suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
84 
85 /* counter names. Only used at init. */
87 /* counter id's. Used that runtime. */
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
134  } else {
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
140  } else {
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
147  } else {
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
159  TcpSession *ssn = f->protoctx;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
219  size_ts > 100000 && size_tc == 0)
220  {
223  goto failure;
224 
226  size_tc > 100000 && size_ts == 0)
227  {
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
238  {
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
249  {
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
260  {
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
326  bool reverse_flow = false;
328  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
329  f, data, data_len,
330  IPPROTO_TCP, flags, &reverse_flow);
331  PACKET_PROFILING_APP_PD_END(app_tctx);
332  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
333 
334  if (*alproto != ALPROTO_UNKNOWN) {
335  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
338 
340  /* if we already invoked the parser, we go with that proto */
341  f->alproto = *alproto_otherdir;
342  } else {
343  /* no data sent to parser yet, we can still choose
344  * we're trusting the server more. */
345  if (flags & STREAM_TOCLIENT)
346  f->alproto = *alproto;
347  else
348  f->alproto = *alproto_otherdir;
349  }
350  } else {
351  f->alproto = *alproto;
352  }
353 
357  FlagPacketFlow(p, f, flags);
358  /* if protocol detection indicated that we need to reverse
359  * the direction of the flow, do it now. We flip the flow,
360  * packet and the direction flags */
361  if (reverse_flow) {
362  SCLogDebug("reversing flow after proto detect told us so");
363  PacketSwap(p);
364  FlowSwap(f);
365  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
366  }
367 
368  /* account flow if we have both sides */
369  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
370  AppLayerIncFlowCounter(tv, f);
371  }
372 
373  /* if we have seen data from the other direction first, send
374  * data for that direction first to the parser. This shouldn't
375  * be an issue, since each stream processing happens
376  * independently of the other stream direction. At this point of
377  * call, you need to know that this function's already being
378  * called by the very same StreamReassembly() function that we
379  * will now call shortly for the opposing direction. */
380  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
381  !(flags & ssn->data_first_seen_dir))
382  {
383  SCLogDebug("protocol %s needs first data in other direction",
384  AppProtoToString(*alproto));
385 
386  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
387  p, ssn, stream) != 0)
388  {
389  DisableAppLayer(tv, f, p);
390  goto failure;
391  }
392  }
393 
394  /* if the parser operates such that it needs to see data from
395  * a particular direction first, we check if we have seen
396  * data from that direction first for the flow. IF it is not
397  * the same, we set an event and exit.
398  *
399  * \todo We need to figure out a more robust solution for this,
400  * as this can lead to easy evasion tactics, where the
401  * attackeer can first send some dummy data in the wrong
402  * direction first to mislead our proto detection process.
403  * While doing this we need to update the parsers as well,
404  * since the parsers must be robust to see such wrong
405  * direction data.
406  * Either ways the moment we see the
407  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
408  * flow, it shows something's fishy.
409  */
411  uint8_t first_data_dir;
412  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
413 
414  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
417  DisableAppLayer(tv, f, p);
418  goto failure;
419  }
420  /* This can happen if the current direction is not the
421  * right direction, and the data from the other(also
422  * the right direction) direction is available to be sent
423  * to the app layer, but it is not ack'ed yet and hence
424  * the forced call to STreamTcpAppLayerReassemble still
425  * hasn't managed to send data from the other direction
426  * to the app layer. */
427  if (first_data_dir && !(first_data_dir & flags)) {
430  FLOW_RESET_PP_DONE(f, flags);
431  FLOW_RESET_PM_DONE(f, flags);
432  FLOW_RESET_PE_DONE(f, flags);
433  goto failure;
434  }
435  }
436 
437  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
439 
440  /* finally, invoke the parser */
441  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
442  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
443  flags, data, data_len);
444  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
445  if (r < 0)
446  goto failure;
447 
448  } else {
449  /* if the ssn is midstream, we may end up with a case where the
450  * start of an HTTP request is missing. We won't detect HTTP based
451  * on the request. However, the reply is fine, so we detect
452  * HTTP anyway. This leads to passing the incomplete request to
453  * the htp parser.
454  *
455  * This has been observed, where the http parser then saw many
456  * bogus requests in the incomplete data.
457  *
458  * To counter this case, a midstream session MUST find it's
459  * protocol in the toserver direction. If not, we assume the
460  * start of the request/toserver is incomplete and no reliable
461  * detection and parsing is possible. So we give up.
462  */
463  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
465  {
466  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
467  SCLogDebug("midstream end pd %p", ssn);
468  /* midstream and toserver detection failed: give up */
469  DisableAppLayer(tv, f, p);
470  goto end;
471  }
472  }
473 
474  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
475  uint8_t first_data_dir;
476  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
477 
478  /* this would handle this test case -
479  * http parser which says it wants to see toserver data first only.
480  * tcp handshake
481  * toclient data first received. - RUBBISH DATA which
482  * we don't detect as http
483  * toserver data next sent - we detect this as http.
484  * at this stage we see that toclient is the first data seen
485  * for this session and we try and redetect the app protocol,
486  * but we are unable to detect the app protocol like before.
487  * But since we have managed to detect the protocol for the
488  * other direction as http, we try to use that. At this
489  * stage we check if the direction of this stream matches
490  * to that acceptable by the app parser. If it is not the
491  * acceptable direction we error out.
492  */
494  (first_data_dir) && !(first_data_dir & flags))
495  {
496  DisableAppLayer(tv, f, p);
497  goto failure;
498  }
499 
500  /* if protocol detection is marked done for our direction we
501  * pass our data on. We're only succeeded in finding one
502  * direction: the opposing stream
503  *
504  * If PD was not yet complete, we don't do anything.
505  */
506  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
507  if (data_len > 0)
509 
510  if (*alproto_otherdir != ALPROTO_FAILED) {
511  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
512  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
513  f->alproto, flags,
514  data, data_len);
515  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
516 
521 
522  *alproto = *alproto_otherdir;
523  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
524  p->pcap_cnt, *alproto, *alproto_otherdir, r);
525  if (r < 0)
526  goto failure;
527  }
528  *alproto = ALPROTO_FAILED;
530  AppLayerIncFlowCounter(tv, f);
531  FlagPacketFlow(p, f, flags);
532 
533  }
534  } else {
535  /* both sides unknown, let's see if we need to give up */
536  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
537  }
538  }
539 end:
540  return 0;
541 
542 failure:
543  return -1;
544 }
545 
546 /** \brief handle TCP data for the app-layer.
547  *
548  * First run protocol detection and then when the protocol is known invoke
549  * the app layer parser.
550  */
552  Packet *p, Flow *f,
553  TcpSession *ssn, TcpStream *stream,
554  uint8_t *data, uint32_t data_len,
555  uint8_t flags)
556 {
557  SCEnter();
558 
560 
561  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
563  int r = 0;
564 
565  SCLogDebug("data_len %u flags %02X", data_len, flags);
567  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
568  goto end;
569  }
570 
571  if (flags & STREAM_TOSERVER) {
572  alproto = f->alproto_ts;
573  } else {
574  alproto = f->alproto_tc;
575  }
576 
577  /* If a gap notification, relay the notification on to the
578  * app-layer if known. */
579  if (flags & STREAM_GAP) {
580  if (alproto == ALPROTO_UNKNOWN) {
582  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
583  /* if the other side didn't already find the proto, we're done */
584  if (f->alproto == ALPROTO_UNKNOWN)
585  goto end;
586 
587  }
588  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
589  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
590  flags, data, data_len);
591  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
592  goto end;
593  }
594 
595  /* if we don't know the proto yet and we have received a stream
596  * initializer message, we run proto detection.
597  * We receive 2 stream init msgs (one for each direction) but we
598  * only run the proto detection once. */
599  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
600  /* run protocol detection */
601  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
602  data, data_len, flags) != 0) {
603  goto failure;
604  }
605  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
606  f->alproto_orig = f->alproto;
607  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
609  /* rerun protocol detection */
610  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
611  data, data_len, flags) != 0) {
612  SCLogDebug("proto detect failure");
613  goto failure;
614  }
615  SCLogDebug("protocol change, old %s, new %s",
617 
618  if (f->alproto_expect != ALPROTO_UNKNOWN &&
619  f->alproto != f->alproto_expect)
620  {
623 
624  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
627 
628  }
629  }
630  } else {
631  SCLogDebug("stream data (len %" PRIu32 " alproto "
632  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
633 #ifdef PRINT
634  if (data_len > 0) {
635  printf("=> Stream Data (app layer) -- start %s%s\n",
636  flags & STREAM_TOCLIENT ? "toclient" : "",
637  flags & STREAM_TOSERVER ? "toserver" : "");
638  PrintRawDataFp(stdout, data, data_len);
639  printf("=> Stream Data -- end\n");
640  }
641 #endif
642  /* if we don't have a data object here we are not getting it
643  * a start msg should have gotten us one */
644  if (f->alproto != ALPROTO_UNKNOWN) {
645  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
646  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
647  flags, data, data_len);
648  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
649  }
650  }
651 
652  goto end;
653  failure:
654  r = -1;
655  end:
656  SCReturnInt(r);
657 }
658 
659 /**
660  * \brief Handle a app layer UDP message
661  *
662  * If the protocol is yet unknown, the proto detection code is run first.
663  *
664  * \param dp_ctx Thread app layer detect context
665  * \param f *locked* flow
666  * \param p UDP packet
667  *
668  * \retval 0 ok
669  * \retval -1 error
670  */
672 {
673  SCEnter();
674 
675  if (f->alproto == ALPROTO_FAILED) {
676  SCReturnInt(0);
677  }
678 
679  int r = 0;
680  uint8_t flags = 0;
681  if (p->flowflags & FLOW_PKT_TOSERVER) {
682  flags |= STREAM_TOSERVER;
683  } else {
684  flags |= STREAM_TOCLIENT;
685  }
686 
687  AppLayerProfilingReset(tctx);
688 
689  /* if the protocol is still unknown, run detection */
690  if (f->alproto == ALPROTO_UNKNOWN) {
691  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
692  p->payload_len);
693 
694  bool reverse_flow = false;
697  f, p->payload, p->payload_len,
698  IPPROTO_UDP, flags, &reverse_flow);
700 
701  if (f->alproto != ALPROTO_UNKNOWN) {
702  AppLayerIncFlowCounter(tv, f);
703 
704  if (reverse_flow) {
705  SCLogDebug("reversing flow after proto detect told us so");
706  PacketSwap(p);
707  FlowSwap(f);
709  }
710 
712  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
713  flags, p->payload, p->payload_len);
715  } else {
716  f->alproto = ALPROTO_FAILED;
717  AppLayerIncFlowCounter(tv, f);
718  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
719  }
721  /* we do only inspection in one direction, so flag both
722  * sides as done here */
723  FlagPacketFlow(p, f, STREAM_TOSERVER);
724  FlagPacketFlow(p, f, STREAM_TOCLIENT);
725  } else {
726  SCLogDebug("data (len %" PRIu32 " ), alproto "
727  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
728 
729  /* run the parser */
731  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
732  flags, p->payload, p->payload_len);
735  }
736 
737  SCReturnInt(r);
738 }
739 
740 /***** Utility *****/
741 
742 AppProto AppLayerGetProtoByName(char *alproto_name)
743 {
744  SCEnter();
746  SCReturnCT(r, "AppProto");
747 }
748 
750 {
751  SCEnter();
752  const char * r = AppLayerProtoDetectGetProtoName(alproto);
753  SCReturnCT(r, "char *");
754 }
755 
757 {
758  SCEnter();
759 
761  AppProto alprotos[ALPROTO_MAX];
762 
764 
765  printf("=========Supported App Layer Protocols=========\n");
766  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
767  if (alprotos[alproto] == 1)
768  printf("%s\n", AppLayerGetProtoName(alproto));
769  }
770 
771  SCReturn;
772 }
773 
774 /***** Setup/General Registration *****/
775 
776 int AppLayerSetup(void)
777 {
778  SCEnter();
779 
782 
785 
787 
788  SCReturnInt(0);
789 }
790 
792 {
793  SCEnter();
794 
797 
799 
800  SCReturnInt(0);
801 }
802 
804 {
805  SCEnter();
806 
807  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
808  if (app_tctx == NULL)
809  goto error;
810  memset(app_tctx, 0, sizeof(*app_tctx));
811 
812  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
813  goto error;
814  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
815  goto error;
816 
817  goto done;
818  error:
819  AppLayerDestroyCtxThread(app_tctx);
820  app_tctx = NULL;
821  done:
822  SCReturnPtr(app_tctx, "void *");
823 }
824 
826 {
827  SCEnter();
828 
829  if (app_tctx == NULL)
830  SCReturn;
831 
832  if (app_tctx->alpd_tctx != NULL)
834  if (app_tctx->alp_tctx != NULL)
836  SCFree(app_tctx);
837 
838  SCReturn;
839 }
840 
842 {
843  PACKET_PROFILING_APP_RESET(app_tctx);
844 }
845 
847 {
848  PACKET_PROFILING_APP_STORE(app_tctx, p);
849 }
850 
851 /** \brief HACK to work around our broken unix manager (re)init loop
852  */
854 {
859  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
860 }
861 
862 #define IPPROTOS_MAX 2
864 {
865  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
866  uint8_t ipproto;
868  AppProto alprotos[ALPROTO_MAX];
869  const char *str = "app_layer.flow.";
870 
872 
873  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
874  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
875  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
876  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
877 
878  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
879  if (alprotos[alproto] == 1) {
880  const char *tx_str = "app_layer.tx.";
881  const char *alproto_str = AppLayerGetProtoName(alproto);
882 
883  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
884  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
885  {
886  snprintf(applayer_counter_names[ipproto_map][alproto].name,
887  sizeof(applayer_counter_names[ipproto_map][alproto].name),
888  "%s%s%s", str, alproto_str, ipproto_suffix);
889  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
890  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
891  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
892  } else {
893  snprintf(applayer_counter_names[ipproto_map][alproto].name,
894  sizeof(applayer_counter_names[ipproto_map][alproto].name),
895  "%s%s", str, alproto_str);
896  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
897  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
898  "%s%s", tx_str, alproto_str);
899  }
900  } else if (alproto == ALPROTO_FAILED) {
901  snprintf(applayer_counter_names[ipproto_map][alproto].name,
902  sizeof(applayer_counter_names[ipproto_map][alproto].name),
903  "%s%s%s", str, "failed", ipproto_suffix);
904  }
905  }
906  }
907 }
908 
910 {
911  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
912  uint8_t ipproto;
914  AppProto alprotos[ALPROTO_MAX];
915 
917 
918  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
919  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
920 
921  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
922  if (alprotos[alproto] == 1) {
923  applayer_counters[ipproto_map][alproto].counter_id =
924  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
925 
926  applayer_counters[ipproto_map][alproto].counter_tx_id =
927  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
928  } else if (alproto == ALPROTO_FAILED) {
929  applayer_counters[ipproto_map][alproto].counter_id =
930  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
931  }
932  }
933  }
934 }
935 
937 {
938  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
939  memset(applayer_counters, 0, sizeof(applayer_counters));
940 }
941 
942 /***** Unittests *****/
943 
944 #ifdef UNITTESTS
945 #include "pkt-var.h"
946 #include "stream-tcp.h"
947 #include "stream-tcp-util.h"
948 #include "stream.h"
949 #include "util-unittest.h"
950 
951 #define TEST_START \
952  Packet *p = SCMalloc(SIZE_OF_PACKET);\
953  FAIL_IF_NULL(p);\
954  Flow f;\
955  ThreadVars tv;\
956  StreamTcpThread *stt = NULL;\
957  TCPHdr tcph;\
958  PacketQueue pq;\
959  memset(&pq,0,sizeof(PacketQueue));\
960  memset(p, 0, SIZE_OF_PACKET);\
961  memset (&f, 0, sizeof(Flow));\
962  memset(&tv, 0, sizeof (ThreadVars));\
963  memset(&tcph, 0, sizeof (TCPHdr));\
964 \
965  FLOW_INITIALIZE(&f);\
966  f.flags = FLOW_IPV4;\
967  f.proto = IPPROTO_TCP;\
968  p->flow = &f;\
969  p->tcph = &tcph;\
970 \
971  StreamTcpInitConfig(TRUE);\
972  IPPairInitConfig(TRUE); \
973  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
974 \
975  /* handshake */\
976  tcph.th_win = htons(5480);\
977  tcph.th_flags = TH_SYN;\
978  p->flowflags = FLOW_PKT_TOSERVER;\
979  p->payload_len = 0;\
980  p->payload = NULL;\
981  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
982  TcpSession *ssn = (TcpSession *)f.protoctx;\
983 \
984  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
985  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
986  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
987  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
988  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
989  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
990  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
991  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
992  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
993  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
994  FAIL_IF(ssn->data_first_seen_dir != 0);\
995 \
996  /* handshake */\
997  p->tcph->th_ack = htonl(1);\
998  p->tcph->th_flags = TH_SYN | TH_ACK;\
999  p->flowflags = FLOW_PKT_TOCLIENT;\
1000  p->payload_len = 0;\
1001  p->payload = NULL;\
1002  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1003  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1004  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1005  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1006  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1007  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1008  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1009  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1010  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1011  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1012  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1013  FAIL_IF(ssn->data_first_seen_dir != 0);\
1014 \
1015  /* handshake */\
1016  p->tcph->th_ack = htonl(1);\
1017  p->tcph->th_seq = htonl(1);\
1018  p->tcph->th_flags = TH_ACK;\
1019  p->flowflags = FLOW_PKT_TOSERVER;\
1020  p->payload_len = 0;\
1021  p->payload = NULL;\
1022  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1023  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1024  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1025  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1026  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1027  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1028  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1029  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1030  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1031  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1032  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1033  FAIL_IF(ssn->data_first_seen_dir != 0);
1034 #define TEST_END \
1035  StreamTcpSessionClear(p->flow->protoctx);\
1036  StreamTcpThreadDeinit(&tv, (void *)stt); \
1037  StreamTcpFreeConfig(TRUE);\
1038  PACKET_DESTRUCTOR(p);\
1039  SCFree(p);\
1040  FLOW_DESTROY(&f); \
1041  StatsThreadCleanup(&tv);
1042 
1043 /**
1044  * \test GET -> HTTP/1.1
1045  */
1046 static int AppLayerTest01(void)
1047 {
1048  TEST_START;
1049 
1050  /* full request */
1051  uint8_t request[] = {
1052  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1053  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1054  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1055  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1056  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1057  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1058  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1059  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1060  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1061  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1062  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1063  p->tcph->th_ack = htonl(1);
1064  p->tcph->th_seq = htonl(1);
1065  p->tcph->th_flags = TH_PUSH | TH_ACK;
1067  p->payload_len = sizeof(request);
1068  p->payload = request;
1069  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1081 
1082  /* full response - request ack */
1083  uint8_t response[] = {
1084  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1085  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1086  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1087  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1088  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1089  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1090  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1091  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1092  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1093  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1094  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1095  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1096  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1097  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1098  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1099  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1100  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1101  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1102  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1103  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1104  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1105  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1106  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1107  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1108  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1109  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1110  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1111  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1112  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1113  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1114  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1115  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1116  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1117  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1118  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1119  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1120  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1121  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1122  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1123  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1124  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1125  p->tcph->th_ack = htonl(88);
1126  p->tcph->th_seq = htonl(1);
1127  p->tcph->th_flags = TH_PUSH | TH_ACK;
1129  p->payload_len = sizeof(response);
1130  p->payload = response;
1131  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1143 
1144  /* response ack */
1145  p->tcph->th_ack = htonl(328);
1146  p->tcph->th_seq = htonl(88);
1147  p->tcph->th_flags = TH_ACK;
1149  p->payload_len = 0;
1150  p->payload = NULL;
1151  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1163 
1164  TEST_END;
1165  PASS;
1166 }
1167 
1168 /**
1169  * \test GE -> T -> HTTP/1.1
1170  */
1171 static int AppLayerTest02(void)
1172 {
1173  TEST_START;
1174 
1175  /* partial request */
1176  uint8_t request1[] = { 0x47, 0x45, };
1177  p->tcph->th_ack = htonl(1);
1178  p->tcph->th_seq = htonl(1);
1179  p->tcph->th_flags = TH_PUSH | TH_ACK;
1181  p->payload_len = sizeof(request1);
1182  p->payload = request1;
1183  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1195 
1196  /* response ack against partial request */
1197  p->tcph->th_ack = htonl(3);
1198  p->tcph->th_seq = htonl(1);
1199  p->tcph->th_flags = TH_ACK;
1201  p->payload_len = 0;
1202  p->payload = NULL;
1203  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1215 
1216  /* complete partial request */
1217  uint8_t request2[] = {
1218  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1219  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1220  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1221  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1222  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1223  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1224  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1225  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1226  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1227  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1228  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1229  p->tcph->th_ack = htonl(1);
1230  p->tcph->th_seq = htonl(3);
1231  p->tcph->th_flags = TH_PUSH | TH_ACK;
1233  p->payload_len = sizeof(request2);
1234  p->payload = request2;
1235  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1247 
1248  /* response - request ack */
1249  uint8_t response[] = {
1250  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1251  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1252  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1253  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1254  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1255  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1256  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1257  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1258  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1259  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1260  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1261  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1262  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1263  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1264  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1265  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1266  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1267  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1268  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1269  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1270  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1271  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1272  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1273  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1274  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1275  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1276  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1277  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1278  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1279  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1280  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1281  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1282  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1283  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1284  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1285  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1286  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1287  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1288  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1289  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1290  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1291  p->tcph->th_ack = htonl(88);
1292  p->tcph->th_seq = htonl(1);
1293  p->tcph->th_flags = TH_PUSH | TH_ACK;
1295  p->payload_len = sizeof(response);
1296  p->payload = response;
1297  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1309 
1310  /* response ack */
1311  p->tcph->th_ack = htonl(328);
1312  p->tcph->th_seq = htonl(88);
1313  p->tcph->th_flags = TH_ACK;
1315  p->payload_len = 0;
1316  p->payload = NULL;
1317  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1329 
1330  TEST_END;
1331  PASS;
1332 }
1333 
1334 /**
1335  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1336  */
1337 static int AppLayerTest03(void)
1338 {
1339  TEST_START;
1340 
1341  /* request */
1342  uint8_t request[] = {
1343  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1344  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1345  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1346  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1347  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1348  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1349  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1350  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1351  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1352  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1353  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1354  p->tcph->th_ack = htonl(1);
1355  p->tcph->th_seq = htonl(1);
1356  p->tcph->th_flags = TH_PUSH | TH_ACK;
1358  p->payload_len = sizeof(request);
1359  p->payload = request;
1360  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1372 
1373  /* rubbish response */
1374  uint8_t response[] = {
1375  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1376  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1377  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1378  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1379  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1380  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1381  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1382  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1383  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1384  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1385  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1386  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1387  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1388  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1389  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1390  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1391  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1392  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1393  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1394  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1395  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1396  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1397  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1398  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1399  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1400  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1401  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1402  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1403  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1404  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1405  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1406  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1407  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1408  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1409  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1410  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1411  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1412  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1413  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1414  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1415  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1416  p->tcph->th_ack = htonl(88);
1417  p->tcph->th_seq = htonl(1);
1418  p->tcph->th_flags = TH_PUSH | TH_ACK;
1420  p->payload_len = sizeof(response);
1421  p->payload = response;
1422  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1434 
1435  /* response ack */
1436  p->tcph->th_ack = htonl(328);
1437  p->tcph->th_seq = htonl(88);
1438  p->tcph->th_flags = TH_ACK;
1440  p->payload_len = 0;
1441  p->payload = NULL;
1442  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1454 
1455  TEST_END;
1456  PASS;
1457 }
1458 
1459 /**
1460  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1461  */
1462 static int AppLayerTest04(void)
1463 {
1464  TEST_START;
1465 
1466  /* request */
1467  uint8_t request[] = {
1468  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1469  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1470  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1471  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1472  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1473  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1474  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1475  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1476  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1477  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1478  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1479  PrintRawDataFp(stdout, request, sizeof(request));
1480  p->tcph->th_ack = htonl(1);
1481  p->tcph->th_seq = htonl(1);
1482  p->tcph->th_flags = TH_PUSH | TH_ACK;
1484  p->payload_len = sizeof(request);
1485  p->payload = request;
1486  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1497  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1498 
1499  /* partial response */
1500  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1501  PrintRawDataFp(stdout, response1, sizeof(response1));
1502  p->tcph->th_ack = htonl(88);
1503  p->tcph->th_seq = htonl(1);
1504  p->tcph->th_flags = TH_PUSH | TH_ACK;
1506  p->payload_len = sizeof(response1);
1507  p->payload = response1;
1508  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1511  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1512  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1519  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1520 
1521  /* partial response ack */
1522  p->tcph->th_ack = htonl(5);
1523  p->tcph->th_seq = htonl(88);
1524  p->tcph->th_flags = TH_ACK;
1526  p->payload_len = 0;
1527  p->payload = NULL;
1528  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1531  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1532  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1538  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1539  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1540 
1541  /* remaining response */
1542  uint8_t response2[] = {
1543  0x2f, 0x31, 0x2e, 0x31,
1544  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1545  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1546  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1547  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1548  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1549  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1550  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1551  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1552  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1553  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1554  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1555  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1556  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1557  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1558  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1559  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1560  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1561  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1562  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1563  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1564  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1565  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1566  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1567  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1568  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1569  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1570  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1571  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1572  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1573  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1574  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1575  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1576  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1577  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1578  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1579  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1580  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1581  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1582  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1583  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1584  PrintRawDataFp(stdout, response2, sizeof(response2));
1585  p->tcph->th_ack = htonl(88);
1586  p->tcph->th_seq = htonl(5);
1587  p->tcph->th_flags = TH_PUSH | TH_ACK;
1589  p->payload_len = sizeof(response2);
1590  p->payload = response2;
1591  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1594  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1595  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1601  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1602  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1603 
1604  /* response ack */
1605  p->tcph->th_ack = htonl(328);
1606  p->tcph->th_seq = htonl(88);
1607  p->tcph->th_flags = TH_ACK;
1609  p->payload_len = 0;
1610  p->payload = NULL;
1611  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1612  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1614  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1615  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1616  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1621  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1622  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1623 
1624  TEST_END;
1625  PASS;
1626 }
1627 
1628 /**
1629  * \test RUBBISH -> HTTP/1.1
1630  */
1631 static int AppLayerTest05(void)
1632 {
1633  TEST_START;
1634 
1635  /* full request */
1636  uint8_t request[] = {
1637  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1638  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1639  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1640  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1641  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1642  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1643  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1644  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1645  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1646  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1647  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1648  PrintRawDataFp(stdout, request, sizeof(request));
1649  p->tcph->th_ack = htonl(1);
1650  p->tcph->th_seq = htonl(1);
1651  p->tcph->th_flags = TH_PUSH | TH_ACK;
1653  p->payload_len = sizeof(request);
1654  p->payload = request;
1655  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1667 
1668  /* full response - request ack */
1669  uint8_t response[] = {
1670  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1671  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1672  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1673  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1674  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1675  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1676  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1677  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1678  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1679  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1680  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1681  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1682  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1683  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1684  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1685  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1686  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1687  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1688  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1689  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1690  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1691  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1692  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1693  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1694  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1695  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1696  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1697  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1698  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1699  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1700  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1701  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1702  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1703  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1704  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1705  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1706  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1707  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1708  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1709  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1710  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1711  PrintRawDataFp(stdout, response, sizeof(response));
1712  p->tcph->th_ack = htonl(88);
1713  p->tcph->th_seq = htonl(1);
1714  p->tcph->th_flags = TH_PUSH | TH_ACK;
1716  p->payload_len = sizeof(response);
1717  p->payload = response;
1718  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1730 
1731  /* response ack */
1732  p->tcph->th_ack = htonl(328);
1733  p->tcph->th_seq = htonl(88);
1734  p->tcph->th_flags = TH_ACK;
1736  p->payload_len = 0;
1737  p->payload = NULL;
1738  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1750 
1751  TEST_END;
1752  PASS;
1753 }
1754 
1755 /**
1756  * \test HTTP/1.1 -> GET
1757  */
1758 static int AppLayerTest06(void)
1759 {
1760  TEST_START;
1761 
1762  /* full response - request ack */
1763  uint8_t response[] = {
1764  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1765  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1766  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1767  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1768  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1769  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1770  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1771  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1772  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1773  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1774  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1775  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1776  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1777  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1778  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1779  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1780  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1781  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1782  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1783  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1784  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1785  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1786  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1787  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1788  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1789  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1790  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1791  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1792  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1793  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1794  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1795  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1796  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1797  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1798  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1799  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1800  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1801  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1802  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1803  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1804  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1805  p->tcph->th_ack = htonl(1);
1806  p->tcph->th_seq = htonl(1);
1807  p->tcph->th_flags = TH_PUSH | TH_ACK;
1809  p->payload_len = sizeof(response);
1810  p->payload = response;
1811  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1823 
1824  /* full request - response ack*/
1825  uint8_t request[] = {
1826  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1827  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1828  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1829  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1830  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1831  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1832  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1833  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1834  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1835  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1836  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1837  p->tcph->th_ack = htonl(328);
1838  p->tcph->th_seq = htonl(1);
1839  p->tcph->th_flags = TH_PUSH | TH_ACK;
1841  p->payload_len = sizeof(request);
1842  p->payload = request;
1843  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1855 
1856  p->tcph->th_ack = htonl(1 + sizeof(request));
1857  p->tcph->th_seq = htonl(328);
1858  p->tcph->th_flags = TH_PUSH | TH_ACK;
1860  p->payload_len = 0;
1861  p->payload = NULL;
1862  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1874 
1875  TEST_END;
1876  PASS;
1877 }
1878 
1879 /**
1880  * \test GET -> DCERPC
1881  */
1882 static int AppLayerTest07(void)
1883 {
1884  TEST_START;
1885 
1886  /* full request */
1887  uint8_t request[] = {
1888  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1889  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1890  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1891  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1892  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1893  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1894  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1895  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1896  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1897  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1898  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1899  p->tcph->th_ack = htonl(1);
1900  p->tcph->th_seq = htonl(1);
1901  p->tcph->th_flags = TH_PUSH | TH_ACK;
1903  p->payload_len = sizeof(request);
1904  p->payload = request;
1905  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1917 
1918  /* full response - request ack */
1919  uint8_t response[] = {
1920  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1921  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1922  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1923  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1924  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1925  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1926  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1927  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1928  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1929  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1930  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1931  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1932  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1933  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1934  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1935  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1936  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1937  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1938  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1939  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1940  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1941  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1942  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1943  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1944  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1945  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1946  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1947  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1948  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1949  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1950  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1951  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1952  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1953  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1954  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1955  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1956  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1957  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1958  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1959  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1960  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1961  p->tcph->th_ack = htonl(88);
1962  p->tcph->th_seq = htonl(1);
1963  p->tcph->th_flags = TH_PUSH | TH_ACK;
1965  p->payload_len = sizeof(response);
1966  p->payload = response;
1967  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1979 
1980  /* response ack */
1981  p->tcph->th_ack = htonl(328);
1982  p->tcph->th_seq = htonl(88);
1983  p->tcph->th_flags = TH_ACK;
1985  p->payload_len = 0;
1986  p->payload = NULL;
1987  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1999 
2000  TEST_END;
2001  PASS;
2002 }
2003 
2004 /**
2005  * \test SMB -> HTTP/1.1
2006  */
2007 static int AppLayerTest08(void)
2008 {
2009  TEST_START;
2010 
2011  /* full request */
2012  uint8_t request[] = {
2013  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2014  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2015  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2016  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2017  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2018  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2019  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2020  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2021  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2022  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2023  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2024  p->tcph->th_ack = htonl(1);
2025  p->tcph->th_seq = htonl(1);
2026  p->tcph->th_flags = TH_PUSH | TH_ACK;
2028  p->payload_len = sizeof(request);
2029  p->payload = request;
2030  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2042 
2043  /* full response - request ack */
2044  uint8_t response[] = {
2045  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2046  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2047  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2048  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2049  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2050  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2051  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2052  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2053  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2054  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2055  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2056  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2057  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2058  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2059  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2060  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2061  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2062  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2063  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2064  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2065  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2066  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2067  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2068  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2069  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2070  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2071  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2072  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2073  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2074  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2075  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2076  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2077  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2078  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2079  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2080  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2081  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2082  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2083  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2084  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2085  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2086  p->tcph->th_ack = htonl(88);
2087  p->tcph->th_seq = htonl(1);
2088  p->tcph->th_flags = TH_PUSH | TH_ACK;
2090  p->payload_len = sizeof(response);
2091  p->payload = response;
2092  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2104 
2105  /* response ack */
2106  p->tcph->th_ack = htonl(328);
2107  p->tcph->th_seq = htonl(88);
2108  p->tcph->th_flags = TH_ACK;
2110  p->payload_len = 0;
2111  p->payload = NULL;
2112  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2124 
2125  TEST_END;
2126  PASS;
2127 }
2128 
2129 /**
2130  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2131  * RUBBISH(TC - PM and PP DONE) ->
2132  * RUBBISH(TS - PM and PP DONE)
2133  */
2134 static int AppLayerTest09(void)
2135 {
2136  TEST_START;
2137 
2138  /* full request */
2139  uint8_t request1[] = {
2140  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2141  p->tcph->th_ack = htonl(1);
2142  p->tcph->th_seq = htonl(1);
2143  p->tcph->th_flags = TH_PUSH | TH_ACK;
2145  p->payload_len = sizeof(request1);
2146  p->payload = request1;
2147  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2159 
2160  /* response - request ack */
2161  p->tcph->th_ack = htonl(9);
2162  p->tcph->th_seq = htonl(1);
2163  p->tcph->th_flags = TH_PUSH | TH_ACK;
2165  p->payload_len = 0;
2166  p->payload = NULL;
2167  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2179 
2180  /* full request */
2181  uint8_t request2[] = {
2182  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2183  p->tcph->th_ack = htonl(1);
2184  p->tcph->th_seq = htonl(9);
2185  p->tcph->th_flags = TH_PUSH | TH_ACK;
2187  p->payload_len = sizeof(request2);
2188  p->payload = request2;
2189  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2201 
2202  /* full response - request ack */
2203  uint8_t response[] = {
2204  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2205  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2206  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2207  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2208  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2209  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2210  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2211  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2212  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2213  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2214  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2215  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2216  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2217  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2218  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2219  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2220  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2221  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2222  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2223  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2224  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2225  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2226  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2227  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2228  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2229  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2230  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2231  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2232  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2233  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2234  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2235  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2236  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2237  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2238  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2239  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2240  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2241  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2242  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2243  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2244  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2245  p->tcph->th_ack = htonl(18);
2246  p->tcph->th_seq = htonl(1);
2247  p->tcph->th_flags = TH_PUSH | TH_ACK;
2249  p->payload_len = sizeof(response);
2250  p->payload = response;
2251  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2263 
2264  /* response ack */
2265  p->tcph->th_ack = htonl(328);
2266  p->tcph->th_seq = htonl(18);
2267  p->tcph->th_flags = TH_ACK;
2269  p->payload_len = 0;
2270  p->payload = NULL;
2271  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2283 
2284  TEST_END;
2285  PASS;
2286 }
2287 
2288 /**
2289  * \test RUBBISH(TC - PM and PP DONE) ->
2290  * RUBBISH(TS - PM and PP DONE)
2291  */
2292 static int AppLayerTest10(void)
2293 {
2294  TEST_START;
2295 
2296  /* full request */
2297  uint8_t request1[] = {
2298  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2299  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2300  p->tcph->th_ack = htonl(1);
2301  p->tcph->th_seq = htonl(1);
2302  p->tcph->th_flags = TH_PUSH | TH_ACK;
2304  p->payload_len = sizeof(request1);
2305  p->payload = request1;
2306  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2318 
2319  /* response - request ack */
2320  p->tcph->th_ack = htonl(18);
2321  p->tcph->th_seq = htonl(1);
2322  p->tcph->th_flags = TH_PUSH | TH_ACK;
2324  p->payload_len = 0;
2325  p->payload = NULL;
2326  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2338 
2339  /* full response - request ack */
2340  uint8_t response[] = {
2341  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2342  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2343  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2344  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2345  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2346  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2347  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2348  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2349  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2350  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2351  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2352  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2353  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2354  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2355  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2356  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2357  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2358  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2359  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2360  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2361  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2362  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2363  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2364  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2365  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2366  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2367  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2368  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2369  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2370  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2371  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2372  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2373  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2374  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2375  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2376  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2377  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2378  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2379  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2380  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2381  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2382  p->tcph->th_ack = htonl(18);
2383  p->tcph->th_seq = htonl(1);
2384  p->tcph->th_flags = TH_PUSH | TH_ACK;
2386  p->payload_len = sizeof(response);
2387  p->payload = response;
2388  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2400 
2401  /* response ack */
2402  p->tcph->th_ack = htonl(328);
2403  p->tcph->th_seq = htonl(18);
2404  p->tcph->th_flags = TH_ACK;
2406  p->payload_len = 0;
2407  p->payload = NULL;
2408  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2420 
2421  TEST_END;
2422  PASS;
2423 }
2424 
2425 /**
2426  * \test RUBBISH(TC - PM and PP DONE) ->
2427  * RUBBISH(TS - PM and PP NOT DONE) ->
2428  * RUBBISH(TS - PM and PP DONE)
2429  */
2430 static int AppLayerTest11(void)
2431 {
2432  TEST_START;
2433 
2434  /* full request */
2435  uint8_t request1[] = {
2436  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2437  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2438  p->tcph->th_ack = htonl(1);
2439  p->tcph->th_seq = htonl(1);
2440  p->tcph->th_flags = TH_PUSH | TH_ACK;
2442  p->payload_len = sizeof(request1);
2443  p->payload = request1;
2444  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2456 
2457  /* response - request ack */
2458  p->tcph->th_ack = htonl(18);
2459  p->tcph->th_seq = htonl(1);
2460  p->tcph->th_flags = TH_PUSH | TH_ACK;
2462  p->payload_len = 0;
2463  p->payload = NULL;
2464  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2476 
2477  /* full response - request ack */
2478  uint8_t response1[] = {
2479  0x55, 0x74, 0x54, 0x50, };
2480  p->tcph->th_ack = htonl(18);
2481  p->tcph->th_seq = htonl(1);
2482  p->tcph->th_flags = TH_PUSH | TH_ACK;
2484  p->payload_len = sizeof(response1);
2485  p->payload = response1;
2486  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2498 
2499  /* response ack from request */
2500  p->tcph->th_ack = htonl(5);
2501  p->tcph->th_seq = htonl(18);
2502  p->tcph->th_flags = TH_ACK;
2504  p->payload_len = 0;
2505  p->payload = NULL;
2506  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2518 
2519  uint8_t response2[] = {
2520  0x2f, 0x31, 0x2e, 0x31,
2521  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2522  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2523  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2524  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2525  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2526  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2527  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2528  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2529  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2530  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2531  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2532  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2533  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2534  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2535  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2536  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2537  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2538  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2539  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2540  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2541  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2542  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2543  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2544  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2545  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2546  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2547  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2548  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2549  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2550  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2551  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2552  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2553  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2554  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2555  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2556  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2557  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2558  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2559  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2560  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2561  p->tcph->th_ack = htonl(18);
2562  p->tcph->th_seq = htonl(5);
2563  p->tcph->th_flags = TH_PUSH | TH_ACK;
2565  p->payload_len = sizeof(response2);
2566  p->payload = response2;
2567  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2579 
2580  /* response ack from request */
2581  p->tcph->th_ack = htonl(328);
2582  p->tcph->th_seq = htonl(18);
2583  p->tcph->th_flags = TH_ACK;
2585  p->payload_len = 0;
2586  p->payload = NULL;
2587  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2599 
2600  TEST_END;
2601  PASS;
2602 }
2603 
2605 {
2606  SCEnter();
2607 
2608  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2609  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2610  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2611  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2612  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2613  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2614  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2615  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2616  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2617  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2618  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2619 
2620  SCReturn;
2621 }
2622 
2623 #endif /* UNITTESTS */
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
AppProto alproto_expect
Definition: flow.h:418
uint16_t flags
void FlowSwap(Flow *f)
swap the flow&#39;s direction
Definition: flow.c:289
#define SCLogDebug(...)
Definition: util-debug.h:335
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
AppProto alproto_tc
Definition: flow.h:411
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:567
#define TEST_END
Definition: app-layer.c:1034
uint16_t counter_id
Definition: app-layer.c:81
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
#define BUG_ON(x)
uint8_t proto
Definition: flow.h:344
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:791
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
#define PASS
Pass the test.
int AppLayerParserDeSetup(void)
#define STREAMTCP_STREAM_FLAG_GAP
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:841
#define SWAP_FLAGS(flags, a, b)
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:551
void StreamTcpDisableAppLayer(Flow *f)
uint64_t HTPMemuseGlobalCounter(void)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
#define IPPROTOS_MAX
Definition: app-layer.c:862
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:776
uint64_t ticks_spent
Definition: app-layer.c:66
uint64_t pcap_cnt
Definition: decode.h:561
uint16_t AppProto
uint64_t FTPMemuseGlobalCounter(void)
TCPHdr * tcph
Definition: decode.h:520
int EngineModeIsIPS(void)
Definition: suricata.c:241
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:846
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:742
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
uint64_t ticks_start
Definition: app-layer.c:64
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
#define STREAMTCP_FLAG_MIDSTREAM
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:756
#define SCReturnCT(x, type)
Definition: util-debug.h:351
void * protoctx
Definition: flow.h:400
uint64_t ExpectationGetCounter(void)
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
#define PACKET_PROFILING_APP_PD_START(dp)
void AppLayerParserRegisterProtocolParsers(void)
AppProto alproto
Definition: app-layer.c:67
struct AppLayerCounters_ AppLayerCounters
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4674
AppProto alproto_orig
Definition: flow.h:415
AppProto alproto_ts
Definition: flow.h:410
#define str(s)
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:258
uint16_t counter_tx_id
Definition: app-layer.c:82
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:803
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:248
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1116
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define DEBUG_ASSERT_FLOW_LOCKED(f)
#define SCEnter(...)
Definition: util-debug.h:337
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2604
uint64_t HTPMemcapGlobalCounter(void)
#define TH_ACK
Definition: decode-tcp.h:39
uint8_t flowflags
Definition: decode.h:437
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
struct AppLayerCounterNames_ AppLayerCounterNames
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
#define TH_PUSH
Definition: decode-tcp.h:38
uint64_t FTPMemcapGlobalCounter(void)
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1000
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:418
int8_t data_first_seen_dir
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
#define SCReturnInt(x)
Definition: util-debug.h:341
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
int AppLayerParserSetup(void)
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:936
#define SCMalloc(a)
Definition: util-mem.h:166
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
#define SCFree(a)
Definition: util-mem.h:228
#define PACKET_PROFILING_APP_STORE(dp, p)
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:249
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:825
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:853
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAM_START
Definition: stream.h:29
void AppLayerSetupCounters(void)
Definition: app-layer.c:863
#define STREAM_TOSERVER
Definition: stream.h:31
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
#define TEST_START
Definition: app-layer.c:951
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:256
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6286
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:749
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
#define PACKET_PROFILING_APP_END(dp, id)
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:257
#define PACKET_PROFILING_APP_RESET(dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:671
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
AppProto alproto
application level protocol
Definition: flow.h:409
The app layer protocol detection thread context.
uint32_t flags
Definition: decode.h:441
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
uint16_t payload_len
Definition: decode.h:541
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
#define likely(expr)
Definition: util-optimize.h:32
uint64_t ticks_end
Definition: app-layer.c:65
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6280
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
uint8_t protomap
Definition: flow.h:404
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:540
uint32_t flags
Definition: flow.h:379
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
#define PACKET_PROFILING_APP_PD_END(dp)
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:909
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1117
#define PACKET_PROFILING_APP_START(dp, id)