suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
56 struct AppLayerThreadCtx_ {
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
58  AppLayerProtoDetectThreadCtx *alpd_tctx;
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
60  AppLayerParserThreadCtx *alp_tctx;
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
66  AppProto alproto;
67  uint64_t proto_detect_ticks_start;
68  uint64_t proto_detect_ticks_end;
69  uint64_t proto_detect_ticks_spent;
70 #endif
71 };
72 
73 #define MAX_COUNTER_SIZE 64
74 typedef struct AppLayerCounterNames_ {
75  char name[MAX_COUNTER_SIZE];
76  char tx_name[MAX_COUNTER_SIZE];
77 } AppLayerCounterNames;
78 
79 typedef struct AppLayerCounters_ {
80  uint16_t counter_id;
81  uint16_t counter_tx_id;
82 } AppLayerCounters;
83 
84 /* counter names. Only used at init. */
85 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
86 /* counter id's. Used that runtime. */
87 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
88 
89 void AppLayerSetupCounters(void);
90 void AppLayerDeSetupCounters(void);
91 
92 /***** L7 layer dispatchers *****/
93 
94 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
95  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
96  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
97  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
98 }
99 
100 /**
101  * \note id can be 0 if protocol parser is disabled but detection
102  * is enabled.
103  */
104 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
105 {
106  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
107  if (likely(tv && id > 0)) {
108  StatsIncr(tv, id);
109  }
110 }
111 
112 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
113 {
114  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
115  if (likely(tv && id > 0)) {
116  StatsAddUI64(tv, id, step);
117  }
118 }
119 
120 /* in IDS mode protocol detection is done in reverse order:
121  * when TCP data is ack'd. We want to flag the correct packet,
122  * so in this case we set a flag in the flow so that the first
123  * packet in the correct direction can be tagged.
124  *
125  * For IPS things are much simpler, and we don't use the flow
126  * flag. We just tag the packet directly. */
127 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
128 {
129  if (EngineModeIsIPS()) {
130  if (flags & STREAM_TOSERVER) {
131  if (p->flowflags & FLOW_PKT_TOSERVER) {
132  p->flags |= PKT_PROTO_DETECT_TS_DONE;
133  } else {
134  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
135  }
136  } else {
137  if (p->flowflags & FLOW_PKT_TOCLIENT) {
138  p->flags |= PKT_PROTO_DETECT_TC_DONE;
139  } else {
140  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
141  }
142  }
143  } else {
144  if (flags & STREAM_TOSERVER) {
145  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
146  } else {
147  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
148  }
149  }
150 }
151 
152 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
153 {
154  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
155  f, f->alproto, f->alproto_ts, f->alproto_tc);
156  FlowCleanupAppLayer(f);
157  StreamTcpDisableAppLayer(f);
158  TcpSession *ssn = f->protoctx;
159  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
160  f->alproto = ALPROTO_FAILED;
161  AppLayerIncFlowCounter(tv, f);
162 
163  if (f->alproto_tc != ALPROTO_FAILED) {
164  if (f->alproto_tc == ALPROTO_UNKNOWN) {
165  f->alproto_tc = ALPROTO_FAILED;
166  }
167  FlagPacketFlow(p, f, STREAM_TOCLIENT);
168  }
169  if (f->alproto_ts != ALPROTO_FAILED) {
170  if (f->alproto_ts == ALPROTO_UNKNOWN) {
171  f->alproto_ts = ALPROTO_FAILED;
172  }
173  FlagPacketFlow(p, f, STREAM_TOSERVER);
174  }
175  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
176  f, f->alproto, f->alproto_ts, f->alproto_tc);
177 }
178 
179 /* See if we're going to have to give up:
180  *
181  * If we're getting a lot of data in one direction and the
182  * proto for this direction is unknown, proto detect will
183  * hold up segments in the segment list in the stream.
184  * They are held so that if we detect the protocol on the
185  * opposing stream, we can still parse this side of the stream
186  * as well. However, some sessions are very unbalanced. FTP
187  * data channels, large PUT/POST request and many others, can
188  * lead to cases where we would have to store many megabytes
189  * worth of segments before we see the opposing stream. This
190  * leads to risks of resource starvation.
191  *
192  * Here a cutoff point is enforced. If we've stored 100k in
193  * one direction and we've seen no data in the other direction,
194  * we give up.
195  *
196  * Giving up means we disable applayer an set an applayer event
197  */
198 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
199  Flow *f, TcpSession *ssn, Packet *p)
200 {
201  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
202  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
203  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
204 
205 #ifdef DEBUG_VALIDATION
206  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
207  BUG_ON(size_ts > 1000000UL);
208  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
209  BUG_ON(size_tc > 1000000UL);
210 #endif /* DEBUG_VALIDATION */
211 
212  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
213  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
214  {
215  goto failure;
216 
217  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
218  size_ts > 100000 && size_tc == 0)
219  {
220  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
221  APPLAYER_PROTO_DETECTION_SKIPPED);
222  goto failure;
223 
224  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
225  size_tc > 100000 && size_ts == 0)
226  {
227  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
228  APPLAYER_PROTO_DETECTION_SKIPPED);
229  goto failure;
230 
231  /* little data in ts direction, pp done, pm not done (max
232  * depth not reached), ts direction done, lots of data in
233  * tc direction. */
234  } else if (size_tc > 100000 &&
235  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
236  FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
237  {
238  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
239  APPLAYER_PROTO_DETECTION_SKIPPED);
240  goto failure;
241 
242  /* little data in tc direction, pp done, pm not done (max
243  * depth not reached), tc direction done, lots of data in
244  * ts direction. */
245  } else if (size_ts > 100000 &&
246  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
247  FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
248  {
249  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
250  APPLAYER_PROTO_DETECTION_SKIPPED);
251  goto failure;
252 
253  /* in case of really low TS data (e.g. 4 bytes) we can have
254  * the PP complete, PM not complete (depth not reached) and
255  * the TC side also not recognized (proto unknown) */
256  } else if (size_tc > 100000 &&
257  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
258  (!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
259  {
260  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
261  APPLAYER_PROTO_DETECTION_SKIPPED);
262  goto failure;
263  }
264  return;
265 
266 failure:
267  DisableAppLayer(tv, f, p);
268  return;
269 }
270 
271 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
272  TcpReassemblyThreadCtx *ra_ctx,
273  Packet *p, TcpSession *ssn, TcpStream *stream)
274 {
275  TcpStream *opposing_stream = NULL;
276  if (stream == &ssn->client) {
277  opposing_stream = &ssn->server;
278  } else {
279  opposing_stream = &ssn->client;
280  }
281 
282  /* if the opposing side is not going to work, then
283  * we just have to give up. */
284  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
285  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
286  return -1;
287  }
288 
289  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
290  UPDATE_DIR_OPPOSING :
291  UPDATE_DIR_PACKET;
292  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
293  opposing_stream, p, dir);
294  return ret;
295 }
296 
297 /** \todo data const
298  * \retval int -1 error
299  * \retval int 0 ok
300  */
301 static int TCPProtoDetect(ThreadVars *tv,
302  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
303  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
304  uint8_t *data, uint32_t data_len, uint8_t flags)
305 {
306  AppProto *alproto;
307  AppProto *alproto_otherdir;
308  int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
309 
310  if (flags & STREAM_TOSERVER) {
311  alproto = &f->alproto_ts;
312  alproto_otherdir = &f->alproto_tc;
313  } else {
314  alproto = &f->alproto_tc;
315  alproto_otherdir = &f->alproto_ts;
316  }
317 
318  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
319 #ifdef PRINT
320  if (data_len > 0) {
321  printf("=> Init Stream Data (app layer) -- start %s%s\n",
322  flags & STREAM_TOCLIENT ? "toclient" : "",
323  flags & STREAM_TOSERVER ? "toserver" : "");
324  PrintRawDataFp(stdout, data, data_len);
325  printf("=> Init Stream Data -- end\n");
326  }
327 #endif
328 
329  bool reverse_flow = false;
330  PACKET_PROFILING_APP_PD_START(app_tctx);
331  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
332  f, data, data_len,
333  IPPROTO_TCP, flags, &reverse_flow);
334  PACKET_PROFILING_APP_PD_END(app_tctx);
335  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
336 
337  if (*alproto != ALPROTO_UNKNOWN) {
338  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
339  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
340  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
341 
342  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
343  /* if we already invoked the parser, we go with that proto */
344  f->alproto = *alproto_otherdir;
345  } else {
346  /* no data sent to parser yet, we can still choose
347  * we're trusting the server more. */
348  if (flags & STREAM_TOCLIENT)
349  f->alproto = *alproto;
350  else
351  f->alproto = *alproto_otherdir;
352  }
353  } else {
354  f->alproto = *alproto;
355  }
356 
357  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
358  TcpSessionSetReassemblyDepth(ssn,
359  AppLayerParserGetStreamDepth(f));
360  FlagPacketFlow(p, f, flags);
361  /* if protocol detection indicated that we need to reverse
362  * the direction of the flow, do it now. We flip the flow,
363  * packet and the direction flags */
364  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
365  SCLogDebug("reversing flow after proto detect told us so");
366  PacketSwap(p);
367  FlowSwap(f);
368  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
369  if (*stream == &ssn->client) {
370  *stream = &ssn->server;
371  } else {
372  *stream = &ssn->client;
373  }
374  direction = 1 - direction;
375  }
376 
377  /* account flow if we have both sides */
378  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
379  AppLayerIncFlowCounter(tv, f);
380  }
381 
382  /* if we have seen data from the other direction first, send
383  * data for that direction first to the parser. This shouldn't
384  * be an issue, since each stream processing happens
385  * independently of the other stream direction. At this point of
386  * call, you need to know that this function's already being
387  * called by the very same StreamReassembly() function that we
388  * will now call shortly for the opposing direction. */
389  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
390  !(flags & ssn->data_first_seen_dir))
391  {
392  SCLogDebug("protocol %s needs first data in other direction",
393  AppProtoToString(*alproto));
394 
395  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
396  p, ssn, *stream) != 0)
397  {
398  DisableAppLayer(tv, f, p);
399  SCReturnInt(-1);
400  }
401  }
402 
403  /* if the parser operates such that it needs to see data from
404  * a particular direction first, we check if we have seen
405  * data from that direction first for the flow. IF it is not
406  * the same, we set an event and exit.
407  *
408  * \todo We need to figure out a more robust solution for this,
409  * as this can lead to easy evasion tactics, where the
410  * attackeer can first send some dummy data in the wrong
411  * direction first to mislead our proto detection process.
412  * While doing this we need to update the parsers as well,
413  * since the parsers must be robust to see such wrong
414  * direction data.
415  * Either ways the moment we see the
416  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
417  * flow, it shows something's fishy.
418  */
419  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
420  uint8_t first_data_dir;
421  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
422 
423  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
424  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
425  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
426  DisableAppLayer(tv, f, p);
427  SCReturnInt(-1);
428  }
429  /* This can happen if the current direction is not the
430  * right direction, and the data from the other(also
431  * the right direction) direction is available to be sent
432  * to the app layer, but it is not ack'ed yet and hence
433  * the forced call to STreamTcpAppLayerReassemble still
434  * hasn't managed to send data from the other direction
435  * to the app layer. */
436  if (first_data_dir && !(first_data_dir & flags)) {
437  FlowCleanupAppLayer(f);
438  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
439  FLOW_RESET_PP_DONE(f, flags);
440  FLOW_RESET_PM_DONE(f, flags);
441  FLOW_RESET_PE_DONE(f, flags);
442  SCReturnInt(-1);
443  }
444  }
445 
446  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
447  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
448 
449  /* finally, invoke the parser */
450  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
451  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
452  flags, data, data_len);
453  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
454  if (r < 0) {
455  SCReturnInt(-1);
456  } else if (r == 0) {
457  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
458  }
459  } else {
460  /* if the ssn is midstream, we may end up with a case where the
461  * start of an HTTP request is missing. We won't detect HTTP based
462  * on the request. However, the reply is fine, so we detect
463  * HTTP anyway. This leads to passing the incomplete request to
464  * the htp parser.
465  *
466  * This has been observed, where the http parser then saw many
467  * bogus requests in the incomplete data.
468  *
469  * To counter this case, a midstream session MUST find it's
470  * protocol in the toserver direction. If not, we assume the
471  * start of the request/toserver is incomplete and no reliable
472  * detection and parsing is possible. So we give up.
473  */
474  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
475  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
476  {
477  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
478  SCLogDebug("midstream end pd %p", ssn);
479  /* midstream and toserver detection failed: give up */
480  DisableAppLayer(tv, f, p);
481  SCReturnInt(0);
482  }
483  }
484 
485  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
486  uint8_t first_data_dir;
487  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
488 
489  /* this would handle this test case -
490  * http parser which says it wants to see toserver data first only.
491  * tcp handshake
492  * toclient data first received. - RUBBISH DATA which
493  * we don't detect as http
494  * toserver data next sent - we detect this as http.
495  * at this stage we see that toclient is the first data seen
496  * for this session and we try and redetect the app protocol,
497  * but we are unable to detect the app protocol like before.
498  * But since we have managed to detect the protocol for the
499  * other direction as http, we try to use that. At this
500  * stage we check if the direction of this stream matches
501  * to that acceptable by the app parser. If it is not the
502  * acceptable direction we error out.
503  */
504  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
505  (first_data_dir) && !(first_data_dir & flags))
506  {
507  DisableAppLayer(tv, f, p);
508  SCReturnInt(-1);
509  }
510 
511  /* if protocol detection is marked done for our direction we
512  * pass our data on. We're only succeeded in finding one
513  * direction: the opposing stream
514  *
515  * If PD was not yet complete, we don't do anything.
516  */
517  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
518  if (data_len > 0)
519  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
520 
521  if (*alproto_otherdir != ALPROTO_FAILED) {
522  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
523  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
524  f->alproto, flags,
525  data, data_len);
526  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
527  if (r == 0) {
528  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
529  }
530 
531  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
532  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
533  TcpSessionSetReassemblyDepth(ssn,
534  AppLayerParserGetStreamDepth(f));
535 
536  *alproto = *alproto_otherdir;
537  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
538  p->pcap_cnt, *alproto, *alproto_otherdir, r);
539  if (r < 0) {
540  SCReturnInt(-1);
541  }
542  }
543  *alproto = ALPROTO_FAILED;
544  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
545  AppLayerIncFlowCounter(tv, f);
546  FlagPacketFlow(p, f, flags);
547 
548  }
549  } else {
550  /* both sides unknown, let's see if we need to give up */
551  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
552  }
553  }
554  SCReturnInt(0);
555 }
556 
557 /** \brief handle TCP data for the app-layer.
558  *
559  * First run protocol detection and then when the protocol is known invoke
560  * the app layer parser.
561  *
562  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
563  * reversed.
564  */
565 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
566  Packet *p, Flow *f,
567  TcpSession *ssn, TcpStream **stream,
568  uint8_t *data, uint32_t data_len,
569  uint8_t flags)
570 {
571  SCEnter();
572 
573  DEBUG_ASSERT_FLOW_LOCKED(f);
574  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
575 
576  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
577  AppProto alproto;
578  int r = 0;
579 
580  SCLogDebug("data_len %u flags %02X", data_len, flags);
581  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
582  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
583  goto end;
584  }
585 
586  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
587 
588  if (flags & STREAM_TOSERVER) {
589  alproto = f->alproto_ts;
590  } else {
591  alproto = f->alproto_tc;
592  }
593 
594  /* If a gap notification, relay the notification on to the
595  * app-layer if known. */
596  if (flags & STREAM_GAP) {
597  if (alproto == ALPROTO_UNKNOWN) {
598  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
599  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
600  /* if the other side didn't already find the proto, we're done */
601  if (f->alproto == ALPROTO_UNKNOWN) {
602  goto failure;
603  }
604  }
605  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
606  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
607  flags, data, data_len);
608  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
609  /* ignore parser result for gap */
610  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
611  goto end;
612  }
613 
614  /* if we don't know the proto yet and we have received a stream
615  * initializer message, we run proto detection.
616  * We receive 2 stream init msgs (one for each direction) but we
617  * only run the proto detection once. */
618  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
619  /* run protocol detection */
620  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
621  data, data_len, flags) != 0) {
622  goto failure;
623  }
624  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
625  f->alproto_orig = f->alproto;
626  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
627  AppLayerProtoDetectReset(f);
628  /* rerun protocol detection */
629  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
630  data, data_len, flags) != 0) {
631  SCLogDebug("proto detect failure");
632  goto failure;
633  }
634  SCLogDebug("protocol change, old %s, new %s",
635  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
636 
637  if (f->alproto_expect != ALPROTO_UNKNOWN &&
638  f->alproto != f->alproto_expect)
639  {
640  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
641  APPLAYER_UNEXPECTED_PROTOCOL);
642 
643  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
644  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
645  APPLAYER_NO_TLS_AFTER_STARTTLS);
646 
647  }
648  }
649  } else {
650  SCLogDebug("stream data (len %" PRIu32 " alproto "
651  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
652 #ifdef PRINT
653  if (data_len > 0) {
654  printf("=> Stream Data (app layer) -- start %s%s\n",
655  flags & STREAM_TOCLIENT ? "toclient" : "",
656  flags & STREAM_TOSERVER ? "toserver" : "");
657  PrintRawDataFp(stdout, data, data_len);
658  printf("=> Stream Data -- end\n");
659  }
660 #endif
661  /* if we don't have a data object here we are not getting it
662  * a start msg should have gotten us one */
663  if (f->alproto != ALPROTO_UNKNOWN) {
664  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
665  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
666  flags, data, data_len);
667  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
668  if (r == 0) {
669  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
670  }
671  }
672  }
673 
674  goto end;
675  failure:
676  r = -1;
677  end:
678  SCReturnInt(r);
679 }
680 
681 /**
682  * \brief Handle a app layer UDP message
683  *
684  * If the protocol is yet unknown, the proto detection code is run first.
685  *
686  * \param dp_ctx Thread app layer detect context
687  * \param f *locked* flow
688  * \param p UDP packet
689  *
690  * \retval 0 ok
691  * \retval -1 error
692  */
693 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
694 {
695  SCEnter();
696 
697  if (f->alproto == ALPROTO_FAILED) {
698  SCReturnInt(0);
699  }
700 
701  int r = 0;
702  uint8_t flags = 0;
703  if (p->flowflags & FLOW_PKT_TOSERVER) {
704  flags |= STREAM_TOSERVER;
705  } else {
706  flags |= STREAM_TOCLIENT;
707  }
708 
709  AppLayerProfilingReset(tctx);
710 
711  /* if the protocol is still unknown, run detection */
712  if (f->alproto == ALPROTO_UNKNOWN) {
713  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
714  p->payload_len);
715 
716  bool reverse_flow = false;
717  PACKET_PROFILING_APP_PD_START(tctx);
718  f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
719  f, p->payload, p->payload_len,
720  IPPROTO_UDP, flags, &reverse_flow);
721  PACKET_PROFILING_APP_PD_END(tctx);
722 
723  if (f->alproto != ALPROTO_UNKNOWN) {
724  AppLayerIncFlowCounter(tv, f);
725 
726  if (reverse_flow) {
727  SCLogDebug("reversing flow after proto detect told us so");
728  PacketSwap(p);
729  FlowSwap(f);
730  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
731  }
732 
733  PACKET_PROFILING_APP_START(tctx, f->alproto);
734  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
735  flags, p->payload, p->payload_len);
736  PACKET_PROFILING_APP_END(tctx, f->alproto);
737  } else {
738  f->alproto = ALPROTO_FAILED;
739  AppLayerIncFlowCounter(tv, f);
740  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
741  }
742  PACKET_PROFILING_APP_STORE(tctx, p);
743  /* we do only inspection in one direction, so flag both
744  * sides as done here */
745  FlagPacketFlow(p, f, STREAM_TOSERVER);
746  FlagPacketFlow(p, f, STREAM_TOCLIENT);
747  } else {
748  SCLogDebug("data (len %" PRIu32 " ), alproto "
749  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
750 
751  /* run the parser */
752  PACKET_PROFILING_APP_START(tctx, f->alproto);
753  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
754  flags, p->payload, p->payload_len);
755  PACKET_PROFILING_APP_END(tctx, f->alproto);
756  PACKET_PROFILING_APP_STORE(tctx, p);
757  }
758 
759  SCReturnInt(r);
760 }
761 
762 /***** Utility *****/
763 
764 AppProto AppLayerGetProtoByName(char *alproto_name)
765 {
766  SCEnter();
767  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
768  SCReturnCT(r, "AppProto");
769 }
770 
771 const char *AppLayerGetProtoName(AppProto alproto)
772 {
773  SCEnter();
774  const char * r = AppLayerProtoDetectGetProtoName(alproto);
775  SCReturnCT(r, "char *");
776 }
777 
778 void AppLayerListSupportedProtocols(void)
779 {
780  SCEnter();
781 
782  AppProto alproto;
783  AppProto alprotos[ALPROTO_MAX];
784 
785  AppLayerProtoDetectSupportedAppProtocols(alprotos);
786 
787  printf("=========Supported App Layer Protocols=========\n");
788  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
789  if (alprotos[alproto] == 1)
790  printf("%s\n", AppLayerGetProtoName(alproto));
791  }
792 
793  SCReturn;
794 }
795 
796 /***** Setup/General Registration *****/
797 
798 int AppLayerSetup(void)
799 {
800  SCEnter();
801 
802  AppLayerProtoDetectSetup();
803  AppLayerParserSetup();
804 
805  AppLayerParserRegisterProtocolParsers();
806  AppLayerProtoDetectPrepareState();
807 
808  AppLayerSetupCounters();
809 
810  SCReturnInt(0);
811 }
812 
813 int AppLayerDeSetup(void)
814 {
815  SCEnter();
816 
817  AppLayerProtoDetectDeSetup();
818  AppLayerParserDeSetup();
819 
820  AppLayerDeSetupCounters();
821 
822  SCReturnInt(0);
823 }
824 
825 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
826 {
827  SCEnter();
828 
829  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
830  if (app_tctx == NULL)
831  goto error;
832  memset(app_tctx, 0, sizeof(*app_tctx));
833 
834  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
835  goto error;
836  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
837  goto error;
838 
839  goto done;
840  error:
841  AppLayerDestroyCtxThread(app_tctx);
842  app_tctx = NULL;
843  done:
844  SCReturnPtr(app_tctx, "void *");
845 }
846 
847 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
848 {
849  SCEnter();
850 
851  if (app_tctx == NULL)
852  SCReturn;
853 
854  if (app_tctx->alpd_tctx != NULL)
855  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
856  if (app_tctx->alp_tctx != NULL)
857  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
858  SCFree(app_tctx);
859 
860  SCReturn;
861 }
862 
863 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
864 {
865  PACKET_PROFILING_APP_RESET(app_tctx);
866 }
867 
868 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
869 {
870  PACKET_PROFILING_APP_STORE(app_tctx, p);
871 }
872 
873 /** \brief HACK to work around our broken unix manager (re)init loop
874  */
875 void AppLayerRegisterGlobalCounters(void)
876 {
877  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
878  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
879  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
880  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
881  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
882 }
883 
884 #define IPPROTOS_MAX 2
885 void AppLayerSetupCounters()
886 {
887  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
888  uint8_t ipproto;
889  AppProto alproto;
890  AppProto alprotos[ALPROTO_MAX];
891  const char *str = "app_layer.flow.";
892 
893  AppLayerProtoDetectSupportedAppProtocols(alprotos);
894 
895  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
896  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
897  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
898  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
899 
900  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
901  if (alprotos[alproto] == 1) {
902  const char *tx_str = "app_layer.tx.";
903  const char *alproto_str = AppLayerGetProtoName(alproto);
904 
905  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
906  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
907  {
908  snprintf(applayer_counter_names[ipproto_map][alproto].name,
909  sizeof(applayer_counter_names[ipproto_map][alproto].name),
910  "%s%s%s", str, alproto_str, ipproto_suffix);
911  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
912  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
913  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
914  } else {
915  snprintf(applayer_counter_names[ipproto_map][alproto].name,
916  sizeof(applayer_counter_names[ipproto_map][alproto].name),
917  "%s%s", str, alproto_str);
918  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
919  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
920  "%s%s", tx_str, alproto_str);
921  }
922  } else if (alproto == ALPROTO_FAILED) {
923  snprintf(applayer_counter_names[ipproto_map][alproto].name,
924  sizeof(applayer_counter_names[ipproto_map][alproto].name),
925  "%s%s%s", str, "failed", ipproto_suffix);
926  }
927  }
928  }
929 }
930 
931 void AppLayerRegisterThreadCounters(ThreadVars *tv)
932 {
933  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
934  uint8_t ipproto;
935  AppProto alproto;
936  AppProto alprotos[ALPROTO_MAX];
937 
938  AppLayerProtoDetectSupportedAppProtocols(alprotos);
939 
940  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
941  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
942 
943  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
944  if (alprotos[alproto] == 1) {
945  applayer_counters[ipproto_map][alproto].counter_id =
946  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
947 
948  applayer_counters[ipproto_map][alproto].counter_tx_id =
949  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
950  } else if (alproto == ALPROTO_FAILED) {
951  applayer_counters[ipproto_map][alproto].counter_id =
952  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
953  }
954  }
955  }
956 }
957 
958 void AppLayerDeSetupCounters()
959 {
960  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
961  memset(applayer_counters, 0, sizeof(applayer_counters));
962 }
963 
964 /***** Unittests *****/
965 
966 #ifdef UNITTESTS
967 #include "pkt-var.h"
968 #include "stream-tcp.h"
969 #include "stream-tcp-util.h"
970 #include "stream.h"
971 #include "util-unittest.h"
972 
973 #define TEST_START \
974  Packet *p = SCMalloc(SIZE_OF_PACKET);\
975  FAIL_IF_NULL(p);\
976  Flow f;\
977  ThreadVars tv;\
978  StreamTcpThread *stt = NULL;\
979  TCPHdr tcph;\
980  PacketQueueNoLock pq;\
981  memset(&pq,0,sizeof(PacketQueueNoLock));\
982  memset(p, 0, SIZE_OF_PACKET);\
983  memset (&f, 0, sizeof(Flow));\
984  memset(&tv, 0, sizeof (ThreadVars));\
985  memset(&tcph, 0, sizeof (TCPHdr));\
986 \
987  FLOW_INITIALIZE(&f);\
988  f.flags = FLOW_IPV4;\
989  f.proto = IPPROTO_TCP;\
990  p->flow = &f;\
991  p->tcph = &tcph;\
992 \
993  StreamTcpInitConfig(TRUE);\
994  IPPairInitConfig(TRUE); \
995  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
996 \
997  /* handshake */\
998  tcph.th_win = htons(5480);\
999  tcph.th_flags = TH_SYN;\
1000  p->flowflags = FLOW_PKT_TOSERVER;\
1001  p->payload_len = 0;\
1002  p->payload = NULL;\
1003  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1004  TcpSession *ssn = (TcpSession *)f.protoctx;\
1005 \
1006  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1007  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1008  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1009  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1010  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1011  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1012  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1013  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1014  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1015  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1016  FAIL_IF(ssn->data_first_seen_dir != 0);\
1017 \
1018  /* handshake */\
1019  p->tcph->th_ack = htonl(1);\
1020  p->tcph->th_flags = TH_SYN | TH_ACK;\
1021  p->flowflags = FLOW_PKT_TOCLIENT;\
1022  p->payload_len = 0;\
1023  p->payload = NULL;\
1024  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1025  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1026  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1027  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1028  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1029  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1030  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1031  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1032  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1033  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1034  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1035  FAIL_IF(ssn->data_first_seen_dir != 0);\
1036 \
1037  /* handshake */\
1038  p->tcph->th_ack = htonl(1);\
1039  p->tcph->th_seq = htonl(1);\
1040  p->tcph->th_flags = TH_ACK;\
1041  p->flowflags = FLOW_PKT_TOSERVER;\
1042  p->payload_len = 0;\
1043  p->payload = NULL;\
1044  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1045  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1046  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1047  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1048  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1049  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1050  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1051  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1052  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1053  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1054  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1055  FAIL_IF(ssn->data_first_seen_dir != 0);
1056 #define TEST_END \
1057  StreamTcpSessionClear(p->flow->protoctx);\
1058  StreamTcpThreadDeinit(&tv, (void *)stt); \
1059  StreamTcpFreeConfig(TRUE);\
1060  PACKET_DESTRUCTOR(p);\
1061  SCFree(p);\
1062  FLOW_DESTROY(&f); \
1063  StatsThreadCleanup(&tv);
1064 
1065 /**
1066  * \test GET -> HTTP/1.1
1067  */
1068 static int AppLayerTest01(void)
1069 {
1070  TEST_START;
1071 
1072  /* full request */
1073  uint8_t request[] = {
1074  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1075  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1076  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1077  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1078  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1079  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1080  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1081  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1082  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1083  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1084  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1085  p->tcph->th_ack = htonl(1);
1086  p->tcph->th_seq = htonl(1);
1087  p->tcph->th_flags = TH_PUSH | TH_ACK;
1088  p->flowflags = FLOW_PKT_TOSERVER;
1089  p->payload_len = sizeof(request);
1090  p->payload = request;
1091  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1092  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1093  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1094  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1095  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1096  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1097  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1098  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1099  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1100  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1101  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1102  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1103 
1104  /* full response - request ack */
1105  uint8_t response[] = {
1106  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1107  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1108  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1109  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1110  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1111  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1112  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1113  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1114  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1115  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1116  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1117  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1118  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1119  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1120  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1121  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1122  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1123  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1124  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1125  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1126  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1127  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1128  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1129  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1130  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1131  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1132  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1133  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1134  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1135  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1136  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1137  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1138  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1139  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1140  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1141  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1142  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1143  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1144  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1145  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1146  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1147  p->tcph->th_ack = htonl(88);
1148  p->tcph->th_seq = htonl(1);
1149  p->tcph->th_flags = TH_PUSH | TH_ACK;
1150  p->flowflags = FLOW_PKT_TOCLIENT;
1151  p->payload_len = sizeof(response);
1152  p->payload = response;
1153  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1154  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1155  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1156  FAIL_IF(f.alproto != ALPROTO_HTTP);
1157  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1158  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1159  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1160  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1161  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1162  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1163  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1164  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1165 
1166  /* response ack */
1167  p->tcph->th_ack = htonl(328);
1168  p->tcph->th_seq = htonl(88);
1169  p->tcph->th_flags = TH_ACK;
1170  p->flowflags = FLOW_PKT_TOSERVER;
1171  p->payload_len = 0;
1172  p->payload = NULL;
1173  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1174  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1175  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1176  FAIL_IF(f.alproto != ALPROTO_HTTP);
1177  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1178  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1179  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1180  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1181  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1182  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1183  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1184  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1185 
1186  TEST_END;
1187  PASS;
1188 }
1189 
1190 /**
1191  * \test GE -> T -> HTTP/1.1
1192  */
1193 static int AppLayerTest02(void)
1194 {
1195  TEST_START;
1196 
1197  /* partial request */
1198  uint8_t request1[] = { 0x47, 0x45, };
1199  p->tcph->th_ack = htonl(1);
1200  p->tcph->th_seq = htonl(1);
1201  p->tcph->th_flags = TH_PUSH | TH_ACK;
1202  p->flowflags = FLOW_PKT_TOSERVER;
1203  p->payload_len = sizeof(request1);
1204  p->payload = request1;
1205  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1206  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1207  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1208  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1209  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1210  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1211  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1212  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1213  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1214  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1215  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1216  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1217 
1218  /* response ack against partial request */
1219  p->tcph->th_ack = htonl(3);
1220  p->tcph->th_seq = htonl(1);
1221  p->tcph->th_flags = TH_ACK;
1222  p->flowflags = FLOW_PKT_TOCLIENT;
1223  p->payload_len = 0;
1224  p->payload = NULL;
1225  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1226  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1227  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1228  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1229  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1230  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1231  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1232  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1233  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1234  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1235  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1236  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1237 
1238  /* complete partial request */
1239  uint8_t request2[] = {
1240  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1241  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1242  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1243  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1244  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1245  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1246  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1247  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1248  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1249  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1250  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1251  p->tcph->th_ack = htonl(1);
1252  p->tcph->th_seq = htonl(3);
1253  p->tcph->th_flags = TH_PUSH | TH_ACK;
1254  p->flowflags = FLOW_PKT_TOSERVER;
1255  p->payload_len = sizeof(request2);
1256  p->payload = request2;
1257  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1258  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1259  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1260  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1261  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1262  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1263  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1264  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1265  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1266  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1267  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1268  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1269 
1270  /* response - request ack */
1271  uint8_t response[] = {
1272  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1273  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1274  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1275  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1276  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1277  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1278  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1279  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1280  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1281  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1282  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1283  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1284  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1285  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1286  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1287  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1288  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1289  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1290  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1291  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1292  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1293  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1294  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1295  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1296  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1297  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1298  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1299  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1300  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1301  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1302  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1303  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1304  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1305  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1306  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1307  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1308  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1309  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1310  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1311  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1312  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1313  p->tcph->th_ack = htonl(88);
1314  p->tcph->th_seq = htonl(1);
1315  p->tcph->th_flags = TH_PUSH | TH_ACK;
1316  p->flowflags = FLOW_PKT_TOCLIENT;
1317  p->payload_len = sizeof(response);
1318  p->payload = response;
1319  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1320  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1321  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1322  FAIL_IF(f.alproto != ALPROTO_HTTP);
1323  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1324  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1325  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1326  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1327  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1328  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1329  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1330  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1331 
1332  /* response ack */
1333  p->tcph->th_ack = htonl(328);
1334  p->tcph->th_seq = htonl(88);
1335  p->tcph->th_flags = TH_ACK;
1336  p->flowflags = FLOW_PKT_TOSERVER;
1337  p->payload_len = 0;
1338  p->payload = NULL;
1339  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1340  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1341  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1342  FAIL_IF(f.alproto != ALPROTO_HTTP);
1343  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1344  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1345  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1346  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1347  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1348  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1349  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1350  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1351 
1352  TEST_END;
1353  PASS;
1354 }
1355 
1356 /**
1357  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1358  */
1359 static int AppLayerTest03(void)
1360 {
1361  TEST_START;
1362 
1363  /* request */
1364  uint8_t request[] = {
1365  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1366  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1367  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1368  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1369  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1370  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1371  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1372  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1373  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1374  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1375  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1376  p->tcph->th_ack = htonl(1);
1377  p->tcph->th_seq = htonl(1);
1378  p->tcph->th_flags = TH_PUSH | TH_ACK;
1379  p->flowflags = FLOW_PKT_TOSERVER;
1380  p->payload_len = sizeof(request);
1381  p->payload = request;
1382  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1383  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1384  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1385  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1386  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1387  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1388  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1389  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1390  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1391  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1392  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1393  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1394 
1395  /* rubbish response */
1396  uint8_t response[] = {
1397  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1398  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1399  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1400  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1401  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1402  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1403  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1404  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1405  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1406  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1407  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1408  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1409  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1410  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1411  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1412  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1413  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1414  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1415  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1416  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1417  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1418  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1419  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1420  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1421  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1422  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1423  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1424  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1425  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1426  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1427  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1428  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1429  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1430  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1431  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1432  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1433  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1434  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1435  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1436  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1437  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1438  p->tcph->th_ack = htonl(88);
1439  p->tcph->th_seq = htonl(1);
1440  p->tcph->th_flags = TH_PUSH | TH_ACK;
1441  p->flowflags = FLOW_PKT_TOCLIENT;
1442  p->payload_len = sizeof(response);
1443  p->payload = response;
1444  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1445  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1446  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1447  FAIL_IF(f.alproto != ALPROTO_HTTP);
1448  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1449  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1450  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1451  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1452  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1453  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1454  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1455  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1456 
1457  /* response ack */
1458  p->tcph->th_ack = htonl(328);
1459  p->tcph->th_seq = htonl(88);
1460  p->tcph->th_flags = TH_ACK;
1461  p->flowflags = FLOW_PKT_TOSERVER;
1462  p->payload_len = 0;
1463  p->payload = NULL;
1464  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1465  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1466  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1467  FAIL_IF(f.alproto != ALPROTO_HTTP);
1468  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1469  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1470  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1471  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1472  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1473  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1474  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1475  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1476 
1477  TEST_END;
1478  PASS;
1479 }
1480 
1481 /**
1482  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1483  */
1484 static int AppLayerTest04(void)
1485 {
1486  TEST_START;
1487 
1488  /* request */
1489  uint8_t request[] = {
1490  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1491  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1492  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1493  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1494  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1495  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1496  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1497  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1498  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1499  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1500  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1501  PrintRawDataFp(stdout, request, sizeof(request));
1502  p->tcph->th_ack = htonl(1);
1503  p->tcph->th_seq = htonl(1);
1504  p->tcph->th_flags = TH_PUSH | TH_ACK;
1505  p->flowflags = FLOW_PKT_TOSERVER;
1506  p->payload_len = sizeof(request);
1507  p->payload = request;
1508  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1509  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1510  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1511  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1512  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1513  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1514  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1515  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1516  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1517  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1518  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1519  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1520 
1521  /* partial response */
1522  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1523  PrintRawDataFp(stdout, response1, sizeof(response1));
1524  p->tcph->th_ack = htonl(88);
1525  p->tcph->th_seq = htonl(1);
1526  p->tcph->th_flags = TH_PUSH | TH_ACK;
1527  p->flowflags = FLOW_PKT_TOCLIENT;
1528  p->payload_len = sizeof(response1);
1529  p->payload = response1;
1530  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1531  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1532  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1533  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1534  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1535  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1536  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1537  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1538  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1539  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1540  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1541  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1542 
1543  /* partial response ack */
1544  p->tcph->th_ack = htonl(5);
1545  p->tcph->th_seq = htonl(88);
1546  p->tcph->th_flags = TH_ACK;
1547  p->flowflags = FLOW_PKT_TOSERVER;
1548  p->payload_len = 0;
1549  p->payload = NULL;
1550  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1551  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1552  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1553  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1554  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1555  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1556  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1557  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1558  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1559  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1560  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1561  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1562 
1563  /* remaining response */
1564  uint8_t response2[] = {
1565  0x2f, 0x31, 0x2e, 0x31,
1566  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1567  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1568  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1569  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1570  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1571  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1572  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1573  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1574  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1575  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1576  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1577  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1578  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1579  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1580  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1581  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1582  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1583  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1584  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1585  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1586  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1587  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1588  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1589  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1590  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1591  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1592  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1593  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1594  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1595  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1596  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1597  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1598  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1599  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1600  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1601  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1602  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1603  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1604  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1605  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1606  PrintRawDataFp(stdout, response2, sizeof(response2));
1607  p->tcph->th_ack = htonl(88);
1608  p->tcph->th_seq = htonl(5);
1609  p->tcph->th_flags = TH_PUSH | TH_ACK;
1610  p->flowflags = FLOW_PKT_TOCLIENT;
1611  p->payload_len = sizeof(response2);
1612  p->payload = response2;
1613  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1614  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1615  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1616  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1617  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1618  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1619  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1620  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1621  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1622  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1623  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1624  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1625 
1626  /* response ack */
1627  p->tcph->th_ack = htonl(328);
1628  p->tcph->th_seq = htonl(88);
1629  p->tcph->th_flags = TH_ACK;
1630  p->flowflags = FLOW_PKT_TOSERVER;
1631  p->payload_len = 0;
1632  p->payload = NULL;
1633  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1634  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1635  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1636  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1637  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1638  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1639  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1640  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1641  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1642  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1643  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1644  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1645 
1646  TEST_END;
1647  PASS;
1648 }
1649 
1650 /**
1651  * \test RUBBISH -> HTTP/1.1
1652  */
1653 static int AppLayerTest05(void)
1654 {
1655  TEST_START;
1656 
1657  /* full request */
1658  uint8_t request[] = {
1659  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1660  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1661  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1662  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1663  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1664  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1665  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1666  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1667  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1668  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1669  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1670  PrintRawDataFp(stdout, request, sizeof(request));
1671  p->tcph->th_ack = htonl(1);
1672  p->tcph->th_seq = htonl(1);
1673  p->tcph->th_flags = TH_PUSH | TH_ACK;
1674  p->flowflags = FLOW_PKT_TOSERVER;
1675  p->payload_len = sizeof(request);
1676  p->payload = request;
1677  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1678  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1679  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1680  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1681  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1682  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1683  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1684  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1685  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1686  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1687  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1688  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1689 
1690  /* full response - request ack */
1691  uint8_t response[] = {
1692  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1693  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1694  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1695  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1696  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1697  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1698  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1699  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1700  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1701  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1702  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1703  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1704  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1705  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1706  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1707  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1708  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1709  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1710  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1711  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1712  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1713  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1714  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1715  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1716  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1717  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1718  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1719  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1720  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1721  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1722  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1723  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1724  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1725  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1726  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1727  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1728  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1729  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1730  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1731  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1732  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1733  PrintRawDataFp(stdout, response, sizeof(response));
1734  p->tcph->th_ack = htonl(88);
1735  p->tcph->th_seq = htonl(1);
1736  p->tcph->th_flags = TH_PUSH | TH_ACK;
1737  p->flowflags = FLOW_PKT_TOCLIENT;
1738  p->payload_len = sizeof(response);
1739  p->payload = response;
1740  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1741  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1742  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1743  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1744  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1745  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1746  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1747  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1748  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1749  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1750  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1751  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1752 
1753  /* response ack */
1754  p->tcph->th_ack = htonl(328);
1755  p->tcph->th_seq = htonl(88);
1756  p->tcph->th_flags = TH_ACK;
1757  p->flowflags = FLOW_PKT_TOSERVER;
1758  p->payload_len = 0;
1759  p->payload = NULL;
1760  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1761  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1762  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1763  FAIL_IF(f.alproto != ALPROTO_HTTP);
1764  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1765  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1766  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1767  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1768  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1769  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1770  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1771  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1772 
1773  TEST_END;
1774  PASS;
1775 }
1776 
1777 /**
1778  * \test HTTP/1.1 -> GET
1779  */
1780 static int AppLayerTest06(void)
1781 {
1782  TEST_START;
1783 
1784  /* full response - request ack */
1785  uint8_t response[] = {
1786  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1787  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1788  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1789  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1790  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1791  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1792  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1793  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1794  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1795  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1796  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1797  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1798  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1799  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1800  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1801  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1802  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1803  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1804  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1805  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1806  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1807  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1808  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1809  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1810  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1811  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1812  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1813  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1814  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1815  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1816  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1817  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1818  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1819  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1820  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1821  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1822  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1823  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1824  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1825  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1826  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1827  p->tcph->th_ack = htonl(1);
1828  p->tcph->th_seq = htonl(1);
1829  p->tcph->th_flags = TH_PUSH | TH_ACK;
1830  p->flowflags = FLOW_PKT_TOCLIENT;
1831  p->payload_len = sizeof(response);
1832  p->payload = response;
1833  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1834  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1835  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1836  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1837  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1838  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1839  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1840  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1841  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1842  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1843  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1844  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1845 
1846  /* full request - response ack*/
1847  uint8_t request[] = {
1848  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1849  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1850  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1851  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1852  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1853  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1854  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1855  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1856  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1857  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1858  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1859  p->tcph->th_ack = htonl(328);
1860  p->tcph->th_seq = htonl(1);
1861  p->tcph->th_flags = TH_PUSH | TH_ACK;
1862  p->flowflags = FLOW_PKT_TOSERVER;
1863  p->payload_len = sizeof(request);
1864  p->payload = request;
1865  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1866  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1867  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1868  FAIL_IF(f.alproto != ALPROTO_HTTP);
1869  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1870  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1871  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1872  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1873  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1874  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1875  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1876  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1877 
1878  p->tcph->th_ack = htonl(1 + sizeof(request));
1879  p->tcph->th_seq = htonl(328);
1880  p->tcph->th_flags = TH_PUSH | TH_ACK;
1881  p->flowflags = FLOW_PKT_TOCLIENT;
1882  p->payload_len = 0;
1883  p->payload = NULL;
1884  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1885  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1886  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1887  FAIL_IF(f.alproto != ALPROTO_HTTP);
1888  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1889  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1890  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1891  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1892  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1893  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1894  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1895  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1896 
1897  TEST_END;
1898  PASS;
1899 }
1900 
1901 /**
1902  * \test GET -> DCERPC
1903  */
1904 static int AppLayerTest07(void)
1905 {
1906  TEST_START;
1907 
1908  /* full request */
1909  uint8_t request[] = {
1910  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1911  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1912  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1913  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1914  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1915  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1916  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1917  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1918  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1919  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1920  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1921  p->tcph->th_ack = htonl(1);
1922  p->tcph->th_seq = htonl(1);
1923  p->tcph->th_flags = TH_PUSH | TH_ACK;
1924  p->flowflags = FLOW_PKT_TOSERVER;
1925  p->payload_len = sizeof(request);
1926  p->payload = request;
1927  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1928  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1929  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1930  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1931  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1932  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1933  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1934  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1935  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1936  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1937  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1938  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1939 
1940  /* full response - request ack */
1941  uint8_t response[] = {
1942  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1943  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1944  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1945  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1946  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1947  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1948  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1949  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1950  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1951  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1952  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1953  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1954  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1955  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1956  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1957  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1958  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1959  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1960  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1961  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1962  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1963  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1964  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1965  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1966  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1967  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1968  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1969  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1970  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1971  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1972  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1973  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1974  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1975  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1976  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1977  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1978  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1979  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1980  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1981  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1982  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1983  p->tcph->th_ack = htonl(88);
1984  p->tcph->th_seq = htonl(1);
1985  p->tcph->th_flags = TH_PUSH | TH_ACK;
1986  p->flowflags = FLOW_PKT_TOCLIENT;
1987  p->payload_len = sizeof(response);
1988  p->payload = response;
1989  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1990  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1991  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1992  FAIL_IF(f.alproto != ALPROTO_HTTP);
1993  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1994  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1995  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1996  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1997  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1998  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1999  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2000  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2001 
2002  /* response ack */
2003  p->tcph->th_ack = htonl(328);
2004  p->tcph->th_seq = htonl(88);
2005  p->tcph->th_flags = TH_ACK;
2006  p->flowflags = FLOW_PKT_TOSERVER;
2007  p->payload_len = 0;
2008  p->payload = NULL;
2009  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2010  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2011  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2012  FAIL_IF(f.alproto != ALPROTO_HTTP);
2013  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
2014  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2015  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2016  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2017  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2018  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2019  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2020  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2021 
2022  TEST_END;
2023  PASS;
2024 }
2025 
2026 /**
2027  * \test SMB -> HTTP/1.1
2028  */
2029 static int AppLayerTest08(void)
2030 {
2031  TEST_START;
2032 
2033  /* full request */
2034  uint8_t request[] = {
2035  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2036  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2037  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2038  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2039  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2040  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2041  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2042  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2043  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2044  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2045  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2046  p->tcph->th_ack = htonl(1);
2047  p->tcph->th_seq = htonl(1);
2048  p->tcph->th_flags = TH_PUSH | TH_ACK;
2049  p->flowflags = FLOW_PKT_TOSERVER;
2050  p->payload_len = sizeof(request);
2051  p->payload = request;
2052  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2053  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2054  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2055  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2056  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2057  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2058  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2059  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2060  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2061  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2062  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2063  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2064 
2065  /* full response - request ack */
2066  uint8_t response[] = {
2067  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2068  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2069  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2070  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2071  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2072  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2073  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2074  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2075  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2076  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2077  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2078  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2079  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2080  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2081  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2082  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2083  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2084  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2085  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2086  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2087  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2088  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2089  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2090  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2091  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2092  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2093  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2094  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2095  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2096  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2097  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2098  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2099  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2100  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2101  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2102  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2103  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2104  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2105  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2106  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2107  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2108  p->tcph->th_ack = htonl(88);
2109  p->tcph->th_seq = htonl(1);
2110  p->tcph->th_flags = TH_PUSH | TH_ACK;
2111  p->flowflags = FLOW_PKT_TOCLIENT;
2112  p->payload_len = sizeof(response);
2113  p->payload = response;
2114  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2115  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2116  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2117  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2118  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2119  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2120  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2121  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2122  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2123  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2124  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2125  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2126 
2127  /* response ack */
2128  p->tcph->th_ack = htonl(328);
2129  p->tcph->th_seq = htonl(88);
2130  p->tcph->th_flags = TH_ACK;
2131  p->flowflags = FLOW_PKT_TOSERVER;
2132  p->payload_len = 0;
2133  p->payload = NULL;
2134  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2135  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2136  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2137  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2138  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2139  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2140  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2141  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2142  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2143  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2144  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2145  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2146 
2147  TEST_END;
2148  PASS;
2149 }
2150 
2151 /**
2152  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2153  * RUBBISH(TC - PM and PP DONE) ->
2154  * RUBBISH(TS - PM and PP DONE)
2155  */
2156 static int AppLayerTest09(void)
2157 {
2158  TEST_START;
2159 
2160  /* full request */
2161  uint8_t request1[] = {
2162  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2163  p->tcph->th_ack = htonl(1);
2164  p->tcph->th_seq = htonl(1);
2165  p->tcph->th_flags = TH_PUSH | TH_ACK;
2166  p->flowflags = FLOW_PKT_TOSERVER;
2167  p->payload_len = sizeof(request1);
2168  p->payload = request1;
2169  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2170  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2171  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2172  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2173  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2174  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2175  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2176  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2177  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2178  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2179  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2180  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2181 
2182  /* response - request ack */
2183  p->tcph->th_ack = htonl(9);
2184  p->tcph->th_seq = htonl(1);
2185  p->tcph->th_flags = TH_PUSH | TH_ACK;
2186  p->flowflags = FLOW_PKT_TOCLIENT;
2187  p->payload_len = 0;
2188  p->payload = NULL;
2189  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2190  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2191  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2192  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2193  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2194  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2195  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2196  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2197  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2198  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2199  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2200  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2201 
2202  /* full request */
2203  uint8_t request2[] = {
2204  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2205  p->tcph->th_ack = htonl(1);
2206  p->tcph->th_seq = htonl(9);
2207  p->tcph->th_flags = TH_PUSH | TH_ACK;
2208  p->flowflags = FLOW_PKT_TOSERVER;
2209  p->payload_len = sizeof(request2);
2210  p->payload = request2;
2211  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2212  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2213  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2214  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2215  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2216  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2217  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2218  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2219  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2220  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2221  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2222  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2223 
2224  /* full response - request ack */
2225  uint8_t response[] = {
2226  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2227  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2228  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2229  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2230  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2231  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2232  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2233  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2234  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2235  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2236  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2237  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2238  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2239  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2240  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2241  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2242  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2243  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2244  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2245  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2246  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2247  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2248  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2249  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2250  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2251  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2252  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2253  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2254  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2255  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2256  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2257  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2258  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2259  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2260  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2261  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2262  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2263  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2264  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2265  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2266  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2267  p->tcph->th_ack = htonl(18);
2268  p->tcph->th_seq = htonl(1);
2269  p->tcph->th_flags = TH_PUSH | TH_ACK;
2270  p->flowflags = FLOW_PKT_TOCLIENT;
2271  p->payload_len = sizeof(response);
2272  p->payload = response;
2273  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2274  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2275  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2276  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2277  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2278  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2279  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2280  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2281  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2282  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2283  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2284  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2285 
2286  /* response ack */
2287  p->tcph->th_ack = htonl(328);
2288  p->tcph->th_seq = htonl(18);
2289  p->tcph->th_flags = TH_ACK;
2290  p->flowflags = FLOW_PKT_TOSERVER;
2291  p->payload_len = 0;
2292  p->payload = NULL;
2293  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2294  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2295  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2296  FAIL_IF(f.alproto != ALPROTO_FAILED);
2297  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2298  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2299  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2300  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2301  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2302  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2303  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2304  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2305 
2306  TEST_END;
2307  PASS;
2308 }
2309 
2310 /**
2311  * \test RUBBISH(TC - PM and PP DONE) ->
2312  * RUBBISH(TS - PM and PP DONE)
2313  */
2314 static int AppLayerTest10(void)
2315 {
2316  TEST_START;
2317 
2318  /* full request */
2319  uint8_t request1[] = {
2320  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2321  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2322  p->tcph->th_ack = htonl(1);
2323  p->tcph->th_seq = htonl(1);
2324  p->tcph->th_flags = TH_PUSH | TH_ACK;
2325  p->flowflags = FLOW_PKT_TOSERVER;
2326  p->payload_len = sizeof(request1);
2327  p->payload = request1;
2328  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2329  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2330  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2331  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2332  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2333  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2334  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2335  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2336  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2337  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2338  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2339  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2340 
2341  /* response - request ack */
2342  p->tcph->th_ack = htonl(18);
2343  p->tcph->th_seq = htonl(1);
2344  p->tcph->th_flags = TH_PUSH | TH_ACK;
2345  p->flowflags = FLOW_PKT_TOCLIENT;
2346  p->payload_len = 0;
2347  p->payload = NULL;
2348  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2349  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2350  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2351  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2352  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2353  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2354  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2355  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2356  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2357  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2358  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2359  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2360 
2361  /* full response - request ack */
2362  uint8_t response[] = {
2363  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2364  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2365  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2366  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2367  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2368  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2369  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2370  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2371  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2372  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2373  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2374  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2375  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2376  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2377  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2378  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2379  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2380  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2381  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2382  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2383  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2384  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2385  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2386  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2387  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2388  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2389  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2390  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2391  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2392  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2393  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2394  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2395  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2396  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2397  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2398  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2399  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2400  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2401  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2402  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2403  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2404  p->tcph->th_ack = htonl(18);
2405  p->tcph->th_seq = htonl(1);
2406  p->tcph->th_flags = TH_PUSH | TH_ACK;
2407  p->flowflags = FLOW_PKT_TOCLIENT;
2408  p->payload_len = sizeof(response);
2409  p->payload = response;
2410  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2411  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2412  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2413  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2414  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2415  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2416  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2417  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2418  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2419  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2420  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2421  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2422 
2423  /* response ack */
2424  p->tcph->th_ack = htonl(328);
2425  p->tcph->th_seq = htonl(18);
2426  p->tcph->th_flags = TH_ACK;
2427  p->flowflags = FLOW_PKT_TOSERVER;
2428  p->payload_len = 0;
2429  p->payload = NULL;
2430  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2431  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2432  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2433  FAIL_IF(f.alproto != ALPROTO_FAILED);
2434  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2435  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2436  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2437  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2438  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2439  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2440  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2441  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2442 
2443  TEST_END;
2444  PASS;
2445 }
2446 
2447 /**
2448  * \test RUBBISH(TC - PM and PP DONE) ->
2449  * RUBBISH(TS - PM and PP NOT DONE) ->
2450  * RUBBISH(TS - PM and PP DONE)
2451  */
2452 static int AppLayerTest11(void)
2453 {
2454  TEST_START;
2455 
2456  /* full request */
2457  uint8_t request1[] = {
2458  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2459  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2460  p->tcph->th_ack = htonl(1);
2461  p->tcph->th_seq = htonl(1);
2462  p->tcph->th_flags = TH_PUSH | TH_ACK;
2463  p->flowflags = FLOW_PKT_TOSERVER;
2464  p->payload_len = sizeof(request1);
2465  p->payload = request1;
2466  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2467  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2468  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2469  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2470  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2471  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2472  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2473  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2474  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2475  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2476  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2477  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2478 
2479  /* response - request ack */
2480  p->tcph->th_ack = htonl(18);
2481  p->tcph->th_seq = htonl(1);
2482  p->tcph->th_flags = TH_PUSH | TH_ACK;
2483  p->flowflags = FLOW_PKT_TOCLIENT;
2484  p->payload_len = 0;
2485  p->payload = NULL;
2486  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2487  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2488  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2489  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2490  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2491  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2492  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2493  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2494  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2495  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2496  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2497  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2498 
2499  /* full response - request ack */
2500  uint8_t response1[] = {
2501  0x55, 0x74, 0x54, 0x50, };
2502  p->tcph->th_ack = htonl(18);
2503  p->tcph->th_seq = htonl(1);
2504  p->tcph->th_flags = TH_PUSH | TH_ACK;
2505  p->flowflags = FLOW_PKT_TOCLIENT;
2506  p->payload_len = sizeof(response1);
2507  p->payload = response1;
2508  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2509  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2510  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2511  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2512  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2513  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2514  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2515  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2516  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2517  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2518  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2519  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2520 
2521  /* response ack from request */
2522  p->tcph->th_ack = htonl(5);
2523  p->tcph->th_seq = htonl(18);
2524  p->tcph->th_flags = TH_ACK;
2525  p->flowflags = FLOW_PKT_TOSERVER;
2526  p->payload_len = 0;
2527  p->payload = NULL;
2528  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2529  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2530  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2531  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2532  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2533  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2534  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2535  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2536  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2537  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2538  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2539  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2540 
2541  uint8_t response2[] = {
2542  0x2f, 0x31, 0x2e, 0x31,
2543  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2544  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2545  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2546  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2547  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2548  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2549  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2550  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2551  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2552  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2553  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2554  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2555  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2556  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2557  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2558  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2559  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2560  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2561  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2562  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2563  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2564  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2565  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2566  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2567  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2568  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2569  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2570  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2571  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2572  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2573  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2574  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2575  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2576  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2577  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2578  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2579  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2580  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2581  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2582  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2583  p->tcph->th_ack = htonl(18);
2584  p->tcph->th_seq = htonl(5);
2585  p->tcph->th_flags = TH_PUSH | TH_ACK;
2586  p->flowflags = FLOW_PKT_TOCLIENT;
2587  p->payload_len = sizeof(response2);
2588  p->payload = response2;
2589  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2590  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2591  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2592  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2593  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2594  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2595  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2596  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2597  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2598  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2599  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2600  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2601 
2602  /* response ack from request */
2603  p->tcph->th_ack = htonl(328);
2604  p->tcph->th_seq = htonl(18);
2605  p->tcph->th_flags = TH_ACK;
2606  p->flowflags = FLOW_PKT_TOSERVER;
2607  p->payload_len = 0;
2608  p->payload = NULL;
2609  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2610  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2611  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2612  FAIL_IF(f.alproto != ALPROTO_FAILED);
2613  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2614  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2615  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2616  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2617  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2618  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2619  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2620  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2621 
2622  TEST_END;
2623  PASS;
2624 }
2625 
2626 void AppLayerUnittestsRegister(void)
2627 {
2628  SCEnter();
2629 
2630  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2631  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2632  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2633  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2634  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2635  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2636  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2637  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2638  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2639  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2640  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2641 
2642  SCReturn;
2643 }
2644 
2645 #endif /* UNITTESTS */
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:80
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:272
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:243
TcpStream_
Definition: stream-tcp-private.h:94
AppLayerCounters_
Definition: app-layer.c:79
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:139
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1767
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:118
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:81
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:87
stream-tcp.h
SCFree
#define SCFree(a)
Definition: util-mem.h:322
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:562
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:997
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:868
Flow_::proto
uint8_t proto
Definition: flow.h:359
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:71
Packet_::payload
uint8_t * payload
Definition: decode.h:541
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6262
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:444
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:340
Flow_::protomap
uint8_t protomap
Definition: flow.h:418
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1086
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:188
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:931
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:429
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:170
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:863
AppLayerCounterNames_
Definition: app-layer.c:74
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:216
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5857
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2626
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:778
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:885
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:66
Flow_::protoctx
void * protoctx
Definition: flow.h:414
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:76
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:568
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:764
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
STREAM_START
#define STREAM_START
Definition: stream.h:29
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:813
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1101
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:73
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:263
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1559
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:798
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1118
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:565
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:264
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:875
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:442
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:825
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4766
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:884
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1872
TEST_START
#define TEST_START
Definition: app-layer.c:973
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:219
SCReturn
#define SCReturn
Definition: util-debug.h:339
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:271
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:408
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:693
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:176
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:217
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:432
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:2
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1181
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:336
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:273
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:523
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1798
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1102
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1430
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:303
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:147
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2070
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1957
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2048
str
#define str(s)
Definition: suricata-common.h:256
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:378
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:424
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6268
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:847
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:394
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:771
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:112
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:61
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:351
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:244
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:187
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1056
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2011
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
likely
#define likely(expr)
Definition: util-optimize.h:32
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:198
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:85
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:75
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:254
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1493
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:425
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1569
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:423
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:958
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2065
app-layer.h