  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2298  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2299  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2300  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2301  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2302  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2303  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2304  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2305  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2306  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2307 
2308  /* response - request ack */
2309  p->tcph->th_ack = htonl(18);
2310  p->tcph->th_seq = htonl(1);
2311  p->tcph->th_flags = TH_PUSH | TH_ACK;
2312  p->flowflags = FLOW_PKT_TOCLIENT;
2313  p->payload_len = 0;
2314  p->payload = NULL;
2315  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2316  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2317  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2318  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2319  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2320  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2321  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2322  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2323  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2324  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2325  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2326  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2327 
2328  /* full response - request ack */
2329  uint8_t response[] = {
2330  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2331  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2332  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2333  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2334  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2335  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2336  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2337  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2338  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2339  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2340  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2341  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2342  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2343  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2344  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2345  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2346  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2347  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2348  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2349  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2350  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2351  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2352  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2353  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2354  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2355  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2356  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2357  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2358  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2359  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2360  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2361  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2362  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2363  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2364  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2365  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2366  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2367  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2368  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2369  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2370  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2371  p->tcph->th_ack = htonl(18);
2372  p->tcph->th_seq = htonl(1);
2373  p->tcph->th_flags = TH_PUSH | TH_ACK;
2374  p->flowflags = FLOW_PKT_TOCLIENT;
2375  p->payload_len = sizeof(response);
2376  p->payload = response;
2377  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2378  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2379  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2380  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2381  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2382  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2383  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2384  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2385  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2386  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2387  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2388  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2389 
2390  /* response ack */
2391  p->tcph->th_ack = htonl(328);
2392  p->tcph->th_seq = htonl(18);
2393  p->tcph->th_flags = TH_ACK;
2394  p->flowflags = FLOW_PKT_TOSERVER;
2395  p->payload_len = 0;
2396  p->payload = NULL;
2397  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2398  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2399  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2400  FAIL_IF(f.alproto != ALPROTO_FAILED);
2401  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2402  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2403  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2404  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2405  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2406  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2407  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2408  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2409 
2410  TEST_END;
2411  PASS;
2412 }
2413 
2414 /**
2415  * \test RUBBISH(TC - PM and PP DONE) ->
2416  * RUBBISH(TS - PM and PP NOT DONE) ->
2417  * RUBBISH(TS - PM and PP DONE)
2418  */
2419 static int AppLayerTest11(void)
2420 {
2421  TEST_START;
2422 
2423  /* full request */
2424  uint8_t request1[] = {
2425  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2426  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2427  p->tcph->th_ack = htonl(1);
2428  p->tcph->th_seq = htonl(1);
2429  p->tcph->th_flags = TH_PUSH | TH_ACK;
2430  p->flowflags = FLOW_PKT_TOSERVER;
2431  p->payload_len = sizeof(request1);
2432  p->payload = request1;
2433  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2434  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2435  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2436  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2437  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2438  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2439  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2440  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2441  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2442  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2443  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2444  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2445 
2446  /* response - request ack */
2447  p->tcph->th_ack = htonl(18);
2448  p->tcph->th_seq = htonl(1);
2449  p->tcph->th_flags = TH_PUSH | TH_ACK;
2450  p->flowflags = FLOW_PKT_TOCLIENT;
2451  p->payload_len = 0;
2452  p->payload = NULL;
2453  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2454  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2455  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2456  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2457  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2458  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2459  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2460  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2461  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2462  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2463  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2464  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2465 
2466  /* full response - request ack */
2467  uint8_t response1[] = {
2468  0x55, 0x74, 0x54, 0x50, };
2469  p->tcph->th_ack = htonl(18);
2470  p->tcph->th_seq = htonl(1);
2471  p->tcph->th_flags = TH_PUSH | TH_ACK;
2472  p->flowflags = FLOW_PKT_TOCLIENT;
2473  p->payload_len = sizeof(response1);
2474  p->payload = response1;
2475  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2476  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2477  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2478  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2479  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2480  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2481  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2482  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2483  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2484  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2485  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2486  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2487 
2488  /* response ack from request */
2489  p->tcph->th_ack = htonl(5);
2490  p->tcph->th_seq = htonl(18);
2491  p->tcph->th_flags = TH_ACK;
2492  p->flowflags = FLOW_PKT_TOSERVER;
2493  p->payload_len = 0;
2494  p->payload = NULL;
2495  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2496  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2497  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2498  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2499  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2500  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2501  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2502  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2503  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2504  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2505  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2506  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2507 
2508  uint8_t response2[] = {
2509  0x2f, 0x31, 0x2e, 0x31,
2510  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2511  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2512  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2513  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2514  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2515  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2516  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2517  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2518  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2519  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2520  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2521  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2522  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2523  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2524  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2525  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2526  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2527  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2528  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2529  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2530  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2531  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2532  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2533  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2534  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2535  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2536  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2537  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2538  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2539  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2540  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2541  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2542  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2543  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2544  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2545  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2546  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2547  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2548  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2549  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2550  p->tcph->th_ack = htonl(18);
2551  p->tcph->th_seq = htonl(5);
2552  p->tcph->th_flags = TH_PUSH | TH_ACK;
2553  p->flowflags = FLOW_PKT_TOCLIENT;
2554  p->payload_len = sizeof(response2);
2555  p->payload = response2;
2556  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2557  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2558  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2559  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2560  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2561  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2562  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2563  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2564  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2565  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2566  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2567  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2568 
2569  /* response ack from request */
2570  p->tcph->th_ack = htonl(328);
2571  p->tcph->th_seq = htonl(18);
2572  p->tcph->th_flags = TH_ACK;
2573  p->flowflags = FLOW_PKT_TOSERVER;
2574  p->payload_len = 0;
2575  p->payload = NULL;
2576  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2577  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2578  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2579  FAIL_IF(f.alproto != ALPROTO_FAILED);
2580  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2581  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2582  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2583  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2584  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2585  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2586  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2587  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2588 
2589  TEST_END;
2590  PASS;
2591 }
2592 
2593 void AppLayerUnittestsRegister(void)
2594 {
2595  SCEnter();
2596 
2597  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2598  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2599  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2600  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2601  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2602  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2603  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2604  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2605  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2606  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2607  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2608 
2609  SCReturn;
2610 }
2611 
2612 #endif /* UNITTESTS */
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:1914
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:98
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:416
flags
uint16_t flags
Definition: app-layer-dns-common.h:39
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1615
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:409
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:572
TEST_END
#define TEST_END
Definition: app-layer.c:1023
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:81
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:267
Flow_::proto
uint8_t proto
Definition: flow.h:346
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:771
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1427
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:237
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:195
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:821
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:540
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:186
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:97
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:845
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:73
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:210
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:756
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:66
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:566
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
DNSMemcapGetMemcapStateCounter
uint64_t DNSMemcapGetMemcapStateCounter(void)
Definition: app-layer-dns-common.c:112
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:69
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:106
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:525
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:241
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:826
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:722
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1646
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:269
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:64
DNSMemcapGetMemcapGlobalCounter
uint64_t DNSMemcapGetMemcapGlobalCounter(void)
Definition: app-layer-dns-common.c:118
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:157
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:736
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:351
Flow_::protoctx
void * protoctx
Definition: flow.h:398
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:118
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1478
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:67
AppLayerCounters_
Definition: app-layer.c:80
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4670
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:413
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:408
str
#define str(s)
Definition: suricata-common.h:258
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:250
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:82
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:783
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:240
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:268
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1125
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2593
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:438
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1367
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:38
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:112
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:275
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1000
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:262
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:273
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1354
Packet_
Definition: decode.h:406
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1718
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:213
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:925
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:174
TcpStream_
Definition: stream-tcp-private.h:94
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:1897
SCFree
#define SCFree(a)
Definition: util-mem.h:236
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:266
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:241
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:805
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:833
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:161
STREAM_START
#define STREAM_START
Definition: stream.h:29
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:846
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
TEST_START
#define TEST_START
Definition: app-layer.c:940
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:197
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:248
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6289
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:729
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1860
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:249
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1101
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:660
SCReturn
#define SCReturn
Definition: util-debug.h:339
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1806
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:194
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:407
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:163
Packet_::flags
uint32_t flags
Definition: decode.h:442
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:546
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:65
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6283
DNSMemcapGetMemuseCounter
uint64_t DNSMemcapGetMemuseCounter(void)
Definition: app-layer-dns-common.c:106
AppLayerParserProtocolIsTxAware
int AppLayerParserProtocolIsTxAware(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1305
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:1919
AppLayerCounterNames_
Definition: app-layer.c:75
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:277
Flow_::protomap
uint8_t protomap
Definition: flow.h:402
Flow_
Flow data structure.
Definition: flow.h:327
Packet_::payload
uint8_t * payload
Definition: decode.h:545
Flow_::flags
uint32_t flags
Definition: flow.h:377
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:896
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1050
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:182
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1126
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186