suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-frames.h"
36 #include "stream-tcp-reassemble.h"
37 #include "stream-tcp-private.h"
38 #include "stream-tcp-inline.h"
39 #include "stream-tcp.h"
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-private.h"
43 #include "ippair.h"
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 #include "app-layer-htp-mem.h"
50 #include "util-exception-policy.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
56 struct AppLayerThreadCtx_ {
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
58  AppLayerProtoDetectThreadCtx *alpd_tctx;
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
60  AppLayerParserThreadCtx *alp_tctx;
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
66  AppProto alproto;
67  uint64_t proto_detect_ticks_start;
68  uint64_t proto_detect_ticks_end;
69  uint64_t proto_detect_ticks_spent;
70 #endif
71 };
72 
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74 
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
77  char name[MAX_COUNTER_SIZE];
78  char tx_name[MAX_COUNTER_SIZE];
79  char gap_error[MAX_COUNTER_SIZE];
80  char parser_error[MAX_COUNTER_SIZE];
81  char internal_error[MAX_COUNTER_SIZE];
82  char alloc_error[MAX_COUNTER_SIZE];
83 } AppLayerCounterNames;
84 
85 typedef struct AppLayerCounters_ {
86  uint16_t counter_id;
87  uint16_t counter_tx_id;
88  uint16_t gap_error_id;
89  uint16_t parser_error_id;
90  uint16_t internal_error_id;
91  uint16_t alloc_error_id;
92 } AppLayerCounters;
93 
94 /* counter names. Only used at init. */
95 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
96 /* counter id's. Used that runtime. */
97 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
98 
99 void AppLayerSetupCounters(void);
100 void AppLayerDeSetupCounters(void);
101 
102 /***** L7 layer dispatchers *****/
103 
104 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
105  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
106  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
107  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
108 }
109 
110 /**
111  * \note id can be 0 if protocol parser is disabled but detection
112  * is enabled.
113  */
114 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
115 {
116  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
117  if (likely(tv && id > 0)) {
118  StatsIncr(tv, id);
119  }
120 }
121 
122 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
123 {
124  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
125  if (likely(tv && id > 0)) {
126  StatsAddUI64(tv, id, step);
127  }
128 }
129 
130 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
131 {
132  const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id;
133  if (likely(tv && id > 0)) {
134  StatsIncr(tv, id);
135  }
136 }
137 
138 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
139 {
140  const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id;
141  if (likely(tv && id > 0)) {
142  StatsIncr(tv, id);
143  }
144 }
145 
146 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
147 {
148  const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id;
149  if (likely(tv && id > 0)) {
150  StatsIncr(tv, id);
151  }
152 }
153 
154 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
155 {
156  const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id;
157  if (likely(tv && id > 0)) {
158  StatsIncr(tv, id);
159  }
160 }
161 
162 /* in IDS mode protocol detection is done in reverse order:
163  * when TCP data is ack'd. We want to flag the correct packet,
164  * so in this case we set a flag in the flow so that the first
165  * packet in the correct direction can be tagged.
166  *
167  * For IPS we update packet and flow. */
168 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
169 {
170  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
171  if (flags & STREAM_TOSERVER) {
172  if (p->flowflags & FLOW_PKT_TOSERVER) {
173  p->flags |= PKT_PROTO_DETECT_TS_DONE;
174  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
175  } else {
176  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
177  }
178  } else {
179  if (p->flowflags & FLOW_PKT_TOCLIENT) {
180  p->flags |= PKT_PROTO_DETECT_TC_DONE;
181  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
182  } else {
183  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
184  }
185  }
186  } else {
187  if (flags & STREAM_TOSERVER) {
188  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
189  } else {
190  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
191  }
192  }
193 }
194 
195 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
196 {
197  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
198  f, f->alproto, f->alproto_ts, f->alproto_tc);
199  FlowCleanupAppLayer(f);
200  StreamTcpDisableAppLayer(f);
201  TcpSession *ssn = f->protoctx;
202  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
203  f->alproto = ALPROTO_FAILED;
204  AppLayerIncFlowCounter(tv, f);
205 
206  if (f->alproto_tc != ALPROTO_FAILED) {
207  if (f->alproto_tc == ALPROTO_UNKNOWN) {
208  f->alproto_tc = ALPROTO_FAILED;
209  }
210  FlagPacketFlow(p, f, STREAM_TOCLIENT);
211  }
212  if (f->alproto_ts != ALPROTO_FAILED) {
213  if (f->alproto_ts == ALPROTO_UNKNOWN) {
214  f->alproto_ts = ALPROTO_FAILED;
215  }
216  FlagPacketFlow(p, f, STREAM_TOSERVER);
217  }
218  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
219  f, f->alproto, f->alproto_ts, f->alproto_tc);
220 }
221 
222 /* See if we're going to have to give up:
223  *
224  * If we're getting a lot of data in one direction and the
225  * proto for this direction is unknown, proto detect will
226  * hold up segments in the segment list in the stream.
227  * They are held so that if we detect the protocol on the
228  * opposing stream, we can still parse this side of the stream
229  * as well. However, some sessions are very unbalanced. FTP
230  * data channels, large PUT/POST request and many others, can
231  * lead to cases where we would have to store many megabytes
232  * worth of segments before we see the opposing stream. This
233  * leads to risks of resource starvation.
234  *
235  * Here a cutoff point is enforced. If we've stored 100k in
236  * one direction and we've seen no data in the other direction,
237  * we give up.
238  *
239  * Giving up means we disable applayer an set an applayer event
240  */
241 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
242  Flow *f, TcpSession *ssn, Packet *p)
243 {
244  if (ssn->state < TCP_ESTABLISHED) {
245  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
246  return;
247  }
248 
249  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
250  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
251  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
252 
253  /* at least 100000 whatever the conditions
254  * and can be more if window is bigger and if configuration allows it */
255  const uint32_t size_tc_limit =
256  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
257  const uint32_t size_ts_limit =
258  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
259 
260  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
261  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
262  {
263  goto failure;
264 
265  /* we bail out whatever the pp and pm states if
266  * we received too much data */
267  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
268  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
269  goto failure;
270 
271  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
272  size_ts > size_ts_limit && size_tc == 0) {
273  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
274  APPLAYER_PROTO_DETECTION_SKIPPED);
275  goto failure;
276 
277  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
278  size_tc > size_tc_limit && size_ts == 0) {
279  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
280  APPLAYER_PROTO_DETECTION_SKIPPED);
281  goto failure;
282 
283  /* little data in ts direction, pp done, pm not done (max
284  * depth not reached), ts direction done, lots of data in
285  * tc direction. */
286  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
287  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
288  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
289  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
290  APPLAYER_PROTO_DETECTION_SKIPPED);
291  goto failure;
292 
293  /* little data in tc direction, pp done, pm not done (max
294  * depth not reached), tc direction done, lots of data in
295  * ts direction. */
296  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
297  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
298  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
299  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
300  APPLAYER_PROTO_DETECTION_SKIPPED);
301  goto failure;
302  }
303  return;
304 
305 failure:
306  DisableAppLayer(tv, f, p);
307  return;
308 }
309 
310 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
311  Packet *p, TcpSession *ssn, const TcpStream *stream)
312 {
313  TcpStream *opposing_stream = NULL;
314  if (stream == &ssn->client) {
315  opposing_stream = &ssn->server;
316  } else {
317  opposing_stream = &ssn->client;
318  }
319 
320  /* if the opposing side is not going to work, then
321  * we just have to give up. */
322  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
323  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
324  return -1;
325  }
326 
327  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
328  UPDATE_DIR_OPPOSING :
329  UPDATE_DIR_PACKET;
330  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
331  opposing_stream, p, dir);
332  return ret;
333 }
334 
335 extern enum ExceptionPolicy g_applayerparser_error_policy;
336 
337 /** \todo data const
338  * \retval int -1 error
339  * \retval int 0 ok
340  */
341 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
342  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
343  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir dir)
344 {
345  AppProto *alproto;
346  AppProto *alproto_otherdir;
347  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
348 
349  if (flags & STREAM_TOSERVER) {
350  alproto = &f->alproto_ts;
351  alproto_otherdir = &f->alproto_tc;
352  } else {
353  alproto = &f->alproto_tc;
354  alproto_otherdir = &f->alproto_ts;
355  }
356 
357  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
358 #ifdef PRINT
359  if (data_len > 0) {
360  printf("=> Init Stream Data (app layer) -- start %s%s\n",
361  flags & STREAM_TOCLIENT ? "toclient" : "",
362  flags & STREAM_TOSERVER ? "toserver" : "");
363  PrintRawDataFp(stdout, data, data_len);
364  printf("=> Init Stream Data -- end\n");
365  }
366 #endif
367 
368  bool reverse_flow = false;
369  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
370  PACKET_PROFILING_APP_PD_START(app_tctx);
371  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
372  f, data, data_len,
373  IPPROTO_TCP, flags, &reverse_flow);
374  PACKET_PROFILING_APP_PD_END(app_tctx);
375  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
376 
377  if (*alproto != ALPROTO_UNKNOWN) {
378  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
379  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
380  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
381 
382  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
383  /* if we already invoked the parser, we go with that proto */
384  f->alproto = *alproto_otherdir;
385  } else {
386  /* no data sent to parser yet, we can still choose
387  * we're trusting the server more. */
388  if (flags & STREAM_TOCLIENT)
389  f->alproto = *alproto;
390  else
391  f->alproto = *alproto_otherdir;
392  }
393  } else {
394  f->alproto = *alproto;
395  }
396 
397  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
398  TcpSessionSetReassemblyDepth(ssn,
399  AppLayerParserGetStreamDepth(f));
400  FlagPacketFlow(p, f, flags);
401 
402  /* if protocol detection indicated that we need to reverse
403  * the direction of the flow, do it now. We flip the flow,
404  * packet and the direction flags */
405  if (reverse_flow &&
406  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
407  STREAMTCP_FLAG_MIDSTREAM)) {
408  /* but only if we didn't already detect it on the other side. */
409  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
410  SCLogDebug("reversing flow after proto detect told us so");
411  PacketSwap(p);
412  FlowSwap(f);
413  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
414  if (*stream == &ssn->client) {
415  *stream = &ssn->server;
416  } else {
417  *stream = &ssn->client;
418  }
419  direction = 1 - direction;
420  } else {
421  // TODO event, error?
422  }
423  }
424 
425  /* account flow if we have both sides */
426  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
427  AppLayerIncFlowCounter(tv, f);
428  }
429 
430  /* if we have seen data from the other direction first, send
431  * data for that direction first to the parser. This shouldn't
432  * be an issue, since each stream processing happens
433  * independently of the other stream direction. At this point of
434  * call, you need to know that this function's already being
435  * called by the very same StreamReassembly() function that we
436  * will now call shortly for the opposing direction. */
437  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
438  !(flags & ssn->data_first_seen_dir))
439  {
440  SCLogDebug("protocol %s needs first data in other direction",
441  AppProtoToString(*alproto));
442 
443  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
444  p, ssn, *stream) != 0)
445  {
446  goto detect_error;
447  }
448  if (FlowChangeProto(f)) {
449  /* We have the first data which requested a protocol change from P1 to P2
450  * even if it was not recognized at first as being P1
451  * As the second data was recognized as P1, the protocol did not change !
452  */
453  FlowUnsetChangeProtoFlag(f);
454  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
455  APPLAYER_UNEXPECTED_PROTOCOL);
456  }
457  }
458 
459  /* if the parser operates such that it needs to see data from
460  * a particular direction first, we check if we have seen
461  * data from that direction first for the flow. IF it is not
462  * the same, we set an event and exit.
463  *
464  * \todo We need to figure out a more robust solution for this,
465  * as this can lead to easy evasion tactics, where the
466  * attacker can first send some dummy data in the wrong
467  * direction first to mislead our proto detection process.
468  * While doing this we need to update the parsers as well,
469  * since the parsers must be robust to see such wrong
470  * direction data.
471  * Either ways the moment we see the
472  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
473  * flow, it shows something's fishy.
474  */
475  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
476  uint8_t first_data_dir;
477  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
478 
479  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
480  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
481  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
482  goto detect_error;
483  }
484  /* This can happen if the current direction is not the
485  * right direction, and the data from the other(also
486  * the right direction) direction is available to be sent
487  * to the app layer, but it is not ack'ed yet and hence
488  * the forced call to STreamTcpAppLayerReassemble still
489  * hasn't managed to send data from the other direction
490  * to the app layer. */
491  if (first_data_dir && !(first_data_dir & flags)) {
492  FlowCleanupAppLayer(f);
493  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
494  FLOW_RESET_PP_DONE(f, flags);
495  FLOW_RESET_PM_DONE(f, flags);
496  FLOW_RESET_PE_DONE(f, flags);
497  SCReturnInt(-1);
498  }
499  }
500 
501  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
502  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
503 
504  /* finally, invoke the parser */
505  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
506  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
507  flags, data, data_len);
508  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
509  p->app_update_direction = (uint8_t)dir;
510  if (r != 1) {
511  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
512  }
513  if (r < 0) {
514  goto parser_error;
515  }
516  } else {
517  /* if the ssn is midstream, we may end up with a case where the
518  * start of an HTTP request is missing. We won't detect HTTP based
519  * on the request. However, the reply is fine, so we detect
520  * HTTP anyway. This leads to passing the incomplete request to
521  * the htp parser.
522  *
523  * This has been observed, where the http parser then saw many
524  * bogus requests in the incomplete data.
525  *
526  * To counter this case, a midstream session MUST find it's
527  * protocol in the toserver direction. If not, we assume the
528  * start of the request/toserver is incomplete and no reliable
529  * detection and parsing is possible. So we give up.
530  */
531  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
532  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
533  {
534  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
535  SCLogDebug("midstream end pd %p", ssn);
536  /* midstream and toserver detection failed: give up */
537  DisableAppLayer(tv, f, p);
538  SCReturnInt(0);
539  }
540  }
541 
542  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
543  uint8_t first_data_dir;
544  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
545 
546  /* this would handle this test case -
547  * http parser which says it wants to see toserver data first only.
548  * tcp handshake
549  * toclient data first received. - RUBBISH DATA which
550  * we don't detect as http
551  * toserver data next sent - we detect this as http.
552  * at this stage we see that toclient is the first data seen
553  * for this session and we try and redetect the app protocol,
554  * but we are unable to detect the app protocol like before.
555  * But since we have managed to detect the protocol for the
556  * other direction as http, we try to use that. At this
557  * stage we check if the direction of this stream matches
558  * to that acceptable by the app parser. If it is not the
559  * acceptable direction we error out.
560  */
561  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
562  (first_data_dir) && !(first_data_dir & flags))
563  {
564  goto detect_error;
565  }
566 
567  /* if protocol detection is marked done for our direction we
568  * pass our data on. We're only succeeded in finding one
569  * direction: the opposing stream
570  *
571  * If PD was not yet complete, we don't do anything.
572  */
573  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
574  if (data_len > 0)
575  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
576 
577  if (*alproto_otherdir != ALPROTO_FAILED) {
578  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
579  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
580  f->alproto, flags,
581  data, data_len);
582  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
583  p->app_update_direction = (uint8_t)dir;
584  if (r != 1) {
585  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
586  }
587 
588  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
589  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
590  TcpSessionSetReassemblyDepth(ssn,
591  AppLayerParserGetStreamDepth(f));
592 
593  *alproto = *alproto_otherdir;
594  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
595  p->pcap_cnt, *alproto, *alproto_otherdir, r);
596  if (r < 0) {
597  goto parser_error;
598  }
599  }
600  *alproto = ALPROTO_FAILED;
601  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
602  AppLayerIncFlowCounter(tv, f);
603  FlagPacketFlow(p, f, flags);
604 
605  } else if (flags & STREAM_EOF) {
606  *alproto = f->alproto;
607  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
608  AppLayerIncFlowCounter(tv, f);
609  }
610  } else {
611  /* both sides unknown, let's see if we need to give up */
612  if (FlowChangeProto(f)) {
613  /* TCPProtoDetectCheckBailConditions does not work well because
614  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
615  * so, we set a lower limit to the data we inspect
616  * We could instead have set ssn->server.sb.stream_offset = 0;
617  */
618  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
619  DisableAppLayer(tv, f, p);
620  }
621  } else {
622  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
623  }
624  }
625  }
626  SCReturnInt(0);
627 parser_error:
628  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
629  SCReturnInt(-1);
630 detect_error:
631  DisableAppLayer(tv, f, p);
632  SCReturnInt(-2);
633 }
634 
635 /** \brief handle TCP data for the app-layer.
636  *
637  * First run protocol detection and then when the protocol is known invoke
638  * the app layer parser.
639  *
640  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
641  * reversed.
642  */
643 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f,
644  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
645  enum StreamUpdateDir dir)
646 {
647  SCEnter();
648 
649  DEBUG_ASSERT_FLOW_LOCKED(f);
650  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
651 
652  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
653  AppProto alproto;
654  int r = 0;
655 
656  SCLogDebug("data_len %u flags %02X", data_len, flags);
657  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
658  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
659  goto end;
660  }
661 
662  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
663 
664  if (flags & STREAM_TOSERVER) {
665  alproto = f->alproto_ts;
666  } else {
667  alproto = f->alproto_tc;
668  }
669 
670  /* If a gap notification, relay the notification on to the
671  * app-layer if known. */
672  if (flags & STREAM_GAP) {
673  if (alproto == ALPROTO_UNKNOWN) {
674  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
675  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
676  /* if the other side didn't already find the proto, we're done */
677  if (f->alproto == ALPROTO_UNKNOWN) {
678  goto failure;
679  }
680  AppLayerIncFlowCounter(tv, f);
681  }
682  if (FlowChangeProto(f)) {
683  FlowUnsetChangeProtoFlag(f);
684  SCLogDebug("Cannot handle gap while changing protocol");
685  goto failure;
686  }
687  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
688  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
689  flags, data, data_len);
690  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
691  p->app_update_direction = (uint8_t)dir;
692  /* ignore parser result for gap */
693  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
694  if (r < 0) {
695  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
696  SCReturnInt(-1);
697  }
698  goto end;
699  }
700 
701  /* if we don't know the proto yet and we have received a stream
702  * initializer message, we run proto detection.
703  * We receive 2 stream init msgs (one for each direction), we
704  * only run the proto detection for both and emit an event
705  * in the case protocols mismatch. */
706  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
707  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
708  /* run protocol detection */
709  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, dir) !=
710  0) {
711  goto failure;
712  }
713  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
714  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
715  void *alstate_orig = f->alstate;
716  AppLayerParserState *alparser = f->alparser;
717  // we delay AppLayerParserStateCleanup because we may need previous parser state
718  AppLayerProtoDetectReset(f);
719  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
720  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
721  /* rerun protocol detection */
722  int rd =
723  TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, dir);
724  if (f->alproto == ALPROTO_UNKNOWN) {
725  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
726  // not enough data, revert AppLayerProtoDetectReset to rerun detection
727  f->alparser = alparser;
728  f->alproto = f->alproto_orig;
729  f->alproto_tc = f->alproto_orig;
730  f->alproto_ts = f->alproto_orig;
731  } else {
732  FlowUnsetChangeProtoFlag(f);
733  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
734  if (alstate_orig == f->alstate) {
735  // we just freed it
736  f->alstate = NULL;
737  }
738  }
739  if (rd != 0) {
740  SCLogDebug("proto detect failure");
741  goto failure;
742  }
743  SCLogDebug("protocol change, old %s, new %s",
744  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
745 
746  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
747  f->alproto != f->alproto_expect) {
748  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
749  APPLAYER_UNEXPECTED_PROTOCOL);
750 
751  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
752  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
753  APPLAYER_NO_TLS_AFTER_STARTTLS);
754 
755  }
756  }
757  } else {
758  SCLogDebug("stream data (len %" PRIu32 " alproto "
759  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
760 #ifdef PRINT
761  if (data_len > 0) {
762  printf("=> Stream Data (app layer) -- start %s%s\n",
763  flags & STREAM_TOCLIENT ? "toclient" : "",
764  flags & STREAM_TOSERVER ? "toserver" : "");
765  PrintRawDataFp(stdout, data, data_len);
766  printf("=> Stream Data -- end\n");
767  }
768 #endif
769  /* if we don't have a data object here we are not getting it
770  * a start msg should have gotten us one */
771  if (f->alproto != ALPROTO_UNKNOWN) {
772  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
773  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
774  flags, data, data_len);
775  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
776  p->app_update_direction = (uint8_t)dir;
777  if (r != 1) {
778  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
779  if (r < 0) {
780  ExceptionPolicyApply(
781  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
782  SCReturnInt(-1);
783  }
784  }
785  }
786  }
787 
788  goto end;
789  failure:
790  r = -1;
791  end:
792  SCReturnInt(r);
793 }
794 
795 /**
796  * \brief Handle a app layer UDP message
797  *
798  * If the protocol is yet unknown, the proto detection code is run first.
799  *
800  * \param dp_ctx Thread app layer detect context
801  * \param f *locked* flow
802  * \param p UDP packet
803  *
804  * \retval 0 ok
805  * \retval -1 error
806  */
807 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
808 {
809  SCEnter();
810  AppProto *alproto;
811  AppProto *alproto_otherdir;
812 
813  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
814  SCReturnInt(0);
815  }
816 
817  int r = 0;
818  uint8_t flags = 0;
819  if (p->flowflags & FLOW_PKT_TOSERVER) {
820  flags |= STREAM_TOSERVER;
821  alproto = &f->alproto_ts;
822  alproto_otherdir = &f->alproto_tc;
823  } else {
824  flags |= STREAM_TOCLIENT;
825  alproto = &f->alproto_tc;
826  alproto_otherdir = &f->alproto_ts;
827  }
828 
829  AppLayerProfilingReset(tctx);
830 
831  /* if the protocol is still unknown, run detection */
832  if (*alproto == ALPROTO_UNKNOWN) {
833  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
834  p->payload_len);
835 
836  bool reverse_flow = false;
837  PACKET_PROFILING_APP_PD_START(tctx);
838  *alproto = AppLayerProtoDetectGetProto(
839  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
840  PACKET_PROFILING_APP_PD_END(tctx);
841 
842  switch (*alproto) {
843  case ALPROTO_UNKNOWN:
844  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
845  // Use recognized side
846  f->alproto = *alproto_otherdir;
847  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
848  *alproto = *alproto_otherdir;
849  if (*alproto_otherdir == ALPROTO_FAILED) {
850  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
851  }
852  } else {
853  // First side of protocol is unknown
854  *alproto = ALPROTO_FAILED;
855  }
856  break;
857  case ALPROTO_FAILED:
858  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
859  // Use recognized side
860  f->alproto = *alproto_otherdir;
861  if (*alproto_otherdir == ALPROTO_FAILED) {
862  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
863  }
864  }
865  // else wait for second side of protocol
866  break;
867  default:
868  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
869  if (*alproto_otherdir != *alproto) {
870  AppLayerDecoderEventsSetEventRaw(
871  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
872  // data already sent to parser, we cannot change the protocol to use the one
873  // of the server
874  }
875  } else {
876  f->alproto = *alproto;
877  }
878  }
879  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
880  if (f->alproto == ALPROTO_UNKNOWN) {
881  // so as to increase stat about .app_layer.flow.failed_udp
882  f->alproto = ALPROTO_FAILED;
883  }
884  // If the other side is unknown, this is the first packet of the flow
885  AppLayerIncFlowCounter(tv, f);
886  }
887 
888  // parse the data if we recognized one protocol
889  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
890  if (reverse_flow) {
891  SCLogDebug("reversing flow after proto detect told us so");
892  PacketSwap(p);
893  FlowSwap(f);
894  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
895  }
896 
897  PACKET_PROFILING_APP_START(tctx, f->alproto);
898  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
899  flags, p->payload, p->payload_len);
900  PACKET_PROFILING_APP_END(tctx, f->alproto);
901  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
902  }
903  PACKET_PROFILING_APP_STORE(tctx, p);
904  /* we do only inspection in one direction, so flag both
905  * sides as done here */
906  FlagPacketFlow(p, f, STREAM_TOSERVER);
907  FlagPacketFlow(p, f, STREAM_TOCLIENT);
908  } else {
909  SCLogDebug("data (len %" PRIu32 " ), alproto "
910  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
911 
912  /* run the parser */
913  PACKET_PROFILING_APP_START(tctx, f->alproto);
914  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
915  flags, p->payload, p->payload_len);
916  PACKET_PROFILING_APP_END(tctx, f->alproto);
917  PACKET_PROFILING_APP_STORE(tctx, p);
918  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
919  }
920  if (r < 0) {
921  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
922  SCReturnInt(-1);
923  }
924 
925  SCReturnInt(r);
926 }
927 
928 /***** Utility *****/
929 
930 AppProto AppLayerGetProtoByName(char *alproto_name)
931 {
932  SCEnter();
933  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
934  SCReturnCT(r, "AppProto");
935 }
936 
937 const char *AppLayerGetProtoName(AppProto alproto)
938 {
939  SCEnter();
940  const char * r = AppLayerProtoDetectGetProtoName(alproto);
941  SCReturnCT(r, "char *");
942 }
943 
944 void AppLayerListSupportedProtocols(void)
945 {
946  SCEnter();
947 
948  AppProto alproto;
949  AppProto alprotos[ALPROTO_MAX];
950 
951  AppLayerProtoDetectSupportedAppProtocols(alprotos);
952 
953  printf("=========Supported App Layer Protocols=========\n");
954  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
955  if (alprotos[alproto] == 1)
956  printf("%s\n", AppLayerGetProtoName(alproto));
957  }
958 
959  SCReturn;
960 }
961 
962 /***** Setup/General Registration *****/
963 
964 int AppLayerSetup(void)
965 {
966  SCEnter();
967 
968  AppLayerProtoDetectSetup();
969  AppLayerParserSetup();
970 
971  AppLayerParserRegisterProtocolParsers();
972  AppLayerProtoDetectPrepareState();
973 
974  AppLayerSetupCounters();
975 
976  SCReturnInt(0);
977 }
978 
979 int AppLayerDeSetup(void)
980 {
981  SCEnter();
982 
983  AppLayerProtoDetectDeSetup();
984  AppLayerParserDeSetup();
985 
986  AppLayerDeSetupCounters();
987 
988  SCReturnInt(0);
989 }
990 
991 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
992 {
993  SCEnter();
994 
995  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
996  if (app_tctx == NULL)
997  goto error;
998 
999  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1000  goto error;
1001  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1002  goto error;
1003 
1004  goto done;
1005  error:
1006  AppLayerDestroyCtxThread(app_tctx);
1007  app_tctx = NULL;
1008  done:
1009  SCReturnPtr(app_tctx, "void *");
1010 }
1011 
1012 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1013 {
1014  SCEnter();
1015 
1016  if (app_tctx == NULL)
1017  SCReturn;
1018 
1019  if (app_tctx->alpd_tctx != NULL)
1020  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1021  if (app_tctx->alp_tctx != NULL)
1022  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1023  SCFree(app_tctx);
1024 
1025  SCReturn;
1026 }
1027 
1028 #ifdef PROFILING
1029 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1030 {
1031  PACKET_PROFILING_APP_RESET(app_tctx);
1032 }
1033 
1034 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1035 {
1036  PACKET_PROFILING_APP_STORE(app_tctx, p);
1037 }
1038 #endif
1039 
1040 /** \brief HACK to work around our broken unix manager (re)init loop
1041  */
1042 void AppLayerRegisterGlobalCounters(void)
1043 {
1044  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1045  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1046  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1047  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1048  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1049 }
1050 
1051 #define IPPROTOS_MAX 2
1052 void AppLayerSetupCounters(void)
1053 {
1054  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1055  AppProto alprotos[ALPROTO_MAX];
1056  const char *str = "app_layer.flow.";
1057  const char *estr = "app_layer.error.";
1058 
1059  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1060 
1061  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1062  const uint8_t ipproto = ipprotos[p];
1063  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1064  const uint8_t other_ipproto = ipproto == IPPROTO_TCP ? IPPROTO_UDP : IPPROTO_TCP;
1065  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1066 
1067  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1068  if (alprotos[alproto] == 1) {
1069  const char *tx_str = "app_layer.tx.";
1070  const char *alproto_str = AppLayerGetProtoName(alproto);
1071 
1072  if (AppLayerParserProtoIsRegistered(ipproto, alproto) &&
1073  AppLayerParserProtoIsRegistered(other_ipproto, alproto)) {
1074  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1075  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1076  "%s%s%s", str, alproto_str, ipproto_suffix);
1077  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1078  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1079  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
1080 
1081  if (ipproto == IPPROTO_TCP) {
1082  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1083  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1084  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1085  }
1086  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1087  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1088  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1089  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1090  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1091  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1092  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1093  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1094  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1095  } else {
1096  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1097  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1098  "%s%s", str, alproto_str);
1099  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1100  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1101  "%s%s", tx_str, alproto_str);
1102 
1103  if (ipproto == IPPROTO_TCP) {
1104  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1105  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1106  "%s%s.gap", estr, alproto_str);
1107  }
1108  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1109  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1110  "%s%s.alloc", estr, alproto_str);
1111  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1112  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1113  "%s%s.parser", estr, alproto_str);
1114  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1115  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1116  "%s%s.internal", estr, alproto_str);
1117  }
1118  } else if (alproto == ALPROTO_FAILED) {
1119  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1120  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1121  "%s%s%s", str, "failed", ipproto_suffix);
1122  if (ipproto == IPPROTO_TCP) {
1123  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1124  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1125  "%sfailed%s.gap", estr, ipproto_suffix);
1126  }
1127  }
1128  }
1129  }
1130 }
1131 
1132 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1133 {
1134  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1135  AppProto alprotos[ALPROTO_MAX];
1136  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1137 
1138  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1139  const uint8_t ipproto = ipprotos[p];
1140  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1141 
1142  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1143  if (alprotos[alproto] == 1) {
1144  applayer_counters[ipproto_map][alproto].counter_id =
1145  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1146 
1147  applayer_counters[ipproto_map][alproto].counter_tx_id =
1148  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
1149 
1150  if (ipproto == IPPROTO_TCP) {
1151  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1152  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1153  }
1154  applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter(
1155  applayer_counter_names[ipproto_map][alproto].alloc_error, tv);
1156  applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter(
1157  applayer_counter_names[ipproto_map][alproto].parser_error, tv);
1158  applayer_counters[ipproto_map][alproto].internal_error_id = StatsRegisterCounter(
1159  applayer_counter_names[ipproto_map][alproto].internal_error, tv);
1160  } else if (alproto == ALPROTO_FAILED) {
1161  applayer_counters[ipproto_map][alproto].counter_id =
1162  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1163 
1164  if (ipproto == IPPROTO_TCP) {
1165  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1166  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1167  }
1168  }
1169  }
1170  }
1171 }
1172 
1173 void AppLayerDeSetupCounters(void)
1174 {
1175  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1176  memset(applayer_counters, 0, sizeof(applayer_counters));
1177 }
1178 
1179 /***** Unittests *****/
1180 
1181 #ifdef UNITTESTS
1182 #include "pkt-var.h"
1183 #include "stream-tcp-util.h"
1184 #include "stream.h"
1185 #include "util-unittest.h"
1186 
1187 #define TEST_START \
1188  Packet *p = PacketGetFromAlloc(); \
1189  FAIL_IF_NULL(p); \
1190  Flow f; \
1191  ThreadVars tv; \
1192  StreamTcpThread *stt = NULL; \
1193  TCPHdr tcph; \
1194  PacketQueueNoLock pq; \
1195  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1196  memset(&f, 0, sizeof(Flow)); \
1197  memset(&tv, 0, sizeof(ThreadVars)); \
1198  memset(&tcph, 0, sizeof(TCPHdr)); \
1199  \
1200  FLOW_INITIALIZE(&f); \
1201  f.flags = FLOW_IPV4; \
1202  f.proto = IPPROTO_TCP; \
1203  p->flow = &f; \
1204  p->tcph = &tcph; \
1205  \
1206  StreamTcpInitConfig(true); \
1207  IPPairInitConfig(true); \
1208  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1209  \
1210  /* handshake */ \
1211  tcph.th_win = htons(5480); \
1212  tcph.th_flags = TH_SYN; \
1213  p->flowflags = FLOW_PKT_TOSERVER; \
1214  p->payload_len = 0; \
1215  p->payload = NULL; \
1216  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1217  TcpSession *ssn = (TcpSession *)f.protoctx; \
1218  \
1219  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1220  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1221  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1222  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1223  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1224  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1225  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1226  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1227  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1228  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1229  FAIL_IF(ssn->data_first_seen_dir != 0); \
1230  \
1231  /* handshake */ \
1232  p->tcph->th_ack = htonl(1); \
1233  p->tcph->th_flags = TH_SYN | TH_ACK; \
1234  p->flowflags = FLOW_PKT_TOCLIENT; \
1235  p->payload_len = 0; \
1236  p->payload = NULL; \
1237  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1238  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1239  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1240  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1241  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1242  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1243  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1244  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1245  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1246  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1247  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1248  FAIL_IF(ssn->data_first_seen_dir != 0); \
1249  \
1250  /* handshake */ \
1251  p->tcph->th_ack = htonl(1); \
1252  p->tcph->th_seq = htonl(1); \
1253  p->tcph->th_flags = TH_ACK; \
1254  p->flowflags = FLOW_PKT_TOSERVER; \
1255  p->payload_len = 0; \
1256  p->payload = NULL; \
1257  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1258  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1259  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1260  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1261  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1262  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1263  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1264  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1265  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1266  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1267  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1268  FAIL_IF(ssn->data_first_seen_dir != 0);
1269 #define TEST_END \
1270  StreamTcpSessionClear(p->flow->protoctx); \
1271  StreamTcpThreadDeinit(&tv, (void *)stt); \
1272  StreamTcpFreeConfig(true); \
1273  PacketFree(p); \
1274  FLOW_DESTROY(&f); \
1275  StatsThreadCleanup(&tv);
1276 
1277 /**
1278  * \test GET -> HTTP/1.1
1279  */
1280 static int AppLayerTest01(void)
1281 {
1282  TEST_START;
1283 
1284  /* full request */
1285  uint8_t request[] = {
1286  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1287  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1288  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1289  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1290  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1291  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1292  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1293  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1294  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1295  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1296  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1297  p->tcph->th_ack = htonl(1);
1298  p->tcph->th_seq = htonl(1);
1299  p->tcph->th_flags = TH_PUSH | TH_ACK;
1300  p->flowflags = FLOW_PKT_TOSERVER;
1301  p->payload_len = sizeof(request);
1302  p->payload = request;
1303  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1304  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1305  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1306  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1307  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1308  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1309  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1310  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1311  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1312  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1313  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1314  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1315 
1316  /* full response - request ack */
1317  uint8_t response[] = {
1318  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1319  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1320  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1321  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1322  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1323  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1324  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1325  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1326  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1327  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1328  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1329  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1330  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1331  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1332  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1333  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1334  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1335  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1336  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1337  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1338  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1339  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1340  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1341  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1342  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1343  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1344  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1345  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1346  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1347  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1348  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1349  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1350  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1351  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1352  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1353  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1354  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1355  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1356  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1357  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1358  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1359  p->tcph->th_ack = htonl(88);
1360  p->tcph->th_seq = htonl(1);
1361  p->tcph->th_flags = TH_PUSH | TH_ACK;
1362  p->flowflags = FLOW_PKT_TOCLIENT;
1363  p->payload_len = sizeof(response);
1364  p->payload = response;
1365  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1366  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1367  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1368  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1369  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1370  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1371  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1372  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1373  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1374  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1375  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1376  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1377 
1378  /* response ack */
1379  p->tcph->th_ack = htonl(328);
1380  p->tcph->th_seq = htonl(88);
1381  p->tcph->th_flags = TH_ACK;
1382  p->flowflags = FLOW_PKT_TOSERVER;
1383  p->payload_len = 0;
1384  p->payload = NULL;
1385  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1386  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1387  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1388  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1389  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1390  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1391  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1392  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1393  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1394  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1395  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1396  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1397 
1398  TEST_END;
1399  PASS;
1400 }
1401 
1402 /**
1403  * \test GE -> T -> HTTP/1.1
1404  */
1405 static int AppLayerTest02(void)
1406 {
1407  TEST_START;
1408 
1409  /* partial request */
1410  uint8_t request1[] = { 0x47, 0x45, };
1411  p->tcph->th_ack = htonl(1);
1412  p->tcph->th_seq = htonl(1);
1413  p->tcph->th_flags = TH_PUSH | TH_ACK;
1414  p->flowflags = FLOW_PKT_TOSERVER;
1415  p->payload_len = sizeof(request1);
1416  p->payload = request1;
1417  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1418  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1419  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1420  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1421  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1422  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1423  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1424  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1425  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1426  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1427  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1428  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1429 
1430  /* response ack against partial request */
1431  p->tcph->th_ack = htonl(3);
1432  p->tcph->th_seq = htonl(1);
1433  p->tcph->th_flags = TH_ACK;
1434  p->flowflags = FLOW_PKT_TOCLIENT;
1435  p->payload_len = 0;
1436  p->payload = NULL;
1437  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1438  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1439  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1440  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1441  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1442  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1443  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1444  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1445  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1446  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1447  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1448  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1449 
1450  /* complete partial request */
1451  uint8_t request2[] = {
1452  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1453  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1454  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1455  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1456  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1457  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1458  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1459  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1460  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1461  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1462  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1463  p->tcph->th_ack = htonl(1);
1464  p->tcph->th_seq = htonl(3);
1465  p->tcph->th_flags = TH_PUSH | TH_ACK;
1466  p->flowflags = FLOW_PKT_TOSERVER;
1467  p->payload_len = sizeof(request2);
1468  p->payload = request2;
1469  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1470  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1471  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1472  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1473  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1474  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1475  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1476  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1477  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1478  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1479  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1480  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1481 
1482  /* response - request ack */
1483  uint8_t response[] = {
1484  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1485  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1486  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1487  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1488  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1489  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1490  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1491  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1492  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1493  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1494  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1495  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1496  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1497  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1498  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1499  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1500  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1501  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1502  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1503  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1504  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1505  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1506  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1507  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1508  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1509  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1510  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1511  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1512  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1513  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1514  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1515  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1516  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1517  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1518  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1519  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1520  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1521  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1522  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1523  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1524  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1525  p->tcph->th_ack = htonl(88);
1526  p->tcph->th_seq = htonl(1);
1527  p->tcph->th_flags = TH_PUSH | TH_ACK;
1528  p->flowflags = FLOW_PKT_TOCLIENT;
1529  p->payload_len = sizeof(response);
1530  p->payload = response;
1531  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1532  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1533  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1534  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1535  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1536  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1537  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1538  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1539  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1540  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1541  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1542  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1543 
1544  /* response ack */
1545  p->tcph->th_ack = htonl(328);
1546  p->tcph->th_seq = htonl(88);
1547  p->tcph->th_flags = TH_ACK;
1548  p->flowflags = FLOW_PKT_TOSERVER;
1549  p->payload_len = 0;
1550  p->payload = NULL;
1551  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1552  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1553  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1554  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1555  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1556  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1557  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1558  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1559  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1560  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1561  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1562  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1563 
1564  TEST_END;
1565  PASS;
1566 }
1567 
1568 /**
1569  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1570  */
1571 static int AppLayerTest03(void)
1572 {
1573  TEST_START;
1574 
1575  /* request */
1576  uint8_t request[] = {
1577  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1578  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1579  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1580  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1581  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1582  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1583  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1584  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1585  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1586  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1587  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1588  p->tcph->th_ack = htonl(1);
1589  p->tcph->th_seq = htonl(1);
1590  p->tcph->th_flags = TH_PUSH | TH_ACK;
1591  p->flowflags = FLOW_PKT_TOSERVER;
1592  p->payload_len = sizeof(request);
1593  p->payload = request;
1594  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1595  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1596  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1597  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1598  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1599  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1600  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1601  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1602  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1603  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1604  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1605  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1606 
1607  /* rubbish response */
1608  uint8_t response[] = {
1609  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1610  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1611  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1612  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1613  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1614  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1615  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1616  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1617  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1618  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1619  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1620  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1621  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1622  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1623  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1624  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1625  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1626  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1627  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1628  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1629  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1630  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1631  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1632  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1633  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1634  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1635  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1636  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1637  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1638  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1639  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1640  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1641  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1642  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1643  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1644  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1645  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1646  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1647  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1648  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1649  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1650  p->tcph->th_ack = htonl(88);
1651  p->tcph->th_seq = htonl(1);
1652  p->tcph->th_flags = TH_PUSH | TH_ACK;
1653  p->flowflags = FLOW_PKT_TOCLIENT;
1654  p->payload_len = sizeof(response);
1655  p->payload = response;
1656  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1657  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1658  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1659  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1660  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1661  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1662  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1663  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1664  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1665  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1666  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1667  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1668 
1669  /* response ack */
1670  p->tcph->th_ack = htonl(328);
1671  p->tcph->th_seq = htonl(88);
1672  p->tcph->th_flags = TH_ACK;
1673  p->flowflags = FLOW_PKT_TOSERVER;
1674  p->payload_len = 0;
1675  p->payload = NULL;
1676  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1677  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1678  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1679  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1680  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1681  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1682  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1683  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1684  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1685  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1686  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1687  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1688 
1689  TEST_END;
1690  PASS;
1691 }
1692 
1693 /**
1694  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1695  */
1696 static int AppLayerTest04(void)
1697 {
1698  TEST_START;
1699 
1700  /* request */
1701  uint8_t request[] = {
1702  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1703  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1704  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1705  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1706  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1707  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1708  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1709  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1710  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1711  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1712  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1713  PrintRawDataFp(stdout, request, sizeof(request));
1714  p->tcph->th_ack = htonl(1);
1715  p->tcph->th_seq = htonl(1);
1716  p->tcph->th_flags = TH_PUSH | TH_ACK;
1717  p->flowflags = FLOW_PKT_TOSERVER;
1718  p->payload_len = sizeof(request);
1719  p->payload = request;
1720  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1721  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1722  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1723  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1724  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1725  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1726  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1727  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1728  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1729  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1730  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1731  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1732 
1733  /* partial response */
1734  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1735  PrintRawDataFp(stdout, response1, sizeof(response1));
1736  p->tcph->th_ack = htonl(88);
1737  p->tcph->th_seq = htonl(1);
1738  p->tcph->th_flags = TH_PUSH | TH_ACK;
1739  p->flowflags = FLOW_PKT_TOCLIENT;
1740  p->payload_len = sizeof(response1);
1741  p->payload = response1;
1742  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1743  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1744  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1745  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1746  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1747  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1748  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1749  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1750  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1751  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1752  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1753  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1754 
1755  /* partial response ack */
1756  p->tcph->th_ack = htonl(5);
1757  p->tcph->th_seq = htonl(88);
1758  p->tcph->th_flags = TH_ACK;
1759  p->flowflags = FLOW_PKT_TOSERVER;
1760  p->payload_len = 0;
1761  p->payload = NULL;
1762  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1763  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1764  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1765  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1766  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1767  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1768  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1769  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1770  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1771  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1772  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1773  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1774 
1775  /* remaining response */
1776  uint8_t response2[] = {
1777  0x2f, 0x31, 0x2e, 0x31,
1778  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1779  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1780  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1781  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1782  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1783  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1784  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1785  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1786  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1787  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1788  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1789  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1790  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1791  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1792  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1793  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1794  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1795  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1796  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1797  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1798  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1799  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1800  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1801  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1802  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1803  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1804  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1805  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1806  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1807  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1808  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1809  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1810  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1811  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1812  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1813  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1814  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1815  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1816  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1817  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1818  PrintRawDataFp(stdout, response2, sizeof(response2));
1819  p->tcph->th_ack = htonl(88);
1820  p->tcph->th_seq = htonl(5);
1821  p->tcph->th_flags = TH_PUSH | TH_ACK;
1822  p->flowflags = FLOW_PKT_TOCLIENT;
1823  p->payload_len = sizeof(response2);
1824  p->payload = response2;
1825  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1826  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1827  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1828  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1829  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1830  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1831  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1832  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1833  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1834  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1835  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1836  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1837 
1838  /* response ack */
1839  p->tcph->th_ack = htonl(328);
1840  p->tcph->th_seq = htonl(88);
1841  p->tcph->th_flags = TH_ACK;
1842  p->flowflags = FLOW_PKT_TOSERVER;
1843  p->payload_len = 0;
1844  p->payload = NULL;
1845  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1846  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1847  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1848  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1849  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1850  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1851  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1852  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1853  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1854  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1855  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1856  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1857 
1858  TEST_END;
1859  PASS;
1860 }
1861 
1862 /**
1863  * \test RUBBISH -> HTTP/1.1
1864  */
1865 static int AppLayerTest05(void)
1866 {
1867  TEST_START;
1868 
1869  /* full request */
1870  uint8_t request[] = {
1871  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1872  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1873  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1874  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1875  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1876  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1877  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1878  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1879  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1880  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1881  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1882  PrintRawDataFp(stdout, request, sizeof(request));
1883  p->tcph->th_ack = htonl(1);
1884  p->tcph->th_seq = htonl(1);
1885  p->tcph->th_flags = TH_PUSH | TH_ACK;
1886  p->flowflags = FLOW_PKT_TOSERVER;
1887  p->payload_len = sizeof(request);
1888  p->payload = request;
1889  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1890  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1891  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1892  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1893  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1894  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1895  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1896  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1897  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1898  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1899  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1900  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1901 
1902  /* full response - request ack */
1903  uint8_t response[] = {
1904  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1905  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1906  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1907  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1908  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1909  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1910  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1911  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1912  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1913  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1914  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1915  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1916  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1917  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1918  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1919  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1920  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1921  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1922  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1923  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1924  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1925  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1926  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1927  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1928  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1929  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1930  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1931  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1932  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1933  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1934  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1935  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1936  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1937  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1938  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1939  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1940  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1941  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1942  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1943  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1944  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1945  PrintRawDataFp(stdout, response, sizeof(response));
1946  p->tcph->th_ack = htonl(88);
1947  p->tcph->th_seq = htonl(1);
1948  p->tcph->th_flags = TH_PUSH | TH_ACK;
1949  p->flowflags = FLOW_PKT_TOCLIENT;
1950  p->payload_len = sizeof(response);
1951  p->payload = response;
1952  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1953  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1954  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1955  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1956  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1957  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1958  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1959  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1960  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1961  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1962  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1963  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1964 
1965  /* response ack */
1966  p->tcph->th_ack = htonl(328);
1967  p->tcph->th_seq = htonl(88);
1968  p->tcph->th_flags = TH_ACK;
1969  p->flowflags = FLOW_PKT_TOSERVER;
1970  p->payload_len = 0;
1971  p->payload = NULL;
1972  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1973  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1974  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1975  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1976  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1977  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1978  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1979  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1980  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1981  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1982  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1983  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1984 
1985  TEST_END;
1986  PASS;
1987 }
1988 
1989 /**
1990  * \test HTTP/1.1 -> GET
1991  */
1992 static int AppLayerTest06(void)
1993 {
1994  TEST_START;
1995 
1996  /* full response - request ack */
1997  uint8_t response[] = {
1998  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1999  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2000  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2001  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2002  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2003  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2004  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2005  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2006  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2007  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2008  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2009  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2010  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2011  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2012  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2013  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2014  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2015  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2016  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2017  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2018  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2019  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2020  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2021  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2022  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2023  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2024  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2025  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2026  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2027  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2028  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2029  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2030  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2031  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2032  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2033  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2034  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2035  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2036  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2037  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2038  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2039  p->tcph->th_ack = htonl(1);
2040  p->tcph->th_seq = htonl(1);
2041  p->tcph->th_flags = TH_PUSH | TH_ACK;
2042  p->flowflags = FLOW_PKT_TOCLIENT;
2043  p->payload_len = sizeof(response);
2044  p->payload = response;
2045  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2046  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2047  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2048  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2049  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2050  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2051  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2052  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2053  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2054  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2055  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2056  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2057 
2058  /* full request - response ack*/
2059  uint8_t request[] = {
2060  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2061  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2062  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2063  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2064  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2065  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2066  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2067  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2068  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2069  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2070  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2071  p->tcph->th_ack = htonl(328);
2072  p->tcph->th_seq = htonl(1);
2073  p->tcph->th_flags = TH_PUSH | TH_ACK;
2074  p->flowflags = FLOW_PKT_TOSERVER;
2075  p->payload_len = sizeof(request);
2076  p->payload = request;
2077  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2078  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2079  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2080  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2081  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2082  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2083  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2084  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2085  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2086  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2087  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2088  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2089 
2090  p->tcph->th_ack = htonl(1 + sizeof(request));
2091  p->tcph->th_seq = htonl(328);
2092  p->tcph->th_flags = TH_PUSH | TH_ACK;
2093  p->flowflags = FLOW_PKT_TOCLIENT;
2094  p->payload_len = 0;
2095  p->payload = NULL;
2096  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2097  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2098  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2099  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2100  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2101  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2102  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2103  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2104  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2105  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2106  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2107  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2108 
2109  TEST_END;
2110  PASS;
2111 }
2112 
2113 /**
2114  * \test GET -> DCERPC
2115  */
2116 static int AppLayerTest07(void)
2117 {
2118  TEST_START;
2119 
2120  /* full request */
2121  uint8_t request[] = {
2122  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2123  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2124  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2125  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2126  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2127  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2128  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2129  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2130  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2131  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2132  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2133  p->tcph->th_ack = htonl(1);
2134  p->tcph->th_seq = htonl(1);
2135  p->tcph->th_flags = TH_PUSH | TH_ACK;
2136  p->flowflags = FLOW_PKT_TOSERVER;
2137  p->payload_len = sizeof(request);
2138  p->payload = request;
2139  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2140  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2141  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2142  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2143  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2144  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2145  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2146  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2147  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2148  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2149  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2150  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2151 
2152  /* full response - request ack */
2153  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2154  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2155  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2156  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2157  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2158  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2159  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2160  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2161  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2162  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2163  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2164  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2165  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2166  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2167  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2168  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2169  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2170  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2171  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2172  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2173  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2174  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2175  p->tcph->th_ack = htonl(88);
2176  p->tcph->th_seq = htonl(1);
2177  p->tcph->th_flags = TH_PUSH | TH_ACK;
2178  p->flowflags = FLOW_PKT_TOCLIENT;
2179  p->payload_len = sizeof(response);
2180  p->payload = response;
2181  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2182  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2183  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2184  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2185  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2186  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2187  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2188  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2189  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2190  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2191  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2192  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2193 
2194  /* response ack */
2195  p->tcph->th_ack = htonl(328);
2196  p->tcph->th_seq = htonl(88);
2197  p->tcph->th_flags = TH_ACK;
2198  p->flowflags = FLOW_PKT_TOSERVER;
2199  p->payload_len = 0;
2200  p->payload = NULL;
2201  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2202  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2203  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2204  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2205  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2206  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2207  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2208  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2209  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2210  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2211  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2212  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2213 
2214  TEST_END;
2215  PASS;
2216 }
2217 
2218 /**
2219  * \test SMB -> HTTP/1.1
2220  */
2221 static int AppLayerTest08(void)
2222 {
2223  TEST_START;
2224 
2225  /* full request */
2226  uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68,
2227  0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48,
2228  0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d,
2229  0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70,
2230  0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2231  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2232  p->tcph->th_ack = htonl(1);
2233  p->tcph->th_seq = htonl(1);
2234  p->tcph->th_flags = TH_PUSH | TH_ACK;
2235  p->flowflags = FLOW_PKT_TOSERVER;
2236  p->payload_len = sizeof(request);
2237  p->payload = request;
2238  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2239  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2240  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2241  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2242  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2243  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2244  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2245  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2246  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2247  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2248  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2249  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2250 
2251  /* full response - request ack */
2252  uint8_t response[] = {
2253  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2254  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2255  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2256  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2257  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2258  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2259  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2260  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2261  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2262  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2263  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2264  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2265  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2266  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2267  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2268  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2269  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2270  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2271  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2272  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2273  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2274  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2275  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2276  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2277  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2278  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2279  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2280  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2281  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2282  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2283  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2284  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2285  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2286  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2287  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2288  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2289  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2290  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2291  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2292  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2293  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2294  p->tcph->th_ack = htonl(88);
2295  p->tcph->th_seq = htonl(1);
2296  p->tcph->th_flags = TH_PUSH | TH_ACK;
2297  p->flowflags = FLOW_PKT_TOCLIENT;
2298  p->payload_len = sizeof(response);
2299  p->payload = response;
2300  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2301  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2302  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2303  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2304  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2305  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2306  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2307  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2308  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2309  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2310  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2311  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2312 
2313  /* response ack */
2314  p->tcph->th_ack = htonl(328);
2315  p->tcph->th_seq = htonl(88);
2316  p->tcph->th_flags = TH_ACK;
2317  p->flowflags = FLOW_PKT_TOSERVER;
2318  p->payload_len = 0;
2319  p->payload = NULL;
2320  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2321  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2322  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2323  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2324  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2325  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2326  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2327  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2328  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2329  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2330  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2331  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2332 
2333  TEST_END;
2334  PASS;
2335 }
2336 
2337 /**
2338  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2339  * RUBBISH(TC - PM and PP DONE) ->
2340  * RUBBISH(TS - PM and PP DONE)
2341  */
2342 static int AppLayerTest09(void)
2343 {
2344  TEST_START;
2345 
2346  /* full request */
2347  uint8_t request1[] = {
2348  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2349  p->tcph->th_ack = htonl(1);
2350  p->tcph->th_seq = htonl(1);
2351  p->tcph->th_flags = TH_PUSH | TH_ACK;
2352  p->flowflags = FLOW_PKT_TOSERVER;
2353  p->payload_len = sizeof(request1);
2354  p->payload = request1;
2355  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2356  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2357  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2358  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2359  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2360  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2361  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2362  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2363  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2364  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2365  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2366  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2367 
2368  /* response - request ack */
2369  p->tcph->th_ack = htonl(9);
2370  p->tcph->th_seq = htonl(1);
2371  p->tcph->th_flags = TH_PUSH | TH_ACK;
2372  p->flowflags = FLOW_PKT_TOCLIENT;
2373  p->payload_len = 0;
2374  p->payload = NULL;
2375  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2376  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2377  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2378  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2379  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2380  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2381  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2382  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2383  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2384  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2385  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2386  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2387 
2388  /* full request */
2389  uint8_t request2[] = {
2390  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2391  p->tcph->th_ack = htonl(1);
2392  p->tcph->th_seq = htonl(9);
2393  p->tcph->th_flags = TH_PUSH | TH_ACK;
2394  p->flowflags = FLOW_PKT_TOSERVER;
2395  p->payload_len = sizeof(request2);
2396  p->payload = request2;
2397  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2398  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2399  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2400  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2401  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2402  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2403  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2404  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2405  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2406  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2407  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2408  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2409 
2410  /* full response - request ack */
2411  uint8_t response[] = {
2412  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2413  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2414  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2415  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2416  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2417  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2418  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2419  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2420  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2421  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2422  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2423  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2424  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2425  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2426  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2427  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2428  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2429  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2430  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2431  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2432  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2433  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2434  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2435  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2436  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2437  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2438  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2439  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2440  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2441  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2442  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2443  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2444  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2445  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2446  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2447  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2448  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2449  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2450  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2451  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2452  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2453  p->tcph->th_ack = htonl(18);
2454  p->tcph->th_seq = htonl(1);
2455  p->tcph->th_flags = TH_PUSH | TH_ACK;
2456  p->flowflags = FLOW_PKT_TOCLIENT;
2457  p->payload_len = sizeof(response);
2458  p->payload = response;
2459  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2460  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2461  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2462  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2463  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2464  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2465  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2466  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2467  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2468  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2469  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2470  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2471 
2472  /* response ack */
2473  p->tcph->th_ack = htonl(328);
2474  p->tcph->th_seq = htonl(18);
2475  p->tcph->th_flags = TH_ACK;
2476  p->flowflags = FLOW_PKT_TOSERVER;
2477  p->payload_len = 0;
2478  p->payload = NULL;
2479  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2480  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2481  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2482  FAIL_IF(f.alproto != ALPROTO_FAILED);
2483  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2484  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2485  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2486  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2487  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2488  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2489  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2490  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2491 
2492  TEST_END;
2493  PASS;
2494 }
2495 
2496 /**
2497  * \test RUBBISH(TC - PM and PP DONE) ->
2498  * RUBBISH(TS - PM and PP DONE)
2499  */
2500 static int AppLayerTest10(void)
2501 {
2502  TEST_START;
2503 
2504  /* full request */
2505  uint8_t request1[] = {
2506  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2507  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2508  p->tcph->th_ack = htonl(1);
2509  p->tcph->th_seq = htonl(1);
2510  p->tcph->th_flags = TH_PUSH | TH_ACK;
2511  p->flowflags = FLOW_PKT_TOSERVER;
2512  p->payload_len = sizeof(request1);
2513  p->payload = request1;
2514  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2515  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2516  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2517  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2518  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2519  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2520  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2521  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2522  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2523  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2524  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2525  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2526 
2527  /* response - request ack */
2528  p->tcph->th_ack = htonl(18);
2529  p->tcph->th_seq = htonl(1);
2530  p->tcph->th_flags = TH_PUSH | TH_ACK;
2531  p->flowflags = FLOW_PKT_TOCLIENT;
2532  p->payload_len = 0;
2533  p->payload = NULL;
2534  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2535  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2536  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2537  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2538  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2539  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2540  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2541  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2542  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2543  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2544  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2545  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2546 
2547  /* full response - request ack */
2548  uint8_t response[] = {
2549  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2550  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2551  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2552  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2553  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2554  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2555  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2556  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2557  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2558  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2559  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2560  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2561  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2562  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2563  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2564  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2565  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2566  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2567  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2568  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2569  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2570  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2571  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2572  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2573  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2574  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2575  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2576  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2577  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2578  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2579  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2580  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2581  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2582  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2583  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2584  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2585  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2586  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2587  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2588  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2589  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2590  p->tcph->th_ack = htonl(18);
2591  p->tcph->th_seq = htonl(1);
2592  p->tcph->th_flags = TH_PUSH | TH_ACK;
2593  p->flowflags = FLOW_PKT_TOCLIENT;
2594  p->payload_len = sizeof(response);
2595  p->payload = response;
2596  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2597  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2598  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2599  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2600  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2601  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2602  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2603  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2604  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2605  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2606  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2607  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2608 
2609  /* response ack */
2610  p->tcph->th_ack = htonl(328);
2611  p->tcph->th_seq = htonl(18);
2612  p->tcph->th_flags = TH_ACK;
2613  p->flowflags = FLOW_PKT_TOSERVER;
2614  p->payload_len = 0;
2615  p->payload = NULL;
2616  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2617  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2618  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2619  FAIL_IF(f.alproto != ALPROTO_FAILED);
2620  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2621  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2622  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2623  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2624  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2625  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2626  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2627  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2628 
2629  TEST_END;
2630  PASS;
2631 }
2632 
2633 /**
2634  * \test RUBBISH(TC - PM and PP DONE) ->
2635  * RUBBISH(TS - PM and PP NOT DONE) ->
2636  * RUBBISH(TS - PM and PP DONE)
2637  */
2638 static int AppLayerTest11(void)
2639 {
2640  TEST_START;
2641 
2642  /* full request */
2643  uint8_t request1[] = {
2644  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2645  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2646  p->tcph->th_ack = htonl(1);
2647  p->tcph->th_seq = htonl(1);
2648  p->tcph->th_flags = TH_PUSH | TH_ACK;
2649  p->flowflags = FLOW_PKT_TOSERVER;
2650  p->payload_len = sizeof(request1);
2651  p->payload = request1;
2652  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2653  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2654  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2655  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2656  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2657  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2658  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2659  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2660  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2661  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2662  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2663  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2664 
2665  /* response - request ack */
2666  p->tcph->th_ack = htonl(18);
2667  p->tcph->th_seq = htonl(1);
2668  p->tcph->th_flags = TH_PUSH | TH_ACK;
2669  p->flowflags = FLOW_PKT_TOCLIENT;
2670  p->payload_len = 0;
2671  p->payload = NULL;
2672  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2673  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2674  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2675  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2676  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2677  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2678  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2679  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2680  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2681  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2682  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2683  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2684 
2685  /* full response - request ack */
2686  uint8_t response1[] = {
2687  0x55, 0x74, 0x54, 0x50, };
2688  p->tcph->th_ack = htonl(18);
2689  p->tcph->th_seq = htonl(1);
2690  p->tcph->th_flags = TH_PUSH | TH_ACK;
2691  p->flowflags = FLOW_PKT_TOCLIENT;
2692  p->payload_len = sizeof(response1);
2693  p->payload = response1;
2694  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2695  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2696  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2697  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2698  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2699  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2700  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2701  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2702  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2703  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2704  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2705  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2706 
2707  /* response ack from request */
2708  p->tcph->th_ack = htonl(5);
2709  p->tcph->th_seq = htonl(18);
2710  p->tcph->th_flags = TH_ACK;
2711  p->flowflags = FLOW_PKT_TOSERVER;
2712  p->payload_len = 0;
2713  p->payload = NULL;
2714  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2715  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2716  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2717  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2718  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2719  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2720  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2721  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2722  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2723  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2724  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2725  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2726 
2727  uint8_t response2[] = {
2728  0x2f, 0x31, 0x2e, 0x31,
2729  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2730  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2731  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2732  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2733  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2734  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2735  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2736  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2737  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2738  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2739  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2740  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2741  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2742  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2743  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2744  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2745  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2746  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2747  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2748  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2749  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2750  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2751  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2752  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2753  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2754  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2755  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2756  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2757  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2758  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2759  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2760  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2761  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2762  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2763  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2764  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2765  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2766  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2767  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2768  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2769  p->tcph->th_ack = htonl(18);
2770  p->tcph->th_seq = htonl(5);
2771  p->tcph->th_flags = TH_PUSH | TH_ACK;
2772  p->flowflags = FLOW_PKT_TOCLIENT;
2773  p->payload_len = sizeof(response2);
2774  p->payload = response2;
2775  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2776  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2777  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2778  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2779  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2780  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2781  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2782  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2783  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2784  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2785  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2786  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2787 
2788  /* response ack from request */
2789  p->tcph->th_ack = htonl(328);
2790  p->tcph->th_seq = htonl(18);
2791  p->tcph->th_flags = TH_ACK;
2792  p->flowflags = FLOW_PKT_TOSERVER;
2793  p->payload_len = 0;
2794  p->payload = NULL;
2795  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2796  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2797  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2798  FAIL_IF(f.alproto != ALPROTO_FAILED);
2799  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2800  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2801  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2802  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2803  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2804  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2805  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2806  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2807 
2808  TEST_END;
2809  PASS;
2810 }
2811 
2812 void AppLayerUnittestsRegister(void)
2813 {
2814  SCEnter();
2815 
2816  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2817  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2818  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2819  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2820  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2821  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2822  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2823  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2824  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2825  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2826  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2827 
2828  SCReturn;
2829 }
2830 
2831 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:86
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:280
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:223
Packet_::proto
uint8_t proto
Definition: decode.h:452
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:282
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:48
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:68
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:88
AppLayerCounters_
Definition: app-layer.c:85
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:146
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1721
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:87
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:97
stream-tcp.h
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6853
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:598
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1029
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1034
Flow_::proto
uint8_t proto
Definition: flow.h:371
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:577
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:467
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:49
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:187
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:64
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:349
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:130
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:90
Flow_::protomap
uint8_t protomap
Definition: flow.h:443
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:74
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1162
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:230
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1132
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:454
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:167
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1029
AppLayerCounterNames_
Definition: app-layer.c:76
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1633
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:313
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:221
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6429
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2812
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:83
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:944
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1052
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:461
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:115
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:75
Flow_::protoctx
void * protoctx
Definition: flow.h:439
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:138
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:578
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:604
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:930
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:182
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:89
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:979
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1038
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:75
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:271
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:473
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1736
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:964
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1353
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:50
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:173
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:139
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:272
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1042
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:397
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:490
util-exception-policy.h
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:51
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:991
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5312
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:1051
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1869
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1187
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:52
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:207
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:135
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:101
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy.h:27
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:261
SCReturn
#define SCReturn
Definition: util-debug.h:273
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:279
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:97
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
Packet_
Definition: decode.h:430
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:807
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:101
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:299
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:717
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:146
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:173
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:222
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:457
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:292
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1304
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:451
suricata-common.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir dir)
handle TCP data for the app-layer.
Definition: app-layer.c:643
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:281
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:557
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1751
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:91
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:464
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:100
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:154
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1039
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1594
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:284
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2101
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1419
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1963
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2059
str
#define str(s)
Definition: suricata-common.h:291
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:417
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:79
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:449
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6859
Flow_::alstate
void * alstate
Definition: flow.h:474
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1012
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
Flow_::flags
uint32_t flags
Definition: flow.h:419
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:89
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:937
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:159
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:122
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:228
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
TEST_END
#define TEST_END
Definition: app-layer.c:1269
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:53
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:173
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2016
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:95
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:77
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:233
TcpSession_
Definition: stream-tcp-private.h:283
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:450
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:73
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1522
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:448
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:971
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:196
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1173
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2084
app-layer.h