suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
70 #endif
71 };
72 
73 #define MAX_COUNTER_SIZE 64
74 typedef struct AppLayerCounterNames_ {
78 
79 typedef struct AppLayerCounters_ {
80  uint16_t counter_id;
81  uint16_t counter_tx_id;
83 
84 /* counter names. Only used at init. */
86 /* counter id's. Used that runtime. */
88 
89 void AppLayerSetupCounters(void);
90 void AppLayerDeSetupCounters(void);
91 
92 /***** L7 layer dispatchers *****/
93 
94 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
95  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
97  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
98 }
99 
100 /**
101  * \note id can be 0 if protocol parser is disabled but detection
102  * is enabled.
103  */
104 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
105 {
106  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
107  if (likely(tv && id > 0)) {
108  StatsIncr(tv, id);
109  }
110 }
111 
112 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
113 {
114  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
115  if (likely(tv && id > 0)) {
116  StatsAddUI64(tv, id, step);
117  }
118 }
119 
120 /* in IDS mode protocol detection is done in reverse order:
121  * when TCP data is ack'd. We want to flag the correct packet,
122  * so in this case we set a flag in the flow so that the first
123  * packet in the correct direction can be tagged.
124  *
125  * For IPS things are much simpler, and we don't use the flow
126  * flag. We just tag the packet directly. */
127 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
128 {
129  if (EngineModeIsIPS()) {
130  if (flags & STREAM_TOSERVER) {
131  if (p->flowflags & FLOW_PKT_TOSERVER) {
133  } else {
135  }
136  } else {
137  if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  } else {
141  }
142  }
143  } else {
144  if (flags & STREAM_TOSERVER) {
146  } else {
148  }
149  }
150 }
151 
152 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
153 {
154  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
155  f, f->alproto, f->alproto_ts, f->alproto_tc);
158  TcpSession *ssn = f->protoctx;
160  f->alproto = ALPROTO_FAILED;
161  AppLayerIncFlowCounter(tv, f);
162 
163  if (f->alproto_tc != ALPROTO_FAILED) {
164  if (f->alproto_tc == ALPROTO_UNKNOWN) {
166  }
167  FlagPacketFlow(p, f, STREAM_TOCLIENT);
168  }
169  if (f->alproto_ts != ALPROTO_FAILED) {
170  if (f->alproto_ts == ALPROTO_UNKNOWN) {
172  }
173  FlagPacketFlow(p, f, STREAM_TOSERVER);
174  }
175  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
176  f, f->alproto, f->alproto_ts, f->alproto_tc);
177 }
178 
179 /* See if we're going to have to give up:
180  *
181  * If we're getting a lot of data in one direction and the
182  * proto for this direction is unknown, proto detect will
183  * hold up segments in the segment list in the stream.
184  * They are held so that if we detect the protocol on the
185  * opposing stream, we can still parse this side of the stream
186  * as well. However, some sessions are very unbalanced. FTP
187  * data channels, large PUT/POST request and many others, can
188  * lead to cases where we would have to store many megabytes
189  * worth of segments before we see the opposing stream. This
190  * leads to risks of resource starvation.
191  *
192  * Here a cutoff point is enforced. If we've stored 100k in
193  * one direction and we've seen no data in the other direction,
194  * we give up.
195  *
196  * Giving up means we disable applayer an set an applayer event
197  */
198 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
199  Flow *f, TcpSession *ssn, Packet *p)
200 {
201  if (ssn->state < TCP_ESTABLISHED) {
202  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
203  return;
204  }
205 
206  const uint64_t size_ts = STREAM_HAS_SEEN_DATA(&ssn->client) ?
207  STREAM_RIGHT_EDGE(&ssn->client) : 0;
208  const uint64_t size_tc = STREAM_HAS_SEEN_DATA(&ssn->server) ?
209  STREAM_RIGHT_EDGE(&ssn->server) : 0;
210  SCLogDebug("size_ts %"PRIu64", size_tc %"PRIu64, size_ts, size_tc);
211 
212  DEBUG_VALIDATE_BUG_ON(size_ts > 1000000UL);
213  DEBUG_VALIDATE_BUG_ON(size_tc > 1000000UL);
214 
215  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
216  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
217  {
218  goto failure;
219 
221  size_ts > 100000 && size_tc == 0)
222  {
225  goto failure;
226 
228  size_tc > 100000 && size_ts == 0)
229  {
232  goto failure;
233 
234  /* little data in ts direction, pp done, pm not done (max
235  * depth not reached), ts direction done, lots of data in
236  * tc direction. */
237  } else if (size_tc > 100000 &&
240  {
243  goto failure;
244 
245  /* little data in tc direction, pp done, pm not done (max
246  * depth not reached), tc direction done, lots of data in
247  * ts direction. */
248  } else if (size_ts > 100000 &&
251  {
254  goto failure;
255 
256  /* in case of really low TS data (e.g. 4 bytes) we can have
257  * the PP complete, PM not complete (depth not reached) and
258  * the TC side also not recognized (proto unknown) */
259  } else if (size_tc > 100000 &&
262  {
265  goto failure;
266  }
267  return;
268 
269 failure:
270  DisableAppLayer(tv, f, p);
271  return;
272 }
273 
274 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
275  TcpReassemblyThreadCtx *ra_ctx,
276  Packet *p, TcpSession *ssn, TcpStream *stream)
277 {
278  TcpStream *opposing_stream = NULL;
279  if (stream == &ssn->client) {
280  opposing_stream = &ssn->server;
281  } else {
282  opposing_stream = &ssn->client;
283  }
284 
285  /* if the opposing side is not going to work, then
286  * we just have to give up. */
287  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
288  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
289  return -1;
290  }
291 
292  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
295  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
296  opposing_stream, p, dir);
297  return ret;
298 }
299 
300 /** \todo data const
301  * \retval int -1 error
302  * \retval int 0 ok
303  */
304 static int TCPProtoDetect(ThreadVars *tv,
305  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
306  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
307  uint8_t *data, uint32_t data_len, uint8_t flags)
308 {
309  AppProto *alproto;
310  AppProto *alproto_otherdir;
311  int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
312 
313  if (flags & STREAM_TOSERVER) {
314  alproto = &f->alproto_ts;
315  alproto_otherdir = &f->alproto_tc;
316  } else {
317  alproto = &f->alproto_tc;
318  alproto_otherdir = &f->alproto_ts;
319  }
320 
321  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
322 #ifdef PRINT
323  if (data_len > 0) {
324  printf("=> Init Stream Data (app layer) -- start %s%s\n",
325  flags & STREAM_TOCLIENT ? "toclient" : "",
326  flags & STREAM_TOSERVER ? "toserver" : "");
327  PrintRawDataFp(stdout, data, data_len);
328  printf("=> Init Stream Data -- end\n");
329  }
330 #endif
331 
332  bool reverse_flow = false;
334  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
335  f, data, data_len,
336  IPPROTO_TCP, flags, &reverse_flow);
337  PACKET_PROFILING_APP_PD_END(app_tctx);
338  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
339 
340  if (*alproto != ALPROTO_UNKNOWN) {
341  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
344 
346  /* if we already invoked the parser, we go with that proto */
347  f->alproto = *alproto_otherdir;
348  } else {
349  /* no data sent to parser yet, we can still choose
350  * we're trusting the server more. */
351  if (flags & STREAM_TOCLIENT)
352  f->alproto = *alproto;
353  else
354  f->alproto = *alproto_otherdir;
355  }
356  } else {
357  f->alproto = *alproto;
358  }
359 
363  FlagPacketFlow(p, f, flags);
364  /* if protocol detection indicated that we need to reverse
365  * the direction of the flow, do it now. We flip the flow,
366  * packet and the direction flags */
367  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
368  SCLogDebug("reversing flow after proto detect told us so");
369  PacketSwap(p);
370  FlowSwap(f);
372  if (*stream == &ssn->client) {
373  *stream = &ssn->server;
374  } else {
375  *stream = &ssn->client;
376  }
377  direction = 1 - direction;
378  }
379 
380  /* account flow if we have both sides */
381  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
382  AppLayerIncFlowCounter(tv, f);
383  }
384 
385  /* if we have seen data from the other direction first, send
386  * data for that direction first to the parser. This shouldn't
387  * be an issue, since each stream processing happens
388  * independently of the other stream direction. At this point of
389  * call, you need to know that this function's already being
390  * called by the very same StreamReassembly() function that we
391  * will now call shortly for the opposing direction. */
393  !(flags & ssn->data_first_seen_dir))
394  {
395  SCLogDebug("protocol %s needs first data in other direction",
396  AppProtoToString(*alproto));
397 
398  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
399  p, ssn, *stream) != 0)
400  {
401  DisableAppLayer(tv, f, p);
402  SCReturnInt(-1);
403  }
404  }
405 
406  /* if the parser operates such that it needs to see data from
407  * a particular direction first, we check if we have seen
408  * data from that direction first for the flow. IF it is not
409  * the same, we set an event and exit.
410  *
411  * \todo We need to figure out a more robust solution for this,
412  * as this can lead to easy evasion tactics, where the
413  * attackeer can first send some dummy data in the wrong
414  * direction first to mislead our proto detection process.
415  * While doing this we need to update the parsers as well,
416  * since the parsers must be robust to see such wrong
417  * direction data.
418  * Either ways the moment we see the
419  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
420  * flow, it shows something's fishy.
421  */
423  uint8_t first_data_dir;
424  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
425 
426  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
429  DisableAppLayer(tv, f, p);
430  SCReturnInt(-1);
431  }
432  /* This can happen if the current direction is not the
433  * right direction, and the data from the other(also
434  * the right direction) direction is available to be sent
435  * to the app layer, but it is not ack'ed yet and hence
436  * the forced call to STreamTcpAppLayerReassemble still
437  * hasn't managed to send data from the other direction
438  * to the app layer. */
439  if (first_data_dir && !(first_data_dir & flags)) {
445  SCReturnInt(-1);
446  }
447  }
448 
449  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
451 
452  /* finally, invoke the parser */
453  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
454  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
455  flags, data, data_len);
456  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
457  if (r < 0) {
458  SCReturnInt(-1);
459  } else if (r == 0) {
460  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
461  }
462  } else {
463  /* if the ssn is midstream, we may end up with a case where the
464  * start of an HTTP request is missing. We won't detect HTTP based
465  * on the request. However, the reply is fine, so we detect
466  * HTTP anyway. This leads to passing the incomplete request to
467  * the htp parser.
468  *
469  * This has been observed, where the http parser then saw many
470  * bogus requests in the incomplete data.
471  *
472  * To counter this case, a midstream session MUST find it's
473  * protocol in the toserver direction. If not, we assume the
474  * start of the request/toserver is incomplete and no reliable
475  * detection and parsing is possible. So we give up.
476  */
477  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
479  {
481  SCLogDebug("midstream end pd %p", ssn);
482  /* midstream and toserver detection failed: give up */
483  DisableAppLayer(tv, f, p);
484  SCReturnInt(0);
485  }
486  }
487 
488  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
489  uint8_t first_data_dir;
490  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
491 
492  /* this would handle this test case -
493  * http parser which says it wants to see toserver data first only.
494  * tcp handshake
495  * toclient data first received. - RUBBISH DATA which
496  * we don't detect as http
497  * toserver data next sent - we detect this as http.
498  * at this stage we see that toclient is the first data seen
499  * for this session and we try and redetect the app protocol,
500  * but we are unable to detect the app protocol like before.
501  * But since we have managed to detect the protocol for the
502  * other direction as http, we try to use that. At this
503  * stage we check if the direction of this stream matches
504  * to that acceptable by the app parser. If it is not the
505  * acceptable direction we error out.
506  */
508  (first_data_dir) && !(first_data_dir & flags))
509  {
510  DisableAppLayer(tv, f, p);
511  SCReturnInt(-1);
512  }
513 
514  /* if protocol detection is marked done for our direction we
515  * pass our data on. We're only succeeded in finding one
516  * direction: the opposing stream
517  *
518  * If PD was not yet complete, we don't do anything.
519  */
520  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
521  if (data_len > 0)
523 
524  if (*alproto_otherdir != ALPROTO_FAILED) {
525  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
526  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
527  f->alproto, flags,
528  data, data_len);
529  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
530  if (r == 0) {
531  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
532  }
533 
538 
539  *alproto = *alproto_otherdir;
540  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
541  p->pcap_cnt, *alproto, *alproto_otherdir, r);
542  if (r < 0) {
543  SCReturnInt(-1);
544  }
545  }
546  *alproto = ALPROTO_FAILED;
548  AppLayerIncFlowCounter(tv, f);
549  FlagPacketFlow(p, f, flags);
550 
551  }
552  } else {
553  /* both sides unknown, let's see if we need to give up */
554  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
555  }
556  }
557  SCReturnInt(0);
558 }
559 
560 /** \brief handle TCP data for the app-layer.
561  *
562  * First run protocol detection and then when the protocol is known invoke
563  * the app layer parser.
564  *
565  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
566  * reversed.
567  */
569  Packet *p, Flow *f,
570  TcpSession *ssn, TcpStream **stream,
571  uint8_t *data, uint32_t data_len,
572  uint8_t flags)
573 {
574  SCEnter();
575 
577  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
578 
579  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
580  AppProto alproto;
581  int r = 0;
582 
583  SCLogDebug("data_len %u flags %02X", data_len, flags);
585  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
586  goto end;
587  }
588 
589  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
590 
591  if (flags & STREAM_TOSERVER) {
592  alproto = f->alproto_ts;
593  } else {
594  alproto = f->alproto_tc;
595  }
596 
597  /* If a gap notification, relay the notification on to the
598  * app-layer if known. */
599  if (flags & STREAM_GAP) {
600  if (alproto == ALPROTO_UNKNOWN) {
602  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
603  /* if the other side didn't already find the proto, we're done */
604  if (f->alproto == ALPROTO_UNKNOWN) {
605  goto failure;
606  }
607  }
608  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
609  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
610  flags, data, data_len);
611  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
612  /* ignore parser result for gap */
613  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
614  goto end;
615  }
616 
617  /* if we don't know the proto yet and we have received a stream
618  * initializer message, we run proto detection.
619  * We receive 2 stream init msgs (one for each direction) but we
620  * only run the proto detection once. */
621  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
622  /* run protocol detection */
623  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
624  data, data_len, flags) != 0) {
625  goto failure;
626  }
627  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
628  f->alproto_orig = f->alproto;
629  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
630  void *alstate_orig = f->alstate;
631  AppLayerParserState *alparser = f->alparser;
632  // we delay AppLayerParserStateCleanup because we may need previous parser state
636  /* rerun protocol detection */
637  int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
638  if (f->alproto == ALPROTO_UNKNOWN) {
639  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
640  // not enough data, revert AppLayerProtoDetectReset to rerun detection
641  f->alparser = alparser;
642  f->alproto = f->alproto_orig;
643  f->alproto_tc = f->alproto_orig;
644  f->alproto_ts = f->alproto_orig;
645  } else {
647  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
648  if (alstate_orig == f->alstate) {
649  // we just freed it
650  f->alstate = NULL;
651  }
652  }
653  if (rd != 0) {
654  SCLogDebug("proto detect failure");
655  goto failure;
656  }
657  SCLogDebug("protocol change, old %s, new %s",
659 
660  if (f->alproto_expect != ALPROTO_UNKNOWN &&
661  f->alproto != f->alproto_expect)
662  {
665 
666  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
669 
670  }
671  }
672  } else {
673  SCLogDebug("stream data (len %" PRIu32 " alproto "
674  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
675 #ifdef PRINT
676  if (data_len > 0) {
677  printf("=> Stream Data (app layer) -- start %s%s\n",
678  flags & STREAM_TOCLIENT ? "toclient" : "",
679  flags & STREAM_TOSERVER ? "toserver" : "");
680  PrintRawDataFp(stdout, data, data_len);
681  printf("=> Stream Data -- end\n");
682  }
683 #endif
684  /* if we don't have a data object here we are not getting it
685  * a start msg should have gotten us one */
686  if (f->alproto != ALPROTO_UNKNOWN) {
687  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
688  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
689  flags, data, data_len);
690  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
691  if (r == 0) {
692  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
693  }
694  }
695  }
696 
697  goto end;
698  failure:
699  r = -1;
700  end:
701  SCReturnInt(r);
702 }
703 
704 /**
705  * \brief Handle a app layer UDP message
706  *
707  * If the protocol is yet unknown, the proto detection code is run first.
708  *
709  * \param dp_ctx Thread app layer detect context
710  * \param f *locked* flow
711  * \param p UDP packet
712  *
713  * \retval 0 ok
714  * \retval -1 error
715  */
717 {
718  SCEnter();
719 
720  if (f->alproto == ALPROTO_FAILED) {
721  SCReturnInt(0);
722  }
723 
724  int r = 0;
725  uint8_t flags = 0;
726  if (p->flowflags & FLOW_PKT_TOSERVER) {
728  } else {
730  }
731 
732  AppLayerProfilingReset(tctx);
733 
734  /* if the protocol is still unknown, run detection */
735  if (f->alproto == ALPROTO_UNKNOWN) {
736  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
737  p->payload_len);
738 
739  bool reverse_flow = false;
742  f, p->payload, p->payload_len,
743  IPPROTO_UDP, flags, &reverse_flow);
745 
746  if (f->alproto != ALPROTO_UNKNOWN) {
747  AppLayerIncFlowCounter(tv, f);
748 
749  if (reverse_flow) {
750  SCLogDebug("reversing flow after proto detect told us so");
751  PacketSwap(p);
752  FlowSwap(f);
754  }
755 
757  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
758  flags, p->payload, p->payload_len);
760  } else {
761  f->alproto = ALPROTO_FAILED;
762  AppLayerIncFlowCounter(tv, f);
763  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
764  }
766  /* we do only inspection in one direction, so flag both
767  * sides as done here */
768  FlagPacketFlow(p, f, STREAM_TOSERVER);
769  FlagPacketFlow(p, f, STREAM_TOCLIENT);
770  } else {
771  SCLogDebug("data (len %" PRIu32 " ), alproto "
772  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
773 
774  /* run the parser */
776  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
777  flags, p->payload, p->payload_len);
780  }
781 
782  SCReturnInt(r);
783 }
784 
785 /***** Utility *****/
786 
787 AppProto AppLayerGetProtoByName(char *alproto_name)
788 {
789  SCEnter();
791  SCReturnCT(r, "AppProto");
792 }
793 
794 const char *AppLayerGetProtoName(AppProto alproto)
795 {
796  SCEnter();
797  const char * r = AppLayerProtoDetectGetProtoName(alproto);
798  SCReturnCT(r, "char *");
799 }
800 
802 {
803  SCEnter();
804 
805  AppProto alproto;
806  AppProto alprotos[ALPROTO_MAX];
807 
809 
810  printf("=========Supported App Layer Protocols=========\n");
811  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
812  if (alprotos[alproto] == 1)
813  printf("%s\n", AppLayerGetProtoName(alproto));
814  }
815 
816  SCReturn;
817 }
818 
819 /***** Setup/General Registration *****/
820 
821 int AppLayerSetup(void)
822 {
823  SCEnter();
824 
827 
830 
832 
833  SCReturnInt(0);
834 }
835 
837 {
838  SCEnter();
839 
842 
844 
845  SCReturnInt(0);
846 }
847 
849 {
850  SCEnter();
851 
852  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
853  if (app_tctx == NULL)
854  goto error;
855  memset(app_tctx, 0, sizeof(*app_tctx));
856 
857  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
858  goto error;
859  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
860  goto error;
861 
862  goto done;
863  error:
864  AppLayerDestroyCtxThread(app_tctx);
865  app_tctx = NULL;
866  done:
867  SCReturnPtr(app_tctx, "void *");
868 }
869 
871 {
872  SCEnter();
873 
874  if (app_tctx == NULL)
875  SCReturn;
876 
877  if (app_tctx->alpd_tctx != NULL)
879  if (app_tctx->alp_tctx != NULL)
881  SCFree(app_tctx);
882 
883  SCReturn;
884 }
885 
887 {
888  PACKET_PROFILING_APP_RESET(app_tctx);
889 }
890 
892 {
893  PACKET_PROFILING_APP_STORE(app_tctx, p);
894 }
895 
896 /** \brief HACK to work around our broken unix manager (re)init loop
897  */
899 {
904  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
905 }
906 
907 #define IPPROTOS_MAX 2
909 {
910  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
911  uint8_t ipproto;
912  AppProto alproto;
913  AppProto alprotos[ALPROTO_MAX];
914  const char *str = "app_layer.flow.";
915 
917 
918  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
919  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
920  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
921  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
922 
923  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
924  if (alprotos[alproto] == 1) {
925  const char *tx_str = "app_layer.tx.";
926  const char *alproto_str = AppLayerGetProtoName(alproto);
927 
928  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
929  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
930  {
931  snprintf(applayer_counter_names[ipproto_map][alproto].name,
932  sizeof(applayer_counter_names[ipproto_map][alproto].name),
933  "%s%s%s", str, alproto_str, ipproto_suffix);
934  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
935  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
936  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
937  } else {
938  snprintf(applayer_counter_names[ipproto_map][alproto].name,
939  sizeof(applayer_counter_names[ipproto_map][alproto].name),
940  "%s%s", str, alproto_str);
941  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
942  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
943  "%s%s", tx_str, alproto_str);
944  }
945  } else if (alproto == ALPROTO_FAILED) {
946  snprintf(applayer_counter_names[ipproto_map][alproto].name,
947  sizeof(applayer_counter_names[ipproto_map][alproto].name),
948  "%s%s%s", str, "failed", ipproto_suffix);
949  }
950  }
951  }
952 }
953 
955 {
956  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
957  uint8_t ipproto;
958  AppProto alproto;
959  AppProto alprotos[ALPROTO_MAX];
960 
962 
963  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
964  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
965 
966  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
967  if (alprotos[alproto] == 1) {
968  applayer_counters[ipproto_map][alproto].counter_id =
969  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
970 
971  applayer_counters[ipproto_map][alproto].counter_tx_id =
972  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
973  } else if (alproto == ALPROTO_FAILED) {
974  applayer_counters[ipproto_map][alproto].counter_id =
975  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
976  }
977  }
978  }
979 }
980 
982 {
984  memset(applayer_counters, 0, sizeof(applayer_counters));
985 }
986 
987 /***** Unittests *****/
988 
989 #ifdef UNITTESTS
990 #include "pkt-var.h"
991 #include "stream-tcp.h"
992 #include "stream-tcp-util.h"
993 #include "stream.h"
994 #include "util-unittest.h"
995 
996 #define TEST_START \
997  Packet *p = SCMalloc(SIZE_OF_PACKET);\
998  FAIL_IF_NULL(p);\
999  Flow f;\
1000  ThreadVars tv;\
1001  StreamTcpThread *stt = NULL;\
1002  TCPHdr tcph;\
1003  PacketQueueNoLock pq;\
1004  memset(&pq,0,sizeof(PacketQueueNoLock));\
1005  memset(p, 0, SIZE_OF_PACKET);\
1006  memset (&f, 0, sizeof(Flow));\
1007  memset(&tv, 0, sizeof (ThreadVars));\
1008  memset(&tcph, 0, sizeof (TCPHdr));\
1009 \
1010  FLOW_INITIALIZE(&f);\
1011  f.flags = FLOW_IPV4;\
1012  f.proto = IPPROTO_TCP;\
1013  p->flow = &f;\
1014  p->tcph = &tcph;\
1015 \
1016  StreamTcpInitConfig(TRUE);\
1017  IPPairInitConfig(TRUE); \
1018  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
1019 \
1020  /* handshake */\
1021  tcph.th_win = htons(5480);\
1022  tcph.th_flags = TH_SYN;\
1023  p->flowflags = FLOW_PKT_TOSERVER;\
1024  p->payload_len = 0;\
1025  p->payload = NULL;\
1026  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1027  TcpSession *ssn = (TcpSession *)f.protoctx;\
1028 \
1029  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1030  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1031  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1032  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1033  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1034  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1035  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1036  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1037  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1038  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1039  FAIL_IF(ssn->data_first_seen_dir != 0);\
1040 \
1041  /* handshake */\
1042  p->tcph->th_ack = htonl(1);\
1043  p->tcph->th_flags = TH_SYN | TH_ACK;\
1044  p->flowflags = FLOW_PKT_TOCLIENT;\
1045  p->payload_len = 0;\
1046  p->payload = NULL;\
1047  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1048  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1049  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1050  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1051  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1052  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1053  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1054  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1055  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1056  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1057  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1058  FAIL_IF(ssn->data_first_seen_dir != 0);\
1059 \
1060  /* handshake */\
1061  p->tcph->th_ack = htonl(1);\
1062  p->tcph->th_seq = htonl(1);\
1063  p->tcph->th_flags = TH_ACK;\
1064  p->flowflags = FLOW_PKT_TOSERVER;\
1065  p->payload_len = 0;\
1066  p->payload = NULL;\
1067  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1068  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1069  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1070  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1071  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1072  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1073  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1074  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1075  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1076  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1077  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1078  FAIL_IF(ssn->data_first_seen_dir != 0);
1079 #define TEST_END \
1080  StreamTcpSessionClear(p->flow->protoctx);\
1081  StreamTcpThreadDeinit(&tv, (void *)stt); \
1082  StreamTcpFreeConfig(TRUE);\
1083  PACKET_DESTRUCTOR(p);\
1084  SCFree(p);\
1085  FLOW_DESTROY(&f); \
1086  StatsThreadCleanup(&tv);
1087 
1088 /**
1089  * \test GET -> HTTP/1.1
1090  */
1091 static int AppLayerTest01(void)
1092 {
1093  TEST_START;
1094 
1095  /* full request */
1096  uint8_t request[] = {
1097  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1098  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1099  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1100  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1101  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1102  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1103  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1104  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1105  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1106  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1107  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1108  p->tcph->th_ack = htonl(1);
1109  p->tcph->th_seq = htonl(1);
1110  p->tcph->th_flags = TH_PUSH | TH_ACK;
1112  p->payload_len = sizeof(request);
1113  p->payload = request;
1114  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1126 
1127  /* full response - request ack */
1128  uint8_t response[] = {
1129  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1130  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1131  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1132  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1133  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1134  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1135  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1136  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1137  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1138  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1139  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1140  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1141  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1142  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1143  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1144  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1145  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1146  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1147  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1148  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1149  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1150  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1151  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1152  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1153  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1154  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1155  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1156  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1157  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1158  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1159  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1160  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1161  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1162  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1163  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1164  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1165  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1166  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1167  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1168  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1169  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1170  p->tcph->th_ack = htonl(88);
1171  p->tcph->th_seq = htonl(1);
1172  p->tcph->th_flags = TH_PUSH | TH_ACK;
1174  p->payload_len = sizeof(response);
1175  p->payload = response;
1176  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1188 
1189  /* response ack */
1190  p->tcph->th_ack = htonl(328);
1191  p->tcph->th_seq = htonl(88);
1192  p->tcph->th_flags = TH_ACK;
1194  p->payload_len = 0;
1195  p->payload = NULL;
1196  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1208 
1209  TEST_END;
1210  PASS;
1211 }
1212 
1213 /**
1214  * \test GE -> T -> HTTP/1.1
1215  */
1216 static int AppLayerTest02(void)
1217 {
1218  TEST_START;
1219 
1220  /* partial request */
1221  uint8_t request1[] = { 0x47, 0x45, };
1222  p->tcph->th_ack = htonl(1);
1223  p->tcph->th_seq = htonl(1);
1224  p->tcph->th_flags = TH_PUSH | TH_ACK;
1226  p->payload_len = sizeof(request1);
1227  p->payload = request1;
1228  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1240 
1241  /* response ack against partial request */
1242  p->tcph->th_ack = htonl(3);
1243  p->tcph->th_seq = htonl(1);
1244  p->tcph->th_flags = TH_ACK;
1246  p->payload_len = 0;
1247  p->payload = NULL;
1248  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1260 
1261  /* complete partial request */
1262  uint8_t request2[] = {
1263  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1264  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1265  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1266  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1267  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1268  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1269  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1270  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1271  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1272  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1273  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1274  p->tcph->th_ack = htonl(1);
1275  p->tcph->th_seq = htonl(3);
1276  p->tcph->th_flags = TH_PUSH | TH_ACK;
1278  p->payload_len = sizeof(request2);
1279  p->payload = request2;
1280  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1292 
1293  /* response - request ack */
1294  uint8_t response[] = {
1295  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1296  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1297  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1298  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1299  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1300  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1301  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1302  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1303  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1304  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1305  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1306  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1307  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1308  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1309  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1310  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1311  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1312  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1313  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1314  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1315  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1316  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1317  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1318  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1319  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1320  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1321  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1322  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1323  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1324  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1325  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1326  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1327  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1328  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1329  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1330  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1331  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1332  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1333  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1334  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1335  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1336  p->tcph->th_ack = htonl(88);
1337  p->tcph->th_seq = htonl(1);
1338  p->tcph->th_flags = TH_PUSH | TH_ACK;
1340  p->payload_len = sizeof(response);
1341  p->payload = response;
1342  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1354 
1355  /* response ack */
1356  p->tcph->th_ack = htonl(328);
1357  p->tcph->th_seq = htonl(88);
1358  p->tcph->th_flags = TH_ACK;
1360  p->payload_len = 0;
1361  p->payload = NULL;
1362  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1374 
1375  TEST_END;
1376  PASS;
1377 }
1378 
1379 /**
1380  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1381  */
1382 static int AppLayerTest03(void)
1383 {
1384  TEST_START;
1385 
1386  /* request */
1387  uint8_t request[] = {
1388  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1389  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1390  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1391  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1392  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1393  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1394  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1395  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1396  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1397  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1398  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1399  p->tcph->th_ack = htonl(1);
1400  p->tcph->th_seq = htonl(1);
1401  p->tcph->th_flags = TH_PUSH | TH_ACK;
1403  p->payload_len = sizeof(request);
1404  p->payload = request;
1405  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1417 
1418  /* rubbish response */
1419  uint8_t response[] = {
1420  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1421  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1422  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1423  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1424  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1425  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1426  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1427  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1428  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1429  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1430  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1431  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1432  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1433  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1434  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1435  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1436  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1437  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1438  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1439  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1440  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1441  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1442  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1443  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1444  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1445  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1446  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1447  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1448  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1449  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1450  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1451  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1452  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1453  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1454  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1455  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1456  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1457  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1458  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1459  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1460  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1461  p->tcph->th_ack = htonl(88);
1462  p->tcph->th_seq = htonl(1);
1463  p->tcph->th_flags = TH_PUSH | TH_ACK;
1465  p->payload_len = sizeof(response);
1466  p->payload = response;
1467  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1479 
1480  /* response ack */
1481  p->tcph->th_ack = htonl(328);
1482  p->tcph->th_seq = htonl(88);
1483  p->tcph->th_flags = TH_ACK;
1485  p->payload_len = 0;
1486  p->payload = NULL;
1487  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1499 
1500  TEST_END;
1501  PASS;
1502 }
1503 
1504 /**
1505  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1506  */
1507 static int AppLayerTest04(void)
1508 {
1509  TEST_START;
1510 
1511  /* request */
1512  uint8_t request[] = {
1513  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1514  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1515  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1516  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1517  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1518  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1519  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1520  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1521  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1522  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1523  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1524  PrintRawDataFp(stdout, request, sizeof(request));
1525  p->tcph->th_ack = htonl(1);
1526  p->tcph->th_seq = htonl(1);
1527  p->tcph->th_flags = TH_PUSH | TH_ACK;
1529  p->payload_len = sizeof(request);
1530  p->payload = request;
1531  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1542  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1543 
1544  /* partial response */
1545  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1546  PrintRawDataFp(stdout, response1, sizeof(response1));
1547  p->tcph->th_ack = htonl(88);
1548  p->tcph->th_seq = htonl(1);
1549  p->tcph->th_flags = TH_PUSH | TH_ACK;
1551  p->payload_len = sizeof(response1);
1552  p->payload = response1;
1553  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1556  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1557  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1564  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1565 
1566  /* partial response ack */
1567  p->tcph->th_ack = htonl(5);
1568  p->tcph->th_seq = htonl(88);
1569  p->tcph->th_flags = TH_ACK;
1571  p->payload_len = 0;
1572  p->payload = NULL;
1573  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1576  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1577  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1583  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1584  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1585 
1586  /* remaining response */
1587  uint8_t response2[] = {
1588  0x2f, 0x31, 0x2e, 0x31,
1589  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1590  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1591  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1592  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1593  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1594  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1595  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1596  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1597  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1598  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1599  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1600  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1601  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1602  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1603  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1604  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1605  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1606  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1607  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1608  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1609  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1610  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1611  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1612  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1613  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1614  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1615  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1616  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1617  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1618  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1619  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1620  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1621  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1622  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1623  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1624  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1625  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1626  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1627  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1628  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1629  PrintRawDataFp(stdout, response2, sizeof(response2));
1630  p->tcph->th_ack = htonl(88);
1631  p->tcph->th_seq = htonl(5);
1632  p->tcph->th_flags = TH_PUSH | TH_ACK;
1634  p->payload_len = sizeof(response2);
1635  p->payload = response2;
1636  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1639  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1640  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1646  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1647  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1648 
1649  /* response ack */
1650  p->tcph->th_ack = htonl(328);
1651  p->tcph->th_seq = htonl(88);
1652  p->tcph->th_flags = TH_ACK;
1654  p->payload_len = 0;
1655  p->payload = NULL;
1656  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1657  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1659  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1660  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1661  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1666  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1667  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1668 
1669  TEST_END;
1670  PASS;
1671 }
1672 
1673 /**
1674  * \test RUBBISH -> HTTP/1.1
1675  */
1676 static int AppLayerTest05(void)
1677 {
1678  TEST_START;
1679 
1680  /* full request */
1681  uint8_t request[] = {
1682  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1683  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1684  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1685  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1686  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1687  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1688  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1689  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1690  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1691  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1692  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1693  PrintRawDataFp(stdout, request, sizeof(request));
1694  p->tcph->th_ack = htonl(1);
1695  p->tcph->th_seq = htonl(1);
1696  p->tcph->th_flags = TH_PUSH | TH_ACK;
1698  p->payload_len = sizeof(request);
1699  p->payload = request;
1700  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1712 
1713  /* full response - request ack */
1714  uint8_t response[] = {
1715  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1716  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1717  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1718  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1719  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1720  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1721  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1722  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1723  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1724  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1725  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1726  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1727  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1728  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1729  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1730  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1731  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1732  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1733  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1734  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1735  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1736  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1737  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1738  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1739  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1740  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1741  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1742  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1743  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1744  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1745  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1746  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1747  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1748  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1749  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1750  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1751  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1752  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1753  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1754  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1755  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1756  PrintRawDataFp(stdout, response, sizeof(response));
1757  p->tcph->th_ack = htonl(88);
1758  p->tcph->th_seq = htonl(1);
1759  p->tcph->th_flags = TH_PUSH | TH_ACK;
1761  p->payload_len = sizeof(response);
1762  p->payload = response;
1763  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1775 
1776  /* response ack */
1777  p->tcph->th_ack = htonl(328);
1778  p->tcph->th_seq = htonl(88);
1779  p->tcph->th_flags = TH_ACK;
1781  p->payload_len = 0;
1782  p->payload = NULL;
1783  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1795 
1796  TEST_END;
1797  PASS;
1798 }
1799 
1800 /**
1801  * \test HTTP/1.1 -> GET
1802  */
1803 static int AppLayerTest06(void)
1804 {
1805  TEST_START;
1806 
1807  /* full response - request ack */
1808  uint8_t response[] = {
1809  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1810  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1811  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1812  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1813  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1814  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1815  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1816  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1817  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1818  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1819  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1820  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1821  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1822  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1823  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1824  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1825  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1826  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1827  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1828  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1829  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1830  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1831  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1832  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1833  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1834  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1835  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1836  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1837  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1838  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1839  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1840  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1841  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1842  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1843  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1844  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1845  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1846  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1847  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1848  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1849  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1850  p->tcph->th_ack = htonl(1);
1851  p->tcph->th_seq = htonl(1);
1852  p->tcph->th_flags = TH_PUSH | TH_ACK;
1854  p->payload_len = sizeof(response);
1855  p->payload = response;
1856  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1868 
1869  /* full request - response ack*/
1870  uint8_t request[] = {
1871  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1872  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1873  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1874  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1875  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1876  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1877  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1878  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1879  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1880  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1881  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1882  p->tcph->th_ack = htonl(328);
1883  p->tcph->th_seq = htonl(1);
1884  p->tcph->th_flags = TH_PUSH | TH_ACK;
1886  p->payload_len = sizeof(request);
1887  p->payload = request;
1888  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1900 
1901  p->tcph->th_ack = htonl(1 + sizeof(request));
1902  p->tcph->th_seq = htonl(328);
1903  p->tcph->th_flags = TH_PUSH | TH_ACK;
1905  p->payload_len = 0;
1906  p->payload = NULL;
1907  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1919 
1920  TEST_END;
1921  PASS;
1922 }
1923 
1924 /**
1925  * \test GET -> DCERPC
1926  */
1927 static int AppLayerTest07(void)
1928 {
1929  TEST_START;
1930 
1931  /* full request */
1932  uint8_t request[] = {
1933  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1934  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1935  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1936  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1937  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1938  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1939  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1940  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1941  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1942  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1943  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1944  p->tcph->th_ack = htonl(1);
1945  p->tcph->th_seq = htonl(1);
1946  p->tcph->th_flags = TH_PUSH | TH_ACK;
1948  p->payload_len = sizeof(request);
1949  p->payload = request;
1950  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1962 
1963  /* full response - request ack */
1964  uint8_t response[] = {
1965  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1966  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1967  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1968  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1969  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1970  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1971  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1972  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1973  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1974  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1975  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1976  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1977  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1978  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1979  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1980  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1981  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1982  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1983  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1984  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1985  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1986  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1987  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1988  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1989  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1990  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1991  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1992  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1993  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1994  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1995  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1996  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1997  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1998  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1999  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2000  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2001  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2002  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2003  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2004  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2005  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2006  p->tcph->th_ack = htonl(88);
2007  p->tcph->th_seq = htonl(1);
2008  p->tcph->th_flags = TH_PUSH | TH_ACK;
2010  p->payload_len = sizeof(response);
2011  p->payload = response;
2012  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2024 
2025  /* response ack */
2026  p->tcph->th_ack = htonl(328);
2027  p->tcph->th_seq = htonl(88);
2028  p->tcph->th_flags = TH_ACK;
2030  p->payload_len = 0;
2031  p->payload = NULL;
2032  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2044 
2045  TEST_END;
2046  PASS;
2047 }
2048 
2049 /**
2050  * \test SMB -> HTTP/1.1
2051  */
2052 static int AppLayerTest08(void)
2053 {
2054  TEST_START;
2055 
2056  /* full request */
2057  uint8_t request[] = {
2058  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2059  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2060  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2061  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2062  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2063  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2064  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2065  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2066  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2067  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2068  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2069  p->tcph->th_ack = htonl(1);
2070  p->tcph->th_seq = htonl(1);
2071  p->tcph->th_flags = TH_PUSH | TH_ACK;
2073  p->payload_len = sizeof(request);
2074  p->payload = request;
2075  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2087 
2088  /* full response - request ack */
2089  uint8_t response[] = {
2090  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2091  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2092  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2093  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2094  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2095  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2096  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2097  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2098  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2099  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2100  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2101  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2102  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2103  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2104  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2105  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2106  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2107  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2108  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2109  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2110  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2111  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2112  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2113  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2114  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2115  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2116  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2117  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2118  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2119  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2120  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2121  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2122  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2123  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2124  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2125  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2126  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2127  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2128  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2129  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2130  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2131  p->tcph->th_ack = htonl(88);
2132  p->tcph->th_seq = htonl(1);
2133  p->tcph->th_flags = TH_PUSH | TH_ACK;
2135  p->payload_len = sizeof(response);
2136  p->payload = response;
2137  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2149 
2150  /* response ack */
2151  p->tcph->th_ack = htonl(328);
2152  p->tcph->th_seq = htonl(88);
2153  p->tcph->th_flags = TH_ACK;
2155  p->payload_len = 0;
2156  p->payload = NULL;
2157  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2169 
2170  TEST_END;
2171  PASS;
2172 }
2173 
2174 /**
2175  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2176  * RUBBISH(TC - PM and PP DONE) ->
2177  * RUBBISH(TS - PM and PP DONE)
2178  */
2179 static int AppLayerTest09(void)
2180 {
2181  TEST_START;
2182 
2183  /* full request */
2184  uint8_t request1[] = {
2185  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2186  p->tcph->th_ack = htonl(1);
2187  p->tcph->th_seq = htonl(1);
2188  p->tcph->th_flags = TH_PUSH | TH_ACK;
2190  p->payload_len = sizeof(request1);
2191  p->payload = request1;
2192  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2204 
2205  /* response - request ack */
2206  p->tcph->th_ack = htonl(9);
2207  p->tcph->th_seq = htonl(1);
2208  p->tcph->th_flags = TH_PUSH | TH_ACK;
2210  p->payload_len = 0;
2211  p->payload = NULL;
2212  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2224 
2225  /* full request */
2226  uint8_t request2[] = {
2227  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2228  p->tcph->th_ack = htonl(1);
2229  p->tcph->th_seq = htonl(9);
2230  p->tcph->th_flags = TH_PUSH | TH_ACK;
2232  p->payload_len = sizeof(request2);
2233  p->payload = request2;
2234  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2246 
2247  /* full response - request ack */
2248  uint8_t response[] = {
2249  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2250  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2251  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2252  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2253  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2254  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2255  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2256  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2257  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2258  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2259  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2260  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2261  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2262  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2263  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2264  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2265  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2266  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2267  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2268  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2269  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2270  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2271  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2272  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2273  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2274  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2275  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2276  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2277  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2278  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2279  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2280  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2281  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2282  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2283  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2284  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2285  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2286  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2287  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2288  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2289  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2290  p->tcph->th_ack = htonl(18);
2291  p->tcph->th_seq = htonl(1);
2292  p->tcph->th_flags = TH_PUSH | TH_ACK;
2294  p->payload_len = sizeof(response);
2295  p->payload = response;
2296  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2308 
2309  /* response ack */
2310  p->tcph->th_ack = htonl(328);
2311  p->tcph->th_seq = htonl(18);
2312  p->tcph->th_flags = TH_ACK;
2314  p->payload_len = 0;
2315  p->payload = NULL;
2316  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2328 
2329  TEST_END;
2330  PASS;
2331 }
2332 
2333 /**
2334  * \test RUBBISH(TC - PM and PP DONE) ->
2335  * RUBBISH(TS - PM and PP DONE)
2336  */
2337 static int AppLayerTest10(void)
2338 {
2339  TEST_START;
2340 
2341  /* full request */
2342  uint8_t request1[] = {
2343  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2344  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2345  p->tcph->th_ack = htonl(1);
2346  p->tcph->th_seq = htonl(1);
2347  p->tcph->th_flags = TH_PUSH | TH_ACK;
2349  p->payload_len = sizeof(request1);
2350  p->payload = request1;
2351  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2363 
2364  /* response - request ack */
2365  p->tcph->th_ack = htonl(18);
2366  p->tcph->th_seq = htonl(1);
2367  p->tcph->th_flags = TH_PUSH | TH_ACK;
2369  p->payload_len = 0;
2370  p->payload = NULL;
2371  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2383 
2384  /* full response - request ack */
2385  uint8_t response[] = {
2386  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2387  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2388  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2389  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2390  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2391  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2392  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2393  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2394  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2395  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2396  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2397  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2398  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2399  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2400  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2401  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2402  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2403  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2404  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2405  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2406  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2407  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2408  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2409  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2410  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2411  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2412  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2413  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2414  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2415  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2416  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2417  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2418  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2419  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2420  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2421  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2422  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2423  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2424  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2425  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2426  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2427  p->tcph->th_ack = htonl(18);
2428  p->tcph->th_seq = htonl(1);
2429  p->tcph->th_flags = TH_PUSH | TH_ACK;
2431  p->payload_len = sizeof(response);
2432  p->payload = response;
2433  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2445 
2446  /* response ack */
2447  p->tcph->th_ack = htonl(328);
2448  p->tcph->th_seq = htonl(18);
2449  p->tcph->th_flags = TH_ACK;
2451  p->payload_len = 0;
2452  p->payload = NULL;
2453  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2465 
2466  TEST_END;
2467  PASS;
2468 }
2469 
2470 /**
2471  * \test RUBBISH(TC - PM and PP DONE) ->
2472  * RUBBISH(TS - PM and PP NOT DONE) ->
2473  * RUBBISH(TS - PM and PP DONE)
2474  */
2475 static int AppLayerTest11(void)
2476 {
2477  TEST_START;
2478 
2479  /* full request */
2480  uint8_t request1[] = {
2481  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2482  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2483  p->tcph->th_ack = htonl(1);
2484  p->tcph->th_seq = htonl(1);
2485  p->tcph->th_flags = TH_PUSH | TH_ACK;
2487  p->payload_len = sizeof(request1);
2488  p->payload = request1;
2489  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2501 
2502  /* response - request ack */
2503  p->tcph->th_ack = htonl(18);
2504  p->tcph->th_seq = htonl(1);
2505  p->tcph->th_flags = TH_PUSH | TH_ACK;
2507  p->payload_len = 0;
2508  p->payload = NULL;
2509  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2521 
2522  /* full response - request ack */
2523  uint8_t response1[] = {
2524  0x55, 0x74, 0x54, 0x50, };
2525  p->tcph->th_ack = htonl(18);
2526  p->tcph->th_seq = htonl(1);
2527  p->tcph->th_flags = TH_PUSH | TH_ACK;
2529  p->payload_len = sizeof(response1);
2530  p->payload = response1;
2531  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2543 
2544  /* response ack from request */
2545  p->tcph->th_ack = htonl(5);
2546  p->tcph->th_seq = htonl(18);
2547  p->tcph->th_flags = TH_ACK;
2549  p->payload_len = 0;
2550  p->payload = NULL;
2551  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2563 
2564  uint8_t response2[] = {
2565  0x2f, 0x31, 0x2e, 0x31,
2566  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2567  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2568  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2569  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2570  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2571  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2572  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2573  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2574  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2575  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2576  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2577  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2578  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2579  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2580  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2581  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2582  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2583  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2584  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2585  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2586  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2587  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2588  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2589  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2590  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2591  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2592  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2593  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2594  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2595  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2596  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2597  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2598  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2599  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2600  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2601  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2602  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2603  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2604  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2605  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2606  p->tcph->th_ack = htonl(18);
2607  p->tcph->th_seq = htonl(5);
2608  p->tcph->th_flags = TH_PUSH | TH_ACK;
2610  p->payload_len = sizeof(response2);
2611  p->payload = response2;
2612  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2624 
2625  /* response ack from request */
2626  p->tcph->th_ack = htonl(328);
2627  p->tcph->th_seq = htonl(18);
2628  p->tcph->th_flags = TH_ACK;
2630  p->payload_len = 0;
2631  p->payload = NULL;
2632  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2644 
2645  TEST_END;
2646  PASS;
2647 }
2648 
2650 {
2651  SCEnter();
2652 
2653  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2654  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2655  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2656  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2657  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2658  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2659  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2660  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2661  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2662  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2663  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2664 
2665  SCReturn;
2666 }
2667 
2668 #endif /* UNITTESTS */
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:80
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:278
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:202
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:242
TcpStream_
Definition: stream-tcp-private.h:94
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerCounters_
Definition: app-layer.c:79
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:142
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1815
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:141
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:81
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:87
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:570
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:997
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:891
Flow_::proto
uint8_t proto
Definition: flow.h:365
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:73
Packet_::payload
uint8_t * payload
Definition: decode.h:549
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6241
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:449
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:347
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1096
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:187
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:954
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:456
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:169
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:886
AppLayerCounterNames_
Definition: app-layer.c:74
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1477
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5836
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2649
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:801
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:908
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:68
Flow_::protoctx
void * protoctx
Definition: flow.h:441
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:76
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:576
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:787
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
STREAM_START
#define STREAM_START
Definition: stream.h:29
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:836
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1133
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:73
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:269
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:475
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1586
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:821
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1194
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:568
AppLayerParserState_
Definition: app-layer-parser.c:154
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
STREAM_HAS_SEEN_DATA
#define STREAM_HAS_SEEN_DATA(stream)
Definition: stream-tcp-private.h:92
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:270
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:898
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:449
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:848
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4748
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:907
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1919
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TEST_START
#define TEST_START
Definition: app-layer.c:996
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:100
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:218
SCReturn
#define SCReturn
Definition: util-debug.h:302
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:277
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:414
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:716
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:175
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:459
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1203
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:279
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:531
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1845
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:99
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1134
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1456
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:261
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2112
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1999
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2090
str
#define str(s)
Definition: suricata-common.h:273
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:401
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:451
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6247
Flow_::alstate
void * alstate
Definition: flow.h:476
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:870
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:421
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:794
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:112
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:63
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:244
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:188
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1079
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2053
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:85
STREAM_RIGHT_EDGE
#define STREAM_RIGHT_EDGE(stream)
Definition: stream-tcp-private.h:90
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:75
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:212
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1535
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:452
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1621
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:981
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2107
app-layer.h