suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
84 
85 /* counter names. Only used at init. */
87 /* counter id's. Used that runtime. */
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
134  } else {
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
140  } else {
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
147  } else {
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
159  TcpSession *ssn = f->protoctx;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
219  size_ts > 100000 && size_tc == 0)
220  {
223  goto failure;
224 
226  size_tc > 100000 && size_ts == 0)
227  {
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
238  {
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
249  {
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
260  {
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
326  bool reverse_flow = false;
328  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
329  f, data, data_len,
330  IPPROTO_TCP, flags, &reverse_flow);
331  PACKET_PROFILING_APP_PD_END(app_tctx);
332  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
333 
334  if (*alproto != ALPROTO_UNKNOWN) {
335  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
338 
340  /* if we already invoked the parser, we go with that proto */
341  f->alproto = *alproto_otherdir;
342  } else {
343  /* no data sent to parser yet, we can still choose
344  * we're trusting the server more. */
345  if (flags & STREAM_TOCLIENT)
346  f->alproto = *alproto;
347  else
348  f->alproto = *alproto_otherdir;
349  }
350  } else {
351  f->alproto = *alproto;
352  }
353 
357  FlagPacketFlow(p, f, flags);
358  /* if protocol detection indicated that we need to reverse
359  * the direction of the flow, do it now. We flip the flow,
360  * packet and the direction flags */
361  if (reverse_flow) {
362  SCLogDebug("reversing flow after proto detect told us so");
363  PacketSwap(p);
364  FlowSwap(f);
365  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
366  if (*stream == &ssn->client) {
367  *stream = &ssn->server;
368  } else {
369  *stream = &ssn->client;
370  }
371  }
372 
373  /* account flow if we have both sides */
374  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
375  AppLayerIncFlowCounter(tv, f);
376  }
377 
378  /* if we have seen data from the other direction first, send
379  * data for that direction first to the parser. This shouldn't
380  * be an issue, since each stream processing happens
381  * independently of the other stream direction. At this point of
382  * call, you need to know that this function's already being
383  * called by the very same StreamReassembly() function that we
384  * will now call shortly for the opposing direction. */
385  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
386  !(flags & ssn->data_first_seen_dir))
387  {
388  SCLogDebug("protocol %s needs first data in other direction",
389  AppProtoToString(*alproto));
390 
391  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
392  p, ssn, *stream) != 0)
393  {
394  DisableAppLayer(tv, f, p);
395  goto failure;
396  }
397  }
398 
399  /* if the parser operates such that it needs to see data from
400  * a particular direction first, we check if we have seen
401  * data from that direction first for the flow. IF it is not
402  * the same, we set an event and exit.
403  *
404  * \todo We need to figure out a more robust solution for this,
405  * as this can lead to easy evasion tactics, where the
406  * attackeer can first send some dummy data in the wrong
407  * direction first to mislead our proto detection process.
408  * While doing this we need to update the parsers as well,
409  * since the parsers must be robust to see such wrong
410  * direction data.
411  * Either ways the moment we see the
412  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
413  * flow, it shows something's fishy.
414  */
416  uint8_t first_data_dir;
417  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
418 
419  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
422  DisableAppLayer(tv, f, p);
423  goto failure;
424  }
425  /* This can happen if the current direction is not the
426  * right direction, and the data from the other(also
427  * the right direction) direction is available to be sent
428  * to the app layer, but it is not ack'ed yet and hence
429  * the forced call to STreamTcpAppLayerReassemble still
430  * hasn't managed to send data from the other direction
431  * to the app layer. */
432  if (first_data_dir && !(first_data_dir & flags)) {
435  FLOW_RESET_PP_DONE(f, flags);
436  FLOW_RESET_PM_DONE(f, flags);
437  FLOW_RESET_PE_DONE(f, flags);
438  goto failure;
439  }
440  }
441 
442  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
444 
445  /* finally, invoke the parser */
446  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
447  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
448  flags, data, data_len);
449  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
450  if (r < 0)
451  goto failure;
452  (*stream)->app_progress_rel += data_len;
453 
454  } else {
455  /* if the ssn is midstream, we may end up with a case where the
456  * start of an HTTP request is missing. We won't detect HTTP based
457  * on the request. However, the reply is fine, so we detect
458  * HTTP anyway. This leads to passing the incomplete request to
459  * the htp parser.
460  *
461  * This has been observed, where the http parser then saw many
462  * bogus requests in the incomplete data.
463  *
464  * To counter this case, a midstream session MUST find it's
465  * protocol in the toserver direction. If not, we assume the
466  * start of the request/toserver is incomplete and no reliable
467  * detection and parsing is possible. So we give up.
468  */
469  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
471  {
472  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
473  SCLogDebug("midstream end pd %p", ssn);
474  /* midstream and toserver detection failed: give up */
475  DisableAppLayer(tv, f, p);
476  goto end;
477  }
478  }
479 
480  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
481  uint8_t first_data_dir;
482  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
483 
484  /* this would handle this test case -
485  * http parser which says it wants to see toserver data first only.
486  * tcp handshake
487  * toclient data first received. - RUBBISH DATA which
488  * we don't detect as http
489  * toserver data next sent - we detect this as http.
490  * at this stage we see that toclient is the first data seen
491  * for this session and we try and redetect the app protocol,
492  * but we are unable to detect the app protocol like before.
493  * But since we have managed to detect the protocol for the
494  * other direction as http, we try to use that. At this
495  * stage we check if the direction of this stream matches
496  * to that acceptable by the app parser. If it is not the
497  * acceptable direction we error out.
498  */
500  (first_data_dir) && !(first_data_dir & flags))
501  {
502  DisableAppLayer(tv, f, p);
503  goto failure;
504  }
505 
506  /* if protocol detection is marked done for our direction we
507  * pass our data on. We're only succeeded in finding one
508  * direction: the opposing stream
509  *
510  * If PD was not yet complete, we don't do anything.
511  */
512  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
513  if (data_len > 0)
515 
516  if (*alproto_otherdir != ALPROTO_FAILED) {
517  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
518  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
519  f->alproto, flags,
520  data, data_len);
521  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
522  if (r >= 0) {
523  (*stream)->app_progress_rel += data_len;
524  }
525 
530 
531  *alproto = *alproto_otherdir;
532  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
533  p->pcap_cnt, *alproto, *alproto_otherdir, r);
534  if (r < 0)
535  goto failure;
536  }
537  *alproto = ALPROTO_FAILED;
539  AppLayerIncFlowCounter(tv, f);
540  FlagPacketFlow(p, f, flags);
541 
542  }
543  } else {
544  /* both sides unknown, let's see if we need to give up */
545  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
546  }
547  }
548 end:
549  return 0;
550 
551 failure:
552  return -1;
553 }
554 
555 /** \brief handle TCP data for the app-layer.
556  *
557  * First run protocol detection and then when the protocol is known invoke
558  * the app layer parser.
559  *
560  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
561  * reversed.
562  */
564  Packet *p, Flow *f,
565  TcpSession *ssn, TcpStream **stream,
566  uint8_t *data, uint32_t data_len,
567  uint8_t flags)
568 {
569  SCEnter();
570 
572 
573  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
575  int r = 0;
576 
577  SCLogDebug("data_len %u flags %02X", data_len, flags);
579  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
580  goto end;
581  }
582 
583  if (flags & STREAM_TOSERVER) {
584  alproto = f->alproto_ts;
585  } else {
586  alproto = f->alproto_tc;
587  }
588 
589  /* If a gap notification, relay the notification on to the
590  * app-layer if known. */
591  if (flags & STREAM_GAP) {
592  if (alproto == ALPROTO_UNKNOWN) {
594  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
595  /* if the other side didn't already find the proto, we're done */
596  if (f->alproto == ALPROTO_UNKNOWN) {
597  goto failure;
598  }
599  }
600  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
601  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
602  flags, data, data_len);
603  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
604  /* ignore parser result for gap */
605  (*stream)->app_progress_rel += data_len;
606  goto end;
607  }
608 
609  /* if we don't know the proto yet and we have received a stream
610  * initializer message, we run proto detection.
611  * We receive 2 stream init msgs (one for each direction) but we
612  * only run the proto detection once. */
613  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
614  /* run protocol detection */
615  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
616  data, data_len, flags) != 0) {
617  goto failure;
618  }
619  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
620  f->alproto_orig = f->alproto;
621  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
623  /* rerun protocol detection */
624  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
625  data, data_len, flags) != 0) {
626  SCLogDebug("proto detect failure");
627  goto failure;
628  }
629  SCLogDebug("protocol change, old %s, new %s",
631 
632  if (f->alproto_expect != ALPROTO_UNKNOWN &&
633  f->alproto != f->alproto_expect)
634  {
637 
638  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
641 
642  }
643  }
644  } else {
645  SCLogDebug("stream data (len %" PRIu32 " alproto "
646  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
647 #ifdef PRINT
648  if (data_len > 0) {
649  printf("=> Stream Data (app layer) -- start %s%s\n",
650  flags & STREAM_TOCLIENT ? "toclient" : "",
651  flags & STREAM_TOSERVER ? "toserver" : "");
652  PrintRawDataFp(stdout, data, data_len);
653  printf("=> Stream Data -- end\n");
654  }
655 #endif
656  /* if we don't have a data object here we are not getting it
657  * a start msg should have gotten us one */
658  if (f->alproto != ALPROTO_UNKNOWN) {
659  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
660  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
661  flags, data, data_len);
662  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
663  if (r >= 0) {
664  (*stream)->app_progress_rel += data_len;
665  }
666  }
667  }
668 
669  goto end;
670  failure:
671  r = -1;
672  end:
673  SCReturnInt(r);
674 }
675 
676 /**
677  * \brief Handle a app layer UDP message
678  *
679  * If the protocol is yet unknown, the proto detection code is run first.
680  *
681  * \param dp_ctx Thread app layer detect context
682  * \param f *locked* flow
683  * \param p UDP packet
684  *
685  * \retval 0 ok
686  * \retval -1 error
687  */
689 {
690  SCEnter();
691 
692  if (f->alproto == ALPROTO_FAILED) {
693  SCReturnInt(0);
694  }
695 
696  int r = 0;
697  uint8_t flags = 0;
698  if (p->flowflags & FLOW_PKT_TOSERVER) {
699  flags |= STREAM_TOSERVER;
700  } else {
701  flags |= STREAM_TOCLIENT;
702  }
703 
704  AppLayerProfilingReset(tctx);
705 
706  /* if the protocol is still unknown, run detection */
707  if (f->alproto == ALPROTO_UNKNOWN) {
708  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
709  p->payload_len);
710 
711  bool reverse_flow = false;
714  f, p->payload, p->payload_len,
715  IPPROTO_UDP, flags, &reverse_flow);
717 
718  if (f->alproto != ALPROTO_UNKNOWN) {
719  AppLayerIncFlowCounter(tv, f);
720 
721  if (reverse_flow) {
722  SCLogDebug("reversing flow after proto detect told us so");
723  PacketSwap(p);
724  FlowSwap(f);
726  }
727 
729  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
730  flags, p->payload, p->payload_len);
732  } else {
733  f->alproto = ALPROTO_FAILED;
734  AppLayerIncFlowCounter(tv, f);
735  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
736  }
738  /* we do only inspection in one direction, so flag both
739  * sides as done here */
740  FlagPacketFlow(p, f, STREAM_TOSERVER);
741  FlagPacketFlow(p, f, STREAM_TOCLIENT);
742  } else {
743  SCLogDebug("data (len %" PRIu32 " ), alproto "
744  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
745 
746  /* run the parser */
748  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
749  flags, p->payload, p->payload_len);
752  }
753 
754  SCReturnInt(r);
755 }
756 
757 /***** Utility *****/
758 
759 AppProto AppLayerGetProtoByName(char *alproto_name)
760 {
761  SCEnter();
763  SCReturnCT(r, "AppProto");
764 }
765 
767 {
768  SCEnter();
769  const char * r = AppLayerProtoDetectGetProtoName(alproto);
770  SCReturnCT(r, "char *");
771 }
772 
774 {
775  SCEnter();
776 
778  AppProto alprotos[ALPROTO_MAX];
779 
781 
782  printf("=========Supported App Layer Protocols=========\n");
783  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
784  if (alprotos[alproto] == 1)
785  printf("%s\n", AppLayerGetProtoName(alproto));
786  }
787 
788  SCReturn;
789 }
790 
791 /***** Setup/General Registration *****/
792 
793 int AppLayerSetup(void)
794 {
795  SCEnter();
796 
799 
802 
804 
805  SCReturnInt(0);
806 }
807 
809 {
810  SCEnter();
811 
814 
816 
817  SCReturnInt(0);
818 }
819 
821 {
822  SCEnter();
823 
824  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
825  if (app_tctx == NULL)
826  goto error;
827  memset(app_tctx, 0, sizeof(*app_tctx));
828 
829  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
830  goto error;
831  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
832  goto error;
833 
834  goto done;
835  error:
836  AppLayerDestroyCtxThread(app_tctx);
837  app_tctx = NULL;
838  done:
839  SCReturnPtr(app_tctx, "void *");
840 }
841 
843 {
844  SCEnter();
845 
846  if (app_tctx == NULL)
847  SCReturn;
848 
849  if (app_tctx->alpd_tctx != NULL)
851  if (app_tctx->alp_tctx != NULL)
853  SCFree(app_tctx);
854 
855  SCReturn;
856 }
857 
859 {
860  PACKET_PROFILING_APP_RESET(app_tctx);
861 }
862 
864 {
865  PACKET_PROFILING_APP_STORE(app_tctx, p);
866 }
867 
868 /** \brief HACK to work around our broken unix manager (re)init loop
869  */
871 {
876  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
877 }
878 
879 #define IPPROTOS_MAX 2
881 {
882  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
883  uint8_t ipproto;
885  AppProto alprotos[ALPROTO_MAX];
886  const char *str = "app_layer.flow.";
887 
889 
890  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
891  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
892  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
893  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
894 
895  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
896  if (alprotos[alproto] == 1) {
897  const char *tx_str = "app_layer.tx.";
898  const char *alproto_str = AppLayerGetProtoName(alproto);
899 
900  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
901  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
902  {
903  snprintf(applayer_counter_names[ipproto_map][alproto].name,
904  sizeof(applayer_counter_names[ipproto_map][alproto].name),
905  "%s%s%s", str, alproto_str, ipproto_suffix);
906  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
907  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
908  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
909  } else {
910  snprintf(applayer_counter_names[ipproto_map][alproto].name,
911  sizeof(applayer_counter_names[ipproto_map][alproto].name),
912  "%s%s", str, alproto_str);
913  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
914  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
915  "%s%s", tx_str, alproto_str);
916  }
917  } else if (alproto == ALPROTO_FAILED) {
918  snprintf(applayer_counter_names[ipproto_map][alproto].name,
919  sizeof(applayer_counter_names[ipproto_map][alproto].name),
920  "%s%s%s", str, "failed", ipproto_suffix);
921  }
922  }
923  }
924 }
925 
927 {
928  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
929  uint8_t ipproto;
931  AppProto alprotos[ALPROTO_MAX];
932 
934 
935  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
936  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
937 
938  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
939  if (alprotos[alproto] == 1) {
940  applayer_counters[ipproto_map][alproto].counter_id =
941  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
942 
943  applayer_counters[ipproto_map][alproto].counter_tx_id =
944  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
945  } else if (alproto == ALPROTO_FAILED) {
946  applayer_counters[ipproto_map][alproto].counter_id =
947  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
948  }
949  }
950  }
951 }
952 
954 {
955  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
956  memset(applayer_counters, 0, sizeof(applayer_counters));
957 }
958 
959 /***** Unittests *****/
960 
961 #ifdef UNITTESTS
962 #include "pkt-var.h"
963 #include "stream-tcp.h"
964 #include "stream-tcp-util.h"
965 #include "stream.h"
966 #include "util-unittest.h"
967 
968 #define TEST_START \
969  Packet *p = SCMalloc(SIZE_OF_PACKET);\
970  FAIL_IF_NULL(p);\
971  Flow f;\
972  ThreadVars tv;\
973  StreamTcpThread *stt = NULL;\
974  TCPHdr tcph;\
975  PacketQueue pq;\
976  memset(&pq,0,sizeof(PacketQueue));\
977  memset(p, 0, SIZE_OF_PACKET);\
978  memset (&f, 0, sizeof(Flow));\
979  memset(&tv, 0, sizeof (ThreadVars));\
980  memset(&tcph, 0, sizeof (TCPHdr));\
981 \
982  FLOW_INITIALIZE(&f);\
983  f.flags = FLOW_IPV4;\
984  f.proto = IPPROTO_TCP;\
985  p->flow = &f;\
986  p->tcph = &tcph;\
987 \
988  StreamTcpInitConfig(TRUE);\
989  IPPairInitConfig(TRUE); \
990  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
991 \
992  /* handshake */\
993  tcph.th_win = htons(5480);\
994  tcph.th_flags = TH_SYN;\
995  p->flowflags = FLOW_PKT_TOSERVER;\
996  p->payload_len = 0;\
997  p->payload = NULL;\
998  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
999  TcpSession *ssn = (TcpSession *)f.protoctx;\
1000 \
1001  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1002  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1003  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1004  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1005  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1006  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1007  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1008  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1009  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1010  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1011  FAIL_IF(ssn->data_first_seen_dir != 0);\
1012 \
1013  /* handshake */\
1014  p->tcph->th_ack = htonl(1);\
1015  p->tcph->th_flags = TH_SYN | TH_ACK;\
1016  p->flowflags = FLOW_PKT_TOCLIENT;\
1017  p->payload_len = 0;\
1018  p->payload = NULL;\
1019  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1020  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1021  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1022  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1023  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1024  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1025  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1026  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1027  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1028  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1029  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1030  FAIL_IF(ssn->data_first_seen_dir != 0);\
1031 \
1032  /* handshake */\
1033  p->tcph->th_ack = htonl(1);\
1034  p->tcph->th_seq = htonl(1);\
1035  p->tcph->th_flags = TH_ACK;\
1036  p->flowflags = FLOW_PKT_TOSERVER;\
1037  p->payload_len = 0;\
1038  p->payload = NULL;\
1039  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1040  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1041  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1042  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1043  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1044  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1045  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1046  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1047  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1048  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1049  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1050  FAIL_IF(ssn->data_first_seen_dir != 0);
1051 #define TEST_END \
1052  StreamTcpSessionClear(p->flow->protoctx);\
1053  StreamTcpThreadDeinit(&tv, (void *)stt); \
1054  StreamTcpFreeConfig(TRUE);\
1055  PACKET_DESTRUCTOR(p);\
1056  SCFree(p);\
1057  FLOW_DESTROY(&f); \
1058  StatsThreadCleanup(&tv);
1059 
1060 /**
1061  * \test GET -> HTTP/1.1
1062  */
1063 static int AppLayerTest01(void)
1064 {
1065  TEST_START;
1066 
1067  /* full request */
1068  uint8_t request[] = {
1069  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1070  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1071  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1072  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1073  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1074  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1075  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1076  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1077  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1078  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1079  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1080  p->tcph->th_ack = htonl(1);
1081  p->tcph->th_seq = htonl(1);
1082  p->tcph->th_flags = TH_PUSH | TH_ACK;
1084  p->payload_len = sizeof(request);
1085  p->payload = request;
1086  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1098 
1099  /* full response - request ack */
1100  uint8_t response[] = {
1101  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1102  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1103  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1104  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1105  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1106  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1107  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1108  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1109  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1110  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1111  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1112  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1113  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1114  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1115  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1116  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1117  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1118  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1119  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1120  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1121  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1122  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1123  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1124  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1125  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1126  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1127  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1128  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1129  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1130  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1131  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1132  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1133  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1134  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1135  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1136  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1137  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1138  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1139  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1140  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1141  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1142  p->tcph->th_ack = htonl(88);
1143  p->tcph->th_seq = htonl(1);
1144  p->tcph->th_flags = TH_PUSH | TH_ACK;
1146  p->payload_len = sizeof(response);
1147  p->payload = response;
1148  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1160 
1161  /* response ack */
1162  p->tcph->th_ack = htonl(328);
1163  p->tcph->th_seq = htonl(88);
1164  p->tcph->th_flags = TH_ACK;
1166  p->payload_len = 0;
1167  p->payload = NULL;
1168  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1180 
1181  TEST_END;
1182  PASS;
1183 }
1184 
1185 /**
1186  * \test GE -> T -> HTTP/1.1
1187  */
1188 static int AppLayerTest02(void)
1189 {
1190  TEST_START;
1191 
1192  /* partial request */
1193  uint8_t request1[] = { 0x47, 0x45, };
1194  p->tcph->th_ack = htonl(1);
1195  p->tcph->th_seq = htonl(1);
1196  p->tcph->th_flags = TH_PUSH | TH_ACK;
1198  p->payload_len = sizeof(request1);
1199  p->payload = request1;
1200  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1212 
1213  /* response ack against partial request */
1214  p->tcph->th_ack = htonl(3);
1215  p->tcph->th_seq = htonl(1);
1216  p->tcph->th_flags = TH_ACK;
1218  p->payload_len = 0;
1219  p->payload = NULL;
1220  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1232 
1233  /* complete partial request */
1234  uint8_t request2[] = {
1235  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1236  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1237  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1238  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1239  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1240  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1241  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1242  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1243  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1244  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1245  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1246  p->tcph->th_ack = htonl(1);
1247  p->tcph->th_seq = htonl(3);
1248  p->tcph->th_flags = TH_PUSH | TH_ACK;
1250  p->payload_len = sizeof(request2);
1251  p->payload = request2;
1252  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1264 
1265  /* response - request ack */
1266  uint8_t response[] = {
1267  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1268  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1269  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1270  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1271  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1272  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1273  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1274  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1275  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1276  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1277  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1278  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1279  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1280  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1281  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1282  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1283  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1284  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1285  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1286  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1287  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1288  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1289  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1290  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1291  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1292  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1293  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1294  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1295  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1296  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1297  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1298  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1299  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1300  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1301  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1302  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1303  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1304  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1305  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1306  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1307  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1308  p->tcph->th_ack = htonl(88);
1309  p->tcph->th_seq = htonl(1);
1310  p->tcph->th_flags = TH_PUSH | TH_ACK;
1312  p->payload_len = sizeof(response);
1313  p->payload = response;
1314  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1326 
1327  /* response ack */
1328  p->tcph->th_ack = htonl(328);
1329  p->tcph->th_seq = htonl(88);
1330  p->tcph->th_flags = TH_ACK;
1332  p->payload_len = 0;
1333  p->payload = NULL;
1334  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1346 
1347  TEST_END;
1348  PASS;
1349 }
1350 
1351 /**
1352  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1353  */
1354 static int AppLayerTest03(void)
1355 {
1356  TEST_START;
1357 
1358  /* request */
1359  uint8_t request[] = {
1360  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1361  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1362  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1363  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1364  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1365  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1366  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1367  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1368  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1369  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1370  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1371  p->tcph->th_ack = htonl(1);
1372  p->tcph->th_seq = htonl(1);
1373  p->tcph->th_flags = TH_PUSH | TH_ACK;
1375  p->payload_len = sizeof(request);
1376  p->payload = request;
1377  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1389 
1390  /* rubbish response */
1391  uint8_t response[] = {
1392  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1393  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1394  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1395  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1396  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1397  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1398  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1399  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1400  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1401  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1402  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1403  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1404  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1405  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1406  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1407  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1408  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1409  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1410  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1411  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1412  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1413  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1414  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1415  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1416  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1417  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1418  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1419  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1420  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1421  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1422  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1423  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1424  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1425  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1426  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1427  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1428  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1429  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1430  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1431  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1432  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1433  p->tcph->th_ack = htonl(88);
1434  p->tcph->th_seq = htonl(1);
1435  p->tcph->th_flags = TH_PUSH | TH_ACK;
1437  p->payload_len = sizeof(response);
1438  p->payload = response;
1439  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1451 
1452  /* response ack */
1453  p->tcph->th_ack = htonl(328);
1454  p->tcph->th_seq = htonl(88);
1455  p->tcph->th_flags = TH_ACK;
1457  p->payload_len = 0;
1458  p->payload = NULL;
1459  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1471 
1472  TEST_END;
1473  PASS;
1474 }
1475 
1476 /**
1477  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1478  */
1479 static int AppLayerTest04(void)
1480 {
1481  TEST_START;
1482 
1483  /* request */
1484  uint8_t request[] = {
1485  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1486  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1487  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1488  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1489  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1490  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1491  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1492  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1493  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1494  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1495  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1496  PrintRawDataFp(stdout, request, sizeof(request));
1497  p->tcph->th_ack = htonl(1);
1498  p->tcph->th_seq = htonl(1);
1499  p->tcph->th_flags = TH_PUSH | TH_ACK;
1501  p->payload_len = sizeof(request);
1502  p->payload = request;
1503  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1514  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1515 
1516  /* partial response */
1517  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1518  PrintRawDataFp(stdout, response1, sizeof(response1));
1519  p->tcph->th_ack = htonl(88);
1520  p->tcph->th_seq = htonl(1);
1521  p->tcph->th_flags = TH_PUSH | TH_ACK;
1523  p->payload_len = sizeof(response1);
1524  p->payload = response1;
1525  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1528  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1529  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1536  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1537 
1538  /* partial response ack */
1539  p->tcph->th_ack = htonl(5);
1540  p->tcph->th_seq = htonl(88);
1541  p->tcph->th_flags = TH_ACK;
1543  p->payload_len = 0;
1544  p->payload = NULL;
1545  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1548  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1549  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1555  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1556  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1557 
1558  /* remaining response */
1559  uint8_t response2[] = {
1560  0x2f, 0x31, 0x2e, 0x31,
1561  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1562  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1563  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1564  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1565  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1566  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1567  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1568  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1569  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1570  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1571  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1572  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1573  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1574  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1575  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1576  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1577  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1578  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1579  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1580  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1581  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1582  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1583  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1584  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1585  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1586  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1587  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1588  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1589  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1590  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1591  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1592  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1593  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1594  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1595  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1596  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1597  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1598  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1599  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1600  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1601  PrintRawDataFp(stdout, response2, sizeof(response2));
1602  p->tcph->th_ack = htonl(88);
1603  p->tcph->th_seq = htonl(5);
1604  p->tcph->th_flags = TH_PUSH | TH_ACK;
1606  p->payload_len = sizeof(response2);
1607  p->payload = response2;
1608  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1611  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1612  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1618  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1619  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1620 
1621  /* response ack */
1622  p->tcph->th_ack = htonl(328);
1623  p->tcph->th_seq = htonl(88);
1624  p->tcph->th_flags = TH_ACK;
1626  p->payload_len = 0;
1627  p->payload = NULL;
1628  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1629  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1631  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1632  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1633  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1638  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1639  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1640 
1641  TEST_END;
1642  PASS;
1643 }
1644 
1645 /**
1646  * \test RUBBISH -> HTTP/1.1
1647  */
1648 static int AppLayerTest05(void)
1649 {
1650  TEST_START;
1651 
1652  /* full request */
1653  uint8_t request[] = {
1654  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1655  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1656  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1657  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1658  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1659  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1660  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1661  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1662  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1663  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1664  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1665  PrintRawDataFp(stdout, request, sizeof(request));
1666  p->tcph->th_ack = htonl(1);
1667  p->tcph->th_seq = htonl(1);
1668  p->tcph->th_flags = TH_PUSH | TH_ACK;
1670  p->payload_len = sizeof(request);
1671  p->payload = request;
1672  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1684 
1685  /* full response - request ack */
1686  uint8_t response[] = {
1687  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1688  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1689  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1690  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1691  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1692  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1693  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1694  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1695  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1696  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1697  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1698  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1699  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1700  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1701  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1702  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1703  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1704  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1705  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1706  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1707  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1708  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1709  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1710  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1711  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1712  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1713  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1714  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1715  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1716  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1717  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1718  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1719  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1720  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1721  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1722  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1723  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1724  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1725  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1726  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1727  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1728  PrintRawDataFp(stdout, response, sizeof(response));
1729  p->tcph->th_ack = htonl(88);
1730  p->tcph->th_seq = htonl(1);
1731  p->tcph->th_flags = TH_PUSH | TH_ACK;
1733  p->payload_len = sizeof(response);
1734  p->payload = response;
1735  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1747 
1748  /* response ack */
1749  p->tcph->th_ack = htonl(328);
1750  p->tcph->th_seq = htonl(88);
1751  p->tcph->th_flags = TH_ACK;
1753  p->payload_len = 0;
1754  p->payload = NULL;
1755  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1767 
1768  TEST_END;
1769  PASS;
1770 }
1771 
1772 /**
1773  * \test HTTP/1.1 -> GET
1774  */
1775 static int AppLayerTest06(void)
1776 {
1777  TEST_START;
1778 
1779  /* full response - request ack */
1780  uint8_t response[] = {
1781  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1782  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1783  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1784  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1785  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1786  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1787  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1788  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1789  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1790  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1791  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1792  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1793  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1794  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1795  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1796  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1797  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1798  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1799  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1800  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1801  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1802  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1803  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1804  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1805  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1806  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1807  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1808  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1809  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1810  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1811  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1812  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1813  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1814  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1815  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1816  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1817  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1818  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1819  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1820  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1821  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1822  p->tcph->th_ack = htonl(1);
1823  p->tcph->th_seq = htonl(1);
1824  p->tcph->th_flags = TH_PUSH | TH_ACK;
1826  p->payload_len = sizeof(response);
1827  p->payload = response;
1828  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1840 
1841  /* full request - response ack*/
1842  uint8_t request[] = {
1843  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1844  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1845  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1846  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1847  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1848  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1849  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1850  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1851  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1852  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1853  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1854  p->tcph->th_ack = htonl(328);
1855  p->tcph->th_seq = htonl(1);
1856  p->tcph->th_flags = TH_PUSH | TH_ACK;
1858  p->payload_len = sizeof(request);
1859  p->payload = request;
1860  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1872 
1873  p->tcph->th_ack = htonl(1 + sizeof(request));
1874  p->tcph->th_seq = htonl(328);
1875  p->tcph->th_flags = TH_PUSH | TH_ACK;
1877  p->payload_len = 0;
1878  p->payload = NULL;
1879  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1891 
1892  TEST_END;
1893  PASS;
1894 }
1895 
1896 /**
1897  * \test GET -> DCERPC
1898  */
1899 static int AppLayerTest07(void)
1900 {
1901  TEST_START;
1902 
1903  /* full request */
1904  uint8_t request[] = {
1905  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1906  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1907  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1908  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1909  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1910  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1911  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1912  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1913  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1914  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1915  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1916  p->tcph->th_ack = htonl(1);
1917  p->tcph->th_seq = htonl(1);
1918  p->tcph->th_flags = TH_PUSH | TH_ACK;
1920  p->payload_len = sizeof(request);
1921  p->payload = request;
1922  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1934 
1935  /* full response - request ack */
1936  uint8_t response[] = {
1937  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1938  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1939  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1940  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1941  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1942  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1943  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1944  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1945  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1946  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1947  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1948  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1949  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1950  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1951  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1952  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1953  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1954  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1955  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1956  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1957  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1958  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1959  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1960  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1961  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1962  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1963  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1964  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1965  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1966  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1967  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1968  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1969  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1970  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1971  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1972  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1973  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1974  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1975  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1976  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1977  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1978  p->tcph->th_ack = htonl(88);
1979  p->tcph->th_seq = htonl(1);
1980  p->tcph->th_flags = TH_PUSH | TH_ACK;
1982  p->payload_len = sizeof(response);
1983  p->payload = response;
1984  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1996 
1997  /* response ack */
1998  p->tcph->th_ack = htonl(328);
1999  p->tcph->th_seq = htonl(88);
2000  p->tcph->th_flags = TH_ACK;
2002  p->payload_len = 0;
2003  p->payload = NULL;
2004  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2016 
2017  TEST_END;
2018  PASS;
2019 }
2020 
2021 /**
2022  * \test SMB -> HTTP/1.1
2023  */
2024 static int AppLayerTest08(void)
2025 {
2026  TEST_START;
2027 
2028  /* full request */
2029  uint8_t request[] = {
2030  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2031  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2032  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2033  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2034  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2035  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2036  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2037  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2038  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2039  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2040  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2041  p->tcph->th_ack = htonl(1);
2042  p->tcph->th_seq = htonl(1);
2043  p->tcph->th_flags = TH_PUSH | TH_ACK;
2045  p->payload_len = sizeof(request);
2046  p->payload = request;
2047  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2059 
2060  /* full response - request ack */
2061  uint8_t response[] = {
2062  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2063  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2064  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2065  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2066  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2067  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2068  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2069  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2070  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2071  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2072  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2073  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2074  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2075  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2076  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2077  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2078  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2079  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2080  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2081  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2082  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2083  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2084  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2085  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2086  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2087  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2088  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2089  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2090  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2091  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2092  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2093  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2094  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2095  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2096  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2097  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2098  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2099  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2100  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2101  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2102  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2103  p->tcph->th_ack = htonl(88);
2104  p->tcph->th_seq = htonl(1);
2105  p->tcph->th_flags = TH_PUSH | TH_ACK;
2107  p->payload_len = sizeof(response);
2108  p->payload = response;
2109  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2121 
2122  /* response ack */
2123  p->tcph->th_ack = htonl(328);
2124  p->tcph->th_seq = htonl(88);
2125  p->tcph->th_flags = TH_ACK;
2127  p->payload_len = 0;
2128  p->payload = NULL;
2129  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2141 
2142  TEST_END;
2143  PASS;
2144 }
2145 
2146 /**
2147  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2148  * RUBBISH(TC - PM and PP DONE) ->
2149  * RUBBISH(TS - PM and PP DONE)
2150  */
2151 static int AppLayerTest09(void)
2152 {
2153  TEST_START;
2154 
2155  /* full request */
2156  uint8_t request1[] = {
2157  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2158  p->tcph->th_ack = htonl(1);
2159  p->tcph->th_seq = htonl(1);
2160  p->tcph->th_flags = TH_PUSH | TH_ACK;
2162  p->payload_len = sizeof(request1);
2163  p->payload = request1;
2164  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2176 
2177  /* response - request ack */
2178  p->tcph->th_ack = htonl(9);
2179  p->tcph->th_seq = htonl(1);
2180  p->tcph->th_flags = TH_PUSH | TH_ACK;
2182  p->payload_len = 0;
2183  p->payload = NULL;
2184  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2196 
2197  /* full request */
2198  uint8_t request2[] = {
2199  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2200  p->tcph->th_ack = htonl(1);
2201  p->tcph->th_seq = htonl(9);
2202  p->tcph->th_flags = TH_PUSH | TH_ACK;
2204  p->payload_len = sizeof(request2);
2205  p->payload = request2;
2206  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2218 
2219  /* full response - request ack */
2220  uint8_t response[] = {
2221  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2222  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2223  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2224  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2225  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2226  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2227  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2228  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2229  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2230  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2231  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2232  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2233  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2234  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2235  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2236  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2237  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2238  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2239  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2240  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2241  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2242  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2243  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2244  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2245  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2246  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2247  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2248  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2249  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2250  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2251  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2252  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2253  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2254  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2255  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2256  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2257  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2258  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2259  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2260  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2261  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2262  p->tcph->th_ack = htonl(18);
2263  p->tcph->th_seq = htonl(1);
2264  p->tcph->th_flags = TH_PUSH | TH_ACK;
2266  p->payload_len = sizeof(response);
2267  p->payload = response;
2268  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2280 
2281  /* response ack */
2282  p->tcph->th_ack = htonl(328);
2283  p->tcph->th_seq = htonl(18);
2284  p->tcph->th_flags = TH_ACK;
2286  p->payload_len = 0;
2287  p->payload = NULL;
2288  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2300 
2301  TEST_END;
2302  PASS;
2303 }
2304 
2305 /**
2306  * \test RUBBISH(TC - PM and PP DONE) ->
2307  * RUBBISH(TS - PM and PP DONE)
2308  */
2309 static int AppLayerTest10(void)
2310 {
2311  TEST_START;
2312 
2313  /* full request */
2314  uint8_t request1[] = {
2315  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2316  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2317  p->tcph->th_ack = htonl(1);
2318  p->tcph->th_seq = htonl(1);
2319  p->tcph->th_flags = TH_PUSH | TH_ACK;
2321  p->payload_len = sizeof(request1);
2322  p->payload = request1;
2323  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2335 
2336  /* response - request ack */
2337  p->tcph->th_ack = htonl(18);
2338  p->tcph->th_seq = htonl(1);
2339  p->tcph->th_flags = TH_PUSH | TH_ACK;
2341  p->payload_len = 0;
2342  p->payload = NULL;
2343  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2355 
2356  /* full response - request ack */
2357  uint8_t response[] = {
2358  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2359  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2360  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2361  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2362  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2363  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2364  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2365  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2366  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2367  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2368  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2369  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2370  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2371  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2372  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2373  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2374  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2375  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2376  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2377  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2378  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2379  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2380  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2381  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2382  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2383  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2384  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2385  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2386  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2387  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2388  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2389  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2390  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2391  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2392  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2393  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2394  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2395  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2396  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2397  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2398  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2399  p->tcph->th_ack = htonl(18);
2400  p->tcph->th_seq = htonl(1);
2401  p->tcph->th_flags = TH_PUSH | TH_ACK;
2403  p->payload_len = sizeof(response);
2404  p->payload = response;
2405  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2417 
2418  /* response ack */
2419  p->tcph->th_ack = htonl(328);
2420  p->tcph->th_seq = htonl(18);
2421  p->tcph->th_flags = TH_ACK;
2423  p->payload_len = 0;
2424  p->payload = NULL;
2425  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2437 
2438  TEST_END;
2439  PASS;
2440 }
2441 
2442 /**
2443  * \test RUBBISH(TC - PM and PP DONE) ->
2444  * RUBBISH(TS - PM and PP NOT DONE) ->
2445  * RUBBISH(TS - PM and PP DONE)
2446  */
2447 static int AppLayerTest11(void)
2448 {
2449  TEST_START;
2450 
2451  /* full request */
2452  uint8_t request1[] = {
2453  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2454  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2455  p->tcph->th_ack = htonl(1);
2456  p->tcph->th_seq = htonl(1);
2457  p->tcph->th_flags = TH_PUSH | TH_ACK;
2459  p->payload_len = sizeof(request1);
2460  p->payload = request1;
2461  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2473 
2474  /* response - request ack */
2475  p->tcph->th_ack = htonl(18);
2476  p->tcph->th_seq = htonl(1);
2477  p->tcph->th_flags = TH_PUSH | TH_ACK;
2479  p->payload_len = 0;
2480  p->payload = NULL;
2481  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2493 
2494  /* full response - request ack */
2495  uint8_t response1[] = {
2496  0x55, 0x74, 0x54, 0x50, };
2497  p->tcph->th_ack = htonl(18);
2498  p->tcph->th_seq = htonl(1);
2499  p->tcph->th_flags = TH_PUSH | TH_ACK;
2501  p->payload_len = sizeof(response1);
2502  p->payload = response1;
2503  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2515 
2516  /* response ack from request */
2517  p->tcph->th_ack = htonl(5);
2518  p->tcph->th_seq = htonl(18);
2519  p->tcph->th_flags = TH_ACK;
2521  p->payload_len = 0;
2522  p->payload = NULL;
2523  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2535 
2536  uint8_t response2[] = {
2537  0x2f, 0x31, 0x2e, 0x31,
2538  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2539  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2540  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2541  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2542  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2543  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2544  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2545  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2546  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2547  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2548  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2549  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2550  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2551  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2552  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2553  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2554  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2555  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2556  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2557  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2558  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2559  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2560  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2561  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2562  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2563  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2564  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2565  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2566  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2567  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2568  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2569  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2570  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2571  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2572  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2573  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2574  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2575  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2576  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2577  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2578  p->tcph->th_ack = htonl(18);
2579  p->tcph->th_seq = htonl(5);
2580  p->tcph->th_flags = TH_PUSH | TH_ACK;
2582  p->payload_len = sizeof(response2);
2583  p->payload = response2;
2584  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2596 
2597  /* response ack from request */
2598  p->tcph->th_ack = htonl(328);
2599  p->tcph->th_seq = htonl(18);
2600  p->tcph->th_flags = TH_ACK;
2602  p->payload_len = 0;
2603  p->payload = NULL;
2604  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2616 
2617  TEST_END;
2618  PASS;
2619 }
2620 
2622 {
2623  SCEnter();
2624 
2625  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2626  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2627  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2628  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2629  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2630  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2631  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2632  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2633  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2634  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2635  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2636 
2637  SCReturn;
2638 }
2639 
2640 #endif /* UNITTESTS */
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
AppProto alproto_expect
Definition: flow.h:418
uint16_t flags
void FlowSwap(Flow *f)
swap the flow&#39;s direction
Definition: flow.c:289
#define SCLogDebug(...)
Definition: util-debug.h:335
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
AppProto alproto_tc
Definition: flow.h:411
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:567
#define TEST_END
Definition: app-layer.c:1051
uint16_t counter_id
Definition: app-layer.c:81
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
#define BUG_ON(x)
uint8_t proto
Definition: flow.h:344
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:808
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
#define PASS
Pass the test.
int AppLayerParserDeSetup(void)
#define STREAMTCP_STREAM_FLAG_GAP
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:858
#define SWAP_FLAGS(flags, a, b)
void StreamTcpDisableAppLayer(Flow *f)
uint64_t HTPMemuseGlobalCounter(void)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
#define IPPROTOS_MAX
Definition: app-layer.c:879
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:793
uint64_t ticks_spent
Definition: app-layer.c:66
uint64_t pcap_cnt
Definition: decode.h:561
uint16_t AppProto
uint64_t FTPMemuseGlobalCounter(void)
TCPHdr * tcph
Definition: decode.h:522
int EngineModeIsIPS(void)
Definition: suricata.c:245
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:863
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:759
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
uint64_t ticks_start
Definition: app-layer.c:64
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
#define STREAMTCP_FLAG_MIDSTREAM
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:773
#define SCReturnCT(x, type)
Definition: util-debug.h:351
void * protoctx
Definition: flow.h:400
uint64_t ExpectationGetCounter(void)
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
#define PACKET_PROFILING_APP_PD_START(dp)
void AppLayerParserRegisterProtocolParsers(void)
AppProto alproto
Definition: app-layer.c:67
struct AppLayerCounters_ AppLayerCounters
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:931
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4674
AppProto alproto_orig
Definition: flow.h:415
AppProto alproto_ts
Definition: flow.h:410
#define str(s)
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:258
uint16_t counter_tx_id
Definition: app-layer.c:82
#define STREAM_GAP
Definition: stream.h:33
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:820
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:248
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1114
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define DEBUG_ASSERT_FLOW_LOCKED(f)
#define SCEnter(...)
Definition: util-debug.h:337
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2621
uint64_t HTPMemcapGlobalCounter(void)
#define TH_ACK
Definition: decode-tcp.h:39
uint8_t flowflags
Definition: decode.h:439
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
struct AppLayerCounterNames_ AppLayerCounterNames
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
#define TH_PUSH
Definition: decode-tcp.h:38
uint64_t FTPMemcapGlobalCounter(void)
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:989
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:430
int8_t data_first_seen_dir
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
#define SCReturnInt(x)
Definition: util-debug.h:341
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
int AppLayerParserSetup(void)
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:563
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:953
#define SCMalloc(a)
Definition: util-mem.h:222
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
#define SCFree(a)
Definition: util-mem.h:322
#define PACKET_PROFILING_APP_STORE(dp, p)
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:249
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:842
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:870
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAM_START
Definition: stream.h:29
void AppLayerSetupCounters(void)
Definition: app-layer.c:880
#define STREAM_TOSERVER
Definition: stream.h:31
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
#define TEST_START
Definition: app-layer.c:968
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:256
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6286
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:766
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
#define PACKET_PROFILING_APP_END(dp, id)
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:257
#define PACKET_PROFILING_APP_RESET(dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:688
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
AppProto alproto
application level protocol
Definition: flow.h:409
The app layer protocol detection thread context.
uint32_t flags
Definition: decode.h:443
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
uint16_t payload_len
Definition: decode.h:541
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
#define likely(expr)
Definition: util-optimize.h:32
uint64_t ticks_end
Definition: app-layer.c:65
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6280
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
uint8_t protomap
Definition: flow.h:404
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:540
uint32_t flags
Definition: flow.h:379
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
#define PACKET_PROFILING_APP_PD_END(dp)
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:926
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1115
#define PACKET_PROFILING_APP_START(dp, id)