suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2011 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49 
50 #include "app-layer-htp-mem.h"
51 #include "app-layer-dns-common.h"
52 
53 /**
54  * \brief This is for the app layer in general and it contains per thread
55  * context relevant to both the alpd and alp.
56  */
57 struct AppLayerThreadCtx_ {
58  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
59  AppLayerProtoDetectThreadCtx *alpd_tctx;
60  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
61  AppLayerParserThreadCtx *alp_tctx;
62 
63 #ifdef PROFILING
64  uint64_t ticks_start;
65  uint64_t ticks_end;
66  uint64_t ticks_spent;
67  AppProto alproto;
68  uint64_t proto_detect_ticks_start;
69  uint64_t proto_detect_ticks_end;
70  uint64_t proto_detect_ticks_spent;
71 #endif
72 };
73 
74 #define MAX_COUNTER_SIZE 64
75 typedef struct AppLayerCounterNames_ {
76  char name[MAX_COUNTER_SIZE];
77  char tx_name[MAX_COUNTER_SIZE];
78 } AppLayerCounterNames;
79 
80 typedef struct AppLayerCounters_ {
81  uint16_t counter_id;
82  uint16_t counter_tx_id;
83 } AppLayerCounters;
84 
85 /* counter names. Only used at init. */
86 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
87 /* counter id's. Used that runtime. */
88 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
89 
90 void AppLayerSetupCounters(void);
91 void AppLayerDeSetupCounters(void);
92 
93 /***** L7 layer dispatchers *****/
94 
95 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
96  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
97  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
98  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
99 }
100 
101 /**
102  * \note id can be 0 if protocol parser is disabled but detection
103  * is enabled.
104  */
105 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
106 {
107  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
108  if (likely(tv && id > 0)) {
109  StatsIncr(tv, id);
110  }
111 }
112 
113 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
114 {
115  const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
116  if (likely(tv && id > 0)) {
117  StatsAddUI64(tv, id, step);
118  }
119 }
120 
121 /* in IDS mode protocol detection is done in reverse order:
122  * when TCP data is ack'd. We want to flag the correct packet,
123  * so in this case we set a flag in the flow so that the first
124  * packet in the correct direction can be tagged.
125  *
126  * For IPS things are much simpler, and we don't use the flow
127  * flag. We just tag the packet directly. */
128 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
129 {
130  if (EngineModeIsIPS()) {
131  if (flags & STREAM_TOSERVER) {
132  if (p->flowflags & FLOW_PKT_TOSERVER) {
133  p->flags |= PKT_PROTO_DETECT_TS_DONE;
134  } else {
135  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
136  }
137  } else {
138  if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  p->flags |= PKT_PROTO_DETECT_TC_DONE;
140  } else {
141  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
142  }
143  }
144  } else {
145  if (flags & STREAM_TOSERVER) {
146  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
147  } else {
148  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
149  }
150  }
151 }
152 
153 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
154 {
155  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
156  f, f->alproto, f->alproto_ts, f->alproto_tc);
157  FlowCleanupAppLayer(f);
158  StreamTcpDisableAppLayer(f);
159  TcpSession *ssn = f->protoctx;
160  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
161  f->alproto = ALPROTO_FAILED;
162  AppLayerIncFlowCounter(tv, f);
163 
164  if (f->alproto_tc != ALPROTO_FAILED) {
165  if (f->alproto_tc == ALPROTO_UNKNOWN) {
166  f->alproto_tc = ALPROTO_FAILED;
167  }
168  FlagPacketFlow(p, f, STREAM_TOCLIENT);
169  }
170  if (f->alproto_ts != ALPROTO_FAILED) {
171  if (f->alproto_ts == ALPROTO_UNKNOWN) {
172  f->alproto_ts = ALPROTO_FAILED;
173  }
174  FlagPacketFlow(p, f, STREAM_TOSERVER);
175  }
176  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
177  f, f->alproto, f->alproto_ts, f->alproto_tc);
178 }
179 
180 /* See if we're going to have to give up:
181  *
182  * If we're getting a lot of data in one direction and the
183  * proto for this direction is unknown, proto detect will
184  * hold up segments in the segment list in the stream.
185  * They are held so that if we detect the protocol on the
186  * opposing stream, we can still parse this side of the stream
187  * as well. However, some sessions are very unbalanced. FTP
188  * data channels, large PUT/POST request and many others, can
189  * lead to cases where we would have to store many megabytes
190  * worth of segments before we see the opposing stream. This
191  * leads to risks of resource starvation.
192  *
193  * Here a cutoff point is enforced. If we've stored 100k in
194  * one direction and we've seen no data in the other direction,
195  * we give up.
196  *
197  * Giving up means we disable applayer an set an applayer event
198  */
199 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
200  Flow *f, TcpSession *ssn, Packet *p)
201 {
202  uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
203  uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
204  SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
205 
206 #ifdef DEBUG_VALIDATION
207  if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
208  BUG_ON(size_ts > 1000000UL);
209  if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
210  BUG_ON(size_tc > 1000000UL);
211 #endif /* DEBUG_VALIDATION */
212 
213  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
214  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
215  {
216  goto failure;
217 
218  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
219  size_ts > 100000 && size_tc == 0)
220  {
221  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
222  APPLAYER_PROTO_DETECTION_SKIPPED);
223  goto failure;
224 
225  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
226  size_tc > 100000 && size_ts == 0)
227  {
228  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
229  APPLAYER_PROTO_DETECTION_SKIPPED);
230  goto failure;
231 
232  /* little data in ts direction, pp done, pm not done (max
233  * depth not reached), ts direction done, lots of data in
234  * tc direction. */
235  } else if (size_tc > 100000 &&
236  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
237  FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
238  {
239  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
240  APPLAYER_PROTO_DETECTION_SKIPPED);
241  goto failure;
242 
243  /* little data in tc direction, pp done, pm not done (max
244  * depth not reached), tc direction done, lots of data in
245  * ts direction. */
246  } else if (size_ts > 100000 &&
247  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
248  FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
249  {
250  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
251  APPLAYER_PROTO_DETECTION_SKIPPED);
252  goto failure;
253 
254  /* in case of really low TS data (e.g. 4 bytes) we can have
255  * the PP complete, PM not complete (depth not reached) and
256  * the TC side also not recognized (proto unknown) */
257  } else if (size_tc > 100000 &&
258  FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
259  (!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
260  {
261  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
262  APPLAYER_PROTO_DETECTION_SKIPPED);
263  goto failure;
264  }
265  return;
266 
267 failure:
268  DisableAppLayer(tv, f, p);
269  return;
270 }
271 
272 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
273  TcpReassemblyThreadCtx *ra_ctx,
274  Packet *p, TcpSession *ssn, TcpStream *stream)
275 {
276  TcpStream *opposing_stream = NULL;
277  if (stream == &ssn->client) {
278  opposing_stream = &ssn->server;
279  } else {
280  opposing_stream = &ssn->client;
281  }
282 
283  /* if the opposing side is not going to work, then
284  * we just have to give up. */
285  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
286  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
287  return -1;
288  }
289 
290  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
291  UPDATE_DIR_OPPOSING :
292  UPDATE_DIR_PACKET;
293  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
294  opposing_stream, p, dir);
295  return ret;
296 }
297 
298 /** \todo data const */
299 static int TCPProtoDetect(ThreadVars *tv,
300  TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301  Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
302  uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304  AppProto *alproto;
305  AppProto *alproto_otherdir;
306 
307  if (flags & STREAM_TOSERVER) {
308  alproto = &f->alproto_ts;
309  alproto_otherdir = &f->alproto_tc;
310  } else {
311  alproto = &f->alproto_tc;
312  alproto_otherdir = &f->alproto_ts;
313  }
314 
315  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
316 #ifdef PRINT
317  if (data_len > 0) {
318  printf("=> Init Stream Data (app layer) -- start %s%s\n",
319  flags & STREAM_TOCLIENT ? "toclient" : "",
320  flags & STREAM_TOSERVER ? "toserver" : "");
321  PrintRawDataFp(stdout, data, data_len);
322  printf("=> Init Stream Data -- end\n");
323  }
324 #endif
325 
326  bool reverse_flow = false;
327  PACKET_PROFILING_APP_PD_START(app_tctx);
328  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
329  f, data, data_len,
330  IPPROTO_TCP, flags, &reverse_flow);
331  PACKET_PROFILING_APP_PD_END(app_tctx);
332  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
333 
334  if (*alproto != ALPROTO_UNKNOWN) {
335  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
336  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
337  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
338 
339  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
340  /* if we already invoked the parser, we go with that proto */
341  f->alproto = *alproto_otherdir;
342  } else {
343  /* no data sent to parser yet, we can still choose
344  * we're trusting the server more. */
345  if (flags & STREAM_TOCLIENT)
346  f->alproto = *alproto;
347  else
348  f->alproto = *alproto_otherdir;
349  }
350  } else {
351  f->alproto = *alproto;
352  }
353 
354  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
355  TcpSessionSetReassemblyDepth(ssn,
356  AppLayerParserGetStreamDepth(f));
357  FlagPacketFlow(p, f, flags);
358  /* if protocol detection indicated that we need to reverse
359  * the direction of the flow, do it now. We flip the flow,
360  * packet and the direction flags */
361  if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
362  SCLogDebug("reversing flow after proto detect told us so");
363  PacketSwap(p);
364  FlowSwap(f);
365  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
366  if (*stream == &ssn->client) {
367  *stream = &ssn->server;
368  } else {
369  *stream = &ssn->client;
370  }
371  }
372 
373  /* account flow if we have both sides */
374  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
375  AppLayerIncFlowCounter(tv, f);
376  }
377 
378  /* if we have seen data from the other direction first, send
379  * data for that direction first to the parser. This shouldn't
380  * be an issue, since each stream processing happens
381  * independently of the other stream direction. At this point of
382  * call, you need to know that this function's already being
383  * called by the very same StreamReassembly() function that we
384  * will now call shortly for the opposing direction. */
385  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
386  !(flags & ssn->data_first_seen_dir))
387  {
388  SCLogDebug("protocol %s needs first data in other direction",
389  AppProtoToString(*alproto));
390 
391  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
392  p, ssn, *stream) != 0)
393  {
394  DisableAppLayer(tv, f, p);
395  goto failure;
396  }
397  }
398 
399  /* if the parser operates such that it needs to see data from
400  * a particular direction first, we check if we have seen
401  * data from that direction first for the flow. IF it is not
402  * the same, we set an event and exit.
403  *
404  * \todo We need to figure out a more robust solution for this,
405  * as this can lead to easy evasion tactics, where the
406  * attackeer can first send some dummy data in the wrong
407  * direction first to mislead our proto detection process.
408  * While doing this we need to update the parsers as well,
409  * since the parsers must be robust to see such wrong
410  * direction data.
411  * Either ways the moment we see the
412  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
413  * flow, it shows something's fishy.
414  */
415  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
416  uint8_t first_data_dir;
417  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
418 
419  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
420  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
421  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
422  DisableAppLayer(tv, f, p);
423  goto failure;
424  }
425  /* This can happen if the current direction is not the
426  * right direction, and the data from the other(also
427  * the right direction) direction is available to be sent
428  * to the app layer, but it is not ack'ed yet and hence
429  * the forced call to STreamTcpAppLayerReassemble still
430  * hasn't managed to send data from the other direction
431  * to the app layer. */
432  if (first_data_dir && !(first_data_dir & flags)) {
433  FlowCleanupAppLayer(f);
434  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
435  FLOW_RESET_PP_DONE(f, flags);
436  FLOW_RESET_PM_DONE(f, flags);
437  FLOW_RESET_PE_DONE(f, flags);
438  goto failure;
439  }
440  }
441 
442  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
443  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
444 
445  /* finally, invoke the parser */
446  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
447  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
448  flags, data, data_len);
449  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
450  if (r < 0)
451  goto failure;
452  (*stream)->app_progress_rel += data_len;
453 
454  } else {
455  /* if the ssn is midstream, we may end up with a case where the
456  * start of an HTTP request is missing. We won't detect HTTP based
457  * on the request. However, the reply is fine, so we detect
458  * HTTP anyway. This leads to passing the incomplete request to
459  * the htp parser.
460  *
461  * This has been observed, where the http parser then saw many
462  * bogus requests in the incomplete data.
463  *
464  * To counter this case, a midstream session MUST find it's
465  * protocol in the toserver direction. If not, we assume the
466  * start of the request/toserver is incomplete and no reliable
467  * detection and parsing is possible. So we give up.
468  */
469  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
470  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
471  {
472  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
473  SCLogDebug("midstream end pd %p", ssn);
474  /* midstream and toserver detection failed: give up */
475  DisableAppLayer(tv, f, p);
476  goto end;
477  }
478  }
479 
480  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
481  uint8_t first_data_dir;
482  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
483 
484  /* this would handle this test case -
485  * http parser which says it wants to see toserver data first only.
486  * tcp handshake
487  * toclient data first received. - RUBBISH DATA which
488  * we don't detect as http
489  * toserver data next sent - we detect this as http.
490  * at this stage we see that toclient is the first data seen
491  * for this session and we try and redetect the app protocol,
492  * but we are unable to detect the app protocol like before.
493  * But since we have managed to detect the protocol for the
494  * other direction as http, we try to use that. At this
495  * stage we check if the direction of this stream matches
496  * to that acceptable by the app parser. If it is not the
497  * acceptable direction we error out.
498  */
499  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
500  (first_data_dir) && !(first_data_dir & flags))
501  {
502  DisableAppLayer(tv, f, p);
503  goto failure;
504  }
505 
506  /* if protocol detection is marked done for our direction we
507  * pass our data on. We're only succeeded in finding one
508  * direction: the opposing stream
509  *
510  * If PD was not yet complete, we don't do anything.
511  */
512  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
513  if (data_len > 0)
514  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
515 
516  if (*alproto_otherdir != ALPROTO_FAILED) {
517  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
518  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
519  f->alproto, flags,
520  data, data_len);
521  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
522  if (r >= 0) {
523  (*stream)->app_progress_rel += data_len;
524  }
525 
526  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
527  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
528  TcpSessionSetReassemblyDepth(ssn,
529  AppLayerParserGetStreamDepth(f));
530 
531  *alproto = *alproto_otherdir;
532  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
533  p->pcap_cnt, *alproto, *alproto_otherdir, r);
534  if (r < 0)
535  goto failure;
536  }
537  *alproto = ALPROTO_FAILED;
538  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
539  AppLayerIncFlowCounter(tv, f);
540  FlagPacketFlow(p, f, flags);
541 
542  }
543  } else {
544  /* both sides unknown, let's see if we need to give up */
545  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
546  }
547  }
548 end:
549  return 0;
550 
551 failure:
552  return -1;
553 }
554 
555 /** \brief handle TCP data for the app-layer.
556  *
557  * First run protocol detection and then when the protocol is known invoke
558  * the app layer parser.
559  *
560  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
561  * reversed.
562  */
563 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
564  Packet *p, Flow *f,
565  TcpSession *ssn, TcpStream **stream,
566  uint8_t *data, uint32_t data_len,
567  uint8_t flags)
568 {
569  SCEnter();
570 
571  DEBUG_ASSERT_FLOW_LOCKED(f);
572 
573  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
574  AppProto alproto;
575  int r = 0;
576 
577  SCLogDebug("data_len %u flags %02X", data_len, flags);
578  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
579  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
580  goto end;
581  }
582 
583  if (flags & STREAM_TOSERVER) {
584  alproto = f->alproto_ts;
585  } else {
586  alproto = f->alproto_tc;
587  }
588 
589  /* If a gap notification, relay the notification on to the
590  * app-layer if known. */
591  if (flags & STREAM_GAP) {
592  if (alproto == ALPROTO_UNKNOWN) {
593  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
594  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
595  /* if the other side didn't already find the proto, we're done */
596  if (f->alproto == ALPROTO_UNKNOWN) {
597  goto failure;
598  }
599  }
600  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
601  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
602  flags, data, data_len);
603  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
604  /* ignore parser result for gap */
605  (*stream)->app_progress_rel += data_len;
606  goto end;
607  }
608 
609  /* if we don't know the proto yet and we have received a stream
610  * initializer message, we run proto detection.
611  * We receive 2 stream init msgs (one for each direction) but we
612  * only run the proto detection once. */
613  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
614  /* run protocol detection */
615  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
616  data, data_len, flags) != 0) {
617  goto failure;
618  }
619  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
620  f->alproto_orig = f->alproto;
621  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
622  AppLayerProtoDetectReset(f);
623  /* rerun protocol detection */
624  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
625  data, data_len, flags) != 0) {
626  SCLogDebug("proto detect failure");
627  goto failure;
628  }
629  SCLogDebug("protocol change, old %s, new %s",
630  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
631 
632  if (f->alproto_expect != ALPROTO_UNKNOWN &&
633  f->alproto != f->alproto_expect)
634  {
635  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
636  APPLAYER_UNEXPECTED_PROTOCOL);
637 
638  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
639  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
640  APPLAYER_NO_TLS_AFTER_STARTTLS);
641 
642  }
643  }
644  } else {
645  SCLogDebug("stream data (len %" PRIu32 " alproto "
646  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
647 #ifdef PRINT
648  if (data_len > 0) {
649  printf("=> Stream Data (app layer) -- start %s%s\n",
650  flags & STREAM_TOCLIENT ? "toclient" : "",
651  flags & STREAM_TOSERVER ? "toserver" : "");
652  PrintRawDataFp(stdout, data, data_len);
653  printf("=> Stream Data -- end\n");
654  }
655 #endif
656  /* if we don't have a data object here we are not getting it
657  * a start msg should have gotten us one */
658  if (f->alproto != ALPROTO_UNKNOWN) {
659  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
660  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
661  flags, data, data_len);
662  PACKET_PROFILING_APP_END(app_tctx, f->alproto);
663  if (r >= 0) {
664  (*stream)->app_progress_rel += data_len;
665  }
666  }
667  }
668 
669  goto end;
670  failure:
671  r = -1;
672  end:
673  SCReturnInt(r);
674 }
675 
676 /**
677  * \brief Handle a app layer UDP message
678  *
679  * If the protocol is yet unknown, the proto detection code is run first.
680  *
681  * \param dp_ctx Thread app layer detect context
682  * \param f *locked* flow
683  * \param p UDP packet
684  *
685  * \retval 0 ok
686  * \retval -1 error
687  */
688 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
689 {
690  SCEnter();
691 
692  if (f->alproto == ALPROTO_FAILED) {
693  SCReturnInt(0);
694  }
695 
696  int r = 0;
697  uint8_t flags = 0;
698  if (p->flowflags & FLOW_PKT_TOSERVER) {
699  flags |= STREAM_TOSERVER;
700  } else {
701  flags |= STREAM_TOCLIENT;
702  }
703 
704  AppLayerProfilingReset(tctx);
705 
706  /* if the protocol is still unknown, run detection */
707  if (f->alproto == ALPROTO_UNKNOWN) {
708  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
709  p->payload_len);
710 
711  bool reverse_flow = false;
712  PACKET_PROFILING_APP_PD_START(tctx);
713  f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
714  f, p->payload, p->payload_len,
715  IPPROTO_UDP, flags, &reverse_flow);
716  PACKET_PROFILING_APP_PD_END(tctx);
717 
718  if (f->alproto != ALPROTO_UNKNOWN) {
719  AppLayerIncFlowCounter(tv, f);
720 
721  if (reverse_flow) {
722  SCLogDebug("reversing flow after proto detect told us so");
723  PacketSwap(p);
724  FlowSwap(f);
725  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
726  }
727 
728  PACKET_PROFILING_APP_START(tctx, f->alproto);
729  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
730  flags, p->payload, p->payload_len);
731  PACKET_PROFILING_APP_END(tctx, f->alproto);
732  } else {
733  f->alproto = ALPROTO_FAILED;
734  AppLayerIncFlowCounter(tv, f);
735  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
736  }
737  PACKET_PROFILING_APP_STORE(tctx, p);
738  /* we do only inspection in one direction, so flag both
739  * sides as done here */
740  FlagPacketFlow(p, f, STREAM_TOSERVER);
741  FlagPacketFlow(p, f, STREAM_TOCLIENT);
742  } else {
743  SCLogDebug("data (len %" PRIu32 " ), alproto "
744  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
745 
746  /* run the parser */
747  PACKET_PROFILING_APP_START(tctx, f->alproto);
748  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
749  flags, p->payload, p->payload_len);
750  PACKET_PROFILING_APP_END(tctx, f->alproto);
751  PACKET_PROFILING_APP_STORE(tctx, p);
752  }
753 
754  SCReturnInt(r);
755 }
756 
757 /***** Utility *****/
758 
759 AppProto AppLayerGetProtoByName(char *alproto_name)
760 {
761  SCEnter();
762  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
763  SCReturnCT(r, "AppProto");
764 }
765 
766 const char *AppLayerGetProtoName(AppProto alproto)
767 {
768  SCEnter();
769  const char * r = AppLayerProtoDetectGetProtoName(alproto);
770  SCReturnCT(r, "char *");
771 }
772 
773 void AppLayerListSupportedProtocols(void)
774 {
775  SCEnter();
776 
777  AppProto alproto;
778  AppProto alprotos[ALPROTO_MAX];
779 
780  AppLayerProtoDetectSupportedAppProtocols(alprotos);
781 
782  printf("=========Supported App Layer Protocols=========\n");
783  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
784  if (alprotos[alproto] == 1)
785  printf("%s\n", AppLayerGetProtoName(alproto));
786  }
787 
788  SCReturn;
789 }
790 
791 /***** Setup/General Registration *****/
792 
793 int AppLayerSetup(void)
794 {
795  SCEnter();
796 
797  AppLayerProtoDetectSetup();
798  AppLayerParserSetup();
799 
800  AppLayerParserRegisterProtocolParsers();
801  AppLayerProtoDetectPrepareState();
802 
803  AppLayerSetupCounters();
804 
805  SCReturnInt(0);
806 }
807 
808 int AppLayerDeSetup(void)
809 {
810  SCEnter();
811 
812  AppLayerProtoDetectDeSetup();
813  AppLayerParserDeSetup();
814 
815  AppLayerDeSetupCounters();
816 
817  SCReturnInt(0);
818 }
819 
820 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
821 {
822  SCEnter();
823 
824  AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
825  if (app_tctx == NULL)
826  goto error;
827  memset(app_tctx, 0, sizeof(*app_tctx));
828 
829  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
830  goto error;
831  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
832  goto error;
833 
834  goto done;
835  error:
836  AppLayerDestroyCtxThread(app_tctx);
837  app_tctx = NULL;
838  done:
839  SCReturnPtr(app_tctx, "void *");
840 }
841 
842 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
843 {
844  SCEnter();
845 
846  if (app_tctx == NULL)
847  SCReturn;
848 
849  if (app_tctx->alpd_tctx != NULL)
850  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
851  if (app_tctx->alp_tctx != NULL)
852  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
853  SCFree(app_tctx);
854 
855  SCReturn;
856 }
857 
858 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
859 {
860  PACKET_PROFILING_APP_RESET(app_tctx);
861 }
862 
863 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
864 {
865  PACKET_PROFILING_APP_STORE(app_tctx, p);
866 }
867 
868 /** \brief HACK to work around our broken unix manager (re)init loop
869  */
870 void AppLayerRegisterGlobalCounters(void)
871 {
872  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
873  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
874  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
875  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
876  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
877 }
878 
879 #define IPPROTOS_MAX 2
880 void AppLayerSetupCounters()
881 {
882  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
883  uint8_t ipproto;
884  AppProto alproto;
885  AppProto alprotos[ALPROTO_MAX];
886  const char *str = "app_layer.flow.";
887 
888  AppLayerProtoDetectSupportedAppProtocols(alprotos);
889 
890  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
891  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
892  uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
893  const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
894 
895  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
896  if (alprotos[alproto] == 1) {
897  const char *tx_str = "app_layer.tx.";
898  const char *alproto_str = AppLayerGetProtoName(alproto);
899 
900  if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
901  AppLayerParserProtoIsRegistered(other_ipproto, alproto))
902  {
903  snprintf(applayer_counter_names[ipproto_map][alproto].name,
904  sizeof(applayer_counter_names[ipproto_map][alproto].name),
905  "%s%s%s", str, alproto_str, ipproto_suffix);
906  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
907  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
908  "%s%s%s", tx_str, alproto_str, ipproto_suffix);
909  } else {
910  snprintf(applayer_counter_names[ipproto_map][alproto].name,
911  sizeof(applayer_counter_names[ipproto_map][alproto].name),
912  "%s%s", str, alproto_str);
913  snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
914  sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
915  "%s%s", tx_str, alproto_str);
916  }
917  } else if (alproto == ALPROTO_FAILED) {
918  snprintf(applayer_counter_names[ipproto_map][alproto].name,
919  sizeof(applayer_counter_names[ipproto_map][alproto].name),
920  "%s%s%s", str, "failed", ipproto_suffix);
921  }
922  }
923  }
924 }
925 
926 void AppLayerRegisterThreadCounters(ThreadVars *tv)
927 {
928  uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
929  uint8_t ipproto;
930  AppProto alproto;
931  AppProto alprotos[ALPROTO_MAX];
932 
933  AppLayerProtoDetectSupportedAppProtocols(alprotos);
934 
935  for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
936  uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
937 
938  for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
939  if (alprotos[alproto] == 1) {
940  applayer_counters[ipproto_map][alproto].counter_id =
941  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
942 
943  applayer_counters[ipproto_map][alproto].counter_tx_id =
944  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
945  } else if (alproto == ALPROTO_FAILED) {
946  applayer_counters[ipproto_map][alproto].counter_id =
947  StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
948  }
949  }
950  }
951 }
952 
953 void AppLayerDeSetupCounters()
954 {
955  memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
956  memset(applayer_counters, 0, sizeof(applayer_counters));
957 }
958 
959 /***** Unittests *****/
960 
961 #ifdef UNITTESTS
962 #include "pkt-var.h"
963 #include "stream-tcp.h"
964 #include "stream-tcp-util.h"
965 #include "stream.h"
966 #include "util-unittest.h"
967 
968 #define TEST_START \
969  Packet *p = SCMalloc(SIZE_OF_PACKET);\
970  FAIL_IF_NULL(p);\
971  Flow f;\
972  ThreadVars tv;\
973  StreamTcpThread *stt = NULL;\
974  TCPHdr tcph;\
975  PacketQueue pq;\
976  memset(&pq,0,sizeof(PacketQueue));\
977  memset(p, 0, SIZE_OF_PACKET);\
978  memset (&f, 0, sizeof(Flow));\
979  memset(&tv, 0, sizeof (ThreadVars));\
980  memset(&tcph, 0, sizeof (TCPHdr));\
981 \
982  FLOW_INITIALIZE(&f);\
983  f.flags = FLOW_IPV4;\
984  f.proto = IPPROTO_TCP;\
985  p->flow = &f;\
986  p->tcph = &tcph;\
987 \
988  StreamTcpInitConfig(TRUE);\
989  IPPairInitConfig(TRUE); \
990  StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
991 \
992  /* handshake */\
993  tcph.th_win = htons(5480);\
994  tcph.th_flags = TH_SYN;\
995  p->flowflags = FLOW_PKT_TOSERVER;\
996  p->payload_len = 0;\
997  p->payload = NULL;\
998  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
999  TcpSession *ssn = (TcpSession *)f.protoctx;\
1000 \
1001  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1002  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1003  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1004  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1005  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1006  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1007  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1008  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1009  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1010  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1011  FAIL_IF(ssn->data_first_seen_dir != 0);\
1012 \
1013  /* handshake */\
1014  p->tcph->th_ack = htonl(1);\
1015  p->tcph->th_flags = TH_SYN | TH_ACK;\
1016  p->flowflags = FLOW_PKT_TOCLIENT;\
1017  p->payload_len = 0;\
1018  p->payload = NULL;\
1019  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1020  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1021  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1022  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1023  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1024  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1025  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1026  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1027  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1028  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1029  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1030  FAIL_IF(ssn->data_first_seen_dir != 0);\
1031 \
1032  /* handshake */\
1033  p->tcph->th_ack = htonl(1);\
1034  p->tcph->th_seq = htonl(1);\
1035  p->tcph->th_flags = TH_ACK;\
1036  p->flowflags = FLOW_PKT_TOSERVER;\
1037  p->payload_len = 0;\
1038  p->payload = NULL;\
1039  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1040  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1041  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1042  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1043  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1044  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1045  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1046  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1047  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1048  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1049  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1050  FAIL_IF(ssn->data_first_seen_dir != 0);
1051 #define TEST_END \
1052  StreamTcpSessionClear(p->flow->protoctx);\
1053  StreamTcpThreadDeinit(&tv, (void *)stt); \
1054  StreamTcpFreeConfig(TRUE);\
1055  PACKET_DESTRUCTOR(p);\
1056  SCFree(p);\
1057  FLOW_DESTROY(&f); \
1058  StatsThreadCleanup(&tv);
1059 
1060 /**
1061  * \test GET -> HTTP/1.1
1062  */
1063 static int AppLayerTest01(void)
1064 {
1065  TEST_START;
1066 
1067  /* full request */
1068  uint8_t request[] = {
1069  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1070  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1071  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1072  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1073  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1074  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1075  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1076  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1077  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1078  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1079  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1080  p->tcph->th_ack = htonl(1);
1081  p->tcph->th_seq = htonl(1);
1082  p->tcph->th_flags = TH_PUSH | TH_ACK;
1083  p->flowflags = FLOW_PKT_TOSERVER;
1084  p->payload_len = sizeof(request);
1085  p->payload = request;
1086  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1087  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1088  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1089  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1090  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1091  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1092  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1093  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1094  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1095  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1096  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1097  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1098 
1099  /* full response - request ack */
1100  uint8_t response[] = {
1101  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1102  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1103  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1104  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1105  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1106  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1107  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1108  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1109  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1110  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1111  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1112  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1113  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1114  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1115  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1116  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1117  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1118  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1119  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1120  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1121  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1122  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1123  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1124  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1125  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1126  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1127  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1128  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1129  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1130  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1131  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1132  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1133  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1134  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1135  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1136  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1137  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1138  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1139  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1140  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1141  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1142  p->tcph->th_ack = htonl(88);
1143  p->tcph->th_seq = htonl(1);
1144  p->tcph->th_flags = TH_PUSH | TH_ACK;
1145  p->flowflags = FLOW_PKT_TOCLIENT;
1146  p->payload_len = sizeof(response);
1147  p->payload = response;
1148  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1149  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1150  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1151  FAIL_IF(f.alproto != ALPROTO_HTTP);
1152  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1153  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1154  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1155  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1156  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1157  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1158  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1159  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1160 
1161  /* response ack */
1162  p->tcph->th_ack = htonl(328);
1163  p->tcph->th_seq = htonl(88);
1164  p->tcph->th_flags = TH_ACK;
1165  p->flowflags = FLOW_PKT_TOSERVER;
1166  p->payload_len = 0;
1167  p->payload = NULL;
1168  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1169  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1170  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1171  FAIL_IF(f.alproto != ALPROTO_HTTP);
1172  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1173  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1174  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1175  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1176  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1177  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1178  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1179  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1180 
1181  TEST_END;
1182  PASS;
1183 }
1184 
1185 /**
1186  * \test GE -> T -> HTTP/1.1
1187  */
1188 static int AppLayerTest02(void)
1189 {
1190  TEST_START;
1191 
1192  /* partial request */
1193  uint8_t request1[] = { 0x47, 0x45, };
1194  p->tcph->th_ack = htonl(1);
1195  p->tcph->th_seq = htonl(1);
1196  p->tcph->th_flags = TH_PUSH | TH_ACK;
1197  p->flowflags = FLOW_PKT_TOSERVER;
1198  p->payload_len = sizeof(request1);
1199  p->payload = request1;
1200  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1201  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1202  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1203  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1204  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1205  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1206  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1207  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1208  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1209  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1210  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1211  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1212 
1213  /* response ack against partial request */
1214  p->tcph->th_ack = htonl(3);
1215  p->tcph->th_seq = htonl(1);
1216  p->tcph->th_flags = TH_ACK;
1217  p->flowflags = FLOW_PKT_TOCLIENT;
1218  p->payload_len = 0;
1219  p->payload = NULL;
1220  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1221  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1222  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1223  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1224  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1225  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1226  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1227  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1228  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1229  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1230  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1231  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1232 
1233  /* complete partial request */
1234  uint8_t request2[] = {
1235  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1236  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1237  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1238  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1239  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1240  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1241  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1242  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1243  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1244  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1245  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1246  p->tcph->th_ack = htonl(1);
1247  p->tcph->th_seq = htonl(3);
1248  p->tcph->th_flags = TH_PUSH | TH_ACK;
1249  p->flowflags = FLOW_PKT_TOSERVER;
1250  p->payload_len = sizeof(request2);
1251  p->payload = request2;
1252  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1253  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1254  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1255  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1256  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1257  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1258  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1259  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1260  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1261  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1262  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1263  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1264 
1265  /* response - request ack */
1266  uint8_t response[] = {
1267  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1268  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1269  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1270  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1271  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1272  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1273  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1274  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1275  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1276  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1277  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1278  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1279  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1280  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1281  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1282  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1283  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1284  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1285  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1286  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1287  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1288  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1289  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1290  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1291  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1292  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1293  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1294  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1295  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1296  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1297  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1298  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1299  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1300  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1301  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1302  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1303  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1304  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1305  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1306  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1307  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1308  p->tcph->th_ack = htonl(88);
1309  p->tcph->th_seq = htonl(1);
1310  p->tcph->th_flags = TH_PUSH | TH_ACK;
1311  p->flowflags = FLOW_PKT_TOCLIENT;
1312  p->payload_len = sizeof(response);
1313  p->payload = response;
1314  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1315  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1316  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1317  FAIL_IF(f.alproto != ALPROTO_HTTP);
1318  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1319  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1320  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1321  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1322  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1323  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1324  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1325  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1326 
1327  /* response ack */
1328  p->tcph->th_ack = htonl(328);
1329  p->tcph->th_seq = htonl(88);
1330  p->tcph->th_flags = TH_ACK;
1331  p->flowflags = FLOW_PKT_TOSERVER;
1332  p->payload_len = 0;
1333  p->payload = NULL;
1334  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1335  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1336  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1337  FAIL_IF(f.alproto != ALPROTO_HTTP);
1338  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1339  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1340  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1341  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1342  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1343  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1344  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1345  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1346 
1347  TEST_END;
1348  PASS;
1349 }
1350 
1351 /**
1352  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1353  */
1354 static int AppLayerTest03(void)
1355 {
1356  TEST_START;
1357 
1358  /* request */
1359  uint8_t request[] = {
1360  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1361  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1362  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1363  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1364  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1365  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1366  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1367  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1368  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1369  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1370  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1371  p->tcph->th_ack = htonl(1);
1372  p->tcph->th_seq = htonl(1);
1373  p->tcph->th_flags = TH_PUSH | TH_ACK;
1374  p->flowflags = FLOW_PKT_TOSERVER;
1375  p->payload_len = sizeof(request);
1376  p->payload = request;
1377  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1378  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1379  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1380  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1381  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1382  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1383  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1384  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1385  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1386  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1387  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1388  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1389 
1390  /* rubbish response */
1391  uint8_t response[] = {
1392  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1393  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1394  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1395  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1396  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1397  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1398  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1399  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1400  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1401  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1402  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1403  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1404  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1405  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1406  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1407  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1408  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1409  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1410  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1411  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1412  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1413  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1414  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1415  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1416  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1417  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1418  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1419  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1420  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1421  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1422  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1423  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1424  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1425  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1426  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1427  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1428  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1429  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1430  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1431  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1432  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1433  p->tcph->th_ack = htonl(88);
1434  p->tcph->th_seq = htonl(1);
1435  p->tcph->th_flags = TH_PUSH | TH_ACK;
1436  p->flowflags = FLOW_PKT_TOCLIENT;
1437  p->payload_len = sizeof(response);
1438  p->payload = response;
1439  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1440  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1441  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1442  FAIL_IF(f.alproto != ALPROTO_HTTP);
1443  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1444  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1445  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1446  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1447  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1448  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1449  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1450  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1451 
1452  /* response ack */
1453  p->tcph->th_ack = htonl(328);
1454  p->tcph->th_seq = htonl(88);
1455  p->tcph->th_flags = TH_ACK;
1456  p->flowflags = FLOW_PKT_TOSERVER;
1457  p->payload_len = 0;
1458  p->payload = NULL;
1459  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1460  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1461  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1462  FAIL_IF(f.alproto != ALPROTO_HTTP);
1463  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1464  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1465  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1466  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1467  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1468  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1469  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1470  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1471 
1472  TEST_END;
1473  PASS;
1474 }
1475 
1476 /**
1477  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1478  */
1479 static int AppLayerTest04(void)
1480 {
1481  TEST_START;
1482 
1483  /* request */
1484  uint8_t request[] = {
1485  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1486  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1487  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1488  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1489  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1490  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1491  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1492  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1493  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1494  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1495  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1496  PrintRawDataFp(stdout, request, sizeof(request));
1497  p->tcph->th_ack = htonl(1);
1498  p->tcph->th_seq = htonl(1);
1499  p->tcph->th_flags = TH_PUSH | TH_ACK;
1500  p->flowflags = FLOW_PKT_TOSERVER;
1501  p->payload_len = sizeof(request);
1502  p->payload = request;
1503  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1504  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1505  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1506  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1507  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1508  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1509  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1510  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1511  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1512  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1513  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1514  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1515 
1516  /* partial response */
1517  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1518  PrintRawDataFp(stdout, response1, sizeof(response1));
1519  p->tcph->th_ack = htonl(88);
1520  p->tcph->th_seq = htonl(1);
1521  p->tcph->th_flags = TH_PUSH | TH_ACK;
1522  p->flowflags = FLOW_PKT_TOCLIENT;
1523  p->payload_len = sizeof(response1);
1524  p->payload = response1;
1525  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1526  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1527  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1528  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1529  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1530  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1531  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1532  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1533  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1534  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1535  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1536  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1537 
1538  /* partial response ack */
1539  p->tcph->th_ack = htonl(5);
1540  p->tcph->th_seq = htonl(88);
1541  p->tcph->th_flags = TH_ACK;
1542  p->flowflags = FLOW_PKT_TOSERVER;
1543  p->payload_len = 0;
1544  p->payload = NULL;
1545  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1546  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1547  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1548  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1549  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1550  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1551  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1552  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1553  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1554  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1555  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1556  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1557 
1558  /* remaining response */
1559  uint8_t response2[] = {
1560  0x2f, 0x31, 0x2e, 0x31,
1561  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1562  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1563  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1564  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1565  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1566  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1567  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1568  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1569  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1570  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1571  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1572  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1573  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1574  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1575  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1576  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1577  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1578  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1579  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1580  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1581  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1582  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1583  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1584  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1585  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1586  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1587  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1588  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1589  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1590  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1591  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1592  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1593  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1594  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1595  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1596  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1597  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1598  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1599  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1600  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1601  PrintRawDataFp(stdout, response2, sizeof(response2));
1602  p->tcph->th_ack = htonl(88);
1603  p->tcph->th_seq = htonl(5);
1604  p->tcph->th_flags = TH_PUSH | TH_ACK;
1605  p->flowflags = FLOW_PKT_TOCLIENT;
1606  p->payload_len = sizeof(response2);
1607  p->payload = response2;
1608  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1609  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1610  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1611  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1612  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1613  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1614  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1615  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1616  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1617  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1618  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1619  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1620 
1621  /* response ack */
1622  p->tcph->th_ack = htonl(328);
1623  p->tcph->th_seq = htonl(88);
1624  p->tcph->th_flags = TH_ACK;
1625  p->flowflags = FLOW_PKT_TOSERVER;
1626  p->payload_len = 0;
1627  p->payload = NULL;
1628  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1629  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1630  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1631  FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1632  FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1633  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1634  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1635  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1636  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1637  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1638  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1639  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1640 
1641  TEST_END;
1642  PASS;
1643 }
1644 
1645 /**
1646  * \test RUBBISH -> HTTP/1.1
1647  */
1648 static int AppLayerTest05(void)
1649 {
1650  TEST_START;
1651 
1652  /* full request */
1653  uint8_t request[] = {
1654  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1655  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1656  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1657  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1658  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1659  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1660  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1661  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1662  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1663  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1664  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1665  PrintRawDataFp(stdout, request, sizeof(request));
1666  p->tcph->th_ack = htonl(1);
1667  p->tcph->th_seq = htonl(1);
1668  p->tcph->th_flags = TH_PUSH | TH_ACK;
1669  p->flowflags = FLOW_PKT_TOSERVER;
1670  p->payload_len = sizeof(request);
1671  p->payload = request;
1672  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1673  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1674  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1675  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1676  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1677  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1678  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1679  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1680  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1681  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1682  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1683  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1684 
1685  /* full response - request ack */
1686  uint8_t response[] = {
1687  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1688  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1689  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1690  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1691  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1692  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1693  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1694  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1695  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1696  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1697  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1698  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1699  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1700  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1701  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1702  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1703  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1704  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1705  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1706  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1707  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1708  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1709  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1710  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1711  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1712  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1713  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1714  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1715  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1716  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1717  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1718  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1719  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1720  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1721  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1722  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1723  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1724  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1725  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1726  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1727  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1728  PrintRawDataFp(stdout, response, sizeof(response));
1729  p->tcph->th_ack = htonl(88);
1730  p->tcph->th_seq = htonl(1);
1731  p->tcph->th_flags = TH_PUSH | TH_ACK;
1732  p->flowflags = FLOW_PKT_TOCLIENT;
1733  p->payload_len = sizeof(response);
1734  p->payload = response;
1735  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1736  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1737  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1738  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1739  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1740  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1741  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1742  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1743  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1744  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1745  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1746  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1747 
1748  /* response ack */
1749  p->tcph->th_ack = htonl(328);
1750  p->tcph->th_seq = htonl(88);
1751  p->tcph->th_flags = TH_ACK;
1752  p->flowflags = FLOW_PKT_TOSERVER;
1753  p->payload_len = 0;
1754  p->payload = NULL;
1755  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1756  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1757  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1758  FAIL_IF(f.alproto != ALPROTO_HTTP);
1759  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1760  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1761  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1762  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1763  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1764  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1765  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1766  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1767 
1768  TEST_END;
1769  PASS;
1770 }
1771 
1772 /**
1773  * \test HTTP/1.1 -> GET
1774  */
1775 static int AppLayerTest06(void)
1776 {
1777  TEST_START;
1778 
1779  /* full response - request ack */
1780  uint8_t response[] = {
1781  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1782  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1783  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1784  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1785  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1786  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1787  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1788  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1789  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1790  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1791  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1792  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1793  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1794  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1795  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1796  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1797  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1798  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1799  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1800  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1801  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1802  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1803  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1804  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1805  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1806  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1807  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1808  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1809  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1810  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1811  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1812  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1813  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1814  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1815  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1816  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1817  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1818  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1819  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1820  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1821  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1822  p->tcph->th_ack = htonl(1);
1823  p->tcph->th_seq = htonl(1);
1824  p->tcph->th_flags = TH_PUSH | TH_ACK;
1825  p->flowflags = FLOW_PKT_TOCLIENT;
1826  p->payload_len = sizeof(response);
1827  p->payload = response;
1828  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1829  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1830  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1831  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1832  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1833  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1834  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1835  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1836  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1837  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1838  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1839  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1840 
1841  /* full request - response ack*/
1842  uint8_t request[] = {
1843  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1844  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1845  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1846  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1847  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1848  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1849  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1850  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1851  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1852  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1853  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1854  p->tcph->th_ack = htonl(328);
1855  p->tcph->th_seq = htonl(1);
1856  p->tcph->th_flags = TH_PUSH | TH_ACK;
1857  p->flowflags = FLOW_PKT_TOSERVER;
1858  p->payload_len = sizeof(request);
1859  p->payload = request;
1860  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1861  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1862  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1863  FAIL_IF(f.alproto != ALPROTO_HTTP);
1864  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1865  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1866  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1867  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1868  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1869  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1870  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1871  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1872 
1873  p->tcph->th_ack = htonl(1 + sizeof(request));
1874  p->tcph->th_seq = htonl(328);
1875  p->tcph->th_flags = TH_PUSH | TH_ACK;
1876  p->flowflags = FLOW_PKT_TOCLIENT;
1877  p->payload_len = 0;
1878  p->payload = NULL;
1879  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1880  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1881  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1882  FAIL_IF(f.alproto != ALPROTO_HTTP);
1883  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1884  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1885  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1886  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1887  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1888  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1889  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1890  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1891 
1892  TEST_END;
1893  PASS;
1894 }
1895 
1896 /**
1897  * \test GET -> DCERPC
1898  */
1899 static int AppLayerTest07(void)
1900 {
1901  TEST_START;
1902 
1903  /* full request */
1904  uint8_t request[] = {
1905  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1906  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1907  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1908  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1909  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1910  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1911  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1912  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1913  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1914  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1915  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1916  p->tcph->th_ack = htonl(1);
1917  p->tcph->th_seq = htonl(1);
1918  p->tcph->th_flags = TH_PUSH | TH_ACK;
1919  p->flowflags = FLOW_PKT_TOSERVER;
1920  p->payload_len = sizeof(request);
1921  p->payload = request;
1922  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1923  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1924  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1925  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1926  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1927  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1928  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1929  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1930  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1931  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1932  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1933  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1934 
1935  /* full response - request ack */
1936  uint8_t response[] = {
1937  0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1938  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1939  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1940  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1941  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1942  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1943  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1944  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1945  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1946  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1947  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1948  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1949  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1950  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1951  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1952  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1953  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1954  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1955  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1956  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1957  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1958  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1959  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1960  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1961  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1962  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1963  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1964  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1965  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1966  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1967  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1968  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1969  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1970  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1971  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1972  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1973  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1974  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1975  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1976  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1977  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1978  p->tcph->th_ack = htonl(88);
1979  p->tcph->th_seq = htonl(1);
1980  p->tcph->th_flags = TH_PUSH | TH_ACK;
1981  p->flowflags = FLOW_PKT_TOCLIENT;
1982  p->payload_len = sizeof(response);
1983  p->payload = response;
1984  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1985  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1986  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1987  FAIL_IF(f.alproto != ALPROTO_HTTP);
1988  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1989  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1990  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1991  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1992  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1993  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1994  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1995  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1996 
1997  /* response ack */
1998  p->tcph->th_ack = htonl(328);
1999  p->tcph->th_seq = htonl(88);
2000  p->tcph->th_flags = TH_ACK;
2001  p->flowflags = FLOW_PKT_TOSERVER;
2002  p->payload_len = 0;
2003  p->payload = NULL;
2004  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2005  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2006  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2007  FAIL_IF(f.alproto != ALPROTO_HTTP);
2008  FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
2009  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2010  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2011  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2012  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2013  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2014  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2015  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2016 
2017  TEST_END;
2018  PASS;
2019 }
2020 
2021 /**
2022  * \test SMB -> HTTP/1.1
2023  */
2024 static int AppLayerTest08(void)
2025 {
2026  TEST_START;
2027 
2028  /* full request */
2029  uint8_t request[] = {
2030  0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2031  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2032  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2033  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2034  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2035  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2036  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2037  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2038  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2039  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2040  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2041  p->tcph->th_ack = htonl(1);
2042  p->tcph->th_seq = htonl(1);
2043  p->tcph->th_flags = TH_PUSH | TH_ACK;
2044  p->flowflags = FLOW_PKT_TOSERVER;
2045  p->payload_len = sizeof(request);
2046  p->payload = request;
2047  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2048  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2049  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2050  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2051  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2052  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2053  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2054  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2055  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2056  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2057  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2058  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2059 
2060  /* full response - request ack */
2061  uint8_t response[] = {
2062  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2063  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2064  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2065  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2066  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2067  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2068  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2069  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2070  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2071  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2072  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2073  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2074  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2075  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2076  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2077  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2078  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2079  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2080  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2081  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2082  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2083  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2084  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2085  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2086  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2087  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2088  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2089  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2090  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2091  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2092  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2093  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2094  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2095  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2096  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2097  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2098  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2099  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2100  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2101  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2102  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2103  p->tcph->th_ack = htonl(88);
2104  p->tcph->th_seq = htonl(1);
2105  p->tcph->th_flags = TH_PUSH | TH_ACK;
2106  p->flowflags = FLOW_PKT_TOCLIENT;
2107  p->payload_len = sizeof(response);
2108  p->payload = response;
2109  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2110  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2111  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2112  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2113  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2114  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2115  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2116  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2117  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2118  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2119  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2120  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2121 
2122  /* response ack */
2123  p->tcph->th_ack = htonl(328);
2124  p->tcph->th_seq = htonl(88);
2125  p->tcph->th_flags = TH_ACK;
2126  p->flowflags = FLOW_PKT_TOSERVER;
2127  p->payload_len = 0;
2128  p->payload = NULL;
2129  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2130  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2131  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2132  FAIL_IF(f.alproto != ALPROTO_DCERPC);
2133  FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2134  FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2135  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2136  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2137  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2138  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2139  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2140  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2141 
2142  TEST_END;
2143  PASS;
2144 }
2145 
2146 /**
2147  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2148  * RUBBISH(TC - PM and PP DONE) ->
2149  * RUBBISH(TS - PM and PP DONE)
2150  */
2151 static int AppLayerTest09(void)
2152 {
2153  TEST_START;
2154 
2155  /* full request */
2156  uint8_t request1[] = {
2157  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2158  p->tcph->th_ack = htonl(1);
2159  p->tcph->th_seq = htonl(1);
2160  p->tcph->th_flags = TH_PUSH | TH_ACK;
2161  p->flowflags = FLOW_PKT_TOSERVER;
2162  p->payload_len = sizeof(request1);
2163  p->payload = request1;
2164  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2165  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2166  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2167  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2168  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2169  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2170  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2171  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2172  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2173  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2174  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2175  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2176 
2177  /* response - request ack */
2178  p->tcph->th_ack = htonl(9);
2179  p->tcph->th_seq = htonl(1);
2180  p->tcph->th_flags = TH_PUSH | TH_ACK;
2181  p->flowflags = FLOW_PKT_TOCLIENT;
2182  p->payload_len = 0;
2183  p->payload = NULL;
2184  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2185  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2186  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2187  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2188  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2189  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2190  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2191  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2192  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2193  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2194  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2195  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2196 
2197  /* full request */
2198  uint8_t request2[] = {
2199  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2200  p->tcph->th_ack = htonl(1);
2201  p->tcph->th_seq = htonl(9);
2202  p->tcph->th_flags = TH_PUSH | TH_ACK;
2203  p->flowflags = FLOW_PKT_TOSERVER;
2204  p->payload_len = sizeof(request2);
2205  p->payload = request2;
2206  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2207  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2208  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2209  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2210  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2211  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2212  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2213  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2214  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2215  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2216  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2217  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2218 
2219  /* full response - request ack */
2220  uint8_t response[] = {
2221  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2222  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2223  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2224  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2225  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2226  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2227  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2228  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2229  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2230  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2231  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2232  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2233  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2234  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2235  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2236  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2237  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2238  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2239  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2240  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2241  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2242  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2243  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2244  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2245  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2246  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2247  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2248  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2249  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2250  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2251  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2252  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2253  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2254  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2255  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2256  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2257  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2258  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2259  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2260  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2261  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2262  p->tcph->th_ack = htonl(18);
2263  p->tcph->th_seq = htonl(1);
2264  p->tcph->th_flags = TH_PUSH | TH_ACK;
2265  p->flowflags = FLOW_PKT_TOCLIENT;
2266  p->payload_len = sizeof(response);
2267  p->payload = response;
2268  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2269  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2270  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2271  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2272  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2273  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2274  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2275  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2276  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2277  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2278  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2279  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2280 
2281  /* response ack */
2282  p->tcph->th_ack = htonl(328);
2283  p->tcph->th_seq = htonl(18);
2284  p->tcph->th_flags = TH_ACK;
2285  p->flowflags = FLOW_PKT_TOSERVER;
2286  p->payload_len = 0;
2287  p->payload = NULL;
2288  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2289  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2290  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2291  FAIL_IF(f.alproto != ALPROTO_FAILED);
2292  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2293  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2294  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2295  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2296  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2297  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2298  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2299  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2300 
2301  TEST_END;
2302  PASS;
2303 }
2304 
2305 /**
2306  * \test RUBBISH(TC - PM and PP DONE) ->
2307  * RUBBISH(TS - PM and PP DONE)
2308  */
2309 static int AppLayerTest10(void)
2310 {
2311  TEST_START;
2312 
2313  /* full request */
2314  uint8_t request1[] = {
2315  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2316  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2317  p->tcph->th_ack = htonl(1);
2318  p->tcph->th_seq = htonl(1);
2319  p->tcph->th_flags = TH_PUSH | TH_ACK;
2320  p->flowflags = FLOW_PKT_TOSERVER;
2321  p->payload_len = sizeof(request1);
2322  p->payload = request1;
2323  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2324  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2325  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2326  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2327  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2328  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2329  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2330  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2331  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2332  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2333  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2334  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2335 
2336  /* response - request ack */
2337  p->tcph->th_ack = htonl(18);
2338  p->tcph->th_seq = htonl(1);
2339  p->tcph->th_flags = TH_PUSH | TH_ACK;
2340  p->flowflags = FLOW_PKT_TOCLIENT;
2341  p->payload_len = 0;
2342  p->payload = NULL;
2343  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2344  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2345  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2346  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2347  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2348  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2349  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2350  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2351  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2352  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2353  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2354  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2355 
2356  /* full response - request ack */
2357  uint8_t response[] = {
2358  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2359  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2360  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2361  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2362  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2363  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2364  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2365  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2366  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2367  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2368  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2369  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2370  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2371  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2372  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2373  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2374  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2375  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2376  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2377  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2378  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2379  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2380  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2381  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2382  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2383  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2384  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2385  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2386  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2387  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2388  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2389  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2390  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2391  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2392  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2393  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2394  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2395  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2396  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2397  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2398  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2399  p->tcph->th_ack = htonl(18);
2400  p->tcph->th_seq = htonl(1);
2401  p->tcph->th_flags = TH_PUSH | TH_ACK;
2402  p->flowflags = FLOW_PKT_TOCLIENT;
2403  p->payload_len = sizeof(response);
2404  p->payload = response;
2405  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2406  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2407  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2408  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2409  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2410  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2411  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2412  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2413  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2414  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2415  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2416  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2417 
2418  /* response ack */
2419  p->tcph->th_ack = htonl(328);
2420  p->tcph->th_seq = htonl(18);
2421  p->tcph->th_flags = TH_ACK;
2422  p->flowflags = FLOW_PKT_TOSERVER;
2423  p->payload_len = 0;
2424  p->payload = NULL;
2425  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2426  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2427  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2428  FAIL_IF(f.alproto != ALPROTO_FAILED);
2429  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2430  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2431  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2432  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2433  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2434  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2435  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2436  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2437 
2438  TEST_END;
2439  PASS;
2440 }
2441 
2442 /**
2443  * \test RUBBISH(TC - PM and PP DONE) ->
2444  * RUBBISH(TS - PM and PP NOT DONE) ->
2445  * RUBBISH(TS - PM and PP DONE)
2446  */
2447 static int AppLayerTest11(void)
2448 {
2449  TEST_START;
2450 
2451  /* full request */
2452  uint8_t request1[] = {
2453  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2454  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2455  p->tcph->th_ack = htonl(1);
2456  p->tcph->th_seq = htonl(1);
2457  p->tcph->th_flags = TH_PUSH | TH_ACK;
2458  p->flowflags = FLOW_PKT_TOSERVER;
2459  p->payload_len = sizeof(request1);
2460  p->payload = request1;
2461  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2462  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2463  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2464  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2465  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2466  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2467  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2468  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2469  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2470  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2471  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2472  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2473 
2474  /* response - request ack */
2475  p->tcph->th_ack = htonl(18);
2476  p->tcph->th_seq = htonl(1);
2477  p->tcph->th_flags = TH_PUSH | TH_ACK;
2478  p->flowflags = FLOW_PKT_TOCLIENT;
2479  p->payload_len = 0;
2480  p->payload = NULL;
2481  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2482  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2483  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2484  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2485  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2486  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2487  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2488  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2489  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2490  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2491  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2492  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2493 
2494  /* full response - request ack */
2495  uint8_t response1[] = {
2496  0x55, 0x74, 0x54, 0x50, };
2497  p->tcph->th_ack = htonl(18);
2498  p->tcph->th_seq = htonl(1);
2499  p->tcph->th_flags = TH_PUSH | TH_ACK;
2500  p->flowflags = FLOW_PKT_TOCLIENT;
2501  p->payload_len = sizeof(response1);
2502  p->payload = response1;
2503  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2504  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2505  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2506  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2507  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2508  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2509  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2510  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2511  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2512  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2513  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2514  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2515 
2516  /* response ack from request */
2517  p->tcph->th_ack = htonl(5);
2518  p->tcph->th_seq = htonl(18);
2519  p->tcph->th_flags = TH_ACK;
2520  p->flowflags = FLOW_PKT_TOSERVER;
2521  p->payload_len = 0;
2522  p->payload = NULL;
2523  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2524  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2525  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2526  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2527  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2528  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2529  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2530  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2531  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2532  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2533  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2534  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2535 
2536  uint8_t response2[] = {
2537  0x2f, 0x31, 0x2e, 0x31,
2538  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2539  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2540  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2541  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2542  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2543  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2544  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2545  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2546  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2547  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2548  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2549  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2550  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2551  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2552  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2553  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2554  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2555  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2556  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2557  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2558  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2559  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2560  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2561  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2562  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2563  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2564  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2565  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2566  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2567  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2568  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2569  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2570  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2571  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2572  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2573  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2574  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2575  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2576  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2577  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2578  p->tcph->th_ack = htonl(18);
2579  p->tcph->th_seq = htonl(5);
2580  p->tcph->th_flags = TH_PUSH | TH_ACK;
2581  p->flowflags = FLOW_PKT_TOCLIENT;
2582  p->payload_len = sizeof(response2);
2583  p->payload = response2;
2584  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2585  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2586  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2587  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2588  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2589  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2590  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2591  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2592  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2593  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2594  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2595  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2596 
2597  /* response ack from request */
2598  p->tcph->th_ack = htonl(328);
2599  p->tcph->th_seq = htonl(18);
2600  p->tcph->th_flags = TH_ACK;
2601  p->flowflags = FLOW_PKT_TOSERVER;
2602  p->payload_len = 0;
2603  p->payload = NULL;
2604  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2605  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2606  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2607  FAIL_IF(f.alproto != ALPROTO_FAILED);
2608  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2609  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2610  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2611  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2612  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2613  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2614  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2615  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2616 
2617  TEST_END;
2618  PASS;
2619 }
2620 
2621 void AppLayerUnittestsRegister(void)
2622 {
2623  SCEnter();
2624 
2625  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2626  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2627  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2628  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2629  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2630  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2631  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2632  UtRegisterTest("AppLayerTest08", AppLayerTest08);
2633  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2634  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2635  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2636 
2637  SCReturn;
2638 }
2639 
2640 #endif /* UNITTESTS */
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2064
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:99
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:418
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
FlowSwap
void FlowSwap(Flow *f)
swap the flow&#39;s direction
Definition: flow.c:289
TcpSession_
Definition: stream-tcp-private.h:259
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1763
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:411
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:568
TEST_END
#define TEST_END
Definition: app-layer.c:1051
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:81
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:70
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
Flow_::proto
uint8_t proto
Definition: flow.h:344
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:808
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1565
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:243
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:61
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:197
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:858
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1489
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:378
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:336
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:85
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:186
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:98
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
IPPROTOS_MAX
#define IPPROTOS_MAX
Definition: app-layer.c:879
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:89
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:212
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:793
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:66
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:562
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:70
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:171
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:523
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:247
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:863
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:759
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1794
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:78
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:271
applayer_counter_names
AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:86
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:64
applayer_counters
AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]
Definition: app-layer.c:88
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:157
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:773
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:351
Flow_::protoctx
void * protoctx
Definition: flow.h:400
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:118
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:61
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:201
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1528
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:67
AppLayerCounters_
Definition: app-layer.c:80
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:943
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueue *pq)
Definition: stream-tcp.c:4725
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:415
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:410
str
#define str(s)
Definition: suricata-common.h:256
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:258
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:82
STREAM_GAP
#define STREAM_GAP
Definition: stream.h:33
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:820
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:248
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:270
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1118
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:108
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2621
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:91
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:240
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1399
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:38
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:177
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:253
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:277
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1001
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:439
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:264
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:275
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Packet_
Definition: decode.h:408
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1868
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:219
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:59
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags)
handle TCP data for the app-layer.
Definition: app-layer.c:563
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:953
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
TcpStream_
Definition: stream-tcp-private.h:94
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:74
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:69
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:113
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2047
SCFree
#define SCFree(a)
Definition: util-mem.h:322
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:268
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:226
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:249
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:842
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:870
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:161
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1184
STREAM_START
#define STREAM_START
Definition: stream.h:29
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:880
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
TEST_START
#define TEST_START
Definition: app-layer.c:968
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:199
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:256
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:6210
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:103
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:766
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp, id)
Definition: util-profiling.h:192
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2010
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:257
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:215
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1085
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:688
SCReturn
#define SCReturn
Definition: util-debug.h:339
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1956
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:167
Packet_::flags
uint32_t flags
Definition: decode.h:444
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:147
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:65
StreamTcpInlineMode
int StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:6204
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2069
AppLayerCounterNames_
Definition: app-layer.c:75
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:279
Flow_::protomap
uint8_t protomap
Definition: flow.h:404
Flow_
Flow data structure.
Definition: flow.h:325
Packet_::payload
uint8_t * payload
Definition: decode.h:541
Flow_::flags
uint32_t flags
Definition: flow.h:379
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:36
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:68
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:206
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:926
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1092
AppLayerParserProtoIsRegistered
int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:188
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1119
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:186