suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
70 #endif
71 };
72 
73 #define MAX_COUNTER_SIZE 64
74 typedef struct AppLayerCounterNames_ {
78 
79 typedef struct AppLayerCounters_ {
80  uint16_t counter_id;
81  uint16_t counter_tx_id;
83 
84 /* counter names. Only used at init. */
86 /* counter id's. Used that runtime. */
88 
89 void AppLayerSetupCounters(void);
90 void AppLayerDeSetupCounters(void);
91 
92 /***** L7 layer dispatchers *****/
93 
94 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
95  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
97  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
98 }
99 
100 /**
101  * \note id can be 0 if protocol parser is disabled but detection
102  * is enabled.
103  */
104 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
105 {
106  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
107  if (likely(tv && id > 0)) {
108  StatsIncr(tv, id);
109  }
110 }
111 
112 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
113 {
114  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
115  if (likely(tv && id > 0)) {
116  StatsAddUI64(tv, id, step);
117  }
118 }
119 
120 /* in IDS mode protocol detection is done in reverse order:
121  * when TCP data is ack'd. We want to flag the correct packet,
122  * so in this case we set a flag in the flow so that the first
123  * packet in the correct direction can be tagged.
124  *
125  * For IPS things are much simpler, and we don't use the flow
126  * flag. We just tag the packet directly. */
127 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
128 {
129  if (EngineModeIsIPS()) {
130  if (flags & STREAM_TOSERVER) {
131  if (p->flowflags & FLOW_PKT_TOSERVER) {
133  } else {
135  }
136  } else {
137  if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  } else {
141  }
142  }
143  } else {
144  if (flags & STREAM_TOSERVER) {
146  } else {
148  }
149  }
150 }
151 
152 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
153 {
154  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
155  f, f->alproto, f->alproto_ts, f->alproto_tc);
158  TcpSession *ssn = f->protoctx;
160  f->alproto = ALPROTO_FAILED;
161  AppLayerIncFlowCounter(tv, f);
162 
163  if (f->alproto_tc != ALPROTO_FAILED) {
164  if (f->alproto_tc == ALPROTO_UNKNOWN) {
166  }
167  FlagPacketFlow(p, f, STREAM_TOCLIENT);
168  }
169  if (f->alproto_ts != ALPROTO_FAILED) {
170  if (f->alproto_ts == ALPROTO_UNKNOWN) {
172  }
173  FlagPacketFlow(p, f, STREAM_TOSERVER);
174  }
175  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
176  f, f->alproto, f->alproto_ts, f->alproto_tc);
177 }
178 
179 /* See if we're going to have to give up:
180  *
181  * If we're getting a lot of data in one direction and the
182  * proto for this direction is unknown, proto detect will
183  * hold up segments in the segment list in the stream.
184  * They are held so that if we detect the protocol on the
185  * opposing stream, we can still parse this side of the stream
186  * as well. However, some sessions are very unbalanced. FTP
187  * data channels, large PUT/POST request and many others, can
188  * lead to cases where we would have to store many megabytes
189  * worth of segments before we see the opposing stream. This
190  * leads to risks of resource starvation.
191  *
192  * Here a cutoff point is enforced. If we've stored 100k in
193  * one direction and we've seen no data in the other direction,
194  * we give up.
195  *
196  * Giving up means we disable applayer an set an applayer event
197  */
198 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
199  Flow *f, TcpSession *ssn, Packet *p)
200 {
201  if (ssn->state < TCP_ESTABLISHED) {
202  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
203  return;
204  }
205 
206  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
207  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
208  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
209 
210 #ifdef DEBUG_VALIDATION
211  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
212  BUG_ON(size_ts > 1000000UL);
213  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
214  BUG_ON(size_tc > 1000000UL);
215 #endif /* DEBUG_VALIDATION */
216 
217  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
218  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
219  {
220  goto failure;
221 
223  size_ts > 100000 && size_tc == 0)
224  {
227  goto failure;
228 
230  size_tc > 100000 && size_ts == 0)
231  {
234  goto failure;
235 
236  /* little data in ts direction, pp done, pm not done (max
237  * depth not reached), ts direction done, lots of data in
238  * tc direction. */
239  } else if (size_tc > 100000 &&
242  {
245  goto failure;
246 
247  /* little data in tc direction, pp done, pm not done (max
248  * depth not reached), tc direction done, lots of data in
249  * ts direction. */
250  } else if (size_ts > 100000 &&
253  {
256  goto failure;
257 
258  /* in case of really low TS data (e.g. 4 bytes) we can have
259  * the PP complete, PM not complete (depth not reached) and
260  * the TC side also not recognized (proto unknown) */
261  } else if (size_tc > 100000 &&
264  {
267  goto failure;
268  }
269  return;
270 
271 failure:
272  DisableAppLayer(tv, f, p);
273  return;
274 }
275 
276 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
277  TcpReassemblyThreadCtx *ra_ctx,
278  Packet *p, TcpSession *ssn, TcpStream *stream)
279 {
280  TcpStream *opposing_stream = NULL;
281  if (stream == &ssn->client) {
282  opposing_stream = &ssn->server;
283  } else {
284  opposing_stream = &ssn->client;
285  }
286 
287  /* if the opposing side is not going to work, then
288  * we just have to give up. */
289  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
290  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
291  return -1;
292  }
293 
294  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
297  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
298  opposing_stream, p, dir);
299  return ret;
300 }
301 
302 /** \todo data const
303  * \retval int -1 error
304  * \retval int 0 ok
305  */
306 static int TCPProtoDetect(ThreadVars *tv,
307  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
308  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
309  uint8_t *data, uint32_t data_len, uint8_t flags)
310 {
311  AppProto *alproto;
312  AppProto *alproto_otherdir;
313  int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
314 
315  if (flags & STREAM_TOSERVER) {
316  alproto = &f->alproto_ts;
317  alproto_otherdir = &f->alproto_tc;
318  } else {
319  alproto = &f->alproto_tc;
320  alproto_otherdir = &f->alproto_ts;
321  }
322 
323  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
324 #ifdef PRINT
325  if (data_len > 0) {
326  printf("=> Init Stream Data (app layer) -- start %s%s\n",
327  flags & STREAM_TOCLIENT ? "toclient" : "",
328  flags & STREAM_TOSERVER ? "toserver" : "");
329  PrintRawDataFp(stdout, data, data_len);
330  printf("=> Init Stream Data -- end\n");
331  }
332 #endif
333 
334  bool reverse_flow = false;
336  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
337  f, data, data_len,
338  IPPROTO_TCP, flags, &reverse_flow);
339  PACKET_PROFILING_APP_PD_END(app_tctx);
340  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
341 
342  if (*alproto != ALPROTO_UNKNOWN) {
343  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
346 
348  /* if we already invoked the parser, we go with that proto */
349  f->alproto = *alproto_otherdir;
350  } else {
351  /* no data sent to parser yet, we can still choose
352  * we're trusting the server more. */
353  if (flags & STREAM_TOCLIENT)
354  f->alproto = *alproto;
355  else
356  f->alproto = *alproto_otherdir;
357  }
358  } else {
359  f->alproto = *alproto;
360  }
361 
365  FlagPacketFlow(p, f, flags);
366  /* if protocol detection indicated that we need to reverse
367  * the direction of the flow, do it now. We flip the flow,
368  * packet and the direction flags */
369  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
370  SCLogDebug("reversing flow after proto detect told us so");
371  PacketSwap(p);
372  FlowSwap(f);
374  if (*stream == &ssn->client) {
375  *stream = &ssn->server;
376  } else {
377  *stream = &ssn->client;
378  }
379  direction = 1 - direction;
380  }
381 
382  /* account flow if we have both sides */
383  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
384  AppLayerIncFlowCounter(tv, f);
385  }
386 
387  /* if we have seen data from the other direction first, send
388  * data for that direction first to the parser. This shouldn't
389  * be an issue, since each stream processing happens
390  * independently of the other stream direction. At this point of
391  * call, you need to know that this function's already being
392  * called by the very same StreamReassembly() function that we
393  * will now call shortly for the opposing direction. */
395  !(flags & ssn->data_first_seen_dir))
396  {
397  SCLogDebug("protocol %s needs first data in other direction",
398  AppProtoToString(*alproto));
399 
400  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
401  p, ssn, *stream) != 0)
402  {
403  DisableAppLayer(tv, f, p);
404  SCReturnInt(-1);
405  }
406  }
407 
408  /* if the parser operates such that it needs to see data from
409  * a particular direction first, we check if we have seen
410  * data from that direction first for the flow. IF it is not
411  * the same, we set an event and exit.
412  *
413  * \todo We need to figure out a more robust solution for this,
414  * as this can lead to easy evasion tactics, where the
415  * attackeer can first send some dummy data in the wrong
416  * direction first to mislead our proto detection process.
417  * While doing this we need to update the parsers as well,
418  * since the parsers must be robust to see such wrong
419  * direction data.
420  * Either ways the moment we see the
421  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
422  * flow, it shows something's fishy.
423  */
425  uint8_t first_data_dir;
426  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
427 
428  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
431  DisableAppLayer(tv, f, p);
432  SCReturnInt(-1);
433  }
434  /* This can happen if the current direction is not the
435  * right direction, and the data from the other(also
436  * the right direction) direction is available to be sent
437  * to the app layer, but it is not ack'ed yet and hence
438  * the forced call to STreamTcpAppLayerReassemble still
439  * hasn't managed to send data from the other direction
440  * to the app layer. */
441  if (first_data_dir && !(first_data_dir & flags)) {
447  SCReturnInt(-1);
448  }
449  }
450 
451  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
453 
454  /* finally, invoke the parser */
455  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
456  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
457  flags, data, data_len);
458  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
459  if (r < 0) {
460  SCReturnInt(-1);
461  } else if (r == 0) {
462  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
463  }
464  } else {
465  /* if the ssn is midstream, we may end up with a case where the
466  * start of an HTTP request is missing. We won't detect HTTP based
467  * on the request. However, the reply is fine, so we detect
468  * HTTP anyway. This leads to passing the incomplete request to
469  * the htp parser.
470  *
471  * This has been observed, where the http parser then saw many
472  * bogus requests in the incomplete data.
473  *
474  * To counter this case, a midstream session MUST find it's
475  * protocol in the toserver direction. If not, we assume the
476  * start of the request/toserver is incomplete and no reliable
477  * detection and parsing is possible. So we give up.
478  */
479  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
481  {
483  SCLogDebug("midstream end pd %p", ssn);
484  /* midstream and toserver detection failed: give up */
485  DisableAppLayer(tv, f, p);
486  SCReturnInt(0);
487  }
488  }
489 
490  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
491  uint8_t first_data_dir;
492  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
493 
494  /* this would handle this test case -
495  * http parser which says it wants to see toserver data first only.
496  * tcp handshake
497  * toclient data first received. - RUBBISH DATA which
498  * we don't detect as http
499  * toserver data next sent - we detect this as http.
500  * at this stage we see that toclient is the first data seen
501  * for this session and we try and redetect the app protocol,
502  * but we are unable to detect the app protocol like before.
503  * But since we have managed to detect the protocol for the
504  * other direction as http, we try to use that. At this
505  * stage we check if the direction of this stream matches
506  * to that acceptable by the app parser. If it is not the
507  * acceptable direction we error out.
508  */
510  (first_data_dir) && !(first_data_dir & flags))
511  {
512  DisableAppLayer(tv, f, p);
513  SCReturnInt(-1);
514  }
515 
516  /* if protocol detection is marked done for our direction we
517  * pass our data on. We're only succeeded in finding one
518  * direction: the opposing stream
519  *
520  * If PD was not yet complete, we don't do anything.
521  */
522  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
523  if (data_len > 0)
525 
526  if (*alproto_otherdir != ALPROTO_FAILED) {
527  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
528  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
529  f->alproto, flags,
530  data, data_len);
531  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
532  if (r == 0) {
533  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
534  }
535 
540 
541  *alproto = *alproto_otherdir;
542  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
543  p->pcap_cnt, *alproto, *alproto_otherdir, r);
544  if (r < 0) {
545  SCReturnInt(-1);
546  }
547  }
548  *alproto = ALPROTO_FAILED;
550  AppLayerIncFlowCounter(tv, f);
551  FlagPacketFlow(p, f, flags);
552 
553  }
554  } else {
555  /* both sides unknown, let's see if we need to give up */
556  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
557  }
558  }
559  SCReturnInt(0);
560 }
561 
562 /** \brief handle TCP data for the app-layer.
563  *
564  * First run protocol detection and then when the protocol is known invoke
565  * the app layer parser.
566  *
567  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
568  * reversed.
569  */
571  Packet *p, Flow *f,
572  TcpSession *ssn, TcpStream **stream,
573  uint8_t *data, uint32_t data_len,
574  uint8_t flags)
575 {
576  SCEnter();
577 
579  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
580 
581  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
582  AppProto alproto;
583  int r = 0;
584 
585  SCLogDebug("data_len %u flags %02X", data_len, flags);
587  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
588  goto end;
589  }
590 
591  const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
592 
593  if (flags & STREAM_TOSERVER) {
594  alproto = f->alproto_ts;
595  } else {
596  alproto = f->alproto_tc;
597  }
598 
599  /* If a gap notification, relay the notification on to the
600  * app-layer if known. */
601  if (flags & STREAM_GAP) {
602  if (alproto == ALPROTO_UNKNOWN) {
604  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
605  /* if the other side didn't already find the proto, we're done */
606  if (f->alproto == ALPROTO_UNKNOWN) {
607  goto failure;
608  }
609  }
610  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
611  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
612  flags, data, data_len);
613  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
614  /* ignore parser result for gap */
615  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
616  goto end;
617  }
618 
619  /* if we don't know the proto yet and we have received a stream
620  * initializer message, we run proto detection.
621  * We receive 2 stream init msgs (one for each direction) but we
622  * only run the proto detection once. */
623  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
624  /* run protocol detection */
625  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
626  data, data_len, flags) != 0) {
627  goto failure;
628  }
629  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
630  f->alproto_orig = f->alproto;
631  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
633  /* rerun protocol detection */
634  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
635  data, data_len, flags) != 0) {
636  SCLogDebug("proto detect failure");
637  goto failure;
638  }
639  SCLogDebug("protocol change, old %s, new %s",
641 
642  if (f->alproto_expect != ALPROTO_UNKNOWN &&
643  f->alproto != f->alproto_expect)
644  {
647 
648  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
651 
652  }
653  }
654  } else {
655  SCLogDebug("stream data (len %" PRIu32 " alproto "
656  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
657 #ifdef PRINT
658  if (data_len > 0) {
659  printf("=> Stream Data (app layer) -- start %s%s\n",
660  flags & STREAM_TOCLIENT ? "toclient" : "",
661  flags & STREAM_TOSERVER ? "toserver" : "");
662  PrintRawDataFp(stdout, data, data_len);
663  printf("=> Stream Data -- end\n");
664  }
665 #endif
666  /* if we don't have a data object here we are not getting it
667  * a start msg should have gotten us one */
668  if (f->alproto != ALPROTO_UNKNOWN) {
669  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
670  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
671  flags, data, data_len);
672  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
673  if (r == 0) {
674  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
675  }
676  }
677  }
678 
679  goto end;
680  failure:
681  r = -1;
682  end:
683  SCReturnInt(r);
684 }
685 
686 /**
687  * \brief Handle a app layer UDP message
688  *
689  * If the protocol is yet unknown, the proto detection code is run first.
690  *
691  * \param dp_ctx Thread app layer detect context
692  * \param f *locked* flow
693  * \param p UDP packet
694  *
695  * \retval 0 ok
696  * \retval -1 error
697  */
699 {
700  SCEnter();
701 
702  if (f->alproto == ALPROTO_FAILED) {
703  SCReturnInt(0);
704  }
705 
706  int r = 0;
707  uint8_t flags = 0;
708  if (p->flowflags & FLOW_PKT_TOSERVER) {
710  } else {
712  }
713 
714  AppLayerProfilingReset(tctx);
715 
716  /* if the protocol is still unknown, run detection */
717  if (f->alproto == ALPROTO_UNKNOWN) {
718  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
719  p->payload_len);
720 
721  bool reverse_flow = false;
724  f, p->payload, p->payload_len,
725  IPPROTO_UDP, flags, &reverse_flow);
727 
728  if (f->alproto != ALPROTO_UNKNOWN) {
729  AppLayerIncFlowCounter(tv, f);
730 
731  if (reverse_flow) {
732  SCLogDebug("reversing flow after proto detect told us so");
733  PacketSwap(p);
734  FlowSwap(f);
736  }
737 
739  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
740  flags, p->payload, p->payload_len);
742  } else {
743  f->alproto = ALPROTO_FAILED;
744  AppLayerIncFlowCounter(tv, f);
745  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
746  }
748  /* we do only inspection in one direction, so flag both
749  * sides as done here */
750  FlagPacketFlow(p, f, STREAM_TOSERVER);
751  FlagPacketFlow(p, f, STREAM_TOCLIENT);
752  } else {
753  SCLogDebug("data (len %" PRIu32 " ), alproto "
754  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
755 
756  /* run the parser */
758  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
759  flags, p->payload, p->payload_len);
762  }
763 
764  SCReturnInt(r);
765 }
766 
767 /***** Utility *****/
768 
769 AppProto AppLayerGetProtoByName(char *alproto_name)
770 {
771  SCEnter();
773  SCReturnCT(r, "AppProto");
774 }
775 
776 const char *AppLayerGetProtoName(AppProto alproto)
777 {
778  SCEnter();
779  const char * r = AppLayerProtoDetectGetProtoName(alproto);
780  SCReturnCT(r, "char *");
781 }
782 
784 {
785  SCEnter();
786 
787  AppProto alproto;
788  AppProto alprotos[ALPROTO_MAX];
789 
791 
792  printf("=========Supported App Layer Protocols=========\n");
793  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
794  if (alprotos[alproto] == 1)
795  printf("%s\n", AppLayerGetProtoName(alproto));
796  }
797 
798  SCReturn;
799 }
800 
801 /***** Setup/General Registration *****/
802 
803 int AppLayerSetup(void)
804 {
805  SCEnter();
806 
809 
812 
814 
815  SCReturnInt(0);
816 }
817 
819 {
820  SCEnter();
821 
824 
826 
827  SCReturnInt(0);
828 }
829 
831 {
832  SCEnter();
833 
834  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
835  if (app_tctx == NULL)
836  goto error;
837  memset(app_tctx, 0, sizeof(*app_tctx));
838 
839  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
840  goto error;
841  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
842  goto error;
843 
844  goto done;
845  error:
846  AppLayerDestroyCtxThread(app_tctx);
847  app_tctx = NULL;
848  done:
849  SCReturnPtr(app_tctx, "void *");
850 }
851 
853 {
854  SCEnter();
855 
856  if (app_tctx == NULL)
857  SCReturn;
858 
859  if (app_tctx->alpd_tctx != NULL)
861  if (app_tctx->alp_tctx != NULL)
863  SCFree(app_tctx);
864 
865  SCReturn;
866 }
867 
869 {
870  PACKET_PROFILING_APP_RESET(app_tctx);
871 }
872 
874 {
875  PACKET_PROFILING_APP_STORE(app_tctx, p);
876 }
877 
878 /** \brief HACK to work around our broken unix manager (re)init loop
879  */
881 {
886  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
887 }
888 
889 #define IPPROTOS_MAX 2
891 {
892  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
893  uint8_t ipproto;
894  AppProto alproto;
895  AppProto alprotos[ALPROTO_MAX];
896  const char *str = "app_layer.flow.";
897 
899 
900  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
901  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
902  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
903  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
904 
905  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
906  if (alprotos[alproto] == 1) {
907  const char *tx_str = "app_layer.tx.";
908  const char *alproto_str = AppLayerGetProtoName(alproto);
909 
910  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
911  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
912  {
913  snprintf(applayer_counter_names[ipproto_map][alproto].name,
914  sizeof(applayer_counter_names[ipproto_map][alproto].name),
915  "%s%s%s", str, alproto_str, ipproto_suffix);
916  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
917  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
918  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
919  } else {
920  snprintf(applayer_counter_names[ipproto_map][alproto].name,
921  sizeof(applayer_counter_names[ipproto_map][alproto].name),
922  "%s%s", str, alproto_str);
923  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
924  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
925  "%s%s", tx_str, alproto_str);
926  }
927  } else if (alproto == ALPROTO_FAILED) {
928  snprintf(applayer_counter_names[ipproto_map][alproto].name,
929  sizeof(applayer_counter_names[ipproto_map][alproto].name),
930  "%s%s%s", str, "failed", ipproto_suffix);
931  }
932  }
933  }
934 }
935 
937 {
938  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
939  uint8_t ipproto;
940  AppProto alproto;
941  AppProto alprotos[ALPROTO_MAX];
942 
944 
945  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
946  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
947 
948  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
949  if (alprotos[alproto] == 1) {
950  applayer_counters[ipproto_map][alproto].counter_id =
951  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
952 
953  applayer_counters[ipproto_map][alproto].counter_tx_id =
954  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
955  } else if (alproto == ALPROTO_FAILED) {
956  applayer_counters[ipproto_map][alproto].counter_id =
957  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
958  }
959  }
960  }
961 }
962 
964 {
966  memset(applayer_counters, 0, sizeof(applayer_counters));
967 }
968 
969 /***** Unittests *****/
970 
971 #ifdef UNITTESTS
972 #include "pkt-var.h"
973 #include "stream-tcp.h"
974 #include "stream-tcp-util.h"
975 #include "stream.h"
976 #include "util-unittest.h"
977 
978 #define TEST_START \
979  Packet *p = SCMalloc(SIZE_OF_PACKET);\
980  FAIL_IF_NULL(p);\
981  Flow f;\
982  ThreadVars tv;\
983  StreamTcpThread *stt = NULL;\
984  TCPHdr tcph;\
985  PacketQueueNoLock pq;\
986  memset(&pq,0,sizeof(PacketQueueNoLock));\
987  memset(p, 0, SIZE_OF_PACKET);\
988  memset (&f, 0, sizeof(Flow));\
989  memset(&tv, 0, sizeof (ThreadVars));\
990  memset(&tcph, 0, sizeof (TCPHdr));\
991 \
992  FLOW_INITIALIZE(&f);\
993  f.flags = FLOW_IPV4;\
994  f.proto = IPPROTO_TCP;\
995  p->flow = &f;\
996  p->tcph = &tcph;\
997 \
998  StreamTcpInitConfig(TRUE);\
999  IPPairInitConfig(TRUE); \
1000  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
1001 \
1002  /* handshake */\
1003  tcph.th_win = htons(5480);\
1004  tcph.th_flags = TH_SYN;\
1005  p->flowflags = FLOW_PKT_TOSERVER;\
1006  p->payload_len = 0;\
1007  p->payload = NULL;\
1008  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1009  TcpSession *ssn = (TcpSession *)f.protoctx;\
1010 \
1011  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1012  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1013  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1014  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1015  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1016  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1017  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1018  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1019  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1020  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1021  FAIL_IF(ssn->data_first_seen_dir != 0);\
1022 \
1023  /* handshake */\
1024  p->tcph->th_ack = htonl(1);\
1025  p->tcph->th_flags = TH_SYN | TH_ACK;\
1026  p->flowflags = FLOW_PKT_TOCLIENT;\
1027  p->payload_len = 0;\
1028  p->payload = NULL;\
1029  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1030  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1031  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1032  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1033  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1034  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1035  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1036  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1037  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1038  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1039  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1040  FAIL_IF(ssn->data_first_seen_dir != 0);\
1041 \
1042  /* handshake */\
1043  p->tcph->th_ack = htonl(1);\
1044  p->tcph->th_seq = htonl(1);\
1045  p->tcph->th_flags = TH_ACK;\
1046  p->flowflags = FLOW_PKT_TOSERVER;\
1047  p->payload_len = 0;\
1048  p->payload = NULL;\
1049  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1050  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1051  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1052  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1053  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1054  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1055  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1056  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1057  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1058  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1059  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1060  FAIL_IF(ssn->data_first_seen_dir != 0);
1061 #define TEST_END \
1062  StreamTcpSessionClear(p->flow->protoctx);\
1063  StreamTcpThreadDeinit(&tv, (void *)stt); \
1064  StreamTcpFreeConfig(TRUE);\
1065  PACKET_DESTRUCTOR(p);\
1066  SCFree(p);\
1067  FLOW_DESTROY(&f); \
1068  StatsThreadCleanup(&tv);
1069 
1070 /**
1071  * \test GET -> HTTP/1.1
1072  */
1073 static int AppLayerTest01(void)
1074 {
1075  TEST_START;
1076 
1077  /* full request */
1078  uint8_t request[] = {
1079  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1080  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1081  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1082  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1083  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1084  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1085  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1086  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1087  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1088  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1089  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1090  p->tcph->th_ack = htonl(1);
1091  p->tcph->th_seq = htonl(1);
1092  p->tcph->th_flags = TH_PUSH | TH_ACK;
1094  p->payload_len = sizeof(request);
1095  p->payload = request;
1096  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1108 
1109  /* full response - request ack */
1110  uint8_t response[] = {
1111  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1112  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1113  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1114  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1115  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1116  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1117  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1118  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1119  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1120  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1121  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1122  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1123  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1124  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1125  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1126  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1127  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1128  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1129  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1130  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1131  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1132  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1133  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1134  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1135  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1136  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1137  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1138  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1139  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1140  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1141  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1142  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1143  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1144  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1145  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1146  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1147  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1148  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1149  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1150  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1151  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1152  p->tcph->th_ack = htonl(88);
1153  p->tcph->th_seq = htonl(1);
1154  p->tcph->th_flags = TH_PUSH | TH_ACK;
1156  p->payload_len = sizeof(response);
1157  p->payload = response;
1158  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1170 
1171  /* response ack */
1172  p->tcph->th_ack = htonl(328);
1173  p->tcph->th_seq = htonl(88);
1174  p->tcph->th_flags = TH_ACK;
1176  p->payload_len = 0;
1177  p->payload = NULL;
1178  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1190 
1191  TEST_END;
1192  PASS;
1193 }
1194 
1195 /**
1196  * \test GE -> T -> HTTP/1.1
1197  */
1198 static int AppLayerTest02(void)
1199 {
1200  TEST_START;
1201 
1202  /* partial request */
1203  uint8_t request1[] = { 0x47, 0x45, };
1204  p->tcph->th_ack = htonl(1);
1205  p->tcph->th_seq = htonl(1);
1206  p->tcph->th_flags = TH_PUSH | TH_ACK;
1208  p->payload_len = sizeof(request1);
1209  p->payload = request1;
1210  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1222 
1223  /* response ack against partial request */
1224  p->tcph->th_ack = htonl(3);
1225  p->tcph->th_seq = htonl(1);
1226  p->tcph->th_flags = TH_ACK;
1228  p->payload_len = 0;
1229  p->payload = NULL;
1230  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1242 
1243  /* complete partial request */
1244  uint8_t request2[] = {
1245  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1246  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1247  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1248  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1249  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1250  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1251  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1252  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1253  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1254  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1255  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1256  p->tcph->th_ack = htonl(1);
1257  p->tcph->th_seq = htonl(3);
1258  p->tcph->th_flags = TH_PUSH | TH_ACK;
1260  p->payload_len = sizeof(request2);
1261  p->payload = request2;
1262  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1274 
1275  /* response - request ack */
1276  uint8_t response[] = {
1277  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1278  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1279  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1280  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1281  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1282  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1283  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1284  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1285  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1286  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1287  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1288  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1289  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1290  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1291  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1292  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1293  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1294  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1295  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1296  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1297  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1298  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1299  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1300  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1301  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1302  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1303  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1304  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1305  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1306  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1307  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1308  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1309  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1310  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1311  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1312  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1313  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1314  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1315  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1316  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1317  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1318  p->tcph->th_ack = htonl(88);
1319  p->tcph->th_seq = htonl(1);
1320  p->tcph->th_flags = TH_PUSH | TH_ACK;
1322  p->payload_len = sizeof(response);
1323  p->payload = response;
1324  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1336 
1337  /* response ack */
1338  p->tcph->th_ack = htonl(328);
1339  p->tcph->th_seq = htonl(88);
1340  p->tcph->th_flags = TH_ACK;
1342  p->payload_len = 0;
1343  p->payload = NULL;
1344  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1356 
1357  TEST_END;
1358  PASS;
1359 }
1360 
1361 /**
1362  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1363  */
1364 static int AppLayerTest03(void)
1365 {
1366  TEST_START;
1367 
1368  /* request */
1369  uint8_t request[] = {
1370  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1371  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1372  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1373  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1374  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1375  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1376  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1377  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1378  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1379  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1380  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1381  p->tcph->th_ack = htonl(1);
1382  p->tcph->th_seq = htonl(1);
1383  p->tcph->th_flags = TH_PUSH | TH_ACK;
1385  p->payload_len = sizeof(request);
1386  p->payload = request;
1387  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1399 
1400  /* rubbish response */
1401  uint8_t response[] = {
1402  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1403  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1404  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1405  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1406  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1407  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1408  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1409  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1410  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1411  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1412  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1413  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1414  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1415  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1416  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1417  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1418  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1419  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1420  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1421  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1422  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1423  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1424  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1425  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1426  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1427  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1428  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1429  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1430  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1431  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1432  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1433  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1434  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1435  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1436  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1437  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1438  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1439  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1440  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1441  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1442  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1443  p->tcph->th_ack = htonl(88);
1444  p->tcph->th_seq = htonl(1);
1445  p->tcph->th_flags = TH_PUSH | TH_ACK;
1447  p->payload_len = sizeof(response);
1448  p->payload = response;
1449  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1461 
1462  /* response ack */
1463  p->tcph->th_ack = htonl(328);
1464  p->tcph->th_seq = htonl(88);
1465  p->tcph->th_flags = TH_ACK;
1467  p->payload_len = 0;
1468  p->payload = NULL;
1469  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1481 
1482  TEST_END;
1483  PASS;
1484 }
1485 
1486 /**
1487  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1488  */
1489 static int AppLayerTest04(void)
1490 {
1491  TEST_START;
1492 
1493  /* request */
1494  uint8_t request[] = {
1495  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1496  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1497  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1498  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1499  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1500  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1501  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1502  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1503  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1504  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1505  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1506  PrintRawDataFp(stdout, request, sizeof(request));
1507  p->tcph->th_ack = htonl(1);
1508  p->tcph->th_seq = htonl(1);
1509  p->tcph->th_flags = TH_PUSH | TH_ACK;
1511  p->payload_len = sizeof(request);
1512  p->payload = request;
1513  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1524  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1525 
1526  /* partial response */
1527  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1528  PrintRawDataFp(stdout, response1, sizeof(response1));
1529  p->tcph->th_ack = htonl(88);
1530  p->tcph->th_seq = htonl(1);
1531  p->tcph->th_flags = TH_PUSH | TH_ACK;
1533  p->payload_len = sizeof(response1);
1534  p->payload = response1;
1535  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1538  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1539  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1546  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1547 
1548  /* partial response ack */
1549  p->tcph->th_ack = htonl(5);
1550  p->tcph->th_seq = htonl(88);
1551  p->tcph->th_flags = TH_ACK;
1553  p->payload_len = 0;
1554  p->payload = NULL;
1555  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1558  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1559  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1565  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1566  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1567 
1568  /* remaining response */
1569  uint8_t response2[] = {
1570  0x2f, 0x31, 0x2e, 0x31,
1571  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1572  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1573  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1574  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1575  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1576  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1577  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1578  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1579  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1580  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1581  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1582  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1583  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1584  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1585  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1586  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1587  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1588  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1589  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1590  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1591  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1592  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1593  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1594  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1595  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1596  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1597  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1598  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1599  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1600  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1601  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1602  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1603  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1604  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1605  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1606  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1607  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1608  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1609  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1610  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1611  PrintRawDataFp(stdout, response2, sizeof(response2));
1612  p->tcph->th_ack = htonl(88);
1613  p->tcph->th_seq = htonl(5);
1614  p->tcph->th_flags = TH_PUSH | TH_ACK;
1616  p->payload_len = sizeof(response2);
1617  p->payload = response2;
1618  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1621  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1622  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1628  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1629  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1630 
1631  /* response ack */
1632  p->tcph->th_ack = htonl(328);
1633  p->tcph->th_seq = htonl(88);
1634  p->tcph->th_flags = TH_ACK;
1636  p->payload_len = 0;
1637  p->payload = NULL;
1638  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1639  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1641  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1642  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1643  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1648  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1649  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1650 
1651  TEST_END;
1652  PASS;
1653 }
1654 
1655 /**
1656  * \test RUBBISH -> HTTP/1.1
1657  */
1658 static int AppLayerTest05(void)
1659 {
1660  TEST_START;
1661 
1662  /* full request */
1663  uint8_t request[] = {
1664  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1665  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1666  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1667  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1668  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1669  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1670  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1671  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1672  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1673  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1674  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1675  PrintRawDataFp(stdout, request, sizeof(request));
1676  p->tcph->th_ack = htonl(1);
1677  p->tcph->th_seq = htonl(1);
1678  p->tcph->th_flags = TH_PUSH | TH_ACK;
1680  p->payload_len = sizeof(request);
1681  p->payload = request;
1682  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1694 
1695  /* full response - request ack */
1696  uint8_t response[] = {
1697  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1698  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1699  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1700  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1701  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1702  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1703  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1704  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1705  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1706  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1707  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1708  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1709  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1710  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1711  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1712  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1713  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1714  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1715  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1716  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1717  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1718  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1719  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1720  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1721  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1722  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1723  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1724  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1725  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1726  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1727  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1728  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1729  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1730  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1731  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1732  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1733  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1734  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1735  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1736  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1737  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1738  PrintRawDataFp(stdout, response, sizeof(response));
1739  p->tcph->th_ack = htonl(88);
1740  p->tcph->th_seq = htonl(1);
1741  p->tcph->th_flags = TH_PUSH | TH_ACK;
1743  p->payload_len = sizeof(response);
1744  p->payload = response;
1745  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1757 
1758  /* response ack */
1759  p->tcph->th_ack = htonl(328);
1760  p->tcph->th_seq = htonl(88);
1761  p->tcph->th_flags = TH_ACK;
1763  p->payload_len = 0;
1764  p->payload = NULL;
1765  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1777 
1778  TEST_END;
1779  PASS;
1780 }
1781 
1782 /**
1783  * \test HTTP/1.1 -> GET
1784  */
1785 static int AppLayerTest06(void)
1786 {
1787  TEST_START;
1788 
1789  /* full response - request ack */
1790  uint8_t response[] = {
1791  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1792  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1793  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1794  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1795  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1796  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1797  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1798  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1799  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1800  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1801  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1802  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1803  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1804  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1805  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1806  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1807  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1808  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1809  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1810  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1811  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1812  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1813  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1814  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1815  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1816  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1817  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1818  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1819  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1820  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1821  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1822  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1823  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1824  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1825  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1826  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1827  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1828  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1829  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1830  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1831  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1832  p->tcph->th_ack = htonl(1);
1833  p->tcph->th_seq = htonl(1);
1834  p->tcph->th_flags = TH_PUSH | TH_ACK;
1836  p->payload_len = sizeof(response);
1837  p->payload = response;
1838  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1850 
1851  /* full request - response ack*/
1852  uint8_t request[] = {
1853  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1854  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1855  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1856  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1857  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1858  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1859  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1860  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1861  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1862  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1863  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1864  p->tcph->th_ack = htonl(328);
1865  p->tcph->th_seq = htonl(1);
1866  p->tcph->th_flags = TH_PUSH | TH_ACK;
1868  p->payload_len = sizeof(request);
1869  p->payload = request;
1870  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1882 
1883  p->tcph->th_ack = htonl(1 + sizeof(request));
1884  p->tcph->th_seq = htonl(328);
1885  p->tcph->th_flags = TH_PUSH | TH_ACK;
1887  p->payload_len = 0;
1888  p->payload = NULL;
1889  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1901 
1902  TEST_END;
1903  PASS;
1904 }
1905 
1906 /**
1907  * \test GET -> DCERPC
1908  */
1909 static int AppLayerTest07(void)
1910 {
1911  TEST_START;
1912 
1913  /* full request */
1914  uint8_t request[] = {
1915  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1916  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1917  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1918  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1919  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1920  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1921  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1922  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1923  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1924  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1925  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1926  p->tcph->th_ack = htonl(1);
1927  p->tcph->th_seq = htonl(1);
1928  p->tcph->th_flags = TH_PUSH | TH_ACK;
1930  p->payload_len = sizeof(request);
1931  p->payload = request;
1932  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1944 
1945  /* full response - request ack */
1946  uint8_t response[] = {
1947  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1948  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1949  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1950  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1951  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1952  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1953  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1954  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1955  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1956  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1957  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1958  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1959  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1960  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1961  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1962  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1963  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1964  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1965  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1966  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1967  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1968  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1969  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1970  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1971  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1972  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1973  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1974  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1975  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1976  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1977  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1978  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1979  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1980  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1981  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1982  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1983  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1984  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1985  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1986  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1987  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1988  p->tcph->th_ack = htonl(88);
1989  p->tcph->th_seq = htonl(1);
1990  p->tcph->th_flags = TH_PUSH | TH_ACK;
1992  p->payload_len = sizeof(response);
1993  p->payload = response;
1994  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2006 
2007  /* response ack */
2008  p->tcph->th_ack = htonl(328);
2009  p->tcph->th_seq = htonl(88);
2010  p->tcph->th_flags = TH_ACK;
2012  p->payload_len = 0;
2013  p->payload = NULL;
2014  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2026 
2027  TEST_END;
2028  PASS;
2029 }
2030 
2031 /**
2032  * \test SMB -> HTTP/1.1
2033  */
2034 static int AppLayerTest08(void)
2035 {
2036  TEST_START;
2037 
2038  /* full request */
2039  uint8_t request[] = {
2040  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2041  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2042  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2043  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2044  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2045  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2046  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2047  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2048  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2049  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2050  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2051  p->tcph->th_ack = htonl(1);
2052  p->tcph->th_seq = htonl(1);
2053  p->tcph->th_flags = TH_PUSH | TH_ACK;
2055  p->payload_len = sizeof(request);
2056  p->payload = request;
2057  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2069 
2070  /* full response - request ack */
2071  uint8_t response[] = {
2072  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2073  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2074  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2075  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2076  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2077  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2078  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2079  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2080  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2081  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2082  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2083  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2084  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2085  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2086  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2087  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2088  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2089  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2090  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2091  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2092  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2093  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2094  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2095  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2096  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2097  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2098  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2099  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2100  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2101  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2102  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2103  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2104  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2105  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2106  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2107  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2108  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2109  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2110  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2111  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2112  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2113  p->tcph->th_ack = htonl(88);
2114  p->tcph->th_seq = htonl(1);
2115  p->tcph->th_flags = TH_PUSH | TH_ACK;
2117  p->payload_len = sizeof(response);
2118  p->payload = response;
2119  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2131 
2132  /* response ack */
2133  p->tcph->th_ack = htonl(328);
2134  p->tcph->th_seq = htonl(88);
2135  p->tcph->th_flags = TH_ACK;
2137  p->payload_len = 0;
2138  p->payload = NULL;
2139  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2151 
2152  TEST_END;
2153  PASS;
2154 }
2155 
2156 /**
2157  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2158  * RUBBISH(TC - PM and PP DONE) ->
2159  * RUBBISH(TS - PM and PP DONE)
2160  */
2161 static int AppLayerTest09(void)
2162 {
2163  TEST_START;
2164 
2165  /* full request */
2166  uint8_t request1[] = {
2167  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2168  p->tcph->th_ack = htonl(1);
2169  p->tcph->th_seq = htonl(1);
2170  p->tcph->th_flags = TH_PUSH | TH_ACK;
2172  p->payload_len = sizeof(request1);
2173  p->payload = request1;
2174  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2186 
2187  /* response - request ack */
2188  p->tcph->th_ack = htonl(9);
2189  p->tcph->th_seq = htonl(1);
2190  p->tcph->th_flags = TH_PUSH | TH_ACK;
2192  p->payload_len = 0;
2193  p->payload = NULL;
2194  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2206 
2207  /* full request */
2208  uint8_t request2[] = {
2209  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2210  p->tcph->th_ack = htonl(1);
2211  p->tcph->th_seq = htonl(9);
2212  p->tcph->th_flags = TH_PUSH | TH_ACK;
2214  p->payload_len = sizeof(request2);
2215  p->payload = request2;
2216  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2228 
2229  /* full response - request ack */
2230  uint8_t response[] = {
2231  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2232  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2233  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2234  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2235  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2236  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2237  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2238  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2239  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2240  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2241  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2242  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2243  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2244  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2245  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2246  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2247  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2248  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2249  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2250  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2251  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2252  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2253  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2254  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2255  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2256  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2257  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2258  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2259  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2260  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2261  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2262  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2263  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2264  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2265  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2266  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2267  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2268  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2269  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2270  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2271  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2272  p->tcph->th_ack = htonl(18);
2273  p->tcph->th_seq = htonl(1);
2274  p->tcph->th_flags = TH_PUSH | TH_ACK;
2276  p->payload_len = sizeof(response);
2277  p->payload = response;
2278  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2290 
2291  /* response ack */
2292  p->tcph->th_ack = htonl(328);
2293  p->tcph->th_seq = htonl(18);
2294  p->tcph->th_flags = TH_ACK;
2296  p->payload_len = 0;
2297  p->payload = NULL;
2298  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2310 
2311  TEST_END;
2312  PASS;
2313 }
2314 
2315 /**
2316  * \test RUBBISH(TC - PM and PP DONE) ->
2317  * RUBBISH(TS - PM and PP DONE)
2318  */
2319 static int AppLayerTest10(void)
2320 {
2321  TEST_START;
2322 
2323  /* full request */
2324  uint8_t request1[] = {
2325  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2326  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2327  p->tcph->th_ack = htonl(1);
2328  p->tcph->th_seq = htonl(1);
2329  p->tcph->th_flags = TH_PUSH | TH_ACK;
2331  p->payload_len = sizeof(request1);
2332  p->payload = request1;
2333  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2345 
2346  /* response - request ack */
2347  p->tcph->th_ack = htonl(18);
2348  p->tcph->th_seq = htonl(1);
2349  p->tcph->th_flags = TH_PUSH | TH_ACK;
2351  p->payload_len = 0;
2352  p->payload = NULL;
2353  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2365 
2366  /* full response - request ack */
2367  uint8_t response[] = {
2368  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2369  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2370  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2371  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2372  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2373  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2374  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2375  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2376  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2377  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2378  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2379  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2380  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2381  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2382  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2383  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2384  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2385  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2386  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2387  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2388  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2389  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2390  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2391  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2392  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2393  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2394  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2395  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2396  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2397  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2398  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2399  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2400  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2401  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2402  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2403  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2404  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2405  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2406  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2407  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2408  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2409  p->tcph->th_ack = htonl(18);
2410  p->tcph->th_seq = htonl(1);
2411  p->tcph->th_flags = TH_PUSH | TH_ACK;
2413  p->payload_len = sizeof(response);
2414  p->payload = response;
2415  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2427 
2428  /* response ack */
2429  p->tcph->th_ack = htonl(328);
2430  p->tcph->th_seq = htonl(18);
2431  p->tcph->th_flags = TH_ACK;
2433  p->payload_len = 0;
2434  p->payload = NULL;
2435  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2447 
2448  TEST_END;
2449  PASS;
2450 }
2451 
2452 /**
2453  * \test RUBBISH(TC - PM and PP DONE) ->
2454  * RUBBISH(TS - PM and PP NOT DONE) ->
2455  * RUBBISH(TS - PM and PP DONE)
2456  */
2457 static int AppLayerTest11(void)
2458 {
2459  TEST_START;
2460 
2461  /* full request */
2462  uint8_t request1[] = {
2463  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2464  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2465  p->tcph->th_ack = htonl(1);
2466  p->tcph->th_seq = htonl(1);
2467  p->tcph->th_flags = TH_PUSH | TH_ACK;
2469  p->payload_len = sizeof(request1);
2470  p->payload = request1;
2471  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2483 
2484  /* response - request ack */
2485  p->tcph->th_ack = htonl(18);
2486  p->tcph->th_seq = htonl(1);
2487  p->tcph->th_flags = TH_PUSH | TH_ACK;
2489  p->payload_len = 0;
2490  p->payload = NULL;
2491  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2503 
2504  /* full response - request ack */
2505  uint8_t response1[] = {
2506  0x55, 0x74, 0x54, 0x50, };
2507  p->tcph->th_ack = htonl(18);
2508  p->tcph->th_seq = htonl(1);
2509  p->tcph->th_flags = TH_PUSH | TH_ACK;
2511  p->payload_len = sizeof(response1);
2512  p->payload = response1;
2513  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2525 
2526  /* response ack from request */
2527  p->tcph->th_ack = htonl(5);
2528  p->tcph->th_seq = htonl(18);
2529  p->tcph->th_flags = TH_ACK;
2531  p->payload_len = 0;
2532  p->payload = NULL;
2533  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2545 
2546  uint8_t response2[] = {
2547  0x2f, 0x31, 0x2e, 0x31,
2548  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2549  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2550  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2551  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2552  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2553  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2554  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2555  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2556  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2557  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2558  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2559  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2560  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2561  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2562  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2563  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2564  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2565  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2566  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2567  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2568  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2569  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2570  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2571  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2572  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2573  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2574  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2575  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2576  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2577  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2578  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2579  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2580  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2581  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2582  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2583  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2584  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2585  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2586  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2587  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2588  p->tcph->th_ack = htonl(18);
2589  p->tcph->th_seq = htonl(5);
2590  p->tcph->th_flags = TH_PUSH | TH_ACK;
2592  p->payload_len = sizeof(response2);
2593  p->payload = response2;
2594  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2606 
2607  /* response ack from request */
2608  p->tcph->th_ack = htonl(328);
2609  p->tcph->th_seq = htonl(18);
2610  p->tcph->th_flags = TH_ACK;
2612  p->payload_len = 0;
2613  p->payload = NULL;
2614  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2626 
2627  TEST_END;
2628  PASS;
2629 }
2630 
2632 {
2633  SCEnter();
2634 
2635  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2636  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2637  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2638  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2639  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2640  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2641  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2642  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2643  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2644  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2645  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2646 
2647  SCReturn;
2648 }
2649 
2650 #endif /* UNITTESTS */
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:80
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:274
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:243
TcpStream_
Definition: stream-tcp-private.h:94
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:47
AppLayerCounters_
Definition: app-layer.c:79
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:141
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1765
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:141
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:81
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:87
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:564
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1003
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:873
Flow_::proto
uint8_t proto
Definition: flow.h:361
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:71
Packet_::payload
uint8_t * payload
Definition: decode.h:543
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6259
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:446
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:48
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:343
Flow_::protomap
uint8_t protomap
Definition: flow.h:420
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1076
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:188
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:280
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:936
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:431
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:169
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:868
AppLayerCounterNames_
Definition: app-layer.c:74
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:143
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:5854
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2631
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:783
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:890
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:66
Flow_::protoctx
void * protoctx
Definition: flow.h:416
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:76
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:544
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:570
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:769
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:269
STREAM_START
#define STREAM_START
Definition: stream.h:29
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:818
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1111
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:73
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:158
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:265
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1548
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:803
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1118
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:49
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
util-debug.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:570
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:266
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:880
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:443
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:50
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:830
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:4763
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:889
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1870
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:262
TEST_START
#define TEST_START
Definition: app-layer.c:978
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:51
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:219
SCReturn
#define SCReturn
Definition: util-debug.h:302
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:273
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:278
Packet_
Definition: decode.h:411
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:79
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:698
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:276
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:175
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:434
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1171
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:336
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:275
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:525
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1796
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:162
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1112
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1419
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:305
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2068
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1955
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2046
str
#define str(s)
Definition: suricata-common.h:273
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:401
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:426
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6265
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:852
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186
Flow_::flags
uint32_t flags
Definition: flow.h:396
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:776
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:112
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:61
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:243
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:187
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:200
TEST_END
#define TEST_END
Definition: app-layer.c:1061
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2009
likely
#define likely(expr)
Definition: util-optimize.h:32
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:198
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:85
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:75
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:256
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1491
TcpSession_
Definition: stream-tcp-private.h:260
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:265
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:427
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1567
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:945
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:52
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:963
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:213
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2063
app-layer.h