suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
57 struct AppLayerThreadCtx_ {
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  AppLayerProtoDetectThreadCtx *alpd_tctx;
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61  AppLayerParserThreadCtx *alp_tctx;
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
67  AppProto alproto;
68  uint64_t proto_detect_ticks_start;
69  uint64_t proto_detect_ticks_end;
70  uint64_t proto_detect_ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
78 } AppLayerCounterNames;
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
83 } AppLayerCounters;
84 
85 /* counter names. Only used at init. */
86 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
87 /* counter id's. Used that runtime. */
88 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
97  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
133  p->flags |= PKT_PROTO_DETECT_TS_DONE;
134  } else {
135  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  p->flags |= PKT_PROTO_DETECT_TC_DONE;
140  } else {
141  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
146  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
147  } else {
148  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
157  FlowCleanupAppLayer(f);
158  StreamTcpDisableAppLayer(f);
159  TcpSession *ssn = f->protoctx;
160  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
166  f->alproto_tc = ALPROTO_FAILED;
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
172  f->alproto_ts = ALPROTO_FAILED;
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
218  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
219  size_ts > 100000 && size_tc == 0)
220  {
221  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
222  APPLAYER_PROTO_DETECTION_SKIPPED);
223  goto failure;
224 
225  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
226  size_tc > 100000 && size_ts == 0)
227  {
228  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
229  APPLAYER_PROTO_DETECTION_SKIPPED);
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
236  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
237  FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
238  {
239  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
240  APPLAYER_PROTO_DETECTION_SKIPPED);
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
247  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
248  FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
249  {
250  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
251  APPLAYER_PROTO_DETECTION_SKIPPED);
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
258  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
259  (!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
260  {
261  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
262  APPLAYER_PROTO_DETECTION_SKIPPED);
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
291  UPDATE_DIR_OPPOSING :
292  UPDATE_DIR_PACKET;
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
326  bool reverse_flow = false;
327  PACKET_PROFILING_APP_PD_START(app_tctx);
328  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
329  f, data, data_len,
330  IPPROTO_TCP, flags, &reverse_flow);
331  PACKET_PROFILING_APP_PD_END(app_tctx);
332  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
333 
334  if (*alproto != ALPROTO_UNKNOWN) {
335  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
336  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
337  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
338 
339  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
340  /* if we already invoked the parser, we go with that proto */
341  f->alproto = *alproto_otherdir;
342  } else {
343  /* no data sent to parser yet, we can still choose
344  * we're trusting the server more. */
345  if (flags & STREAM_TOCLIENT)
346  f->alproto = *alproto;
347  else
348  f->alproto = *alproto_otherdir;
349  }
350  } else {
351  f->alproto = *alproto;
352  }
353 
354  StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
355  TcpSessionSetReassemblyDepth(ssn,
356  AppLayerParserGetStreamDepth(f));
357  FlagPacketFlow(p, f, flags);
358  /* if protocol detection indicated that we need to reverse
359  * the direction of the flow, do it now. We flip the flow,
360  * packet and the direction flags */
361  if (reverse_flow) {
362  SCLogDebug("reversing flow after proto detect told us so");
363  PacketSwap(p);
364  FlowSwap(f);
365  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
366  }
367 
368  /* account flow if we have both sides */
369  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
370  AppLayerIncFlowCounter(tv, f);
371  }
372 
373  /* if we have seen data from the other direction first, send
374  * data for that direction first to the parser. This shouldn't
375  * be an issue, since each stream processing happens
376  * independently of the other stream direction. At this point of
377  * call, you need to know that this function's already being
378  * called by the very same StreamReassembly() function that we
379  * will now call shortly for the opposing direction. */
380  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
381  !(flags & ssn->data_first_seen_dir))
382  {
383  SCLogDebug("protocol %s needs first data in other direction",
384  AppProtoToString(*alproto));
385 
386  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
387  p, ssn, stream) != 0)
388  {
389  DisableAppLayer(tv, f, p);
390  goto failure;
391  }
392  }
393 
394  /* if the parser operates such that it needs to see data from
395  * a particular direction first, we check if we have seen
396  * data from that direction first for the flow. IF it is not
397  * the same, we set an event and exit.
398  *
399  * \todo We need to figure out a more robust solution for this,
400  * as this can lead to easy evasion tactics, where the
401  * attackeer can first send some dummy data in the wrong
402  * direction first to mislead our proto detection process.
403  * While doing this we need to update the parsers as well,
404  * since the parsers must be robust to see such wrong
405  * direction data.
406  * Either ways the moment we see the
407  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
408  * flow, it shows something's fishy.
409  */
410  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
411  uint8_t first_data_dir;
412  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
413 
414  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
415  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
416  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
417  DisableAppLayer(tv, f, p);
418  goto failure;
419  }
420  /* This can happen if the current direction is not the
421  * right direction, and the data from the other(also
422  * the right direction) direction is available to be sent
423  * to the app layer, but it is not ack'ed yet and hence
424  * the forced call to STreamTcpAppLayerReassemble still
425  * hasn't managed to send data from the other direction
426  * to the app layer. */
427  if (first_data_dir && !(first_data_dir & flags)) {
428  FlowCleanupAppLayer(f);
429  StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream);
430  FLOW_RESET_PP_DONE(f, flags);
431  FLOW_RESET_PM_DONE(f, flags);
432  FLOW_RESET_PE_DONE(f, flags);
433  goto failure;
434  }
435  }
436 
437  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
438  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
439 
440  /* finally, invoke the parser */
441  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
442  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
443  flags, data, data_len);
444  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
445  if (r < 0)
446  goto failure;
447 
448  } else {
449  /* if the ssn is midstream, we may end up with a case where the
450  * start of an HTTP request is missing. We won't detect HTTP based
451  * on the request. However, the reply is fine, so we detect
452  * HTTP anyway. This leads to passing the incomplete request to
453  * the htp parser.
454  *
455  * This has been observed, where the http parser then saw many
456  * bogus requests in the incomplete data.
457  *
458  * To counter this case, a midstream session MUST find it's
459  * protocol in the toserver direction. If not, we assume the
460  * start of the request/toserver is incomplete and no reliable
461  * detection and parsing is possible. So we give up.
462  */
463  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
464  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
465  {
466  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
467  SCLogDebug("midstream end pd %p", ssn);
468  /* midstream and toserver detection failed: give up */
469  DisableAppLayer(tv, f, p);
470  goto end;
471  }
472  }
473 
474  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
475  uint8_t first_data_dir;
476  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
477 
478  /* this would handle this test case -
479  * http parser which says it wants to see toserver data first only.
480  * tcp handshake
481  * toclient data first received. - RUBBISH DATA which
482  * we don't detect as http
483  * toserver data next sent - we detect this as http.
484  * at this stage we see that toclient is the first data seen
485  * for this session and we try and redetect the app protocol,
486  * but we are unable to detect the app protocol like before.
487  * But since we have managed to detect the protocol for the
488  * other direction as http, we try to use that. At this
489  * stage we check if the direction of this stream matches
490  * to that acceptable by the app parser. If it is not the
491  * acceptable direction we error out.
492  */
493  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
494  (first_data_dir) && !(first_data_dir & flags))
495  {
496  DisableAppLayer(tv, f, p);
497  goto failure;
498  }
499 
500  /* if protocol detection is marked done for our direction we
501  * pass our data on. We're only succeeded in finding one
502  * direction: the opposing stream
503  *
504  * If PD was not yet complete, we don't do anything.
505  */
506  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
507  if (data_len > 0)
508  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
509 
510  if (*alproto_otherdir != ALPROTO_FAILED) {
511  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
512  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
513  f->alproto, flags,
514  data, data_len);
515  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
516 
517  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
518  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
519  TcpSessionSetReassemblyDepth(ssn,
520  AppLayerParserGetStreamDepth(f));
521 
522  *alproto = *alproto_otherdir;
523  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
524  p->pcap_cnt, *alproto, *alproto_otherdir, r);
525  if (r < 0)
526  goto failure;
527  }
528  *alproto = ALPROTO_FAILED;
529  StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
530  AppLayerIncFlowCounter(tv, f);
531  FlagPacketFlow(p, f, flags);
532 
533  }
534  } else {
535  /* both sides unknown, let's see if we need to give up */
536  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
537  }
538  }
539 end:
540  return 0;
541 
542 failure:
543  return -1;
544 }
545 
546 /** \brief handle TCP data for the app-layer.
547  *
548  * First run protocol detection and then when the protocol is known invoke
549  * the app layer parser.
550  */
551 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
552  Packet *p, Flow *f,
553  TcpSession *ssn, TcpStream *stream,
554  uint8_t *data, uint32_t data_len,
555  uint8_t flags)
556 {
557  SCEnter();
558 
559  DEBUG_ASSERT_FLOW_LOCKED(f);
560 
561  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
562  AppProto alproto;
563  int r = 0;
564 
565  SCLogDebug("data_len %u flags %02X", data_len, flags);
566  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
567  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
568  goto end;
569  }
570 
571  if (flags & STREAM_TOSERVER) {
572  alproto = f->alproto_ts;
573  } else {
574  alproto = f->alproto_tc;
575  }
576 
577  /* If a gap notification, relay the notification on to the
578  * app-layer if known. */
579  if (flags & STREAM_GAP) {
580  if (alproto == ALPROTO_UNKNOWN) {
581  StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
582  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
583  /* if the other side didn't already find the proto, we're done */
584  if (f->alproto == ALPROTO_UNKNOWN)
585  goto end;
586 
587  }
588  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
589  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
590  flags, data, data_len);
591  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
592  goto end;
593  }
594 
595  /* if we don't know the proto yet and we have received a stream
596  * initializer message, we run proto detection.
597  * We receive 2 stream init msgs (one for each direction) but we
598  * only run the proto detection once. */
599  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
600  /* run protocol detection */
601  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
602  data, data_len, flags) != 0) {
603  goto failure;
604  }
605  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
606  f->alproto_orig = f->alproto;
607  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
608  AppLayerProtoDetectReset(f);
609  /* rerun protocol detection */
610  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
611  data, data_len, flags) != 0) {
612  SCLogDebug("proto detect failure");
613  goto failure;
614  }
615  SCLogDebug("protocol change, old %s, new %s",
616  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
617 
618  if (f->alproto_expect != ALPROTO_UNKNOWN &&
619  f->alproto != f->alproto_expect)
620  {
621  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
622  APPLAYER_UNEXPECTED_PROTOCOL);
623 
624  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
625  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
626  APPLAYER_NO_TLS_AFTER_STARTTLS);
627 
628  }
629  }
630  } else {
631  SCLogDebug("stream data (len %" PRIu32 " alproto "
632  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
633 #ifdef PRINT
634  if (data_len > 0) {
635  printf("=> Stream Data (app layer) -- start %s%s\n",
636  flags & STREAM_TOCLIENT ? "toclient" : "",
637  flags & STREAM_TOSERVER ? "toserver" : "");
638  PrintRawDataFp(stdout, data, data_len);
639  printf("=> Stream Data -- end\n");
640  }
641 #endif
642  /* if we don't have a data object here we are not getting it
643  * a start msg should have gotten us one */
644  if (f->alproto != ALPROTO_UNKNOWN) {
645  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
646  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
647  flags, data, data_len);
648  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
649  }
650  }
651 
652  goto end;
653  failure:
654  r = -1;
655  end:
656  SCReturnInt(r);
657 }
658 
659 /**
660  * \brief Handle a app layer UDP message
661  *
662  * If the protocol is yet unknown, the proto detection code is run first.
663  *
664  * \param dp_ctx Thread app layer detect context
665  * \param f *locked* flow
666  * \param p UDP packet
667  *
668  * \retval 0 ok
669  * \retval -1 error
670  */
671 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
672 {
673  SCEnter();
674 
675  if (f->alproto == ALPROTO_FAILED) {
676  SCReturnInt(0);
677  }
678 
679  int r = 0;
680  uint8_t flags = 0;
681  if (p->flowflags & FLOW_PKT_TOSERVER) {
682  flags |= STREAM_TOSERVER;
683  } else {
684  flags |= STREAM_TOCLIENT;
685  }
686 
687  AppLayerProfilingReset(tctx);
688 
689  /* if the protocol is still unknown, run detection */
690  if (f->alproto == ALPROTO_UNKNOWN) {
691  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
692  p->payload_len);
693 
694  bool reverse_flow = false;
695  PACKET_PROFILING_APP_PD_START(tctx);
696  f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
697  f, p->payload, p->payload_len,
698  IPPROTO_UDP, flags, &reverse_flow);
699  PACKET_PROFILING_APP_PD_END(tctx);
700 
701  if (f->alproto != ALPROTO_UNKNOWN) {
702  AppLayerIncFlowCounter(tv, f);
703 
704  if (reverse_flow) {
705  SCLogDebug("reversing flow after proto detect told us so");
706  PacketSwap(p);
707  FlowSwap(f);
708  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
709  }
710 
711  PACKET_PROFILING_APP_START(tctx, f->alproto);
712  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
713  flags, p->payload, p->payload_len);
714  PACKET_PROFILING_APP_END(tctx, f->alproto);
715  } else {
716  f->alproto = ALPROTO_FAILED;
717  AppLayerIncFlowCounter(tv, f);
718  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
719  }
720  PACKET_PROFILING_APP_STORE(tctx, p);
721  /* we do only inspection in one direction, so flag both
722  * sides as done here */
723  FlagPacketFlow(p, f, STREAM_TOSERVER);
724  FlagPacketFlow(p, f, STREAM_TOCLIENT);
725  } else {
726  SCLogDebug("data (len %" PRIu32 " ), alproto "
727  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
728 
729  /* run the parser */
730  PACKET_PROFILING_APP_START(tctx, f->alproto);
731  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
732  flags, p->payload, p->payload_len);
733  PACKET_PROFILING_APP_END(tctx, f->alproto);
734  PACKET_PROFILING_APP_STORE(tctx, p);
735  }
736 
737  SCReturnInt(r);
738 }
739 
740 /***** Utility *****/
741 
742 AppProto AppLayerGetProtoByName(char *alproto_name)
743 {
744  SCEnter();
745  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
746  SCReturnCT(r, "AppProto");
747 }
748 
749 const char *AppLayerGetProtoName(AppProto alproto)
750 {
751  SCEnter();
752  const char * r = AppLayerProtoDetectGetProtoName(alproto);
753  SCReturnCT(r, "char *");
754 }
755 
756 void AppLayerListSupportedProtocols(void)
757 {
758  SCEnter();
759 
760  AppProto alproto;
761  AppProto alprotos[ALPROTO_MAX];
762 
763  AppLayerProtoDetectSupportedAppProtocols(alprotos);
764 
765  printf("=========Supported App Layer Protocols=========\n");
766  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
767  if (alprotos[alproto] == 1)
768  printf("%s\n", AppLayerGetProtoName(alproto));
769  }
770 
771  SCReturn;
772 }
773 
774 /***** Setup/General Registration *****/
775 
776 int AppLayerSetup(void)
777 {
778  SCEnter();
779 
780  AppLayerProtoDetectSetup();
781  AppLayerParserSetup();
782 
783  AppLayerParserRegisterProtocolParsers();
784  AppLayerProtoDetectPrepareState();
785 
786  AppLayerSetupCounters();
787 
788  SCReturnInt(0);
789 }
790 
791 int AppLayerDeSetup(void)
792 {
793  SCEnter();
794 
795  AppLayerProtoDetectDeSetup();
796  AppLayerParserDeSetup();
797 
798  AppLayerDeSetupCounters();
799 
800  SCReturnInt(0);
801 }
802 
803 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
804 {
805  SCEnter();
806 
807  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
808  if (app_tctx == NULL)
809  goto error;
810  memset(app_tctx, 0, sizeof(*app_tctx));
811 
812  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
813  goto error;
814  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
815  goto error;
816 
817  goto done;
818  error:
819  AppLayerDestroyCtxThread(app_tctx);
820  app_tctx = NULL;
821  done:
822  SCReturnPtr(app_tctx, "void *");
823 }
824 
825 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
826 {
827  SCEnter();
828 
829  if (app_tctx == NULL)
830  SCReturn;
831 
832  if (app_tctx->alpd_tctx != NULL)
833  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
834  if (app_tctx->alp_tctx != NULL)
835  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
836  SCFree(app_tctx);
837 
838  SCReturn;
839 }
840 
841 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
842 {
843  PACKET_PROFILING_APP_RESET(app_tctx);
844 }
845 
846 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
847 {
848  PACKET_PROFILING_APP_STORE(app_tctx, p);
849 }
850 
851 /** \brief HACK to work around our broken unix manager (re)init loop
852  */
853 void AppLayerRegisterGlobalCounters(void)
854 {
855  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
856  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
857  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
858  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
859  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
860 }
861 
862 #define IPPROTOS_MAX 2
863 void AppLayerSetupCounters()
864 {
865  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
866  uint8_t ipproto;
867  AppProto alproto;
868  AppProto alprotos[ALPROTO_MAX];
869  const char *str = "app_layer.flow.";
870 
871  AppLayerProtoDetectSupportedAppProtocols(alprotos);
872 
873  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
874  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
875  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
876  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
877 
878  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
879  if (alprotos[alproto] == 1) {
880  const char *tx_str = "app_layer.tx.";
881  const char *alproto_str = AppLayerGetProtoName(alproto);
882 
883  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
884  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
885  {
886  snprintf(applayer_counter_names[ipproto_map][alproto].name,
887  sizeof(applayer_counter_names[ipproto_map][alproto].name),
888  "%s%s%s", str, alproto_str, ipproto_suffix);
889  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
890  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
891  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
892  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
893  }
894  } else {
895  snprintf(applayer_counter_names[ipproto_map][alproto].name,
896  sizeof(applayer_counter_names[ipproto_map][alproto].name),
897  "%s%s", str, alproto_str);
898  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
899  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
900  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
901  "%s%s", tx_str, alproto_str);
902  }
903  }
904  } else if (alproto == ALPROTO_FAILED) {
905  snprintf(applayer_counter_names[ipproto_map][alproto].name,
906  sizeof(applayer_counter_names[ipproto_map][alproto].name),
907  "%s%s%s", str, "failed", ipproto_suffix);
908  }
909  }
910  }
911 }
912 
913 void AppLayerRegisterThreadCounters(ThreadVars *tv)
914 {
915  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
916  uint8_t ipproto;
917  AppProto alproto;
918  AppProto alprotos[ALPROTO_MAX];
919 
920  AppLayerProtoDetectSupportedAppProtocols(alprotos);
921 
922  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
923  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
924 
925  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
926  if (alprotos[alproto] == 1) {
927  applayer_counters[ipproto_map][alproto].counter_id =
928  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
929 
930  if (AppLayerParserProtocolIsTxAware(ipprotos[ipproto], alproto)) {
931  applayer_counters[ipproto_map][alproto].counter_tx_id =
932  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
933  }
934  } else if (alproto == ALPROTO_FAILED) {
935  applayer_counters[ipproto_map][alproto].counter_id =
936  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
937  }
938  }
939  }
940 }
941 
942 void AppLayerDeSetupCounters()
943 {
944  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
945  memset(applayer_counters, 0, sizeof(applayer_counters));
946 }
947 
948 /***** Unittests *****/
949 
950 #ifdef UNITTESTS
951 #include "pkt-var.h"
952 #include "stream-tcp.h"
953 #include "stream-tcp-util.h"
954 #include "stream.h"
955 #include "util-unittest.h"
956 
957 #define TEST_START \
958  Packet *p = SCMalloc(SIZE_OF_PACKET);\
959  FAIL_IF_NULL(p);\
960  Flow f;\
961  ThreadVars tv;\
962  StreamTcpThread *stt = NULL;\
963  TCPHdr tcph;\
964  PacketQueue pq;\
965  memset(&pq,0,sizeof(PacketQueue));\
966  memset(p, 0, SIZE_OF_PACKET);\
967  memset (&f, 0, sizeof(Flow));\
968  memset(&tv, 0, sizeof (ThreadVars));\
969  memset(&tcph, 0, sizeof (TCPHdr));\
970 \
971  FLOW_INITIALIZE(&f);\
972  f.flags = FLOW_IPV4;\
973  f.proto = IPPROTO_TCP;\
974  p->flow = &f;\
975  p->tcph = &tcph;\
976 \
977  StreamTcpInitConfig(TRUE);\
978  IPPairInitConfig(TRUE); \
979  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
980 \
981  /* handshake */\
982  tcph.th_win = htons(5480);\
983  tcph.th_flags = TH_SYN;\
984  p->flowflags = FLOW_PKT_TOSERVER;\
985  p->payload_len = 0;\
986  p->payload = NULL;\
987  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
988  TcpSession *ssn = (TcpSession *)f.protoctx;\
989 \
990  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
991  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
992  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
993  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
994  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
995  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
996  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
997  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
998  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
999  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1000  FAIL_IF(ssn->data_first_seen_dir != 0);\
1001 \
1002  /* handshake */\
1003  p->tcph->th_ack = htonl(1);\
1004  p->tcph->th_flags = TH_SYN | TH_ACK;\
1005  p->flowflags = FLOW_PKT_TOCLIENT;\
1006  p->payload_len = 0;\
1007  p->payload = NULL;\
1008  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1009  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1010  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1011  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1012  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1013  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1014  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1015  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1016  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1017  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1018  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1019  FAIL_IF(ssn->data_first_seen_dir != 0);\
1020 \
1021  /* handshake */\
1022  p->tcph->th_ack = htonl(1);\
1023  p->tcph->th_seq = htonl(1);\
1024  p->tcph->th_flags = TH_ACK;\
1025  p->flowflags = FLOW_PKT_TOSERVER;\
1026  p->payload_len = 0;\
1027  p->payload = NULL;\
1028  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1029  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1030  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1031  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1032  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1033  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1034  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1035  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1036  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1037  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1038  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1039  FAIL_IF(ssn->data_first_seen_dir != 0);
1040 #define TEST_END \
1041  StreamTcpSessionClear(p->flow->protoctx);\
1042  StreamTcpThreadDeinit(&tv, (void *)stt); \
1043  StreamTcpFreeConfig(TRUE);\
1044  PACKET_DESTRUCTOR(p);\
1045  SCFree(p);\
1046  FLOW_DESTROY(&f); \
1047  StatsThreadCleanup(&tv);
1048 
1049 /**
1050  * \test GET -> HTTP/1.1
1051  */
1052 static int AppLayerTest01(void)
1053 {
1054  TEST_START;
1055 
1056  /* full request */
1057  uint8_t request[] = {
1058  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1059  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1060  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1061  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1062  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1063  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1064  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1065  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1066  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1067  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1068  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1069  p->tcph->th_ack = htonl(1);
1070  p->tcph->th_seq = htonl(1);
1071  p->tcph->th_flags = TH_PUSH | TH_ACK;
1072  p->flowflags = FLOW_PKT_TOSERVER;
1073  p->payload_len = sizeof(request);
1074  p->payload = request;
1075  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1076  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1077  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1078  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1079  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1080  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1081  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1082  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1083  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1084  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1085  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1086  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1087 
1088  /* full response - request ack */
1089  uint8_t response[] = {
1090  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1091  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1092  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1093  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1094  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1095  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1096  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1097  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1098  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1099  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1100  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1101  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1102  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1103  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1104  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1105  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1106  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1107  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1108  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1109  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1110  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1111  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1112  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1113  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1114  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1115  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1116  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1117  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1118  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1119  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1120  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1121  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1122  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1123  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1124  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1125  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1126  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1127  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1128  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1129  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1130  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1131  p->tcph->th_ack = htonl(88);
1132  p->tcph->th_seq = htonl(1);
1133  p->tcph->th_flags = TH_PUSH | TH_ACK;
1134  p->flowflags = FLOW_PKT_TOCLIENT;
1135  p->payload_len = sizeof(response);
1136  p->payload = response;
1137  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1138  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1139  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1140  FAIL_IF(f.alproto != ALPROTO_HTTP);
1141  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1142  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1143  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1144  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1145  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1146  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1147  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1148  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1149 
1150  /* response ack */
1151  p->tcph->th_ack = htonl(328);
1152  p->tcph->th_seq = htonl(88);
1153  p->tcph->th_flags = TH_ACK;
1154  p->flowflags = FLOW_PKT_TOSERVER;
1155  p->payload_len = 0;
1156  p->payload = NULL;
1157  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1158  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1159  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1160  FAIL_IF(f.alproto != ALPROTO_HTTP);
1161  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1162  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1163  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1164  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1165  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1166  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1167  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1168  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1169 
1170  TEST_END;
1171  PASS;
1172 }
1173 
1174 /**
1175  * \test GE -> T -> HTTP/1.1
1176  */
1177 static int AppLayerTest02(void)
1178 {
1179  TEST_START;
1180 
1181  /* partial request */
1182  uint8_t request1[] = { 0x47, 0x45, };
1183  p->tcph->th_ack = htonl(1);
1184  p->tcph->th_seq = htonl(1);
1185  p->tcph->th_flags = TH_PUSH | TH_ACK;
1186  p->flowflags = FLOW_PKT_TOSERVER;
1187  p->payload_len = sizeof(request1);
1188  p->payload = request1;
1189  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1190  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1191  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1192  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1193  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1194  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1195  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1196  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1197  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1198  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1199  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1200  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1201 
1202  /* response ack against partial request */
1203  p->tcph->th_ack = htonl(3);
1204  p->tcph->th_seq = htonl(1);
1205  p->tcph->th_flags = TH_ACK;
1206  p->flowflags = FLOW_PKT_TOCLIENT;
1207  p->payload_len = 0;
1208  p->payload = NULL;
1209  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1210  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1211  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1212  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1213  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1214  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1215  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1216  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1217  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1218  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1219  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1220  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1221 
1222  /* complete partial request */
1223  uint8_t request2[] = {
1224  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1225  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1226  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1227  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1228  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1229  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1230  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1231  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1232  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1233  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1234  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1235  p->tcph->th_ack = htonl(1);
1236  p->tcph->th_seq = htonl(3);
1237  p->tcph->th_flags = TH_PUSH | TH_ACK;
1238  p->flowflags = FLOW_PKT_TOSERVER;
1239  p->payload_len = sizeof(request2);
1240  p->payload = request2;
1241  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1242  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1243  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1244  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1245  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1246  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1247  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1248  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1249  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1250  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1251  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1252  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1253 
1254  /* response - request ack */
1255  uint8_t response[] = {
1256  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1257  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1258  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1259  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1260  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1261  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1262  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1263  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1264  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1265  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1266  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1267  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1268  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1269  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1270  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1271  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1272  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1273  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1274  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1275  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1276  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1277  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1278  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1279  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1280  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1281  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1282  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1283  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1284  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1285  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1286  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1287  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1288  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1289  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1290  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1291  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1292  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1293  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1294  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1295  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1296  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1297  p->tcph->th_ack = htonl(88);
1298  p->tcph->th_seq = htonl(1);
1299  p->tcph->th_flags = TH_PUSH | TH_ACK;
1300  p->flowflags = FLOW_PKT_TOCLIENT;
1301  p->payload_len = sizeof(response);
1302  p->payload = response;
1303  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1304  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1305  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1306  FAIL_IF(f.alproto != ALPROTO_HTTP);
1307  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1308  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1309  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1310  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1311  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1312  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1313  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1314  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1315 
1316  /* response ack */
1317  p->tcph->th_ack = htonl(328);
1318  p->tcph->th_seq = htonl(88);
1319  p->tcph->th_flags = TH_ACK;
1320  p->flowflags = FLOW_PKT_TOSERVER;
1321  p->payload_len = 0;
1322  p->payload = NULL;
1323  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1324  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1325  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1326  FAIL_IF(f.alproto != ALPROTO_HTTP);
1327  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1328  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1329  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1330  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1331  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1332  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1333  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1334  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1335 
1336  TEST_END;
1337  PASS;
1338 }
1339 
1340 /**
1341  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1342  */
1343 static int AppLayerTest03(void)
1344 {
1345  TEST_START;
1346 
1347  /* request */
1348  uint8_t request[] = {
1349  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1350  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1351  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1352  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1353  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1354  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1355  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1356  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1357  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1358  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1359  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1360  p->tcph->th_ack = htonl(1);
1361  p->tcph->th_seq = htonl(1);
1362  p->tcph->th_flags = TH_PUSH | TH_ACK;
1363  p->flowflags = FLOW_PKT_TOSERVER;
1364  p->payload_len = sizeof(request);
1365  p->payload = request;
1366  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1367  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1368  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1369  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1370  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1371  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1372  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1373  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1374  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1375  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1376  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1377  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1378 
1379  /* rubbish response */
1380  uint8_t response[] = {
1381  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1382  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1383  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1384  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1385  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1386  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1387  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1388  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1389  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1390  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1391  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1392  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1393  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1394  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1395  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1396  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1397  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1398  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1399  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1400  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1401  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1402  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1403  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1404  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1405  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1406  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1407  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1408  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1409  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1410  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1411  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1412  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1413  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1414  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1415  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1416  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1417  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1418  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1419  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1420  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1421  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1422  p->tcph->th_ack = htonl(88);
1423  p->tcph->th_seq = htonl(1);
1424  p->tcph->th_flags = TH_PUSH | TH_ACK;
1425  p->flowflags = FLOW_PKT_TOCLIENT;
1426  p->payload_len = sizeof(response);
1427  p->payload = response;
1428  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1429  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1430  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1431  FAIL_IF(f.alproto != ALPROTO_HTTP);
1432  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1433  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1434  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1435  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1436  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1437  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1438  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1439  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1440 
1441  /* response ack */
1442  p->tcph->th_ack = htonl(328);
1443  p->tcph->th_seq = htonl(88);
1444  p->tcph->th_flags = TH_ACK;
1445  p->flowflags = FLOW_PKT_TOSERVER;
1446  p->payload_len = 0;
1447  p->payload = NULL;
1448  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1449  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1450  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1451  FAIL_IF(f.alproto != ALPROTO_HTTP);
1452  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1453  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1454  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1455  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1456  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1457  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1458  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1459  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1460 
1461  TEST_END;
1462  PASS;
1463 }
1464 
1465 /**
1466  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1467  */
1468 static int AppLayerTest04(void)
1469 {
1470  TEST_START;
1471 
1472  /* request */
1473  uint8_t request[] = {
1474  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1475  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1476  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1477  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1478  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1479  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1480  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1481  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1482  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1483  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1484  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1485  PrintRawDataFp(stdout, request, sizeof(request));
1486  p->tcph->th_ack = htonl(1);
1487  p->tcph->th_seq = htonl(1);
1488  p->tcph->th_flags = TH_PUSH | TH_ACK;
1489  p->flowflags = FLOW_PKT_TOSERVER;
1490  p->payload_len = sizeof(request);
1491  p->payload = request;
1492  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1493  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1494  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1495  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1496  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1497  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1498  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1499  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1500  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1501  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1502  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1503  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1504 
1505  /* partial response */
1506  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1507  PrintRawDataFp(stdout, response1, sizeof(response1));
1508  p->tcph->th_ack = htonl(88);
1509  p->tcph->th_seq = htonl(1);
1510  p->tcph->th_flags = TH_PUSH | TH_ACK;
1511  p->flowflags = FLOW_PKT_TOCLIENT;
1512  p->payload_len = sizeof(response1);
1513  p->payload = response1;
1514  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1515  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1516  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1517  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1518  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1519  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1520  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1521  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1522  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1523  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1524  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1525  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1526 
1527  /* partial response ack */
1528  p->tcph->th_ack = htonl(5);
1529  p->tcph->th_seq = htonl(88);
1530  p->tcph->th_flags = TH_ACK;
1531  p->flowflags = FLOW_PKT_TOSERVER;
1532  p->payload_len = 0;
1533  p->payload = NULL;
1534  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1535  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1536  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1537  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1538  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1539  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1540  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1541  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1542  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1543  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1544  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1545  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1546 
1547  /* remaining response */
1548  uint8_t response2[] = {
1549  0x2f, 0x31, 0x2e, 0x31,
1550  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1551  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1552  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1553  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1554  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1555  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1556  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1557  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1558  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1559  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1560  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1561  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1562  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1563  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1564  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1565  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1566  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1567  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1568  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1569  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1570  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1571  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1572  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1573  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1574  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1575  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1576  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1577  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1578  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1579  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1580  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1581  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1582  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1583  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1584  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1585  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1586  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1587  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1588  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1589  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1590  PrintRawDataFp(stdout, response2, sizeof(response2));
1591  p->tcph->th_ack = htonl(88);
1592  p->tcph->th_seq = htonl(5);
1593  p->tcph->th_flags = TH_PUSH | TH_ACK;
1594  p->flowflags = FLOW_PKT_TOCLIENT;
1595  p->payload_len = sizeof(response2);
1596  p->payload = response2;
1597  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1598  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1599  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1600  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1601  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1602  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1603  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1604  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1605  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1606  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1607  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1608  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1609 
1610  /* response ack */
1611  p->tcph->th_ack = htonl(328);
1612  p->tcph->th_seq = htonl(88);
1613  p->tcph->th_flags = TH_ACK;
1614  p->flowflags = FLOW_PKT_TOSERVER;
1615  p->payload_len = 0;
1616  p->payload = NULL;
1617  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1618  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1619  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1620  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1621  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1622  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1623  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1624  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1625  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1626  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1627  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1628  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1629 
1630  TEST_END;
1631  PASS;
1632 }
1633 
1634 /**
1635  * \test RUBBISH -> HTTP/1.1
1636  */
1637 static int AppLayerTest05(void)
1638 {
1639  TEST_START;
1640 
1641  /* full request */
1642  uint8_t request[] = {
1643  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1644  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1645  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1646  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1647  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1648  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1649  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1650  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1651  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1652  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1653  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1654  PrintRawDataFp(stdout, request, sizeof(request));
1655  p->tcph->th_ack = htonl(1);
1656  p->tcph->th_seq = htonl(1);
1657  p->tcph->th_flags = TH_PUSH | TH_ACK;
1658  p->flowflags = FLOW_PKT_TOSERVER;
1659  p->payload_len = sizeof(request);
1660  p->payload = request;
1661  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1662  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1663  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1664  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1665  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1666  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1667  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1668  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1669  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1670  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1671  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1672  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1673 
1674  /* full response - request ack */
1675  uint8_t response[] = {
1676  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1677  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1678  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1679  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1680  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1681  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1682  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1683  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1684  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1685  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1686  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1687  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1688  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1689  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1690  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1691  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1692  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1693  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1694  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1695  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1696  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1697  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1698  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1699  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1700  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1701  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1702  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1703  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1704  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1705  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1706  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1707  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1708  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1709  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1710  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1711  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1712  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1713  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1714  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1715  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1716  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1717  PrintRawDataFp(stdout, response, sizeof(response));
1718  p->tcph->th_ack = htonl(88);
1719  p->tcph->th_seq = htonl(1);
1720  p->tcph->th_flags = TH_PUSH | TH_ACK;
1721  p->flowflags = FLOW_PKT_TOCLIENT;
1722  p->payload_len = sizeof(response);
1723  p->payload = response;
1724  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1725  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1726  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1727  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1728  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1729  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1730  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1731  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1732  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1733  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1734  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1735  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1736 
1737  /* response ack */
1738  p->tcph->th_ack = htonl(328);
1739  p->tcph->th_seq = htonl(88);
1740  p->tcph->th_flags = TH_ACK;
1741  p->flowflags = FLOW_PKT_TOSERVER;
1742  p->payload_len = 0;
1743  p->payload = NULL;
1744  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1745  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1746  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1747  FAIL_IF(f.alproto != ALPROTO_HTTP);
1748  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1749  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1750  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1751  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1752  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1753  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1754  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1755  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1756 
1757  TEST_END;
1758  PASS;
1759 }
1760 
1761 /**
1762  * \test HTTP/1.1 -> GET
1763  */
1764 static int AppLayerTest06(void)
1765 {
1766  TEST_START;
1767 
1768  /* full response - request ack */
1769  uint8_t response[] = {
1770  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1771  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1772  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1773  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1774  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1775  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1776  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1777  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1778  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1779  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1780  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1781  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1782  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1783  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1784  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1785  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1786  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1787  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1788  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1789  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1790  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1791  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1792  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1793  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1794  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1795  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1796  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1797  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1798  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1799  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1800  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1801  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1802  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1803  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1804  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1805  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1806  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1807  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1808  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1809  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1810  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1811  p->tcph->th_ack = htonl(1);
1812  p->tcph->th_seq = htonl(1);
1813  p->tcph->th_flags = TH_PUSH | TH_ACK;
1814  p->flowflags = FLOW_PKT_TOCLIENT;
1815  p->payload_len = sizeof(response);
1816  p->payload = response;
1817  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1818  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1819  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1820  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1821  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1822  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1823  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1824  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1825  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1826  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1827  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1828  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1829 
1830  /* full request - response ack*/
1831  uint8_t request[] = {
1832  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1833  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1834  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1835  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1836  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1837  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1838  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1839  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1840  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1841  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1842  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1843  p->tcph->th_ack = htonl(328);
1844  p->tcph->th_seq = htonl(1);
1845  p->tcph->th_flags = TH_PUSH | TH_ACK;
1846  p->flowflags = FLOW_PKT_TOSERVER;
1847  p->payload_len = sizeof(request);
1848  p->payload = request;
1849  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1850  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1851  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1852  FAIL_IF(f.alproto != ALPROTO_HTTP);
1853  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1854  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1855  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1856  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1857  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1858  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1859  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1860  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1861 
1862  p->tcph->th_ack = htonl(1 + sizeof(request));
1863  p->tcph->th_seq = htonl(328);
1864  p->tcph->th_flags = TH_PUSH | TH_ACK;
1865  p->flowflags = FLOW_PKT_TOCLIENT;
1866  p->payload_len = 0;
1867  p->payload = NULL;
1868  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1869  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1870  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1871  FAIL_IF(f.alproto != ALPROTO_HTTP);
1872  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1873  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1874  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1875  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1876  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1877  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1878  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1879  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1880 
1881  TEST_END;
1882  PASS;
1883 }
1884 
1885 /**
1886  * \test GET -> DCERPC
1887  */
1888 static int AppLayerTest07(void)
1889 {
1890  TEST_START;
1891 
1892  /* full request */
1893  uint8_t request[] = {
1894  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1895  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1896  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1897  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1898  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1899  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1900  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1901  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1902  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1903  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1904  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1905  p->tcph->th_ack = htonl(1);
1906  p->tcph->th_seq = htonl(1);
1907  p->tcph->th_flags = TH_PUSH | TH_ACK;
1908  p->flowflags = FLOW_PKT_TOSERVER;
1909  p->payload_len = sizeof(request);
1910  p->payload = request;
1911  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1912  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1913  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1914  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1915  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1916  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1917  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1918  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1919  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1920  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1921  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1922  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1923 
1924  /* full response - request ack */
1925  uint8_t response[] = {
1926  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1927  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1928  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1929  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1930  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1931  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1932  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1933  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1934  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1935  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1936  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1937  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1938  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1939  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1940  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1941  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1942  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1943  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1944  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1945  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1946  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1947  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1948  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1949  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1950  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1951  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1952  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1953  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1954  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1955  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1956  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1957  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1958  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1959  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1960  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1961  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1962  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1963  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1964  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1965  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1966  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1967  p->tcph->th_ack = htonl(88);
1968  p->tcph->th_seq = htonl(1);
1969  p->tcph->th_flags = TH_PUSH | TH_ACK;
1970  p->flowflags = FLOW_PKT_TOCLIENT;
1971  p->payload_len = sizeof(response);
1972  p->payload = response;
1973  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1974  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1975  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1976  FAIL_IF(f.alproto != ALPROTO_HTTP);
1977  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1978  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1979  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1980  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1981  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1982  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1983  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1984  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1985 
1986  /* response ack */
1987  p->tcph->th_ack = htonl(328);
1988  p->tcph->th_seq = htonl(88);
1989  p->tcph->th_flags = TH_ACK;
1990  p->flowflags = FLOW_PKT_TOSERVER;
1991  p->payload_len = 0;
1992  p->payload = NULL;
1993  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1994  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1995  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1996  FAIL_IF(f.alproto != ALPROTO_HTTP);
1997  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1998  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
1999  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2000  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2001  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2002  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2003  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2004  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2005 
2006  TEST_END;
2007  PASS;
2008 }
2009 
2010 /**
2011  * \test SMB -> HTTP/1.1
2012  */
2013 static int AppLayerTest08(void)
2014 {
2015  TEST_START;
2016 
2017  /* full request */
2018  uint8_t request[] = {
2019  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2020  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2021  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2022  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2023  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2024  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2025  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2026  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2027  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2028  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2029  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2030  p->tcph->th_ack = htonl(1);
2031  p->tcph->th_seq = htonl(1);
2032  p->tcph->th_flags = TH_PUSH | TH_ACK;
2033  p->flowflags = FLOW_PKT_TOSERVER;
2034  p->payload_len = sizeof(request);
2035  p->payload = request;
2036  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2037  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2038  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2039  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2040  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2041  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2042  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2043  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2044  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2045  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2046  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2047  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2048 
2049  /* full response - request ack */
2050  uint8_t response[] = {
2051  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2052  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2053  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2054  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2055  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2056  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2057  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2058  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2059  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2060  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2061  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2062  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2063  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2064  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2065  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2066  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2067  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2068  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2069  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2070  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2071  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2072  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2073  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2074  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2075  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2076  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2077  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2078  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2079  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2080  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2081  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2082  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2083  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2084  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2085  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2086  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2087  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2088  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2089  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2090  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2091  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2092  p->tcph->th_ack = htonl(88);
2093  p->tcph->th_seq = htonl(1);
2094  p->tcph->th_flags = TH_PUSH | TH_ACK;
2095  p->flowflags = FLOW_PKT_TOCLIENT;
2096  p->payload_len = sizeof(response);
2097  p->payload = response;
2098  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2099  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2100  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2101  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2102  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2103  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2104  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2105  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2106  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2107  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2108  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2109  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2110 
2111  /* response ack */
2112  p->tcph->th_ack = htonl(328);
2113  p->tcph->th_seq = htonl(88);
2114  p->tcph->th_flags = TH_ACK;
2115  p->flowflags = FLOW_PKT_TOSERVER;
2116  p->payload_len = 0;
2117  p->payload = NULL;
2118  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2119  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2120  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2121  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2122  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2123  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2124  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2125  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2126  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2127  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2128  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2129  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2130 
2131  TEST_END;
2132  PASS;
2133 }
2134 
2135 /**
2136  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2137  * RUBBISH(TC - PM and PP DONE) ->
2138  * RUBBISH(TS - PM and PP DONE)
2139  */
2140 static int AppLayerTest09(void)
2141 {
2142  TEST_START;
2143 
2144  /* full request */
2145  uint8_t request1[] = {
2146  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2147  p->tcph->th_ack = htonl(1);
2148  p->tcph->th_seq = htonl(1);
2149  p->tcph->th_flags = TH_PUSH | TH_ACK;
2150  p->flowflags = FLOW_PKT_TOSERVER;
2151  p->payload_len = sizeof(request1);
2152  p->payload = request1;
2153  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2154  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2155  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2156  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2157  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2158  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2159  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2160  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2161  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2162  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2163  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2164  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2165 
2166  /* response - request ack */
2167  p->tcph->th_ack = htonl(9);
2168  p->tcph->th_seq = htonl(1);
2169  p->tcph->th_flags = TH_PUSH | TH_ACK;
2170  p->flowflags = FLOW_PKT_TOCLIENT;
2171  p->payload_len = 0;
2172  p->payload = NULL;
2173  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2174  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2175  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2176  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2177  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2178  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2179  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2180  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2181  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2182  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2183  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2184  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2185 
2186  /* full request */
2187  uint8_t request2[] = {
2188  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2189  p->tcph->th_ack = htonl(1);
2190  p->tcph->th_seq = htonl(9);
2191  p->tcph->th_flags = TH_PUSH | TH_ACK;
2192  p->flowflags = FLOW_PKT_TOSERVER;
2193  p->payload_len = sizeof(request2);
2194  p->payload = request2;
2195  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2196  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2197  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2198  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2199  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2200  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2201  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2202  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2203  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2204  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2205  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2206  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2207 
2208  /* full response - request ack */
2209  uint8_t response[] = {
2210  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2211  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2212  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2213  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2214  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2215  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2216  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2217  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2218  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2219  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2220  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2221  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2222  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2223  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2224  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2225  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2226  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2227  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2228  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2229  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2230  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2231  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2232  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2233  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2234  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2235  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2236  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2237  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2238  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2239  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2240  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2241  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2242  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2243  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2244  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2245  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2246  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2247  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2248  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2249  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2250  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2251  p->tcph->th_ack = htonl(18);
2252  p->tcph->th_seq = htonl(1);
2253  p->tcph->th_flags = TH_PUSH | TH_ACK;
2254  p->flowflags = FLOW_PKT_TOCLIENT;
2255  p->payload_len = sizeof(response);
2256  p->payload = response;
2257  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2258  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2259  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2260  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2261  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2262  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2263  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2264  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2265  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2266  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2267  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2268  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2269 
2270  /* response ack */
2271  p->tcph->th_ack = htonl(328);
2272  p->tcph->th_seq = htonl(18);
2273  p->tcph->th_flags = TH_ACK;
2274  p->flowflags = FLOW_PKT_TOSERVER;
2275  p->payload_len = 0;
2276  p->payload = NULL;
2277  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2278  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2279  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2280  FAIL_IF(f.alproto != ALPROTO_FAILED);
2281  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2282  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2283  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2284  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2285  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2286  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2287  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2288  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2289 
2290  TEST_END;
2291  PASS;
2292 }
2293 
2294 /**
2295  * \test RUBBISH(TC - PM and PP DONE) ->
2296  * RUBBISH(TS - PM and PP DONE)
2297  */
2298 static int AppLayerTest10(void)
2299 {
2300  TEST_START;
2301 
2302  /* full request */
2303  uint8_t request1[] = {
2304  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2305  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2306  p->tcph->th_ack = htonl(1);
2307  p->tcph->th_seq = htonl(1);
2308  p->tcph->th_flags = TH_PUSH | TH_ACK;
2309  p->flowflags = FLOW_PKT_TOSERVER;
2310  p->payload_len = sizeof(request1);
2311  p->payload = request1;
2312  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2313  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2314  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2315  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2316  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2317  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2318  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2319  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2320  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2321  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2322  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2323  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2324 
2325  /* response - request ack */
2326  p->tcph->th_ack = htonl(18);
2327  p->tcph->th_seq = htonl(1);
2328  p->tcph->th_flags = TH_PUSH | TH_ACK;
2329  p->flowflags = FLOW_PKT_TOCLIENT;
2330  p->payload_len = 0;
2331  p->payload = NULL;
2332  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2333  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2334  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2335  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2336  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2337  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2338  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2339  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2340  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2341  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2342  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2343  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2344 
2345  /* full response - request ack */
2346  uint8_t response[] = {
2347  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2348  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2349  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2350  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2351  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2352  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2353  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2354  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2355  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2356  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2357  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2358  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2359  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2360  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2361  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2362  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2363  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2364  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2365  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2366  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2367  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2368  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2369  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2370  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2371  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2372  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2373  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2374  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2375  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2376  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2377  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2378  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2379  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2380  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2381  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2382  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2383  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2384  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2385  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2386  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2387  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2388  p->tcph->th_ack = htonl(18);
2389  p->tcph->th_seq = htonl(1);
2390  p->tcph->th_flags = TH_PUSH | TH_ACK;
2391  p->flowflags = FLOW_PKT_TOCLIENT;
2392  p->payload_len = sizeof(response);
2393  p->payload = response;
2394  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2395  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2396  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2397  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2398  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2399  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2400  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2401  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2402  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2403  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2404  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2405  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2406 
2407  /* response ack */
2408  p->tcph->th_ack = htonl(328);
2409  p->tcph->th_seq = htonl(18);
2410  p->tcph->th_flags = TH_ACK;
2411  p->flowflags = FLOW_PKT_TOSERVER;
2412  p->payload_len = 0;
2413  p->payload = NULL;
2414  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2415  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2416  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2417  FAIL_IF(f.alproto != ALPROTO_FAILED);
2418  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2419  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2420  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2421  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2422  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2423  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2424  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2425  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2426 
2427  TEST_END;
2428  PASS;
2429 }
2430 
2431 /**
2432  * \test RUBBISH(TC - PM and PP DONE) ->
2433  * RUBBISH(TS - PM and PP NOT DONE) ->
2434  * RUBBISH(TS - PM and PP DONE)
2435  */
2436 static int AppLayerTest11(void)
2437 {
2438  TEST_START;
2439 
2440  /* full request */
2441  uint8_t request1[] = {
2442  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2443  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2444  p->tcph->th_ack = htonl(1);
2445  p->tcph->th_seq = htonl(1);
2446  p->tcph->th_flags = TH_PUSH | TH_ACK;
2447  p->flowflags = FLOW_PKT_TOSERVER;
2448  p->payload_len = sizeof(request1);
2449  p->payload = request1;
2450  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2451  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2452  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2453  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2454  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2455  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2456  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2457  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2458  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2459  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2460  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2461  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2462 
2463  /* response - request ack */
2464  p->tcph->th_ack = htonl(18);
2465  p->tcph->th_seq = htonl(1);
2466  p->tcph->th_flags = TH_PUSH | TH_ACK;
2467  p->flowflags = FLOW_PKT_TOCLIENT;
2468  p->payload_len = 0;
2469  p->payload = NULL;
2470  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2471  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2472  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2473  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2474  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2475  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2476  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2477  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2478  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2479  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2480  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2481  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2482 
2483  /* full response - request ack */
2484  uint8_t response1[] = {
2485  0x55, 0x74, 0x54, 0x50, };
2486  p->tcph->th_ack = htonl(18);
2487  p->tcph->th_seq = htonl(1);
2488  p->tcph->th_flags = TH_PUSH | TH_ACK;
2489  p->flowflags = FLOW_PKT_TOCLIENT;
2490  p->payload_len = sizeof(response1);
2491  p->payload = response1;
2492  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2493  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2494  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2495  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2496  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2497  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2498  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2499  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2500  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2501  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2502  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2503  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2504 
2505  /* response ack from request */
2506  p->tcph->th_ack = htonl(5);
2507  p->tcph->th_seq = htonl(18);
2508  p->tcph->th_flags = TH_ACK;
2509  p->flowflags = FLOW_PKT_TOSERVER;
2510  p->payload_len = 0;
2511  p->payload = NULL;
2512  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2513  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2514  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2515  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2516  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2517  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2518  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2519  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2520  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2521  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2522  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2523  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2524 
2525  uint8_t response2[] = {
2526  0x2f, 0x31, 0x2e, 0x31,
2527  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2528  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2529  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2530  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2531  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2532  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2533  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2534  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2535  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2536  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2537  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2538  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2539  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2540  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2541  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2542  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2543  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2544  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2545  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2546  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2547  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2548  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2549  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2550  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2551  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2552  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2553  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2554  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2555  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2556  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2557  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2558  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2559  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2560  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2561  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2562  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2563  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2564  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2565  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2566  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2567  p->tcph->th_ack = htonl(18);
2568  p->tcph->th_seq = htonl(5);
2569  p->tcph->th_flags = TH_PUSH | TH_ACK;
2570  p->flowflags = FLOW_PKT_TOCLIENT;
2571  p->payload_len = sizeof(response2);
2572  p->payload = response2;
2573  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2574  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2575  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2576  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2577  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2578  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2579  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2580  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2581  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2582  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2583  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2584  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2585 
2586  /* response ack from request */
2587  p->tcph->th_ack = htonl(328);
2588  p->tcph->th_seq = htonl(18);
2589  p->tcph->th_flags = TH_ACK;
2590  p->flowflags = FLOW_PKT_TOSERVER;
2591  p->payload_len = 0;
2592  p->payload = NULL;
2593  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2594  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2595  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2596  FAIL_IF(f.alproto != ALPROTO_FAILED);
2597  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2598  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2599  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2600  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2601  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2602  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2603  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2604  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2605 
2606  TEST_END;
2607  PASS;
2608 }
2609 
2610 void AppLayerUnittestsRegister(void)
2611 {
2612  SCEnter();
2613 
2614  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2615  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2616  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2617  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2618  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2619  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2620  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2621  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2622  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2623  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2624  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2625 
2626  SCReturn;
2627 }
2628 
2629 #endif /* UNITTESTS */
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2059
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:98
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:413
flags
uint16_t flags
Definition: app-layer-dns-common.h:246
FlowSwap
void FlowSwap(Flow *f)
swap the flow&#39;s direction
Definition: flow.c:289
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1758
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:406
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:567
TEST_END
#define TEST_END
Definition: app-layer.c:1040
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:81
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:267
Flow_::proto
uint8_t proto
Definition: flow.h:343
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:791
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1560
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:236
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:195
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:841
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:380
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream *stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:551
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:186
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:271
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:97
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:862
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:73
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:210
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:776
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:66
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:82
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:561
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:68
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:106
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:520
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:239
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:846
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:742
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1789
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:269
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:64
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:157
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:756
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:351
Flow_::protoctx
void * protoctx
Definition: flow.h:395
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:118
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1477
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:67
AppLayerCounters_
Definition: app-layer.c:80
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4674
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:410
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:405
str
#define str(s)
Definition: suricata-common.h:258
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:257
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:82
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:803
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:247
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:268
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1116
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2610
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1366
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:38
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:112
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:245
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:275
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1000
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:418
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:262
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:273
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Packet_
Definition: decode.h:405
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1863
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:212
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:942
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
TcpStream_
Definition: stream-tcp-private.h:94
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2042
SCFree
#define SCFree(a)
Definition: util-mem.h:228
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:266
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:248
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1484
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:825
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:853
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:161
STREAM_START
#define STREAM_START
Definition: stream.h:29
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:863
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
TEST_START
#define TEST_START
Definition: app-layer.c:957
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:197
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:255
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6288
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:749
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2005
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:256
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1103
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:671
SCReturn
#define SCReturn
Definition: util-debug.h:339
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1951
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:201
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:404
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
Packet_::flags
uint32_t flags
Definition: decode.h:441
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:541
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:65
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6282
AppLayerParserProtocolIsTxAware
int AppLayerParserProtocolIsTxAware(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1304
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2064
AppLayerCounterNames_
Definition: app-layer.c:75
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:277
Flow_::protomap
uint8_t protomap
Definition: flow.h:399
Flow_
Flow data structure.
Definition: flow.h:324
Packet_::payload
uint8_t * payload
Definition: decode.h:540
Flow_::flags
uint32_t flags
Definition: flow.h:374
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:913
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1049
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1130
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:181
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1117
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186