suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-htp-range.h"
35 #include "app-layer-detect-proto.h"
36 #include "app-layer-frames.h"
37 #include "app-layer-events.h"
38 #include "stream-tcp-reassemble.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-inline.h"
41 #include "stream-tcp.h"
42 #include "flow.h"
43 #include "flow-util.h"
44 #include "flow-private.h"
45 #include "ippair.h"
46 #include "util-debug.h"
47 #include "util-print.h"
48 #include "util-profiling.h"
49 #include "util-validate.h"
50 #include "decode-events.h"
51 #include "app-layer-htp-mem.h"
52 #include "util-exception-policy.h"
53 
54 extern bool g_stats_eps_per_app_proto_errors;
55 /**
56  * \brief This is for the app layer in general and it contains per thread
57  * context relevant to both the alpd and alp.
58  */
59 struct AppLayerThreadCtx_ {
60  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
61  AppLayerProtoDetectThreadCtx *alpd_tctx;
62  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
63  AppLayerParserThreadCtx *alp_tctx;
64 
65 #ifdef PROFILING
66  uint64_t ticks_start;
67  uint64_t ticks_end;
68  uint64_t ticks_spent;
69  AppProto alproto;
70  uint64_t proto_detect_ticks_start;
71  uint64_t proto_detect_ticks_end;
72  uint64_t proto_detect_ticks_spent;
73 #endif
74 };
75 
76 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
77 
78 #define MAX_COUNTER_SIZE 64
79 typedef struct AppLayerCounterNames_ {
80  char name[MAX_COUNTER_SIZE];
81  char tx_name[MAX_COUNTER_SIZE];
82  char gap_error[MAX_COUNTER_SIZE];
83  char parser_error[MAX_COUNTER_SIZE];
84  char internal_error[MAX_COUNTER_SIZE];
85  char alloc_error[MAX_COUNTER_SIZE];
86  char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE];
87 } AppLayerCounterNames;
88 
89 typedef struct AppLayerCounters_ {
90  StatsCounterId counter_id;
91  StatsCounterId counter_tx_id;
92  StatsCounterId gap_error_id;
93  StatsCounterId parser_error_id;
94  StatsCounterId internal_error_id;
95  StatsCounterId alloc_error_id;
96  ExceptionPolicyCounters eps_error;
97 } AppLayerCounters;
98 
99 /* counter names. Only used at init. */
100 AppLayerCounterNames (*applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX];
101 /* counter id's. Used that runtime. */
102 AppLayerCounters (*applayer_counters)[FLOW_PROTO_APPLAYER_MAX];
103 /* Exception policy global counters ids */
104 ExceptionPolicyCounters eps_error_summary;
105 
106 /* Settings order as in the enum */
107 // clang-format off
108 ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
109  .valid_settings_ids = {
110  /* EXCEPTION_POLICY_NOT_SET */ false,
111  /* EXCEPTION_POLICY_AUTO */ false,
112  /* EXCEPTION_POLICY_PASS_PACKET */ true,
113  /* EXCEPTION_POLICY_PASS_FLOW */ true,
114  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
115  /* EXCEPTION_POLICY_DROP_PACKET */ false,
116  /* EXCEPTION_POLICY_DROP_FLOW */ false,
117  /* EXCEPTION_POLICY_REJECT */ true,
118  /* EXCEPTION_POLICY_REJECT_BOTH */ true,
119  },
120  .valid_settings_ips = {
121  /* EXCEPTION_POLICY_NOT_SET */ false,
122  /* EXCEPTION_POLICY_AUTO */ false,
123  /* EXCEPTION_POLICY_PASS_PACKET */ true,
124  /* EXCEPTION_POLICY_PASS_FLOW */ true,
125  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
126  /* EXCEPTION_POLICY_DROP_PACKET */ true,
127  /* EXCEPTION_POLICY_DROP_FLOW */ true,
128  /* EXCEPTION_POLICY_REJECT */ true,
129  /* EXCEPTION_POLICY_REJECT_BOTH */ true,
130  },
131 };
132 // clang-format on
133 
134 void AppLayerSetupCounters(void);
135 void AppLayerDeSetupCounters(void);
136 
137 /***** L7 layer dispatchers *****/
138 
139 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
140  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
141  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
142  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
143 }
144 
145 /**
146  * \note id can be 0 if protocol parser is disabled but detection
147  * is enabled.
148  */
149 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
150 {
151  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].counter_id;
152  if (likely(tv && id.id > 0)) {
153  StatsCounterIncr(&tv->stats, id);
154  }
155 }
156 
157 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, int64_t step)
158 {
159  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].counter_tx_id;
160  if (likely(tv && id.id > 0)) {
161  StatsCounterAddI64(&tv->stats, id, step);
162  }
163 }
164 
165 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
166 {
167  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].gap_error_id;
168  if (likely(tv && id.id > 0)) {
169  StatsCounterIncr(&tv->stats, id);
170  }
171 }
172 
173 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
174 {
175  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].alloc_error_id;
176  if (likely(tv && id.id > 0)) {
177  StatsCounterIncr(&tv->stats, id);
178  }
179 }
180 
181 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
182 {
183  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].parser_error_id;
184  if (likely(tv && id.id > 0)) {
185  StatsCounterIncr(&tv->stats, id);
186  }
187 }
188 
189 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
190 {
191  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].internal_error_id;
192  if (likely(tv && id.id > 0)) {
193  StatsCounterIncr(&tv->stats, id);
194  }
195 }
196 
197 static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum ExceptionPolicy policy)
198 {
199 #ifdef UNITTESTS
200  if (tv == NULL) {
201  return;
202  }
203 #endif
204  StatsCounterId id = applayer_counters[f->alproto][f->protomap].eps_error.eps_id[policy];
205  /* for the summary values */
206  StatsCounterId g_id = eps_error_summary.eps_id[policy];
207 
208  if (likely(id.id > 0)) {
209  StatsCounterIncr(&tv->stats, id);
210  }
211  if (likely(g_id.id > 0)) {
212  StatsCounterIncr(&tv->stats, g_id);
213  }
214 }
215 
216 /* in IDS mode protocol detection is done in reverse order:
217  * when TCP data is ack'd. We want to flag the correct packet,
218  * so in this case we set a flag in the flow so that the first
219  * packet in the correct direction can be tagged.
220  *
221  * For IPS we update packet and flow. */
222 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
223 {
224  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
225  if (flags & STREAM_TOSERVER) {
226  if (p->flowflags & FLOW_PKT_TOSERVER) {
227  p->flags |= PKT_PROTO_DETECT_TS_DONE;
228  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
229  } else {
230  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
231  }
232  } else {
233  if (p->flowflags & FLOW_PKT_TOCLIENT) {
234  p->flags |= PKT_PROTO_DETECT_TC_DONE;
235  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
236  } else {
237  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
238  }
239  }
240  } else {
241  if (flags & STREAM_TOSERVER) {
242  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
243  } else {
244  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
245  }
246  }
247 }
248 
249 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
250 {
251  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
252  f, f->alproto, f->alproto_ts, f->alproto_tc);
253  FlowCleanupAppLayer(f);
254  StreamTcpDisableAppLayer(f);
255  TcpSession *ssn = f->protoctx;
256  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
257  f->alproto = ALPROTO_FAILED;
258  AppLayerIncFlowCounter(tv, f);
259 
260  if (f->alproto_tc != ALPROTO_FAILED) {
261  if (f->alproto_tc == ALPROTO_UNKNOWN) {
262  f->alproto_tc = ALPROTO_FAILED;
263  }
264  FlagPacketFlow(p, f, STREAM_TOCLIENT);
265  }
266  if (f->alproto_ts != ALPROTO_FAILED) {
267  if (f->alproto_ts == ALPROTO_UNKNOWN) {
268  f->alproto_ts = ALPROTO_FAILED;
269  }
270  FlagPacketFlow(p, f, STREAM_TOSERVER);
271  }
272  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
273  f, f->alproto, f->alproto_ts, f->alproto_tc);
274 }
275 
276 /* See if we're going to have to give up:
277  *
278  * If we're getting a lot of data in one direction and the
279  * proto for this direction is unknown, proto detect will
280  * hold up segments in the segment list in the stream.
281  * They are held so that if we detect the protocol on the
282  * opposing stream, we can still parse this side of the stream
283  * as well. However, some sessions are very unbalanced. FTP
284  * data channels, large PUT/POST request and many others, can
285  * lead to cases where we would have to store many megabytes
286  * worth of segments before we see the opposing stream. This
287  * leads to risks of resource starvation.
288  *
289  * Here a cutoff point is enforced. If we've stored 100k in
290  * one direction and we've seen no data in the other direction,
291  * we give up.
292  *
293  * Giving up means we disable applayer an set an applayer event
294  */
295 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
296  Flow *f, TcpSession *ssn, Packet *p)
297 {
298  if (ssn->state < TCP_ESTABLISHED) {
299  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
300  return;
301  }
302 
303  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
304  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
305  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
306 
307  /* at least 100000 whatever the conditions
308  * and can be more if window is bigger and if configuration allows it */
309  const uint32_t size_tc_limit =
310  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
311  const uint32_t size_ts_limit =
312  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
313 
314  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
315  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
316  {
317  goto failure;
318 
319  /* we bail out whatever the pp and pm states if
320  * we received too much data */
321  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
322  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
323  goto failure;
324 
325  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
326  size_ts > size_ts_limit && size_tc == 0) {
327  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
328  goto failure;
329 
330  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
331  size_tc > size_tc_limit && size_ts == 0) {
332  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
333  goto failure;
334 
335  /* little data in ts direction, pp done, pm not done (max
336  * depth not reached), ts direction done, lots of data in
337  * tc direction. */
338  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
339  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
340  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
341  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
342  goto failure;
343 
344  /* little data in tc direction, pp done, pm not done (max
345  * depth not reached), tc direction done, lots of data in
346  * ts direction. */
347  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
348  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
349  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
350  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
351  goto failure;
352  }
353  return;
354 
355 failure:
356  DisableAppLayer(tv, f, p);
357 }
358 
359 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
360  Packet *p, TcpSession *ssn, const TcpStream *stream)
361 {
362  TcpStream *opposing_stream = NULL;
363  if (stream == &ssn->client) {
364  opposing_stream = &ssn->server;
365  } else {
366  opposing_stream = &ssn->client;
367  }
368 
369  /* if the opposing side is not going to work, then
370  * we just have to give up. */
371  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
372  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
373  return -1;
374  }
375 
376  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
377  UPDATE_DIR_OPPOSING :
378  UPDATE_DIR_PACKET;
379  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
380  opposing_stream, p, dir);
381  return ret;
382 }
383 
384 extern enum ExceptionPolicy g_applayerparser_error_policy;
385 
386 /** \todo data const
387  * \retval int -1 error
388  * \retval int 0 ok
389  */
390 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
391  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
392  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
393 {
394  AppProto *alproto;
395  AppProto *alproto_otherdir;
396  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
397 
398  if (flags & STREAM_TOSERVER) {
399  alproto = &f->alproto_ts;
400  alproto_otherdir = &f->alproto_tc;
401  } else {
402  alproto = &f->alproto_tc;
403  alproto_otherdir = &f->alproto_ts;
404  }
405 
406  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
407 #ifdef PRINT
408  if (data_len > 0) {
409  printf("=> Init Stream Data (app layer) -- start %s%s\n",
410  flags & STREAM_TOCLIENT ? "toclient" : "",
411  flags & STREAM_TOSERVER ? "toserver" : "");
412  PrintRawDataFp(stdout, data, data_len);
413  printf("=> Init Stream Data -- end\n");
414  }
415 #endif
416 
417  bool reverse_flow = false;
418  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
419  PACKET_PROFILING_APP_PD_START(app_tctx);
420  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
421  f, data, data_len,
422  IPPROTO_TCP, flags, &reverse_flow);
423  PACKET_PROFILING_APP_PD_END(app_tctx);
424  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
425 
426  if (*alproto != ALPROTO_UNKNOWN) {
427  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
428  SCAppLayerDecoderEventsSetEventRaw(
429  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
430 
431  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
432  /* if we already invoked the parser, we go with that proto */
433  f->alproto = *alproto_otherdir;
434  } else {
435  /* no data sent to parser yet, we can still choose
436  * we're trusting the server more. */
437  if (flags & STREAM_TOCLIENT)
438  f->alproto = *alproto;
439  else
440  f->alproto = *alproto_otherdir;
441  }
442  } else {
443  f->alproto = *alproto;
444  }
445 
446  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
447  TcpSessionSetReassemblyDepth(ssn,
448  AppLayerParserGetStreamDepth(f));
449  FlagPacketFlow(p, f, flags);
450 
451  /* if protocol detection indicated that we need to reverse
452  * the direction of the flow, do it now. We flip the flow,
453  * packet and the direction flags */
454  if (reverse_flow &&
455  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
456  STREAMTCP_FLAG_MIDSTREAM)) {
457  /* but only if we didn't already detect it on the other side. */
458  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
459  SCLogDebug("reversing flow after proto detect told us so");
460  PacketSwap(p);
461  FlowSwap(f);
462  // Will reset signature groups in DetectRunSetup
463  f->de_ctx_version = UINT32_MAX;
464  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
465  if (*stream == &ssn->client) {
466  *stream = &ssn->server;
467  } else {
468  *stream = &ssn->client;
469  }
470  direction = 1 - direction;
471  } else {
472  // TODO event, error?
473  }
474  }
475 
476  /* account flow if we have both sides */
477  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
478  AppLayerIncFlowCounter(tv, f);
479  }
480 
481  /* if we have seen data from the other direction first, send
482  * data for that direction first to the parser. This shouldn't
483  * be an issue, since each stream processing happens
484  * independently of the other stream direction. At this point of
485  * call, you need to know that this function's already being
486  * called by the very same StreamReassembly() function that we
487  * will now call shortly for the opposing direction. */
488  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
489  !(flags & ssn->data_first_seen_dir))
490  {
491  SCLogDebug("protocol %s needs first data in other direction",
492  AppProtoToString(*alproto));
493 
494  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
495  p, ssn, *stream) != 0)
496  {
497  goto detect_error;
498  }
499  if (FlowChangeProto(f)) {
500  /* We have the first data which requested a protocol change from P1 to P2
501  * even if it was not recognized at first as being P1
502  * As the second data was recognized as P1, the protocol did not change !
503  */
504  FlowUnsetChangeProtoFlag(f);
505  SCAppLayerDecoderEventsSetEventRaw(
506  &p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
507  }
508  }
509 
510  /* if the parser operates such that it needs to see data from
511  * a particular direction first, we check if we have seen
512  * data from that direction first for the flow. IF it is not
513  * the same, we set an event and exit.
514  *
515  * \todo We need to figure out a more robust solution for this,
516  * as this can lead to easy evasion tactics, where the
517  * attacker can first send some dummy data in the wrong
518  * direction first to mislead our proto detection process.
519  * While doing this we need to update the parsers as well,
520  * since the parsers must be robust to see such wrong
521  * direction data.
522  * Either ways the moment we see the
523  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
524  * flow, it shows something's fishy.
525  */
526  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
527  uint8_t first_data_dir;
528  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
529 
530  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
531  SCAppLayerDecoderEventsSetEventRaw(
532  &p->app_layer_events, APPLAYER_WRONG_DIRECTION_FIRST_DATA);
533  goto detect_error;
534  }
535  /* This can happen if the current direction is not the
536  * right direction, and the data from the other(also
537  * the right direction) direction is available to be sent
538  * to the app layer, but it is not ack'ed yet and hence
539  * the forced call to STreamTcpAppLayerReassemble still
540  * hasn't managed to send data from the other direction
541  * to the app layer. */
542  if (first_data_dir && !(first_data_dir & flags)) {
543  FlowCleanupAppLayer(f);
544  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
545  FLOW_RESET_PP_DONE(f, flags);
546  FLOW_RESET_PM_DONE(f, flags);
547  FLOW_RESET_PE_DONE(f, flags);
548  SCReturnInt(-1);
549  }
550  }
551 
552  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
553  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
554 
555  /* finally, invoke the parser */
556  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
557  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
558  flags, data, data_len);
559  PACKET_PROFILING_APP_END(app_tctx);
560  p->app_update_direction = (uint8_t)app_update_dir;
561  if (r != 1) {
562  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
563  }
564  if (r == 0) {
565  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
566  TcpStream *opposing_stream;
567  if (*stream == &ssn->client) {
568  opposing_stream = &ssn->server;
569  } else {
570  opposing_stream = &ssn->client;
571  }
572  if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) {
573  // can happen in detection-only
574  AppLayerIncFlowCounter(tv, f);
575  }
576  }
577  }
578  if (r < 0) {
579  goto parser_error;
580  }
581  } else {
582  /* if the ssn is midstream, we may end up with a case where the
583  * start of an HTTP request is missing. We won't detect HTTP based
584  * on the request. However, the reply is fine, so we detect
585  * HTTP anyway. This leads to passing the incomplete request to
586  * the htp parser.
587  *
588  * This has been observed, where the http parser then saw many
589  * bogus requests in the incomplete data.
590  *
591  * To counter this case, a midstream session MUST find it's
592  * protocol in the toserver direction. If not, we assume the
593  * start of the request/toserver is incomplete and no reliable
594  * detection and parsing is possible. So we give up.
595  */
596  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
597  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
598  {
599  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
600  SCLogDebug("midstream end pd %p", ssn);
601  /* midstream and toserver detection failed: give up */
602  DisableAppLayer(tv, f, p);
603  SCReturnInt(0);
604  }
605  }
606 
607  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
608  uint8_t first_data_dir;
609  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
610 
611  /* this would handle this test case -
612  * http parser which says it wants to see toserver data first only.
613  * tcp handshake
614  * toclient data first received. - RUBBISH DATA which
615  * we don't detect as http
616  * toserver data next sent - we detect this as http.
617  * at this stage we see that toclient is the first data seen
618  * for this session and we try and redetect the app protocol,
619  * but we are unable to detect the app protocol like before.
620  * But since we have managed to detect the protocol for the
621  * other direction as http, we try to use that. At this
622  * stage we check if the direction of this stream matches
623  * to that acceptable by the app parser. If it is not the
624  * acceptable direction we error out.
625  */
626  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
627  (first_data_dir) && !(first_data_dir & flags))
628  {
629  goto detect_error;
630  }
631 
632  /* if protocol detection is marked done for our direction we
633  * pass our data on. We're only succeeded in finding one
634  * direction: the opposing stream
635  *
636  * If PD was not yet complete, we don't do anything.
637  */
638  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
639  if (data_len > 0)
640  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
641 
642  if (*alproto_otherdir != ALPROTO_FAILED) {
643  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
644  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
645  f->alproto, flags,
646  data, data_len);
647  PACKET_PROFILING_APP_END(app_tctx);
648  p->app_update_direction = (uint8_t)app_update_dir;
649  if (r != 1) {
650  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
651  }
652 
653  SCAppLayerDecoderEventsSetEventRaw(
654  &p->app_layer_events, APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
655  TcpSessionSetReassemblyDepth(ssn,
656  AppLayerParserGetStreamDepth(f));
657  AppLayerIncFlowCounter(tv, f);
658 
659  *alproto = *alproto_otherdir;
660  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
661  p->pcap_cnt, *alproto, *alproto_otherdir, r);
662  if (r < 0) {
663  goto parser_error;
664  }
665  }
666  *alproto = ALPROTO_FAILED;
667  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
668  FlagPacketFlow(p, f, flags);
669 
670  } else if (flags & STREAM_EOF) {
671  *alproto = f->alproto;
672  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
673  AppLayerIncFlowCounter(tv, f);
674  }
675  } else {
676  /* both sides unknown, let's see if we need to give up */
677  if (FlowChangeProto(f)) {
678  /* TCPProtoDetectCheckBailConditions does not work well because
679  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
680  * so, we set a lower limit to the data we inspect
681  * We could instead have set ssn->server.sb.stream_offset = 0;
682  */
683  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
684  DisableAppLayer(tv, f, p);
685  }
686  } else {
687  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
688  }
689  }
690  }
691  SCReturnInt(0);
692 parser_error:
693  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
694  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
695  SCReturnInt(-1);
696 detect_error:
697  DisableAppLayer(tv, f, p);
698  SCReturnInt(-2);
699 }
700 
701 /** \brief handle TCP data for the app-layer.
702  *
703  * First run protocol detection and then when the protocol is known invoke
704  * the app layer parser.
705  *
706  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
707  * reversed.
708  */
709 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f,
710  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
711  enum StreamUpdateDir app_update_dir)
712 {
713  SCEnter();
714 
715  DEBUG_ASSERT_FLOW_LOCKED(f);
716  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
717 
718  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
719  AppProto alproto;
720  int r = 0;
721 
722  SCLogDebug("data_len %u flags %02X", data_len, flags);
723  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
724  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
725  goto end;
726  }
727 
728  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
729 
730  if (flags & STREAM_TOSERVER) {
731  alproto = f->alproto_ts;
732  } else {
733  alproto = f->alproto_tc;
734  }
735 
736  /* If a gap notification, relay the notification on to the
737  * app-layer if known. */
738  if (flags & STREAM_GAP) {
739  SCLogDebug("GAP of size %u", data_len);
740  if (alproto == ALPROTO_UNKNOWN) {
741  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
742  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
743  /* if the other side didn't already find the proto, we're done */
744  if (f->alproto == ALPROTO_UNKNOWN) {
745  goto failure;
746  }
747  AppLayerIncFlowCounter(tv, f);
748  }
749  if (FlowChangeProto(f)) {
750  FlowUnsetChangeProtoFlag(f);
751  SCLogDebug("Cannot handle gap while changing protocol");
752  goto failure;
753  }
754  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
755  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
756  flags, data, data_len);
757  PACKET_PROFILING_APP_END(app_tctx);
758  p->app_update_direction = (uint8_t)app_update_dir;
759  /* ignore parser result for gap */
760  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
761  if (r < 0) {
762  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
763  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
764  SCReturnInt(-1);
765  }
766  goto end;
767  }
768 
769  /* if we don't know the proto yet and we have received a stream
770  * initializer message, we run proto detection.
771  * We receive 2 stream init msgs (one for each direction), we
772  * only run the proto detection for both and emit an event
773  * in the case protocols mismatch. */
774  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
775  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
776  /* run protocol detection */
777  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags,
778  app_update_dir) != 0) {
779  goto failure;
780  }
781  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
782  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
783  void *alstate_orig = f->alstate;
784  AppLayerParserState *alparser = f->alparser;
785  // we delay AppLayerParserStateCleanup because we may need previous parser state
786  AppLayerProtoDetectReset(f);
787  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
788  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
789  /* rerun protocol detection */
790  int rd = TCPProtoDetect(
791  tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, app_update_dir);
792  if (f->alproto == ALPROTO_UNKNOWN) {
793  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
794  // not enough data, revert AppLayerProtoDetectReset to rerun detection
795  f->alparser = alparser;
796  f->alproto = f->alproto_orig;
797  f->alproto_tc = f->alproto_orig;
798  f->alproto_ts = f->alproto_orig;
799  } else {
800  FlowUnsetChangeProtoFlag(f);
801  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
802  if (alstate_orig == f->alstate) {
803  // we just freed it
804  f->alstate = NULL;
805  }
806  }
807  if (rd != 0) {
808  SCLogDebug("proto detect failure");
809  goto failure;
810  }
811  SCLogDebug("protocol change, old %s, new %s",
812  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
813 
814  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
815  f->alproto != f->alproto_expect) {
816  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
817 
818  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
819  SCAppLayerDecoderEventsSetEventRaw(
820  &p->app_layer_events, APPLAYER_NO_TLS_AFTER_STARTTLS);
821  }
822  }
823  } else {
824  SCLogDebug("stream data (len %" PRIu32 " alproto "
825  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
826 #ifdef PRINT
827  if (data_len > 0) {
828  printf("=> Stream Data (app layer) -- start %s%s\n",
829  flags & STREAM_TOCLIENT ? "toclient" : "",
830  flags & STREAM_TOSERVER ? "toserver" : "");
831  PrintRawDataFp(stdout, data, data_len);
832  printf("=> Stream Data -- end\n");
833  }
834 #endif
835  /* if we don't have a data object here we are not getting it
836  * a start msg should have gotten us one */
837  if (f->alproto != ALPROTO_UNKNOWN) {
838  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
839  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
840  flags, data, data_len);
841  PACKET_PROFILING_APP_END(app_tctx);
842  p->app_update_direction = (uint8_t)app_update_dir;
843  if (r != 1) {
844  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
845  if (r < 0) {
846  ExceptionPolicyApply(
847  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
848  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
849  SCReturnInt(-1);
850  }
851  }
852  }
853  }
854 
855  goto end;
856  failure:
857  r = -1;
858  end:
859  SCReturnInt(r);
860 }
861 
862 /**
863  * \brief Handle a app layer UDP message
864  *
865  * If the protocol is yet unknown, the proto detection code is run first.
866  *
867  * \param dp_ctx Thread app layer detect context
868  * \param f *locked* flow
869  * \param p UDP packet
870  *
871  * \retval 0 ok
872  * \retval -1 error
873  */
874 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
875 {
876  SCEnter();
877  AppProto *alproto;
878  AppProto *alproto_otherdir;
879 
880  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
881  SCReturnInt(0);
882  }
883 
884  int r = 0;
885  uint8_t flags = 0;
886  if (p->flowflags & FLOW_PKT_TOSERVER) {
887  flags |= STREAM_TOSERVER;
888  alproto = &f->alproto_ts;
889  alproto_otherdir = &f->alproto_tc;
890  } else {
891  flags |= STREAM_TOCLIENT;
892  alproto = &f->alproto_tc;
893  alproto_otherdir = &f->alproto_ts;
894  }
895 
896  AppLayerProfilingReset(tctx);
897 
898  /* if the protocol is still unknown, run detection */
899  if (*alproto == ALPROTO_UNKNOWN) {
900  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
901  p->payload_len);
902 
903  bool reverse_flow = false;
904  PACKET_PROFILING_APP_PD_START(tctx);
905  *alproto = AppLayerProtoDetectGetProto(
906  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
907  PACKET_PROFILING_APP_PD_END(tctx);
908 
909  switch (*alproto) {
910  case ALPROTO_UNKNOWN:
911  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
912  // Use recognized side
913  f->alproto = *alproto_otherdir;
914  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
915  *alproto = *alproto_otherdir;
916  if (*alproto_otherdir == ALPROTO_FAILED) {
917  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
918  }
919  } else {
920  // First side of protocol is unknown
921  *alproto = ALPROTO_FAILED;
922  }
923  break;
924  case ALPROTO_FAILED:
925  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
926  // Use recognized side
927  f->alproto = *alproto_otherdir;
928  if (*alproto_otherdir == ALPROTO_FAILED) {
929  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
930  }
931  }
932  // else wait for second side of protocol
933  break;
934  default:
935  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
936  if (*alproto_otherdir != *alproto) {
937  SCAppLayerDecoderEventsSetEventRaw(
938  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
939  // data already sent to parser, we cannot change the protocol to use the one
940  // of the server
941  }
942  } else {
943  f->alproto = *alproto;
944  }
945  }
946  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
947  if (f->alproto == ALPROTO_UNKNOWN) {
948  // so as to increase stat about .app_layer.flow.failed_udp
949  f->alproto = ALPROTO_FAILED;
950  }
951  // If the other side is unknown, this is the first packet of the flow
952  AppLayerIncFlowCounter(tv, f);
953  }
954 
955  // parse the data if we recognized one protocol
956  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
957  if (reverse_flow) {
958  SCLogDebug("reversing flow after proto detect told us so");
959  PacketSwap(p);
960  FlowSwap(f);
961  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
962  }
963 
964  PACKET_PROFILING_APP_START(tctx, f->alproto);
965  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
966  flags, p->payload, p->payload_len);
967  PACKET_PROFILING_APP_END(tctx);
968  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
969  }
970  PACKET_PROFILING_APP_STORE(tctx, p);
971  /* we do only inspection in one direction, so flag both
972  * sides as done here */
973  FlagPacketFlow(p, f, STREAM_TOSERVER);
974  FlagPacketFlow(p, f, STREAM_TOCLIENT);
975  } else {
976  SCLogDebug("data (len %" PRIu32 " ), alproto "
977  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
978 
979  /* run the parser */
980  PACKET_PROFILING_APP_START(tctx, f->alproto);
981  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
982  flags, p->payload, p->payload_len);
983  PACKET_PROFILING_APP_END(tctx);
984  PACKET_PROFILING_APP_STORE(tctx, p);
985  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
986  }
987  if (r < 0) {
988  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
989  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
990  SCReturnInt(-1);
991  }
992 
993  SCReturnInt(r);
994 }
995 
996 /***** Utility *****/
997 
998 AppProto AppLayerGetProtoByName(const char *alproto_name)
999 {
1000  SCEnter();
1001  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
1002  SCReturnCT(r, "AppProto");
1003 }
1004 
1005 const char *AppLayerGetProtoName(AppProto alproto)
1006 {
1007  SCEnter();
1008  const char * r = AppLayerProtoDetectGetProtoName(alproto);
1009  SCReturnCT(r, "char *");
1010 }
1011 
1012 void AppLayerListSupportedProtocols(void)
1013 {
1014  SCEnter();
1015 
1016  AppProto alproto;
1017  AppProto alprotos[g_alproto_max];
1018 
1019  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1020 
1021  printf("=========Supported App Layer Protocols=========\n");
1022  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1023  if (alprotos[alproto] == 1)
1024  printf("%s\n", AppLayerGetProtoName(alproto));
1025  }
1026 
1027  SCReturn;
1028 }
1029 
1030 /***** Setup/General Registration *****/
1031 static void AppLayerNamesSetup(void)
1032 {
1033  AppProtoRegisterProtoString(ALPROTO_UNKNOWN, "unknown");
1034  AppProtoRegisterProtoString(ALPROTO_FAILED, "failed");
1035  AppProtoRegisterProtoString(ALPROTO_HTTP1, "http1");
1036  AppProtoRegisterProtoString(ALPROTO_FTP, "ftp");
1037  AppProtoRegisterProtoString(ALPROTO_SMTP, "smtp");
1038  AppProtoRegisterProtoString(ALPROTO_TLS, "tls");
1039  AppProtoRegisterProtoString(ALPROTO_SSH, "ssh");
1040  AppProtoRegisterProtoString(ALPROTO_IMAP, "imap");
1041  AppProtoRegisterProtoString(ALPROTO_JABBER, "jabber");
1042  AppProtoRegisterProtoString(ALPROTO_SMB, "smb");
1043  AppProtoRegisterProtoString(ALPROTO_DCERPC, "dcerpc");
1044  AppProtoRegisterProtoString(ALPROTO_IRC, "irc");
1045  AppProtoRegisterProtoString(ALPROTO_DNS, "dns");
1046  AppProtoRegisterProtoString(ALPROTO_MODBUS, "modbus");
1047  AppProtoRegisterProtoString(ALPROTO_ENIP, "enip");
1048  AppProtoRegisterProtoString(ALPROTO_DNP3, "dnp3");
1049  AppProtoRegisterProtoString(ALPROTO_NFS, "nfs");
1050  AppProtoRegisterProtoString(ALPROTO_NTP, "ntp");
1051  AppProtoRegisterProtoString(ALPROTO_FTPDATA, "ftp-data");
1052  AppProtoRegisterProtoString(ALPROTO_TFTP, "tftp");
1053  AppProtoRegisterProtoString(ALPROTO_IKE, "ike");
1054  AppProtoRegisterProtoString(ALPROTO_KRB5, "krb5");
1055  AppProtoRegisterProtoString(ALPROTO_QUIC, "quic");
1056  AppProtoRegisterProtoString(ALPROTO_DHCP, "dhcp");
1057  AppProtoRegisterProtoString(ALPROTO_SIP, "sip");
1058  AppProtoRegisterProtoString(ALPROTO_RFB, "rfb");
1059  AppProtoRegisterProtoString(ALPROTO_MQTT, "mqtt");
1060  AppProtoRegisterProtoString(ALPROTO_PGSQL, "pgsql");
1061  AppProtoRegisterProtoString(ALPROTO_TELNET, "telnet");
1062  AppProtoRegisterProtoString(ALPROTO_WEBSOCKET, "websocket");
1063  AppProtoRegisterProtoString(ALPROTO_LDAP, "ldap");
1064  AppProtoRegisterProtoString(ALPROTO_DOH2, "doh2");
1065  AppProtoRegisterProtoString(ALPROTO_MDNS, "mdns");
1066  AppProtoRegisterProtoString(ALPROTO_TEMPLATE, "template");
1067  AppProtoRegisterProtoString(ALPROTO_RDP, "rdp");
1068  AppProtoRegisterProtoString(ALPROTO_HTTP2, "http2");
1069  AppProtoRegisterProtoString(ALPROTO_BITTORRENT_DHT, "bittorrent-dht");
1070  AppProtoRegisterProtoString(ALPROTO_POP3, "pop3");
1071  AppProtoRegisterProtoString(ALPROTO_HTTP, "http");
1072 }
1073 
1074 int AppLayerSetup(void)
1075 {
1076  SCEnter();
1077 
1078  AppLayerNamesSetup();
1079  AppLayerProtoDetectSetup();
1080  AppLayerParserSetup();
1081 
1082  AppLayerParserRegisterProtocolParsers();
1083  AppLayerProtoDetectPrepareState();
1084 
1085  AppLayerSetupCounters();
1086  FrameConfigInit();
1087 
1088  SCReturnInt(0);
1089 }
1090 
1091 int AppLayerDeSetup(void)
1092 {
1093  SCEnter();
1094 
1095  AppLayerProtoDetectDeSetup();
1096  AppLayerParserDeSetup();
1097 
1098  AppLayerDeSetupCounters();
1099  FrameConfigDeInit();
1100 
1101  SCReturnInt(0);
1102 }
1103 
1104 AppLayerThreadCtx *AppLayerGetCtxThread(void)
1105 {
1106  SCEnter();
1107 
1108  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
1109  if (app_tctx == NULL)
1110  goto error;
1111 
1112  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1113  goto error;
1114  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1115  goto error;
1116 
1117  goto done;
1118  error:
1119  AppLayerDestroyCtxThread(app_tctx);
1120  app_tctx = NULL;
1121  done:
1122  SCReturnPtr(app_tctx, "void *");
1123 }
1124 
1125 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1126 {
1127  SCEnter();
1128 
1129  if (app_tctx == NULL)
1130  SCReturn;
1131 
1132  if (app_tctx->alpd_tctx != NULL)
1133  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1134  if (app_tctx->alp_tctx != NULL)
1135  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1136  SCFree(app_tctx);
1137 
1138  SCReturn;
1139 }
1140 
1141 #ifdef PROFILING
1142 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1143 {
1144  PACKET_PROFILING_APP_RESET(app_tctx);
1145 }
1146 
1147 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1148 {
1149  PACKET_PROFILING_APP_STORE(app_tctx, p);
1150 }
1151 #endif
1152 
1153 /** \brief HACK to work around our broken unix manager (re)init loop
1154  */
1155 void AppLayerRegisterGlobalCounters(void)
1156 {
1157  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1158  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1159  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1160  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1161  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1162  StatsRegisterGlobalCounter("http.byterange.memuse", HTPByteRangeMemuseGlobalCounter);
1163  StatsRegisterGlobalCounter("http.byterange.memcap", HTPByteRangeMemcapGlobalCounter);
1164  StatsRegisterGlobalCounter("ippair.memuse", IPPairGetMemuse);
1165  StatsRegisterGlobalCounter("ippair.memcap", IPPairGetMemcap);
1166  StatsRegisterGlobalCounter("host.memuse", HostGetMemuse);
1167  StatsRegisterGlobalCounter("host.memcap", HostGetMemcap);
1168 }
1169 
1170 static bool IsAppLayerErrorExceptionPolicyStatsValid(enum ExceptionPolicy policy)
1171 {
1172  if (EngineModeIsIPS()) {
1173  return app_layer_error_eps_stats.valid_settings_ips[policy];
1174  }
1175  return app_layer_error_eps_stats.valid_settings_ids[policy];
1176 }
1177 
1178 static void AppLayerSetupExceptionPolicyPerProtoCounters(
1179  uint8_t ipproto_map, AppProto alproto, const char *alproto_str, const char *ipproto_suffix)
1180 {
1181  if (g_stats_eps_per_app_proto_errors &&
1182  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1183  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1184  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1185  snprintf(applayer_counter_names[alproto][ipproto_map].eps_name[i],
1186  sizeof(applayer_counter_names[alproto][ipproto_map].eps_name[i]),
1187  "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix,
1188  ExceptionPolicyEnumToString(i, true));
1189  }
1190  }
1191  }
1192 }
1193 
1194 void AppLayerSetupCounters(void)
1195 {
1196  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1197  AppProto alprotos[g_alproto_max];
1198  const char *str = "app_layer.flow.";
1199  const char *estr = "app_layer.error.";
1200 
1201  applayer_counter_names =
1202  SCCalloc(g_alproto_max, sizeof(AppLayerCounterNames[FLOW_PROTO_APPLAYER_MAX]));
1203  if (unlikely(applayer_counter_names == NULL)) {
1204  FatalError("Unable to alloc applayer_counter_names.");
1205  }
1206  applayer_counters = SCCalloc(g_alproto_max, sizeof(AppLayerCounters[FLOW_PROTO_APPLAYER_MAX]));
1207  if (unlikely(applayer_counters == NULL)) {
1208  FatalError("Unable to alloc applayer_counters.");
1209  }
1210  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1211  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1212  /* Register global counters for app layer error exception policy summary */
1213  const char *eps_default_str = "exception_policy.app_layer.error.";
1214  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1215  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1216  snprintf(app_layer_error_eps_stats.eps_name[i],
1217  sizeof(app_layer_error_eps_stats.eps_name[i]), "%s%s", eps_default_str,
1218  ExceptionPolicyEnumToString(i, true));
1219  }
1220  }
1221  }
1222 
1223  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1224 
1225  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1226  const uint8_t ipproto = ipprotos[p];
1227  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1228  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1229  uint8_t ipprotos_all[256 / 8];
1230 
1231  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1232  if (alprotos[alproto] == 1) {
1233  const char *tx_str = "app_layer.tx.";
1234  const char *alproto_str = AppLayerGetProtoName(alproto);
1235 
1236  memset(ipprotos_all, 0, sizeof(ipprotos_all));
1237  AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
1238  if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
1239  (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
1240  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1241  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s",
1242  str, alproto_str, ipproto_suffix);
1243  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1244  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s%s",
1245  tx_str, alproto_str, ipproto_suffix);
1246 
1247  if (ipproto == IPPROTO_TCP) {
1248  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1249  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1250  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1251  }
1252  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1253  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1254  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1255  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1256  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1257  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1258  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1259  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1260  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1261 
1262  AppLayerSetupExceptionPolicyPerProtoCounters(
1263  ipproto_map, alproto, alproto_str, ipproto_suffix);
1264  } else {
1265  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1266  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s", str,
1267  alproto_str);
1268  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1269  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s",
1270  tx_str, alproto_str);
1271 
1272  if (ipproto == IPPROTO_TCP) {
1273  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1274  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1275  "%s%s.gap", estr, alproto_str);
1276  }
1277  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1278  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1279  "%s%s.alloc", estr, alproto_str);
1280  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1281  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1282  "%s%s.parser", estr, alproto_str);
1283  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1284  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1285  "%s%s.internal", estr, alproto_str);
1286  AppLayerSetupExceptionPolicyPerProtoCounters(
1287  ipproto_map, alproto, alproto_str, "");
1288  }
1289  } else if (alproto == ALPROTO_FAILED) {
1290  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1291  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", str,
1292  "failed", ipproto_suffix);
1293  if (ipproto == IPPROTO_TCP) {
1294  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1295  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1296  "%sfailed%s.gap", estr, ipproto_suffix);
1297  }
1298  }
1299  }
1300  }
1301 }
1302 
1303 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1304 {
1305  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1306  AppProto alprotos[g_alproto_max];
1307  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1308 
1309  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1310  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1311  /* Register global counters for app layer error exception policy summary */
1312  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1313  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1314  eps_error_summary.eps_id[i] =
1315  StatsRegisterCounter(app_layer_error_eps_stats.eps_name[i], &tv->stats);
1316  }
1317  }
1318  }
1319 
1320  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1321  const uint8_t ipproto = ipprotos[p];
1322  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1323 
1324  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1325  if (alprotos[alproto] == 1) {
1326  applayer_counters[alproto][ipproto_map].counter_id = StatsRegisterCounter(
1327  applayer_counter_names[alproto][ipproto_map].name, &tv->stats);
1328 
1329  if (AppLayerParserProtoIsRegistered(ipproto, alproto) != 1)
1330  continue;
1331 
1332  applayer_counters[alproto][ipproto_map].counter_tx_id = StatsRegisterCounter(
1333  applayer_counter_names[alproto][ipproto_map].tx_name, &tv->stats);
1334 
1335  if (ipproto == IPPROTO_TCP) {
1336  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1337  applayer_counter_names[alproto][ipproto_map].gap_error, &tv->stats);
1338  }
1339  applayer_counters[alproto][ipproto_map].alloc_error_id = StatsRegisterCounter(
1340  applayer_counter_names[alproto][ipproto_map].alloc_error, &tv->stats);
1341  applayer_counters[alproto][ipproto_map].parser_error_id = StatsRegisterCounter(
1342  applayer_counter_names[alproto][ipproto_map].parser_error, &tv->stats);
1343  applayer_counters[alproto][ipproto_map].internal_error_id = StatsRegisterCounter(
1344  applayer_counter_names[alproto][ipproto_map].internal_error, &tv->stats);
1345  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1346  if (g_stats_eps_per_app_proto_errors &&
1347  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1348  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1;
1349  i < EXCEPTION_POLICY_MAX; i++) {
1350  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1351  applayer_counters[alproto][ipproto_map]
1352  .eps_error.eps_id[i] = StatsRegisterCounter(
1353  applayer_counter_names[alproto][ipproto_map].eps_name[i],
1354  &tv->stats);
1355  }
1356  }
1357  }
1358  } else if (alproto == ALPROTO_FAILED) {
1359  applayer_counters[alproto][ipproto_map].counter_id = StatsRegisterCounter(
1360  applayer_counter_names[alproto][ipproto_map].name, &tv->stats);
1361 
1362  if (ipproto == IPPROTO_TCP) {
1363  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1364  applayer_counter_names[alproto][ipproto_map].gap_error, &tv->stats);
1365  }
1366  }
1367  }
1368  }
1369 }
1370 
1371 void AppLayerDeSetupCounters(void)
1372 {
1373  SCFree(applayer_counter_names);
1374  SCFree(applayer_counters);
1375 }
1376 
1377 /***** Unittests *****/
1378 
1379 #ifdef UNITTESTS
1380 #include "pkt-var.h"
1381 #include "stream-tcp-util.h"
1382 #include "stream.h"
1383 #include "util-unittest.h"
1384 
1385 #define TEST_START \
1386  Packet *p = PacketGetFromAlloc(); \
1387  FAIL_IF_NULL(p); \
1388  Flow f; \
1389  ThreadVars tv; \
1390  StreamTcpThread *stt = NULL; \
1391  TCPHdr tcph; \
1392  PacketQueueNoLock pq; \
1393  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1394  memset(&f, 0, sizeof(Flow)); \
1395  memset(&tv, 0, sizeof(ThreadVars)); \
1396  StatsThreadInit(&tv.stats); \
1397  memset(&tcph, 0, sizeof(TCPHdr)); \
1398  \
1399  FLOW_INITIALIZE(&f); \
1400  f.flags = FLOW_IPV4; \
1401  f.proto = IPPROTO_TCP; \
1402  p->flow = &f; \
1403  PacketSetTCP(p, (uint8_t *)&tcph); \
1404  \
1405  StreamTcpInitConfig(true); \
1406  IPPairInitConfig(true); \
1407  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1408  \
1409  /* handshake */ \
1410  tcph.th_win = htons(5480); \
1411  tcph.th_flags = TH_SYN; \
1412  p->flowflags = FLOW_PKT_TOSERVER; \
1413  p->payload_len = 0; \
1414  p->payload = NULL; \
1415  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1416  TcpSession *ssn = (TcpSession *)f.protoctx; \
1417  \
1418  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1419  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1420  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1421  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1422  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1423  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1424  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1425  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1426  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1427  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1428  FAIL_IF(ssn->data_first_seen_dir != 0); \
1429  \
1430  /* handshake */ \
1431  tcph.th_ack = htonl(1); \
1432  tcph.th_flags = TH_SYN | TH_ACK; \
1433  p->flowflags = FLOW_PKT_TOCLIENT; \
1434  p->payload_len = 0; \
1435  p->payload = NULL; \
1436  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1437  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1438  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1439  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1440  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1441  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1442  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1443  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1444  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1445  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1446  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1447  FAIL_IF(ssn->data_first_seen_dir != 0); \
1448  \
1449  /* handshake */ \
1450  tcph.th_ack = htonl(1); \
1451  tcph.th_seq = htonl(1); \
1452  tcph.th_flags = TH_ACK; \
1453  p->flowflags = FLOW_PKT_TOSERVER; \
1454  p->payload_len = 0; \
1455  p->payload = NULL; \
1456  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1457  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1458  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1459  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1460  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1461  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1462  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1463  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1464  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1465  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1466  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1467  FAIL_IF(ssn->data_first_seen_dir != 0);
1468 #define TEST_END \
1469  StreamTcpSessionClear(p->flow->protoctx); \
1470  StreamTcpThreadDeinit(&tv, (void *)stt); \
1471  StreamTcpFreeConfig(true); \
1472  PacketFree(p); \
1473  FLOW_DESTROY(&f); \
1474  IPPairShutdown(); \
1475  StatsThreadCleanup(&tv.stats);
1476 
1477 /**
1478  * \test GET -> HTTP/1.1
1479  */
1480 static int AppLayerTest01(void)
1481 {
1482  TEST_START;
1483 
1484  /* full request */
1485  uint8_t request[] = {
1486  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1487  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1488  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1489  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1490  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1491  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1492  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1493  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1494  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1495  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1496  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1497  tcph.th_ack = htonl(1);
1498  tcph.th_seq = htonl(1);
1499  tcph.th_flags = TH_PUSH | TH_ACK;
1500  p->flowflags = FLOW_PKT_TOSERVER;
1501  p->payload_len = sizeof(request);
1502  p->payload = request;
1503  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1504  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1505  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1506  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1507  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1508  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1509  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1510  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1511  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1512  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1513  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1514  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1515 
1516  /* full response - request ack */
1517  uint8_t response[] = {
1518  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1519  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1520  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1521  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1522  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1523  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1524  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1525  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1526  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1527  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1528  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1529  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1530  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1531  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1532  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1533  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1534  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1535  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1536  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1537  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1538  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1539  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1540  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1541  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1542  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1543  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1544  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1545  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1546  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1547  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1548  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1549  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1550  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1551  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1552  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1553  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1554  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1555  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1556  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1557  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1558  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1559  tcph.th_ack = htonl(88);
1560  tcph.th_seq = htonl(1);
1561  tcph.th_flags = TH_PUSH | TH_ACK;
1562  p->flowflags = FLOW_PKT_TOCLIENT;
1563  p->payload_len = sizeof(response);
1564  p->payload = response;
1565  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1566  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1567  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1568  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1569  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1570  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1571  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1572  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1573  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1574  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1575  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1576  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1577 
1578  /* response ack */
1579  tcph.th_ack = htonl(328);
1580  tcph.th_seq = htonl(88);
1581  tcph.th_flags = TH_ACK;
1582  p->flowflags = FLOW_PKT_TOSERVER;
1583  p->payload_len = 0;
1584  p->payload = NULL;
1585  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1586  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1587  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1588  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1589  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1590  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1591  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1592  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1593  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1594  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1595  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1596  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1597 
1598  TEST_END;
1599  PASS;
1600 }
1601 
1602 /**
1603  * \test GE -> T -> HTTP/1.1
1604  */
1605 static int AppLayerTest02(void)
1606 {
1607  TEST_START;
1608 
1609  /* partial request */
1610  uint8_t request1[] = { 0x47, 0x45, };
1611  tcph.th_ack = htonl(1);
1612  tcph.th_seq = htonl(1);
1613  tcph.th_flags = TH_PUSH | TH_ACK;
1614  p->flowflags = FLOW_PKT_TOSERVER;
1615  p->payload_len = sizeof(request1);
1616  p->payload = request1;
1617  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1618  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1619  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1620  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1621  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1622  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1623  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1624  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1625  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1626  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1627  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1628  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1629 
1630  /* response ack against partial request */
1631  tcph.th_ack = htonl(3);
1632  tcph.th_seq = htonl(1);
1633  tcph.th_flags = TH_ACK;
1634  p->flowflags = FLOW_PKT_TOCLIENT;
1635  p->payload_len = 0;
1636  p->payload = NULL;
1637  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1638  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1639  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1640  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1641  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1642  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1643  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1644  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1645  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1646  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1647  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1648  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1649 
1650  /* complete partial request */
1651  uint8_t request2[] = {
1652  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1653  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1654  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1655  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1656  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1657  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1658  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1659  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1660  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1661  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1662  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1663  tcph.th_ack = htonl(1);
1664  tcph.th_seq = htonl(3);
1665  tcph.th_flags = TH_PUSH | TH_ACK;
1666  p->flowflags = FLOW_PKT_TOSERVER;
1667  p->payload_len = sizeof(request2);
1668  p->payload = request2;
1669  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1670  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1671  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1672  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1673  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1674  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1675  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1676  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1677  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1678  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1679  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1680  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1681 
1682  /* response - request ack */
1683  uint8_t response[] = {
1684  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1685  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1686  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1687  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1688  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1689  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1690  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1691  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1692  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1693  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1694  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1695  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1696  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1697  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1698  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1699  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1700  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1701  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1702  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1703  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1704  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1705  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1706  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1707  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1708  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1709  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1710  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1711  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1712  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1713  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1714  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1715  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1716  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1717  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1718  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1719  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1720  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1721  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1722  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1723  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1724  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1725  tcph.th_ack = htonl(88);
1726  tcph.th_seq = htonl(1);
1727  tcph.th_flags = TH_PUSH | TH_ACK;
1728  p->flowflags = FLOW_PKT_TOCLIENT;
1729  p->payload_len = sizeof(response);
1730  p->payload = response;
1731  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1732  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1733  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1734  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1735  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1736  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1737  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1738  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1739  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1740  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1741  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1742  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1743 
1744  /* response ack */
1745  tcph.th_ack = htonl(328);
1746  tcph.th_seq = htonl(88);
1747  tcph.th_flags = TH_ACK;
1748  p->flowflags = FLOW_PKT_TOSERVER;
1749  p->payload_len = 0;
1750  p->payload = NULL;
1751  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1752  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1753  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1754  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1755  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1756  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1757  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1758  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1759  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1760  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1761  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1762  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1763 
1764  TEST_END;
1765  PASS;
1766 }
1767 
1768 /**
1769  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1770  */
1771 static int AppLayerTest03(void)
1772 {
1773  TEST_START;
1774 
1775  /* request */
1776  uint8_t request[] = {
1777  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1778  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1779  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1780  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1781  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1782  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1783  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1784  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1785  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1786  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1787  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1788  tcph.th_ack = htonl(1);
1789  tcph.th_seq = htonl(1);
1790  tcph.th_flags = TH_PUSH | TH_ACK;
1791  p->flowflags = FLOW_PKT_TOSERVER;
1792  p->payload_len = sizeof(request);
1793  p->payload = request;
1794  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1795  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1796  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1797  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1798  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1799  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1800  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1801  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1802  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1803  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1804  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1805  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1806 
1807  /* rubbish response */
1808  uint8_t response[] = {
1809  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1810  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1811  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1812  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1813  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1814  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1815  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1816  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1817  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1818  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1819  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1820  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1821  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1822  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1823  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1824  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1825  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1826  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1827  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1828  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1829  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1830  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1831  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1832  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1833  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1834  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1835  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1836  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1837  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1838  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1839  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1840  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1841  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1842  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1843  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1844  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1845  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1846  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1847  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1848  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1849  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1850  tcph.th_ack = htonl(88);
1851  tcph.th_seq = htonl(1);
1852  tcph.th_flags = TH_PUSH | TH_ACK;
1853  p->flowflags = FLOW_PKT_TOCLIENT;
1854  p->payload_len = sizeof(response);
1855  p->payload = response;
1856  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1857  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1858  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1859  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1860  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1861  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1862  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1863  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1864  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1865  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1866  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1867  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1868 
1869  /* response ack */
1870  tcph.th_ack = htonl(328);
1871  tcph.th_seq = htonl(88);
1872  tcph.th_flags = TH_ACK;
1873  p->flowflags = FLOW_PKT_TOSERVER;
1874  p->payload_len = 0;
1875  p->payload = NULL;
1876  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1877  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1878  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1879  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1880  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1881  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1882  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1883  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1884  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1885  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1886  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1887  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1888 
1889  TEST_END;
1890  PASS;
1891 }
1892 
1893 /**
1894  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1895  */
1896 static int AppLayerTest04(void)
1897 {
1898  TEST_START;
1899 
1900  /* request */
1901  uint8_t request[] = {
1902  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1903  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1904  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1905  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1906  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1907  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1908  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1909  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1910  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1911  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1912  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1913  PrintRawDataFp(stdout, request, sizeof(request));
1914  tcph.th_ack = htonl(1);
1915  tcph.th_seq = htonl(1);
1916  tcph.th_flags = TH_PUSH | TH_ACK;
1917  p->flowflags = FLOW_PKT_TOSERVER;
1918  p->payload_len = sizeof(request);
1919  p->payload = request;
1920  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1921  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1922  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1923  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1924  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1925  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1926  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1927  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1928  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1929  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1930  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1931  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1932 
1933  /* partial response */
1934  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1935  PrintRawDataFp(stdout, response1, sizeof(response1));
1936  tcph.th_ack = htonl(88);
1937  tcph.th_seq = htonl(1);
1938  tcph.th_flags = TH_PUSH | TH_ACK;
1939  p->flowflags = FLOW_PKT_TOCLIENT;
1940  p->payload_len = sizeof(response1);
1941  p->payload = response1;
1942  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1943  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1944  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1945  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1946  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1947  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1948  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1949  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1950  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1951  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1952  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1953  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1954 
1955  /* partial response ack */
1956  tcph.th_ack = htonl(5);
1957  tcph.th_seq = htonl(88);
1958  tcph.th_flags = TH_ACK;
1959  p->flowflags = FLOW_PKT_TOSERVER;
1960  p->payload_len = 0;
1961  p->payload = NULL;
1962  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1963  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1964  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1965  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1966  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1967  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1968  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1969  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1970  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1971  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1972  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1973  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1974 
1975  /* remaining response */
1976  uint8_t response2[] = {
1977  0x2f, 0x31, 0x2e, 0x31,
1978  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1979  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1980  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1981  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1982  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1983  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1984  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1985  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1986  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1987  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1988  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1989  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1990  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1991  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1992  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1993  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1994  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1995  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1996  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1997  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1998  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1999  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2000  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2001  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2002  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2003  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2004  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2005  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2006  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2007  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2008  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2009  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2010  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2011  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2012  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2013  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2014  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2015  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2016  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2017  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2018  PrintRawDataFp(stdout, response2, sizeof(response2));
2019  tcph.th_ack = htonl(88);
2020  tcph.th_seq = htonl(5);
2021  tcph.th_flags = TH_PUSH | TH_ACK;
2022  p->flowflags = FLOW_PKT_TOCLIENT;
2023  p->payload_len = sizeof(response2);
2024  p->payload = response2;
2025  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2026  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2027  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2028  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2029  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2030  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2031  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2032  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2033  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2034  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2035  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2036  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2037 
2038  /* response ack */
2039  tcph.th_ack = htonl(328);
2040  tcph.th_seq = htonl(88);
2041  tcph.th_flags = TH_ACK;
2042  p->flowflags = FLOW_PKT_TOSERVER;
2043  p->payload_len = 0;
2044  p->payload = NULL;
2045  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2046  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
2047  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2048  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2049  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2050  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
2051  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2052  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2053  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2054  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2055  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2056  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2057 
2058  TEST_END;
2059  PASS;
2060 }
2061 
2062 /**
2063  * \test RUBBISH -> HTTP/1.1
2064  */
2065 static int AppLayerTest05(void)
2066 {
2067  TEST_START;
2068 
2069  /* full request */
2070  uint8_t request[] = {
2071  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2072  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2073  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2074  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2075  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2076  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2077  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2078  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2079  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2080  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2081  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2082  PrintRawDataFp(stdout, request, sizeof(request));
2083  tcph.th_ack = htonl(1);
2084  tcph.th_seq = htonl(1);
2085  tcph.th_flags = TH_PUSH | TH_ACK;
2086  p->flowflags = FLOW_PKT_TOSERVER;
2087  p->payload_len = sizeof(request);
2088  p->payload = request;
2089  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2090  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2091  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2092  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2093  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2094  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2095  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2096  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2097  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2098  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2099  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2100  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2101 
2102  /* full response - request ack */
2103  uint8_t response[] = {
2104  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2105  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2106  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2107  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2108  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2109  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2110  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2111  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2112  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2113  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2114  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2115  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2116  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2117  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2118  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2119  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2120  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2121  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2122  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2123  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2124  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2125  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2126  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2127  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2128  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2129  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2130  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2131  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2132  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2133  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2134  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2135  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2136  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2137  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2138  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2139  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2140  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2141  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2142  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2143  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2144  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2145  PrintRawDataFp(stdout, response, sizeof(response));
2146  tcph.th_ack = htonl(88);
2147  tcph.th_seq = htonl(1);
2148  tcph.th_flags = TH_PUSH | TH_ACK;
2149  p->flowflags = FLOW_PKT_TOCLIENT;
2150  p->payload_len = sizeof(response);
2151  p->payload = response;
2152  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2153  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2154  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2155  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2156  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2157  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2158  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2159  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2160  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2161  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2162  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2163  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2164 
2165  /* response ack */
2166  tcph.th_ack = htonl(328);
2167  tcph.th_seq = htonl(88);
2168  tcph.th_flags = TH_ACK;
2169  p->flowflags = FLOW_PKT_TOSERVER;
2170  p->payload_len = 0;
2171  p->payload = NULL;
2172  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2173  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2174  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2175  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2176  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2177  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2178  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2179  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2180  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2181  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2182  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2183  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2184 
2185  TEST_END;
2186  PASS;
2187 }
2188 
2189 /**
2190  * \test HTTP/1.1 -> GET
2191  */
2192 static int AppLayerTest06(void)
2193 {
2194  TEST_START;
2195 
2196  /* full response - request ack */
2197  uint8_t response[] = {
2198  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2199  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2200  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2201  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2202  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2203  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2204  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2205  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2206  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2207  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2208  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2209  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2210  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2211  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2212  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2213  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2214  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2215  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2216  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2217  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2218  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2219  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2220  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2221  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2222  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2223  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2224  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2225  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2226  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2227  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2228  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2229  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2230  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2231  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2232  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2233  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2234  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2235  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2236  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2237  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2238  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2239  tcph.th_ack = htonl(1);
2240  tcph.th_seq = htonl(1);
2241  tcph.th_flags = TH_PUSH | TH_ACK;
2242  p->flowflags = FLOW_PKT_TOCLIENT;
2243  p->payload_len = sizeof(response);
2244  p->payload = response;
2245  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2246  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2247  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2248  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2249  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2250  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2251  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2252  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2253  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2254  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2255  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2256  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2257 
2258  /* full request - response ack*/
2259  uint8_t request[] = {
2260  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2261  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2262  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2263  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2264  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2265  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2266  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2267  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2268  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2269  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2270  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2271  tcph.th_ack = htonl(328);
2272  tcph.th_seq = htonl(1);
2273  tcph.th_flags = TH_PUSH | TH_ACK;
2274  p->flowflags = FLOW_PKT_TOSERVER;
2275  p->payload_len = sizeof(request);
2276  p->payload = request;
2277  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2278  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2279  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2280  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2281  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2282  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2283  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2284  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2285  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2286  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2287  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2288  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2289 
2290  tcph.th_ack = htonl(1 + sizeof(request));
2291  tcph.th_seq = htonl(328);
2292  tcph.th_flags = TH_PUSH | TH_ACK;
2293  p->flowflags = FLOW_PKT_TOCLIENT;
2294  p->payload_len = 0;
2295  p->payload = NULL;
2296  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2297  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2298  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2299  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2300  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2301  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2302  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2303  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2304  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2305  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2306  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2307  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2308 
2309  TEST_END;
2310  PASS;
2311 }
2312 
2313 /**
2314  * \test GET -> DCERPC
2315  */
2316 static int AppLayerTest07(void)
2317 {
2318  TEST_START;
2319 
2320  /* full request */
2321  uint8_t request[] = {
2322  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2323  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2324  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2325  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2326  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2327  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2328  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2329  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2330  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2331  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2332  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2333  tcph.th_ack = htonl(1);
2334  tcph.th_seq = htonl(1);
2335  tcph.th_flags = TH_PUSH | TH_ACK;
2336  p->flowflags = FLOW_PKT_TOSERVER;
2337  p->payload_len = sizeof(request);
2338  p->payload = request;
2339  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2340  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2341  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2342  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2343  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2344  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2345  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2346  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2347  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2348  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2349  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2350  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2351 
2352  /* full response - request ack */
2353  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2354  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2355  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2356  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2357  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2358  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2359  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2360  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2361  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2362  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2363  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2364  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2365  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2366  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2367  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2368  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2369  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2370  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2371  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2372  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2373  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2374  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2375  tcph.th_ack = htonl(88);
2376  tcph.th_seq = htonl(1);
2377  tcph.th_flags = TH_PUSH | TH_ACK;
2378  p->flowflags = FLOW_PKT_TOCLIENT;
2379  p->payload_len = sizeof(response);
2380  p->payload = response;
2381  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2382  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2383  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2384  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2385  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2386  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2387  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2388  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2389  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2390  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2391  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2392  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2393 
2394  /* response ack */
2395  tcph.th_ack = htonl(328);
2396  tcph.th_seq = htonl(88);
2397  tcph.th_flags = TH_ACK;
2398  p->flowflags = FLOW_PKT_TOSERVER;
2399  p->payload_len = 0;
2400  p->payload = NULL;
2401  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2402  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2403  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2404  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2405  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2406  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2407  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2408  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2409  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2410  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2411  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2412  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2413 
2414  TEST_END;
2415  PASS;
2416 }
2417 
2418 /**
2419  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2420  * RUBBISH(TC - PM and PP DONE) ->
2421  * RUBBISH(TS - PM and PP DONE)
2422  */
2423 static int AppLayerTest09(void)
2424 {
2425  TEST_START;
2426 
2427  /* full request */
2428  uint8_t request1[] = {
2429  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2430  tcph.th_ack = htonl(1);
2431  tcph.th_seq = htonl(1);
2432  tcph.th_flags = TH_PUSH | TH_ACK;
2433  p->flowflags = FLOW_PKT_TOSERVER;
2434  p->payload_len = sizeof(request1);
2435  p->payload = request1;
2436  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2437  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2438  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2439  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2440  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2441  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2442  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2443  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2444  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2445  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2446  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2447  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2448 
2449  /* response - request ack */
2450  tcph.th_ack = htonl(9);
2451  tcph.th_seq = htonl(1);
2452  tcph.th_flags = TH_PUSH | TH_ACK;
2453  p->flowflags = FLOW_PKT_TOCLIENT;
2454  p->payload_len = 0;
2455  p->payload = NULL;
2456  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2457  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2458  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2459  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2460  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2461  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2462  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2463  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2464  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2465  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2466  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2467  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2468 
2469  /* full request */
2470  uint8_t request2[] = {
2471  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2472  tcph.th_ack = htonl(1);
2473  tcph.th_seq = htonl(9);
2474  tcph.th_flags = TH_PUSH | TH_ACK;
2475  p->flowflags = FLOW_PKT_TOSERVER;
2476  p->payload_len = sizeof(request2);
2477  p->payload = request2;
2478  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2479  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2480  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2481  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2482  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2483  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2484  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2485  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2486  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2487  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2488  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2489  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2490 
2491  /* full response - request ack */
2492  uint8_t response[] = {
2493  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2494  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2495  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2496  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2497  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2498  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2499  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2500  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2501  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2502  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2503  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2504  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2505  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2506  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2507  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2508  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2509  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2510  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2511  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2512  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2513  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2514  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2515  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2516  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2517  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2518  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2519  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2520  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2521  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2522  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2523  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2524  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2525  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2526  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2527  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2528  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2529  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2530  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2531  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2532  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2533  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2534  tcph.th_ack = htonl(18);
2535  tcph.th_seq = htonl(1);
2536  tcph.th_flags = TH_PUSH | TH_ACK;
2537  p->flowflags = FLOW_PKT_TOCLIENT;
2538  p->payload_len = sizeof(response);
2539  p->payload = response;
2540  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2541  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2542  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2543  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2544  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2545  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2546  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2547  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2548  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2549  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2550  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2551  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2552 
2553  /* response ack */
2554  tcph.th_ack = htonl(328);
2555  tcph.th_seq = htonl(18);
2556  tcph.th_flags = TH_ACK;
2557  p->flowflags = FLOW_PKT_TOSERVER;
2558  p->payload_len = 0;
2559  p->payload = NULL;
2560  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2561  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2562  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2563  FAIL_IF(f.alproto != ALPROTO_FAILED);
2564  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2565  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2566  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2567  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2568  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2569  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2570  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2571  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2572 
2573  TEST_END;
2574  PASS;
2575 }
2576 
2577 /**
2578  * \test RUBBISH(TC - PM and PP DONE) ->
2579  * RUBBISH(TS - PM and PP DONE)
2580  */
2581 static int AppLayerTest10(void)
2582 {
2583  TEST_START;
2584 
2585  /* full request */
2586  uint8_t request1[] = {
2587  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2588  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2589  tcph.th_ack = htonl(1);
2590  tcph.th_seq = htonl(1);
2591  tcph.th_flags = TH_PUSH | TH_ACK;
2592  p->flowflags = FLOW_PKT_TOSERVER;
2593  p->payload_len = sizeof(request1);
2594  p->payload = request1;
2595  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2596  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2597  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2598  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2599  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2600  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2601  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2602  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2603  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2604  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2605  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2606  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2607 
2608  /* response - request ack */
2609  tcph.th_ack = htonl(18);
2610  tcph.th_seq = htonl(1);
2611  tcph.th_flags = TH_PUSH | TH_ACK;
2612  p->flowflags = FLOW_PKT_TOCLIENT;
2613  p->payload_len = 0;
2614  p->payload = NULL;
2615  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2616  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2617  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2618  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2619  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2620  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2621  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2622  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2623  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2624  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2625  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2626  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2627 
2628  /* full response - request ack */
2629  uint8_t response[] = {
2630  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2631  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2632  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2633  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2634  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2635  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2636  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2637  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2638  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2639  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2640  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2641  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2642  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2643  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2644  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2645  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2646  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2647  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2648  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2649  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2650  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2651  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2652  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2653  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2654  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2655  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2656  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2657  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2658  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2659  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2660  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2661  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2662  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2663  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2664  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2665  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2666  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2667  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2668  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2669  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2670  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2671  tcph.th_ack = htonl(18);
2672  tcph.th_seq = htonl(1);
2673  tcph.th_flags = TH_PUSH | TH_ACK;
2674  p->flowflags = FLOW_PKT_TOCLIENT;
2675  p->payload_len = sizeof(response);
2676  p->payload = response;
2677  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2678  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2679  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2680  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2681  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2682  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2683  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2684  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2685  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2686  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2687  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2688  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2689 
2690  /* response ack */
2691  tcph.th_ack = htonl(328);
2692  tcph.th_seq = htonl(18);
2693  tcph.th_flags = TH_ACK;
2694  p->flowflags = FLOW_PKT_TOSERVER;
2695  p->payload_len = 0;
2696  p->payload = NULL;
2697  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2698  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2699  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2700  FAIL_IF(f.alproto != ALPROTO_FAILED);
2701  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2702  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2703  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2704  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2705  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2706  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2707  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2708  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2709 
2710  TEST_END;
2711  PASS;
2712 }
2713 
2714 /**
2715  * \test RUBBISH(TC - PM and PP DONE) ->
2716  * RUBBISH(TS - PM and PP NOT DONE) ->
2717  * RUBBISH(TS - PM and PP DONE)
2718  */
2719 static int AppLayerTest11(void)
2720 {
2721  TEST_START;
2722 
2723  /* full request */
2724  uint8_t request1[] = {
2725  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2726  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2727  tcph.th_ack = htonl(1);
2728  tcph.th_seq = htonl(1);
2729  tcph.th_flags = TH_PUSH | TH_ACK;
2730  p->flowflags = FLOW_PKT_TOSERVER;
2731  p->payload_len = sizeof(request1);
2732  p->payload = request1;
2733  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2734  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2735  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2736  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2737  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2738  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2739  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2740  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2741  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2742  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2743  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2744  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2745 
2746  /* response - request ack */
2747  tcph.th_ack = htonl(18);
2748  tcph.th_seq = htonl(1);
2749  tcph.th_flags = TH_PUSH | TH_ACK;
2750  p->flowflags = FLOW_PKT_TOCLIENT;
2751  p->payload_len = 0;
2752  p->payload = NULL;
2753  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2754  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2755  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2756  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2757  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2758  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2759  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2760  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2761  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2762  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2763  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2764  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2765 
2766  /* full response - request ack */
2767  uint8_t response1[] = {
2768  0x55, 0x74, 0x54, 0x50, };
2769  tcph.th_ack = htonl(18);
2770  tcph.th_seq = htonl(1);
2771  tcph.th_flags = TH_PUSH | TH_ACK;
2772  p->flowflags = FLOW_PKT_TOCLIENT;
2773  p->payload_len = sizeof(response1);
2774  p->payload = response1;
2775  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2776  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2777  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2778  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2779  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2780  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2781  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2782  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2783  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2784  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2785  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2786  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2787 
2788  /* response ack from request */
2789  tcph.th_ack = htonl(5);
2790  tcph.th_seq = htonl(18);
2791  tcph.th_flags = TH_ACK;
2792  p->flowflags = FLOW_PKT_TOSERVER;
2793  p->payload_len = 0;
2794  p->payload = NULL;
2795  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2796  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2797  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2798  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2799  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2800  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2801  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2802  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2803  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2804  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2805  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2806  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2807 
2808  uint8_t response2[] = {
2809  0x2f, 0x31, 0x2e, 0x31,
2810  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2811  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2812  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2813  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2814  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2815  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2816  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2817  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2818  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2819  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2820  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2821  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2822  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2823  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2824  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2825  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2826  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2827  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2828  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2829  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2830  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2831  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2832  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2833  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2834  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2835  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2836  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2837  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2838  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2839  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2840  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2841  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2842  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2843  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2844  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2845  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2846  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2847  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2848  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2849  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2850  tcph.th_ack = htonl(18);
2851  tcph.th_seq = htonl(5);
2852  tcph.th_flags = TH_PUSH | TH_ACK;
2853  p->flowflags = FLOW_PKT_TOCLIENT;
2854  p->payload_len = sizeof(response2);
2855  p->payload = response2;
2856  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2857  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2858  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2859  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2860  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2861  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2862  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2863  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2864  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2865  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2866  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2867  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2868 
2869  /* response ack from request */
2870  tcph.th_ack = htonl(328);
2871  tcph.th_seq = htonl(18);
2872  tcph.th_flags = TH_ACK;
2873  p->flowflags = FLOW_PKT_TOSERVER;
2874  p->payload_len = 0;
2875  p->payload = NULL;
2876  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2877  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2878  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2879  FAIL_IF(f.alproto != ALPROTO_FAILED);
2880  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2881  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2882  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2883  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2884  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2885  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2886  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2887  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2888 
2889  TEST_END;
2890  PASS;
2891 }
2892 
2893 void AppLayerUnittestsRegister(void)
2894 {
2895  SCEnter();
2896 
2897  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2898  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2899  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2900  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2901  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2902  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2903  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2904  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2905  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2906  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2907 
2908  SCReturn;
2909 }
2910 
2911 #endif /* UNITTESTS */
AppLayerCounters_::counter_tx_id
StatsCounterId counter_tx_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:279
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:56
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:187
StatsRegisterGlobalCounter
StatsCounterGlobalId StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1053
Packet_::proto
uint8_t proto
Definition: decode.h:523
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:285
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:51
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:138
AppLayerCounters_
Definition: app-layer.c:89
ippair.h
app-layer-htp-range.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1661
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
AppLayerCounterNames_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE]
Definition: app-layer.c:86
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
AppLayerCounters_::gap_error_id
StatsCounterId gap_error_id
Definition: app-layer.c:92
AppLayerCounters_::internal_error_id
StatsCounterId internal_error_id
Definition: app-layer.c:94
stream-tcp.h
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:49
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:7231
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(const char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:998
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
StatsRegisterCounter
StatsCounterId StatsRegisterCounter(const char *name, StatsThreadContext *stats)
Registers a normal, unqualified counter.
Definition: counters.c:1001
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:83
name
const char * name
Definition: detect-engine-proto.c:48
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:48
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1147
Flow_::proto
uint8_t proto
Definition: flow.h:370
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
Packet_::payload
uint8_t * payload
Definition: decode.h:605
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:62
Packet_::flags
uint32_t flags
Definition: decode.h:544
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:72
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:186
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:42
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:63
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:348
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:165
Flow_::protomap
uint8_t protomap
Definition: flow.h:437
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:68
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:45
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:57
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1135
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:223
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:228
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir app_update_dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1396
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:305
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1303
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:448
AppLayerProtoDetectSupportedIpprotos
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
Definition: app-layer-detect-proto.c:2041
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:79
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:59
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1142
AppLayerCounterNames_
Definition: app-layer.c:79
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1633
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
handle TCP data for the app-layer.
Definition: app-layer.c:709
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:65
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6806
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
app_layer_error_eps_stats
ExceptionPolicyStatsSetts app_layer_error_eps_stats
Definition: app-layer.c:108
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:71
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2893
StatsCounterId
Definition: counters.h:30
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:49
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:80
AppLayerCounters_::counter_id
StatsCounterId counter_id
Definition: app-layer.c:90
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:1012
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1194
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:40
app-layer-ftp.h
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:58
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:69
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:227
MAX
#define MAX(x, y)
Definition: suricata-common.h:412
Flow_::protoctx
void * protoctx
Definition: flow.h:433
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:173
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:632
util-unittest.h
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:181
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1091
HostGetMemcap
uint64_t HostGetMemcap(void)
Return memcap value.
Definition: host.c:83
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1301
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:78
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:270
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:50
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:470
EXCEPTION_POLICY_MAX
#define EXCEPTION_POLICY_MAX
Definition: util-exception-policy-types.h:37
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1773
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:70
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1074
app-layer-expectation.h
app-layer-detect-proto.h
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:179
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:135
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
ExceptionPolicyCounters_
Definition: util-exception-policy-types.h:52
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:46
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:271
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1155
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:50
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:387
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:67
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, int64_t step)
Definition: app-layer.c:157
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:581
util-exception-policy.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
AppProtoRegisterProtoString
void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name)
Definition: app-layer-protos.c:81
HTPByteRangeMemuseGlobalCounter
uint64_t HTPByteRangeMemuseGlobalCounter(void)
Definition: app-layer-htp-range.c:62
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:59
util-print.h
IPPairGetMemcap
uint64_t IPPairGetMemcap(void)
Return memcap value.
Definition: ippair.c:81
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5668
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1869
StatsCounterIncr
void StatsCounterIncr(StatsThreadContext *stats, StatsCounterId id)
Increments the local counter.
Definition: counters.c:165
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1385
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:59
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
HostGetMemuse
uint64_t HostGetMemuse(void)
Return memuse value.
Definition: host.c:94
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:206
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:105
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:259
SCReturn
#define SCReturn
Definition: util-debug.h:283
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:278
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
Packet_
Definition: decode.h:501
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:41
stream-tcp-private.h
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:68
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:75
applayer_counters
AppLayerCounters(* applayer_counters)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:102
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:874
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp)
Definition: util-profiling.h:173
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:63
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:297
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:61
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:722
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1104
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:54
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:66
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:181
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:85
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:451
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:57
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:447
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:280
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1718
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:62
IPPairGetMemuse
uint64_t IPPairGetMemuse(void)
Return memuse value.
Definition: ippair.c:92
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:535
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:104
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:189
eps_error_summary
ExceptionPolicyCounters eps_error_summary
Definition: app-layer.c:104
FatalError
#define FatalError(...)
Definition: util-debug.h:514
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:48
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
applayer_counter_names
AppLayerCounterNames(* applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:100
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1302
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:40
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1565
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
app-layer-events.h
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:246
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2103
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1394
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1962
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2061
str
#define str(s)
Definition: suricata-common.h:308
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:434
ExceptionPolicyEnumToString
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
Definition: util-exception-policy.c:39
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:443
AppLayerCounters_::alloc_error_id
StatsCounterId alloc_error_id
Definition: app-layer.c:95
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:60
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:7237
Flow_::alstate
void * alstate
Definition: flow.h:471
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1125
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
HTPByteRangeMemcapGlobalCounter
uint64_t HTPByteRangeMemcapGlobalCounter(void)
Definition: app-layer-htp-range.c:56
Flow_::flags
uint32_t flags
Definition: flow.h:413
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
StatsCounterId::id
uint16_t id
Definition: counters.h:31
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:86
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:61
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1005
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:155
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerCounters_::eps_error
ExceptionPolicyCounters eps_error
Definition: app-layer.c:96
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:67
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:84
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:61
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:295
app-layer-protos.h
AppLayerProfilingReset
#define AppLayerProfilingReset(app_tctx)
Definition: app-layer.h:127
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:245
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:60
TEST_END
#define TEST_END
Definition: app-layer.c:1468
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2015
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:70
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:52
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
AppLayerCounters_::parser_error_id
StatsCounterId parser_error_id
Definition: app-layer.c:93
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:197
TcpSession_
Definition: stream-tcp-private.h:283
FrameConfigDeInit
void FrameConfigDeInit(void)
Definition: app-layer-frames.c:51
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:444
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:76
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1482
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:85
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:285
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:195
StatsCounterAddI64
void StatsCounterAddI64(StatsThreadContext *stats, StatsCounterId id, int64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:47
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1371
ExceptionPolicyCounters_::eps_id
StatsCounterId eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:54
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
ExceptionPolicyStatsSetts_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][EXCEPTION_POLICY_COUNTER_MAX_LEN]
Definition: util-exception-policy-types.h:58
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2086
app-layer.h
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:456