suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-htp-range.h"
35 #include "app-layer-detect-proto.h"
36 #include "app-layer-frames.h"
37 #include "app-layer-events.h"
38 #include "stream-tcp-reassemble.h"
39 #include "stream-tcp-private.h"
40 #include "stream-tcp-inline.h"
41 #include "stream-tcp.h"
42 #include "flow.h"
43 #include "flow-util.h"
44 #include "flow-private.h"
45 #include "ippair.h"
46 #include "util-debug.h"
47 #include "util-print.h"
48 #include "util-profiling.h"
49 #include "util-validate.h"
50 #include "decode-events.h"
51 #include "app-layer-htp-mem.h"
52 #include "util-exception-policy.h"
53 
54 extern bool g_stats_eps_per_app_proto_errors;
55 /**
56  * \brief This is for the app layer in general and it contains per thread
57  * context relevant to both the alpd and alp.
58  */
59 struct AppLayerThreadCtx_ {
60  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
61  AppLayerProtoDetectThreadCtx *alpd_tctx;
62  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
63  AppLayerParserThreadCtx *alp_tctx;
64 
65 #ifdef PROFILING
66  uint64_t ticks_start;
67  uint64_t ticks_end;
68  uint64_t ticks_spent;
69  AppProto alproto;
70  uint64_t proto_detect_ticks_start;
71  uint64_t proto_detect_ticks_end;
72  uint64_t proto_detect_ticks_spent;
73 #endif
74 };
75 
76 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
77 
78 #define MAX_COUNTER_SIZE 64
79 typedef struct AppLayerCounterNames_ {
80  char name[MAX_COUNTER_SIZE];
81  char tx_name[MAX_COUNTER_SIZE];
82  char gap_error[MAX_COUNTER_SIZE];
83  char parser_error[MAX_COUNTER_SIZE];
84  char internal_error[MAX_COUNTER_SIZE];
85  char alloc_error[MAX_COUNTER_SIZE];
86  char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE];
87 } AppLayerCounterNames;
88 
89 typedef struct AppLayerCounters_ {
90  uint16_t counter_id;
91  uint16_t counter_tx_id;
92  uint16_t gap_error_id;
93  uint16_t parser_error_id;
94  uint16_t internal_error_id;
95  uint16_t alloc_error_id;
96  ExceptionPolicyCounters eps_error;
97 } AppLayerCounters;
98 
99 /* counter names. Only used at init. */
100 AppLayerCounterNames (*applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX];
101 /* counter id's. Used that runtime. */
102 AppLayerCounters (*applayer_counters)[FLOW_PROTO_APPLAYER_MAX];
103 /* Exception policy global counters ids */
104 ExceptionPolicyCounters eps_error_summary;
105 
106 /* Settings order as in the enum */
107 // clang-format off
108 ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
109  .valid_settings_ids = {
110  /* EXCEPTION_POLICY_NOT_SET */ false,
111  /* EXCEPTION_POLICY_AUTO */ false,
112  /* EXCEPTION_POLICY_PASS_PACKET */ true,
113  /* EXCEPTION_POLICY_PASS_FLOW */ true,
114  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
115  /* EXCEPTION_POLICY_DROP_PACKET */ false,
116  /* EXCEPTION_POLICY_DROP_FLOW */ false,
117  /* EXCEPTION_POLICY_REJECT */ true,
118  },
119  .valid_settings_ips = {
120  /* EXCEPTION_POLICY_NOT_SET */ false,
121  /* EXCEPTION_POLICY_AUTO */ false,
122  /* EXCEPTION_POLICY_PASS_PACKET */ true,
123  /* EXCEPTION_POLICY_PASS_FLOW */ true,
124  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
125  /* EXCEPTION_POLICY_DROP_PACKET */ true,
126  /* EXCEPTION_POLICY_DROP_FLOW */ true,
127  /* EXCEPTION_POLICY_REJECT */ true,
128  },
129 };
130 // clang-format on
131 
132 void AppLayerSetupCounters(void);
133 void AppLayerDeSetupCounters(void);
134 
135 /***** L7 layer dispatchers *****/
136 
137 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
138  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
139  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
140  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
141 }
142 
143 /**
144  * \note id can be 0 if protocol parser is disabled but detection
145  * is enabled.
146  */
147 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
148 {
149  const uint16_t id = applayer_counters[f->alproto][f->protomap].counter_id;
150  if (likely(tv && id > 0)) {
151  StatsIncr(tv, id);
152  }
153 }
154 
155 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
156 {
157  const uint16_t id = applayer_counters[f->alproto][f->protomap].counter_tx_id;
158  if (likely(tv && id > 0)) {
159  StatsAddUI64(tv, id, step);
160  }
161 }
162 
163 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
164 {
165  const uint16_t id = applayer_counters[f->alproto][f->protomap].gap_error_id;
166  if (likely(tv && id > 0)) {
167  StatsIncr(tv, id);
168  }
169 }
170 
171 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
172 {
173  const uint16_t id = applayer_counters[f->alproto][f->protomap].alloc_error_id;
174  if (likely(tv && id > 0)) {
175  StatsIncr(tv, id);
176  }
177 }
178 
179 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
180 {
181  const uint16_t id = applayer_counters[f->alproto][f->protomap].parser_error_id;
182  if (likely(tv && id > 0)) {
183  StatsIncr(tv, id);
184  }
185 }
186 
187 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
188 {
189  const uint16_t id = applayer_counters[f->alproto][f->protomap].internal_error_id;
190  if (likely(tv && id > 0)) {
191  StatsIncr(tv, id);
192  }
193 }
194 
195 static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum ExceptionPolicy policy)
196 {
197 #ifdef UNITTESTS
198  if (tv == NULL) {
199  return;
200  }
201 #endif
202  uint16_t id = applayer_counters[f->alproto][f->protomap].eps_error.eps_id[policy];
203  /* for the summary values */
204  uint16_t g_id = eps_error_summary.eps_id[policy];
205 
206  if (likely(id > 0)) {
207  StatsIncr(tv, id);
208  }
209  if (likely(g_id > 0)) {
210  StatsIncr(tv, g_id);
211  }
212 }
213 
214 /* in IDS mode protocol detection is done in reverse order:
215  * when TCP data is ack'd. We want to flag the correct packet,
216  * so in this case we set a flag in the flow so that the first
217  * packet in the correct direction can be tagged.
218  *
219  * For IPS we update packet and flow. */
220 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
221 {
222  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
223  if (flags & STREAM_TOSERVER) {
224  if (p->flowflags & FLOW_PKT_TOSERVER) {
225  p->flags |= PKT_PROTO_DETECT_TS_DONE;
226  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
227  } else {
228  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
229  }
230  } else {
231  if (p->flowflags & FLOW_PKT_TOCLIENT) {
232  p->flags |= PKT_PROTO_DETECT_TC_DONE;
233  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
234  } else {
235  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
236  }
237  }
238  } else {
239  if (flags & STREAM_TOSERVER) {
240  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
241  } else {
242  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
243  }
244  }
245 }
246 
247 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
248 {
249  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
250  f, f->alproto, f->alproto_ts, f->alproto_tc);
251  FlowCleanupAppLayer(f);
252  StreamTcpDisableAppLayer(f);
253  TcpSession *ssn = f->protoctx;
254  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
255  f->alproto = ALPROTO_FAILED;
256  AppLayerIncFlowCounter(tv, f);
257 
258  if (f->alproto_tc != ALPROTO_FAILED) {
259  if (f->alproto_tc == ALPROTO_UNKNOWN) {
260  f->alproto_tc = ALPROTO_FAILED;
261  }
262  FlagPacketFlow(p, f, STREAM_TOCLIENT);
263  }
264  if (f->alproto_ts != ALPROTO_FAILED) {
265  if (f->alproto_ts == ALPROTO_UNKNOWN) {
266  f->alproto_ts = ALPROTO_FAILED;
267  }
268  FlagPacketFlow(p, f, STREAM_TOSERVER);
269  }
270  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
271  f, f->alproto, f->alproto_ts, f->alproto_tc);
272 }
273 
274 /* See if we're going to have to give up:
275  *
276  * If we're getting a lot of data in one direction and the
277  * proto for this direction is unknown, proto detect will
278  * hold up segments in the segment list in the stream.
279  * They are held so that if we detect the protocol on the
280  * opposing stream, we can still parse this side of the stream
281  * as well. However, some sessions are very unbalanced. FTP
282  * data channels, large PUT/POST request and many others, can
283  * lead to cases where we would have to store many megabytes
284  * worth of segments before we see the opposing stream. This
285  * leads to risks of resource starvation.
286  *
287  * Here a cutoff point is enforced. If we've stored 100k in
288  * one direction and we've seen no data in the other direction,
289  * we give up.
290  *
291  * Giving up means we disable applayer an set an applayer event
292  */
293 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
294  Flow *f, TcpSession *ssn, Packet *p)
295 {
296  if (ssn->state < TCP_ESTABLISHED) {
297  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
298  return;
299  }
300 
301  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
302  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
303  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
304 
305  /* at least 100000 whatever the conditions
306  * and can be more if window is bigger and if configuration allows it */
307  const uint32_t size_tc_limit =
308  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
309  const uint32_t size_ts_limit =
310  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
311 
312  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
313  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
314  {
315  goto failure;
316 
317  /* we bail out whatever the pp and pm states if
318  * we received too much data */
319  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
320  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
321  goto failure;
322 
323  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
324  size_ts > size_ts_limit && size_tc == 0) {
325  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
326  goto failure;
327 
328  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
329  size_tc > size_tc_limit && size_ts == 0) {
330  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
331  goto failure;
332 
333  /* little data in ts direction, pp done, pm not done (max
334  * depth not reached), ts direction done, lots of data in
335  * tc direction. */
336  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
337  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
338  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
339  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
340  goto failure;
341 
342  /* little data in tc direction, pp done, pm not done (max
343  * depth not reached), tc direction done, lots of data in
344  * ts direction. */
345  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
346  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
347  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
348  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
349  goto failure;
350  }
351  return;
352 
353 failure:
354  DisableAppLayer(tv, f, p);
355 }
356 
357 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
358  Packet *p, TcpSession *ssn, const TcpStream *stream)
359 {
360  TcpStream *opposing_stream = NULL;
361  if (stream == &ssn->client) {
362  opposing_stream = &ssn->server;
363  } else {
364  opposing_stream = &ssn->client;
365  }
366 
367  /* if the opposing side is not going to work, then
368  * we just have to give up. */
369  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
370  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
371  return -1;
372  }
373 
374  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
375  UPDATE_DIR_OPPOSING :
376  UPDATE_DIR_PACKET;
377  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
378  opposing_stream, p, dir);
379  return ret;
380 }
381 
382 extern enum ExceptionPolicy g_applayerparser_error_policy;
383 
384 /** \todo data const
385  * \retval int -1 error
386  * \retval int 0 ok
387  */
388 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
389  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
390  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
391 {
392  AppProto *alproto;
393  AppProto *alproto_otherdir;
394  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
395 
396  if (flags & STREAM_TOSERVER) {
397  alproto = &f->alproto_ts;
398  alproto_otherdir = &f->alproto_tc;
399  } else {
400  alproto = &f->alproto_tc;
401  alproto_otherdir = &f->alproto_ts;
402  }
403 
404  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
405 #ifdef PRINT
406  if (data_len > 0) {
407  printf("=> Init Stream Data (app layer) -- start %s%s\n",
408  flags & STREAM_TOCLIENT ? "toclient" : "",
409  flags & STREAM_TOSERVER ? "toserver" : "");
410  PrintRawDataFp(stdout, data, data_len);
411  printf("=> Init Stream Data -- end\n");
412  }
413 #endif
414 
415  bool reverse_flow = false;
416  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
417  PACKET_PROFILING_APP_PD_START(app_tctx);
418  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
419  f, data, data_len,
420  IPPROTO_TCP, flags, &reverse_flow);
421  PACKET_PROFILING_APP_PD_END(app_tctx);
422  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
423 
424  if (*alproto != ALPROTO_UNKNOWN) {
425  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
426  SCAppLayerDecoderEventsSetEventRaw(
427  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
428 
429  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
430  /* if we already invoked the parser, we go with that proto */
431  f->alproto = *alproto_otherdir;
432  } else {
433  /* no data sent to parser yet, we can still choose
434  * we're trusting the server more. */
435  if (flags & STREAM_TOCLIENT)
436  f->alproto = *alproto;
437  else
438  f->alproto = *alproto_otherdir;
439  }
440  } else {
441  f->alproto = *alproto;
442  }
443 
444  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
445  TcpSessionSetReassemblyDepth(ssn,
446  AppLayerParserGetStreamDepth(f));
447  FlagPacketFlow(p, f, flags);
448 
449  /* if protocol detection indicated that we need to reverse
450  * the direction of the flow, do it now. We flip the flow,
451  * packet and the direction flags */
452  if (reverse_flow &&
453  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
454  STREAMTCP_FLAG_MIDSTREAM)) {
455  /* but only if we didn't already detect it on the other side. */
456  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
457  SCLogDebug("reversing flow after proto detect told us so");
458  PacketSwap(p);
459  FlowSwap(f);
460  // Will reset signature groups in DetectRunSetup
461  f->de_ctx_version = UINT32_MAX;
462  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
463  if (*stream == &ssn->client) {
464  *stream = &ssn->server;
465  } else {
466  *stream = &ssn->client;
467  }
468  direction = 1 - direction;
469  } else {
470  // TODO event, error?
471  }
472  }
473 
474  /* account flow if we have both sides */
475  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
476  AppLayerIncFlowCounter(tv, f);
477  }
478 
479  /* if we have seen data from the other direction first, send
480  * data for that direction first to the parser. This shouldn't
481  * be an issue, since each stream processing happens
482  * independently of the other stream direction. At this point of
483  * call, you need to know that this function's already being
484  * called by the very same StreamReassembly() function that we
485  * will now call shortly for the opposing direction. */
486  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
487  !(flags & ssn->data_first_seen_dir))
488  {
489  SCLogDebug("protocol %s needs first data in other direction",
490  AppProtoToString(*alproto));
491 
492  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
493  p, ssn, *stream) != 0)
494  {
495  goto detect_error;
496  }
497  if (FlowChangeProto(f)) {
498  /* We have the first data which requested a protocol change from P1 to P2
499  * even if it was not recognized at first as being P1
500  * As the second data was recognized as P1, the protocol did not change !
501  */
502  FlowUnsetChangeProtoFlag(f);
503  SCAppLayerDecoderEventsSetEventRaw(
504  &p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
505  }
506  }
507 
508  /* if the parser operates such that it needs to see data from
509  * a particular direction first, we check if we have seen
510  * data from that direction first for the flow. IF it is not
511  * the same, we set an event and exit.
512  *
513  * \todo We need to figure out a more robust solution for this,
514  * as this can lead to easy evasion tactics, where the
515  * attacker can first send some dummy data in the wrong
516  * direction first to mislead our proto detection process.
517  * While doing this we need to update the parsers as well,
518  * since the parsers must be robust to see such wrong
519  * direction data.
520  * Either ways the moment we see the
521  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
522  * flow, it shows something's fishy.
523  */
524  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
525  uint8_t first_data_dir;
526  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
527 
528  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
529  SCAppLayerDecoderEventsSetEventRaw(
530  &p->app_layer_events, APPLAYER_WRONG_DIRECTION_FIRST_DATA);
531  goto detect_error;
532  }
533  /* This can happen if the current direction is not the
534  * right direction, and the data from the other(also
535  * the right direction) direction is available to be sent
536  * to the app layer, but it is not ack'ed yet and hence
537  * the forced call to STreamTcpAppLayerReassemble still
538  * hasn't managed to send data from the other direction
539  * to the app layer. */
540  if (first_data_dir && !(first_data_dir & flags)) {
541  FlowCleanupAppLayer(f);
542  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
543  FLOW_RESET_PP_DONE(f, flags);
544  FLOW_RESET_PM_DONE(f, flags);
545  FLOW_RESET_PE_DONE(f, flags);
546  SCReturnInt(-1);
547  }
548  }
549 
550  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
551  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
552 
553  /* finally, invoke the parser */
554  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
555  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
556  flags, data, data_len);
557  PACKET_PROFILING_APP_END(app_tctx);
558  p->app_update_direction = (uint8_t)app_update_dir;
559  if (r != 1) {
560  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
561  }
562  if (r == 0) {
563  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
564  TcpStream *opposing_stream;
565  if (*stream == &ssn->client) {
566  opposing_stream = &ssn->server;
567  } else {
568  opposing_stream = &ssn->client;
569  }
570  if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) {
571  // can happen in detection-only
572  AppLayerIncFlowCounter(tv, f);
573  }
574  }
575  }
576  if (r < 0) {
577  goto parser_error;
578  }
579  } else {
580  /* if the ssn is midstream, we may end up with a case where the
581  * start of an HTTP request is missing. We won't detect HTTP based
582  * on the request. However, the reply is fine, so we detect
583  * HTTP anyway. This leads to passing the incomplete request to
584  * the htp parser.
585  *
586  * This has been observed, where the http parser then saw many
587  * bogus requests in the incomplete data.
588  *
589  * To counter this case, a midstream session MUST find it's
590  * protocol in the toserver direction. If not, we assume the
591  * start of the request/toserver is incomplete and no reliable
592  * detection and parsing is possible. So we give up.
593  */
594  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
595  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
596  {
597  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
598  SCLogDebug("midstream end pd %p", ssn);
599  /* midstream and toserver detection failed: give up */
600  DisableAppLayer(tv, f, p);
601  SCReturnInt(0);
602  }
603  }
604 
605  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
606  uint8_t first_data_dir;
607  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
608 
609  /* this would handle this test case -
610  * http parser which says it wants to see toserver data first only.
611  * tcp handshake
612  * toclient data first received. - RUBBISH DATA which
613  * we don't detect as http
614  * toserver data next sent - we detect this as http.
615  * at this stage we see that toclient is the first data seen
616  * for this session and we try and redetect the app protocol,
617  * but we are unable to detect the app protocol like before.
618  * But since we have managed to detect the protocol for the
619  * other direction as http, we try to use that. At this
620  * stage we check if the direction of this stream matches
621  * to that acceptable by the app parser. If it is not the
622  * acceptable direction we error out.
623  */
624  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
625  (first_data_dir) && !(first_data_dir & flags))
626  {
627  goto detect_error;
628  }
629 
630  /* if protocol detection is marked done for our direction we
631  * pass our data on. We're only succeeded in finding one
632  * direction: the opposing stream
633  *
634  * If PD was not yet complete, we don't do anything.
635  */
636  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
637  if (data_len > 0)
638  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
639 
640  if (*alproto_otherdir != ALPROTO_FAILED) {
641  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
642  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
643  f->alproto, flags,
644  data, data_len);
645  PACKET_PROFILING_APP_END(app_tctx);
646  p->app_update_direction = (uint8_t)app_update_dir;
647  if (r != 1) {
648  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
649  }
650 
651  SCAppLayerDecoderEventsSetEventRaw(
652  &p->app_layer_events, APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
653  TcpSessionSetReassemblyDepth(ssn,
654  AppLayerParserGetStreamDepth(f));
655  AppLayerIncFlowCounter(tv, f);
656 
657  *alproto = *alproto_otherdir;
658  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
659  p->pcap_cnt, *alproto, *alproto_otherdir, r);
660  if (r < 0) {
661  goto parser_error;
662  }
663  }
664  *alproto = ALPROTO_FAILED;
665  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
666  FlagPacketFlow(p, f, flags);
667 
668  } else if (flags & STREAM_EOF) {
669  *alproto = f->alproto;
670  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
671  AppLayerIncFlowCounter(tv, f);
672  }
673  } else {
674  /* both sides unknown, let's see if we need to give up */
675  if (FlowChangeProto(f)) {
676  /* TCPProtoDetectCheckBailConditions does not work well because
677  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
678  * so, we set a lower limit to the data we inspect
679  * We could instead have set ssn->server.sb.stream_offset = 0;
680  */
681  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
682  DisableAppLayer(tv, f, p);
683  }
684  } else {
685  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
686  }
687  }
688  }
689  SCReturnInt(0);
690 parser_error:
691  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
692  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
693  SCReturnInt(-1);
694 detect_error:
695  DisableAppLayer(tv, f, p);
696  SCReturnInt(-2);
697 }
698 
699 /** \brief handle TCP data for the app-layer.
700  *
701  * First run protocol detection and then when the protocol is known invoke
702  * the app layer parser.
703  *
704  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
705  * reversed.
706  */
707 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f,
708  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
709  enum StreamUpdateDir app_update_dir)
710 {
711  SCEnter();
712 
713  DEBUG_ASSERT_FLOW_LOCKED(f);
714  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
715 
716  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
717  AppProto alproto;
718  int r = 0;
719 
720  SCLogDebug("data_len %u flags %02X", data_len, flags);
721  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
722  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
723  goto end;
724  }
725 
726  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
727 
728  if (flags & STREAM_TOSERVER) {
729  alproto = f->alproto_ts;
730  } else {
731  alproto = f->alproto_tc;
732  }
733 
734  /* If a gap notification, relay the notification on to the
735  * app-layer if known. */
736  if (flags & STREAM_GAP) {
737  SCLogDebug("GAP of size %u", data_len);
738  if (alproto == ALPROTO_UNKNOWN) {
739  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
740  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
741  /* if the other side didn't already find the proto, we're done */
742  if (f->alproto == ALPROTO_UNKNOWN) {
743  goto failure;
744  }
745  AppLayerIncFlowCounter(tv, f);
746  }
747  if (FlowChangeProto(f)) {
748  FlowUnsetChangeProtoFlag(f);
749  SCLogDebug("Cannot handle gap while changing protocol");
750  goto failure;
751  }
752  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
753  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
754  flags, data, data_len);
755  PACKET_PROFILING_APP_END(app_tctx);
756  p->app_update_direction = (uint8_t)app_update_dir;
757  /* ignore parser result for gap */
758  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
759  if (r < 0) {
760  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
761  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
762  SCReturnInt(-1);
763  }
764  goto end;
765  }
766 
767  /* if we don't know the proto yet and we have received a stream
768  * initializer message, we run proto detection.
769  * We receive 2 stream init msgs (one for each direction), we
770  * only run the proto detection for both and emit an event
771  * in the case protocols mismatch. */
772  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
773  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
774  /* run protocol detection */
775  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags,
776  app_update_dir) != 0) {
777  goto failure;
778  }
779  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
780  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
781  void *alstate_orig = f->alstate;
782  AppLayerParserState *alparser = f->alparser;
783  // we delay AppLayerParserStateCleanup because we may need previous parser state
784  AppLayerProtoDetectReset(f);
785  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
786  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
787  /* rerun protocol detection */
788  int rd = TCPProtoDetect(
789  tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, app_update_dir);
790  if (f->alproto == ALPROTO_UNKNOWN) {
791  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
792  // not enough data, revert AppLayerProtoDetectReset to rerun detection
793  f->alparser = alparser;
794  f->alproto = f->alproto_orig;
795  f->alproto_tc = f->alproto_orig;
796  f->alproto_ts = f->alproto_orig;
797  } else {
798  FlowUnsetChangeProtoFlag(f);
799  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
800  if (alstate_orig == f->alstate) {
801  // we just freed it
802  f->alstate = NULL;
803  }
804  }
805  if (rd != 0) {
806  SCLogDebug("proto detect failure");
807  goto failure;
808  }
809  SCLogDebug("protocol change, old %s, new %s",
810  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
811 
812  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
813  f->alproto != f->alproto_expect) {
814  SCAppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_UNEXPECTED_PROTOCOL);
815 
816  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
817  SCAppLayerDecoderEventsSetEventRaw(
818  &p->app_layer_events, APPLAYER_NO_TLS_AFTER_STARTTLS);
819  }
820  }
821  } else {
822  SCLogDebug("stream data (len %" PRIu32 " alproto "
823  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
824 #ifdef PRINT
825  if (data_len > 0) {
826  printf("=> Stream Data (app layer) -- start %s%s\n",
827  flags & STREAM_TOCLIENT ? "toclient" : "",
828  flags & STREAM_TOSERVER ? "toserver" : "");
829  PrintRawDataFp(stdout, data, data_len);
830  printf("=> Stream Data -- end\n");
831  }
832 #endif
833  /* if we don't have a data object here we are not getting it
834  * a start msg should have gotten us one */
835  if (f->alproto != ALPROTO_UNKNOWN) {
836  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
837  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
838  flags, data, data_len);
839  PACKET_PROFILING_APP_END(app_tctx);
840  p->app_update_direction = (uint8_t)app_update_dir;
841  if (r != 1) {
842  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
843  if (r < 0) {
844  ExceptionPolicyApply(
845  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
846  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
847  SCReturnInt(-1);
848  }
849  }
850  }
851  }
852 
853  goto end;
854  failure:
855  r = -1;
856  end:
857  SCReturnInt(r);
858 }
859 
860 /**
861  * \brief Handle a app layer UDP message
862  *
863  * If the protocol is yet unknown, the proto detection code is run first.
864  *
865  * \param dp_ctx Thread app layer detect context
866  * \param f *locked* flow
867  * \param p UDP packet
868  *
869  * \retval 0 ok
870  * \retval -1 error
871  */
872 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
873 {
874  SCEnter();
875  AppProto *alproto;
876  AppProto *alproto_otherdir;
877 
878  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
879  SCReturnInt(0);
880  }
881 
882  int r = 0;
883  uint8_t flags = 0;
884  if (p->flowflags & FLOW_PKT_TOSERVER) {
885  flags |= STREAM_TOSERVER;
886  alproto = &f->alproto_ts;
887  alproto_otherdir = &f->alproto_tc;
888  } else {
889  flags |= STREAM_TOCLIENT;
890  alproto = &f->alproto_tc;
891  alproto_otherdir = &f->alproto_ts;
892  }
893 
894  AppLayerProfilingReset(tctx);
895 
896  /* if the protocol is still unknown, run detection */
897  if (*alproto == ALPROTO_UNKNOWN) {
898  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
899  p->payload_len);
900 
901  bool reverse_flow = false;
902  PACKET_PROFILING_APP_PD_START(tctx);
903  *alproto = AppLayerProtoDetectGetProto(
904  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
905  PACKET_PROFILING_APP_PD_END(tctx);
906 
907  switch (*alproto) {
908  case ALPROTO_UNKNOWN:
909  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
910  // Use recognized side
911  f->alproto = *alproto_otherdir;
912  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
913  *alproto = *alproto_otherdir;
914  if (*alproto_otherdir == ALPROTO_FAILED) {
915  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
916  }
917  } else {
918  // First side of protocol is unknown
919  *alproto = ALPROTO_FAILED;
920  }
921  break;
922  case ALPROTO_FAILED:
923  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
924  // Use recognized side
925  f->alproto = *alproto_otherdir;
926  if (*alproto_otherdir == ALPROTO_FAILED) {
927  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
928  }
929  }
930  // else wait for second side of protocol
931  break;
932  default:
933  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
934  if (*alproto_otherdir != *alproto) {
935  SCAppLayerDecoderEventsSetEventRaw(
936  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
937  // data already sent to parser, we cannot change the protocol to use the one
938  // of the server
939  }
940  } else {
941  f->alproto = *alproto;
942  }
943  }
944  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
945  if (f->alproto == ALPROTO_UNKNOWN) {
946  // so as to increase stat about .app_layer.flow.failed_udp
947  f->alproto = ALPROTO_FAILED;
948  }
949  // If the other side is unknown, this is the first packet of the flow
950  AppLayerIncFlowCounter(tv, f);
951  }
952 
953  // parse the data if we recognized one protocol
954  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
955  if (reverse_flow) {
956  SCLogDebug("reversing flow after proto detect told us so");
957  PacketSwap(p);
958  FlowSwap(f);
959  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
960  }
961 
962  PACKET_PROFILING_APP_START(tctx, f->alproto);
963  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
964  flags, p->payload, p->payload_len);
965  PACKET_PROFILING_APP_END(tctx);
966  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
967  }
968  PACKET_PROFILING_APP_STORE(tctx, p);
969  /* we do only inspection in one direction, so flag both
970  * sides as done here */
971  FlagPacketFlow(p, f, STREAM_TOSERVER);
972  FlagPacketFlow(p, f, STREAM_TOCLIENT);
973  } else {
974  SCLogDebug("data (len %" PRIu32 " ), alproto "
975  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
976 
977  /* run the parser */
978  PACKET_PROFILING_APP_START(tctx, f->alproto);
979  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
980  flags, p->payload, p->payload_len);
981  PACKET_PROFILING_APP_END(tctx);
982  PACKET_PROFILING_APP_STORE(tctx, p);
983  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
984  }
985  if (r < 0) {
986  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
987  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
988  SCReturnInt(-1);
989  }
990 
991  SCReturnInt(r);
992 }
993 
994 /***** Utility *****/
995 
996 AppProto AppLayerGetProtoByName(const char *alproto_name)
997 {
998  SCEnter();
999  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
1000  SCReturnCT(r, "AppProto");
1001 }
1002 
1003 const char *AppLayerGetProtoName(AppProto alproto)
1004 {
1005  SCEnter();
1006  const char * r = AppLayerProtoDetectGetProtoName(alproto);
1007  SCReturnCT(r, "char *");
1008 }
1009 
1010 void AppLayerListSupportedProtocols(void)
1011 {
1012  SCEnter();
1013 
1014  AppProto alproto;
1015  AppProto alprotos[g_alproto_max];
1016 
1017  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1018 
1019  printf("=========Supported App Layer Protocols=========\n");
1020  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1021  if (alprotos[alproto] == 1)
1022  printf("%s\n", AppLayerGetProtoName(alproto));
1023  }
1024 
1025  SCReturn;
1026 }
1027 
1028 /***** Setup/General Registration *****/
1029 static void AppLayerNamesSetup(void)
1030 {
1031  AppProtoRegisterProtoString(ALPROTO_UNKNOWN, "unknown");
1032  AppProtoRegisterProtoString(ALPROTO_FAILED, "failed");
1033  AppProtoRegisterProtoString(ALPROTO_HTTP1, "http1");
1034  AppProtoRegisterProtoString(ALPROTO_FTP, "ftp");
1035  AppProtoRegisterProtoString(ALPROTO_SMTP, "smtp");
1036  AppProtoRegisterProtoString(ALPROTO_TLS, "tls");
1037  AppProtoRegisterProtoString(ALPROTO_SSH, "ssh");
1038  AppProtoRegisterProtoString(ALPROTO_IMAP, "imap");
1039  AppProtoRegisterProtoString(ALPROTO_JABBER, "jabber");
1040  AppProtoRegisterProtoString(ALPROTO_SMB, "smb");
1041  AppProtoRegisterProtoString(ALPROTO_DCERPC, "dcerpc");
1042  AppProtoRegisterProtoString(ALPROTO_IRC, "irc");
1043  AppProtoRegisterProtoString(ALPROTO_DNS, "dns");
1044  AppProtoRegisterProtoString(ALPROTO_MODBUS, "modbus");
1045  AppProtoRegisterProtoString(ALPROTO_ENIP, "enip");
1046  AppProtoRegisterProtoString(ALPROTO_DNP3, "dnp3");
1047  AppProtoRegisterProtoString(ALPROTO_NFS, "nfs");
1048  AppProtoRegisterProtoString(ALPROTO_NTP, "ntp");
1049  AppProtoRegisterProtoString(ALPROTO_FTPDATA, "ftp-data");
1050  AppProtoRegisterProtoString(ALPROTO_TFTP, "tftp");
1051  AppProtoRegisterProtoString(ALPROTO_IKE, "ike");
1052  AppProtoRegisterProtoString(ALPROTO_KRB5, "krb5");
1053  AppProtoRegisterProtoString(ALPROTO_QUIC, "quic");
1054  AppProtoRegisterProtoString(ALPROTO_DHCP, "dhcp");
1055  AppProtoRegisterProtoString(ALPROTO_SIP, "sip");
1056  AppProtoRegisterProtoString(ALPROTO_RFB, "rfb");
1057  AppProtoRegisterProtoString(ALPROTO_MQTT, "mqtt");
1058  AppProtoRegisterProtoString(ALPROTO_PGSQL, "pgsql");
1059  AppProtoRegisterProtoString(ALPROTO_TELNET, "telnet");
1060  AppProtoRegisterProtoString(ALPROTO_WEBSOCKET, "websocket");
1061  AppProtoRegisterProtoString(ALPROTO_LDAP, "ldap");
1062  AppProtoRegisterProtoString(ALPROTO_DOH2, "doh2");
1063  AppProtoRegisterProtoString(ALPROTO_MDNS, "mdns");
1064  AppProtoRegisterProtoString(ALPROTO_TEMPLATE, "template");
1065  AppProtoRegisterProtoString(ALPROTO_RDP, "rdp");
1066  AppProtoRegisterProtoString(ALPROTO_HTTP2, "http2");
1067  AppProtoRegisterProtoString(ALPROTO_BITTORRENT_DHT, "bittorrent-dht");
1068  AppProtoRegisterProtoString(ALPROTO_POP3, "pop3");
1069  AppProtoRegisterProtoString(ALPROTO_HTTP, "http");
1070 }
1071 
1072 int AppLayerSetup(void)
1073 {
1074  SCEnter();
1075 
1076  AppLayerNamesSetup();
1077  AppLayerProtoDetectSetup();
1078  AppLayerParserSetup();
1079 
1080  AppLayerParserRegisterProtocolParsers();
1081  AppLayerProtoDetectPrepareState();
1082 
1083  AppLayerSetupCounters();
1084  FrameConfigInit();
1085 
1086  SCReturnInt(0);
1087 }
1088 
1089 int AppLayerDeSetup(void)
1090 {
1091  SCEnter();
1092 
1093  AppLayerProtoDetectDeSetup();
1094  AppLayerParserDeSetup();
1095 
1096  AppLayerDeSetupCounters();
1097  FrameConfigDeInit();
1098 
1099  SCReturnInt(0);
1100 }
1101 
1102 AppLayerThreadCtx *AppLayerGetCtxThread(void)
1103 {
1104  SCEnter();
1105 
1106  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
1107  if (app_tctx == NULL)
1108  goto error;
1109 
1110  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1111  goto error;
1112  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1113  goto error;
1114 
1115  goto done;
1116  error:
1117  AppLayerDestroyCtxThread(app_tctx);
1118  app_tctx = NULL;
1119  done:
1120  SCReturnPtr(app_tctx, "void *");
1121 }
1122 
1123 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1124 {
1125  SCEnter();
1126 
1127  if (app_tctx == NULL)
1128  SCReturn;
1129 
1130  if (app_tctx->alpd_tctx != NULL)
1131  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1132  if (app_tctx->alp_tctx != NULL)
1133  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1134  SCFree(app_tctx);
1135 
1136  SCReturn;
1137 }
1138 
1139 #ifdef PROFILING
1140 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1141 {
1142  PACKET_PROFILING_APP_RESET(app_tctx);
1143 }
1144 
1145 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1146 {
1147  PACKET_PROFILING_APP_STORE(app_tctx, p);
1148 }
1149 #endif
1150 
1151 /** \brief HACK to work around our broken unix manager (re)init loop
1152  */
1153 void AppLayerRegisterGlobalCounters(void)
1154 {
1155  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1156  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1157  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1158  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1159  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1160  StatsRegisterGlobalCounter("http.byterange.memuse", HTPByteRangeMemuseGlobalCounter);
1161  StatsRegisterGlobalCounter("http.byterange.memcap", HTPByteRangeMemcapGlobalCounter);
1162  StatsRegisterGlobalCounter("ippair.memuse", IPPairGetMemuse);
1163  StatsRegisterGlobalCounter("ippair.memcap", IPPairGetMemcap);
1164  StatsRegisterGlobalCounter("host.memuse", HostGetMemuse);
1165  StatsRegisterGlobalCounter("host.memcap", HostGetMemcap);
1166 }
1167 
1168 static bool IsAppLayerErrorExceptionPolicyStatsValid(enum ExceptionPolicy policy)
1169 {
1170  if (EngineModeIsIPS()) {
1171  return app_layer_error_eps_stats.valid_settings_ips[policy];
1172  }
1173  return app_layer_error_eps_stats.valid_settings_ids[policy];
1174 }
1175 
1176 static void AppLayerSetupExceptionPolicyPerProtoCounters(
1177  uint8_t ipproto_map, AppProto alproto, const char *alproto_str, const char *ipproto_suffix)
1178 {
1179  if (g_stats_eps_per_app_proto_errors &&
1180  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1181  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1182  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1183  snprintf(applayer_counter_names[alproto][ipproto_map].eps_name[i],
1184  sizeof(applayer_counter_names[alproto][ipproto_map].eps_name[i]),
1185  "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix,
1186  ExceptionPolicyEnumToString(i, true));
1187  }
1188  }
1189  }
1190 }
1191 
1192 void AppLayerSetupCounters(void)
1193 {
1194  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1195  AppProto alprotos[g_alproto_max];
1196  const char *str = "app_layer.flow.";
1197  const char *estr = "app_layer.error.";
1198 
1199  applayer_counter_names =
1200  SCCalloc(g_alproto_max, sizeof(AppLayerCounterNames[FLOW_PROTO_APPLAYER_MAX]));
1201  if (unlikely(applayer_counter_names == NULL)) {
1202  FatalError("Unable to alloc applayer_counter_names.");
1203  }
1204  applayer_counters = SCCalloc(g_alproto_max, sizeof(AppLayerCounters[FLOW_PROTO_APPLAYER_MAX]));
1205  if (unlikely(applayer_counters == NULL)) {
1206  FatalError("Unable to alloc applayer_counters.");
1207  }
1208  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1209  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1210  /* Register global counters for app layer error exception policy summary */
1211  const char *eps_default_str = "exception_policy.app_layer.error.";
1212  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1213  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1214  snprintf(app_layer_error_eps_stats.eps_name[i],
1215  sizeof(app_layer_error_eps_stats.eps_name[i]), "%s%s", eps_default_str,
1216  ExceptionPolicyEnumToString(i, true));
1217  }
1218  }
1219  }
1220 
1221  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1222 
1223  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1224  const uint8_t ipproto = ipprotos[p];
1225  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1226  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1227  uint8_t ipprotos_all[256 / 8];
1228 
1229  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1230  if (alprotos[alproto] == 1) {
1231  const char *tx_str = "app_layer.tx.";
1232  const char *alproto_str = AppLayerGetProtoName(alproto);
1233 
1234  memset(ipprotos_all, 0, sizeof(ipprotos_all));
1235  AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
1236  if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
1237  (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
1238  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1239  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s",
1240  str, alproto_str, ipproto_suffix);
1241  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1242  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s%s",
1243  tx_str, alproto_str, ipproto_suffix);
1244 
1245  if (ipproto == IPPROTO_TCP) {
1246  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1247  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1248  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1249  }
1250  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1251  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1252  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1253  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1254  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1255  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1256  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1257  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1258  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1259 
1260  AppLayerSetupExceptionPolicyPerProtoCounters(
1261  ipproto_map, alproto, alproto_str, ipproto_suffix);
1262  } else {
1263  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1264  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s", str,
1265  alproto_str);
1266  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1267  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s",
1268  tx_str, alproto_str);
1269 
1270  if (ipproto == IPPROTO_TCP) {
1271  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1272  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1273  "%s%s.gap", estr, alproto_str);
1274  }
1275  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1276  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1277  "%s%s.alloc", estr, alproto_str);
1278  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1279  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1280  "%s%s.parser", estr, alproto_str);
1281  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1282  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1283  "%s%s.internal", estr, alproto_str);
1284  AppLayerSetupExceptionPolicyPerProtoCounters(
1285  ipproto_map, alproto, alproto_str, "");
1286  }
1287  } else if (alproto == ALPROTO_FAILED) {
1288  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1289  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", str,
1290  "failed", ipproto_suffix);
1291  if (ipproto == IPPROTO_TCP) {
1292  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1293  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1294  "%sfailed%s.gap", estr, ipproto_suffix);
1295  }
1296  }
1297  }
1298  }
1299 }
1300 
1301 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1302 {
1303  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1304  AppProto alprotos[g_alproto_max];
1305  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1306 
1307  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1308  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1309  /* Register global counters for app layer error exception policy summary */
1310  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1311  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1312  eps_error_summary.eps_id[i] =
1313  StatsRegisterCounter(app_layer_error_eps_stats.eps_name[i], tv);
1314  }
1315  }
1316  }
1317 
1318  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1319  const uint8_t ipproto = ipprotos[p];
1320  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1321 
1322  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1323  if (alprotos[alproto] == 1) {
1324  applayer_counters[alproto][ipproto_map].counter_id =
1325  StatsRegisterCounter(applayer_counter_names[alproto][ipproto_map].name, tv);
1326 
1327  applayer_counters[alproto][ipproto_map].counter_tx_id = StatsRegisterCounter(
1328  applayer_counter_names[alproto][ipproto_map].tx_name, tv);
1329 
1330  if (ipproto == IPPROTO_TCP) {
1331  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1332  applayer_counter_names[alproto][ipproto_map].gap_error, tv);
1333  }
1334  applayer_counters[alproto][ipproto_map].alloc_error_id = StatsRegisterCounter(
1335  applayer_counter_names[alproto][ipproto_map].alloc_error, tv);
1336  applayer_counters[alproto][ipproto_map].parser_error_id = StatsRegisterCounter(
1337  applayer_counter_names[alproto][ipproto_map].parser_error, tv);
1338  applayer_counters[alproto][ipproto_map].internal_error_id = StatsRegisterCounter(
1339  applayer_counter_names[alproto][ipproto_map].internal_error, tv);
1340  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1341  if (g_stats_eps_per_app_proto_errors &&
1342  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1343  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1;
1344  i < EXCEPTION_POLICY_MAX; i++) {
1345  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1346  applayer_counters[alproto][ipproto_map]
1347  .eps_error.eps_id[i] = StatsRegisterCounter(
1348  applayer_counter_names[alproto][ipproto_map].eps_name[i], tv);
1349  }
1350  }
1351  }
1352  } else if (alproto == ALPROTO_FAILED) {
1353  applayer_counters[alproto][ipproto_map].counter_id =
1354  StatsRegisterCounter(applayer_counter_names[alproto][ipproto_map].name, tv);
1355 
1356  if (ipproto == IPPROTO_TCP) {
1357  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1358  applayer_counter_names[alproto][ipproto_map].gap_error, tv);
1359  }
1360  }
1361  }
1362  }
1363 }
1364 
1365 void AppLayerDeSetupCounters(void)
1366 {
1367  SCFree(applayer_counter_names);
1368  SCFree(applayer_counters);
1369 }
1370 
1371 /***** Unittests *****/
1372 
1373 #ifdef UNITTESTS
1374 #include "pkt-var.h"
1375 #include "stream-tcp-util.h"
1376 #include "stream.h"
1377 #include "util-unittest.h"
1378 
1379 #define TEST_START \
1380  Packet *p = PacketGetFromAlloc(); \
1381  FAIL_IF_NULL(p); \
1382  Flow f; \
1383  ThreadVars tv; \
1384  StreamTcpThread *stt = NULL; \
1385  TCPHdr tcph; \
1386  PacketQueueNoLock pq; \
1387  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1388  memset(&f, 0, sizeof(Flow)); \
1389  memset(&tv, 0, sizeof(ThreadVars)); \
1390  memset(&tcph, 0, sizeof(TCPHdr)); \
1391  \
1392  FLOW_INITIALIZE(&f); \
1393  f.flags = FLOW_IPV4; \
1394  f.proto = IPPROTO_TCP; \
1395  p->flow = &f; \
1396  PacketSetTCP(p, (uint8_t *)&tcph); \
1397  \
1398  StreamTcpInitConfig(true); \
1399  IPPairInitConfig(true); \
1400  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1401  \
1402  /* handshake */ \
1403  tcph.th_win = htons(5480); \
1404  tcph.th_flags = TH_SYN; \
1405  p->flowflags = FLOW_PKT_TOSERVER; \
1406  p->payload_len = 0; \
1407  p->payload = NULL; \
1408  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1409  TcpSession *ssn = (TcpSession *)f.protoctx; \
1410  \
1411  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1412  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1413  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1414  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1415  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1416  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1417  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1418  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1419  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1420  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1421  FAIL_IF(ssn->data_first_seen_dir != 0); \
1422  \
1423  /* handshake */ \
1424  tcph.th_ack = htonl(1); \
1425  tcph.th_flags = TH_SYN | TH_ACK; \
1426  p->flowflags = FLOW_PKT_TOCLIENT; \
1427  p->payload_len = 0; \
1428  p->payload = NULL; \
1429  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1430  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1431  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1432  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1433  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1434  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1435  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1436  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1437  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1438  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1439  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1440  FAIL_IF(ssn->data_first_seen_dir != 0); \
1441  \
1442  /* handshake */ \
1443  tcph.th_ack = htonl(1); \
1444  tcph.th_seq = htonl(1); \
1445  tcph.th_flags = TH_ACK; \
1446  p->flowflags = FLOW_PKT_TOSERVER; \
1447  p->payload_len = 0; \
1448  p->payload = NULL; \
1449  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1450  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1451  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1452  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1453  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1454  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1455  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1456  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1457  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1458  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1459  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1460  FAIL_IF(ssn->data_first_seen_dir != 0);
1461 #define TEST_END \
1462  StreamTcpSessionClear(p->flow->protoctx); \
1463  StreamTcpThreadDeinit(&tv, (void *)stt); \
1464  StreamTcpFreeConfig(true); \
1465  PacketFree(p); \
1466  FLOW_DESTROY(&f); \
1467  IPPairShutdown(); \
1468  StatsThreadCleanup(&tv);
1469 
1470 /**
1471  * \test GET -> HTTP/1.1
1472  */
1473 static int AppLayerTest01(void)
1474 {
1475  TEST_START;
1476 
1477  /* full request */
1478  uint8_t request[] = {
1479  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1480  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1481  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1482  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1483  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1484  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1485  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1486  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1487  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1488  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1489  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1490  tcph.th_ack = htonl(1);
1491  tcph.th_seq = htonl(1);
1492  tcph.th_flags = TH_PUSH | TH_ACK;
1493  p->flowflags = FLOW_PKT_TOSERVER;
1494  p->payload_len = sizeof(request);
1495  p->payload = request;
1496  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1497  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1498  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1499  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1500  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1501  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1502  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1503  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1504  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1505  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1506  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1507  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1508 
1509  /* full response - request ack */
1510  uint8_t response[] = {
1511  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1512  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1513  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1514  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1515  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1516  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1517  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1518  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1519  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1520  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1521  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1522  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1523  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1524  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1525  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1526  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1527  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1528  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1529  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1530  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1531  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1532  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1533  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1534  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1535  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1536  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1537  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1538  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1539  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1540  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1541  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1542  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1543  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1544  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1545  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1546  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1547  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1548  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1549  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1550  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1551  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1552  tcph.th_ack = htonl(88);
1553  tcph.th_seq = htonl(1);
1554  tcph.th_flags = TH_PUSH | TH_ACK;
1555  p->flowflags = FLOW_PKT_TOCLIENT;
1556  p->payload_len = sizeof(response);
1557  p->payload = response;
1558  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1559  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1560  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1561  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1562  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1563  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1564  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1565  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1566  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1567  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1568  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1569  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1570 
1571  /* response ack */
1572  tcph.th_ack = htonl(328);
1573  tcph.th_seq = htonl(88);
1574  tcph.th_flags = TH_ACK;
1575  p->flowflags = FLOW_PKT_TOSERVER;
1576  p->payload_len = 0;
1577  p->payload = NULL;
1578  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1579  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1580  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1581  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1582  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1583  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1584  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1585  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1586  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1587  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1588  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1589  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1590 
1591  TEST_END;
1592  PASS;
1593 }
1594 
1595 /**
1596  * \test GE -> T -> HTTP/1.1
1597  */
1598 static int AppLayerTest02(void)
1599 {
1600  TEST_START;
1601 
1602  /* partial request */
1603  uint8_t request1[] = { 0x47, 0x45, };
1604  tcph.th_ack = htonl(1);
1605  tcph.th_seq = htonl(1);
1606  tcph.th_flags = TH_PUSH | TH_ACK;
1607  p->flowflags = FLOW_PKT_TOSERVER;
1608  p->payload_len = sizeof(request1);
1609  p->payload = request1;
1610  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1611  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1612  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1613  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1614  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1615  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1616  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1617  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1618  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1619  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1620  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1621  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1622 
1623  /* response ack against partial request */
1624  tcph.th_ack = htonl(3);
1625  tcph.th_seq = htonl(1);
1626  tcph.th_flags = TH_ACK;
1627  p->flowflags = FLOW_PKT_TOCLIENT;
1628  p->payload_len = 0;
1629  p->payload = NULL;
1630  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1631  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1632  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1633  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1634  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1635  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1636  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1637  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1638  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1639  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1640  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1641  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1642 
1643  /* complete partial request */
1644  uint8_t request2[] = {
1645  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1646  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1647  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1648  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1649  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1650  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1651  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1652  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1653  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1654  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1655  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1656  tcph.th_ack = htonl(1);
1657  tcph.th_seq = htonl(3);
1658  tcph.th_flags = TH_PUSH | TH_ACK;
1659  p->flowflags = FLOW_PKT_TOSERVER;
1660  p->payload_len = sizeof(request2);
1661  p->payload = request2;
1662  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1663  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1664  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1665  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1666  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1667  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1668  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1669  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1670  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1671  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1672  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1673  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1674 
1675  /* response - request ack */
1676  uint8_t response[] = {
1677  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1678  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1679  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1680  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1681  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1682  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1683  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1684  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1685  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1686  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1687  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1688  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1689  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1690  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1691  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1692  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1693  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1694  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1695  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1696  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1697  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1698  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1699  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1700  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1701  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1702  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1703  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1704  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1705  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1706  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1707  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1708  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1709  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1710  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1711  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1712  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1713  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1714  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1715  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1716  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1717  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1718  tcph.th_ack = htonl(88);
1719  tcph.th_seq = htonl(1);
1720  tcph.th_flags = TH_PUSH | TH_ACK;
1721  p->flowflags = FLOW_PKT_TOCLIENT;
1722  p->payload_len = sizeof(response);
1723  p->payload = response;
1724  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1725  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1726  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1727  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1728  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1729  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1730  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1731  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1732  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1733  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1734  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1735  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1736 
1737  /* response ack */
1738  tcph.th_ack = htonl(328);
1739  tcph.th_seq = htonl(88);
1740  tcph.th_flags = TH_ACK;
1741  p->flowflags = FLOW_PKT_TOSERVER;
1742  p->payload_len = 0;
1743  p->payload = NULL;
1744  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1745  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1746  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1747  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1748  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1749  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1750  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1751  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1752  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1753  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1754  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1755  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1756 
1757  TEST_END;
1758  PASS;
1759 }
1760 
1761 /**
1762  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1763  */
1764 static int AppLayerTest03(void)
1765 {
1766  TEST_START;
1767 
1768  /* request */
1769  uint8_t request[] = {
1770  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1771  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1772  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1773  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1774  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1775  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1776  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1777  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1778  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1779  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1780  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1781  tcph.th_ack = htonl(1);
1782  tcph.th_seq = htonl(1);
1783  tcph.th_flags = TH_PUSH | TH_ACK;
1784  p->flowflags = FLOW_PKT_TOSERVER;
1785  p->payload_len = sizeof(request);
1786  p->payload = request;
1787  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1788  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1789  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1790  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1791  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1792  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1793  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1794  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1795  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1796  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1797  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1798  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1799 
1800  /* rubbish response */
1801  uint8_t response[] = {
1802  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1803  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1804  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1805  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1806  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1807  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1808  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1809  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1810  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1811  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1812  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1813  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1814  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1815  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1816  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1817  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1818  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1819  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1820  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1821  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1822  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1823  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1824  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1825  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1826  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1827  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1828  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1829  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1830  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1831  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1832  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1833  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1834  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1835  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1836  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1837  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1838  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1839  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1840  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1841  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1842  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1843  tcph.th_ack = htonl(88);
1844  tcph.th_seq = htonl(1);
1845  tcph.th_flags = TH_PUSH | TH_ACK;
1846  p->flowflags = FLOW_PKT_TOCLIENT;
1847  p->payload_len = sizeof(response);
1848  p->payload = response;
1849  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1850  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1851  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1852  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1853  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1854  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1855  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1856  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1857  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1858  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1859  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1860  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1861 
1862  /* response ack */
1863  tcph.th_ack = htonl(328);
1864  tcph.th_seq = htonl(88);
1865  tcph.th_flags = TH_ACK;
1866  p->flowflags = FLOW_PKT_TOSERVER;
1867  p->payload_len = 0;
1868  p->payload = NULL;
1869  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1870  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1871  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1872  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1873  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1874  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1875  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1876  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1877  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1878  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1879  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1880  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1881 
1882  TEST_END;
1883  PASS;
1884 }
1885 
1886 /**
1887  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1888  */
1889 static int AppLayerTest04(void)
1890 {
1891  TEST_START;
1892 
1893  /* request */
1894  uint8_t request[] = {
1895  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1896  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1897  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1898  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1899  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1900  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1901  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1902  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1903  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1904  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1905  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1906  PrintRawDataFp(stdout, request, sizeof(request));
1907  tcph.th_ack = htonl(1);
1908  tcph.th_seq = htonl(1);
1909  tcph.th_flags = TH_PUSH | TH_ACK;
1910  p->flowflags = FLOW_PKT_TOSERVER;
1911  p->payload_len = sizeof(request);
1912  p->payload = request;
1913  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1914  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1915  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1916  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1917  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1918  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1919  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1920  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1921  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1922  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1923  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1924  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1925 
1926  /* partial response */
1927  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1928  PrintRawDataFp(stdout, response1, sizeof(response1));
1929  tcph.th_ack = htonl(88);
1930  tcph.th_seq = htonl(1);
1931  tcph.th_flags = TH_PUSH | TH_ACK;
1932  p->flowflags = FLOW_PKT_TOCLIENT;
1933  p->payload_len = sizeof(response1);
1934  p->payload = response1;
1935  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1936  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1937  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1938  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1939  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1940  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1941  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1942  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1943  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1944  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1945  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1946  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1947 
1948  /* partial response ack */
1949  tcph.th_ack = htonl(5);
1950  tcph.th_seq = htonl(88);
1951  tcph.th_flags = TH_ACK;
1952  p->flowflags = FLOW_PKT_TOSERVER;
1953  p->payload_len = 0;
1954  p->payload = NULL;
1955  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1956  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1957  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1958  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1959  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1960  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1961  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1962  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1963  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1964  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1965  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1966  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1967 
1968  /* remaining response */
1969  uint8_t response2[] = {
1970  0x2f, 0x31, 0x2e, 0x31,
1971  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1972  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1973  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1974  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1975  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1976  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1977  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1978  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1979  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1980  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1981  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1982  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1983  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1984  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1985  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1986  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1987  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1988  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1989  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1990  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1991  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1992  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1993  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1994  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1995  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1996  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1997  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1998  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1999  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2000  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2001  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2002  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2003  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2004  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2005  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2006  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2007  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2008  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2009  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2010  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2011  PrintRawDataFp(stdout, response2, sizeof(response2));
2012  tcph.th_ack = htonl(88);
2013  tcph.th_seq = htonl(5);
2014  tcph.th_flags = TH_PUSH | TH_ACK;
2015  p->flowflags = FLOW_PKT_TOCLIENT;
2016  p->payload_len = sizeof(response2);
2017  p->payload = response2;
2018  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2019  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2020  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2021  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2022  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2023  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2024  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2025  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2026  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2027  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2028  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2029  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2030 
2031  /* response ack */
2032  tcph.th_ack = htonl(328);
2033  tcph.th_seq = htonl(88);
2034  tcph.th_flags = TH_ACK;
2035  p->flowflags = FLOW_PKT_TOSERVER;
2036  p->payload_len = 0;
2037  p->payload = NULL;
2038  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2039  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
2040  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2041  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2042  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2043  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
2044  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2045  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2046  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2047  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2048  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2049  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2050 
2051  TEST_END;
2052  PASS;
2053 }
2054 
2055 /**
2056  * \test RUBBISH -> HTTP/1.1
2057  */
2058 static int AppLayerTest05(void)
2059 {
2060  TEST_START;
2061 
2062  /* full request */
2063  uint8_t request[] = {
2064  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2065  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2066  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2067  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2068  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2069  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2070  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2071  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2072  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2073  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2074  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2075  PrintRawDataFp(stdout, request, sizeof(request));
2076  tcph.th_ack = htonl(1);
2077  tcph.th_seq = htonl(1);
2078  tcph.th_flags = TH_PUSH | TH_ACK;
2079  p->flowflags = FLOW_PKT_TOSERVER;
2080  p->payload_len = sizeof(request);
2081  p->payload = request;
2082  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2083  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2084  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2085  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2086  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2087  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2088  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2089  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2090  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2091  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2092  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2093  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2094 
2095  /* full response - request ack */
2096  uint8_t response[] = {
2097  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2098  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2099  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2100  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2101  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2102  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2103  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2104  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2105  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2106  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2107  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2108  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2109  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2110  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2111  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2112  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2113  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2114  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2115  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2116  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2117  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2118  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2119  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2120  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2121  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2122  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2123  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2124  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2125  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2126  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2127  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2128  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2129  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2130  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2131  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2132  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2133  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2134  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2135  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2136  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2137  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2138  PrintRawDataFp(stdout, response, sizeof(response));
2139  tcph.th_ack = htonl(88);
2140  tcph.th_seq = htonl(1);
2141  tcph.th_flags = TH_PUSH | TH_ACK;
2142  p->flowflags = FLOW_PKT_TOCLIENT;
2143  p->payload_len = sizeof(response);
2144  p->payload = response;
2145  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2146  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2147  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2148  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2149  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2150  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2151  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2152  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2153  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2154  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2155  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2156  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2157 
2158  /* response ack */
2159  tcph.th_ack = htonl(328);
2160  tcph.th_seq = htonl(88);
2161  tcph.th_flags = TH_ACK;
2162  p->flowflags = FLOW_PKT_TOSERVER;
2163  p->payload_len = 0;
2164  p->payload = NULL;
2165  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2166  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2167  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2168  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2169  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2170  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2171  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2172  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2173  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2174  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2175  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2176  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2177 
2178  TEST_END;
2179  PASS;
2180 }
2181 
2182 /**
2183  * \test HTTP/1.1 -> GET
2184  */
2185 static int AppLayerTest06(void)
2186 {
2187  TEST_START;
2188 
2189  /* full response - request ack */
2190  uint8_t response[] = {
2191  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2192  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2193  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2194  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2195  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2196  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2197  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2198  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2199  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2200  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2201  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2202  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2203  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2204  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2205  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2206  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2207  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2208  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2209  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2210  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2211  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2212  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2213  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2214  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2215  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2216  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2217  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2218  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2219  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2220  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2221  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2222  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2223  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2224  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2225  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2226  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2227  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2228  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2229  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2230  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2231  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2232  tcph.th_ack = htonl(1);
2233  tcph.th_seq = htonl(1);
2234  tcph.th_flags = TH_PUSH | TH_ACK;
2235  p->flowflags = FLOW_PKT_TOCLIENT;
2236  p->payload_len = sizeof(response);
2237  p->payload = response;
2238  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2239  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2240  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2241  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2242  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2243  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2244  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2245  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2246  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2247  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2248  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2249  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2250 
2251  /* full request - response ack*/
2252  uint8_t request[] = {
2253  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2254  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2255  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2256  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2257  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2258  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2259  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2260  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2261  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2262  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2263  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2264  tcph.th_ack = htonl(328);
2265  tcph.th_seq = htonl(1);
2266  tcph.th_flags = TH_PUSH | TH_ACK;
2267  p->flowflags = FLOW_PKT_TOSERVER;
2268  p->payload_len = sizeof(request);
2269  p->payload = request;
2270  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2271  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2272  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2273  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2274  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2275  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2276  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2277  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2278  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2279  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2280  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2281  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2282 
2283  tcph.th_ack = htonl(1 + sizeof(request));
2284  tcph.th_seq = htonl(328);
2285  tcph.th_flags = TH_PUSH | TH_ACK;
2286  p->flowflags = FLOW_PKT_TOCLIENT;
2287  p->payload_len = 0;
2288  p->payload = NULL;
2289  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2290  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2291  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2292  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2293  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2294  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2295  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2296  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2297  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2298  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2299  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2300  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2301 
2302  TEST_END;
2303  PASS;
2304 }
2305 
2306 /**
2307  * \test GET -> DCERPC
2308  */
2309 static int AppLayerTest07(void)
2310 {
2311  TEST_START;
2312 
2313  /* full request */
2314  uint8_t request[] = {
2315  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2316  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2317  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2318  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2319  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2320  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2321  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2322  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2323  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2324  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2325  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2326  tcph.th_ack = htonl(1);
2327  tcph.th_seq = htonl(1);
2328  tcph.th_flags = TH_PUSH | TH_ACK;
2329  p->flowflags = FLOW_PKT_TOSERVER;
2330  p->payload_len = sizeof(request);
2331  p->payload = request;
2332  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2333  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2334  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2335  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2336  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2337  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2338  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2339  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2340  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2341  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2342  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2343  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2344 
2345  /* full response - request ack */
2346  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2347  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2348  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2349  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2350  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2351  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2352  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2353  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2354  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2355  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2356  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2357  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2358  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2359  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2360  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2361  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2362  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2363  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2364  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2365  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2366  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2367  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2368  tcph.th_ack = htonl(88);
2369  tcph.th_seq = htonl(1);
2370  tcph.th_flags = TH_PUSH | TH_ACK;
2371  p->flowflags = FLOW_PKT_TOCLIENT;
2372  p->payload_len = sizeof(response);
2373  p->payload = response;
2374  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2375  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2376  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2377  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2378  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2379  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2380  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2381  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2382  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2383  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2384  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2385  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2386 
2387  /* response ack */
2388  tcph.th_ack = htonl(328);
2389  tcph.th_seq = htonl(88);
2390  tcph.th_flags = TH_ACK;
2391  p->flowflags = FLOW_PKT_TOSERVER;
2392  p->payload_len = 0;
2393  p->payload = NULL;
2394  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2395  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2396  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2397  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2398  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2399  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2400  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2401  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2402  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2403  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2404  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2405  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2406 
2407  TEST_END;
2408  PASS;
2409 }
2410 
2411 /**
2412  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2413  * RUBBISH(TC - PM and PP DONE) ->
2414  * RUBBISH(TS - PM and PP DONE)
2415  */
2416 static int AppLayerTest09(void)
2417 {
2418  TEST_START;
2419 
2420  /* full request */
2421  uint8_t request1[] = {
2422  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2423  tcph.th_ack = htonl(1);
2424  tcph.th_seq = htonl(1);
2425  tcph.th_flags = TH_PUSH | TH_ACK;
2426  p->flowflags = FLOW_PKT_TOSERVER;
2427  p->payload_len = sizeof(request1);
2428  p->payload = request1;
2429  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2430  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2431  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2432  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2433  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2434  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2435  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2436  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2437  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2438  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2439  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2440  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2441 
2442  /* response - request ack */
2443  tcph.th_ack = htonl(9);
2444  tcph.th_seq = htonl(1);
2445  tcph.th_flags = TH_PUSH | TH_ACK;
2446  p->flowflags = FLOW_PKT_TOCLIENT;
2447  p->payload_len = 0;
2448  p->payload = NULL;
2449  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2450  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2451  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2452  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2453  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2454  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2455  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2456  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2457  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2458  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2459  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2460  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2461 
2462  /* full request */
2463  uint8_t request2[] = {
2464  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2465  tcph.th_ack = htonl(1);
2466  tcph.th_seq = htonl(9);
2467  tcph.th_flags = TH_PUSH | TH_ACK;
2468  p->flowflags = FLOW_PKT_TOSERVER;
2469  p->payload_len = sizeof(request2);
2470  p->payload = request2;
2471  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2472  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2473  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2474  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2475  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2476  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2477  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2478  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2479  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2480  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2481  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2482  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2483 
2484  /* full response - request ack */
2485  uint8_t response[] = {
2486  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2487  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2488  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2489  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2490  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2491  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2492  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2493  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2494  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2495  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2496  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2497  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2498  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2499  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2500  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2501  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2502  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2503  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2504  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2505  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2506  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2507  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2508  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2509  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2510  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2511  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2512  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2513  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2514  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2515  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2516  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2517  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2518  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2519  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2520  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2521  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2522  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2523  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2524  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2525  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2526  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2527  tcph.th_ack = htonl(18);
2528  tcph.th_seq = htonl(1);
2529  tcph.th_flags = TH_PUSH | TH_ACK;
2530  p->flowflags = FLOW_PKT_TOCLIENT;
2531  p->payload_len = sizeof(response);
2532  p->payload = response;
2533  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2534  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2535  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2536  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2537  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2538  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2539  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2540  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2541  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2542  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2543  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2544  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2545 
2546  /* response ack */
2547  tcph.th_ack = htonl(328);
2548  tcph.th_seq = htonl(18);
2549  tcph.th_flags = TH_ACK;
2550  p->flowflags = FLOW_PKT_TOSERVER;
2551  p->payload_len = 0;
2552  p->payload = NULL;
2553  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2554  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2555  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2556  FAIL_IF(f.alproto != ALPROTO_FAILED);
2557  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2558  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2559  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2560  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2561  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2562  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2563  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2564  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2565 
2566  TEST_END;
2567  PASS;
2568 }
2569 
2570 /**
2571  * \test RUBBISH(TC - PM and PP DONE) ->
2572  * RUBBISH(TS - PM and PP DONE)
2573  */
2574 static int AppLayerTest10(void)
2575 {
2576  TEST_START;
2577 
2578  /* full request */
2579  uint8_t request1[] = {
2580  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2581  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2582  tcph.th_ack = htonl(1);
2583  tcph.th_seq = htonl(1);
2584  tcph.th_flags = TH_PUSH | TH_ACK;
2585  p->flowflags = FLOW_PKT_TOSERVER;
2586  p->payload_len = sizeof(request1);
2587  p->payload = request1;
2588  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2589  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2590  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2591  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2592  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2593  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2594  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2595  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2596  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2597  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2598  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2599  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2600 
2601  /* response - request ack */
2602  tcph.th_ack = htonl(18);
2603  tcph.th_seq = htonl(1);
2604  tcph.th_flags = TH_PUSH | TH_ACK;
2605  p->flowflags = FLOW_PKT_TOCLIENT;
2606  p->payload_len = 0;
2607  p->payload = NULL;
2608  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2609  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2610  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2611  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2612  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2613  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2614  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2615  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2616  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2617  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2618  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2619  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2620 
2621  /* full response - request ack */
2622  uint8_t response[] = {
2623  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2624  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2625  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2626  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2627  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2628  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2629  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2630  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2631  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2632  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2633  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2634  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2635  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2636  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2637  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2638  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2639  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2640  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2641  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2642  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2643  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2644  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2645  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2646  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2647  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2648  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2649  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2650  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2651  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2652  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2653  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2654  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2655  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2656  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2657  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2658  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2659  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2660  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2661  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2662  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2663  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2664  tcph.th_ack = htonl(18);
2665  tcph.th_seq = htonl(1);
2666  tcph.th_flags = TH_PUSH | TH_ACK;
2667  p->flowflags = FLOW_PKT_TOCLIENT;
2668  p->payload_len = sizeof(response);
2669  p->payload = response;
2670  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2671  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2672  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2673  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2674  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2675  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2676  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2677  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2678  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2679  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2680  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2681  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2682 
2683  /* response ack */
2684  tcph.th_ack = htonl(328);
2685  tcph.th_seq = htonl(18);
2686  tcph.th_flags = TH_ACK;
2687  p->flowflags = FLOW_PKT_TOSERVER;
2688  p->payload_len = 0;
2689  p->payload = NULL;
2690  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2691  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2692  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2693  FAIL_IF(f.alproto != ALPROTO_FAILED);
2694  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2695  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2696  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2697  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2698  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2699  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2700  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2701  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2702 
2703  TEST_END;
2704  PASS;
2705 }
2706 
2707 /**
2708  * \test RUBBISH(TC - PM and PP DONE) ->
2709  * RUBBISH(TS - PM and PP NOT DONE) ->
2710  * RUBBISH(TS - PM and PP DONE)
2711  */
2712 static int AppLayerTest11(void)
2713 {
2714  TEST_START;
2715 
2716  /* full request */
2717  uint8_t request1[] = {
2718  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2719  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2720  tcph.th_ack = htonl(1);
2721  tcph.th_seq = htonl(1);
2722  tcph.th_flags = TH_PUSH | TH_ACK;
2723  p->flowflags = FLOW_PKT_TOSERVER;
2724  p->payload_len = sizeof(request1);
2725  p->payload = request1;
2726  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2727  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2728  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2729  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2730  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2731  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2732  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2733  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2734  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2735  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2736  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2737  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2738 
2739  /* response - request ack */
2740  tcph.th_ack = htonl(18);
2741  tcph.th_seq = htonl(1);
2742  tcph.th_flags = TH_PUSH | TH_ACK;
2743  p->flowflags = FLOW_PKT_TOCLIENT;
2744  p->payload_len = 0;
2745  p->payload = NULL;
2746  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2747  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2748  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2749  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2750  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2751  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2752  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2753  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2754  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2755  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2756  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2757  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2758 
2759  /* full response - request ack */
2760  uint8_t response1[] = {
2761  0x55, 0x74, 0x54, 0x50, };
2762  tcph.th_ack = htonl(18);
2763  tcph.th_seq = htonl(1);
2764  tcph.th_flags = TH_PUSH | TH_ACK;
2765  p->flowflags = FLOW_PKT_TOCLIENT;
2766  p->payload_len = sizeof(response1);
2767  p->payload = response1;
2768  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2769  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2770  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2771  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2772  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2773  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2774  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2775  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2776  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2777  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2778  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2779  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2780 
2781  /* response ack from request */
2782  tcph.th_ack = htonl(5);
2783  tcph.th_seq = htonl(18);
2784  tcph.th_flags = TH_ACK;
2785  p->flowflags = FLOW_PKT_TOSERVER;
2786  p->payload_len = 0;
2787  p->payload = NULL;
2788  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2789  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2790  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2791  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2792  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2793  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2794  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2795  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2796  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2797  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2798  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2799  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2800 
2801  uint8_t response2[] = {
2802  0x2f, 0x31, 0x2e, 0x31,
2803  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2804  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2805  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2806  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2807  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2808  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2809  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2810  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2811  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2812  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2813  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2814  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2815  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2816  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2817  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2818  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2819  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2820  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2821  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2822  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2823  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2824  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2825  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2826  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2827  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2828  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2829  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2830  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2831  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2832  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2833  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2834  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2835  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2836  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2837  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2838  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2839  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2840  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2841  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2842  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2843  tcph.th_ack = htonl(18);
2844  tcph.th_seq = htonl(5);
2845  tcph.th_flags = TH_PUSH | TH_ACK;
2846  p->flowflags = FLOW_PKT_TOCLIENT;
2847  p->payload_len = sizeof(response2);
2848  p->payload = response2;
2849  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2850  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2851  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2852  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2853  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2854  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2855  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2856  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2857  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2858  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2859  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2860  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2861 
2862  /* response ack from request */
2863  tcph.th_ack = htonl(328);
2864  tcph.th_seq = htonl(18);
2865  tcph.th_flags = TH_ACK;
2866  p->flowflags = FLOW_PKT_TOSERVER;
2867  p->payload_len = 0;
2868  p->payload = NULL;
2869  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2870  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2871  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2872  FAIL_IF(f.alproto != ALPROTO_FAILED);
2873  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2874  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2875  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2876  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2877  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2878  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2879  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2880  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2881 
2882  TEST_END;
2883  PASS;
2884 }
2885 
2886 void AppLayerUnittestsRegister(void)
2887 {
2888  SCEnter();
2889 
2890  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2891  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2892  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2893  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2894  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2895  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2896  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2897  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2898  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2899  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2900 
2901  SCReturn;
2902 }
2903 
2904 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:95
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:90
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:279
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:56
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:187
Packet_::proto
uint8_t proto
Definition: decode.h:523
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:285
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:51
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:136
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:92
AppLayerCounters_
Definition: app-layer.c:89
ippair.h
app-layer-htp-range.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1661
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
AppLayerCounterNames_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE]
Definition: app-layer.c:86
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:91
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
stream-tcp.h
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:49
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:7213
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(const char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:996
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:83
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1026
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:48
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1145
Flow_::proto
uint8_t proto
Definition: flow.h:370
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
Packet_::payload
uint8_t * payload
Definition: decode.h:605
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:71
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:62
Packet_::flags
uint32_t flags
Definition: decode.h:544
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:72
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:186
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:42
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:63
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:348
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:163
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:94
Flow_::protomap
uint8_t protomap
Definition: flow.h:437
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:40
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:68
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:45
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:56
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1149
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:220
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir app_update_dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1396
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:305
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1301
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:448
AppLayerProtoDetectSupportedIpprotos
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
Definition: app-layer-detect-proto.c:2025
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:79
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:59
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1140
AppLayerCounterNames_
Definition: app-layer.c:79
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1647
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
handle TCP data for the app-layer.
Definition: app-layer.c:707
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:65
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6788
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
app_layer_error_eps_stats
ExceptionPolicyStatsSetts app_layer_error_eps_stats
Definition: app-layer.c:108
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:71
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2886
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:49
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:80
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:1010
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1192
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:40
app-layer-ftp.h
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:58
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:69
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:412
Flow_::protoctx
void * protoctx
Definition: flow.h:433
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:171
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:632
util-unittest.h
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:181
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:93
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1089
HostGetMemcap
uint64_t HostGetMemcap(void)
Return memcap value.
Definition: host.c:83
SCAppLayerDecoderEventsSetEventRaw
void SCAppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:96
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1301
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:78
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:270
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:50
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:470
EXCEPTION_POLICY_MAX
#define EXCEPTION_POLICY_MAX
Definition: util-exception-policy-types.h:36
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1769
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:70
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1072
app-layer-expectation.h
app-layer-detect-proto.h
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:179
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:135
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
ExceptionPolicyCounters_
Definition: util-exception-policy-types.h:51
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:46
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:29
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:271
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1153
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:50
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:387
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:67
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:577
util-exception-policy.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
AppProtoRegisterProtoString
void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name)
Definition: app-layer-protos.c:80
HTPByteRangeMemuseGlobalCounter
uint64_t HTPByteRangeMemuseGlobalCounter(void)
Definition: app-layer-htp-range.c:62
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:59
ExceptionPolicyCounters_::eps_id
uint16_t eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:53
util-print.h
IPPairGetMemcap
uint64_t IPPairGetMemcap(void)
Return memcap value.
Definition: ippair.c:81
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5656
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1853
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1379
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:58
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
HostGetMemuse
uint64_t HostGetMemuse(void)
Return memuse value.
Definition: host.c:94
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:206
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:105
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:259
SCReturn
#define SCReturn
Definition: util-debug.h:283
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:278
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
Packet_
Definition: decode.h:501
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:41
stream-tcp-private.h
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:68
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
applayer_counters
AppLayerCounters(* applayer_counters)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:102
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:872
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp)
Definition: util-profiling.h:173
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:63
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
name
const char * name
Definition: tm-threads.c:2163
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:297
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:61
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:722
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1102
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:54
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:66
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:179
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:85
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:451
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:57
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:447
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:280
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1702
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:62
IPPairGetMemuse
uint64_t IPPairGetMemuse(void)
Return memuse value.
Definition: ippair.c:92
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:535
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:104
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:187
eps_error_summary
ExceptionPolicyCounters eps_error_summary
Definition: app-layer.c:104
FatalError
#define FatalError(...)
Definition: util-debug.h:514
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:48
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
applayer_counter_names
AppLayerCounterNames(* applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:100
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1302
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:39
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1579
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
app-layer-events.h
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:246
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2087
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1394
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1946
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2045
str
#define str(s)
Definition: suricata-common.h:308
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:434
ExceptionPolicyEnumToString
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
Definition: util-exception-policy.c:39
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:443
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:59
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:7219
Flow_::alstate
void * alstate
Definition: flow.h:471
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1123
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
HTPByteRangeMemcapGlobalCounter
uint64_t HTPByteRangeMemcapGlobalCounter(void)
Definition: app-layer-htp-range.c:56
Flow_::flags
uint32_t flags
Definition: flow.h:413
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:86
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:61
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1003
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:155
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerCounters_::eps_error
ExceptionPolicyCounters eps_error
Definition: app-layer.c:96
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:155
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:67
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:84
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:61
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:295
app-layer-protos.h
AppLayerProfilingReset
#define AppLayerProfilingReset(app_tctx)
Definition: app-layer.h:127
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:242
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:60
TEST_END
#define TEST_END
Definition: app-layer.c:1461
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1999
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:70
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:52
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:197
TcpSession_
Definition: stream-tcp-private.h:283
FrameConfigDeInit
void FrameConfigDeInit(void)
Definition: app-layer-frames.c:50
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:444
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:76
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1482
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:968
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:85
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:285
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:195
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:47
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1365
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
ExceptionPolicyStatsSetts_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][EXCEPTION_POLICY_COUNTER_MAX_LEN]
Definition: util-exception-policy-types.h:57
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2070
app-layer.h
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:456