suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "app-layer-frames.h"
36 #include "stream-tcp-reassemble.h"
37 #include "stream-tcp-private.h"
38 #include "stream-tcp-inline.h"
39 #include "stream-tcp.h"
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-private.h"
43 #include "ippair.h"
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 #include "app-layer-htp-mem.h"
50 #include "util-exception-policy.h"
51 
52 /**
53  * \brief This is for the app layer in general and it contains per thread
54  * context relevant to both the alpd and alp.
55  */
57  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61 
62 #ifdef PROFILING
63  uint64_t ticks_start;
64  uint64_t ticks_end;
65  uint64_t ticks_spent;
70 #endif
71 };
72 
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74 
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
84 
85 typedef struct AppLayerCounters_ {
86  uint16_t counter_id;
87  uint16_t counter_tx_id;
88  uint16_t gap_error_id;
89  uint16_t parser_error_id;
91  uint16_t alloc_error_id;
93 
94 /* counter names. Only used at init. */
96 /* counter id's. Used that runtime. */
98 
99 void AppLayerSetupCounters(void);
100 void AppLayerDeSetupCounters(void);
101 
102 /***** L7 layer dispatchers *****/
103 
104 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
105  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
107  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
108 }
109 
110 /**
111  * \note id can be 0 if protocol parser is disabled but detection
112  * is enabled.
113  */
114 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
115 {
116  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
117  if (likely(tv && id > 0)) {
118  StatsIncr(tv, id);
119  }
120 }
121 
122 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
123 {
124  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
125  if (likely(tv && id > 0)) {
126  StatsAddUI64(tv, id, step);
127  }
128 }
129 
131 {
132  const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id;
133  if (likely(tv && id > 0)) {
134  StatsIncr(tv, id);
135  }
136 }
137 
139 {
140  const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id;
141  if (likely(tv && id > 0)) {
142  StatsIncr(tv, id);
143  }
144 }
145 
147 {
148  const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id;
149  if (likely(tv && id > 0)) {
150  StatsIncr(tv, id);
151  }
152 }
153 
155 {
156  const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id;
157  if (likely(tv && id > 0)) {
158  StatsIncr(tv, id);
159  }
160 }
161 
162 /* in IDS mode protocol detection is done in reverse order:
163  * when TCP data is ack'd. We want to flag the correct packet,
164  * so in this case we set a flag in the flow so that the first
165  * packet in the correct direction can be tagged.
166  *
167  * For IPS we update packet and flow. */
168 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
169 {
170  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
171  if (flags & STREAM_TOSERVER) {
172  if (p->flowflags & FLOW_PKT_TOSERVER) {
175  } else {
177  }
178  } else {
179  if (p->flowflags & FLOW_PKT_TOCLIENT) {
182  } else {
184  }
185  }
186  } else {
187  if (flags & STREAM_TOSERVER) {
189  } else {
191  }
192  }
193 }
194 
195 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
196 {
197  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
198  f, f->alproto, f->alproto_ts, f->alproto_tc);
201  TcpSession *ssn = f->protoctx;
203  f->alproto = ALPROTO_FAILED;
204  AppLayerIncFlowCounter(tv, f);
205 
206  if (f->alproto_tc != ALPROTO_FAILED) {
207  if (f->alproto_tc == ALPROTO_UNKNOWN) {
209  }
210  FlagPacketFlow(p, f, STREAM_TOCLIENT);
211  }
212  if (f->alproto_ts != ALPROTO_FAILED) {
213  if (f->alproto_ts == ALPROTO_UNKNOWN) {
215  }
216  FlagPacketFlow(p, f, STREAM_TOSERVER);
217  }
218  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
219  f, f->alproto, f->alproto_ts, f->alproto_tc);
220 }
221 
222 /* See if we're going to have to give up:
223  *
224  * If we're getting a lot of data in one direction and the
225  * proto for this direction is unknown, proto detect will
226  * hold up segments in the segment list in the stream.
227  * They are held so that if we detect the protocol on the
228  * opposing stream, we can still parse this side of the stream
229  * as well. However, some sessions are very unbalanced. FTP
230  * data channels, large PUT/POST request and many others, can
231  * lead to cases where we would have to store many megabytes
232  * worth of segments before we see the opposing stream. This
233  * leads to risks of resource starvation.
234  *
235  * Here a cutoff point is enforced. If we've stored 100k in
236  * one direction and we've seen no data in the other direction,
237  * we give up.
238  *
239  * Giving up means we disable applayer an set an applayer event
240  */
241 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
242  Flow *f, TcpSession *ssn, Packet *p)
243 {
244  if (ssn->state < TCP_ESTABLISHED) {
245  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
246  return;
247  }
248 
249  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
250  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
251  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
252 
253  /* at least 100000 whatever the conditions
254  * and can be more if window is bigger and if configuration allows it */
255  const uint32_t size_tc_limit =
257  const uint32_t size_ts_limit =
259 
260  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
261  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
262  {
263  goto failure;
264 
265  /* we bail out whatever the pp and pm states if
266  * we received too much data */
267  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
269  goto failure;
270 
271  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
272  size_ts > size_ts_limit && size_tc == 0) {
275  goto failure;
276 
277  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
278  size_tc > size_tc_limit && size_ts == 0) {
281  goto failure;
282 
283  /* little data in ts direction, pp done, pm not done (max
284  * depth not reached), ts direction done, lots of data in
285  * tc direction. */
286  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
287  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
288  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
291  goto failure;
292 
293  /* little data in tc direction, pp done, pm not done (max
294  * depth not reached), tc direction done, lots of data in
295  * ts direction. */
296  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
297  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
298  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
301  goto failure;
302  }
303  return;
304 
305 failure:
306  DisableAppLayer(tv, f, p);
307  return;
308 }
309 
310 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
311  Packet *p, TcpSession *ssn, const TcpStream *stream)
312 {
313  TcpStream *opposing_stream = NULL;
314  if (stream == &ssn->client) {
315  opposing_stream = &ssn->server;
316  } else {
317  opposing_stream = &ssn->client;
318  }
319 
320  /* if the opposing side is not going to work, then
321  * we just have to give up. */
322  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
323  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
324  return -1;
325  }
326 
327  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
330  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
331  opposing_stream, p, dir);
332  return ret;
333 }
334 
336 
337 /** \todo data const
338  * \retval int -1 error
339  * \retval int 0 ok
340  */
341 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
342  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
343  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir dir)
344 {
345  AppProto *alproto;
346  AppProto *alproto_otherdir;
347  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
348 
349  if (flags & STREAM_TOSERVER) {
350  alproto = &f->alproto_ts;
351  alproto_otherdir = &f->alproto_tc;
352  } else {
353  alproto = &f->alproto_tc;
354  alproto_otherdir = &f->alproto_ts;
355  }
356 
357  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
358 #ifdef PRINT
359  if (data_len > 0) {
360  printf("=> Init Stream Data (app layer) -- start %s%s\n",
361  flags & STREAM_TOCLIENT ? "toclient" : "",
362  flags & STREAM_TOSERVER ? "toserver" : "");
363  PrintRawDataFp(stdout, data, data_len);
364  printf("=> Init Stream Data -- end\n");
365  }
366 #endif
367 
368  bool reverse_flow = false;
369  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
371  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
372  f, data, data_len,
373  IPPROTO_TCP, flags, &reverse_flow);
374  PACKET_PROFILING_APP_PD_END(app_tctx);
375  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
376 
377  if (*alproto != ALPROTO_UNKNOWN) {
378  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
381 
383  /* if we already invoked the parser, we go with that proto */
384  f->alproto = *alproto_otherdir;
385  } else {
386  /* no data sent to parser yet, we can still choose
387  * we're trusting the server more. */
388  if (flags & STREAM_TOCLIENT)
389  f->alproto = *alproto;
390  else
391  f->alproto = *alproto_otherdir;
392  }
393  } else {
394  f->alproto = *alproto;
395  }
396 
400  FlagPacketFlow(p, f, flags);
401 
402  /* if protocol detection indicated that we need to reverse
403  * the direction of the flow, do it now. We flip the flow,
404  * packet and the direction flags */
405  if (reverse_flow &&
408  /* but only if we didn't already detect it on the other side. */
409  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
410  SCLogDebug("reversing flow after proto detect told us so");
411  PacketSwap(p);
412  FlowSwap(f);
413  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
414  if (*stream == &ssn->client) {
415  *stream = &ssn->server;
416  } else {
417  *stream = &ssn->client;
418  }
419  direction = 1 - direction;
420  } else {
421  // TODO event, error?
422  }
423  }
424 
425  /* account flow if we have both sides */
426  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
427  AppLayerIncFlowCounter(tv, f);
428  }
429 
430  /* if we have seen data from the other direction first, send
431  * data for that direction first to the parser. This shouldn't
432  * be an issue, since each stream processing happens
433  * independently of the other stream direction. At this point of
434  * call, you need to know that this function's already being
435  * called by the very same StreamReassembly() function that we
436  * will now call shortly for the opposing direction. */
437  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
438  !(flags & ssn->data_first_seen_dir))
439  {
440  SCLogDebug("protocol %s needs first data in other direction",
441  AppProtoToString(*alproto));
442 
443  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
444  p, ssn, *stream) != 0)
445  {
446  goto detect_error;
447  }
448  if (FlowChangeProto(f)) {
449  /* We have the first data which requested a protocol change from P1 to P2
450  * even if it was not recognized at first as being P1
451  * As the second data was recognized as P1, the protocol did not change !
452  */
456  }
457  }
458 
459  /* if the parser operates such that it needs to see data from
460  * a particular direction first, we check if we have seen
461  * data from that direction first for the flow. IF it is not
462  * the same, we set an event and exit.
463  *
464  * \todo We need to figure out a more robust solution for this,
465  * as this can lead to easy evasion tactics, where the
466  * attacker can first send some dummy data in the wrong
467  * direction first to mislead our proto detection process.
468  * While doing this we need to update the parsers as well,
469  * since the parsers must be robust to see such wrong
470  * direction data.
471  * Either ways the moment we see the
472  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
473  * flow, it shows something's fishy.
474  */
476  uint8_t first_data_dir;
477  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
478 
479  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
482  goto detect_error;
483  }
484  /* This can happen if the current direction is not the
485  * right direction, and the data from the other(also
486  * the right direction) direction is available to be sent
487  * to the app layer, but it is not ack'ed yet and hence
488  * the forced call to STreamTcpAppLayerReassemble still
489  * hasn't managed to send data from the other direction
490  * to the app layer. */
491  if (first_data_dir && !(first_data_dir & flags)) {
497  SCReturnInt(-1);
498  }
499  }
500 
501  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
503 
504  /* finally, invoke the parser */
505  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
506  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
507  flags, data, data_len);
508  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
509  p->app_update_direction = (uint8_t)dir;
510  if (r != 1) {
511  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
512  }
513  if (r == 0) {
514  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
515  TcpStream *opposing_stream;
516  if (*stream == &ssn->client) {
517  opposing_stream = &ssn->server;
518  } else {
519  opposing_stream = &ssn->client;
520  }
522  // can happen in detection-only
523  AppLayerIncFlowCounter(tv, f);
524  }
525  }
526  }
527  if (r < 0) {
528  goto parser_error;
529  }
530  } else {
531  /* if the ssn is midstream, we may end up with a case where the
532  * start of an HTTP request is missing. We won't detect HTTP based
533  * on the request. However, the reply is fine, so we detect
534  * HTTP anyway. This leads to passing the incomplete request to
535  * the htp parser.
536  *
537  * This has been observed, where the http parser then saw many
538  * bogus requests in the incomplete data.
539  *
540  * To counter this case, a midstream session MUST find it's
541  * protocol in the toserver direction. If not, we assume the
542  * start of the request/toserver is incomplete and no reliable
543  * detection and parsing is possible. So we give up.
544  */
545  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
547  {
548  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
549  SCLogDebug("midstream end pd %p", ssn);
550  /* midstream and toserver detection failed: give up */
551  DisableAppLayer(tv, f, p);
552  SCReturnInt(0);
553  }
554  }
555 
556  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
557  uint8_t first_data_dir;
558  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
559 
560  /* this would handle this test case -
561  * http parser which says it wants to see toserver data first only.
562  * tcp handshake
563  * toclient data first received. - RUBBISH DATA which
564  * we don't detect as http
565  * toserver data next sent - we detect this as http.
566  * at this stage we see that toclient is the first data seen
567  * for this session and we try and redetect the app protocol,
568  * but we are unable to detect the app protocol like before.
569  * But since we have managed to detect the protocol for the
570  * other direction as http, we try to use that. At this
571  * stage we check if the direction of this stream matches
572  * to that acceptable by the app parser. If it is not the
573  * acceptable direction we error out.
574  */
576  (first_data_dir) && !(first_data_dir & flags))
577  {
578  goto detect_error;
579  }
580 
581  /* if protocol detection is marked done for our direction we
582  * pass our data on. We're only succeeded in finding one
583  * direction: the opposing stream
584  *
585  * If PD was not yet complete, we don't do anything.
586  */
587  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
588  if (data_len > 0)
590 
591  if (*alproto_otherdir != ALPROTO_FAILED) {
592  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
593  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
594  f->alproto, flags,
595  data, data_len);
596  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
597  p->app_update_direction = (uint8_t)dir;
598  if (r != 1) {
599  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
600  }
601 
606 
607  *alproto = *alproto_otherdir;
608  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
609  p->pcap_cnt, *alproto, *alproto_otherdir, r);
610  if (r < 0) {
611  goto parser_error;
612  }
613  }
614  *alproto = ALPROTO_FAILED;
616  AppLayerIncFlowCounter(tv, f);
617  FlagPacketFlow(p, f, flags);
618 
619  } else if (flags & STREAM_EOF) {
620  *alproto = f->alproto;
622  AppLayerIncFlowCounter(tv, f);
623  }
624  } else {
625  /* both sides unknown, let's see if we need to give up */
626  if (FlowChangeProto(f)) {
627  /* TCPProtoDetectCheckBailConditions does not work well because
628  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
629  * so, we set a lower limit to the data we inspect
630  * We could instead have set ssn->server.sb.stream_offset = 0;
631  */
632  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
633  DisableAppLayer(tv, f, p);
634  }
635  } else {
636  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
637  }
638  }
639  }
640  SCReturnInt(0);
641 parser_error:
643  SCReturnInt(-1);
644 detect_error:
645  DisableAppLayer(tv, f, p);
646  SCReturnInt(-2);
647 }
648 
649 /** \brief handle TCP data for the app-layer.
650  *
651  * First run protocol detection and then when the protocol is known invoke
652  * the app layer parser.
653  *
654  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
655  * reversed.
656  */
658  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
659  enum StreamUpdateDir dir)
660 {
661  SCEnter();
662 
664  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
665 
666  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
667  AppProto alproto;
668  int r = 0;
669 
670  SCLogDebug("data_len %u flags %02X", data_len, flags);
672  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
673  goto end;
674  }
675 
676  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
677 
678  if (flags & STREAM_TOSERVER) {
679  alproto = f->alproto_ts;
680  } else {
681  alproto = f->alproto_tc;
682  }
683 
684  /* If a gap notification, relay the notification on to the
685  * app-layer if known. */
686  if (flags & STREAM_GAP) {
687  if (alproto == ALPROTO_UNKNOWN) {
689  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
690  /* if the other side didn't already find the proto, we're done */
691  if (f->alproto == ALPROTO_UNKNOWN) {
692  goto failure;
693  }
694  AppLayerIncFlowCounter(tv, f);
695  }
696  if (FlowChangeProto(f)) {
698  SCLogDebug("Cannot handle gap while changing protocol");
699  goto failure;
700  }
701  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
702  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
703  flags, data, data_len);
704  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
705  p->app_update_direction = (uint8_t)dir;
706  /* ignore parser result for gap */
707  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
708  if (r < 0) {
710  SCReturnInt(-1);
711  }
712  goto end;
713  }
714 
715  /* if we don't know the proto yet and we have received a stream
716  * initializer message, we run proto detection.
717  * We receive 2 stream init msgs (one for each direction), we
718  * only run the proto detection for both and emit an event
719  * in the case protocols mismatch. */
720  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
722  /* run protocol detection */
723  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, dir) !=
724  0) {
725  goto failure;
726  }
727  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
728  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
729  void *alstate_orig = f->alstate;
730  AppLayerParserState *alparser = f->alparser;
731  // we delay AppLayerParserStateCleanup because we may need previous parser state
735  /* rerun protocol detection */
736  int rd =
737  TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, dir);
738  if (f->alproto == ALPROTO_UNKNOWN) {
739  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
740  // not enough data, revert AppLayerProtoDetectReset to rerun detection
741  f->alparser = alparser;
742  f->alproto = f->alproto_orig;
743  f->alproto_tc = f->alproto_orig;
744  f->alproto_ts = f->alproto_orig;
745  } else {
747  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
748  if (alstate_orig == f->alstate) {
749  // we just freed it
750  f->alstate = NULL;
751  }
752  }
753  if (rd != 0) {
754  SCLogDebug("proto detect failure");
755  goto failure;
756  }
757  SCLogDebug("protocol change, old %s, new %s",
759 
761  f->alproto != f->alproto_expect) {
764 
765  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
768 
769  }
770  }
771  } else {
772  SCLogDebug("stream data (len %" PRIu32 " alproto "
773  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
774 #ifdef PRINT
775  if (data_len > 0) {
776  printf("=> Stream Data (app layer) -- start %s%s\n",
777  flags & STREAM_TOCLIENT ? "toclient" : "",
778  flags & STREAM_TOSERVER ? "toserver" : "");
779  PrintRawDataFp(stdout, data, data_len);
780  printf("=> Stream Data -- end\n");
781  }
782 #endif
783  /* if we don't have a data object here we are not getting it
784  * a start msg should have gotten us one */
785  if (f->alproto != ALPROTO_UNKNOWN) {
786  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
787  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
788  flags, data, data_len);
789  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
790  p->app_update_direction = (uint8_t)dir;
791  if (r != 1) {
792  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
793  if (r < 0) {
796  SCReturnInt(-1);
797  }
798  }
799  }
800  }
801 
802  goto end;
803  failure:
804  r = -1;
805  end:
806  SCReturnInt(r);
807 }
808 
809 /**
810  * \brief Handle a app layer UDP message
811  *
812  * If the protocol is yet unknown, the proto detection code is run first.
813  *
814  * \param dp_ctx Thread app layer detect context
815  * \param f *locked* flow
816  * \param p UDP packet
817  *
818  * \retval 0 ok
819  * \retval -1 error
820  */
822 {
823  SCEnter();
824  AppProto *alproto;
825  AppProto *alproto_otherdir;
826 
827  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
828  SCReturnInt(0);
829  }
830 
831  int r = 0;
832  uint8_t flags = 0;
833  if (p->flowflags & FLOW_PKT_TOSERVER) {
834  flags |= STREAM_TOSERVER;
835  alproto = &f->alproto_ts;
836  alproto_otherdir = &f->alproto_tc;
837  } else {
838  flags |= STREAM_TOCLIENT;
839  alproto = &f->alproto_tc;
840  alproto_otherdir = &f->alproto_ts;
841  }
842 
843  AppLayerProfilingReset(tctx);
844 
845  /* if the protocol is still unknown, run detection */
846  if (*alproto == ALPROTO_UNKNOWN) {
847  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
848  p->payload_len);
849 
850  bool reverse_flow = false;
852  *alproto = AppLayerProtoDetectGetProto(
853  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
855 
856  switch (*alproto) {
857  case ALPROTO_UNKNOWN:
858  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
859  // Use recognized side
860  f->alproto = *alproto_otherdir;
861  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
862  *alproto = *alproto_otherdir;
863  if (*alproto_otherdir == ALPROTO_FAILED) {
864  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
865  }
866  } else {
867  // First side of protocol is unknown
868  *alproto = ALPROTO_FAILED;
869  }
870  break;
871  case ALPROTO_FAILED:
872  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
873  // Use recognized side
874  f->alproto = *alproto_otherdir;
875  if (*alproto_otherdir == ALPROTO_FAILED) {
876  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
877  }
878  }
879  // else wait for second side of protocol
880  break;
881  default:
882  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
883  if (*alproto_otherdir != *alproto) {
886  // data already sent to parser, we cannot change the protocol to use the one
887  // of the server
888  }
889  } else {
890  f->alproto = *alproto;
891  }
892  }
893  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
894  if (f->alproto == ALPROTO_UNKNOWN) {
895  // so as to increase stat about .app_layer.flow.failed_udp
896  f->alproto = ALPROTO_FAILED;
897  }
898  // If the other side is unknown, this is the first packet of the flow
899  AppLayerIncFlowCounter(tv, f);
900  }
901 
902  // parse the data if we recognized one protocol
903  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
904  if (reverse_flow) {
905  SCLogDebug("reversing flow after proto detect told us so");
906  PacketSwap(p);
907  FlowSwap(f);
908  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
909  }
910 
912  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
913  flags, p->payload, p->payload_len);
916  }
918  /* we do only inspection in one direction, so flag both
919  * sides as done here */
920  FlagPacketFlow(p, f, STREAM_TOSERVER);
921  FlagPacketFlow(p, f, STREAM_TOCLIENT);
922  } else {
923  SCLogDebug("data (len %" PRIu32 " ), alproto "
924  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
925 
926  /* run the parser */
928  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
929  flags, p->payload, p->payload_len);
933  }
934  if (r < 0) {
936  SCReturnInt(-1);
937  }
938 
939  SCReturnInt(r);
940 }
941 
942 /***** Utility *****/
943 
944 AppProto AppLayerGetProtoByName(char *alproto_name)
945 {
946  SCEnter();
948  SCReturnCT(r, "AppProto");
949 }
950 
951 const char *AppLayerGetProtoName(AppProto alproto)
952 {
953  SCEnter();
954  const char * r = AppLayerProtoDetectGetProtoName(alproto);
955  SCReturnCT(r, "char *");
956 }
957 
959 {
960  SCEnter();
961 
962  AppProto alproto;
963  AppProto alprotos[ALPROTO_MAX];
964 
966 
967  printf("=========Supported App Layer Protocols=========\n");
968  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
969  if (alprotos[alproto] == 1)
970  printf("%s\n", AppLayerGetProtoName(alproto));
971  }
972 
973  SCReturn;
974 }
975 
976 /***** Setup/General Registration *****/
977 
978 int AppLayerSetup(void)
979 {
980  SCEnter();
981 
984 
987 
989 
990  SCReturnInt(0);
991 }
992 
994 {
995  SCEnter();
996 
999 
1001 
1002  SCReturnInt(0);
1003 }
1004 
1006 {
1007  SCEnter();
1008 
1009  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
1010  if (app_tctx == NULL)
1011  goto error;
1012 
1013  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1014  goto error;
1015  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1016  goto error;
1017 
1018  goto done;
1019  error:
1020  AppLayerDestroyCtxThread(app_tctx);
1021  app_tctx = NULL;
1022  done:
1023  SCReturnPtr(app_tctx, "void *");
1024 }
1025 
1027 {
1028  SCEnter();
1029 
1030  if (app_tctx == NULL)
1031  SCReturn;
1032 
1033  if (app_tctx->alpd_tctx != NULL)
1035  if (app_tctx->alp_tctx != NULL)
1037  SCFree(app_tctx);
1038 
1039  SCReturn;
1040 }
1041 
1042 #ifdef PROFILING
1044 {
1045  PACKET_PROFILING_APP_RESET(app_tctx);
1046 }
1047 
1049 {
1050  PACKET_PROFILING_APP_STORE(app_tctx, p);
1051 }
1052 #endif
1053 
1054 /** \brief HACK to work around our broken unix manager (re)init loop
1055  */
1057 {
1062  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1063 }
1064 
1065 #define IPPROTOS_MAX 2
1067 {
1068  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1069  AppProto alprotos[ALPROTO_MAX];
1070  const char *str = "app_layer.flow.";
1071  const char *estr = "app_layer.error.";
1072 
1074 
1075  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1076  const uint8_t ipproto = ipprotos[p];
1077  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1078  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1079  uint8_t ipprotos_all[256 / 8];
1080 
1081  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1082  if (alprotos[alproto] == 1) {
1083  const char *tx_str = "app_layer.tx.";
1084  const char *alproto_str = AppLayerGetProtoName(alproto);
1085 
1086  memset(ipprotos_all, 0, sizeof(ipprotos_all));
1087  AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
1088  if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
1089  (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
1090  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1091  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1092  "%s%s%s", str, alproto_str, ipproto_suffix);
1093  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1094  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1095  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
1096 
1097  if (ipproto == IPPROTO_TCP) {
1098  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1099  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1100  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1101  }
1102  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1103  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1104  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1105  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1106  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1107  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1108  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1109  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1110  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1111  } else {
1112  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1113  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1114  "%s%s", str, alproto_str);
1115  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
1116  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
1117  "%s%s", tx_str, alproto_str);
1118 
1119  if (ipproto == IPPROTO_TCP) {
1120  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1121  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1122  "%s%s.gap", estr, alproto_str);
1123  }
1124  snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error,
1125  sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error),
1126  "%s%s.alloc", estr, alproto_str);
1127  snprintf(applayer_counter_names[ipproto_map][alproto].parser_error,
1128  sizeof(applayer_counter_names[ipproto_map][alproto].parser_error),
1129  "%s%s.parser", estr, alproto_str);
1130  snprintf(applayer_counter_names[ipproto_map][alproto].internal_error,
1131  sizeof(applayer_counter_names[ipproto_map][alproto].internal_error),
1132  "%s%s.internal", estr, alproto_str);
1133  }
1134  } else if (alproto == ALPROTO_FAILED) {
1135  snprintf(applayer_counter_names[ipproto_map][alproto].name,
1136  sizeof(applayer_counter_names[ipproto_map][alproto].name),
1137  "%s%s%s", str, "failed", ipproto_suffix);
1138  if (ipproto == IPPROTO_TCP) {
1139  snprintf(applayer_counter_names[ipproto_map][alproto].gap_error,
1140  sizeof(applayer_counter_names[ipproto_map][alproto].gap_error),
1141  "%sfailed%s.gap", estr, ipproto_suffix);
1142  }
1143  }
1144  }
1145  }
1146 }
1147 
1149 {
1150  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1151  AppProto alprotos[ALPROTO_MAX];
1153 
1154  for (uint8_t p = 0; p < IPPROTOS_MAX; p++) {
1155  const uint8_t ipproto = ipprotos[p];
1156  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1157 
1158  for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) {
1159  if (alprotos[alproto] == 1) {
1160  applayer_counters[ipproto_map][alproto].counter_id =
1161  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1162 
1163  applayer_counters[ipproto_map][alproto].counter_tx_id =
1164  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
1165 
1166  if (ipproto == IPPROTO_TCP) {
1167  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1168  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1169  }
1170  applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter(
1171  applayer_counter_names[ipproto_map][alproto].alloc_error, tv);
1172  applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter(
1173  applayer_counter_names[ipproto_map][alproto].parser_error, tv);
1175  applayer_counter_names[ipproto_map][alproto].internal_error, tv);
1176  } else if (alproto == ALPROTO_FAILED) {
1177  applayer_counters[ipproto_map][alproto].counter_id =
1178  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
1179 
1180  if (ipproto == IPPROTO_TCP) {
1181  applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter(
1182  applayer_counter_names[ipproto_map][alproto].gap_error, tv);
1183  }
1184  }
1185  }
1186  }
1187 }
1188 
1190 {
1191  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1192  memset(applayer_counters, 0, sizeof(applayer_counters));
1193 }
1194 
1195 /***** Unittests *****/
1196 
1197 #ifdef UNITTESTS
1198 #include "pkt-var.h"
1199 #include "stream-tcp-util.h"
1200 #include "stream.h"
1201 #include "util-unittest.h"
1202 
1203 #define TEST_START \
1204  Packet *p = PacketGetFromAlloc(); \
1205  FAIL_IF_NULL(p); \
1206  Flow f; \
1207  ThreadVars tv; \
1208  StreamTcpThread *stt = NULL; \
1209  TCPHdr tcph; \
1210  PacketQueueNoLock pq; \
1211  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1212  memset(&f, 0, sizeof(Flow)); \
1213  memset(&tv, 0, sizeof(ThreadVars)); \
1214  memset(&tcph, 0, sizeof(TCPHdr)); \
1215  \
1216  FLOW_INITIALIZE(&f); \
1217  f.flags = FLOW_IPV4; \
1218  f.proto = IPPROTO_TCP; \
1219  p->flow = &f; \
1220  p->tcph = &tcph; \
1221  \
1222  StreamTcpInitConfig(true); \
1223  IPPairInitConfig(true); \
1224  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1225  \
1226  /* handshake */ \
1227  tcph.th_win = htons(5480); \
1228  tcph.th_flags = TH_SYN; \
1229  p->flowflags = FLOW_PKT_TOSERVER; \
1230  p->payload_len = 0; \
1231  p->payload = NULL; \
1232  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1233  TcpSession *ssn = (TcpSession *)f.protoctx; \
1234  \
1235  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1236  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1237  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1238  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1239  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1240  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1241  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1242  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1243  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1244  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1245  FAIL_IF(ssn->data_first_seen_dir != 0); \
1246  \
1247  /* handshake */ \
1248  p->tcph->th_ack = htonl(1); \
1249  p->tcph->th_flags = TH_SYN | TH_ACK; \
1250  p->flowflags = FLOW_PKT_TOCLIENT; \
1251  p->payload_len = 0; \
1252  p->payload = NULL; \
1253  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1254  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1255  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1256  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1257  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1258  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1259  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1260  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1261  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1262  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1263  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1264  FAIL_IF(ssn->data_first_seen_dir != 0); \
1265  \
1266  /* handshake */ \
1267  p->tcph->th_ack = htonl(1); \
1268  p->tcph->th_seq = htonl(1); \
1269  p->tcph->th_flags = TH_ACK; \
1270  p->flowflags = FLOW_PKT_TOSERVER; \
1271  p->payload_len = 0; \
1272  p->payload = NULL; \
1273  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1274  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1275  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1276  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1277  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1278  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1279  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1280  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1281  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1282  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1283  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1284  FAIL_IF(ssn->data_first_seen_dir != 0);
1285 #define TEST_END \
1286  StreamTcpSessionClear(p->flow->protoctx); \
1287  StreamTcpThreadDeinit(&tv, (void *)stt); \
1288  StreamTcpFreeConfig(true); \
1289  PacketFree(p); \
1290  FLOW_DESTROY(&f); \
1291  StatsThreadCleanup(&tv);
1292 
1293 /**
1294  * \test GET -> HTTP/1.1
1295  */
1296 static int AppLayerTest01(void)
1297 {
1298  TEST_START;
1299 
1300  /* full request */
1301  uint8_t request[] = {
1302  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1303  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1304  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1305  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1306  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1307  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1308  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1309  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1310  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1311  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1312  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1313  p->tcph->th_ack = htonl(1);
1314  p->tcph->th_seq = htonl(1);
1315  p->tcph->th_flags = TH_PUSH | TH_ACK;
1317  p->payload_len = sizeof(request);
1318  p->payload = request;
1319  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1326  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1327  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1328  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1329  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1330  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1331 
1332  /* full response - request ack */
1333  uint8_t response[] = {
1334  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1335  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1336  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1337  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1338  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1339  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1340  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1341  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1342  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1343  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1344  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1345  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1346  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1347  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1348  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1349  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1350  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1351  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1352  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1353  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1354  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1355  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1356  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1357  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1358  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1359  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1360  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1361  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1362  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1363  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1364  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1365  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1366  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1367  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1368  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1369  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1370  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1371  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1372  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1373  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1374  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1375  p->tcph->th_ack = htonl(88);
1376  p->tcph->th_seq = htonl(1);
1377  p->tcph->th_flags = TH_PUSH | TH_ACK;
1379  p->payload_len = sizeof(response);
1380  p->payload = response;
1381  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1388  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1389  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1390  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1391  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1393 
1394  /* response ack */
1395  p->tcph->th_ack = htonl(328);
1396  p->tcph->th_seq = htonl(88);
1397  p->tcph->th_flags = TH_ACK;
1399  p->payload_len = 0;
1400  p->payload = NULL;
1401  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1408  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1409  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1410  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1411  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1413 
1414  TEST_END;
1415  PASS;
1416 }
1417 
1418 /**
1419  * \test GE -> T -> HTTP/1.1
1420  */
1421 static int AppLayerTest02(void)
1422 {
1423  TEST_START;
1424 
1425  /* partial request */
1426  uint8_t request1[] = { 0x47, 0x45, };
1427  p->tcph->th_ack = htonl(1);
1428  p->tcph->th_seq = htonl(1);
1429  p->tcph->th_flags = TH_PUSH | TH_ACK;
1431  p->payload_len = sizeof(request1);
1432  p->payload = request1;
1433  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1440  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1441  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1442  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1443  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1444  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1445 
1446  /* response ack against partial request */
1447  p->tcph->th_ack = htonl(3);
1448  p->tcph->th_seq = htonl(1);
1449  p->tcph->th_flags = TH_ACK;
1451  p->payload_len = 0;
1452  p->payload = NULL;
1453  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1460  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1461  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1462  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1463  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1464  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1465 
1466  /* complete partial request */
1467  uint8_t request2[] = {
1468  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1469  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1470  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1471  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1472  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1473  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1474  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1475  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1476  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1477  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1478  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1479  p->tcph->th_ack = htonl(1);
1480  p->tcph->th_seq = htonl(3);
1481  p->tcph->th_flags = TH_PUSH | TH_ACK;
1483  p->payload_len = sizeof(request2);
1484  p->payload = request2;
1485  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1492  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1493  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1494  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1495  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1496  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1497 
1498  /* response - request ack */
1499  uint8_t response[] = {
1500  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1501  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1502  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1503  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1504  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1505  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1506  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1507  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1508  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1509  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1510  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1511  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1512  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1513  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1514  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1515  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1516  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1517  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1518  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1519  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1520  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1521  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1522  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1523  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1524  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1525  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1526  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1527  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1528  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1529  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1530  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1531  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1532  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1533  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1534  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1535  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1536  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1537  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1538  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1539  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1540  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1541  p->tcph->th_ack = htonl(88);
1542  p->tcph->th_seq = htonl(1);
1543  p->tcph->th_flags = TH_PUSH | TH_ACK;
1545  p->payload_len = sizeof(response);
1546  p->payload = response;
1547  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1554  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1555  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1556  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1557  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1559 
1560  /* response ack */
1561  p->tcph->th_ack = htonl(328);
1562  p->tcph->th_seq = htonl(88);
1563  p->tcph->th_flags = TH_ACK;
1565  p->payload_len = 0;
1566  p->payload = NULL;
1567  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1574  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1575  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1576  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1577  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1579 
1580  TEST_END;
1581  PASS;
1582 }
1583 
1584 /**
1585  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1586  */
1587 static int AppLayerTest03(void)
1588 {
1589  TEST_START;
1590 
1591  /* request */
1592  uint8_t request[] = {
1593  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1594  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1595  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1596  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1597  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1598  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1599  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1600  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1601  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1602  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1603  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1604  p->tcph->th_ack = htonl(1);
1605  p->tcph->th_seq = htonl(1);
1606  p->tcph->th_flags = TH_PUSH | TH_ACK;
1608  p->payload_len = sizeof(request);
1609  p->payload = request;
1610  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1617  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1618  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1619  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1620  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1621  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1622 
1623  /* rubbish response */
1624  uint8_t response[] = {
1625  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1626  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1627  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1628  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1629  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1630  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1631  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1632  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1633  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1634  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1635  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1636  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1637  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1638  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1639  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1640  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1641  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1642  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1643  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1644  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1645  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1646  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1647  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1648  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1649  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1650  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1651  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1652  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1653  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1654  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1655  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1656  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1657  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1658  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1659  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1660  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1661  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1662  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1663  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1664  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1665  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1666  p->tcph->th_ack = htonl(88);
1667  p->tcph->th_seq = htonl(1);
1668  p->tcph->th_flags = TH_PUSH | TH_ACK;
1670  p->payload_len = sizeof(response);
1671  p->payload = response;
1672  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1679  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1680  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1681  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1682  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1684 
1685  /* response ack */
1686  p->tcph->th_ack = htonl(328);
1687  p->tcph->th_seq = htonl(88);
1688  p->tcph->th_flags = TH_ACK;
1690  p->payload_len = 0;
1691  p->payload = NULL;
1692  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1699  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1700  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1701  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1702  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1704 
1705  TEST_END;
1706  PASS;
1707 }
1708 
1709 /**
1710  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1711  */
1712 static int AppLayerTest04(void)
1713 {
1714  TEST_START;
1715 
1716  /* request */
1717  uint8_t request[] = {
1718  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1719  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1720  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1721  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1722  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1723  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1724  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1725  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1726  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1727  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1728  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1729  PrintRawDataFp(stdout, request, sizeof(request));
1730  p->tcph->th_ack = htonl(1);
1731  p->tcph->th_seq = htonl(1);
1732  p->tcph->th_flags = TH_PUSH | TH_ACK;
1734  p->payload_len = sizeof(request);
1735  p->payload = request;
1736  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1743  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1744  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1745  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1746  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1747  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1748 
1749  /* partial response */
1750  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1751  PrintRawDataFp(stdout, response1, sizeof(response1));
1752  p->tcph->th_ack = htonl(88);
1753  p->tcph->th_seq = htonl(1);
1754  p->tcph->th_flags = TH_PUSH | TH_ACK;
1756  p->payload_len = sizeof(response1);
1757  p->payload = response1;
1758  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1761  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1762  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1765  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1766  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1767  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1768  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1769  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1770 
1771  /* partial response ack */
1772  p->tcph->th_ack = htonl(5);
1773  p->tcph->th_seq = htonl(88);
1774  p->tcph->th_flags = TH_ACK;
1776  p->payload_len = 0;
1777  p->payload = NULL;
1778  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1781  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1782  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1785  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1786  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1787  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1788  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1789  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1790 
1791  /* remaining response */
1792  uint8_t response2[] = {
1793  0x2f, 0x31, 0x2e, 0x31,
1794  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1795  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1796  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1797  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1798  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1799  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1800  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1801  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1802  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1803  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1804  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1805  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1806  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1807  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1808  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1809  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1810  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1811  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1812  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1813  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1814  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1815  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1816  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1817  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1818  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1819  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1820  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1821  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1822  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1823  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1824  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1825  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1826  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1827  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1828  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1829  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1830  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1831  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1832  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1833  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1834  PrintRawDataFp(stdout, response2, sizeof(response2));
1835  p->tcph->th_ack = htonl(88);
1836  p->tcph->th_seq = htonl(5);
1837  p->tcph->th_flags = TH_PUSH | TH_ACK;
1839  p->payload_len = sizeof(response2);
1840  p->payload = response2;
1841  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1844  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1845  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1848  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1849  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1850  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1851  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1852  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1853 
1854  /* response ack */
1855  p->tcph->th_ack = htonl(328);
1856  p->tcph->th_seq = htonl(88);
1857  p->tcph->th_flags = TH_ACK;
1859  p->payload_len = 0;
1860  p->payload = NULL;
1861  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1862  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1864  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1865  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1866  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1868  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1869  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1870  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1871  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1872  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1873 
1874  TEST_END;
1875  PASS;
1876 }
1877 
1878 /**
1879  * \test RUBBISH -> HTTP/1.1
1880  */
1881 static int AppLayerTest05(void)
1882 {
1883  TEST_START;
1884 
1885  /* full request */
1886  uint8_t request[] = {
1887  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1888  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1889  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1890  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1891  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1892  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1893  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1894  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1895  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1896  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1897  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1898  PrintRawDataFp(stdout, request, sizeof(request));
1899  p->tcph->th_ack = htonl(1);
1900  p->tcph->th_seq = htonl(1);
1901  p->tcph->th_flags = TH_PUSH | TH_ACK;
1903  p->payload_len = sizeof(request);
1904  p->payload = request;
1905  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1912  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1913  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1914  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1915  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1916  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1917 
1918  /* full response - request ack */
1919  uint8_t response[] = {
1920  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1921  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1922  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1923  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1924  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1925  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1926  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1927  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1928  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1929  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1930  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1931  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1932  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1933  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1934  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1935  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1936  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1937  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1938  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1939  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1940  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1941  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1942  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1943  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1944  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1945  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1946  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1947  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1948  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1949  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1950  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1951  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1952  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1953  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1954  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1955  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1956  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1957  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1958  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1959  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1960  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1961  PrintRawDataFp(stdout, response, sizeof(response));
1962  p->tcph->th_ack = htonl(88);
1963  p->tcph->th_seq = htonl(1);
1964  p->tcph->th_flags = TH_PUSH | TH_ACK;
1966  p->payload_len = sizeof(response);
1967  p->payload = response;
1968  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1975  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1976  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1977  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1978  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1979  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1980 
1981  /* response ack */
1982  p->tcph->th_ack = htonl(328);
1983  p->tcph->th_seq = htonl(88);
1984  p->tcph->th_flags = TH_ACK;
1986  p->payload_len = 0;
1987  p->payload = NULL;
1988  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1995  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1996  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1997  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1998  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2000 
2001  TEST_END;
2002  PASS;
2003 }
2004 
2005 /**
2006  * \test HTTP/1.1 -> GET
2007  */
2008 static int AppLayerTest06(void)
2009 {
2010  TEST_START;
2011 
2012  /* full response - request ack */
2013  uint8_t response[] = {
2014  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2015  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2016  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2017  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2018  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2019  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2020  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2021  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2022  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2023  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2024  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2025  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2026  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2027  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2028  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2029  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2030  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2031  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2032  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2033  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2034  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2035  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2036  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2037  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2038  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2039  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2040  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2041  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2042  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2043  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2044  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2045  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2046  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2047  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2048  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2049  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2050  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2051  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2052  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2053  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2054  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2055  p->tcph->th_ack = htonl(1);
2056  p->tcph->th_seq = htonl(1);
2057  p->tcph->th_flags = TH_PUSH | TH_ACK;
2059  p->payload_len = sizeof(response);
2060  p->payload = response;
2061  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2068  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2069  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2070  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2071  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2072  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2073 
2074  /* full request - response ack*/
2075  uint8_t request[] = {
2076  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2077  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2078  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2079  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2080  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2081  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2082  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2083  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2084  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2085  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2086  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2087  p->tcph->th_ack = htonl(328);
2088  p->tcph->th_seq = htonl(1);
2089  p->tcph->th_flags = TH_PUSH | TH_ACK;
2091  p->payload_len = sizeof(request);
2092  p->payload = request;
2093  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2100  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2101  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2102  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2103  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2105 
2106  p->tcph->th_ack = htonl(1 + sizeof(request));
2107  p->tcph->th_seq = htonl(328);
2108  p->tcph->th_flags = TH_PUSH | TH_ACK;
2110  p->payload_len = 0;
2111  p->payload = NULL;
2112  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2119  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2120  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2121  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2122  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2124 
2125  TEST_END;
2126  PASS;
2127 }
2128 
2129 /**
2130  * \test GET -> DCERPC
2131  */
2132 static int AppLayerTest07(void)
2133 {
2134  TEST_START;
2135 
2136  /* full request */
2137  uint8_t request[] = {
2138  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2139  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2140  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2141  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2142  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2143  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2144  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2145  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2146  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2147  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2148  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2149  p->tcph->th_ack = htonl(1);
2150  p->tcph->th_seq = htonl(1);
2151  p->tcph->th_flags = TH_PUSH | TH_ACK;
2153  p->payload_len = sizeof(request);
2154  p->payload = request;
2155  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2162  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2163  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2164  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2165  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2166  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2167 
2168  /* full response - request ack */
2169  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2170  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2171  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2172  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2173  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2174  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2175  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2176  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2177  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2178  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2179  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2180  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2181  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2182  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2183  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2184  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2185  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2186  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2187  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2188  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2189  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2190  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2191  p->tcph->th_ack = htonl(88);
2192  p->tcph->th_seq = htonl(1);
2193  p->tcph->th_flags = TH_PUSH | TH_ACK;
2195  p->payload_len = sizeof(response);
2196  p->payload = response;
2197  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2204  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2205  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2206  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2207  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2209 
2210  /* response ack */
2211  p->tcph->th_ack = htonl(328);
2212  p->tcph->th_seq = htonl(88);
2213  p->tcph->th_flags = TH_ACK;
2215  p->payload_len = 0;
2216  p->payload = NULL;
2217  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2224  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2225  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2226  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2227  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2229 
2230  TEST_END;
2231  PASS;
2232 }
2233 
2234 /**
2235  * \test SMB -> HTTP/1.1
2236  */
2237 static int AppLayerTest08(void)
2238 {
2239  TEST_START;
2240 
2241  /* full request */
2242  uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68,
2243  0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48,
2244  0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d,
2245  0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70,
2246  0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2247  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2248  p->tcph->th_ack = htonl(1);
2249  p->tcph->th_seq = htonl(1);
2250  p->tcph->th_flags = TH_PUSH | TH_ACK;
2252  p->payload_len = sizeof(request);
2253  p->payload = request;
2254  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2261  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2262  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2263  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2264  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2265  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2266 
2267  /* full response - request ack */
2268  uint8_t response[] = {
2269  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2270  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2271  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2272  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2273  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2274  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2275  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2276  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2277  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2278  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2279  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2280  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2281  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2282  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2283  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2284  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2285  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2286  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2287  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2288  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2289  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2290  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2291  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2292  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2293  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2294  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2295  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2296  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2297  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2298  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2299  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2300  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2301  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2302  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2303  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2304  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2305  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2306  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2307  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2308  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2309  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2310  p->tcph->th_ack = htonl(88);
2311  p->tcph->th_seq = htonl(1);
2312  p->tcph->th_flags = TH_PUSH | TH_ACK;
2314  p->payload_len = sizeof(response);
2315  p->payload = response;
2316  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2323  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2324  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2325  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2326  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2328 
2329  /* response ack */
2330  p->tcph->th_ack = htonl(328);
2331  p->tcph->th_seq = htonl(88);
2332  p->tcph->th_flags = TH_ACK;
2334  p->payload_len = 0;
2335  p->payload = NULL;
2336  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2343  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2344  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2345  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2346  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2348 
2349  TEST_END;
2350  PASS;
2351 }
2352 
2353 /**
2354  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2355  * RUBBISH(TC - PM and PP DONE) ->
2356  * RUBBISH(TS - PM and PP DONE)
2357  */
2358 static int AppLayerTest09(void)
2359 {
2360  TEST_START;
2361 
2362  /* full request */
2363  uint8_t request1[] = {
2364  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2365  p->tcph->th_ack = htonl(1);
2366  p->tcph->th_seq = htonl(1);
2367  p->tcph->th_flags = TH_PUSH | TH_ACK;
2369  p->payload_len = sizeof(request1);
2370  p->payload = request1;
2371  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2378  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2379  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2380  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2381  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2382  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2383 
2384  /* response - request ack */
2385  p->tcph->th_ack = htonl(9);
2386  p->tcph->th_seq = htonl(1);
2387  p->tcph->th_flags = TH_PUSH | TH_ACK;
2389  p->payload_len = 0;
2390  p->payload = NULL;
2391  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2398  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2399  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2400  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2401  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2402  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2403 
2404  /* full request */
2405  uint8_t request2[] = {
2406  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2407  p->tcph->th_ack = htonl(1);
2408  p->tcph->th_seq = htonl(9);
2409  p->tcph->th_flags = TH_PUSH | TH_ACK;
2411  p->payload_len = sizeof(request2);
2412  p->payload = request2;
2413  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2420  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2421  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2422  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2423  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2424  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2425 
2426  /* full response - request ack */
2427  uint8_t response[] = {
2428  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2429  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2430  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2431  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2432  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2433  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2434  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2435  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2436  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2437  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2438  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2439  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2440  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2441  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2442  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2443  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2444  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2445  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2446  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2447  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2448  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2449  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2450  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2451  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2452  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2453  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2454  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2455  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2456  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2457  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2458  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2459  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2460  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2461  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2462  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2463  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2464  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2465  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2466  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2467  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2468  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2469  p->tcph->th_ack = htonl(18);
2470  p->tcph->th_seq = htonl(1);
2471  p->tcph->th_flags = TH_PUSH | TH_ACK;
2473  p->payload_len = sizeof(response);
2474  p->payload = response;
2475  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2482  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2483  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2484  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2485  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2486  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2487 
2488  /* response ack */
2489  p->tcph->th_ack = htonl(328);
2490  p->tcph->th_seq = htonl(18);
2491  p->tcph->th_flags = TH_ACK;
2493  p->payload_len = 0;
2494  p->payload = NULL;
2495  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2502  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2503  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2504  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2505  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2507 
2508  TEST_END;
2509  PASS;
2510 }
2511 
2512 /**
2513  * \test RUBBISH(TC - PM and PP DONE) ->
2514  * RUBBISH(TS - PM and PP DONE)
2515  */
2516 static int AppLayerTest10(void)
2517 {
2518  TEST_START;
2519 
2520  /* full request */
2521  uint8_t request1[] = {
2522  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2523  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2524  p->tcph->th_ack = htonl(1);
2525  p->tcph->th_seq = htonl(1);
2526  p->tcph->th_flags = TH_PUSH | TH_ACK;
2528  p->payload_len = sizeof(request1);
2529  p->payload = request1;
2530  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2537  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2538  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2539  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2540  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2541  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2542 
2543  /* response - request ack */
2544  p->tcph->th_ack = htonl(18);
2545  p->tcph->th_seq = htonl(1);
2546  p->tcph->th_flags = TH_PUSH | TH_ACK;
2548  p->payload_len = 0;
2549  p->payload = NULL;
2550  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2557  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2558  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2559  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2560  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2561  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2562 
2563  /* full response - request ack */
2564  uint8_t response[] = {
2565  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2566  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2567  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2568  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2569  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2570  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2571  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2572  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2573  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2574  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2575  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2576  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2577  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2578  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2579  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2580  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2581  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2582  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2583  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2584  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2585  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2586  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2587  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2588  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2589  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2590  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2591  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2592  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2593  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2594  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2595  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2596  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2597  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2598  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2599  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2600  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2601  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2602  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2603  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2604  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2605  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2606  p->tcph->th_ack = htonl(18);
2607  p->tcph->th_seq = htonl(1);
2608  p->tcph->th_flags = TH_PUSH | TH_ACK;
2610  p->payload_len = sizeof(response);
2611  p->payload = response;
2612  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2619  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2620  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2621  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2622  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2623  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2624 
2625  /* response ack */
2626  p->tcph->th_ack = htonl(328);
2627  p->tcph->th_seq = htonl(18);
2628  p->tcph->th_flags = TH_ACK;
2630  p->payload_len = 0;
2631  p->payload = NULL;
2632  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2639  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2640  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2641  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2642  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2644 
2645  TEST_END;
2646  PASS;
2647 }
2648 
2649 /**
2650  * \test RUBBISH(TC - PM and PP DONE) ->
2651  * RUBBISH(TS - PM and PP NOT DONE) ->
2652  * RUBBISH(TS - PM and PP DONE)
2653  */
2654 static int AppLayerTest11(void)
2655 {
2656  TEST_START;
2657 
2658  /* full request */
2659  uint8_t request1[] = {
2660  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2661  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2662  p->tcph->th_ack = htonl(1);
2663  p->tcph->th_seq = htonl(1);
2664  p->tcph->th_flags = TH_PUSH | TH_ACK;
2666  p->payload_len = sizeof(request1);
2667  p->payload = request1;
2668  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2675  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2676  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2677  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2678  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2679  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2680 
2681  /* response - request ack */
2682  p->tcph->th_ack = htonl(18);
2683  p->tcph->th_seq = htonl(1);
2684  p->tcph->th_flags = TH_PUSH | TH_ACK;
2686  p->payload_len = 0;
2687  p->payload = NULL;
2688  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2695  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2696  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2697  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2698  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2699  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2700 
2701  /* full response - request ack */
2702  uint8_t response1[] = {
2703  0x55, 0x74, 0x54, 0x50, };
2704  p->tcph->th_ack = htonl(18);
2705  p->tcph->th_seq = htonl(1);
2706  p->tcph->th_flags = TH_PUSH | TH_ACK;
2708  p->payload_len = sizeof(response1);
2709  p->payload = response1;
2710  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2717  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2718  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2719  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2720  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2721  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2722 
2723  /* response ack from request */
2724  p->tcph->th_ack = htonl(5);
2725  p->tcph->th_seq = htonl(18);
2726  p->tcph->th_flags = TH_ACK;
2728  p->payload_len = 0;
2729  p->payload = NULL;
2730  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2737  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2738  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2739  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2740  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2741  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2742 
2743  uint8_t response2[] = {
2744  0x2f, 0x31, 0x2e, 0x31,
2745  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2746  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2747  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2748  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2749  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2750  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2751  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2752  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2753  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2754  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2755  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2756  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2757  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2758  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2759  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2760  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2761  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2762  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2763  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2764  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2765  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2766  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2767  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2768  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2769  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2770  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2771  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2772  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2773  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2774  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2775  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2776  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2777  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2778  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2779  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2780  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2781  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2782  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2783  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2784  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2785  p->tcph->th_ack = htonl(18);
2786  p->tcph->th_seq = htonl(5);
2787  p->tcph->th_flags = TH_PUSH | TH_ACK;
2789  p->payload_len = sizeof(response2);
2790  p->payload = response2;
2791  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2798  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2799  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2800  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2801  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2802  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2803 
2804  /* response ack from request */
2805  p->tcph->th_ack = htonl(328);
2806  p->tcph->th_seq = htonl(18);
2807  p->tcph->th_flags = TH_ACK;
2809  p->payload_len = 0;
2810  p->payload = NULL;
2811  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2818  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2819  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2820  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2821  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2823 
2824  TEST_END;
2825  PASS;
2826 }
2827 
2829 {
2830  SCEnter();
2831 
2832  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2833  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2834  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2835  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2836  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2837  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2838  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2839  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2840  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2841  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2842  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2843 
2844  SCReturn;
2845 }
2846 
2847 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:91
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:86
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:281
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:223
Packet_::proto
uint8_t proto
Definition: decode.h:458
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:281
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:48
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:69
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:88
AppLayerCounters_
Definition: app-layer.c:85
ippair.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:146
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1721
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:87
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:97
stream-tcp.h
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6853
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:607
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1029
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1048
Flow_::proto
uint8_t proto
Definition: flow.h:372
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
Packet_::payload
uint8_t * payload
Definition: decode.h:586
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
Packet_::flags
uint32_t flags
Definition: decode.h:473
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:69
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:49
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:187
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:64
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:60
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:350
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:130
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:90
Flow_::protomap
uint8_t protomap
Definition: flow.h:444
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:74
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:65
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1161
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1148
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:455
AppLayerProtoDetectSupportedIpprotos
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
Definition: app-layer-detect-proto.c:2042
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:167
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1043
AppLayerCounterNames_
Definition: app-layer.c:76
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:222
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6429
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:68
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2828
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:83
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:958
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1066
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:467
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:66
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:115
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:75
Flow_::protoctx
void * protoctx
Definition: flow.h:440
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:78
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:138
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:587
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:613
util-unittest.h
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:944
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:182
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:89
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:993
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1051
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:75
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:272
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:474
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1737
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:67
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:978
app-layer-expectation.h
app-layer-detect-proto.h
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1353
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:50
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:173
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:138
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:273
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1056
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:397
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:64
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:493
util-exception-policy.h
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:56
util-print.h
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:51
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:1005
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5312
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:1065
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1869
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1203
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:52
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:207
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:135
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:101
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy.h:27
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:260
SCReturn
#define SCReturn
Definition: util-debug.h:273
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:280
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:97
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
Packet_
Definition: decode.h:436
stream-tcp-private.h
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:821
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:100
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:299
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:58
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:717
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:63
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:146
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:173
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:223
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:458
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:56
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1303
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:451
suricata-common.h
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir dir)
handle TCP data for the app-layer.
Definition: app-layer.c:657
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:282
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:566
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1751
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:91
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:470
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:100
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:154
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1052
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1595
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:284
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2101
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1419
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1963
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2059
str
#define str(s)
Definition: suricata-common.h:291
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:417
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:79
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:450
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6859
Flow_::alstate
void * alstate
Definition: flow.h:475
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1026
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
Flow_::flags
uint32_t flags
Definition: flow.h:420
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:89
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:951
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:158
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:122
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:70
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
app-layer-protos.h
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:229
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
TEST_END
#define TEST_END
Definition: app-layer.c:1285
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:53
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:173
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2016
likely
#define likely(expr)
Definition: util-optimize.h:32
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:95
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:77
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:233
TcpSession_
Definition: stream-tcp-private.h:283
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:451
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:73
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1522
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:449
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:971
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:196
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1189
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:103
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2084
app-layer.h