suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-htp-range.h"
35 #include "app-layer-detect-proto.h"
36 #include "app-layer-frames.h"
37 #include "app-layer-events.h"
38 #include "stream-tcp-reassemble.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-inline.h"
41 #include "stream-tcp.h"
42 #include "flow.h"
43 #include "flow-util.h"
44 #include "flow-private.h"
45 #include "ippair.h"
46 #include "util-debug.h"
47 #include "util-print.h"
48 #include "util-profiling.h"
49 #include "util-validate.h"
50 #include "decode-events.h"
51 #include "app-layer-htp-mem.h"
52 #include "util-exception-policy.h"
53 
54 extern bool g_stats_eps_per_app_proto_errors;
55 /**
56  * \brief This is for the app layer in general and it contains per thread
57  * context relevant to both the alpd and alp.
58  */
59 struct AppLayerThreadCtx_ {
60  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
61  AppLayerProtoDetectThreadCtx *alpd_tctx;
62  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
63  AppLayerParserThreadCtx *alp_tctx;
64 
65 #ifdef PROFILING
66  uint64_t ticks_start;
67  uint64_t ticks_end;
68  uint64_t ticks_spent;
69  AppProto alproto;
70  uint64_t proto_detect_ticks_start;
71  uint64_t proto_detect_ticks_end;
72  uint64_t proto_detect_ticks_spent;
73 #endif
74 };
75 
76 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
77 
78 #define MAX_COUNTER_SIZE 64
79 typedef struct AppLayerCounterNames_ {
80  char name[MAX_COUNTER_SIZE];
81  char tx_name[MAX_COUNTER_SIZE];
82  char gap_error[MAX_COUNTER_SIZE];
83  char parser_error[MAX_COUNTER_SIZE];
84  char internal_error[MAX_COUNTER_SIZE];
85  char alloc_error[MAX_COUNTER_SIZE];
86  char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE];
87 } AppLayerCounterNames;
88 
89 typedef struct AppLayerCounters_ {
90  StatsCounterId counter_id;
91  StatsCounterId counter_tx_id;
92  StatsCounterId gap_error_id;
93  StatsCounterId parser_error_id;
94  StatsCounterId internal_error_id;
95  StatsCounterId alloc_error_id;
96  ExceptionPolicyCounters eps_error;
97 } AppLayerCounters;
98 
99 /* counter names. Only used at init. */
100 AppLayerCounterNames (*applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX];
101 /* counter id's. Used that runtime. */
102 AppLayerCounters (*applayer_counters)[FLOW_PROTO_APPLAYER_MAX];
103 /* Exception policy global counters ids */
104 ExceptionPolicyCounters eps_error_summary;
105 
106 /* Settings order as in the enum */
107 // clang-format off
108 ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
109  .valid_settings_ids = {
110  /* EXCEPTION_POLICY_NOT_SET */ false,
111  /* EXCEPTION_POLICY_AUTO */ false,
112  /* EXCEPTION_POLICY_PASS_PACKET */ true,
113  /* EXCEPTION_POLICY_PASS_FLOW */ true,
114  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
115  /* EXCEPTION_POLICY_DROP_PACKET */ false,
116  /* EXCEPTION_POLICY_DROP_FLOW */ false,
117  /* EXCEPTION_POLICY_REJECT */ true,
118  /* EXCEPTION_POLICY_REJECT_BOTH */ true,
119  },
120  .valid_settings_ips = {
121  /* EXCEPTION_POLICY_NOT_SET */ false,
122  /* EXCEPTION_POLICY_AUTO */ false,
123  /* EXCEPTION_POLICY_PASS_PACKET */ true,
124  /* EXCEPTION_POLICY_PASS_FLOW */ true,
125  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
126  /* EXCEPTION_POLICY_DROP_PACKET */ true,
127  /* EXCEPTION_POLICY_DROP_FLOW */ true,
128  /* EXCEPTION_POLICY_REJECT */ true,
129  /* EXCEPTION_POLICY_REJECT_BOTH */ true,
130  },
131 };
132 // clang-format on
133 
134 void AppLayerSetupCounters(void);
135 void AppLayerDeSetupCounters(void);
136 
137 /***** L7 layer dispatchers *****/
138 
139 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
140  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
141  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
142  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
143 }
144 
145 /**
146  * \note id can be 0 if protocol parser is disabled but detection
147  * is enabled.
148  */
149 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
150 {
151  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].counter_id;
152  if (likely(tv && id.id > 0)) {
153  StatsCounterIncr(&tv->stats, id);
154  }
155 }
156 
157 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, int64_t step)
158 {
159  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].counter_tx_id;
160  if (likely(tv && id.id > 0)) {
161  StatsCounterAddI64(&tv->stats, id, step);
162  }
163 }
164 
165 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
166 {
167  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].gap_error_id;
168  if (likely(tv && id.id > 0)) {
169  StatsCounterIncr(&tv->stats, id);
170  }
171 }
172 
173 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
174 {
175  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].alloc_error_id;
176  if (likely(tv && id.id > 0)) {
177  StatsCounterIncr(&tv->stats, id);
178  }
179 }
180 
181 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
182 {
183  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].parser_error_id;
184  if (likely(tv && id.id > 0)) {
185  StatsCounterIncr(&tv->stats, id);
186  }
187 }
188 
189 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
190 {
191  const StatsCounterId id = applayer_counters[f->alproto][f->protomap].internal_error_id;
192  if (likely(tv && id.id > 0)) {
193  StatsCounterIncr(&tv->stats, id);
194  }
195 }
196 
197 static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum ExceptionPolicy policy)
198 {
199 #ifdef UNITTESTS
200  if (tv == NULL) {
201  return;
202  }
203 #endif
204  StatsCounterId id = applayer_counters[f->alproto][f->protomap].eps_error.eps_id[policy];
205  /* for the summary values */
206  StatsCounterId g_id = eps_error_summary.eps_id[policy];
207 
208  if (likely(id.id > 0)) {
209  StatsCounterIncr(&tv->stats, id);
210  }
211  if (likely(g_id.id > 0)) {
212  StatsCounterIncr(&tv->stats, g_id);
213  }
214 }
215 
216 /* in IDS mode protocol detection is done in reverse order:
217  * when TCP data is ack'd. We want to flag the correct packet,
218  * so in this case we set a flag in the flow so that the first
219  * packet in the correct direction can be tagged.
220  *
221  * For IPS we update packet and flow. */
222 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
223 {
224  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
225  if (flags & STREAM_TOSERVER) {
226  if (p->flowflags & FLOW_PKT_TOSERVER) {
227  p->flags |= PKT_PROTO_DETECT_TS_DONE;
228  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
229  } else {
230  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
231  }
232  } else {
233  if (p->flowflags & FLOW_PKT_TOCLIENT) {
234  p->flags |= PKT_PROTO_DETECT_TC_DONE;
235  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
236  } else {
237  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
238  }
239  }
240  } else {
241  if (flags & STREAM_TOSERVER) {
242  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
243  } else {
244  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
245  }
246  }
247 }
248 
249 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
250 {
251  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
252  f, f->alproto, f->alproto_ts, f->alproto_tc);
253  FlowCleanupAppLayer(f);
254  StreamTcpDisableAppLayer(f);
255  TcpSession *ssn = f->protoctx;
256  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
257  f->alproto = ALPROTO_FAILED;
258  AppLayerIncFlowCounter(tv, f);
259 
260  if (f->alproto_tc != ALPROTO_FAILED) {
261  if (f->alproto_tc == ALPROTO_UNKNOWN) {
262  f->alproto_tc = ALPROTO_FAILED;
263  }
264  FlagPacketFlow(p, f, STREAM_TOCLIENT);
265  }
266  if (f->alproto_ts != ALPROTO_FAILED) {
267  if (f->alproto_ts == ALPROTO_UNKNOWN) {
268  f->alproto_ts = ALPROTO_FAILED;
269  }
270  FlagPacketFlow(p, f, STREAM_TOSERVER);
271  }
272  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
273  f, f->alproto, f->alproto_ts, f->alproto_tc);
274 }
275 
276 /* See if we're going to have to give up:
277  *
278  * If we're getting a lot of data in one direction and the
279  * proto for this direction is unknown, proto detect will
280  * hold up segments in the segment list in the stream.
281  * They are held so that if we detect the protocol on the
282  * opposing stream, we can still parse this side of the stream
283  * as well. However, some sessions are very unbalanced. FTP
284  * data channels, large PUT/POST request and many others, can
285  * lead to cases where we would have to store many megabytes
286  * worth of segments before we see the opposing stream. This
287  * leads to risks of resource starvation.
288  *
289  * Here a cutoff point is enforced. If we've stored 100k in
290  * one direction and we've seen no data in the other direction,
291  * we give up.
292  *
293  * Giving up means we disable applayer an set an applayer event
294  */
295 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
296  Flow *f, TcpSession *ssn, Packet *p)
297 {
298  if (ssn->state < TCP_ESTABLISHED) {
299  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
300  return;
301  }
302 
303  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
304  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
305  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
306 
307  /* at least 100000 whatever the conditions
308  * and can be more if window is bigger and if configuration allows it */
309  const uint32_t size_tc_limit =
310  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
311  const uint32_t size_ts_limit =
312  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
313 
314  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
315  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
316  {
317  goto failure;
318 
319  /* we bail out whatever the pp and pm states if
320  * we received too much data */
321  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
322  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
323  goto failure;
324 
325  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
326  size_ts > size_ts_limit && size_tc == 0) {
327  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
328  goto failure;
329 
330  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
331  size_tc > size_tc_limit && size_ts == 0) {
332  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
333  goto failure;
334 
335  /* little data in ts direction, pp done, pm not done (max
336  * depth not reached), ts direction done, lots of data in
337  * tc direction. */
338  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
339  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
340  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
341  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
342  goto failure;
343 
344  /* little data in tc direction, pp done, pm not done (max
345  * depth not reached), tc direction done, lots of data in
346  * ts direction. */
347  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
348  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
349  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
350  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
351  goto failure;
352  }
353  return;
354 
355 failure:
356  DisableAppLayer(tv, f, p);
357 }
358 
359 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
360  Packet *p, TcpSession *ssn, const TcpStream *stream)
361 {
362  TcpStream *opposing_stream = NULL;
363  if (stream == &ssn->client) {
364  opposing_stream = &ssn->server;
365  } else {
366  opposing_stream = &ssn->client;
367  }
368 
369  /* if the opposing side is not going to work, then
370  * we just have to give up. */
371  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
372  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
373  return -1;
374  }
375 
376  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
377  UPDATE_DIR_OPPOSING :
378  UPDATE_DIR_PACKET;
379  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
380  opposing_stream, p, dir);
381  return ret;
382 }
383 
384 extern enum ExceptionPolicy g_applayerparser_error_policy;
385 
386 /** \todo data const
387  * \retval int -1 error
388  * \retval int 0 ok
389  */
390 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
391  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
392  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
393 {
394  AppProto *alproto;
395  AppProto *alproto_otherdir;
396  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
397 
398  if (flags & STREAM_TOSERVER) {
399  alproto = &f->alproto_ts;
400  alproto_otherdir = &f->alproto_tc;
401  } else {
402  alproto = &f->alproto_tc;
403  alproto_otherdir = &f->alproto_ts;
404  }
405 
406  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
407 #ifdef PRINT
408  if (data_len > 0) {
409  printf("=> Init Stream Data (app layer) -- start %s%s\n",
410  flags & STREAM_TOCLIENT ? "toclient" : "",
411  flags & STREAM_TOSERVER ? "toserver" : "");
412  PrintRawDataFp(stdout, data, data_len);
413  printf("=> Init Stream Data -- end\n");
414  }
415 #endif
416 
417  bool reverse_flow = false;
418  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
419  PACKET_PROFILING_APP_PD_START(app_tctx);
420  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
421  f, data, data_len,
422  IPPROTO_TCP, flags, &reverse_flow);
423  PACKET_PROFILING_APP_PD_END(app_tctx);
424  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
425 
426  if (*alproto != ALPROTO_UNKNOWN) {
427  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
428  SCAppLayerDecoderEventsSetEventRaw(
429  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
430 
431  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
432  /* if we already invoked the parser, we go with that proto */
433  f->alproto = *alproto_otherdir;
434  } else {
435  /* no data sent to parser yet, we can still choose
436  * we're trusting the server more. */
437  if (flags & STREAM_TOCLIENT)
438  f->alproto = *alproto;
439  else
440  f->alproto = *alproto_otherdir;
441  }
442  } else {
443  f->alproto = *alproto;
444  }
445 
446  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
447  TcpSessionSetReassemblyDepth(ssn,
448  AppLayerParserGetStreamDepth(f));
449  FlagPacketFlow(p, f, flags);
450 
451  /* if protocol detection indicated that we need to reverse
452  * the direction of the flow, do it now. We flip the flow,
453  * packet and the direction flags */
454  if (reverse_flow &&
455  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
456  STREAMTCP_FLAG_MIDSTREAM)) {
457  /* but only if we didn't already detect it on the other side. */
458  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
459  SCLogDebug("reversing flow after proto detect told us so");
460  PacketSwap(p);
461  FlowSwap(f);
462  // Will reset signature groups in DetectRunSetup
463  f->de_ctx_version = UINT32_MAX;
464  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
465  if (*stream == &ssn->client) {
466  *stream = &ssn->server;
467  } else {
468  *stream = &ssn->client;
469  }
470  direction = 1 - direction;
471  } else {
472  // TODO event, error?
473  }
474  }
475 
476  /* account flow if we have both sides */
477  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
478  AppLayerIncFlowCounter(tv, f);
479  }
480 
481  /* if we have seen data from the other direction first, send
482  * data for that direction first to the parser. This shouldn't
483  * be an issue, since each stream processing happens
484  * independently of the other stream direction. At this point of
485  * call, you need to know that this function's already being
486  * called by the very same StreamReassembly() function that we
487  * will now call shortly for the opposing direction. */
488  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
489  !(flags & ssn->data_first_seen_dir))
490  {
491  SCLogDebug("protocol %s needs first data in other direction",
492  AppProtoToString(*alproto));
493 
494  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
495  p, ssn, *stream) != 0)
496  {
497  goto detect_error;
498  }
499  if (FlowChangeProto(f)) {
500  /* We have the first data which requested a protocol change from P1 to P2
501  * even if it was not recognized at first as being P1
502  * As the second data was recognized as P1, the protocol did not change !
503  */
504  FlowUnsetChangeProtoFlag(f);
505  SCAppLayerDecoderEventsSetEventRaw(
506  &p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
507  }
508  }
509 
510  /* if the parser operates such that it needs to see data from
511  * a particular direction first, we check if we have seen
512  * data from that direction first for the flow. IF it is not
513  * the same, we set an event and exit.
514  *
515  * \todo We need to figure out a more robust solution for this,
516  * as this can lead to easy evasion tactics, where the
517  * attacker can first send some dummy data in the wrong
518  * direction first to mislead our proto detection process.
519  * While doing this we need to update the parsers as well,
520  * since the parsers must be robust to see such wrong
521  * direction data.
522  * Either ways the moment we see the
523  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
524  * flow, it shows something's fishy.
525  */
526  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
527  uint8_t first_data_dir;
528  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
529 
530  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
531  SCAppLayerDecoderEventsSetEventRaw(
532  &p->app_layer_events, APPLAYER_WRONG_DIRECTION_FIRST_DATA);
533  goto detect_error;
534  }
535  /* This can happen if the current direction is not the
536  * right direction, and the data from the other(also
537  * the right direction) direction is available to be sent
538  * to the app layer, but it is not ack'ed yet and hence
539  * the forced call to STreamTcpAppLayerReassemble still
540  * hasn't managed to send data from the other direction
541  * to the app layer. */
542  if (first_data_dir && !(first_data_dir & flags)) {
543  FlowCleanupAppLayer(f);
544  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
545  FLOW_RESET_PP_DONE(f, flags);
546  FLOW_RESET_PM_DONE(f, flags);
547  FLOW_RESET_PE_DONE(f, flags);
548  SCReturnInt(-1);
549  }
550  }
551 
552  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
553  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
554 
555  /* finally, invoke the parser */
556  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
557  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
558  flags, data, data_len);
559  PACKET_PROFILING_APP_END(app_tctx);
560  p->app_update_direction = (uint8_t)app_update_dir;
561  if (r != 1) {
562  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
563  }
564  if (r == 0) {
565  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
566  TcpStream *opposing_stream;
567  if (*stream == &ssn->client) {
568  opposing_stream = &ssn->server;
569  } else {
570  opposing_stream = &ssn->client;
571  }
572  if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) {
573  // can happen in detection-only
574  AppLayerIncFlowCounter(tv, f);
575  }
576  }
577  }
578  if (r < 0) {
579  goto parser_error;
580  }
581  } else {
582  /* if the ssn is midstream, we may end up with a case where the
583  * start of an HTTP request is missing. We won't detect HTTP based
584  * on the request. However, the reply is fine, so we detect
585  * HTTP anyway. This leads to passing the incomplete request to
586  * the htp parser.
587  *
588  * This has been observed, where the http parser then saw many
589  * bogus requests in the incomplete data.
590  *
591  * To counter this case, a midstream session MUST find it's
592  * protocol in the toserver direction. If not, we assume the
593  * start of the request/toserver is incomplete and no reliable
594  * detection and parsing is possible. So we give up.
595  */
596  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
597  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
598  {
599  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
600  SCLogDebug("midstream end pd %p", ssn);
601  /* midstream and toserver detection failed: give up */
602  DisableAppLayer(tv, f, p);
603  SCReturnInt(0);
604  }
605  }
606 
607  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
608  uint8_t first_data_dir;
609  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
610 
611  /* this would handle this test case -
612  * http parser which says it wants to see toserver data first only.
613  * tcp handshake
614  * toclient data first received. - RUBBISH DATA which
615  * we don't detect as http
616  * toserver data next sent - we detect this as http.
617  * at this stage we see that toclient is the first data seen
618  * for this session and we try and redetect the app protocol,
619  * but we are unable to detect the app protocol like before.
620  * But since we have managed to detect the protocol for the
621  * other direction as http, we try to use that. At this
622  * stage we check if the direction of this stream matches
623  * to that acceptable by the app parser. If it is not the
624  * acceptable direction we error out.
625  */
626  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
627  (first_data_dir) && !(first_data_dir & flags))
628  {
629  goto detect_error;
630  }
631 
632  /* if protocol detection is marked done for our direction we
633  * pass our data on. We're only succeeded in finding one
634  * direction: the opposing stream
635  *
636  * If PD was not yet complete, we don't do anything.
637  */
638  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
639  if (data_len > 0)
640  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
641 
642  if (*alproto_otherdir != ALPROTO_FAILED) {
643  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
644  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
645  f->alproto, flags,
646  data, data_len);
647  PACKET_PROFILING_APP_END(app_tctx);
648  p->app_update_direction = (uint8_t)app_update_dir;
649  if (r != 1) {
650  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
651  }
652 
653  SCAppLayerDecoderEventsSetEventRaw(
654  &p->app_layer_events, APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
655  TcpSessionSetReassemblyDepth(ssn,
656  AppLayerParserGetStreamDepth(f));
657  AppLayerIncFlowCounter(tv, f);
658 
659  *alproto = *alproto_otherdir;
660  SCLogDebug("packet %" PRIu64 ": pd done(us %u them %u), parser called (r==%d), "
661  "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
662  PcapPacketCntGet(p), *alproto, *alproto_otherdir, r);
663  if (r < 0) {
664  goto parser_error;
665  }
666  }
667  *alproto = ALPROTO_FAILED;
668  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
669  FlagPacketFlow(p, f, flags);
670 
671  } else if (flags & STREAM_EOF) {
672  *alproto = f->alproto;
673  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
674  AppLayerIncFlowCounter(tv, f);
675  }
676  } else {
677  /* both sides unknown, let's see if we need to give up */
678  if (FlowChangeProto(f)) {
679  /* TCPProtoDetectCheckBailConditions does not work well because
680  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
681  * so, we set a lower limit to the data we inspect
682  * We could instead have set ssn->server.sb.stream_offset = 0;
683  */
684  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
685  DisableAppLayer(tv, f, p);
686  }
687  } else {
688  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
689  }
690  }
691  }
692  SCReturnInt(0);
693 parser_error:
694  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
695  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
696  SCReturnInt(-1);
697 detect_error:
698  DisableAppLayer(tv, f, p);
699  SCReturnInt(-2);
700 }
701 
702 /** \brief handle TCP data for the app-layer.
703  *
704  * First run protocol detection and then when the protocol is known invoke
705  * the app layer parser.
706  *
707  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
708  * reversed.
709  */
710 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f,
711  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
712  enum StreamUpdateDir app_update_dir)
713 {
714  SCEnter();
715 
716  DEBUG_ASSERT_FLOW_LOCKED(f);
717  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
718 
719  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
720  AppProto alproto;
721  int r = 0;
722 
723  SCLogDebug("data_len %u flags %02X", data_len, flags);
724  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
725  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
726  goto end;
727  }
728 
729  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
730 
731  if (flags & STREAM_TOSERVER) {
732  alproto = f->alproto_ts;
733  } else {
734  alproto = f->alproto_tc;
735  }
736 
737  /* If a gap notification, relay the notification on to the
738  * app-layer if known. */
739  if (flags & STREAM_GAP) {
740  SCLogDebug("GAP of size %u", data_len);
741  if (alproto == ALPROTO_UNKNOWN) {
742  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
743  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
744  /* if the other side didn't already find the proto, we're done */
745  if (f->alproto == ALPROTO_UNKNOWN) {
746  goto failure;
747  }
748  AppLayerIncFlowCounter(tv, f);
749  }
750  if (FlowChangeProto(f)) {
751  FlowUnsetChangeProtoFlag(f);
752  SCLogDebug("Cannot handle gap while changing protocol");
753  goto failure;
754  }
755  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
756  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
757  flags, data, data_len);
758  PACKET_PROFILING_APP_END(app_tctx);
759  p->app_update_direction = (uint8_t)app_update_dir;
760  /* ignore parser result for gap */
761  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
762  if (r < 0) {
763  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
764  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
765  SCReturnInt(-1);
766  }
767  goto end;
768  }
769 
770  /* if we don't know the proto yet and we have received a stream
771  * initializer message, we run proto detection.
772  * We receive 2 stream init msgs (one for each direction), we
773  * only run the proto detection for both and emit an event
774  * in the case protocols mismatch. */
775  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
776  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
777  /* run protocol detection */
778  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags,
779  app_update_dir) != 0) {
780  goto failure;
781  }
782  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
783  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
784  void *alstate_orig = f->alstate;
785  AppLayerParserState *alparser = f->alparser;
786  // we delay AppLayerParserStateCleanup because we may need previous parser state
787  AppLayerProtoDetectReset(f);
788  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
789  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
790  /* rerun protocol detection */
791  int rd = TCPProtoDetect(
792  tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, app_update_dir);
793  if (f->alproto == ALPROTO_UNKNOWN) {
794  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
795  // not enough data, revert AppLayerProtoDetectReset to rerun detection
796  f->alparser = alparser;
797  f->alproto = f->alproto_orig;
798  f->alproto_tc = f->alproto_orig;
799  f->alproto_ts = f->alproto_orig;
800  } else {
801  FlowUnsetChangeProtoFlag(f);
802  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
803  if (alstate_orig == f->alstate) {
804  // we just freed it
805  f->alstate = NULL;
806  }
807  }
808  if (rd != 0) {
809  SCLogDebug("proto detect failure");
810  goto failure;
811  }
812  SCLogDebug("protocol change, old %s, new %s",
813  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
814 
815  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
816  f->alproto != f->alproto_expect) {
817  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
818 
819  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
820  SCAppLayerDecoderEventsSetEventRaw(
821  &p->app_layer_events, APPLAYER_NO_TLS_AFTER_STARTTLS);
822  }
823  }
824  } else {
825  SCLogDebug("stream data (len %" PRIu32 " alproto "
826  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
827 #ifdef PRINT
828  if (data_len > 0) {
829  printf("=> Stream Data (app layer) -- start %s%s\n",
830  flags & STREAM_TOCLIENT ? "toclient" : "",
831  flags & STREAM_TOSERVER ? "toserver" : "");
832  PrintRawDataFp(stdout, data, data_len);
833  printf("=> Stream Data -- end\n");
834  }
835 #endif
836  /* if we don't have a data object here we are not getting it
837  * a start msg should have gotten us one */
838  if (f->alproto != ALPROTO_UNKNOWN) {
839  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
840  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
841  flags, data, data_len);
842  PACKET_PROFILING_APP_END(app_tctx);
843  p->app_update_direction = (uint8_t)app_update_dir;
844  if (r != 1) {
845  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
846  if (r < 0) {
847  ExceptionPolicyApply(
848  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
849  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
850  SCReturnInt(-1);
851  }
852  }
853  }
854  }
855 
856  goto end;
857  failure:
858  r = -1;
859  end:
860  SCReturnInt(r);
861 }
862 
863 /**
864  * \brief Handle a app layer UDP message
865  *
866  * If the protocol is yet unknown, the proto detection code is run first.
867  *
868  * \param dp_ctx Thread app layer detect context
869  * \param f *locked* flow
870  * \param p UDP packet
871  *
872  * \retval 0 ok
873  * \retval -1 error
874  */
875 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
876 {
877  SCEnter();
878  AppProto *alproto;
879  AppProto *alproto_otherdir;
880 
881  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
882  SCReturnInt(0);
883  }
884 
885  int r = 0;
886  uint8_t flags = 0;
887  if (p->flowflags & FLOW_PKT_TOSERVER) {
888  flags |= STREAM_TOSERVER;
889  alproto = &f->alproto_ts;
890  alproto_otherdir = &f->alproto_tc;
891  } else {
892  flags |= STREAM_TOCLIENT;
893  alproto = &f->alproto_tc;
894  alproto_otherdir = &f->alproto_ts;
895  }
896 
897  AppLayerProfilingReset(tctx);
898 
899  /* if the protocol is still unknown, run detection */
900  if (*alproto == ALPROTO_UNKNOWN) {
901  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
902  p->payload_len);
903 
904  bool reverse_flow = false;
905  PACKET_PROFILING_APP_PD_START(tctx);
906  *alproto = AppLayerProtoDetectGetProto(
907  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
908  PACKET_PROFILING_APP_PD_END(tctx);
909 
910  switch (*alproto) {
911  case ALPROTO_UNKNOWN:
912  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
913  // Use recognized side
914  f->alproto = *alproto_otherdir;
915  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
916  *alproto = *alproto_otherdir;
917  if (*alproto_otherdir == ALPROTO_FAILED) {
918  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
919  }
920  } else {
921  // First side of protocol is unknown
922  *alproto = ALPROTO_FAILED;
923  }
924  break;
925  case ALPROTO_FAILED:
926  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
927  // Use recognized side
928  f->alproto = *alproto_otherdir;
929  if (*alproto_otherdir == ALPROTO_FAILED) {
930  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
931  }
932  }
933  // else wait for second side of protocol
934  break;
935  default:
936  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
937  if (*alproto_otherdir != *alproto) {
938  SCAppLayerDecoderEventsSetEventRaw(
939  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
940  // data already sent to parser, we cannot change the protocol to use the one
941  // of the server
942  }
943  } else {
944  f->alproto = *alproto;
945  }
946  }
947  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
948  if (f->alproto == ALPROTO_UNKNOWN) {
949  // so as to increase stat about .app_layer.flow.failed_udp
950  f->alproto = ALPROTO_FAILED;
951  }
952  // If the other side is unknown, this is the first packet of the flow
953  AppLayerIncFlowCounter(tv, f);
954  }
955 
956  // parse the data if we recognized one protocol
957  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
958  if (reverse_flow) {
959  SCLogDebug("reversing flow after proto detect told us so");
960  PacketSwap(p);
961  FlowSwap(f);
962  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
963  }
964 
965  PACKET_PROFILING_APP_START(tctx, f->alproto);
966  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
967  flags, p->payload, p->payload_len);
968  PACKET_PROFILING_APP_END(tctx);
969  if (f->flags & FLOW_NOPAYLOAD_INSPECTION &&
970  SCAppLayerParserStateIssetFlag(f->alparser, APP_LAYER_PARSER_BYPASS_READY)) {
971  PacketBypassCallback(p);
972  }
973  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
974  }
975  PACKET_PROFILING_APP_STORE(tctx, p);
976  /* we do only inspection in one direction, so flag both
977  * sides as done here */
978  FlagPacketFlow(p, f, STREAM_TOSERVER);
979  FlagPacketFlow(p, f, STREAM_TOCLIENT);
980  } else {
981  SCLogDebug("data (len %" PRIu32 " ), alproto "
982  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
983 
984  /* run the parser */
985  PACKET_PROFILING_APP_START(tctx, f->alproto);
986  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
987  flags, p->payload, p->payload_len);
988  if (f->flags & FLOW_NOPAYLOAD_INSPECTION &&
989  SCAppLayerParserStateIssetFlag(f->alparser, APP_LAYER_PARSER_BYPASS_READY)) {
990  PacketBypassCallback(p);
991  }
992  PACKET_PROFILING_APP_END(tctx);
993  PACKET_PROFILING_APP_STORE(tctx, p);
994  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
995  }
996  if (r < 0) {
997  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
998  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
999  SCReturnInt(-1);
1000  }
1001 
1002  SCReturnInt(r);
1003 }
1004 
1005 /***** Utility *****/
1006 
1007 AppProto AppLayerGetProtoByName(const char *alproto_name)
1008 {
1009  SCEnter();
1010  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
1011  SCReturnCT(r, "AppProto");
1012 }
1013 
1014 const char *AppLayerGetProtoName(AppProto alproto)
1015 {
1016  SCEnter();
1017  const char * r = AppLayerProtoDetectGetProtoName(alproto);
1018  SCReturnCT(r, "char *");
1019 }
1020 
1021 void AppLayerListSupportedProtocols(void)
1022 {
1023  SCEnter();
1024 
1025  AppProto alproto;
1026  AppProto alprotos[g_alproto_max];
1027 
1028  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1029 
1030  printf("=========Supported App Layer Protocols=========\n");
1031  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1032  if (alprotos[alproto] == 1)
1033  printf("%s\n", AppLayerGetProtoName(alproto));
1034  }
1035 
1036  SCReturn;
1037 }
1038 
1039 /***** Setup/General Registration *****/
1040 static void AppLayerNamesSetup(void)
1041 {
1042  AppProtoRegisterProtoString(ALPROTO_UNKNOWN, "unknown");
1043  AppProtoRegisterProtoString(ALPROTO_FAILED, "failed");
1044  AppProtoRegisterProtoString(ALPROTO_HTTP1, "http1");
1045  AppProtoRegisterProtoString(ALPROTO_FTP, "ftp");
1046  AppProtoRegisterProtoString(ALPROTO_SMTP, "smtp");
1047  AppProtoRegisterProtoString(ALPROTO_TLS, "tls");
1048  AppProtoRegisterProtoString(ALPROTO_SSH, "ssh");
1049  AppProtoRegisterProtoString(ALPROTO_IMAP, "imap");
1050  AppProtoRegisterProtoString(ALPROTO_JABBER, "jabber");
1051  AppProtoRegisterProtoString(ALPROTO_SMB, "smb");
1052  AppProtoRegisterProtoString(ALPROTO_DCERPC, "dcerpc");
1053  AppProtoRegisterProtoString(ALPROTO_IRC, "irc");
1054  AppProtoRegisterProtoString(ALPROTO_DNS, "dns");
1055  AppProtoRegisterProtoString(ALPROTO_MODBUS, "modbus");
1056  AppProtoRegisterProtoString(ALPROTO_ENIP, "enip");
1057  AppProtoRegisterProtoString(ALPROTO_DNP3, "dnp3");
1058  AppProtoRegisterProtoString(ALPROTO_NFS, "nfs");
1059  AppProtoRegisterProtoString(ALPROTO_NTP, "ntp");
1060  AppProtoRegisterProtoString(ALPROTO_FTPDATA, "ftp-data");
1061  AppProtoRegisterProtoString(ALPROTO_TFTP, "tftp");
1062  AppProtoRegisterProtoString(ALPROTO_IKE, "ike");
1063  AppProtoRegisterProtoString(ALPROTO_KRB5, "krb5");
1064  AppProtoRegisterProtoString(ALPROTO_QUIC, "quic");
1065  AppProtoRegisterProtoString(ALPROTO_DHCP, "dhcp");
1066  AppProtoRegisterProtoString(ALPROTO_SIP, "sip");
1067  AppProtoRegisterProtoString(ALPROTO_RFB, "rfb");
1068  AppProtoRegisterProtoString(ALPROTO_MQTT, "mqtt");
1069  AppProtoRegisterProtoString(ALPROTO_PGSQL, "pgsql");
1070  AppProtoRegisterProtoString(ALPROTO_TELNET, "telnet");
1071  AppProtoRegisterProtoString(ALPROTO_WEBSOCKET, "websocket");
1072  AppProtoRegisterProtoString(ALPROTO_LDAP, "ldap");
1073  AppProtoRegisterProtoString(ALPROTO_DOH2, "doh2");
1074  AppProtoRegisterProtoString(ALPROTO_MDNS, "mdns");
1075  AppProtoRegisterProtoString(ALPROTO_TEMPLATE, "template");
1076  AppProtoRegisterProtoString(ALPROTO_RDP, "rdp");
1077  AppProtoRegisterProtoString(ALPROTO_HTTP2, "http2");
1078  AppProtoRegisterProtoString(ALPROTO_BITTORRENT_DHT, "bittorrent-dht");
1079  AppProtoRegisterProtoString(ALPROTO_POP3, "pop3");
1080  AppProtoRegisterProtoString(ALPROTO_HTTP, "http");
1081 }
1082 
1083 int AppLayerSetup(void)
1084 {
1085  SCEnter();
1086 
1087  AppLayerNamesSetup();
1088  AppLayerProtoDetectSetup();
1089  AppLayerParserSetup();
1090 
1091  AppLayerParserRegisterProtocolParsers();
1092  AppLayerProtoDetectPrepareState();
1093 
1094  AppLayerSetupCounters();
1095  FrameConfigInit();
1096 
1097  SCReturnInt(0);
1098 }
1099 
1100 int AppLayerDeSetup(void)
1101 {
1102  SCEnter();
1103 
1104  AppLayerProtoDetectDeSetup();
1105  AppLayerParserDeSetup();
1106 
1107  AppLayerDeSetupCounters();
1108  FrameConfigDeInit();
1109 
1110  SCReturnInt(0);
1111 }
1112 
1113 AppLayerThreadCtx *AppLayerGetCtxThread(void)
1114 {
1115  SCEnter();
1116 
1117  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
1118  if (app_tctx == NULL)
1119  goto error;
1120 
1121  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1122  goto error;
1123  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1124  goto error;
1125 
1126  goto done;
1127  error:
1128  AppLayerDestroyCtxThread(app_tctx);
1129  app_tctx = NULL;
1130  done:
1131  SCReturnPtr(app_tctx, "void *");
1132 }
1133 
1134 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1135 {
1136  SCEnter();
1137 
1138  if (app_tctx == NULL)
1139  SCReturn;
1140 
1141  if (app_tctx->alpd_tctx != NULL)
1142  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1143  if (app_tctx->alp_tctx != NULL)
1144  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1145  SCFree(app_tctx);
1146 
1147  SCReturn;
1148 }
1149 
1150 #ifdef PROFILING
1151 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1152 {
1153  PACKET_PROFILING_APP_RESET(app_tctx);
1154 }
1155 
1156 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1157 {
1158  PACKET_PROFILING_APP_STORE(app_tctx, p);
1159 }
1160 #endif
1161 
1162 /** \brief HACK to work around our broken unix manager (re)init loop
1163  */
1164 void AppLayerRegisterGlobalCounters(void)
1165 {
1166  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1167  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1168  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1169  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1170  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1171  StatsRegisterGlobalCounter("http.byterange.memuse", HTPByteRangeMemuseGlobalCounter);
1172  StatsRegisterGlobalCounter("http.byterange.memcap", HTPByteRangeMemcapGlobalCounter);
1173  StatsRegisterGlobalCounter("ippair.memuse", IPPairGetMemuse);
1174  StatsRegisterGlobalCounter("ippair.memcap", IPPairGetMemcap);
1175  StatsRegisterGlobalCounter("host.memuse", HostGetMemuse);
1176  StatsRegisterGlobalCounter("host.memcap", HostGetMemcap);
1177 }
1178 
1179 static bool IsAppLayerErrorExceptionPolicyStatsValid(enum ExceptionPolicy policy)
1180 {
1181  if (EngineModeIsIPS()) {
1182  return app_layer_error_eps_stats.valid_settings_ips[policy];
1183  }
1184  return app_layer_error_eps_stats.valid_settings_ids[policy];
1185 }
1186 
1187 static void AppLayerSetupExceptionPolicyPerProtoCounters(
1188  uint8_t ipproto_map, AppProto alproto, const char *alproto_str, const char *ipproto_suffix)
1189 {
1190  if (g_stats_eps_per_app_proto_errors &&
1191  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1192  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1193  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1194  snprintf(applayer_counter_names[alproto][ipproto_map].eps_name[i],
1195  sizeof(applayer_counter_names[alproto][ipproto_map].eps_name[i]),
1196  "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix,
1197  ExceptionPolicyEnumToString(i, true));
1198  }
1199  }
1200  }
1201 }
1202 
1203 void AppLayerSetupCounters(void)
1204 {
1205  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1206  AppProto alprotos[g_alproto_max];
1207  const char *str = "app_layer.flow.";
1208  const char *estr = "app_layer.error.";
1209 
1210  applayer_counter_names =
1211  SCCalloc(g_alproto_max, sizeof(AppLayerCounterNames[FLOW_PROTO_APPLAYER_MAX]));
1212  if (unlikely(applayer_counter_names == NULL)) {
1213  FatalError("Unable to alloc applayer_counter_names.");
1214  }
1215  applayer_counters = SCCalloc(g_alproto_max, sizeof(AppLayerCounters[FLOW_PROTO_APPLAYER_MAX]));
1216  if (unlikely(applayer_counters == NULL)) {
1217  FatalError("Unable to alloc applayer_counters.");
1218  }
1219  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1220  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1221  /* Register global counters for app layer error exception policy summary */
1222  const char *eps_default_str = "exception_policy.app_layer.error.";
1223  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1224  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1225  snprintf(app_layer_error_eps_stats.eps_name[i],
1226  sizeof(app_layer_error_eps_stats.eps_name[i]), "%s%s", eps_default_str,
1227  ExceptionPolicyEnumToString(i, true));
1228  }
1229  }
1230  }
1231 
1232  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1233 
1234  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1235  const uint8_t ipproto = ipprotos[p];
1236  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1237  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1238  uint8_t ipprotos_all[256 / 8];
1239 
1240  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1241  if (alprotos[alproto] == 1) {
1242  const char *tx_str = "app_layer.tx.";
1243  const char *alproto_str = AppLayerGetProtoName(alproto);
1244 
1245  memset(ipprotos_all, 0, sizeof(ipprotos_all));
1246  AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
1247  if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
1248  (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
1249  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1250  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s",
1251  str, alproto_str, ipproto_suffix);
1252  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1253  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s%s",
1254  tx_str, alproto_str, ipproto_suffix);
1255 
1256  if (ipproto == IPPROTO_TCP) {
1257  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1258  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1259  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1260  }
1261  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1262  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1263  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1264  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1265  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1266  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1267  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1268  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1269  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1270 
1271  AppLayerSetupExceptionPolicyPerProtoCounters(
1272  ipproto_map, alproto, alproto_str, ipproto_suffix);
1273  } else {
1274  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1275  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s", str,
1276  alproto_str);
1277  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1278  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s",
1279  tx_str, alproto_str);
1280 
1281  if (ipproto == IPPROTO_TCP) {
1282  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1283  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1284  "%s%s.gap", estr, alproto_str);
1285  }
1286  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1287  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1288  "%s%s.alloc", estr, alproto_str);
1289  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1290  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1291  "%s%s.parser", estr, alproto_str);
1292  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1293  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1294  "%s%s.internal", estr, alproto_str);
1295  AppLayerSetupExceptionPolicyPerProtoCounters(
1296  ipproto_map, alproto, alproto_str, "");
1297  }
1298  } else if (alproto == ALPROTO_FAILED) {
1299  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1300  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", str,
1301  "failed", ipproto_suffix);
1302  if (ipproto == IPPROTO_TCP) {
1303  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1304  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1305  "%sfailed%s.gap", estr, ipproto_suffix);
1306  }
1307  }
1308  }
1309  }
1310 }
1311 
1312 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1313 {
1314  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1315  AppProto alprotos[g_alproto_max];
1316  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1317 
1318  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1319  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1320  /* Register global counters for app layer error exception policy summary */
1321  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1322  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1323  eps_error_summary.eps_id[i] =
1324  StatsRegisterCounter(app_layer_error_eps_stats.eps_name[i], &tv->stats);
1325  }
1326  }
1327  }
1328 
1329  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1330  const uint8_t ipproto = ipprotos[p];
1331  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1332 
1333  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1334  if (alprotos[alproto] == 1) {
1335  applayer_counters[alproto][ipproto_map].counter_id = StatsRegisterCounter(
1336  applayer_counter_names[alproto][ipproto_map].name, &tv->stats);
1337 
1338  if (AppLayerParserProtoIsRegistered(ipproto, alproto) != 1)
1339  continue;
1340 
1341  applayer_counters[alproto][ipproto_map].counter_tx_id = StatsRegisterCounter(
1342  applayer_counter_names[alproto][ipproto_map].tx_name, &tv->stats);
1343 
1344  if (ipproto == IPPROTO_TCP) {
1345  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1346  applayer_counter_names[alproto][ipproto_map].gap_error, &tv->stats);
1347  }
1348  applayer_counters[alproto][ipproto_map].alloc_error_id = StatsRegisterCounter(
1349  applayer_counter_names[alproto][ipproto_map].alloc_error, &tv->stats);
1350  applayer_counters[alproto][ipproto_map].parser_error_id = StatsRegisterCounter(
1351  applayer_counter_names[alproto][ipproto_map].parser_error, &tv->stats);
1352  applayer_counters[alproto][ipproto_map].internal_error_id = StatsRegisterCounter(
1353  applayer_counter_names[alproto][ipproto_map].internal_error, &tv->stats);
1354  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1355  if (g_stats_eps_per_app_proto_errors &&
1356  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1357  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1;
1358  i < EXCEPTION_POLICY_MAX; i++) {
1359  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1360  applayer_counters[alproto][ipproto_map]
1361  .eps_error.eps_id[i] = StatsRegisterCounter(
1362  applayer_counter_names[alproto][ipproto_map].eps_name[i],
1363  &tv->stats);
1364  }
1365  }
1366  }
1367  } else if (alproto == ALPROTO_FAILED) {
1368  applayer_counters[alproto][ipproto_map].counter_id = StatsRegisterCounter(
1369  applayer_counter_names[alproto][ipproto_map].name, &tv->stats);
1370 
1371  if (ipproto == IPPROTO_TCP) {
1372  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1373  applayer_counter_names[alproto][ipproto_map].gap_error, &tv->stats);
1374  }
1375  }
1376  }
1377  }
1378 }
1379 
1380 void AppLayerDeSetupCounters(void)
1381 {
1382  SCFree(applayer_counter_names);
1383  SCFree(applayer_counters);
1384 }
1385 
1386 /***** Unittests *****/
1387 
1388 #ifdef UNITTESTS
1389 #include "pkt-var.h"
1390 #include "stream-tcp-util.h"
1391 #include "stream.h"
1392 #include "util-unittest.h"
1393 
1394 #define TEST_START \
1395  Packet *p = PacketGetFromAlloc(); \
1396  FAIL_IF_NULL(p); \
1397  Flow f; \
1398  ThreadVars tv; \
1399  StreamTcpThread *stt = NULL; \
1400  TCPHdr tcph; \
1401  PacketQueueNoLock pq; \
1402  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1403  memset(&f, 0, sizeof(Flow)); \
1404  memset(&tv, 0, sizeof(ThreadVars)); \
1405  StatsThreadInit(&tv.stats); \
1406  memset(&tcph, 0, sizeof(TCPHdr)); \
1407  \
1408  FLOW_INITIALIZE(&f); \
1409  f.flags = FLOW_IPV4; \
1410  f.proto = IPPROTO_TCP; \
1411  p->flow = &f; \
1412  PacketSetTCP(p, (uint8_t *)&tcph); \
1413  \
1414  StreamTcpInitConfig(true); \
1415  IPPairInitConfig(true); \
1416  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1417  \
1418  /* handshake */ \
1419  tcph.th_win = htons(5480); \
1420  tcph.th_flags = TH_SYN; \
1421  p->flowflags = FLOW_PKT_TOSERVER; \
1422  p->payload_len = 0; \
1423  p->payload = NULL; \
1424  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1425  TcpSession *ssn = (TcpSession *)f.protoctx; \
1426  \
1427  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1428  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1429  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1430  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1431  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1432  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1433  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1434  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1435  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1436  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1437  FAIL_IF(ssn->data_first_seen_dir != 0); \
1438  \
1439  /* handshake */ \
1440  tcph.th_ack = htonl(1); \
1441  tcph.th_flags = TH_SYN | TH_ACK; \
1442  p->flowflags = FLOW_PKT_TOCLIENT; \
1443  p->payload_len = 0; \
1444  p->payload = NULL; \
1445  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1446  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1447  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1448  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1449  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1450  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1451  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1452  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1453  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1454  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1455  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1456  FAIL_IF(ssn->data_first_seen_dir != 0); \
1457  \
1458  /* handshake */ \
1459  tcph.th_ack = htonl(1); \
1460  tcph.th_seq = htonl(1); \
1461  tcph.th_flags = TH_ACK; \
1462  p->flowflags = FLOW_PKT_TOSERVER; \
1463  p->payload_len = 0; \
1464  p->payload = NULL; \
1465  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1466  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1467  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1468  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1469  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1470  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1471  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1472  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1473  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1474  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1475  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1476  FAIL_IF(ssn->data_first_seen_dir != 0);
1477 #define TEST_END \
1478  StreamTcpSessionClear(p->flow->protoctx); \
1479  StreamTcpThreadDeinit(&tv, (void *)stt); \
1480  StreamTcpFreeConfig(true); \
1481  PacketFree(p); \
1482  FLOW_DESTROY(&f); \
1483  IPPairShutdown(); \
1484  StatsThreadCleanup(&tv.stats);
1485 
1486 /**
1487  * \test GET -> HTTP/1.1
1488  */
1489 static int AppLayerTest01(void)
1490 {
1491  TEST_START;
1492 
1493  /* full request */
1494  uint8_t request[] = {
1495  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1496  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1497  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1498  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1499  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1500  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1501  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1502  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1503  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1504  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1505  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1506  tcph.th_ack = htonl(1);
1507  tcph.th_seq = htonl(1);
1508  tcph.th_flags = TH_PUSH | TH_ACK;
1509  p->flowflags = FLOW_PKT_TOSERVER;
1510  p->payload_len = sizeof(request);
1511  p->payload = request;
1512  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1513  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1514  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1515  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1516  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1517  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1518  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1519  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1520  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1521  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1522  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1523  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1524 
1525  /* full response - request ack */
1526  uint8_t response[] = {
1527  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1528  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1529  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1530  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1531  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1532  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1533  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1534  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1535  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1536  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1537  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1538  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1539  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1540  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1541  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1542  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1543  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1544  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1545  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1546  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1547  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1548  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1549  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1550  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1551  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1552  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1553  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1554  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1555  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1556  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1557  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1558  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1559  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1560  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1561  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1562  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1563  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1564  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1565  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1566  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1567  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1568  tcph.th_ack = htonl(88);
1569  tcph.th_seq = htonl(1);
1570  tcph.th_flags = TH_PUSH | TH_ACK;
1571  p->flowflags = FLOW_PKT_TOCLIENT;
1572  p->payload_len = sizeof(response);
1573  p->payload = response;
1574  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1575  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1576  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1577  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1578  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1579  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1580  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1581  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1582  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1583  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1584  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1585  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1586 
1587  /* response ack */
1588  tcph.th_ack = htonl(328);
1589  tcph.th_seq = htonl(88);
1590  tcph.th_flags = TH_ACK;
1591  p->flowflags = FLOW_PKT_TOSERVER;
1592  p->payload_len = 0;
1593  p->payload = NULL;
1594  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1595  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1596  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1597  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1598  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1599  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1600  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1601  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1602  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1603  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1604  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1605  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1606 
1607  TEST_END;
1608  PASS;
1609 }
1610 
1611 /**
1612  * \test GE -> T -> HTTP/1.1
1613  */
1614 static int AppLayerTest02(void)
1615 {
1616  TEST_START;
1617 
1618  /* partial request */
1619  uint8_t request1[] = { 0x47, 0x45, };
1620  tcph.th_ack = htonl(1);
1621  tcph.th_seq = htonl(1);
1622  tcph.th_flags = TH_PUSH | TH_ACK;
1623  p->flowflags = FLOW_PKT_TOSERVER;
1624  p->payload_len = sizeof(request1);
1625  p->payload = request1;
1626  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1627  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1628  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1629  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1630  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1631  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1632  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1633  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1634  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1635  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1636  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1637  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1638 
1639  /* response ack against partial request */
1640  tcph.th_ack = htonl(3);
1641  tcph.th_seq = htonl(1);
1642  tcph.th_flags = TH_ACK;
1643  p->flowflags = FLOW_PKT_TOCLIENT;
1644  p->payload_len = 0;
1645  p->payload = NULL;
1646  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1647  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1648  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1649  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1650  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1651  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1652  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1653  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1654  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1655  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1656  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1657  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1658 
1659  /* complete partial request */
1660  uint8_t request2[] = {
1661  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1662  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1663  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1664  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1665  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1666  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1667  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1668  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1669  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1670  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1671  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1672  tcph.th_ack = htonl(1);
1673  tcph.th_seq = htonl(3);
1674  tcph.th_flags = TH_PUSH | TH_ACK;
1675  p->flowflags = FLOW_PKT_TOSERVER;
1676  p->payload_len = sizeof(request2);
1677  p->payload = request2;
1678  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1679  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1680  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1681  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1682  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1683  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1684  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1685  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1686  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1687  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1688  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1689  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1690 
1691  /* response - request ack */
1692  uint8_t response[] = {
1693  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1694  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1695  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1696  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1697  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1698  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1699  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1700  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1701  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1702  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1703  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1704  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1705  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1706  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1707  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1708  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1709  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1710  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1711  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1712  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1713  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1714  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1715  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1716  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1717  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1718  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1719  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1720  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1721  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1722  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1723  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1724  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1725  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1726  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1727  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1728  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1729  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1730  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1731  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1732  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1733  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1734  tcph.th_ack = htonl(88);
1735  tcph.th_seq = htonl(1);
1736  tcph.th_flags = TH_PUSH | TH_ACK;
1737  p->flowflags = FLOW_PKT_TOCLIENT;
1738  p->payload_len = sizeof(response);
1739  p->payload = response;
1740  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1741  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1742  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1743  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1744  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1745  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1746  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1747  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1748  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1749  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1750  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1751  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1752 
1753  /* response ack */
1754  tcph.th_ack = htonl(328);
1755  tcph.th_seq = htonl(88);
1756  tcph.th_flags = TH_ACK;
1757  p->flowflags = FLOW_PKT_TOSERVER;
1758  p->payload_len = 0;
1759  p->payload = NULL;
1760  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1761  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1762  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1763  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1764  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1765  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1766  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1767  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1768  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1769  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1770  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1771  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1772 
1773  TEST_END;
1774  PASS;
1775 }
1776 
1777 /**
1778  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1779  */
1780 static int AppLayerTest03(void)
1781 {
1782  TEST_START;
1783 
1784  /* request */
1785  uint8_t request[] = {
1786  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1787  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1788  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1789  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1790  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1791  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1792  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1793  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1794  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1795  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1796  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1797  tcph.th_ack = htonl(1);
1798  tcph.th_seq = htonl(1);
1799  tcph.th_flags = TH_PUSH | TH_ACK;
1800  p->flowflags = FLOW_PKT_TOSERVER;
1801  p->payload_len = sizeof(request);
1802  p->payload = request;
1803  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1804  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1805  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1806  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1807  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1808  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1809  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1810  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1811  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1812  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1813  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1814  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1815 
1816  /* rubbish response */
1817  uint8_t response[] = {
1818  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1819  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1820  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1821  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1822  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1823  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1824  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1825  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1826  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1827  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1828  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1829  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1830  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1831  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1832  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1833  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1834  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1835  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1836  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1837  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1838  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1839  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1840  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1841  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1842  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1843  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1844  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1845  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1846  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1847  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1848  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1849  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1850  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1851  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1852  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1853  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1854  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1855  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1856  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1857  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1858  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1859  tcph.th_ack = htonl(88);
1860  tcph.th_seq = htonl(1);
1861  tcph.th_flags = TH_PUSH | TH_ACK;
1862  p->flowflags = FLOW_PKT_TOCLIENT;
1863  p->payload_len = sizeof(response);
1864  p->payload = response;
1865  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1866  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1867  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1868  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1869  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1870  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1871  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1872  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1873  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1874  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1875  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1876  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1877 
1878  /* response ack */
1879  tcph.th_ack = htonl(328);
1880  tcph.th_seq = htonl(88);
1881  tcph.th_flags = TH_ACK;
1882  p->flowflags = FLOW_PKT_TOSERVER;
1883  p->payload_len = 0;
1884  p->payload = NULL;
1885  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1886  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1887  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1888  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1889  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1890  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1891  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1892  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1893  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1894  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1895  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1896  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1897 
1898  TEST_END;
1899  PASS;
1900 }
1901 
1902 /**
1903  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1904  */
1905 static int AppLayerTest04(void)
1906 {
1907  TEST_START;
1908 
1909  /* request */
1910  uint8_t request[] = {
1911  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1912  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1913  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1914  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1915  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1916  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1917  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1918  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1919  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1920  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1921  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1922  PrintRawDataFp(stdout, request, sizeof(request));
1923  tcph.th_ack = htonl(1);
1924  tcph.th_seq = htonl(1);
1925  tcph.th_flags = TH_PUSH | TH_ACK;
1926  p->flowflags = FLOW_PKT_TOSERVER;
1927  p->payload_len = sizeof(request);
1928  p->payload = request;
1929  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1930  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1931  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1932  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1933  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1934  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1935  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1936  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1937  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1938  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1939  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1940  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1941 
1942  /* partial response */
1943  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1944  PrintRawDataFp(stdout, response1, sizeof(response1));
1945  tcph.th_ack = htonl(88);
1946  tcph.th_seq = htonl(1);
1947  tcph.th_flags = TH_PUSH | TH_ACK;
1948  p->flowflags = FLOW_PKT_TOCLIENT;
1949  p->payload_len = sizeof(response1);
1950  p->payload = response1;
1951  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1952  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1953  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1954  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1955  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1956  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1957  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1958  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1959  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1960  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1961  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1962  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1963 
1964  /* partial response ack */
1965  tcph.th_ack = htonl(5);
1966  tcph.th_seq = htonl(88);
1967  tcph.th_flags = TH_ACK;
1968  p->flowflags = FLOW_PKT_TOSERVER;
1969  p->payload_len = 0;
1970  p->payload = NULL;
1971  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1972  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1973  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1974  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1975  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1976  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1977  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1978  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1979  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1980  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1981  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1982  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1983 
1984  /* remaining response */
1985  uint8_t response2[] = {
1986  0x2f, 0x31, 0x2e, 0x31,
1987  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1988  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1989  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1990  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1991  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1992  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1993  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1994  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1995  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1996  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1997  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1998  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1999  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2000  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2001  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2002  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2003  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2004  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2005  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2006  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2007  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2008  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2009  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2010  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2011  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2012  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2013  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2014  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2015  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2016  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2017  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2018  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2019  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2020  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2021  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2022  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2023  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2024  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2025  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2026  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2027  PrintRawDataFp(stdout, response2, sizeof(response2));
2028  tcph.th_ack = htonl(88);
2029  tcph.th_seq = htonl(5);
2030  tcph.th_flags = TH_PUSH | TH_ACK;
2031  p->flowflags = FLOW_PKT_TOCLIENT;
2032  p->payload_len = sizeof(response2);
2033  p->payload = response2;
2034  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2035  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2036  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2037  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2038  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2039  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2040  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2041  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2042  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2043  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2044  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2045  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2046 
2047  /* response ack */
2048  tcph.th_ack = htonl(328);
2049  tcph.th_seq = htonl(88);
2050  tcph.th_flags = TH_ACK;
2051  p->flowflags = FLOW_PKT_TOSERVER;
2052  p->payload_len = 0;
2053  p->payload = NULL;
2054  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2055  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
2056  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2057  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2058  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2059  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
2060  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2061  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2062  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2063  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2064  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2065  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2066 
2067  TEST_END;
2068  PASS;
2069 }
2070 
2071 /**
2072  * \test RUBBISH -> HTTP/1.1
2073  */
2074 static int AppLayerTest05(void)
2075 {
2076  TEST_START;
2077 
2078  /* full request */
2079  uint8_t request[] = {
2080  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2081  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2082  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2083  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2084  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2085  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2086  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2087  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2088  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2089  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2090  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2091  PrintRawDataFp(stdout, request, sizeof(request));
2092  tcph.th_ack = htonl(1);
2093  tcph.th_seq = htonl(1);
2094  tcph.th_flags = TH_PUSH | TH_ACK;
2095  p->flowflags = FLOW_PKT_TOSERVER;
2096  p->payload_len = sizeof(request);
2097  p->payload = request;
2098  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2099  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2100  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2101  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2102  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2103  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2104  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2105  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2106  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2107  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2108  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2109  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2110 
2111  /* full response - request ack */
2112  uint8_t response[] = {
2113  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2114  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2115  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2116  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2117  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2118  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2119  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2120  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2121  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2122  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2123  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2124  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2125  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2126  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2127  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2128  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2129  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2130  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2131  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2132  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2133  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2134  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2135  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2136  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2137  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2138  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2139  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2140  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2141  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2142  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2143  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2144  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2145  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2146  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2147  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2148  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2149  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2150  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2151  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2152  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2153  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2154  PrintRawDataFp(stdout, response, sizeof(response));
2155  tcph.th_ack = htonl(88);
2156  tcph.th_seq = htonl(1);
2157  tcph.th_flags = TH_PUSH | TH_ACK;
2158  p->flowflags = FLOW_PKT_TOCLIENT;
2159  p->payload_len = sizeof(response);
2160  p->payload = response;
2161  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2162  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2163  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2164  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2165  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2166  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2167  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2168  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2169  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2170  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2171  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2172  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2173 
2174  /* response ack */
2175  tcph.th_ack = htonl(328);
2176  tcph.th_seq = htonl(88);
2177  tcph.th_flags = TH_ACK;
2178  p->flowflags = FLOW_PKT_TOSERVER;
2179  p->payload_len = 0;
2180  p->payload = NULL;
2181  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2182  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2183  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2184  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2185  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2186  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2187  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2188  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2189  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2190  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2191  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2192  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2193 
2194  TEST_END;
2195  PASS;
2196 }
2197 
2198 /**
2199  * \test HTTP/1.1 -> GET
2200  */
2201 static int AppLayerTest06(void)
2202 {
2203  TEST_START;
2204 
2205  /* full response - request ack */
2206  uint8_t response[] = {
2207  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2208  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2209  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2210  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2211  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2212  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2213  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2214  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2215  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2216  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2217  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2218  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2219  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2220  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2221  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2222  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2223  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2224  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2225  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2226  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2227  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2228  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2229  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2230  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2231  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2232  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2233  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2234  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2235  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2236  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2237  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2238  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2239  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2240  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2241  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2242  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2243  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2244  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2245  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2246  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2247  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2248  tcph.th_ack = htonl(1);
2249  tcph.th_seq = htonl(1);
2250  tcph.th_flags = TH_PUSH | TH_ACK;
2251  p->flowflags = FLOW_PKT_TOCLIENT;
2252  p->payload_len = sizeof(response);
2253  p->payload = response;
2254  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2255  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2256  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2257  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2258  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2259  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2260  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2261  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2262  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2263  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2264  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2265  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2266 
2267  /* full request - response ack*/
2268  uint8_t request[] = {
2269  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2270  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2271  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2272  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2273  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2274  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2275  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2276  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2277  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2278  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2279  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2280  tcph.th_ack = htonl(328);
2281  tcph.th_seq = htonl(1);
2282  tcph.th_flags = TH_PUSH | TH_ACK;
2283  p->flowflags = FLOW_PKT_TOSERVER;
2284  p->payload_len = sizeof(request);
2285  p->payload = request;
2286  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2287  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2288  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2289  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2290  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2291  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2292  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2293  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2294  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2295  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2296  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2297  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2298 
2299  tcph.th_ack = htonl(1 + sizeof(request));
2300  tcph.th_seq = htonl(328);
2301  tcph.th_flags = TH_PUSH | TH_ACK;
2302  p->flowflags = FLOW_PKT_TOCLIENT;
2303  p->payload_len = 0;
2304  p->payload = NULL;
2305  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2306  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2307  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2308  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2309  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2310  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2311  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2312  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2313  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2314  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2315  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2316  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2317 
2318  TEST_END;
2319  PASS;
2320 }
2321 
2322 /**
2323  * \test GET -> DCERPC
2324  */
2325 static int AppLayerTest07(void)
2326 {
2327  TEST_START;
2328 
2329  /* full request */
2330  uint8_t request[] = {
2331  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2332  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2333  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2334  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2335  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2336  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2337  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2338  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2339  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2340  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2341  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2342  tcph.th_ack = htonl(1);
2343  tcph.th_seq = htonl(1);
2344  tcph.th_flags = TH_PUSH | TH_ACK;
2345  p->flowflags = FLOW_PKT_TOSERVER;
2346  p->payload_len = sizeof(request);
2347  p->payload = request;
2348  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2349  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2350  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2351  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2352  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2353  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2354  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2355  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2356  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2357  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2358  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2359  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2360 
2361  /* full response - request ack */
2362  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2363  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2364  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2365  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2366  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2367  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2368  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2369  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2370  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2371  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2372  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2373  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2374  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2375  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2376  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2377  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2378  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2379  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2380  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2381  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2382  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2383  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2384  tcph.th_ack = htonl(88);
2385  tcph.th_seq = htonl(1);
2386  tcph.th_flags = TH_PUSH | TH_ACK;
2387  p->flowflags = FLOW_PKT_TOCLIENT;
2388  p->payload_len = sizeof(response);
2389  p->payload = response;
2390  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2391  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2392  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2393  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2394  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2395  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2396  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2397  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2398  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2399  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2400  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2401  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2402 
2403  /* response ack */
2404  tcph.th_ack = htonl(328);
2405  tcph.th_seq = htonl(88);
2406  tcph.th_flags = TH_ACK;
2407  p->flowflags = FLOW_PKT_TOSERVER;
2408  p->payload_len = 0;
2409  p->payload = NULL;
2410  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2411  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2412  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2413  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2414  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2415  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2416  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2417  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2418  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2419  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2420  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2421  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2422 
2423  TEST_END;
2424  PASS;
2425 }
2426 
2427 /**
2428  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2429  * RUBBISH(TC - PM and PP DONE) ->
2430  * RUBBISH(TS - PM and PP DONE)
2431  */
2432 static int AppLayerTest09(void)
2433 {
2434  TEST_START;
2435 
2436  /* full request */
2437  uint8_t request1[] = {
2438  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2439  tcph.th_ack = htonl(1);
2440  tcph.th_seq = htonl(1);
2441  tcph.th_flags = TH_PUSH | TH_ACK;
2442  p->flowflags = FLOW_PKT_TOSERVER;
2443  p->payload_len = sizeof(request1);
2444  p->payload = request1;
2445  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2446  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2447  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2448  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2449  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2450  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2451  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2452  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2453  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2454  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2455  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2456  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2457 
2458  /* response - request ack */
2459  tcph.th_ack = htonl(9);
2460  tcph.th_seq = htonl(1);
2461  tcph.th_flags = TH_PUSH | TH_ACK;
2462  p->flowflags = FLOW_PKT_TOCLIENT;
2463  p->payload_len = 0;
2464  p->payload = NULL;
2465  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2466  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2467  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2468  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2469  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2470  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2471  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2472  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2473  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2474  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2475  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2476  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2477 
2478  /* full request */
2479  uint8_t request2[] = {
2480  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2481  tcph.th_ack = htonl(1);
2482  tcph.th_seq = htonl(9);
2483  tcph.th_flags = TH_PUSH | TH_ACK;
2484  p->flowflags = FLOW_PKT_TOSERVER;
2485  p->payload_len = sizeof(request2);
2486  p->payload = request2;
2487  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2488  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2489  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2490  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2491  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2492  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2493  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2494  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2495  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2496  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2497  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2498  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2499 
2500  /* full response - request ack */
2501  uint8_t response[] = {
2502  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2503  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2504  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2505  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2506  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2507  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2508  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2509  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2510  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2511  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2512  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2513  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2514  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2515  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2516  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2517  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2518  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2519  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2520  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2521  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2522  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2523  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2524  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2525  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2526  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2527  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2528  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2529  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2530  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2531  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2532  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2533  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2534  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2535  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2536  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2537  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2538  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2539  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2540  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2541  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2542  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2543  tcph.th_ack = htonl(18);
2544  tcph.th_seq = htonl(1);
2545  tcph.th_flags = TH_PUSH | TH_ACK;
2546  p->flowflags = FLOW_PKT_TOCLIENT;
2547  p->payload_len = sizeof(response);
2548  p->payload = response;
2549  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2550  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2551  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2552  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2553  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2554  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2555  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2556  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2557  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2558  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2559  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2560  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2561 
2562  /* response ack */
2563  tcph.th_ack = htonl(328);
2564  tcph.th_seq = htonl(18);
2565  tcph.th_flags = TH_ACK;
2566  p->flowflags = FLOW_PKT_TOSERVER;
2567  p->payload_len = 0;
2568  p->payload = NULL;
2569  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2570  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2571  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2572  FAIL_IF(f.alproto != ALPROTO_FAILED);
2573  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2574  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2575  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2576  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2577  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2578  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2579  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2580  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2581 
2582  TEST_END;
2583  PASS;
2584 }
2585 
2586 /**
2587  * \test RUBBISH(TC - PM and PP DONE) ->
2588  * RUBBISH(TS - PM and PP DONE)
2589  */
2590 static int AppLayerTest10(void)
2591 {
2592  TEST_START;
2593 
2594  /* full request */
2595  uint8_t request1[] = {
2596  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2597  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2598  tcph.th_ack = htonl(1);
2599  tcph.th_seq = htonl(1);
2600  tcph.th_flags = TH_PUSH | TH_ACK;
2601  p->flowflags = FLOW_PKT_TOSERVER;
2602  p->payload_len = sizeof(request1);
2603  p->payload = request1;
2604  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2605  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2606  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2607  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2608  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2609  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2610  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2611  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2612  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2613  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2614  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2615  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2616 
2617  /* response - request ack */
2618  tcph.th_ack = htonl(18);
2619  tcph.th_seq = htonl(1);
2620  tcph.th_flags = TH_PUSH | TH_ACK;
2621  p->flowflags = FLOW_PKT_TOCLIENT;
2622  p->payload_len = 0;
2623  p->payload = NULL;
2624  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2625  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2626  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2627  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2628  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2629  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2630  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2631  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2632  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2633  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2634  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2635  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2636 
2637  /* full response - request ack */
2638  uint8_t response[] = {
2639  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2640  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2641  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2642  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2643  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2644  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2645  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2646  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2647  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2648  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2649  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2650  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2651  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2652  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2653  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2654  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2655  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2656  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2657  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2658  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2659  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2660  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2661  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2662  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2663  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2664  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2665  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2666  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2667  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2668  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2669  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2670  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2671  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2672  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2673  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2674  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2675  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2676  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2677  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2678  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2679  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2680  tcph.th_ack = htonl(18);
2681  tcph.th_seq = htonl(1);
2682  tcph.th_flags = TH_PUSH | TH_ACK;
2683  p->flowflags = FLOW_PKT_TOCLIENT;
2684  p->payload_len = sizeof(response);
2685  p->payload = response;
2686  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2687  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2688  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2689  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2690  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2691  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2692  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2693  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2694  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2695  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2696  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2697  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2698 
2699  /* response ack */
2700  tcph.th_ack = htonl(328);
2701  tcph.th_seq = htonl(18);
2702  tcph.th_flags = TH_ACK;
2703  p->flowflags = FLOW_PKT_TOSERVER;
2704  p->payload_len = 0;
2705  p->payload = NULL;
2706  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2707  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2708  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2709  FAIL_IF(f.alproto != ALPROTO_FAILED);
2710  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2711  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2712  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2713  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2714  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2715  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2716  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2717  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2718 
2719  TEST_END;
2720  PASS;
2721 }
2722 
2723 /**
2724  * \test RUBBISH(TC - PM and PP DONE) ->
2725  * RUBBISH(TS - PM and PP NOT DONE) ->
2726  * RUBBISH(TS - PM and PP DONE)
2727  */
2728 static int AppLayerTest11(void)
2729 {
2730  TEST_START;
2731 
2732  /* full request */
2733  uint8_t request1[] = {
2734  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2735  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2736  tcph.th_ack = htonl(1);
2737  tcph.th_seq = htonl(1);
2738  tcph.th_flags = TH_PUSH | TH_ACK;
2739  p->flowflags = FLOW_PKT_TOSERVER;
2740  p->payload_len = sizeof(request1);
2741  p->payload = request1;
2742  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2743  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2744  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2745  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2746  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2747  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2748  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2749  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2750  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2751  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2752  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2753  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2754 
2755  /* response - request ack */
2756  tcph.th_ack = htonl(18);
2757  tcph.th_seq = htonl(1);
2758  tcph.th_flags = TH_PUSH | TH_ACK;
2759  p->flowflags = FLOW_PKT_TOCLIENT;
2760  p->payload_len = 0;
2761  p->payload = NULL;
2762  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2763  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2764  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2765  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2766  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2767  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2768  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2769  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2770  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2771  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2772  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2773  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2774 
2775  /* full response - request ack */
2776  uint8_t response1[] = {
2777  0x55, 0x74, 0x54, 0x50, };
2778  tcph.th_ack = htonl(18);
2779  tcph.th_seq = htonl(1);
2780  tcph.th_flags = TH_PUSH | TH_ACK;
2781  p->flowflags = FLOW_PKT_TOCLIENT;
2782  p->payload_len = sizeof(response1);
2783  p->payload = response1;
2784  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2785  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2786  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2787  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2788  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2789  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2790  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2791  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2792  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2793  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2794  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2795  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2796 
2797  /* response ack from request */
2798  tcph.th_ack = htonl(5);
2799  tcph.th_seq = htonl(18);
2800  tcph.th_flags = TH_ACK;
2801  p->flowflags = FLOW_PKT_TOSERVER;
2802  p->payload_len = 0;
2803  p->payload = NULL;
2804  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2805  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2806  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2807  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2808  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2809  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2810  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2811  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2812  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2813  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2814  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2815  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2816 
2817  uint8_t response2[] = {
2818  0x2f, 0x31, 0x2e, 0x31,
2819  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2820  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2821  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2822  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2823  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2824  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2825  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2826  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2827  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2828  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2829  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2830  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2831  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2832  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2833  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2834  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2835  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2836  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2837  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2838  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2839  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2840  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2841  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2842  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2843  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2844  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2845  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2846  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2847  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2848  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2849  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2850  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2851  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2852  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2853  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2854  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2855  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2856  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2857  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2858  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2859  tcph.th_ack = htonl(18);
2860  tcph.th_seq = htonl(5);
2861  tcph.th_flags = TH_PUSH | TH_ACK;
2862  p->flowflags = FLOW_PKT_TOCLIENT;
2863  p->payload_len = sizeof(response2);
2864  p->payload = response2;
2865  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2866  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2867  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2868  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2869  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2870  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2871  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2872  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2873  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2874  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2875  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2876  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2877 
2878  /* response ack from request */
2879  tcph.th_ack = htonl(328);
2880  tcph.th_seq = htonl(18);
2881  tcph.th_flags = TH_ACK;
2882  p->flowflags = FLOW_PKT_TOSERVER;
2883  p->payload_len = 0;
2884  p->payload = NULL;
2885  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2886  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2887  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2888  FAIL_IF(f.alproto != ALPROTO_FAILED);
2889  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2890  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2891  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2892  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2893  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2894  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2895  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2896  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2897 
2898  TEST_END;
2899  PASS;
2900 }
2901 
2902 void AppLayerUnittestsRegister(void)
2903 {
2904  SCEnter();
2905 
2906  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2907  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2908  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2909  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2910  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2911  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2912  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2913  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2914  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2915  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2916 
2917  SCReturn;
2918 }
2919 
2920 #endif /* UNITTESTS */
AppLayerCounters_::counter_tx_id
StatsCounterId counter_tx_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:278
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:56
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:187
StatsRegisterGlobalCounter
StatsCounterGlobalId StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1094
Packet_::proto
uint8_t proto
Definition: decode.h:523
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:285
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:51
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:138
AppLayerCounters_
Definition: app-layer.c:89
ippair.h
SCAppLayerParserStateIssetFlag
uint16_t SCAppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1840
app-layer-htp-range.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1686
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
AppLayerCounterNames_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE]
Definition: app-layer.c:86
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
AppLayerCounters_::gap_error_id
StatsCounterId gap_error_id
Definition: app-layer.c:92
AppLayerCounters_::internal_error_id
StatsCounterId internal_error_id
Definition: app-layer.c:94
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:534
stream-tcp.h
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:49
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:7271
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(const char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:1007
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1104
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:52
StatsRegisterCounter
StatsCounterId StatsRegisterCounter(const char *name, StatsThreadContext *stats)
Registers a normal, unqualified counter.
Definition: counters.c:1039
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:83
name
const char * name
Definition: detect-engine-proto.c:48
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:48
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1156
Flow_::proto
uint8_t proto
Definition: flow.h:369
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
Packet_::payload
uint8_t * payload
Definition: decode.h:605
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:62
Packet_::flags
uint32_t flags
Definition: decode.h:544
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:72
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:186
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:42
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:63
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:347
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:165
Flow_::protomap
uint8_t protomap
Definition: flow.h:436
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:41
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:68
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:45
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:59
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1142
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:224
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:228
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir app_update_dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1393
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:66
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:305
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1312
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:447
AppLayerProtoDetectSupportedIpprotos
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
Definition: app-layer-detect-proto.c:2066
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:79
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:59
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1151
AppLayerCounterNames_
Definition: app-layer.c:79
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1640
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
handle TCP data for the app-layer.
Definition: app-layer.c:710
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:224
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:65
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6846
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
app_layer_error_eps_stats
ExceptionPolicyStatsSetts app_layer_error_eps_stats
Definition: app-layer.c:108
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:71
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2902
StatsCounterId
Definition: counters.h:30
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:49
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:80
AppLayerCounters_::counter_id
StatsCounterId counter_id
Definition: app-layer.c:90
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:1021
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1203
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:40
app-layer-ftp.h
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:58
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:69
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:227
MAX
#define MAX(x, y)
Definition: suricata-common.h:412
Flow_::protoctx
void * protoctx
Definition: flow.h:432
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:173
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:27
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:628
util-unittest.h
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:181
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1100
HostGetMemcap
uint64_t HostGetMemcap(void)
Return memcap value.
Definition: host.c:83
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1300
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:78
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:269
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:50
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:469
EXCEPTION_POLICY_MAX
#define EXCEPTION_POLICY_MAX
Definition: util-exception-policy-types.h:39
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1780
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:70
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1083
app-layer-expectation.h
app-layer-detect-proto.h
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:179
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:135
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
ExceptionPolicyCounters_
Definition: util-exception-policy-types.h:54
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:46
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:30
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:270
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1164
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:50
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:387
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:67
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, int64_t step)
Definition: app-layer.c:157
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:581
util-exception-policy.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
AppProtoRegisterProtoString
void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name)
Definition: app-layer-protos.c:81
HTPByteRangeMemuseGlobalCounter
uint64_t HTPByteRangeMemuseGlobalCounter(void)
Definition: app-layer-htp-range.c:62
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:59
util-print.h
IPPairGetMemcap
uint64_t IPPairGetMemcap(void)
Return memcap value.
Definition: ippair.c:81
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5676
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1894
StatsCounterIncr
void StatsCounterIncr(StatsThreadContext *stats, StatsCounterId id)
Increments the local counter.
Definition: counters.c:166
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1394
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:61
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
HostGetMemuse
uint64_t HostGetMemuse(void)
Return memuse value.
Definition: host.c:94
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:206
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:104
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:259
SCReturn
#define SCReturn
Definition: util-debug.h:286
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:277
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
Packet_
Definition: decode.h:501
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:41
stream-tcp-private.h
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:68
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:75
applayer_counters
AppLayerCounters(* applayer_counters)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:102
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:875
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp)
Definition: util-profiling.h:173
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:63
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:300
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:61
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:721
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1113
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:54
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:66
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:181
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:85
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:225
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:450
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:57
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1284
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:446
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:279
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1743
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:62
IPPairGetMemuse
uint64_t IPPairGetMemuse(void)
Return memuse value.
Definition: ippair.c:92
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:535
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:103
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:189
eps_error_summary
ExceptionPolicyCounters eps_error_summary
Definition: app-layer.c:104
FatalError
#define FatalError(...)
Definition: util-debug.h:517
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:48
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
applayer_counter_names
AppLayerCounterNames(* applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:100
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1301
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:40
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1572
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
app-layer-events.h
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:246
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2128
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1409
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1987
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2086
str
#define str(s)
Definition: suricata-common.h:308
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:434
ExceptionPolicyEnumToString
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
Definition: util-exception-policy.c:39
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:442
AppLayerCounters_::alloc_error_id
StatsCounterId alloc_error_id
Definition: app-layer.c:95
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:62
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:7277
Flow_::alstate
void * alstate
Definition: flow.h:470
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1134
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
HTPByteRangeMemcapGlobalCounter
uint64_t HTPByteRangeMemcapGlobalCounter(void)
Definition: app-layer-htp-range.c:56
Flow_::flags
uint32_t flags
Definition: flow.h:412
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
StatsCounterId::id
uint16_t id
Definition: counters.h:31
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:86
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:61
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1014
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:155
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerCounters_::eps_error
ExceptionPolicyCounters eps_error
Definition: app-layer.c:96
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:67
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:84
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:61
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:298
app-layer-protos.h
AppLayerProfilingReset
#define AppLayerProfilingReset(app_tctx)
Definition: app-layer.h:127
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:246
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:60
TEST_END
#define TEST_END
Definition: app-layer.c:1477
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2040
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:70
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:52
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
AppLayerCounters_::parser_error_id
StatsCounterId parser_error_id
Definition: app-layer.c:93
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:197
TcpSession_
Definition: stream-tcp-private.h:283
FrameConfigDeInit
void FrameConfigDeInit(void)
Definition: app-layer-frames.c:51
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:443
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:76
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1497
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:441
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:26
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:85
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:195
StatsCounterAddI64
void StatsCounterAddI64(StatsThreadContext *stats, StatsCounterId id, int64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:147
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:47
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1380
ExceptionPolicyCounters_::eps_id
StatsCounterId eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:56
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
ExceptionPolicyStatsSetts_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][EXCEPTION_POLICY_COUNTER_MAX_LEN]
Definition: util-exception-policy-types.h:60
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2111
app-layer.h
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:455