suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-htp-range.h"
35 #include "app-layer-detect-proto.h"
36 #include "app-layer-frames.h"
37 #include "app-layer-events.h"
38 #include "stream-tcp-reassemble.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-inline.h"
41 #include "stream-tcp.h"
42 #include "flow.h"
43 #include "flow-util.h"
44 #include "flow-private.h"
45 #include "ippair.h"
46 #include "util-debug.h"
47 #include "util-print.h"
48 #include "util-profiling.h"
49 #include "util-validate.h"
50 #include "decode-events.h"
51 #include "app-layer-htp-mem.h"
52 #include "util-exception-policy.h"
53 
54 extern bool g_stats_eps_per_app_proto_errors;
55 /**
56  * \brief This is for the app layer in general and it contains per thread
57  * context relevant to both the alpd and alp.
58  */
59 struct AppLayerThreadCtx_ {
60  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
61  AppLayerProtoDetectThreadCtx *alpd_tctx;
62  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
63  AppLayerParserThreadCtx *alp_tctx;
64 
65 #ifdef PROFILING
66  uint64_t ticks_start;
67  uint64_t ticks_end;
68  uint64_t ticks_spent;
69  AppProto alproto;
70  uint64_t proto_detect_ticks_start;
71  uint64_t proto_detect_ticks_end;
72  uint64_t proto_detect_ticks_spent;
73 #endif
74 };
75 
76 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
77 
78 #define MAX_COUNTER_SIZE 64
79 typedef struct AppLayerCounterNames_ {
80  char name[MAX_COUNTER_SIZE];
81  char tx_name[MAX_COUNTER_SIZE];
82  char gap_error[MAX_COUNTER_SIZE];
83  char parser_error[MAX_COUNTER_SIZE];
84  char internal_error[MAX_COUNTER_SIZE];
85  char alloc_error[MAX_COUNTER_SIZE];
86  char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE];
87 } AppLayerCounterNames;
88 
89 typedef struct AppLayerCounters_ {
90  StatsCounterId counter_id;
91  StatsCounterId counter_tx_id;
92  StatsCounterId gap_error_id;
93  StatsCounterId parser_error_id;
94  StatsCounterId internal_error_id;
95  StatsCounterId alloc_error_id;
96  ExceptionPolicyCounters eps_error;
97 } AppLayerCounters;
98 
99 /* counter names. Only used at init. */
100 AppLayerCounterNames (*applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX];
101 /* counter id's. Used that runtime. */
102 AppLayerCounters (*applayer_counters)[FLOW_PROTO_APPLAYER_MAX];
103 /* Exception policy global counters ids */
104 ExceptionPolicyCounters eps_error_summary;
105 
106 /* Settings order as in the enum */
107 // clang-format off
108 ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
109  .valid_settings_ids = {
110  /* EXCEPTION_POLICY_NOT_SET */ false,
111  /* EXCEPTION_POLICY_AUTO */ false,
112  /* EXCEPTION_POLICY_PASS_PACKET */ true,
113  /* EXCEPTION_POLICY_PASS_FLOW */ true,
114  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
115  /* EXCEPTION_POLICY_DROP_PACKET */ false,
116  /* EXCEPTION_POLICY_DROP_FLOW */ false,
117  /* EXCEPTION_POLICY_REJECT */ true,
118  /* EXCEPTION_POLICY_REJECT_BOTH */ true,
119  },
120  .valid_settings_ips = {
121  /* EXCEPTION_POLICY_NOT_SET */ false,
122  /* EXCEPTION_POLICY_AUTO */ false,
123  /* EXCEPTION_POLICY_PASS_PACKET */ true,
124  /* EXCEPTION_POLICY_PASS_FLOW */ true,
125  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
126  /* EXCEPTION_POLICY_DROP_PACKET */ true,
127  /* EXCEPTION_POLICY_DROP_FLOW */ true,
128  /* EXCEPTION_POLICY_REJECT */ true,
129  /* EXCEPTION_POLICY_REJECT_BOTH */ true,
130  },
131 };
132 // clang-format on
133 
134 void AppLayerSetupCounters(void);
135 void AppLayerDeSetupCounters(void);
136 
137 /***** L7 layer dispatchers *****/
138 
139 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
140  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
141  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
142  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
143 }
144 
145 /**
146  * \note id can be 0 if protocol parser is disabled but detection
147  * is enabled.
148  */
149 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
150 {
151  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].counter_id;
152  if (likely(tv && id.id > 0)) {
153  StatsCounterIncr(&tv->stats, id);
154  }
155 }
156 
157 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, int64_t step)
158 {
159  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].counter_tx_id;
160  if (likely(tv && id.id > 0)) {
161  StatsCounterAddI64(&tv->stats, id, step);
162  }
163 }
164 
165 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
166 {
167  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].gap_error_id;
168  if (likely(tv && id.id > 0)) {
169  StatsCounterIncr(&tv->stats, id);
170  }
171 }
172 
173 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
174 {
175  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].alloc_error_id;
176  if (likely(tv && id.id > 0)) {
177  StatsCounterIncr(&tv->stats, id);
178  }
179 }
180 
181 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
182 {
183  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].parser_error_id;
184  if (likely(tv && id.id > 0)) {
185  StatsCounterIncr(&tv->stats, id);
186  }
187 }
188 
189 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
190 {
191  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].internal_error_id;
192  if (likely(tv && id.id > 0)) {
193  StatsCounterIncr(&tv->stats, id);
194  }
195 }
196 
197 static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum ExceptionPolicy policy)
198 {
199 #ifdef UNITTESTS
200  if (tv == NULL) {
201  return;
202  }
203 #endif
204  StatsCounterId id = applayer_counters[f->alproto][f->protomap].eps_error.eps_id[policy];
205  /* for the summary values */
206  StatsCounterId g_id = eps_error_summary.eps_id[policy];
207 
208  if (likely(id.id > 0)) {
209  StatsCounterIncr(&tv->stats, id);
210  }
211  if (likely(g_id.id > 0)) {
212  StatsCounterIncr(&tv->stats, g_id);
213  }
214 }
215 
216 /* in IDS mode protocol detection is done in reverse order:
217  * when TCP data is ack'd. We want to flag the correct packet,
218  * so in this case we set a flag in the flow so that the first
219  * packet in the correct direction can be tagged.
220  *
221  * For IPS we update packet and flow. */
222 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
223 {
224  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
225  if (flags & STREAM_TOSERVER) {
226  if (p->flowflags & FLOW_PKT_TOSERVER) {
227  p->flags |= PKT_PROTO_DETECT_TS_DONE;
228  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
229  } else {
230  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
231  }
232  } else {
233  if (p->flowflags & FLOW_PKT_TOCLIENT) {
234  p->flags |= PKT_PROTO_DETECT_TC_DONE;
235  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
236  } else {
237  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
238  }
239  }
240  } else {
241  if (flags & STREAM_TOSERVER) {
242  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
243  } else {
244  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
245  }
246  }
247 }
248 
249 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
250 {
251  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
252  f, f->alproto, f->alproto_ts, f->alproto_tc);
253  FlowCleanupAppLayer(f);
254  StreamTcpDisableAppLayer(f);
255  TcpSession *ssn = f->protoctx;
256  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
257  f->alproto = ALPROTO_FAILED;
258  AppLayerIncFlowCounter(tv, f);
259 
260  if (f->alproto_tc != ALPROTO_FAILED) {
261  if (f->alproto_tc == ALPROTO_UNKNOWN) {
262  f->alproto_tc = ALPROTO_FAILED;
263  }
264  FlagPacketFlow(p, f, STREAM_TOCLIENT);
265  }
266  if (f->alproto_ts != ALPROTO_FAILED) {
267  if (f->alproto_ts == ALPROTO_UNKNOWN) {
268  f->alproto_ts = ALPROTO_FAILED;
269  }
270  FlagPacketFlow(p, f, STREAM_TOSERVER);
271  }
272  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
273  f, f->alproto, f->alproto_ts, f->alproto_tc);
274 }
275 
276 /* See if we're going to have to give up:
277  *
278  * If we're getting a lot of data in one direction and the
279  * proto for this direction is unknown, proto detect will
280  * hold up segments in the segment list in the stream.
281  * They are held so that if we detect the protocol on the
282  * opposing stream, we can still parse this side of the stream
283  * as well. However, some sessions are very unbalanced. FTP
284  * data channels, large PUT/POST request and many others, can
285  * lead to cases where we would have to store many megabytes
286  * worth of segments before we see the opposing stream. This
287  * leads to risks of resource starvation.
288  *
289  * Here a cutoff point is enforced. If we've stored 100k in
290  * one direction and we've seen no data in the other direction,
291  * we give up.
292  *
293  * Giving up means we disable applayer an set an applayer event
294  */
295 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
296  Flow *f, TcpSession *ssn, Packet *p)
297 {
298  if (ssn->state < TCP_ESTABLISHED) {
299  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
300  return;
301  }
302 
303  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
304  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
305  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
306 
307  /* at least 100000 whatever the conditions
308  * and can be more if window is bigger and if configuration allows it */
309  const uint32_t size_tc_limit =
310  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
311  const uint32_t size_ts_limit =
312  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
313 
314  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
315  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
316  {
317  goto failure;
318 
319  /* we bail out whatever the pp and pm states if
320  * we received too much data */
321  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
322  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
323  goto failure;
324 
325  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
326  size_ts > size_ts_limit && size_tc == 0) {
327  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
328  goto failure;
329 
330  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
331  size_tc > size_tc_limit && size_ts == 0) {
332  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
333  goto failure;
334 
335  /* little data in ts direction, pp done, pm not done (max
336  * depth not reached), ts direction done, lots of data in
337  * tc direction. */
338  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
339  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
340  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
341  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
342  goto failure;
343 
344  /* little data in tc direction, pp done, pm not done (max
345  * depth not reached), tc direction done, lots of data in
346  * ts direction. */
347  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
348  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
349  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
350  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
351  goto failure;
352  }
353  return;
354 
355 failure:
356  DisableAppLayer(tv, f, p);
357 }
358 
359 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
360  Packet *p, TcpSession *ssn, const TcpStream *stream)
361 {
362  TcpStream *opposing_stream = NULL;
363  if (stream == &ssn->client) {
364  opposing_stream = &ssn->server;
365  } else {
366  opposing_stream = &ssn->client;
367  }
368 
369  /* if the opposing side is not going to work, then
370  * we just have to give up. */
371  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
372  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
373  return -1;
374  }
375 
376  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
377  UPDATE_DIR_OPPOSING :
378  UPDATE_DIR_PACKET;
379  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
380  opposing_stream, p, dir);
381  return ret;
382 }
383 
384 extern enum ExceptionPolicy g_applayerparser_error_policy;
385 
386 /** \todo data const
387  * \retval int -1 error
388  * \retval int 0 ok
389  */
390 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
391  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
392  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
393 {
394  AppProto *alproto;
395  AppProto *alproto_otherdir;
396  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
397 
398  if (flags & STREAM_TOSERVER) {
399  alproto = &f->alproto_ts;
400  alproto_otherdir = &f->alproto_tc;
401  } else {
402  alproto = &f->alproto_tc;
403  alproto_otherdir = &f->alproto_ts;
404  }
405 
406  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
407 #ifdef PRINT
408  if (data_len > 0) {
409  printf("=> Init Stream Data (app layer) -- start %s%s\n",
410  flags & STREAM_TOCLIENT ? "toclient" : "",
411  flags & STREAM_TOSERVER ? "toserver" : "");
412  PrintRawDataFp(stdout, data, data_len);
413  printf("=> Init Stream Data -- end\n");
414  }
415 #endif
416 
417  bool reverse_flow = false;
418  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
419  PACKET_PROFILING_APP_PD_START(app_tctx);
420  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
421  f, data, data_len,
422  IPPROTO_TCP, flags, &reverse_flow);
423  PACKET_PROFILING_APP_PD_END(app_tctx);
424  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
425 
426  if (*alproto != ALPROTO_UNKNOWN) {
427  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
428  SCAppLayerDecoderEventsSetEventRaw(
429  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
430 
431  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
432  /* if we already invoked the parser, we go with that proto */
433  f->alproto = *alproto_otherdir;
434  } else {
435  /* no data sent to parser yet, we can still choose
436  * we're trusting the server more. */
437  if (flags & STREAM_TOCLIENT)
438  f->alproto = *alproto;
439  else
440  f->alproto = *alproto_otherdir;
441  }
442  } else {
443  f->alproto = *alproto;
444  }
445 
446  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
447  TcpSessionSetReassemblyDepth(ssn,
448  AppLayerParserGetStreamDepth(f));
449  FlagPacketFlow(p, f, flags);
450 
451  /* if protocol detection indicated that we need to reverse
452  * the direction of the flow, do it now. We flip the flow,
453  * packet and the direction flags */
454  if (reverse_flow &&
455  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
456  STREAMTCP_FLAG_MIDSTREAM)) {
457  /* but only if we didn't already detect it on the other side. */
458  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
459  SCLogDebug("reversing flow after proto detect told us so");
460  PacketSwap(p);
461  FlowSwap(f);
462  // Will reset signature groups in DetectRunSetup
463  f->de_ctx_version = UINT32_MAX;
464  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
465  if (*stream == &ssn->client) {
466  *stream = &ssn->server;
467  } else {
468  *stream = &ssn->client;
469  }
470  direction = 1 - direction;
471  } else {
472  // TODO event, error?
473  }
474  }
475 
476  /* account flow if we have both sides */
477  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
478  AppLayerIncFlowCounter(tv, f);
479  }
480 
481  /* if we have seen data from the other direction first, send
482  * data for that direction first to the parser. This shouldn't
483  * be an issue, since each stream processing happens
484  * independently of the other stream direction. At this point of
485  * call, you need to know that this function's already being
486  * called by the very same StreamReassembly() function that we
487  * will now call shortly for the opposing direction. */
488  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
489  !(flags & ssn->data_first_seen_dir))
490  {
491  SCLogDebug("protocol %s needs first data in other direction",
492  AppProtoToString(*alproto));
493 
494  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
495  p, ssn, *stream) != 0)
496  {
497  goto detect_error;
498  }
499  if (FlowChangeProto(f)) {
500  /* We have the first data which requested a protocol change from P1 to P2
501  * even if it was not recognized at first as being P1
502  * As the second data was recognized as P1, the protocol did not change !
503  */
504  FlowUnsetChangeProtoFlag(f);
505  SCAppLayerDecoderEventsSetEventRaw(
506  &p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
507  }
508  }
509 
510  /* if the parser operates such that it needs to see data from
511  * a particular direction first, we check if we have seen
512  * data from that direction first for the flow. IF it is not
513  * the same, we set an event and exit.
514  *
515  * \todo We need to figure out a more robust solution for this,
516  * as this can lead to easy evasion tactics, where the
517  * attacker can first send some dummy data in the wrong
518  * direction first to mislead our proto detection process.
519  * While doing this we need to update the parsers as well,
520  * since the parsers must be robust to see such wrong
521  * direction data.
522  * Either ways the moment we see the
523  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
524  * flow, it shows something's fishy.
525  */
526  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
527  uint8_t first_data_dir;
528  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
529 
530  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
531  SCAppLayerDecoderEventsSetEventRaw(
532  &p->app_layer_events, APPLAYER_WRONG_DIRECTION_FIRST_DATA);
533  goto detect_error;
534  }
535  /* This can happen if the current direction is not the
536  * right direction, and the data from the other(also
537  * the right direction) direction is available to be sent
538  * to the app layer, but it is not ack'ed yet and hence
539  * the forced call to STreamTcpAppLayerReassemble still
540  * hasn't managed to send data from the other direction
541  * to the app layer. */
542  if (first_data_dir && !(first_data_dir & flags)) {
543  FlowCleanupAppLayer(f);
544  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
545  FLOW_RESET_PP_DONE(f, flags);
546  FLOW_RESET_PM_DONE(f, flags);
547  FLOW_RESET_PE_DONE(f, flags);
548  SCReturnInt(-1);
549  }
550  }
551 
552  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
553  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
554 
555  /* finally, invoke the parser */
556  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
557  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
558  flags, data, data_len);
559  PACKET_PROFILING_APP_END(app_tctx);
560  p->app_update_direction = (uint8_t)app_update_dir;
561  if (r != 1) {
562  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
563  }
564  if (r == 0) {
565  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
566  TcpStream *opposing_stream;
567  if (*stream == &ssn->client) {
568  opposing_stream = &ssn->server;
569  } else {
570  opposing_stream = &ssn->client;
571  }
572  if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) {
573  // can happen in detection-only
574  AppLayerIncFlowCounter(tv, f);
575  }
576  }
577  }
578  if (r < 0) {
579  goto parser_error;
580  }
581  } else {
582  /* if the ssn is midstream, we may end up with a case where the
583  * start of an HTTP request is missing. We won't detect HTTP based
584  * on the request. However, the reply is fine, so we detect
585  * HTTP anyway. This leads to passing the incomplete request to
586  * the htp parser.
587  *
588  * This has been observed, where the http parser then saw many
589  * bogus requests in the incomplete data.
590  *
591  * To counter this case, a midstream session MUST find it's
592  * protocol in the toserver direction. If not, we assume the
593  * start of the request/toserver is incomplete and no reliable
594  * detection and parsing is possible. So we give up.
595  */
596  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
597  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
598  {
599  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
600  SCLogDebug("midstream end pd %p", ssn);
601  /* midstream and toserver detection failed: give up */
602  DisableAppLayer(tv, f, p);
603  SCReturnInt(0);
604  }
605  }
606 
607  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
608  uint8_t first_data_dir;
609  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
610 
611  /* this would handle this test case -
612  * http parser which says it wants to see toserver data first only.
613  * tcp handshake
614  * toclient data first received. - RUBBISH DATA which
615  * we don't detect as http
616  * toserver data next sent - we detect this as http.
617  * at this stage we see that toclient is the first data seen
618  * for this session and we try and redetect the app protocol,
619  * but we are unable to detect the app protocol like before.
620  * But since we have managed to detect the protocol for the
621  * other direction as http, we try to use that. At this
622  * stage we check if the direction of this stream matches
623  * to that acceptable by the app parser. If it is not the
624  * acceptable direction we error out.
625  */
626  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
627  (first_data_dir) && !(first_data_dir & flags))
628  {
629  goto detect_error;
630  }
631 
632  /* if protocol detection is marked done for our direction we
633  * pass our data on. We're only succeeded in finding one
634  * direction: the opposing stream
635  *
636  * If PD was not yet complete, we don't do anything.
637  */
638  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
639  if (data_len > 0)
640  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
641 
642  if (*alproto_otherdir != ALPROTO_FAILED) {
643  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
644  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
645  f->alproto, flags,
646  data, data_len);
647  PACKET_PROFILING_APP_END(app_tctx);
648  p->app_update_direction = (uint8_t)app_update_dir;
649  if (r != 1) {
650  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
651  }
652 
653  SCAppLayerDecoderEventsSetEventRaw(
654  &p->app_layer_events, APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
655  TcpSessionSetReassemblyDepth(ssn,
656  AppLayerParserGetStreamDepth(f));
657  AppLayerIncFlowCounter(tv, f);
658 
659  *alproto = *alproto_otherdir;
660  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
661  p->pcap_cnt, *alproto, *alproto_otherdir, r);
662  if (r < 0) {
663  goto parser_error;
664  }
665  }
666  *alproto = ALPROTO_FAILED;
667  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
668  FlagPacketFlow(p, f, flags);
669 
670  } else if (flags & STREAM_EOF) {
671  *alproto = f->alproto;
672  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
673  AppLayerIncFlowCounter(tv, f);
674  }
675  } else {
676  /* both sides unknown, let's see if we need to give up */
677  if (FlowChangeProto(f)) {
678  /* TCPProtoDetectCheckBailConditions does not work well because
679  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
680  * so, we set a lower limit to the data we inspect
681  * We could instead have set ssn->server.sb.stream_offset = 0;
682  */
683  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
684  DisableAppLayer(tv, f, p);
685  }
686  } else {
687  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
688  }
689  }
690  }
691  SCReturnInt(0);
692 parser_error:
693  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
694  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
695  SCReturnInt(-1);
696 detect_error:
697  DisableAppLayer(tv, f, p);
698  SCReturnInt(-2);
699 }
700 
701 /** \brief handle TCP data for the app-layer.
702  *
703  * First run protocol detection and then when the protocol is known invoke
704  * the app layer parser.
705  *
706  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
707  * reversed.
708  */
709 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f,
710  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
711  enum StreamUpdateDir app_update_dir)
712 {
713  SCEnter();
714 
715  DEBUG_ASSERT_FLOW_LOCKED(f);
716  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
717 
718  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
719  AppProto alproto;
720  int r = 0;
721 
722  SCLogDebug("data_len %u flags %02X", data_len, flags);
723  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
724  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
725  goto end;
726  }
727 
728  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
729 
730  if (flags & STREAM_TOSERVER) {
731  alproto = f->alproto_ts;
732  } else {
733  alproto = f->alproto_tc;
734  }
735 
736  /* If a gap notification, relay the notification on to the
737  * app-layer if known. */
738  if (flags & STREAM_GAP) {
739  SCLogDebug("GAP of size %u", data_len);
740  if (alproto == ALPROTO_UNKNOWN) {
741  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
742  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
743  /* if the other side didn't already find the proto, we're done */
744  if (f->alproto == ALPROTO_UNKNOWN) {
745  goto failure;
746  }
747  AppLayerIncFlowCounter(tv, f);
748  }
749  if (FlowChangeProto(f)) {
750  FlowUnsetChangeProtoFlag(f);
751  SCLogDebug("Cannot handle gap while changing protocol");
752  goto failure;
753  }
754  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
755  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
756  flags, data, data_len);
757  PACKET_PROFILING_APP_END(app_tctx);
758  p->app_update_direction = (uint8_t)app_update_dir;
759  /* ignore parser result for gap */
760  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
761  if (r < 0) {
762  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
763  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
764  SCReturnInt(-1);
765  }
766  goto end;
767  }
768 
769  /* if we don't know the proto yet and we have received a stream
770  * initializer message, we run proto detection.
771  * We receive 2 stream init msgs (one for each direction), we
772  * only run the proto detection for both and emit an event
773  * in the case protocols mismatch. */
774  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
775  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
776  /* run protocol detection */
777  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags,
778  app_update_dir) != 0) {
779  goto failure;
780  }
781  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
782  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
783  void *alstate_orig = f->alstate;
784  AppLayerParserState *alparser = f->alparser;
785  // we delay AppLayerParserStateCleanup because we may need previous parser state
786  AppLayerProtoDetectReset(f);
787  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
788  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
789  /* rerun protocol detection */
790  int rd = TCPProtoDetect(
791  tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, app_update_dir);
792  if (f->alproto == ALPROTO_UNKNOWN) {
793  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
794  // not enough data, revert AppLayerProtoDetectReset to rerun detection
795  f->alparser = alparser;
796  f->alproto = f->alproto_orig;
797  f->alproto_tc = f->alproto_orig;
798  f->alproto_ts = f->alproto_orig;
799  } else {
800  FlowUnsetChangeProtoFlag(f);
801  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
802  if (alstate_orig == f->alstate) {
803  // we just freed it
804  f->alstate = NULL;
805  }
806  }
807  if (rd != 0) {
808  SCLogDebug("proto detect failure");
809  goto failure;
810  }
811  SCLogDebug("protocol change, old %s, new %s",
812  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
813 
814  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
815  f->alproto != f->alproto_expect) {
816  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
817 
818  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
819  SCAppLayerDecoderEventsSetEventRaw(
820  &p->app_layer_events, APPLAYER_NO_TLS_AFTER_STARTTLS);
821  }
822  }
823  } else {
824  SCLogDebug("stream data (len %" PRIu32 " alproto "
825  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
826 #ifdef PRINT
827  if (data_len > 0) {
828  printf("=> Stream Data (app layer) -- start %s%s\n",
829  flags & STREAM_TOCLIENT ? "toclient" : "",
830  flags & STREAM_TOSERVER ? "toserver" : "");
831  PrintRawDataFp(stdout, data, data_len);
832  printf("=> Stream Data -- end\n");
833  }
834 #endif
835  /* if we don't have a data object here we are not getting it
836  * a start msg should have gotten us one */
837  if (f->alproto != ALPROTO_UNKNOWN) {
838  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
839  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
840  flags, data, data_len);
841  PACKET_PROFILING_APP_END(app_tctx);
842  p->app_update_direction = (uint8_t)app_update_dir;
843  if (r != 1) {
844  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
845  if (r < 0) {
846  ExceptionPolicyApply(
847  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
848  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
849  SCReturnInt(-1);
850  }
851  }
852  }
853  }
854 
855  goto end;
856  failure:
857  r = -1;
858  end:
859  SCReturnInt(r);
860 }
861 
862 /**
863  * \brief Handle a app layer UDP message
864  *
865  * If the protocol is yet unknown, the proto detection code is run first.
866  *
867  * \param dp_ctx Thread app layer detect context
868  * \param f *locked* flow
869  * \param p UDP packet
870  *
871  * \retval 0 ok
872  * \retval -1 error
873  */
874 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
875 {
876  SCEnter();
877  AppProto *alproto;
878  AppProto *alproto_otherdir;
879 
880  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
881  SCReturnInt(0);
882  }
883 
884  int r = 0;
885  uint8_t flags = 0;
886  if (p->flowflags & FLOW_PKT_TOSERVER) {
887  flags |= STREAM_TOSERVER;
888  alproto = &f->alproto_ts;
889  alproto_otherdir = &f->alproto_tc;
890  } else {
891  flags |= STREAM_TOCLIENT;
892  alproto = &f->alproto_tc;
893  alproto_otherdir = &f->alproto_ts;
894  }
895 
896  AppLayerProfilingReset(tctx);
897 
898  /* if the protocol is still unknown, run detection */
899  if (*alproto == ALPROTO_UNKNOWN) {
900  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
901  p->payload_len);
902 
903  bool reverse_flow = false;
904  PACKET_PROFILING_APP_PD_START(tctx);
905  *alproto = AppLayerProtoDetectGetProto(
906  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
907  PACKET_PROFILING_APP_PD_END(tctx);
908 
909  switch (*alproto) {
910  case ALPROTO_UNKNOWN:
911  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
912  // Use recognized side
913  f->alproto = *alproto_otherdir;
914  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
915  *alproto = *alproto_otherdir;
916  if (*alproto_otherdir == ALPROTO_FAILED) {
917  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
918  }
919  } else {
920  // First side of protocol is unknown
921  *alproto = ALPROTO_FAILED;
922  }
923  break;
924  case ALPROTO_FAILED:
925  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
926  // Use recognized side
927  f->alproto = *alproto_otherdir;
928  if (*alproto_otherdir == ALPROTO_FAILED) {
929  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
930  }
931  }
932  // else wait for second side of protocol
933  break;
934  default:
935  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
936  if (*alproto_otherdir != *alproto) {
937  SCAppLayerDecoderEventsSetEventRaw(
938  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
939  // data already sent to parser, we cannot change the protocol to use the one
940  // of the server
941  }
942  } else {
943  f->alproto = *alproto;
944  }
945  }
946  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
947  if (f->alproto == ALPROTO_UNKNOWN) {
948  // so as to increase stat about .app_layer.flow.failed_udp
949  f->alproto = ALPROTO_FAILED;
950  }
951  // If the other side is unknown, this is the first packet of the flow
952  AppLayerIncFlowCounter(tv, f);
953  }
954 
955  // parse the data if we recognized one protocol
956  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
957  if (reverse_flow) {
958  SCLogDebug("reversing flow after proto detect told us so");
959  PacketSwap(p);
960  FlowSwap(f);
961  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
962  }
963 
964  PACKET_PROFILING_APP_START(tctx, f->alproto);
965  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
966  flags, p->payload, p->payload_len);
967  PACKET_PROFILING_APP_END(tctx);
968  if (f->flags & FLOW_NOPAYLOAD_INSPECTION &&
969  SCAppLayerParserStateIssetFlag(f->alparser, APP_LAYER_PARSER_BYPASS_READY)) {
970  PacketBypassCallback(p);
971  }
972  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
973  }
974  PACKET_PROFILING_APP_STORE(tctx, p);
975  /* we do only inspection in one direction, so flag both
976  * sides as done here */
977  FlagPacketFlow(p, f, STREAM_TOSERVER);
978  FlagPacketFlow(p, f, STREAM_TOCLIENT);
979  } else {
980  SCLogDebug("data (len %" PRIu32 " ), alproto "
981  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
982 
983  /* run the parser */
984  PACKET_PROFILING_APP_START(tctx, f->alproto);
985  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
986  flags, p->payload, p->payload_len);
987  if (f->flags & FLOW_NOPAYLOAD_INSPECTION &&
988  SCAppLayerParserStateIssetFlag(f->alparser, APP_LAYER_PARSER_BYPASS_READY)) {
989  PacketBypassCallback(p);
990  }
991  PACKET_PROFILING_APP_END(tctx);
992  PACKET_PROFILING_APP_STORE(tctx, p);
993  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
994  }
995  if (r < 0) {
996  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
997  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
998  SCReturnInt(-1);
999  }
1000 
1001  SCReturnInt(r);
1002 }
1003 
1004 /***** Utility *****/
1005 
1006 AppProto AppLayerGetProtoByName(const char *alproto_name)
1007 {
1008  SCEnter();
1009  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
1010  SCReturnCT(r, "AppProto");
1011 }
1012 
1013 const char *AppLayerGetProtoName(AppProto alproto)
1014 {
1015  SCEnter();
1016  const char * r = AppLayerProtoDetectGetProtoName(alproto);
1017  SCReturnCT(r, "char *");
1018 }
1019 
1020 void AppLayerListSupportedProtocols(void)
1021 {
1022  SCEnter();
1023 
1024  AppProto alproto;
1025  AppProto alprotos[g_alproto_max];
1026 
1027  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1028 
1029  printf("=========Supported App Layer Protocols=========\n");
1030  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1031  if (alprotos[alproto] == 1)
1032  printf("%s\n", AppLayerGetProtoName(alproto));
1033  }
1034 
1035  SCReturn;
1036 }
1037 
1038 /***** Setup/General Registration *****/
1039 static void AppLayerNamesSetup(void)
1040 {
1041  AppProtoRegisterProtoString(ALPROTO_UNKNOWN, "unknown");
1042  AppProtoRegisterProtoString(ALPROTO_FAILED, "failed");
1043  AppProtoRegisterProtoString(ALPROTO_HTTP1, "http1");
1044  AppProtoRegisterProtoString(ALPROTO_FTP, "ftp");
1045  AppProtoRegisterProtoString(ALPROTO_SMTP, "smtp");
1046  AppProtoRegisterProtoString(ALPROTO_TLS, "tls");
1047  AppProtoRegisterProtoString(ALPROTO_SSH, "ssh");
1048  AppProtoRegisterProtoString(ALPROTO_IMAP, "imap");
1049  AppProtoRegisterProtoString(ALPROTO_JABBER, "jabber");
1050  AppProtoRegisterProtoString(ALPROTO_SMB, "smb");
1051  AppProtoRegisterProtoString(ALPROTO_DCERPC, "dcerpc");
1052  AppProtoRegisterProtoString(ALPROTO_IRC, "irc");
1053  AppProtoRegisterProtoString(ALPROTO_DNS, "dns");
1054  AppProtoRegisterProtoString(ALPROTO_MODBUS, "modbus");
1055  AppProtoRegisterProtoString(ALPROTO_ENIP, "enip");
1056  AppProtoRegisterProtoString(ALPROTO_DNP3, "dnp3");
1057  AppProtoRegisterProtoString(ALPROTO_NFS, "nfs");
1058  AppProtoRegisterProtoString(ALPROTO_NTP, "ntp");
1059  AppProtoRegisterProtoString(ALPROTO_FTPDATA, "ftp-data");
1060  AppProtoRegisterProtoString(ALPROTO_TFTP, "tftp");
1061  AppProtoRegisterProtoString(ALPROTO_IKE, "ike");
1062  AppProtoRegisterProtoString(ALPROTO_KRB5, "krb5");
1063  AppProtoRegisterProtoString(ALPROTO_QUIC, "quic");
1064  AppProtoRegisterProtoString(ALPROTO_DHCP, "dhcp");
1065  AppProtoRegisterProtoString(ALPROTO_SIP, "sip");
1066  AppProtoRegisterProtoString(ALPROTO_RFB, "rfb");
1067  AppProtoRegisterProtoString(ALPROTO_MQTT, "mqtt");
1068  AppProtoRegisterProtoString(ALPROTO_PGSQL, "pgsql");
1069  AppProtoRegisterProtoString(ALPROTO_TELNET, "telnet");
1070  AppProtoRegisterProtoString(ALPROTO_WEBSOCKET, "websocket");
1071  AppProtoRegisterProtoString(ALPROTO_LDAP, "ldap");
1072  AppProtoRegisterProtoString(ALPROTO_DOH2, "doh2");
1073  AppProtoRegisterProtoString(ALPROTO_MDNS, "mdns");
1074  AppProtoRegisterProtoString(ALPROTO_TEMPLATE, "template");
1075  AppProtoRegisterProtoString(ALPROTO_RDP, "rdp");
1076  AppProtoRegisterProtoString(ALPROTO_HTTP2, "http2");
1077  AppProtoRegisterProtoString(ALPROTO_BITTORRENT_DHT, "bittorrent-dht");
1078  AppProtoRegisterProtoString(ALPROTO_POP3, "pop3");
1079  AppProtoRegisterProtoString(ALPROTO_HTTP, "http");
1080 }
1081 
1082 int AppLayerSetup(void)
1083 {
1084  SCEnter();
1085 
1086  AppLayerNamesSetup();
1087  AppLayerProtoDetectSetup();
1088  AppLayerParserSetup();
1089 
1090  AppLayerParserRegisterProtocolParsers();
1091  AppLayerProtoDetectPrepareState();
1092 
1093  AppLayerSetupCounters();
1094  FrameConfigInit();
1095 
1096  SCReturnInt(0);
1097 }
1098 
1099 int AppLayerDeSetup(void)
1100 {
1101  SCEnter();
1102 
1103  AppLayerProtoDetectDeSetup();
1104  AppLayerParserDeSetup();
1105 
1106  AppLayerDeSetupCounters();
1107  FrameConfigDeInit();
1108 
1109  SCReturnInt(0);
1110 }
1111 
1112 AppLayerThreadCtx *AppLayerGetCtxThread(void)
1113 {
1114  SCEnter();
1115 
1116  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
1117  if (app_tctx == NULL)
1118  goto error;
1119 
1120  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1121  goto error;
1122  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1123  goto error;
1124 
1125  goto done;
1126  error:
1127  AppLayerDestroyCtxThread(app_tctx);
1128  app_tctx = NULL;
1129  done:
1130  SCReturnPtr(app_tctx, "void *");
1131 }
1132 
1133 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1134 {
1135  SCEnter();
1136 
1137  if (app_tctx == NULL)
1138  SCReturn;
1139 
1140  if (app_tctx->alpd_tctx != NULL)
1141  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1142  if (app_tctx->alp_tctx != NULL)
1143  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1144  SCFree(app_tctx);
1145 
1146  SCReturn;
1147 }
1148 
1149 #ifdef PROFILING
1150 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1151 {
1152  PACKET_PROFILING_APP_RESET(app_tctx);
1153 }
1154 
1155 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1156 {
1157  PACKET_PROFILING_APP_STORE(app_tctx, p);
1158 }
1159 #endif
1160 
1161 /** \brief HACK to work around our broken unix manager (re)init loop
1162  */
1163 void AppLayerRegisterGlobalCounters(void)
1164 {
1165  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1166  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1167  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1168  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1169  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1170  StatsRegisterGlobalCounter("http.byterange.memuse", HTPByteRangeMemuseGlobalCounter);
1171  StatsRegisterGlobalCounter("http.byterange.memcap", HTPByteRangeMemcapGlobalCounter);
1172  StatsRegisterGlobalCounter("ippair.memuse", IPPairGetMemuse);
1173  StatsRegisterGlobalCounter("ippair.memcap", IPPairGetMemcap);
1174  StatsRegisterGlobalCounter("host.memuse", HostGetMemuse);
1175  StatsRegisterGlobalCounter("host.memcap", HostGetMemcap);
1176 }
1177 
1178 static bool IsAppLayerErrorExceptionPolicyStatsValid(enum ExceptionPolicy policy)
1179 {
1180  if (EngineModeIsIPS()) {
1181  return app_layer_error_eps_stats.valid_settings_ips[policy];
1182  }
1183  return app_layer_error_eps_stats.valid_settings_ids[policy];
1184 }
1185 
1186 static void AppLayerSetupExceptionPolicyPerProtoCounters(
1187  uint8_t ipproto_map, AppProto alproto, const char *alproto_str, const char *ipproto_suffix)
1188 {
1189  if (g_stats_eps_per_app_proto_errors &&
1190  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1191  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1192  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1193  snprintf(applayer_counter_names[alproto][ipproto_map].eps_name[i],
1194  sizeof(applayer_counter_names[alproto][ipproto_map].eps_name[i]),
1195  "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix,
1196  ExceptionPolicyEnumToString(i, true));
1197  }
1198  }
1199  }
1200 }
1201 
1202 void AppLayerSetupCounters(void)
1203 {
1204  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1205  AppProto alprotos[g_alproto_max];
1206  const char *str = "app_layer.flow.";
1207  const char *estr = "app_layer.error.";
1208 
1209  applayer_counter_names =
1210  SCCalloc(g_alproto_max, sizeof(AppLayerCounterNames[FLOW_PROTO_APPLAYER_MAX]));
1211  if (unlikely(applayer_counter_names == NULL)) {
1212  FatalError("Unable to alloc applayer_counter_names.");
1213  }
1214  applayer_counters = SCCalloc(g_alproto_max, sizeof(AppLayerCounters[FLOW_PROTO_APPLAYER_MAX]));
1215  if (unlikely(applayer_counters == NULL)) {
1216  FatalError("Unable to alloc applayer_counters.");
1217  }
1218  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1219  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1220  /* Register global counters for app layer error exception policy summary */
1221  const char *eps_default_str = "exception_policy.app_layer.error.";
1222  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1223  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1224  snprintf(app_layer_error_eps_stats.eps_name[i],
1225  sizeof(app_layer_error_eps_stats.eps_name[i]), "%s%s", eps_default_str,
1226  ExceptionPolicyEnumToString(i, true));
1227  }
1228  }
1229  }
1230 
1231  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1232 
1233  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1234  const uint8_t ipproto = ipprotos[p];
1235  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1236  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1237  uint8_t ipprotos_all[256 / 8];
1238 
1239  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1240  if (alprotos[alproto] == 1) {
1241  const char *tx_str = "app_layer.tx.";
1242  const char *alproto_str = AppLayerGetProtoName(alproto);
1243 
1244  memset(ipprotos_all, 0, sizeof(ipprotos_all));
1245  AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
1246  if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
1247  (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
1248  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1249  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s",
1250  str, alproto_str, ipproto_suffix);
1251  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1252  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s%s",
1253  tx_str, alproto_str, ipproto_suffix);
1254 
1255  if (ipproto == IPPROTO_TCP) {
1256  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1257  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1258  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1259  }
1260  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1261  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1262  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1263  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1264  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1265  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1266  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1267  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1268  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1269 
1270  AppLayerSetupExceptionPolicyPerProtoCounters(
1271  ipproto_map, alproto, alproto_str, ipproto_suffix);
1272  } else {
1273  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1274  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s", str,
1275  alproto_str);
1276  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1277  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s",
1278  tx_str, alproto_str);
1279 
1280  if (ipproto == IPPROTO_TCP) {
1281  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1282  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1283  "%s%s.gap", estr, alproto_str);
1284  }
1285  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1286  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1287  "%s%s.alloc", estr, alproto_str);
1288  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1289  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1290  "%s%s.parser", estr, alproto_str);
1291  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1292  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1293  "%s%s.internal", estr, alproto_str);
1294  AppLayerSetupExceptionPolicyPerProtoCounters(
1295  ipproto_map, alproto, alproto_str, "");
1296  }
1297  } else if (alproto == ALPROTO_FAILED) {
1298  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1299  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", str,
1300  "failed", ipproto_suffix);
1301  if (ipproto == IPPROTO_TCP) {
1302  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1303  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1304  "%sfailed%s.gap", estr, ipproto_suffix);
1305  }
1306  }
1307  }
1308  }
1309 }
1310 
1311 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1312 {
1313  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1314  AppProto alprotos[g_alproto_max];
1315  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1316 
1317  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1318  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1319  /* Register global counters for app layer error exception policy summary */
1320  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1321  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1322  eps_error_summary.eps_id[i] =
1323  StatsRegisterCounter(app_layer_error_eps_stats.eps_name[i], &tv->stats);
1324  }
1325  }
1326  }
1327 
1328  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1329  const uint8_t ipproto = ipprotos[p];
1330  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1331 
1332  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1333  if (alprotos[alproto] == 1) {
1334  applayer_counters[alproto][ipproto_map].counter_id = StatsRegisterCounter(
1335  applayer_counter_names[alproto][ipproto_map].name, &tv->stats);
1336 
1337  if (AppLayerParserProtoIsRegistered(ipproto, alproto) != 1)
1338  continue;
1339 
1340  applayer_counters[alproto][ipproto_map].counter_tx_id = StatsRegisterCounter(
1341  applayer_counter_names[alproto][ipproto_map].tx_name, &tv->stats);
1342 
1343  if (ipproto == IPPROTO_TCP) {
1344  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1345  applayer_counter_names[alproto][ipproto_map].gap_error, &tv->stats);
1346  }
1347  applayer_counters[alproto][ipproto_map].alloc_error_id = StatsRegisterCounter(
1348  applayer_counter_names[alproto][ipproto_map].alloc_error, &tv->stats);
1349  applayer_counters[alproto][ipproto_map].parser_error_id = StatsRegisterCounter(
1350  applayer_counter_names[alproto][ipproto_map].parser_error, &tv->stats);
1351  applayer_counters[alproto][ipproto_map].internal_error_id = StatsRegisterCounter(
1352  applayer_counter_names[alproto][ipproto_map].internal_error, &tv->stats);
1353  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1354  if (g_stats_eps_per_app_proto_errors &&
1355  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1356  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1;
1357  i < EXCEPTION_POLICY_MAX; i++) {
1358  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1359  applayer_counters[alproto][ipproto_map]
1360  .eps_error.eps_id[i] = StatsRegisterCounter(
1361  applayer_counter_names[alproto][ipproto_map].eps_name[i],
1362  &tv->stats);
1363  }
1364  }
1365  }
1366  } else if (alproto == ALPROTO_FAILED) {
1367  applayer_counters[alproto][ipproto_map].counter_id = StatsRegisterCounter(
1368  applayer_counter_names[alproto][ipproto_map].name, &tv->stats);
1369 
1370  if (ipproto == IPPROTO_TCP) {
1371  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1372  applayer_counter_names[alproto][ipproto_map].gap_error, &tv->stats);
1373  }
1374  }
1375  }
1376  }
1377 }
1378 
1379 void AppLayerDeSetupCounters(void)
1380 {
1381  SCFree(applayer_counter_names);
1382  SCFree(applayer_counters);
1383 }
1384 
1385 /***** Unittests *****/
1386 
1387 #ifdef UNITTESTS
1388 #include "pkt-var.h"
1389 #include "stream-tcp-util.h"
1390 #include "stream.h"
1391 #include "util-unittest.h"
1392 
1393 #define TEST_START \
1394  Packet *p = PacketGetFromAlloc(); \
1395  FAIL_IF_NULL(p); \
1396  Flow f; \
1397  ThreadVars tv; \
1398  StreamTcpThread *stt = NULL; \
1399  TCPHdr tcph; \
1400  PacketQueueNoLock pq; \
1401  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1402  memset(&f, 0, sizeof(Flow)); \
1403  memset(&tv, 0, sizeof(ThreadVars)); \
1404  StatsThreadInit(&tv.stats); \
1405  memset(&tcph, 0, sizeof(TCPHdr)); \
1406  \
1407  FLOW_INITIALIZE(&f); \
1408  f.flags = FLOW_IPV4; \
1409  f.proto = IPPROTO_TCP; \
1410  p->flow = &f; \
1411  PacketSetTCP(p, (uint8_t *)&tcph); \
1412  \
1413  StreamTcpInitConfig(true); \
1414  IPPairInitConfig(true); \
1415  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1416  \
1417  /* handshake */ \
1418  tcph.th_win = htons(5480); \
1419  tcph.th_flags = TH_SYN; \
1420  p->flowflags = FLOW_PKT_TOSERVER; \
1421  p->payload_len = 0; \
1422  p->payload = NULL; \
1423  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1424  TcpSession *ssn = (TcpSession *)f.protoctx; \
1425  \
1426  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1427  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1428  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1429  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1430  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1431  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1432  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1433  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1434  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1435  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1436  FAIL_IF(ssn->data_first_seen_dir != 0); \
1437  \
1438  /* handshake */ \
1439  tcph.th_ack = htonl(1); \
1440  tcph.th_flags = TH_SYN | TH_ACK; \
1441  p->flowflags = FLOW_PKT_TOCLIENT; \
1442  p->payload_len = 0; \
1443  p->payload = NULL; \
1444  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1445  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1446  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1447  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1448  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1449  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1450  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1451  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1452  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1453  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1454  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1455  FAIL_IF(ssn->data_first_seen_dir != 0); \
1456  \
1457  /* handshake */ \
1458  tcph.th_ack = htonl(1); \
1459  tcph.th_seq = htonl(1); \
1460  tcph.th_flags = TH_ACK; \
1461  p->flowflags = FLOW_PKT_TOSERVER; \
1462  p->payload_len = 0; \
1463  p->payload = NULL; \
1464  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1465  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1466  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1467  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1468  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1469  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1470  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1471  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1472  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1473  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1474  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1475  FAIL_IF(ssn->data_first_seen_dir != 0);
1476 #define TEST_END \
1477  StreamTcpSessionClear(p->flow->protoctx); \
1478  StreamTcpThreadDeinit(&tv, (void *)stt); \
1479  StreamTcpFreeConfig(true); \
1480  PacketFree(p); \
1481  FLOW_DESTROY(&f); \
1482  IPPairShutdown(); \
1483  StatsThreadCleanup(&tv.stats);
1484 
1485 /**
1486  * \test GET -> HTTP/1.1
1487  */
1488 static int AppLayerTest01(void)
1489 {
1490  TEST_START;
1491 
1492  /* full request */
1493  uint8_t request[] = {
1494  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1495  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1496  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1497  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1498  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1499  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1500  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1501  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1502  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1503  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1504  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1505  tcph.th_ack = htonl(1);
1506  tcph.th_seq = htonl(1);
1507  tcph.th_flags = TH_PUSH | TH_ACK;
1508  p->flowflags = FLOW_PKT_TOSERVER;
1509  p->payload_len = sizeof(request);
1510  p->payload = request;
1511  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1512  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1513  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1514  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1515  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1516  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1517  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1518  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1519  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1520  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1521  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1522  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1523 
1524  /* full response - request ack */
1525  uint8_t response[] = {
1526  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1527  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1528  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1529  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1530  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1531  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1532  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1533  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1534  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1535  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1536  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1537  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1538  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1539  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1540  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1541  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1542  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1543  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1544  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1545  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1546  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1547  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1548  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1549  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1550  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1551  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1552  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1553  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1554  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1555  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1556  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1557  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1558  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1559  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1560  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1561  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1562  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1563  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1564  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1565  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1566  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1567  tcph.th_ack = htonl(88);
1568  tcph.th_seq = htonl(1);
1569  tcph.th_flags = TH_PUSH | TH_ACK;
1570  p->flowflags = FLOW_PKT_TOCLIENT;
1571  p->payload_len = sizeof(response);
1572  p->payload = response;
1573  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1574  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1575  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1576  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1577  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1578  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1579  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1580  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1581  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1582  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1583  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1584  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1585 
1586  /* response ack */
1587  tcph.th_ack = htonl(328);
1588  tcph.th_seq = htonl(88);
1589  tcph.th_flags = TH_ACK;
1590  p->flowflags = FLOW_PKT_TOSERVER;
1591  p->payload_len = 0;
1592  p->payload = NULL;
1593  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1594  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1595  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1596  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1597  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1598  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1599  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1600  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1601  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1602  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1603  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1604  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1605 
1606  TEST_END;
1607  PASS;
1608 }
1609 
1610 /**
1611  * \test GE -> T -> HTTP/1.1
1612  */
1613 static int AppLayerTest02(void)
1614 {
1615  TEST_START;
1616 
1617  /* partial request */
1618  uint8_t request1[] = { 0x47, 0x45, };
1619  tcph.th_ack = htonl(1);
1620  tcph.th_seq = htonl(1);
1621  tcph.th_flags = TH_PUSH | TH_ACK;
1622  p->flowflags = FLOW_PKT_TOSERVER;
1623  p->payload_len = sizeof(request1);
1624  p->payload = request1;
1625  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1626  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1627  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1628  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1629  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1630  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1631  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1632  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1633  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1634  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1635  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1636  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1637 
1638  /* response ack against partial request */
1639  tcph.th_ack = htonl(3);
1640  tcph.th_seq = htonl(1);
1641  tcph.th_flags = TH_ACK;
1642  p->flowflags = FLOW_PKT_TOCLIENT;
1643  p->payload_len = 0;
1644  p->payload = NULL;
1645  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1646  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1647  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1648  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1649  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1650  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1651  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1652  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1653  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1654  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1655  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1656  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1657 
1658  /* complete partial request */
1659  uint8_t request2[] = {
1660  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1661  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1662  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1663  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1664  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1665  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1666  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1667  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1668  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1669  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1670  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1671  tcph.th_ack = htonl(1);
1672  tcph.th_seq = htonl(3);
1673  tcph.th_flags = TH_PUSH | TH_ACK;
1674  p->flowflags = FLOW_PKT_TOSERVER;
1675  p->payload_len = sizeof(request2);
1676  p->payload = request2;
1677  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1678  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1679  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1680  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1681  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1682  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1683  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1684  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1685  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1686  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1687  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1688  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1689 
1690  /* response - request ack */
1691  uint8_t response[] = {
1692  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1693  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1694  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1695  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1696  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1697  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1698  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1699  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1700  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1701  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1702  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1703  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1704  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1705  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1706  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1707  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1708  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1709  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1710  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1711  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1712  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1713  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1714  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1715  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1716  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1717  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1718  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1719  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1720  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1721  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1722  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1723  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1724  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1725  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1726  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1727  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1728  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1729  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1730  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1731  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1732  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1733  tcph.th_ack = htonl(88);
1734  tcph.th_seq = htonl(1);
1735  tcph.th_flags = TH_PUSH | TH_ACK;
1736  p->flowflags = FLOW_PKT_TOCLIENT;
1737  p->payload_len = sizeof(response);
1738  p->payload = response;
1739  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1740  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1741  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1742  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1743  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1744  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1745  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1746  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1747  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1748  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1749  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1750  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1751 
1752  /* response ack */
1753  tcph.th_ack = htonl(328);
1754  tcph.th_seq = htonl(88);
1755  tcph.th_flags = TH_ACK;
1756  p->flowflags = FLOW_PKT_TOSERVER;
1757  p->payload_len = 0;
1758  p->payload = NULL;
1759  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1760  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1761  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1762  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1763  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1764  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1765  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1766  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1767  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1768  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1769  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1770  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1771 
1772  TEST_END;
1773  PASS;
1774 }
1775 
1776 /**
1777  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1778  */
1779 static int AppLayerTest03(void)
1780 {
1781  TEST_START;
1782 
1783  /* request */
1784  uint8_t request[] = {
1785  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1786  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1787  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1788  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1789  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1790  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1791  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1792  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1793  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1794  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1795  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1796  tcph.th_ack = htonl(1);
1797  tcph.th_seq = htonl(1);
1798  tcph.th_flags = TH_PUSH | TH_ACK;
1799  p->flowflags = FLOW_PKT_TOSERVER;
1800  p->payload_len = sizeof(request);
1801  p->payload = request;
1802  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1803  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1804  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1805  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1806  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1807  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1808  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1809  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1810  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1811  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1812  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1813  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1814 
1815  /* rubbish response */
1816  uint8_t response[] = {
1817  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1818  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1819  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1820  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1821  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1822  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1823  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1824  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1825  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1826  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1827  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1828  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1829  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1830  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1831  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1832  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1833  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1834  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1835  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1836  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1837  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1838  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1839  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1840  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1841  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1842  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1843  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1844  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1845  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1846  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1847  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1848  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1849  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1850  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1851  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1852  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1853  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1854  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1855  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1856  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1857  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1858  tcph.th_ack = htonl(88);
1859  tcph.th_seq = htonl(1);
1860  tcph.th_flags = TH_PUSH | TH_ACK;
1861  p->flowflags = FLOW_PKT_TOCLIENT;
1862  p->payload_len = sizeof(response);
1863  p->payload = response;
1864  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1865  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1866  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1867  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1868  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1869  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1870  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1871  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1872  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1873  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1874  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1875  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1876 
1877  /* response ack */
1878  tcph.th_ack = htonl(328);
1879  tcph.th_seq = htonl(88);
1880  tcph.th_flags = TH_ACK;
1881  p->flowflags = FLOW_PKT_TOSERVER;
1882  p->payload_len = 0;
1883  p->payload = NULL;
1884  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1885  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1886  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1887  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1888  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1889  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1890  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1891  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1892  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1893  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1894  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1895  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1896 
1897  TEST_END;
1898  PASS;
1899 }
1900 
1901 /**
1902  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1903  */
1904 static int AppLayerTest04(void)
1905 {
1906  TEST_START;
1907 
1908  /* request */
1909  uint8_t request[] = {
1910  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1911  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1912  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1913  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1914  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1915  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1916  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1917  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1918  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1919  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1920  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1921  PrintRawDataFp(stdout, request, sizeof(request));
1922  tcph.th_ack = htonl(1);
1923  tcph.th_seq = htonl(1);
1924  tcph.th_flags = TH_PUSH | TH_ACK;
1925  p->flowflags = FLOW_PKT_TOSERVER;
1926  p->payload_len = sizeof(request);
1927  p->payload = request;
1928  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1929  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1930  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1931  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1932  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1933  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1934  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1935  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1936  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1937  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1938  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1939  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1940 
1941  /* partial response */
1942  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1943  PrintRawDataFp(stdout, response1, sizeof(response1));
1944  tcph.th_ack = htonl(88);
1945  tcph.th_seq = htonl(1);
1946  tcph.th_flags = TH_PUSH | TH_ACK;
1947  p->flowflags = FLOW_PKT_TOCLIENT;
1948  p->payload_len = sizeof(response1);
1949  p->payload = response1;
1950  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1951  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1952  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1953  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1954  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1955  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1956  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1957  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1958  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1959  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1960  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1961  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1962 
1963  /* partial response ack */
1964  tcph.th_ack = htonl(5);
1965  tcph.th_seq = htonl(88);
1966  tcph.th_flags = TH_ACK;
1967  p->flowflags = FLOW_PKT_TOSERVER;
1968  p->payload_len = 0;
1969  p->payload = NULL;
1970  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1971  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1972  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1973  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1974  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1975  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1976  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1977  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1978  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1979  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1980  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1981  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1982 
1983  /* remaining response */
1984  uint8_t response2[] = {
1985  0x2f, 0x31, 0x2e, 0x31,
1986  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1987  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1988  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1989  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1990  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1991  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1992  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1993  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1994  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1995  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1996  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1997  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1998  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1999  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2000  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2001  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2002  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2003  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2004  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2005  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2006  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2007  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2008  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2009  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2010  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2011  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2012  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2013  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2014  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2015  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2016  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2017  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2018  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2019  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2020  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2021  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2022  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2023  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2024  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2025  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2026  PrintRawDataFp(stdout, response2, sizeof(response2));
2027  tcph.th_ack = htonl(88);
2028  tcph.th_seq = htonl(5);
2029  tcph.th_flags = TH_PUSH | TH_ACK;
2030  p->flowflags = FLOW_PKT_TOCLIENT;
2031  p->payload_len = sizeof(response2);
2032  p->payload = response2;
2033  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2034  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2035  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2036  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2037  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2038  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2039  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2040  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2041  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2042  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2043  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2044  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2045 
2046  /* response ack */
2047  tcph.th_ack = htonl(328);
2048  tcph.th_seq = htonl(88);
2049  tcph.th_flags = TH_ACK;
2050  p->flowflags = FLOW_PKT_TOSERVER;
2051  p->payload_len = 0;
2052  p->payload = NULL;
2053  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2054  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
2055  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2056  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2057  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2058  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
2059  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2060  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2061  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2062  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2063  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2064  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2065 
2066  TEST_END;
2067  PASS;
2068 }
2069 
2070 /**
2071  * \test RUBBISH -> HTTP/1.1
2072  */
2073 static int AppLayerTest05(void)
2074 {
2075  TEST_START;
2076 
2077  /* full request */
2078  uint8_t request[] = {
2079  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2080  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2081  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2082  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2083  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2084  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2085  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2086  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2087  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2088  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2089  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2090  PrintRawDataFp(stdout, request, sizeof(request));
2091  tcph.th_ack = htonl(1);
2092  tcph.th_seq = htonl(1);
2093  tcph.th_flags = TH_PUSH | TH_ACK;
2094  p->flowflags = FLOW_PKT_TOSERVER;
2095  p->payload_len = sizeof(request);
2096  p->payload = request;
2097  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2098  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2099  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2100  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2101  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2102  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2103  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2104  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2105  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2106  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2107  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2108  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2109 
2110  /* full response - request ack */
2111  uint8_t response[] = {
2112  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2113  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2114  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2115  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2116  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2117  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2118  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2119  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2120  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2121  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2122  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2123  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2124  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2125  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2126  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2127  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2128  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2129  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2130  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2131  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2132  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2133  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2134  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2135  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2136  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2137  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2138  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2139  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2140  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2141  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2142  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2143  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2144  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2145  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2146  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2147  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2148  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2149  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2150  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2151  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2152  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2153  PrintRawDataFp(stdout, response, sizeof(response));
2154  tcph.th_ack = htonl(88);
2155  tcph.th_seq = htonl(1);
2156  tcph.th_flags = TH_PUSH | TH_ACK;
2157  p->flowflags = FLOW_PKT_TOCLIENT;
2158  p->payload_len = sizeof(response);
2159  p->payload = response;
2160  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2161  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2162  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2163  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2164  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2165  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2166  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2167  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2168  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2169  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2170  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2171  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2172 
2173  /* response ack */
2174  tcph.th_ack = htonl(328);
2175  tcph.th_seq = htonl(88);
2176  tcph.th_flags = TH_ACK;
2177  p->flowflags = FLOW_PKT_TOSERVER;
2178  p->payload_len = 0;
2179  p->payload = NULL;
2180  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2181  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2182  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2183  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2184  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2185  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2186  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2187  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2188  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2189  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2190  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2191  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2192 
2193  TEST_END;
2194  PASS;
2195 }
2196 
2197 /**
2198  * \test HTTP/1.1 -> GET
2199  */
2200 static int AppLayerTest06(void)
2201 {
2202  TEST_START;
2203 
2204  /* full response - request ack */
2205  uint8_t response[] = {
2206  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2207  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2208  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2209  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2210  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2211  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2212  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2213  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2214  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2215  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2216  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2217  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2218  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2219  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2220  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2221  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2222  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2223  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2224  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2225  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2226  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2227  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2228  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2229  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2230  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2231  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2232  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2233  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2234  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2235  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2236  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2237  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2238  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2239  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2240  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2241  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2242  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2243  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2244  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2245  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2246  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2247  tcph.th_ack = htonl(1);
2248  tcph.th_seq = htonl(1);
2249  tcph.th_flags = TH_PUSH | TH_ACK;
2250  p->flowflags = FLOW_PKT_TOCLIENT;
2251  p->payload_len = sizeof(response);
2252  p->payload = response;
2253  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2254  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2255  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2256  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2257  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2258  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2259  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2260  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2261  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2262  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2263  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2264  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2265 
2266  /* full request - response ack*/
2267  uint8_t request[] = {
2268  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2269  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2270  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2271  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2272  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2273  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2274  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2275  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2276  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2277  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2278  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2279  tcph.th_ack = htonl(328);
2280  tcph.th_seq = htonl(1);
2281  tcph.th_flags = TH_PUSH | TH_ACK;
2282  p->flowflags = FLOW_PKT_TOSERVER;
2283  p->payload_len = sizeof(request);
2284  p->payload = request;
2285  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2286  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2287  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2288  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2289  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2290  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2291  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2292  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2293  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2294  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2295  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2296  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2297 
2298  tcph.th_ack = htonl(1 + sizeof(request));
2299  tcph.th_seq = htonl(328);
2300  tcph.th_flags = TH_PUSH | TH_ACK;
2301  p->flowflags = FLOW_PKT_TOCLIENT;
2302  p->payload_len = 0;
2303  p->payload = NULL;
2304  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2305  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2306  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2307  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2308  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2309  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2310  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2311  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2312  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2313  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2314  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2315  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2316 
2317  TEST_END;
2318  PASS;
2319 }
2320 
2321 /**
2322  * \test GET -> DCERPC
2323  */
2324 static int AppLayerTest07(void)
2325 {
2326  TEST_START;
2327 
2328  /* full request */
2329  uint8_t request[] = {
2330  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2331  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2332  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2333  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2334  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2335  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2336  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2337  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2338  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2339  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2340  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2341  tcph.th_ack = htonl(1);
2342  tcph.th_seq = htonl(1);
2343  tcph.th_flags = TH_PUSH | TH_ACK;
2344  p->flowflags = FLOW_PKT_TOSERVER;
2345  p->payload_len = sizeof(request);
2346  p->payload = request;
2347  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2348  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2349  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2350  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2351  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2352  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2353  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2354  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2355  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2356  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2357  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2358  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2359 
2360  /* full response - request ack */
2361  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2362  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2363  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2364  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2365  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2366  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2367  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2368  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2369  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2370  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2371  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2372  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2373  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2374  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2375  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2376  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2377  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2378  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2379  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2380  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2381  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2382  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2383  tcph.th_ack = htonl(88);
2384  tcph.th_seq = htonl(1);
2385  tcph.th_flags = TH_PUSH | TH_ACK;
2386  p->flowflags = FLOW_PKT_TOCLIENT;
2387  p->payload_len = sizeof(response);
2388  p->payload = response;
2389  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2390  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2391  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2392  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2393  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2394  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2395  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2396  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2397  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2398  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2399  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2400  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2401 
2402  /* response ack */
2403  tcph.th_ack = htonl(328);
2404  tcph.th_seq = htonl(88);
2405  tcph.th_flags = TH_ACK;
2406  p->flowflags = FLOW_PKT_TOSERVER;
2407  p->payload_len = 0;
2408  p->payload = NULL;
2409  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2410  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2411  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2412  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2413  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2414  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2415  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2416  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2417  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2418  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2419  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2420  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2421 
2422  TEST_END;
2423  PASS;
2424 }
2425 
2426 /**
2427  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2428  * RUBBISH(TC - PM and PP DONE) ->
2429  * RUBBISH(TS - PM and PP DONE)
2430  */
2431 static int AppLayerTest09(void)
2432 {
2433  TEST_START;
2434 
2435  /* full request */
2436  uint8_t request1[] = {
2437  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2438  tcph.th_ack = htonl(1);
2439  tcph.th_seq = htonl(1);
2440  tcph.th_flags = TH_PUSH | TH_ACK;
2441  p->flowflags = FLOW_PKT_TOSERVER;
2442  p->payload_len = sizeof(request1);
2443  p->payload = request1;
2444  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2445  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2446  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2447  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2448  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2449  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2450  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2451  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2452  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2453  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2454  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2455  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2456 
2457  /* response - request ack */
2458  tcph.th_ack = htonl(9);
2459  tcph.th_seq = htonl(1);
2460  tcph.th_flags = TH_PUSH | TH_ACK;
2461  p->flowflags = FLOW_PKT_TOCLIENT;
2462  p->payload_len = 0;
2463  p->payload = NULL;
2464  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2465  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2466  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2467  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2468  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2469  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2470  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2471  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2472  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2473  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2474  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2475  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2476 
2477  /* full request */
2478  uint8_t request2[] = {
2479  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2480  tcph.th_ack = htonl(1);
2481  tcph.th_seq = htonl(9);
2482  tcph.th_flags = TH_PUSH | TH_ACK;
2483  p->flowflags = FLOW_PKT_TOSERVER;
2484  p->payload_len = sizeof(request2);
2485  p->payload = request2;
2486  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2487  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2488  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2489  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2490  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2491  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2492  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2493  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2494  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2495  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2496  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2497  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2498 
2499  /* full response - request ack */
2500  uint8_t response[] = {
2501  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2502  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2503  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2504  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2505  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2506  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2507  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2508  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2509  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2510  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2511  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2512  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2513  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2514  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2515  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2516  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2517  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2518  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2519  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2520  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2521  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2522  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2523  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2524  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2525  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2526  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2527  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2528  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2529  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2530  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2531  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2532  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2533  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2534  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2535  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2536  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2537  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2538  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2539  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2540  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2541  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2542  tcph.th_ack = htonl(18);
2543  tcph.th_seq = htonl(1);
2544  tcph.th_flags = TH_PUSH | TH_ACK;
2545  p->flowflags = FLOW_PKT_TOCLIENT;
2546  p->payload_len = sizeof(response);
2547  p->payload = response;
2548  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2549  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2550  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2551  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2552  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2553  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2554  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2555  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2556  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2557  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2558  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2559  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2560 
2561  /* response ack */
2562  tcph.th_ack = htonl(328);
2563  tcph.th_seq = htonl(18);
2564  tcph.th_flags = TH_ACK;
2565  p->flowflags = FLOW_PKT_TOSERVER;
2566  p->payload_len = 0;
2567  p->payload = NULL;
2568  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2569  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2570  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2571  FAIL_IF(f.alproto != ALPROTO_FAILED);
2572  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2573  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2574  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2575  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2576  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2577  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2578  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2579  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2580 
2581  TEST_END;
2582  PASS;
2583 }
2584 
2585 /**
2586  * \test RUBBISH(TC - PM and PP DONE) ->
2587  * RUBBISH(TS - PM and PP DONE)
2588  */
2589 static int AppLayerTest10(void)
2590 {
2591  TEST_START;
2592 
2593  /* full request */
2594  uint8_t request1[] = {
2595  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2596  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2597  tcph.th_ack = htonl(1);
2598  tcph.th_seq = htonl(1);
2599  tcph.th_flags = TH_PUSH | TH_ACK;
2600  p->flowflags = FLOW_PKT_TOSERVER;
2601  p->payload_len = sizeof(request1);
2602  p->payload = request1;
2603  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2604  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2605  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2606  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2607  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2608  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2609  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2610  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2611  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2612  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2613  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2614  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2615 
2616  /* response - request ack */
2617  tcph.th_ack = htonl(18);
2618  tcph.th_seq = htonl(1);
2619  tcph.th_flags = TH_PUSH | TH_ACK;
2620  p->flowflags = FLOW_PKT_TOCLIENT;
2621  p->payload_len = 0;
2622  p->payload = NULL;
2623  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2624  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2625  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2626  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2627  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2628  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2629  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2630  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2631  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2632  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2633  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2634  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2635 
2636  /* full response - request ack */
2637  uint8_t response[] = {
2638  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2639  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2640  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2641  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2642  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2643  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2644  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2645  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2646  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2647  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2648  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2649  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2650  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2651  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2652  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2653  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2654  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2655  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2656  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2657  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2658  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2659  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2660  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2661  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2662  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2663  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2664  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2665  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2666  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2667  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2668  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2669  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2670  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2671  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2672  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2673  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2674  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2675  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2676  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2677  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2678  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2679  tcph.th_ack = htonl(18);
2680  tcph.th_seq = htonl(1);
2681  tcph.th_flags = TH_PUSH | TH_ACK;
2682  p->flowflags = FLOW_PKT_TOCLIENT;
2683  p->payload_len = sizeof(response);
2684  p->payload = response;
2685  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2686  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2687  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2688  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2689  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2690  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2691  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2692  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2693  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2694  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2695  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2696  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2697 
2698  /* response ack */
2699  tcph.th_ack = htonl(328);
2700  tcph.th_seq = htonl(18);
2701  tcph.th_flags = TH_ACK;
2702  p->flowflags = FLOW_PKT_TOSERVER;
2703  p->payload_len = 0;
2704  p->payload = NULL;
2705  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2706  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2707  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2708  FAIL_IF(f.alproto != ALPROTO_FAILED);
2709  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2710  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2711  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2712  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2713  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2714  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2715  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2716  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2717 
2718  TEST_END;
2719  PASS;
2720 }
2721 
2722 /**
2723  * \test RUBBISH(TC - PM and PP DONE) ->
2724  * RUBBISH(TS - PM and PP NOT DONE) ->
2725  * RUBBISH(TS - PM and PP DONE)
2726  */
2727 static int AppLayerTest11(void)
2728 {
2729  TEST_START;
2730 
2731  /* full request */
2732  uint8_t request1[] = {
2733  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2734  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2735  tcph.th_ack = htonl(1);
2736  tcph.th_seq = htonl(1);
2737  tcph.th_flags = TH_PUSH | TH_ACK;
2738  p->flowflags = FLOW_PKT_TOSERVER;
2739  p->payload_len = sizeof(request1);
2740  p->payload = request1;
2741  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2742  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2743  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2744  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2745  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2746  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2747  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2748  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2749  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2750  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2751  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2752  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2753 
2754  /* response - request ack */
2755  tcph.th_ack = htonl(18);
2756  tcph.th_seq = htonl(1);
2757  tcph.th_flags = TH_PUSH | TH_ACK;
2758  p->flowflags = FLOW_PKT_TOCLIENT;
2759  p->payload_len = 0;
2760  p->payload = NULL;
2761  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2762  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2763  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2764  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2765  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2766  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2767  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2768  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2769  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2770  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2771  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2772  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2773 
2774  /* full response - request ack */
2775  uint8_t response1[] = {
2776  0x55, 0x74, 0x54, 0x50, };
2777  tcph.th_ack = htonl(18);
2778  tcph.th_seq = htonl(1);
2779  tcph.th_flags = TH_PUSH | TH_ACK;
2780  p->flowflags = FLOW_PKT_TOCLIENT;
2781  p->payload_len = sizeof(response1);
2782  p->payload = response1;
2783  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2784  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2785  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2786  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2787  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2788  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2789  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2790  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2791  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2792  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2793  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2794  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2795 
2796  /* response ack from request */
2797  tcph.th_ack = htonl(5);
2798  tcph.th_seq = htonl(18);
2799  tcph.th_flags = TH_ACK;
2800  p->flowflags = FLOW_PKT_TOSERVER;
2801  p->payload_len = 0;
2802  p->payload = NULL;
2803  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2804  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2805  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2806  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2807  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2808  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2809  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2810  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2811  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2812  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2813  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2814  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2815 
2816  uint8_t response2[] = {
2817  0x2f, 0x31, 0x2e, 0x31,
2818  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2819  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2820  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2821  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2822  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2823  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2824  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2825  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2826  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2827  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2828  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2829  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2830  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2831  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2832  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2833  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2834  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2835  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2836  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2837  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2838  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2839  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2840  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2841  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2842  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2843  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2844  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2845  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2846  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2847  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2848  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2849  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2850  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2851  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2852  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2853  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2854  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2855  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2856  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2857  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2858  tcph.th_ack = htonl(18);
2859  tcph.th_seq = htonl(5);
2860  tcph.th_flags = TH_PUSH | TH_ACK;
2861  p->flowflags = FLOW_PKT_TOCLIENT;
2862  p->payload_len = sizeof(response2);
2863  p->payload = response2;
2864  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2865  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2866  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2867  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2868  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2869  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2870  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2871  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2872  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2873  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2874  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2875  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2876 
2877  /* response ack from request */
2878  tcph.th_ack = htonl(328);
2879  tcph.th_seq = htonl(18);
2880  tcph.th_flags = TH_ACK;
2881  p->flowflags = FLOW_PKT_TOSERVER;
2882  p->payload_len = 0;
2883  p->payload = NULL;
2884  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2885  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2886  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2887  FAIL_IF(f.alproto != ALPROTO_FAILED);
2888  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2889  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2890  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2891  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2892  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2893  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2894  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2895  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2896 
2897  TEST_END;
2898  PASS;
2899 }
2900 
2901 void AppLayerUnittestsRegister(void)
2902 {
2903  SCEnter();
2904 
2905  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2906  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2907  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2908  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2909  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2910  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2911  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2912  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2913  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2914  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2915 
2916  SCReturn;
2917 }
2918 
2919 #endif /* UNITTESTS */
AppLayerCounters_::counter_tx_id
StatsCounterId counter_tx_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:278
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:56
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:187
StatsRegisterGlobalCounter
StatsCounterGlobalId StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1053
Packet_::proto
uint8_t proto
Definition: decode.h:523
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:285
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:51
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:138
AppLayerCounters_
Definition: app-layer.c:89
ippair.h
SCAppLayerParserStateIssetFlag
uint16_t SCAppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1840
app-layer-htp-range.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1661
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
AppLayerCounterNames_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE]
Definition: app-layer.c:86
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
AppLayerCounters_::gap_error_id
StatsCounterId gap_error_id
Definition: app-layer.c:92
AppLayerCounters_::internal_error_id
StatsCounterId internal_error_id
Definition: app-layer.c:94
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:534
stream-tcp.h
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:49
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:7232
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(const char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:1006
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:52
StatsRegisterCounter
StatsCounterId StatsRegisterCounter(const char *name, StatsThreadContext *stats)
Registers a normal, unqualified counter.
Definition: counters.c:1001
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:83
name
const char * name
Definition: detect-engine-proto.c:48
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:48
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1155
Flow_::proto
uint8_t proto
Definition: flow.h:369
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
Packet_::payload
uint8_t * payload
Definition: decode.h:605
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:62
Packet_::flags
uint32_t flags
Definition: decode.h:544
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:72
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:186
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:42
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:63
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:347
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:165
Flow_::protomap
uint8_t protomap
Definition: flow.h:436
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:68
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:45
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:57
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1142
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:224
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:228
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir app_update_dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1396
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:66
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:305
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1311
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:447
AppLayerProtoDetectSupportedIpprotos
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
Definition: app-layer-detect-proto.c:2041
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:79
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:59
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1150
AppLayerCounterNames_
Definition: app-layer.c:79
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1640
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
handle TCP data for the app-layer.
Definition: app-layer.c:709
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:224
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:65
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6807
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
app_layer_error_eps_stats
ExceptionPolicyStatsSetts app_layer_error_eps_stats
Definition: app-layer.c:108
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:71
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2901
StatsCounterId
Definition: counters.h:30
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:49
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:80
AppLayerCounters_::counter_id
StatsCounterId counter_id
Definition: app-layer.c:90
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:1020
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1202
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:40
app-layer-ftp.h
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:58
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:69
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:227
MAX
#define MAX(x, y)
Definition: suricata-common.h:412
Flow_::protoctx
void * protoctx
Definition: flow.h:432
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:173
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:632
util-unittest.h
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:181
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1099
HostGetMemcap
uint64_t HostGetMemcap(void)
Return memcap value.
Definition: host.c:83
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1303
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:78
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:269
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:50
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:469
EXCEPTION_POLICY_MAX
#define EXCEPTION_POLICY_MAX
Definition: util-exception-policy-types.h:37
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1780
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:70
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1082
app-layer-expectation.h
app-layer-detect-proto.h
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:179
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:135
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
ExceptionPolicyCounters_
Definition: util-exception-policy-types.h:52
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:46
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:270
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1163
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:50
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:387
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:67
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, int64_t step)
Definition: app-layer.c:157
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:581
util-exception-policy.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
AppProtoRegisterProtoString
void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name)
Definition: app-layer-protos.c:81
HTPByteRangeMemuseGlobalCounter
uint64_t HTPByteRangeMemuseGlobalCounter(void)
Definition: app-layer-htp-range.c:62
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:59
util-print.h
IPPairGetMemcap
uint64_t IPPairGetMemcap(void)
Return memcap value.
Definition: ippair.c:81
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5669
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1869
StatsCounterIncr
void StatsCounterIncr(StatsThreadContext *stats, StatsCounterId id)
Increments the local counter.
Definition: counters.c:165
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1393
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:59
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
HostGetMemuse
uint64_t HostGetMemuse(void)
Return memuse value.
Definition: host.c:94
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:206
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:104
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:259
SCReturn
#define SCReturn
Definition: util-debug.h:286
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:277
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
Packet_
Definition: decode.h:501
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:41
stream-tcp-private.h
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:68
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:75
applayer_counters
AppLayerCounters(* applayer_counters)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:102
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:874
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp)
Definition: util-profiling.h:173
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:63
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:300
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:61
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:722
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1112
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:54
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:66
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:181
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:85
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:225
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:450
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:57
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1284
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:447
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:279
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1718
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:62
IPPairGetMemuse
uint64_t IPPairGetMemuse(void)
Return memuse value.
Definition: ippair.c:92
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:535
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:103
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:189
eps_error_summary
ExceptionPolicyCounters eps_error_summary
Definition: app-layer.c:104
FatalError
#define FatalError(...)
Definition: util-debug.h:517
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:48
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
applayer_counter_names
AppLayerCounterNames(* applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:100
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1304
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:40
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1572
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
app-layer-events.h
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:246
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2103
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1394
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1962
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2061
str
#define str(s)
Definition: suricata-common.h:308
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:434
ExceptionPolicyEnumToString
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
Definition: util-exception-policy.c:39
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:442
AppLayerCounters_::alloc_error_id
StatsCounterId alloc_error_id
Definition: app-layer.c:95
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:60
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:7238
Flow_::alstate
void * alstate
Definition: flow.h:470
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1133
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
HTPByteRangeMemcapGlobalCounter
uint64_t HTPByteRangeMemcapGlobalCounter(void)
Definition: app-layer-htp-range.c:56
Flow_::flags
uint32_t flags
Definition: flow.h:412
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
StatsCounterId::id
uint16_t id
Definition: counters.h:31
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:86
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:61
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1013
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:155
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerCounters_::eps_error
ExceptionPolicyCounters eps_error
Definition: app-layer.c:96
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:67
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:84
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:61
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:298
app-layer-protos.h
AppLayerProfilingReset
#define AppLayerProfilingReset(app_tctx)
Definition: app-layer.h:127
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:246
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:60
TEST_END
#define TEST_END
Definition: app-layer.c:1476
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2015
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:70
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:52
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
AppLayerCounters_::parser_error_id
StatsCounterId parser_error_id
Definition: app-layer.c:93
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:197
TcpSession_
Definition: stream-tcp-private.h:283
FrameConfigDeInit
void FrameConfigDeInit(void)
Definition: app-layer-frames.c:51
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:443
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:76
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1482
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:441
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:85
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:195
StatsCounterAddI64
void StatsCounterAddI64(StatsThreadContext *stats, StatsCounterId id, int64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:47
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1379
ExceptionPolicyCounters_::eps_id
StatsCounterId eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:54
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
ExceptionPolicyStatsSetts_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][EXCEPTION_POLICY_COUNTER_MAX_LEN]
Definition: util-exception-policy-types.h:58
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2086
app-layer.h
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:455