suricata
app-layer.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * Generic App-layer functions
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-htp-range.h"
35 #include "app-layer-detect-proto.h"
36 #include "app-layer-frames.h"
37 #include "stream-tcp-reassemble.h"
38 #include "stream-tcp-private.h"
39 #include "stream-tcp-inline.h"
40 #include "stream-tcp.h"
41 #include "flow.h"
42 #include "flow-util.h"
43 #include "flow-private.h"
44 #include "ippair.h"
45 #include "util-debug.h"
46 #include "util-print.h"
47 #include "util-profiling.h"
48 #include "util-validate.h"
49 #include "decode-events.h"
50 #include "app-layer-htp-mem.h"
51 #include "util-exception-policy.h"
52 
53 extern bool g_stats_eps_per_app_proto_errors;
54 /**
55  * \brief This is for the app layer in general and it contains per thread
56  * context relevant to both the alpd and alp.
57  */
58 struct AppLayerThreadCtx_ {
59  /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
60  AppLayerProtoDetectThreadCtx *alpd_tctx;
61  /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
62  AppLayerParserThreadCtx *alp_tctx;
63 
64 #ifdef PROFILING
65  uint64_t ticks_start;
66  uint64_t ticks_end;
67  uint64_t ticks_spent;
68  AppProto alproto;
69  uint64_t proto_detect_ticks_start;
70  uint64_t proto_detect_ticks_end;
71  uint64_t proto_detect_ticks_spent;
72 #endif
73 };
74 
75 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
76 
77 #define MAX_COUNTER_SIZE 64
78 typedef struct AppLayerCounterNames_ {
79  char name[MAX_COUNTER_SIZE];
80  char tx_name[MAX_COUNTER_SIZE];
81  char gap_error[MAX_COUNTER_SIZE];
82  char parser_error[MAX_COUNTER_SIZE];
83  char internal_error[MAX_COUNTER_SIZE];
84  char alloc_error[MAX_COUNTER_SIZE];
85  char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE];
86 } AppLayerCounterNames;
87 
88 typedef struct AppLayerCounters_ {
89  uint16_t counter_id;
90  uint16_t counter_tx_id;
91  uint16_t gap_error_id;
92  uint16_t parser_error_id;
93  uint16_t internal_error_id;
94  uint16_t alloc_error_id;
95  ExceptionPolicyCounters eps_error;
96 } AppLayerCounters;
97 
98 /* counter names. Only used at init. */
99 AppLayerCounterNames (*applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX];
100 /* counter id's. Used that runtime. */
101 AppLayerCounters (*applayer_counters)[FLOW_PROTO_APPLAYER_MAX];
102 /* Exception policy global counters ids */
103 ExceptionPolicyCounters eps_error_summary;
104 
105 /* Settings order as in the enum */
106 // clang-format off
107 ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
108  .valid_settings_ids = {
109  /* EXCEPTION_POLICY_NOT_SET */ false,
110  /* EXCEPTION_POLICY_AUTO */ false,
111  /* EXCEPTION_POLICY_PASS_PACKET */ true,
112  /* EXCEPTION_POLICY_PASS_FLOW */ true,
113  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
114  /* EXCEPTION_POLICY_DROP_PACKET */ false,
115  /* EXCEPTION_POLICY_DROP_FLOW */ false,
116  /* EXCEPTION_POLICY_REJECT */ true,
117  },
118  .valid_settings_ips = {
119  /* EXCEPTION_POLICY_NOT_SET */ false,
120  /* EXCEPTION_POLICY_AUTO */ false,
121  /* EXCEPTION_POLICY_PASS_PACKET */ true,
122  /* EXCEPTION_POLICY_PASS_FLOW */ true,
123  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
124  /* EXCEPTION_POLICY_DROP_PACKET */ true,
125  /* EXCEPTION_POLICY_DROP_FLOW */ true,
126  /* EXCEPTION_POLICY_REJECT */ true,
127  },
128 };
129 // clang-format on
130 
131 void AppLayerSetupCounters(void);
132 void AppLayerDeSetupCounters(void);
133 
134 /***** L7 layer dispatchers *****/
135 
136 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
137  const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
138  return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
139  (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
140 }
141 
142 /**
143  * \note id can be 0 if protocol parser is disabled but detection
144  * is enabled.
145  */
146 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
147 {
148  const uint16_t id = applayer_counters[f->alproto][f->protomap].counter_id;
149  if (likely(tv && id > 0)) {
150  StatsIncr(tv, id);
151  }
152 }
153 
154 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
155 {
156  const uint16_t id = applayer_counters[f->alproto][f->protomap].counter_tx_id;
157  if (likely(tv && id > 0)) {
158  StatsAddUI64(tv, id, step);
159  }
160 }
161 
162 void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
163 {
164  const uint16_t id = applayer_counters[f->alproto][f->protomap].gap_error_id;
165  if (likely(tv && id > 0)) {
166  StatsIncr(tv, id);
167  }
168 }
169 
170 void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
171 {
172  const uint16_t id = applayer_counters[f->alproto][f->protomap].alloc_error_id;
173  if (likely(tv && id > 0)) {
174  StatsIncr(tv, id);
175  }
176 }
177 
178 void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
179 {
180  const uint16_t id = applayer_counters[f->alproto][f->protomap].parser_error_id;
181  if (likely(tv && id > 0)) {
182  StatsIncr(tv, id);
183  }
184 }
185 
186 void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
187 {
188  const uint16_t id = applayer_counters[f->alproto][f->protomap].internal_error_id;
189  if (likely(tv && id > 0)) {
190  StatsIncr(tv, id);
191  }
192 }
193 
194 static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum ExceptionPolicy policy)
195 {
196 #ifdef UNITTESTS
197  if (tv == NULL) {
198  return;
199  }
200 #endif
201  uint16_t id = applayer_counters[f->alproto][f->protomap].eps_error.eps_id[policy];
202  /* for the summary values */
203  uint16_t g_id = eps_error_summary.eps_id[policy];
204 
205  if (likely(id > 0)) {
206  StatsIncr(tv, id);
207  }
208  if (likely(g_id > 0)) {
209  StatsIncr(tv, g_id);
210  }
211 }
212 
213 /* in IDS mode protocol detection is done in reverse order:
214  * when TCP data is ack'd. We want to flag the correct packet,
215  * so in this case we set a flag in the flow so that the first
216  * packet in the correct direction can be tagged.
217  *
218  * For IPS we update packet and flow. */
219 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
220 {
221  if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) {
222  if (flags & STREAM_TOSERVER) {
223  if (p->flowflags & FLOW_PKT_TOSERVER) {
224  p->flags |= PKT_PROTO_DETECT_TS_DONE;
225  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
226  } else {
227  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
228  }
229  } else {
230  if (p->flowflags & FLOW_PKT_TOCLIENT) {
231  p->flags |= PKT_PROTO_DETECT_TC_DONE;
232  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
233  } else {
234  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
235  }
236  }
237  } else {
238  if (flags & STREAM_TOSERVER) {
239  f->flags |= FLOW_PROTO_DETECT_TS_DONE;
240  } else {
241  f->flags |= FLOW_PROTO_DETECT_TC_DONE;
242  }
243  }
244 }
245 
246 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
247 {
248  SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
249  f, f->alproto, f->alproto_ts, f->alproto_tc);
250  FlowCleanupAppLayer(f);
251  StreamTcpDisableAppLayer(f);
252  TcpSession *ssn = f->protoctx;
253  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
254  f->alproto = ALPROTO_FAILED;
255  AppLayerIncFlowCounter(tv, f);
256 
257  if (f->alproto_tc != ALPROTO_FAILED) {
258  if (f->alproto_tc == ALPROTO_UNKNOWN) {
259  f->alproto_tc = ALPROTO_FAILED;
260  }
261  FlagPacketFlow(p, f, STREAM_TOCLIENT);
262  }
263  if (f->alproto_ts != ALPROTO_FAILED) {
264  if (f->alproto_ts == ALPROTO_UNKNOWN) {
265  f->alproto_ts = ALPROTO_FAILED;
266  }
267  FlagPacketFlow(p, f, STREAM_TOSERVER);
268  }
269  SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
270  f, f->alproto, f->alproto_ts, f->alproto_tc);
271 }
272 
273 /* See if we're going to have to give up:
274  *
275  * If we're getting a lot of data in one direction and the
276  * proto for this direction is unknown, proto detect will
277  * hold up segments in the segment list in the stream.
278  * They are held so that if we detect the protocol on the
279  * opposing stream, we can still parse this side of the stream
280  * as well. However, some sessions are very unbalanced. FTP
281  * data channels, large PUT/POST request and many others, can
282  * lead to cases where we would have to store many megabytes
283  * worth of segments before we see the opposing stream. This
284  * leads to risks of resource starvation.
285  *
286  * Here a cutoff point is enforced. If we've stored 100k in
287  * one direction and we've seen no data in the other direction,
288  * we give up.
289  *
290  * Giving up means we disable applayer an set an applayer event
291  */
292 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
293  Flow *f, TcpSession *ssn, Packet *p)
294 {
295  if (ssn->state < TCP_ESTABLISHED) {
296  SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
297  return;
298  }
299 
300  const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
301  const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
302  SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
303 
304  /* at least 100000 whatever the conditions
305  * and can be more if window is bigger and if configuration allows it */
306  const uint32_t size_tc_limit =
307  MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
308  const uint32_t size_ts_limit =
309  MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
310 
311  if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
312  ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
313  {
314  goto failure;
315 
316  /* we bail out whatever the pp and pm states if
317  * we received too much data */
318  } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
319  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
320  goto failure;
321 
322  } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
323  size_ts > size_ts_limit && size_tc == 0) {
324  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
325  APPLAYER_PROTO_DETECTION_SKIPPED);
326  goto failure;
327 
328  } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
329  size_tc > size_tc_limit && size_ts == 0) {
330  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
331  APPLAYER_PROTO_DETECTION_SKIPPED);
332  goto failure;
333 
334  /* little data in ts direction, pp done, pm not done (max
335  * depth not reached), ts direction done, lots of data in
336  * tc direction. */
337  } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
338  !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
339  FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
340  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
341  APPLAYER_PROTO_DETECTION_SKIPPED);
342  goto failure;
343 
344  /* little data in tc direction, pp done, pm not done (max
345  * depth not reached), tc direction done, lots of data in
346  * ts direction. */
347  } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
348  !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
349  FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
350  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
351  APPLAYER_PROTO_DETECTION_SKIPPED);
352  goto failure;
353  }
354  return;
355 
356 failure:
357  DisableAppLayer(tv, f, p);
358 }
359 
360 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
361  Packet *p, TcpSession *ssn, const TcpStream *stream)
362 {
363  TcpStream *opposing_stream = NULL;
364  if (stream == &ssn->client) {
365  opposing_stream = &ssn->server;
366  } else {
367  opposing_stream = &ssn->client;
368  }
369 
370  /* if the opposing side is not going to work, then
371  * we just have to give up. */
372  if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
373  SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
374  return -1;
375  }
376 
377  enum StreamUpdateDir dir = StreamTcpInlineMode() ?
378  UPDATE_DIR_OPPOSING :
379  UPDATE_DIR_PACKET;
380  int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
381  opposing_stream, p, dir);
382  return ret;
383 }
384 
385 extern enum ExceptionPolicy g_applayerparser_error_policy;
386 
387 /** \todo data const
388  * \retval int -1 error
389  * \retval int 0 ok
390  */
391 static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
392  AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
393  uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
394 {
395  AppProto *alproto;
396  AppProto *alproto_otherdir;
397  uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
398 
399  if (flags & STREAM_TOSERVER) {
400  alproto = &f->alproto_ts;
401  alproto_otherdir = &f->alproto_tc;
402  } else {
403  alproto = &f->alproto_tc;
404  alproto_otherdir = &f->alproto_ts;
405  }
406 
407  SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
408 #ifdef PRINT
409  if (data_len > 0) {
410  printf("=> Init Stream Data (app layer) -- start %s%s\n",
411  flags & STREAM_TOCLIENT ? "toclient" : "",
412  flags & STREAM_TOSERVER ? "toserver" : "");
413  PrintRawDataFp(stdout, data, data_len);
414  printf("=> Init Stream Data -- end\n");
415  }
416 #endif
417 
418  bool reverse_flow = false;
419  DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
420  PACKET_PROFILING_APP_PD_START(app_tctx);
421  *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
422  f, data, data_len,
423  IPPROTO_TCP, flags, &reverse_flow);
424  PACKET_PROFILING_APP_PD_END(app_tctx);
425  SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
426 
427  if (*alproto != ALPROTO_UNKNOWN) {
428  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
429  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
430  APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
431 
432  if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
433  /* if we already invoked the parser, we go with that proto */
434  f->alproto = *alproto_otherdir;
435  } else {
436  /* no data sent to parser yet, we can still choose
437  * we're trusting the server more. */
438  if (flags & STREAM_TOCLIENT)
439  f->alproto = *alproto;
440  else
441  f->alproto = *alproto_otherdir;
442  }
443  } else {
444  f->alproto = *alproto;
445  }
446 
447  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
448  TcpSessionSetReassemblyDepth(ssn,
449  AppLayerParserGetStreamDepth(f));
450  FlagPacketFlow(p, f, flags);
451 
452  /* if protocol detection indicated that we need to reverse
453  * the direction of the flow, do it now. We flip the flow,
454  * packet and the direction flags */
455  if (reverse_flow &&
456  ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) ==
457  STREAMTCP_FLAG_MIDSTREAM)) {
458  /* but only if we didn't already detect it on the other side. */
459  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
460  SCLogDebug("reversing flow after proto detect told us so");
461  PacketSwap(p);
462  FlowSwap(f);
463  // Will reset signature groups in DetectRunSetup
464  f->de_ctx_version = UINT32_MAX;
465  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
466  if (*stream == &ssn->client) {
467  *stream = &ssn->server;
468  } else {
469  *stream = &ssn->client;
470  }
471  direction = 1 - direction;
472  } else {
473  // TODO event, error?
474  }
475  }
476 
477  /* account flow if we have both sides */
478  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
479  AppLayerIncFlowCounter(tv, f);
480  }
481 
482  /* if we have seen data from the other direction first, send
483  * data for that direction first to the parser. This shouldn't
484  * be an issue, since each stream processing happens
485  * independently of the other stream direction. At this point of
486  * call, you need to know that this function's already being
487  * called by the very same StreamReassembly() function that we
488  * will now call shortly for the opposing direction. */
489  if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
490  !(flags & ssn->data_first_seen_dir))
491  {
492  SCLogDebug("protocol %s needs first data in other direction",
493  AppProtoToString(*alproto));
494 
495  if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
496  p, ssn, *stream) != 0)
497  {
498  goto detect_error;
499  }
500  if (FlowChangeProto(f)) {
501  /* We have the first data which requested a protocol change from P1 to P2
502  * even if it was not recognized at first as being P1
503  * As the second data was recognized as P1, the protocol did not change !
504  */
505  FlowUnsetChangeProtoFlag(f);
506  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
507  APPLAYER_UNEXPECTED_PROTOCOL);
508  }
509  }
510 
511  /* if the parser operates such that it needs to see data from
512  * a particular direction first, we check if we have seen
513  * data from that direction first for the flow. IF it is not
514  * the same, we set an event and exit.
515  *
516  * \todo We need to figure out a more robust solution for this,
517  * as this can lead to easy evasion tactics, where the
518  * attacker can first send some dummy data in the wrong
519  * direction first to mislead our proto detection process.
520  * While doing this we need to update the parsers as well,
521  * since the parsers must be robust to see such wrong
522  * direction data.
523  * Either ways the moment we see the
524  * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
525  * flow, it shows something's fishy.
526  */
527  if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
528  uint8_t first_data_dir;
529  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
530 
531  if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
532  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
533  APPLAYER_WRONG_DIRECTION_FIRST_DATA);
534  goto detect_error;
535  }
536  /* This can happen if the current direction is not the
537  * right direction, and the data from the other(also
538  * the right direction) direction is available to be sent
539  * to the app layer, but it is not ack'ed yet and hence
540  * the forced call to STreamTcpAppLayerReassemble still
541  * hasn't managed to send data from the other direction
542  * to the app layer. */
543  if (first_data_dir && !(first_data_dir & flags)) {
544  FlowCleanupAppLayer(f);
545  StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
546  FLOW_RESET_PP_DONE(f, flags);
547  FLOW_RESET_PM_DONE(f, flags);
548  FLOW_RESET_PE_DONE(f, flags);
549  SCReturnInt(-1);
550  }
551  }
552 
553  /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
554  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
555 
556  /* finally, invoke the parser */
557  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
558  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
559  flags, data, data_len);
560  PACKET_PROFILING_APP_END(app_tctx);
561  p->app_update_direction = (uint8_t)app_update_dir;
562  if (r != 1) {
563  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
564  }
565  if (r == 0) {
566  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
567  TcpStream *opposing_stream;
568  if (*stream == &ssn->client) {
569  opposing_stream = &ssn->server;
570  } else {
571  opposing_stream = &ssn->client;
572  }
573  if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) {
574  // can happen in detection-only
575  AppLayerIncFlowCounter(tv, f);
576  }
577  }
578  }
579  if (r < 0) {
580  goto parser_error;
581  }
582  } else {
583  /* if the ssn is midstream, we may end up with a case where the
584  * start of an HTTP request is missing. We won't detect HTTP based
585  * on the request. However, the reply is fine, so we detect
586  * HTTP anyway. This leads to passing the incomplete request to
587  * the htp parser.
588  *
589  * This has been observed, where the http parser then saw many
590  * bogus requests in the incomplete data.
591  *
592  * To counter this case, a midstream session MUST find it's
593  * protocol in the toserver direction. If not, we assume the
594  * start of the request/toserver is incomplete and no reliable
595  * detection and parsing is possible. So we give up.
596  */
597  if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
598  !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
599  {
600  if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
601  SCLogDebug("midstream end pd %p", ssn);
602  /* midstream and toserver detection failed: give up */
603  DisableAppLayer(tv, f, p);
604  SCReturnInt(0);
605  }
606  }
607 
608  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
609  uint8_t first_data_dir;
610  first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
611 
612  /* this would handle this test case -
613  * http parser which says it wants to see toserver data first only.
614  * tcp handshake
615  * toclient data first received. - RUBBISH DATA which
616  * we don't detect as http
617  * toserver data next sent - we detect this as http.
618  * at this stage we see that toclient is the first data seen
619  * for this session and we try and redetect the app protocol,
620  * but we are unable to detect the app protocol like before.
621  * But since we have managed to detect the protocol for the
622  * other direction as http, we try to use that. At this
623  * stage we check if the direction of this stream matches
624  * to that acceptable by the app parser. If it is not the
625  * acceptable direction we error out.
626  */
627  if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
628  (first_data_dir) && !(first_data_dir & flags))
629  {
630  goto detect_error;
631  }
632 
633  /* if protocol detection is marked done for our direction we
634  * pass our data on. We're only succeeded in finding one
635  * direction: the opposing stream
636  *
637  * If PD was not yet complete, we don't do anything.
638  */
639  if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
640  if (data_len > 0)
641  ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
642 
643  if (*alproto_otherdir != ALPROTO_FAILED) {
644  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
645  int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
646  f->alproto, flags,
647  data, data_len);
648  PACKET_PROFILING_APP_END(app_tctx);
649  p->app_update_direction = (uint8_t)app_update_dir;
650  if (r != 1) {
651  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
652  }
653 
654  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
655  APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
656  TcpSessionSetReassemblyDepth(ssn,
657  AppLayerParserGetStreamDepth(f));
658  AppLayerIncFlowCounter(tv, f);
659 
660  *alproto = *alproto_otherdir;
661  SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
662  p->pcap_cnt, *alproto, *alproto_otherdir, r);
663  if (r < 0) {
664  goto parser_error;
665  }
666  }
667  *alproto = ALPROTO_FAILED;
668  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
669  FlagPacketFlow(p, f, flags);
670 
671  } else if (flags & STREAM_EOF) {
672  *alproto = f->alproto;
673  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
674  AppLayerIncFlowCounter(tv, f);
675  }
676  } else {
677  /* both sides unknown, let's see if we need to give up */
678  if (FlowChangeProto(f)) {
679  /* TCPProtoDetectCheckBailConditions does not work well because
680  * size_tc from STREAM_RIGHT_EDGE is not reset to zero
681  * so, we set a lower limit to the data we inspect
682  * We could instead have set ssn->server.sb.stream_offset = 0;
683  */
684  if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
685  DisableAppLayer(tv, f, p);
686  }
687  } else {
688  TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
689  }
690  }
691  }
692  SCReturnInt(0);
693 parser_error:
694  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
695  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
696  SCReturnInt(-1);
697 detect_error:
698  DisableAppLayer(tv, f, p);
699  SCReturnInt(-2);
700 }
701 
702 /** \brief handle TCP data for the app-layer.
703  *
704  * First run protocol detection and then when the protocol is known invoke
705  * the app layer parser.
706  *
707  * \param stream ptr-to-ptr to stream object. Might change if flow dir is
708  * reversed.
709  */
710 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f,
711  TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags,
712  enum StreamUpdateDir app_update_dir)
713 {
714  SCEnter();
715 
716  DEBUG_ASSERT_FLOW_LOCKED(f);
717  DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
718 
719  AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
720  AppProto alproto;
721  int r = 0;
722 
723  SCLogDebug("data_len %u flags %02X", data_len, flags);
724  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
725  SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
726  goto end;
727  }
728 
729  const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
730 
731  if (flags & STREAM_TOSERVER) {
732  alproto = f->alproto_ts;
733  } else {
734  alproto = f->alproto_tc;
735  }
736 
737  /* If a gap notification, relay the notification on to the
738  * app-layer if known. */
739  if (flags & STREAM_GAP) {
740  SCLogDebug("GAP of size %u", data_len);
741  if (alproto == ALPROTO_UNKNOWN) {
742  StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
743  SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
744  /* if the other side didn't already find the proto, we're done */
745  if (f->alproto == ALPROTO_UNKNOWN) {
746  goto failure;
747  }
748  AppLayerIncFlowCounter(tv, f);
749  }
750  if (FlowChangeProto(f)) {
751  FlowUnsetChangeProtoFlag(f);
752  SCLogDebug("Cannot handle gap while changing protocol");
753  goto failure;
754  }
755  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
756  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
757  flags, data, data_len);
758  PACKET_PROFILING_APP_END(app_tctx);
759  p->app_update_direction = (uint8_t)app_update_dir;
760  /* ignore parser result for gap */
761  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
762  if (r < 0) {
763  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
764  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
765  SCReturnInt(-1);
766  }
767  goto end;
768  }
769 
770  /* if we don't know the proto yet and we have received a stream
771  * initializer message, we run proto detection.
772  * We receive 2 stream init msgs (one for each direction), we
773  * only run the proto detection for both and emit an event
774  * in the case protocols mismatch. */
775  if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
776  DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
777  /* run protocol detection */
778  if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags,
779  app_update_dir) != 0) {
780  goto failure;
781  }
782  } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
783  SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
784  void *alstate_orig = f->alstate;
785  AppLayerParserState *alparser = f->alparser;
786  // we delay AppLayerParserStateCleanup because we may need previous parser state
787  AppLayerProtoDetectReset(f);
788  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
789  StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
790  /* rerun protocol detection */
791  int rd = TCPProtoDetect(
792  tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, app_update_dir);
793  if (f->alproto == ALPROTO_UNKNOWN) {
794  DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
795  // not enough data, revert AppLayerProtoDetectReset to rerun detection
796  f->alparser = alparser;
797  f->alproto = f->alproto_orig;
798  f->alproto_tc = f->alproto_orig;
799  f->alproto_ts = f->alproto_orig;
800  } else {
801  FlowUnsetChangeProtoFlag(f);
802  AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
803  if (alstate_orig == f->alstate) {
804  // we just freed it
805  f->alstate = NULL;
806  }
807  }
808  if (rd != 0) {
809  SCLogDebug("proto detect failure");
810  goto failure;
811  }
812  SCLogDebug("protocol change, old %s, new %s",
813  AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
814 
815  if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN &&
816  f->alproto != f->alproto_expect) {
817  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
818  APPLAYER_UNEXPECTED_PROTOCOL);
819 
820  if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
821  AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
822  APPLAYER_NO_TLS_AFTER_STARTTLS);
823 
824  }
825  }
826  } else {
827  SCLogDebug("stream data (len %" PRIu32 " alproto "
828  "%"PRIu16" (flow %p)", data_len, f->alproto, f);
829 #ifdef PRINT
830  if (data_len > 0) {
831  printf("=> Stream Data (app layer) -- start %s%s\n",
832  flags & STREAM_TOCLIENT ? "toclient" : "",
833  flags & STREAM_TOSERVER ? "toserver" : "");
834  PrintRawDataFp(stdout, data, data_len);
835  printf("=> Stream Data -- end\n");
836  }
837 #endif
838  /* if we don't have a data object here we are not getting it
839  * a start msg should have gotten us one */
840  if (f->alproto != ALPROTO_UNKNOWN) {
841  PACKET_PROFILING_APP_START(app_tctx, f->alproto);
842  r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
843  flags, data, data_len);
844  PACKET_PROFILING_APP_END(app_tctx);
845  p->app_update_direction = (uint8_t)app_update_dir;
846  if (r != 1) {
847  StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
848  if (r < 0) {
849  ExceptionPolicyApply(
850  p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
851  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
852  SCReturnInt(-1);
853  }
854  }
855  }
856  }
857 
858  goto end;
859  failure:
860  r = -1;
861  end:
862  SCReturnInt(r);
863 }
864 
865 /**
866  * \brief Handle a app layer UDP message
867  *
868  * If the protocol is yet unknown, the proto detection code is run first.
869  *
870  * \param dp_ctx Thread app layer detect context
871  * \param f *locked* flow
872  * \param p UDP packet
873  *
874  * \retval 0 ok
875  * \retval -1 error
876  */
877 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
878 {
879  SCEnter();
880  AppProto *alproto;
881  AppProto *alproto_otherdir;
882 
883  if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) {
884  SCReturnInt(0);
885  }
886 
887  int r = 0;
888  uint8_t flags = 0;
889  if (p->flowflags & FLOW_PKT_TOSERVER) {
890  flags |= STREAM_TOSERVER;
891  alproto = &f->alproto_ts;
892  alproto_otherdir = &f->alproto_tc;
893  } else {
894  flags |= STREAM_TOCLIENT;
895  alproto = &f->alproto_tc;
896  alproto_otherdir = &f->alproto_ts;
897  }
898 
899  AppLayerProfilingReset(tctx);
900 
901  /* if the protocol is still unknown, run detection */
902  if (*alproto == ALPROTO_UNKNOWN) {
903  SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
904  p->payload_len);
905 
906  bool reverse_flow = false;
907  PACKET_PROFILING_APP_PD_START(tctx);
908  *alproto = AppLayerProtoDetectGetProto(
909  tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow);
910  PACKET_PROFILING_APP_PD_END(tctx);
911 
912  switch (*alproto) {
913  case ALPROTO_UNKNOWN:
914  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
915  // Use recognized side
916  f->alproto = *alproto_otherdir;
917  // do not keep ALPROTO_UNKNOWN for this side so as not to loop
918  *alproto = *alproto_otherdir;
919  if (*alproto_otherdir == ALPROTO_FAILED) {
920  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
921  }
922  } else {
923  // First side of protocol is unknown
924  *alproto = ALPROTO_FAILED;
925  }
926  break;
927  case ALPROTO_FAILED:
928  if (*alproto_otherdir != ALPROTO_UNKNOWN) {
929  // Use recognized side
930  f->alproto = *alproto_otherdir;
931  if (*alproto_otherdir == ALPROTO_FAILED) {
932  SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
933  }
934  }
935  // else wait for second side of protocol
936  break;
937  default:
938  if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) {
939  if (*alproto_otherdir != *alproto) {
940  AppLayerDecoderEventsSetEventRaw(
941  &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
942  // data already sent to parser, we cannot change the protocol to use the one
943  // of the server
944  }
945  } else {
946  f->alproto = *alproto;
947  }
948  }
949  if (*alproto_otherdir == ALPROTO_UNKNOWN) {
950  if (f->alproto == ALPROTO_UNKNOWN) {
951  // so as to increase stat about .app_layer.flow.failed_udp
952  f->alproto = ALPROTO_FAILED;
953  }
954  // If the other side is unknown, this is the first packet of the flow
955  AppLayerIncFlowCounter(tv, f);
956  }
957 
958  // parse the data if we recognized one protocol
959  if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) {
960  if (reverse_flow) {
961  SCLogDebug("reversing flow after proto detect told us so");
962  PacketSwap(p);
963  FlowSwap(f);
964  SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
965  }
966 
967  PACKET_PROFILING_APP_START(tctx, f->alproto);
968  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
969  flags, p->payload, p->payload_len);
970  PACKET_PROFILING_APP_END(tctx);
971  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
972  }
973  PACKET_PROFILING_APP_STORE(tctx, p);
974  /* we do only inspection in one direction, so flag both
975  * sides as done here */
976  FlagPacketFlow(p, f, STREAM_TOSERVER);
977  FlagPacketFlow(p, f, STREAM_TOCLIENT);
978  } else {
979  SCLogDebug("data (len %" PRIu32 " ), alproto "
980  "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
981 
982  /* run the parser */
983  PACKET_PROFILING_APP_START(tctx, f->alproto);
984  r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
985  flags, p->payload, p->payload_len);
986  PACKET_PROFILING_APP_END(tctx);
987  PACKET_PROFILING_APP_STORE(tctx, p);
988  p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET;
989  }
990  if (r < 0) {
991  ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
992  AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy);
993  SCReturnInt(-1);
994  }
995 
996  SCReturnInt(r);
997 }
998 
999 /***** Utility *****/
1000 
1001 AppProto AppLayerGetProtoByName(const char *alproto_name)
1002 {
1003  SCEnter();
1004  AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
1005  SCReturnCT(r, "AppProto");
1006 }
1007 
1008 const char *AppLayerGetProtoName(AppProto alproto)
1009 {
1010  SCEnter();
1011  const char * r = AppLayerProtoDetectGetProtoName(alproto);
1012  SCReturnCT(r, "char *");
1013 }
1014 
1015 void AppLayerListSupportedProtocols(void)
1016 {
1017  SCEnter();
1018 
1019  AppProto alproto;
1020  AppProto alprotos[g_alproto_max];
1021 
1022  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1023 
1024  printf("=========Supported App Layer Protocols=========\n");
1025  for (alproto = 0; alproto < g_alproto_max; alproto++) {
1026  if (alprotos[alproto] == 1)
1027  printf("%s\n", AppLayerGetProtoName(alproto));
1028  }
1029 
1030  SCReturn;
1031 }
1032 
1033 /***** Setup/General Registration *****/
1034 static void AppLayerNamesSetup(void)
1035 {
1036  AppProtoRegisterProtoString(ALPROTO_UNKNOWN, "unknown");
1037  AppProtoRegisterProtoString(ALPROTO_FAILED, "failed");
1038  AppProtoRegisterProtoString(ALPROTO_HTTP1, "http1");
1039  AppProtoRegisterProtoString(ALPROTO_FTP, "ftp");
1040  AppProtoRegisterProtoString(ALPROTO_SMTP, "smtp");
1041  AppProtoRegisterProtoString(ALPROTO_TLS, "tls");
1042  AppProtoRegisterProtoString(ALPROTO_SSH, "ssh");
1043  AppProtoRegisterProtoString(ALPROTO_IMAP, "imap");
1044  AppProtoRegisterProtoString(ALPROTO_JABBER, "jabber");
1045  AppProtoRegisterProtoString(ALPROTO_SMB, "smb");
1046  AppProtoRegisterProtoString(ALPROTO_DCERPC, "dcerpc");
1047  AppProtoRegisterProtoString(ALPROTO_IRC, "irc");
1048  AppProtoRegisterProtoString(ALPROTO_DNS, "dns");
1049  AppProtoRegisterProtoString(ALPROTO_MODBUS, "modbus");
1050  AppProtoRegisterProtoString(ALPROTO_ENIP, "enip");
1051  AppProtoRegisterProtoString(ALPROTO_DNP3, "dnp3");
1052  AppProtoRegisterProtoString(ALPROTO_NFS, "nfs");
1053  AppProtoRegisterProtoString(ALPROTO_NTP, "ntp");
1054  AppProtoRegisterProtoString(ALPROTO_FTPDATA, "ftp-data");
1055  AppProtoRegisterProtoString(ALPROTO_TFTP, "tftp");
1056  AppProtoRegisterProtoString(ALPROTO_IKE, "ike");
1057  AppProtoRegisterProtoString(ALPROTO_KRB5, "krb5");
1058  AppProtoRegisterProtoString(ALPROTO_QUIC, "quic");
1059  AppProtoRegisterProtoString(ALPROTO_DHCP, "dhcp");
1060  AppProtoRegisterProtoString(ALPROTO_SNMP, "snmp");
1061  AppProtoRegisterProtoString(ALPROTO_SIP, "sip");
1062  AppProtoRegisterProtoString(ALPROTO_RFB, "rfb");
1063  AppProtoRegisterProtoString(ALPROTO_MQTT, "mqtt");
1064  AppProtoRegisterProtoString(ALPROTO_PGSQL, "pgsql");
1065  AppProtoRegisterProtoString(ALPROTO_TELNET, "telnet");
1066  AppProtoRegisterProtoString(ALPROTO_WEBSOCKET, "websocket");
1067  AppProtoRegisterProtoString(ALPROTO_LDAP, "ldap");
1068  AppProtoRegisterProtoString(ALPROTO_DOH2, "doh2");
1069  AppProtoRegisterProtoString(ALPROTO_TEMPLATE, "template");
1070  AppProtoRegisterProtoString(ALPROTO_RDP, "rdp");
1071  AppProtoRegisterProtoString(ALPROTO_HTTP2, "http2");
1072  AppProtoRegisterProtoString(ALPROTO_BITTORRENT_DHT, "bittorrent-dht");
1073  AppProtoRegisterProtoString(ALPROTO_POP3, "pop3");
1074  AppProtoRegisterProtoString(ALPROTO_HTTP, "http");
1075 }
1076 
1077 int AppLayerSetup(void)
1078 {
1079  SCEnter();
1080 
1081  AppLayerNamesSetup();
1082  AppLayerProtoDetectSetup();
1083  AppLayerParserSetup();
1084 
1085  AppLayerParserRegisterProtocolParsers();
1086  AppLayerProtoDetectPrepareState();
1087 
1088  AppLayerSetupCounters();
1089  FrameConfigInit();
1090 
1091  SCReturnInt(0);
1092 }
1093 
1094 int AppLayerDeSetup(void)
1095 {
1096  SCEnter();
1097 
1098  AppLayerProtoDetectDeSetup();
1099  AppLayerParserDeSetup();
1100 
1101  AppLayerDeSetupCounters();
1102  FrameConfigDeInit();
1103 
1104  SCReturnInt(0);
1105 }
1106 
1107 AppLayerThreadCtx *AppLayerGetCtxThread(void)
1108 {
1109  SCEnter();
1110 
1111  AppLayerThreadCtx *app_tctx = SCCalloc(1, sizeof(*app_tctx));
1112  if (app_tctx == NULL)
1113  goto error;
1114 
1115  if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
1116  goto error;
1117  if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
1118  goto error;
1119 
1120  goto done;
1121  error:
1122  AppLayerDestroyCtxThread(app_tctx);
1123  app_tctx = NULL;
1124  done:
1125  SCReturnPtr(app_tctx, "void *");
1126 }
1127 
1128 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
1129 {
1130  SCEnter();
1131 
1132  if (app_tctx == NULL)
1133  SCReturn;
1134 
1135  if (app_tctx->alpd_tctx != NULL)
1136  AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
1137  if (app_tctx->alp_tctx != NULL)
1138  AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
1139  SCFree(app_tctx);
1140 
1141  SCReturn;
1142 }
1143 
1144 #ifdef PROFILING
1145 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
1146 {
1147  PACKET_PROFILING_APP_RESET(app_tctx);
1148 }
1149 
1150 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
1151 {
1152  PACKET_PROFILING_APP_STORE(app_tctx, p);
1153 }
1154 #endif
1155 
1156 /** \brief HACK to work around our broken unix manager (re)init loop
1157  */
1158 void AppLayerRegisterGlobalCounters(void)
1159 {
1160  StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
1161  StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
1162  StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
1163  StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
1164  StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
1165  StatsRegisterGlobalCounter("http.byterange.memuse", HTPByteRangeMemuseGlobalCounter);
1166  StatsRegisterGlobalCounter("http.byterange.memcap", HTPByteRangeMemcapGlobalCounter);
1167  StatsRegisterGlobalCounter("ippair.memuse", IPPairGetMemuse);
1168  StatsRegisterGlobalCounter("ippair.memcap", IPPairGetMemuse);
1169  StatsRegisterGlobalCounter("host.memuse", HostGetMemuse);
1170  StatsRegisterGlobalCounter("host.memcap", HostGetMemcap);
1171 }
1172 
1173 static bool IsAppLayerErrorExceptionPolicyStatsValid(enum ExceptionPolicy policy)
1174 {
1175  if (EngineModeIsIPS()) {
1176  return app_layer_error_eps_stats.valid_settings_ips[policy];
1177  }
1178  return app_layer_error_eps_stats.valid_settings_ids[policy];
1179 }
1180 
1181 static void AppLayerSetupExceptionPolicyPerProtoCounters(
1182  uint8_t ipproto_map, AppProto alproto, const char *alproto_str, const char *ipproto_suffix)
1183 {
1184  if (g_stats_eps_per_app_proto_errors &&
1185  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1186  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1187  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1188  snprintf(applayer_counter_names[alproto][ipproto_map].eps_name[i],
1189  sizeof(applayer_counter_names[alproto][ipproto_map].eps_name[i]),
1190  "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix,
1191  ExceptionPolicyEnumToString(i, true));
1192  }
1193  }
1194  }
1195 }
1196 
1197 void AppLayerSetupCounters(void)
1198 {
1199  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1200  AppProto alprotos[g_alproto_max];
1201  const char *str = "app_layer.flow.";
1202  const char *estr = "app_layer.error.";
1203 
1204  applayer_counter_names =
1205  SCCalloc(g_alproto_max, sizeof(AppLayerCounterNames[FLOW_PROTO_APPLAYER_MAX]));
1206  if (unlikely(applayer_counter_names == NULL)) {
1207  FatalError("Unable to alloc applayer_counter_names.");
1208  }
1209  applayer_counters = SCCalloc(g_alproto_max, sizeof(AppLayerCounters[FLOW_PROTO_APPLAYER_MAX]));
1210  if (unlikely(applayer_counters == NULL)) {
1211  FatalError("Unable to alloc applayer_counters.");
1212  }
1213  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1214  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1215  /* Register global counters for app layer error exception policy summary */
1216  const char *eps_default_str = "app_layer.error.exception_policy.";
1217  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1218  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1219  snprintf(app_layer_error_eps_stats.eps_name[i],
1220  sizeof(app_layer_error_eps_stats.eps_name[i]), "%s%s", eps_default_str,
1221  ExceptionPolicyEnumToString(i, true));
1222  }
1223  }
1224  }
1225 
1226  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1227 
1228  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1229  const uint8_t ipproto = ipprotos[p];
1230  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1231  const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp";
1232  uint8_t ipprotos_all[256 / 8];
1233 
1234  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1235  if (alprotos[alproto] == 1) {
1236  const char *tx_str = "app_layer.tx.";
1237  const char *alproto_str = AppLayerGetProtoName(alproto);
1238 
1239  memset(ipprotos_all, 0, sizeof(ipprotos_all));
1240  AppLayerProtoDetectSupportedIpprotos(alproto, ipprotos_all);
1241  if ((ipprotos_all[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) &&
1242  (ipprotos_all[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8)))) {
1243  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1244  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s",
1245  str, alproto_str, ipproto_suffix);
1246  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1247  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s%s",
1248  tx_str, alproto_str, ipproto_suffix);
1249 
1250  if (ipproto == IPPROTO_TCP) {
1251  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1252  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1253  "%s%s%s.gap", estr, alproto_str, ipproto_suffix);
1254  }
1255  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1256  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1257  "%s%s%s.alloc", estr, alproto_str, ipproto_suffix);
1258  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1259  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1260  "%s%s%s.parser", estr, alproto_str, ipproto_suffix);
1261  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1262  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1263  "%s%s%s.internal", estr, alproto_str, ipproto_suffix);
1264 
1265  AppLayerSetupExceptionPolicyPerProtoCounters(
1266  ipproto_map, alproto, alproto_str, ipproto_suffix);
1267  } else {
1268  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1269  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s", str,
1270  alproto_str);
1271  snprintf(applayer_counter_names[alproto][ipproto_map].tx_name,
1272  sizeof(applayer_counter_names[alproto][ipproto_map].tx_name), "%s%s",
1273  tx_str, alproto_str);
1274 
1275  if (ipproto == IPPROTO_TCP) {
1276  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1277  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1278  "%s%s.gap", estr, alproto_str);
1279  }
1280  snprintf(applayer_counter_names[alproto][ipproto_map].alloc_error,
1281  sizeof(applayer_counter_names[alproto][ipproto_map].alloc_error),
1282  "%s%s.alloc", estr, alproto_str);
1283  snprintf(applayer_counter_names[alproto][ipproto_map].parser_error,
1284  sizeof(applayer_counter_names[alproto][ipproto_map].parser_error),
1285  "%s%s.parser", estr, alproto_str);
1286  snprintf(applayer_counter_names[alproto][ipproto_map].internal_error,
1287  sizeof(applayer_counter_names[alproto][ipproto_map].internal_error),
1288  "%s%s.internal", estr, alproto_str);
1289  AppLayerSetupExceptionPolicyPerProtoCounters(
1290  ipproto_map, alproto, alproto_str, "");
1291  }
1292  } else if (alproto == ALPROTO_FAILED) {
1293  snprintf(applayer_counter_names[alproto][ipproto_map].name,
1294  sizeof(applayer_counter_names[alproto][ipproto_map].name), "%s%s%s", str,
1295  "failed", ipproto_suffix);
1296  if (ipproto == IPPROTO_TCP) {
1297  snprintf(applayer_counter_names[alproto][ipproto_map].gap_error,
1298  sizeof(applayer_counter_names[alproto][ipproto_map].gap_error),
1299  "%sfailed%s.gap", estr, ipproto_suffix);
1300  }
1301  }
1302  }
1303  }
1304 }
1305 
1306 void AppLayerRegisterThreadCounters(ThreadVars *tv)
1307 {
1308  const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
1309  AppProto alprotos[g_alproto_max];
1310  AppLayerProtoDetectSupportedAppProtocols(alprotos);
1311 
1312  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1313  if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1314  /* Register global counters for app layer error exception policy summary */
1315  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) {
1316  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1317  eps_error_summary.eps_id[i] =
1318  StatsRegisterCounter(app_layer_error_eps_stats.eps_name[i], tv);
1319  }
1320  }
1321  }
1322 
1323  for (uint8_t p = 0; p < FLOW_PROTO_APPLAYER_MAX; p++) {
1324  const uint8_t ipproto = ipprotos[p];
1325  const uint8_t ipproto_map = FlowGetProtoMapping(ipproto);
1326 
1327  for (AppProto alproto = 0; alproto < g_alproto_max; alproto++) {
1328  if (alprotos[alproto] == 1) {
1329  applayer_counters[alproto][ipproto_map].counter_id =
1330  StatsRegisterCounter(applayer_counter_names[alproto][ipproto_map].name, tv);
1331 
1332  applayer_counters[alproto][ipproto_map].counter_tx_id = StatsRegisterCounter(
1333  applayer_counter_names[alproto][ipproto_map].tx_name, tv);
1334 
1335  if (ipproto == IPPROTO_TCP) {
1336  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1337  applayer_counter_names[alproto][ipproto_map].gap_error, tv);
1338  }
1339  applayer_counters[alproto][ipproto_map].alloc_error_id = StatsRegisterCounter(
1340  applayer_counter_names[alproto][ipproto_map].alloc_error, tv);
1341  applayer_counters[alproto][ipproto_map].parser_error_id = StatsRegisterCounter(
1342  applayer_counter_names[alproto][ipproto_map].parser_error, tv);
1343  applayer_counters[alproto][ipproto_map].internal_error_id = StatsRegisterCounter(
1344  applayer_counter_names[alproto][ipproto_map].internal_error, tv);
1345  /* We don't log stats counters if exception policy is `ignore`/`not set` */
1346  if (g_stats_eps_per_app_proto_errors &&
1347  g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) {
1348  for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1;
1349  i < EXCEPTION_POLICY_MAX; i++) {
1350  if (IsAppLayerErrorExceptionPolicyStatsValid(i)) {
1351  applayer_counters[alproto][ipproto_map]
1352  .eps_error.eps_id[i] = StatsRegisterCounter(
1353  applayer_counter_names[alproto][ipproto_map].eps_name[i], tv);
1354  }
1355  }
1356  }
1357  } else if (alproto == ALPROTO_FAILED) {
1358  applayer_counters[alproto][ipproto_map].counter_id =
1359  StatsRegisterCounter(applayer_counter_names[alproto][ipproto_map].name, tv);
1360 
1361  if (ipproto == IPPROTO_TCP) {
1362  applayer_counters[alproto][ipproto_map].gap_error_id = StatsRegisterCounter(
1363  applayer_counter_names[alproto][ipproto_map].gap_error, tv);
1364  }
1365  }
1366  }
1367  }
1368 }
1369 
1370 void AppLayerDeSetupCounters(void)
1371 {
1372  SCFree(applayer_counter_names);
1373  SCFree(applayer_counters);
1374 }
1375 
1376 /***** Unittests *****/
1377 
1378 #ifdef UNITTESTS
1379 #include "pkt-var.h"
1380 #include "stream-tcp-util.h"
1381 #include "stream.h"
1382 #include "util-unittest.h"
1383 
1384 #define TEST_START \
1385  Packet *p = PacketGetFromAlloc(); \
1386  FAIL_IF_NULL(p); \
1387  Flow f; \
1388  ThreadVars tv; \
1389  StreamTcpThread *stt = NULL; \
1390  TCPHdr tcph; \
1391  PacketQueueNoLock pq; \
1392  memset(&pq, 0, sizeof(PacketQueueNoLock)); \
1393  memset(&f, 0, sizeof(Flow)); \
1394  memset(&tv, 0, sizeof(ThreadVars)); \
1395  memset(&tcph, 0, sizeof(TCPHdr)); \
1396  \
1397  FLOW_INITIALIZE(&f); \
1398  f.flags = FLOW_IPV4; \
1399  f.proto = IPPROTO_TCP; \
1400  p->flow = &f; \
1401  PacketSetTCP(p, (uint8_t *)&tcph); \
1402  \
1403  StreamTcpInitConfig(true); \
1404  IPPairInitConfig(true); \
1405  StreamTcpThreadInit(&tv, NULL, (void **)&stt); \
1406  \
1407  /* handshake */ \
1408  tcph.th_win = htons(5480); \
1409  tcph.th_flags = TH_SYN; \
1410  p->flowflags = FLOW_PKT_TOSERVER; \
1411  p->payload_len = 0; \
1412  p->payload = NULL; \
1413  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1414  TcpSession *ssn = (TcpSession *)f.protoctx; \
1415  \
1416  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1417  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1418  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1419  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1420  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1421  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1422  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1423  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1424  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1425  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1426  FAIL_IF(ssn->data_first_seen_dir != 0); \
1427  \
1428  /* handshake */ \
1429  tcph.th_ack = htonl(1); \
1430  tcph.th_flags = TH_SYN | TH_ACK; \
1431  p->flowflags = FLOW_PKT_TOCLIENT; \
1432  p->payload_len = 0; \
1433  p->payload = NULL; \
1434  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1435  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1436  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1437  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1438  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1439  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1440  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1441  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1442  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1443  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1444  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1445  FAIL_IF(ssn->data_first_seen_dir != 0); \
1446  \
1447  /* handshake */ \
1448  tcph.th_ack = htonl(1); \
1449  tcph.th_seq = htonl(1); \
1450  tcph.th_flags = TH_ACK; \
1451  p->flowflags = FLOW_PKT_TOSERVER; \
1452  p->payload_len = 0; \
1453  p->payload = NULL; \
1454  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \
1455  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \
1456  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \
1457  FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \
1458  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \
1459  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \
1460  FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \
1461  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \
1462  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \
1463  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \
1464  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \
1465  FAIL_IF(ssn->data_first_seen_dir != 0);
1466 #define TEST_END \
1467  StreamTcpSessionClear(p->flow->protoctx); \
1468  StreamTcpThreadDeinit(&tv, (void *)stt); \
1469  StreamTcpFreeConfig(true); \
1470  PacketFree(p); \
1471  FLOW_DESTROY(&f); \
1472  StatsThreadCleanup(&tv);
1473 
1474 /**
1475  * \test GET -> HTTP/1.1
1476  */
1477 static int AppLayerTest01(void)
1478 {
1479  TEST_START;
1480 
1481  /* full request */
1482  uint8_t request[] = {
1483  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1484  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1485  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1486  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1487  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1488  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1489  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1490  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1491  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1492  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1493  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1494  tcph.th_ack = htonl(1);
1495  tcph.th_seq = htonl(1);
1496  tcph.th_flags = TH_PUSH | TH_ACK;
1497  p->flowflags = FLOW_PKT_TOSERVER;
1498  p->payload_len = sizeof(request);
1499  p->payload = request;
1500  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1501  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1502  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1503  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1504  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1505  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1506  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1507  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1508  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1509  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1510  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1511  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1512 
1513  /* full response - request ack */
1514  uint8_t response[] = {
1515  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1516  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1517  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1518  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1519  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1520  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1521  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1522  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1523  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1524  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1525  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1526  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1527  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1528  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1529  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1530  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1531  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1532  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1533  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1534  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1535  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1536  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1537  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1538  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1539  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1540  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1541  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1542  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1543  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1544  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1545  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1546  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1547  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1548  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1549  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1550  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1551  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1552  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1553  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1554  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1555  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1556  tcph.th_ack = htonl(88);
1557  tcph.th_seq = htonl(1);
1558  tcph.th_flags = TH_PUSH | TH_ACK;
1559  p->flowflags = FLOW_PKT_TOCLIENT;
1560  p->payload_len = sizeof(response);
1561  p->payload = response;
1562  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1563  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1564  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1565  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1566  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1567  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1568  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1569  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1570  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1571  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1572  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1573  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1574 
1575  /* response ack */
1576  tcph.th_ack = htonl(328);
1577  tcph.th_seq = htonl(88);
1578  tcph.th_flags = TH_ACK;
1579  p->flowflags = FLOW_PKT_TOSERVER;
1580  p->payload_len = 0;
1581  p->payload = NULL;
1582  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1583  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1584  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1585  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1586  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1587  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1588  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1589  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1590  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1591  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1592  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1593  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1594 
1595  TEST_END;
1596  PASS;
1597 }
1598 
1599 /**
1600  * \test GE -> T -> HTTP/1.1
1601  */
1602 static int AppLayerTest02(void)
1603 {
1604  TEST_START;
1605 
1606  /* partial request */
1607  uint8_t request1[] = { 0x47, 0x45, };
1608  tcph.th_ack = htonl(1);
1609  tcph.th_seq = htonl(1);
1610  tcph.th_flags = TH_PUSH | TH_ACK;
1611  p->flowflags = FLOW_PKT_TOSERVER;
1612  p->payload_len = sizeof(request1);
1613  p->payload = request1;
1614  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1615  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1616  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1617  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1618  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1619  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1620  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1621  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1622  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1623  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1624  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1625  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1626 
1627  /* response ack against partial request */
1628  tcph.th_ack = htonl(3);
1629  tcph.th_seq = htonl(1);
1630  tcph.th_flags = TH_ACK;
1631  p->flowflags = FLOW_PKT_TOCLIENT;
1632  p->payload_len = 0;
1633  p->payload = NULL;
1634  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1635  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1636  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1637  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1638  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1639  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1640  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1641  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1642  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1643  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1644  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1645  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1646 
1647  /* complete partial request */
1648  uint8_t request2[] = {
1649  0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1650  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1651  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1652  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1653  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1654  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1655  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1656  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1657  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1658  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1659  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1660  tcph.th_ack = htonl(1);
1661  tcph.th_seq = htonl(3);
1662  tcph.th_flags = TH_PUSH | TH_ACK;
1663  p->flowflags = FLOW_PKT_TOSERVER;
1664  p->payload_len = sizeof(request2);
1665  p->payload = request2;
1666  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1667  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1668  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1669  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1670  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1671  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1672  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1673  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1674  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1675  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1676  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1677  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1678 
1679  /* response - request ack */
1680  uint8_t response[] = {
1681  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1682  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1683  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1684  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1685  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1686  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1687  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1688  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1689  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1690  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1691  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1692  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1693  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1694  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1695  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1696  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1697  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1698  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1699  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1700  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1701  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1702  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1703  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1704  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1705  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1706  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1707  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1708  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1709  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1710  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1711  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1712  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1713  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1714  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1715  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1716  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1717  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1718  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1719  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1720  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1721  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1722  tcph.th_ack = htonl(88);
1723  tcph.th_seq = htonl(1);
1724  tcph.th_flags = TH_PUSH | TH_ACK;
1725  p->flowflags = FLOW_PKT_TOCLIENT;
1726  p->payload_len = sizeof(response);
1727  p->payload = response;
1728  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1729  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1730  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1731  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1732  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1733  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1734  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1735  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1736  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1737  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1738  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1739  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1740 
1741  /* response ack */
1742  tcph.th_ack = htonl(328);
1743  tcph.th_seq = htonl(88);
1744  tcph.th_flags = TH_ACK;
1745  p->flowflags = FLOW_PKT_TOSERVER;
1746  p->payload_len = 0;
1747  p->payload = NULL;
1748  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1749  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1750  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1751  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1752  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1753  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
1754  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1755  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1756  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1757  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1758  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1759  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1760 
1761  TEST_END;
1762  PASS;
1763 }
1764 
1765 /**
1766  * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1767  */
1768 static int AppLayerTest03(void)
1769 {
1770  TEST_START;
1771 
1772  /* request */
1773  uint8_t request[] = {
1774  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1775  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1776  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1777  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1778  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1779  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1780  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1781  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1782  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1783  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1784  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1785  tcph.th_ack = htonl(1);
1786  tcph.th_seq = htonl(1);
1787  tcph.th_flags = TH_PUSH | TH_ACK;
1788  p->flowflags = FLOW_PKT_TOSERVER;
1789  p->payload_len = sizeof(request);
1790  p->payload = request;
1791  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1792  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1793  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1794  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1795  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1796  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1797  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1798  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1799  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1800  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1801  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1802  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1803 
1804  /* rubbish response */
1805  uint8_t response[] = {
1806  0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1807  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1808  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1809  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1810  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1811  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1812  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1813  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1814  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1815  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1816  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1817  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1818  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1819  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1820  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1821  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1822  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1823  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1824  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1825  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1826  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1827  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1828  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1829  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1830  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1831  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1832  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1833  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1834  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1835  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1836  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1837  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1838  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1839  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1840  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1841  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1842  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1843  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1844  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1845  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1846  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1847  tcph.th_ack = htonl(88);
1848  tcph.th_seq = htonl(1);
1849  tcph.th_flags = TH_PUSH | TH_ACK;
1850  p->flowflags = FLOW_PKT_TOCLIENT;
1851  p->payload_len = sizeof(response);
1852  p->payload = response;
1853  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1854  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1855  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1856  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1857  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1858  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1859  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1860  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1861  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1862  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1863  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1864  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1865 
1866  /* response ack */
1867  tcph.th_ack = htonl(328);
1868  tcph.th_seq = htonl(88);
1869  tcph.th_flags = TH_ACK;
1870  p->flowflags = FLOW_PKT_TOSERVER;
1871  p->payload_len = 0;
1872  p->payload = NULL;
1873  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1874  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1875  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1876  FAIL_IF(f.alproto != ALPROTO_HTTP1);
1877  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
1878  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1879  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1880  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1881  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1882  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1883  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1884  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1885 
1886  TEST_END;
1887  PASS;
1888 }
1889 
1890 /**
1891  * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1892  */
1893 static int AppLayerTest04(void)
1894 {
1895  TEST_START;
1896 
1897  /* request */
1898  uint8_t request[] = {
1899  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1900  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1901  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1902  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1903  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1904  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1905  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1906  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1907  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1908  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1909  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1910  PrintRawDataFp(stdout, request, sizeof(request));
1911  tcph.th_ack = htonl(1);
1912  tcph.th_seq = htonl(1);
1913  tcph.th_flags = TH_PUSH | TH_ACK;
1914  p->flowflags = FLOW_PKT_TOSERVER;
1915  p->payload_len = sizeof(request);
1916  p->payload = request;
1917  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1918  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1919  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1920  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1921  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1922  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1923  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1924  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1925  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1926  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1927  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1928  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1929 
1930  /* partial response */
1931  uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1932  PrintRawDataFp(stdout, response1, sizeof(response1));
1933  tcph.th_ack = htonl(88);
1934  tcph.th_seq = htonl(1);
1935  tcph.th_flags = TH_PUSH | TH_ACK;
1936  p->flowflags = FLOW_PKT_TOCLIENT;
1937  p->payload_len = sizeof(response1);
1938  p->payload = response1;
1939  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1940  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1941  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1942  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1943  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1944  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1945  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1946  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1947  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1948  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1949  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1950  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1951 
1952  /* partial response ack */
1953  tcph.th_ack = htonl(5);
1954  tcph.th_seq = htonl(88);
1955  tcph.th_flags = TH_ACK;
1956  p->flowflags = FLOW_PKT_TOSERVER;
1957  p->payload_len = 0;
1958  p->payload = NULL;
1959  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1960  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1961  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1962  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
1963  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
1964  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1965  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1966  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1967  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1968  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1969  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1970  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1971 
1972  /* remaining response */
1973  uint8_t response2[] = {
1974  0x2f, 0x31, 0x2e, 0x31,
1975  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1976  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1977  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1978  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1979  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1980  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1981  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1982  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1983  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1984  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1985  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1986  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1987  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1988  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1989  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1990  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1991  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1992  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1993  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1994  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1995  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1996  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1997  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1998  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1999  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2000  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2001  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2002  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2003  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2004  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2005  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2006  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2007  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2008  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2009  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2010  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2011  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2012  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2013  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2014  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2015  PrintRawDataFp(stdout, response2, sizeof(response2));
2016  tcph.th_ack = htonl(88);
2017  tcph.th_seq = htonl(5);
2018  tcph.th_flags = TH_PUSH | TH_ACK;
2019  p->flowflags = FLOW_PKT_TOCLIENT;
2020  p->payload_len = sizeof(response2);
2021  p->payload = response2;
2022  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2023  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2024  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2025  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2026  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2027  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2028  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2029  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2030  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2031  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2032  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2033  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2034 
2035  /* response ack */
2036  tcph.th_ack = htonl(328);
2037  tcph.th_seq = htonl(88);
2038  tcph.th_flags = TH_ACK;
2039  p->flowflags = FLOW_PKT_TOSERVER;
2040  p->payload_len = 0;
2041  p->payload = NULL;
2042  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2043  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
2044  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
2045  FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts
2046  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete
2047  FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
2048  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2049  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2050  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2051  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2052  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
2053  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
2054 
2055  TEST_END;
2056  PASS;
2057 }
2058 
2059 /**
2060  * \test RUBBISH -> HTTP/1.1
2061  */
2062 static int AppLayerTest05(void)
2063 {
2064  TEST_START;
2065 
2066  /* full request */
2067  uint8_t request[] = {
2068  0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2069  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2070  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2071  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2072  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2073  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2074  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2075  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2076  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2077  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2078  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2079  PrintRawDataFp(stdout, request, sizeof(request));
2080  tcph.th_ack = htonl(1);
2081  tcph.th_seq = htonl(1);
2082  tcph.th_flags = TH_PUSH | TH_ACK;
2083  p->flowflags = FLOW_PKT_TOSERVER;
2084  p->payload_len = sizeof(request);
2085  p->payload = request;
2086  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2087  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2088  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2089  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2090  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2091  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2092  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2093  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2094  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2095  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2096  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2097  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2098 
2099  /* full response - request ack */
2100  uint8_t response[] = {
2101  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2102  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2103  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2104  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2105  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2106  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2107  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2108  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2109  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2110  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2111  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2112  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2113  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2114  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2115  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2116  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2117  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2118  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2119  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2120  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2121  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2122  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2123  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2124  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2125  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2126  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2127  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2128  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2129  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2130  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2131  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2132  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2133  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2134  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2135  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2136  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2137  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2138  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2139  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2140  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2141  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2142  PrintRawDataFp(stdout, response, sizeof(response));
2143  tcph.th_ack = htonl(88);
2144  tcph.th_seq = htonl(1);
2145  tcph.th_flags = TH_PUSH | TH_ACK;
2146  p->flowflags = FLOW_PKT_TOCLIENT;
2147  p->payload_len = sizeof(response);
2148  p->payload = response;
2149  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2150  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2151  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2152  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2153  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2154  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2155  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2156  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2157  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2158  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2159  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2160  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2161 
2162  /* response ack */
2163  tcph.th_ack = htonl(328);
2164  tcph.th_seq = htonl(88);
2165  tcph.th_flags = TH_ACK;
2166  p->flowflags = FLOW_PKT_TOSERVER;
2167  p->payload_len = 0;
2168  p->payload = NULL;
2169  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2170  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2171  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2172  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2173  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2174  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2175  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2176  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2177  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2178  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2179  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2180  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2181 
2182  TEST_END;
2183  PASS;
2184 }
2185 
2186 /**
2187  * \test HTTP/1.1 -> GET
2188  */
2189 static int AppLayerTest06(void)
2190 {
2191  TEST_START;
2192 
2193  /* full response - request ack */
2194  uint8_t response[] = {
2195  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2196  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2197  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2198  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2199  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2200  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2201  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2202  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2203  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2204  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2205  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2206  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2207  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2208  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2209  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2210  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2211  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2212  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2213  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2214  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2215  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2216  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2217  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2218  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2219  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2220  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2221  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2222  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2223  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2224  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2225  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2226  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2227  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2228  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2229  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2230  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2231  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2232  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2233  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2234  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2235  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2236  tcph.th_ack = htonl(1);
2237  tcph.th_seq = htonl(1);
2238  tcph.th_flags = TH_PUSH | TH_ACK;
2239  p->flowflags = FLOW_PKT_TOCLIENT;
2240  p->payload_len = sizeof(response);
2241  p->payload = response;
2242  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2243  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2244  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2245  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2246  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2247  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2248  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2249  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2250  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2251  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2252  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2253  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
2254 
2255  /* full request - response ack*/
2256  uint8_t request[] = {
2257  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2258  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2259  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2260  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2261  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2262  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2263  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2264  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2265  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2266  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2267  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2268  tcph.th_ack = htonl(328);
2269  tcph.th_seq = htonl(1);
2270  tcph.th_flags = TH_PUSH | TH_ACK;
2271  p->flowflags = FLOW_PKT_TOSERVER;
2272  p->payload_len = sizeof(request);
2273  p->payload = request;
2274  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2275  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2276  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2277  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2278  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2279  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2280  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2281  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2282  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2283  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2284  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2285  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2286 
2287  tcph.th_ack = htonl(1 + sizeof(request));
2288  tcph.th_seq = htonl(328);
2289  tcph.th_flags = TH_PUSH | TH_ACK;
2290  p->flowflags = FLOW_PKT_TOCLIENT;
2291  p->payload_len = 0;
2292  p->payload = NULL;
2293  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2294  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2295  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2296  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2297  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2298  FAIL_IF(f.alproto_tc != ALPROTO_HTTP1);
2299  FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2300  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2301  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2302  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2303  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2304  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2305 
2306  TEST_END;
2307  PASS;
2308 }
2309 
2310 /**
2311  * \test GET -> DCERPC
2312  */
2313 static int AppLayerTest07(void)
2314 {
2315  TEST_START;
2316 
2317  /* full request */
2318  uint8_t request[] = {
2319  0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2320  0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2321  0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2322  0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2323  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2324  0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2325  0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2326  0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2327  0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2328  0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2329  0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2330  tcph.th_ack = htonl(1);
2331  tcph.th_seq = htonl(1);
2332  tcph.th_flags = TH_PUSH | TH_ACK;
2333  p->flowflags = FLOW_PKT_TOSERVER;
2334  p->payload_len = sizeof(request);
2335  p->payload = request;
2336  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2337  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2338  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2339  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2340  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2341  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2342  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2343  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2344  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2345  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2346  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2347  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2348 
2349  /* full response - request ack */
2350  uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30,
2351  0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c,
2352  0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36,
2353  0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72,
2354  0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2355  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f,
2356  0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
2357  0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20,
2358  0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47,
2359  0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39,
2360  0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66,
2361  0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52,
2362  0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2363  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20,
2364  0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a,
2365  0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
2366  0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d,
2367  0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64,
2368  0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d,
2369  0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68,
2370  0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2371  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2372  tcph.th_ack = htonl(88);
2373  tcph.th_seq = htonl(1);
2374  tcph.th_flags = TH_PUSH | TH_ACK;
2375  p->flowflags = FLOW_PKT_TOCLIENT;
2376  p->payload_len = sizeof(response);
2377  p->payload = response;
2378  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2379  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2380  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2381  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2382  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2383  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2384  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2385  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2386  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2387  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2388  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2389  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2390 
2391  /* response ack */
2392  tcph.th_ack = htonl(328);
2393  tcph.th_seq = htonl(88);
2394  tcph.th_flags = TH_ACK;
2395  p->flowflags = FLOW_PKT_TOSERVER;
2396  p->payload_len = 0;
2397  p->payload = NULL;
2398  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2399  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2400  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2401  FAIL_IF(f.alproto != ALPROTO_HTTP1);
2402  FAIL_IF(f.alproto_ts != ALPROTO_HTTP1);
2403  FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2404  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2405  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2406  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2407  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2408  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2409  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2410 
2411  TEST_END;
2412  PASS;
2413 }
2414 
2415 /**
2416  * \test RUBBISH(TC - PM and PP NOT DONE) ->
2417  * RUBBISH(TC - PM and PP DONE) ->
2418  * RUBBISH(TS - PM and PP DONE)
2419  */
2420 static int AppLayerTest09(void)
2421 {
2422  TEST_START;
2423 
2424  /* full request */
2425  uint8_t request1[] = {
2426  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2427  tcph.th_ack = htonl(1);
2428  tcph.th_seq = htonl(1);
2429  tcph.th_flags = TH_PUSH | TH_ACK;
2430  p->flowflags = FLOW_PKT_TOSERVER;
2431  p->payload_len = sizeof(request1);
2432  p->payload = request1;
2433  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2434  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2435  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2436  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2437  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2438  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2439  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2440  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2441  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2442  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2443  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2444  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2445 
2446  /* response - request ack */
2447  tcph.th_ack = htonl(9);
2448  tcph.th_seq = htonl(1);
2449  tcph.th_flags = TH_PUSH | TH_ACK;
2450  p->flowflags = FLOW_PKT_TOCLIENT;
2451  p->payload_len = 0;
2452  p->payload = NULL;
2453  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2454  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2455  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2456  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2457  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2458  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2459  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2460  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2461  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2462  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2463  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2464  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2465 
2466  /* full request */
2467  uint8_t request2[] = {
2468  0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2469  tcph.th_ack = htonl(1);
2470  tcph.th_seq = htonl(9);
2471  tcph.th_flags = TH_PUSH | TH_ACK;
2472  p->flowflags = FLOW_PKT_TOSERVER;
2473  p->payload_len = sizeof(request2);
2474  p->payload = request2;
2475  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2476  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2477  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2478  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2479  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2480  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2481  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2482  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2483  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2484  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2485  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2486  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2487 
2488  /* full response - request ack */
2489  uint8_t response[] = {
2490  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2491  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2492  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2493  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2494  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2495  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2496  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2497  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2498  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2499  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2500  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2501  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2502  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2503  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2504  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2505  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2506  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2507  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2508  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2509  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2510  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2511  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2512  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2513  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2514  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2515  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2516  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2517  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2518  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2519  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2520  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2521  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2522  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2523  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2524  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2525  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2526  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2527  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2528  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2529  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2530  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2531  tcph.th_ack = htonl(18);
2532  tcph.th_seq = htonl(1);
2533  tcph.th_flags = TH_PUSH | TH_ACK;
2534  p->flowflags = FLOW_PKT_TOCLIENT;
2535  p->payload_len = sizeof(response);
2536  p->payload = response;
2537  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2538  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2539  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2540  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2541  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2542  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2543  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2544  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2545  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2546  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2547  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2548  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2549 
2550  /* response ack */
2551  tcph.th_ack = htonl(328);
2552  tcph.th_seq = htonl(18);
2553  tcph.th_flags = TH_ACK;
2554  p->flowflags = FLOW_PKT_TOSERVER;
2555  p->payload_len = 0;
2556  p->payload = NULL;
2557  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2558  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2559  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2560  FAIL_IF(f.alproto != ALPROTO_FAILED);
2561  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2562  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2563  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2564  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2565  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2566  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2567  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2568  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2569 
2570  TEST_END;
2571  PASS;
2572 }
2573 
2574 /**
2575  * \test RUBBISH(TC - PM and PP DONE) ->
2576  * RUBBISH(TS - PM and PP DONE)
2577  */
2578 static int AppLayerTest10(void)
2579 {
2580  TEST_START;
2581 
2582  /* full request */
2583  uint8_t request1[] = {
2584  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2585  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2586  tcph.th_ack = htonl(1);
2587  tcph.th_seq = htonl(1);
2588  tcph.th_flags = TH_PUSH | TH_ACK;
2589  p->flowflags = FLOW_PKT_TOSERVER;
2590  p->payload_len = sizeof(request1);
2591  p->payload = request1;
2592  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2593  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2594  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2595  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2596  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2597  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2598  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2599  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2600  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2601  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2602  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2603  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2604 
2605  /* response - request ack */
2606  tcph.th_ack = htonl(18);
2607  tcph.th_seq = htonl(1);
2608  tcph.th_flags = TH_PUSH | TH_ACK;
2609  p->flowflags = FLOW_PKT_TOCLIENT;
2610  p->payload_len = 0;
2611  p->payload = NULL;
2612  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2613  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2614  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2615  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2616  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2617  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2618  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2619  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2620  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2621  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2622  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2623  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2624 
2625  /* full response - request ack */
2626  uint8_t response[] = {
2627  0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2628  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2629  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2630  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2631  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2632  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2633  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2634  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2635  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2636  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2637  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2638  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2639  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2640  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2641  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2642  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2643  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2644  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2645  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2646  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2647  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2648  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2649  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2650  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2651  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2652  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2653  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2654  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2655  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2656  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2657  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2658  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2659  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2660  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2661  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2662  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2663  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2664  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2665  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2666  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2667  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2668  tcph.th_ack = htonl(18);
2669  tcph.th_seq = htonl(1);
2670  tcph.th_flags = TH_PUSH | TH_ACK;
2671  p->flowflags = FLOW_PKT_TOCLIENT;
2672  p->payload_len = sizeof(response);
2673  p->payload = response;
2674  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2675  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2676  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2677  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2678  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2679  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2680  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2681  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2682  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2683  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2684  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2685  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2686 
2687  /* response ack */
2688  tcph.th_ack = htonl(328);
2689  tcph.th_seq = htonl(18);
2690  tcph.th_flags = TH_ACK;
2691  p->flowflags = FLOW_PKT_TOSERVER;
2692  p->payload_len = 0;
2693  p->payload = NULL;
2694  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2695  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2696  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2697  FAIL_IF(f.alproto != ALPROTO_FAILED);
2698  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2699  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2700  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2701  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2702  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2703  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2704  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2705  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2706 
2707  TEST_END;
2708  PASS;
2709 }
2710 
2711 /**
2712  * \test RUBBISH(TC - PM and PP DONE) ->
2713  * RUBBISH(TS - PM and PP NOT DONE) ->
2714  * RUBBISH(TS - PM and PP DONE)
2715  */
2716 static int AppLayerTest11(void)
2717 {
2718  TEST_START;
2719 
2720  /* full request */
2721  uint8_t request1[] = {
2722  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2723  0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2724  tcph.th_ack = htonl(1);
2725  tcph.th_seq = htonl(1);
2726  tcph.th_flags = TH_PUSH | TH_ACK;
2727  p->flowflags = FLOW_PKT_TOSERVER;
2728  p->payload_len = sizeof(request1);
2729  p->payload = request1;
2730  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2731  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2732  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2733  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2734  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2735  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2736  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2737  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2738  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2739  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2740  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2741  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2742 
2743  /* response - request ack */
2744  tcph.th_ack = htonl(18);
2745  tcph.th_seq = htonl(1);
2746  tcph.th_flags = TH_PUSH | TH_ACK;
2747  p->flowflags = FLOW_PKT_TOCLIENT;
2748  p->payload_len = 0;
2749  p->payload = NULL;
2750  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2751  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2752  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2753  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2754  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2755  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2756  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2757  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2758  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2759  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2760  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2761  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2762 
2763  /* full response - request ack */
2764  uint8_t response1[] = {
2765  0x55, 0x74, 0x54, 0x50, };
2766  tcph.th_ack = htonl(18);
2767  tcph.th_seq = htonl(1);
2768  tcph.th_flags = TH_PUSH | TH_ACK;
2769  p->flowflags = FLOW_PKT_TOCLIENT;
2770  p->payload_len = sizeof(response1);
2771  p->payload = response1;
2772  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2773  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2774  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2775  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2776  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2777  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2778  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2779  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2780  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2781  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2782  FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2783  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2784 
2785  /* response ack from request */
2786  tcph.th_ack = htonl(5);
2787  tcph.th_seq = htonl(18);
2788  tcph.th_flags = TH_ACK;
2789  p->flowflags = FLOW_PKT_TOSERVER;
2790  p->payload_len = 0;
2791  p->payload = NULL;
2792  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2793  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2794  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2795  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2796  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2797  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2798  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2799  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2800  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2801  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2802  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2803  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2804 
2805  uint8_t response2[] = {
2806  0x2f, 0x31, 0x2e, 0x31,
2807  0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2808  0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2809  0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2810  0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2811  0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2812  0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2813  0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2814  0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2815  0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2816  0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2817  0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2818  0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2819  0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2820  0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2821  0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2822  0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2823  0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2824  0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2825  0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2826  0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2827  0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2828  0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2829  0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2830  0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2831  0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2832  0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2833  0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2834  0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2835  0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2836  0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2837  0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2838  0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2839  0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2840  0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2841  0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2842  0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2843  0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2844  0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2845  0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2846  0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2847  tcph.th_ack = htonl(18);
2848  tcph.th_seq = htonl(5);
2849  tcph.th_flags = TH_PUSH | TH_ACK;
2850  p->flowflags = FLOW_PKT_TOCLIENT;
2851  p->payload_len = sizeof(response2);
2852  p->payload = response2;
2853  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2854  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2855  FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2856  FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2857  FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2858  FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2859  FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2860  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2861  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2862  FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2863  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2864  FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2865 
2866  /* response ack from request */
2867  tcph.th_ack = htonl(328);
2868  tcph.th_seq = htonl(18);
2869  tcph.th_flags = TH_ACK;
2870  p->flowflags = FLOW_PKT_TOSERVER;
2871  p->payload_len = 0;
2872  p->payload = NULL;
2873  FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2874  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2875  FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2876  FAIL_IF(f.alproto != ALPROTO_FAILED);
2877  FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2878  FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2879  FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2880  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2881  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2882  FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2883  FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2884  FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2885 
2886  TEST_END;
2887  PASS;
2888 }
2889 
2890 void AppLayerUnittestsRegister(void)
2891 {
2892  SCEnter();
2893 
2894  UtRegisterTest("AppLayerTest01", AppLayerTest01);
2895  UtRegisterTest("AppLayerTest02", AppLayerTest02);
2896  UtRegisterTest("AppLayerTest03", AppLayerTest03);
2897  UtRegisterTest("AppLayerTest04", AppLayerTest04);
2898  UtRegisterTest("AppLayerTest05", AppLayerTest05);
2899  UtRegisterTest("AppLayerTest06", AppLayerTest06);
2900  UtRegisterTest("AppLayerTest07", AppLayerTest07);
2901  UtRegisterTest("AppLayerTest09", AppLayerTest09);
2902  UtRegisterTest("AppLayerTest10", AppLayerTest10);
2903  UtRegisterTest("AppLayerTest11", AppLayerTest11);
2904 
2905  SCReturn;
2906 }
2907 
2908 #endif /* UNITTESTS */
AppLayerCounters_::alloc_error_id
uint16_t alloc_error_id
Definition: app-layer.c:94
APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
#define APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER
Definition: app-layer.h:40
AppLayerCounters_::counter_id
uint16_t counter_id
Definition: app-layer.c:89
FLOW_RESET_PP_DONE
#define FLOW_RESET_PP_DONE(f, dir)
Definition: flow.h:285
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:56
FlowUnsetChangeProtoFlag
void FlowUnsetChangeProtoFlag(Flow *f)
Unset flag to indicate to change proto for the flow.
Definition: flow.c:184
Packet_::proto
uint8_t proto
Definition: decode.h:498
AppLayerParserDeSetup
int AppLayerParserDeSetup(void)
Definition: app-layer-parser.c:273
TcpStream_
Definition: stream-tcp-private.h:106
APPLAYER_UNEXPECTED_PROTOCOL
@ APPLAYER_UNEXPECTED_PROTOCOL
Definition: app-layer-events.h:54
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:69
AppLayerCounters_::gap_error_id
uint16_t gap_error_id
Definition: app-layer.c:91
AppLayerCounters_
Definition: app-layer.c:88
ippair.h
app-layer-htp-range.h
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:137
AppLayerProtoDetectSetup
int AppLayerProtoDetectSetup(void)
The first function to be called. This initializes a global protocol detection context.
Definition: app-layer-detect-proto.c:1691
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
ExpectationGetCounter
uint64_t ExpectationGetCounter(void)
Definition: app-layer-expectation.c:140
AppLayerCounterNames_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE]
Definition: app-layer.c:85
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
AppLayerCounters_::counter_tx_id
uint16_t counter_tx_id
Definition: app-layer.c:90
AppLayerCounters
struct AppLayerCounters_ AppLayerCounters
stream-tcp-inline.h
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
stream-tcp.h
ALPROTO_ENIP
@ ALPROTO_ENIP
Definition: app-layer-protos.h:49
StreamTcpInlineMode
bool StreamTcpInlineMode(void)
See if stream engine is operating in inline mode.
Definition: stream-tcp.c:7092
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
AppLayerGetProtoByName
AppProto AppLayerGetProtoByName(const char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
Definition: app-layer.c:1001
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
AppLayerCounterNames_::parser_error
char parser_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:82
StatsRegisterGlobalCounter
uint16_t StatsRegisterGlobalCounter(const char *name, uint64_t(*Func)(void))
Registers a counter, which represents a global value.
Definition: counters.c:1009
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:48
AppLayerProfilingStoreInternal
void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
Definition: app-layer.c:1150
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:85
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
Packet_::payload
uint8_t * payload
Definition: decode.h:574
ALPROTO_POP3
@ ALPROTO_POP3
Definition: app-layer-protos.h:72
TcpReassemblyThreadCtx_::app_tctx
void * app_tctx
Definition: stream-tcp-reassemble.h:62
Packet_::flags
uint32_t flags
Definition: decode.h:513
AppLayerThreadCtx_::proto_detect_ticks_spent
uint64_t proto_detect_ticks_spent
Definition: app-layer.c:71
PACKET_PROFILING_APP_PD_END
#define PACKET_PROFILING_APP_PD_END(dp)
Definition: util-profiling.h:186
ALPROTO_JABBER
@ ALPROTO_JABBER
Definition: app-layer-protos.h:42
TcpStreamCnf_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp.h:75
AppLayerThreadCtx_::alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: app-layer.c:62
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:354
AppLayerIncGapErrorCounter
void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:162
AppLayerCounters_::internal_error_id
uint16_t internal_error_id
Definition: app-layer.c:93
Flow_::protomap
uint8_t protomap
Definition: flow.h:443
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:40
AppLayerThreadCtx_::ticks_spent
uint64_t ticks_spent
Definition: app-layer.c:67
ALPROTO_IRC
@ ALPROTO_IRC
Definition: app-layer-protos.h:45
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:48
AppLayerParserGetFirstDataDir
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1135
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:217
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir app_update_dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1398
StreamTcpResetStreamFlagAppProtoDetectionCompleted
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:305
AppLayerRegisterThreadCounters
void AppLayerRegisterThreadCounters(ThreadVars *tv)
Registers per flow counters for all protocols.
Definition: app-layer.c:1306
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:454
AppLayerProtoDetectSupportedIpprotos
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
Definition: app-layer-detect-proto.c:2043
FTPMemuseGlobalCounter
uint64_t FTPMemuseGlobalCounter(void)
Definition: app-layer-ftp.c:77
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:60
AppLayerProfilingResetInternal
void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
Definition: app-layer.c:1145
AppLayerCounterNames_
Definition: app-layer.c:78
AppLayerParserStateProtoCleanup
void AppLayerParserStateProtoCleanup(uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate)
Definition: app-layer-parser.c:1604
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
AppLayerHandleTCPData
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir app_update_dir)
handle TCP data for the app-layer.
Definition: app-layer.c:710
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:231
ALPROTO_LDAP
@ ALPROTO_LDAP
Definition: app-layer-protos.h:66
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
MIN
#define MIN(x, y)
Definition: suricata-common.h:400
StreamTcpUpdateAppLayerProgress
void StreamTcpUpdateAppLayerProgress(TcpSession *ssn, char direction, const uint32_t progress)
update reassembly progress
Definition: stream-tcp.c:6663
ALPROTO_FTP
@ ALPROTO_FTP
Definition: app-layer-protos.h:37
app_layer_error_eps_stats
ExceptionPolicyStatsSetts app_layer_error_eps_stats
Definition: app-layer.c:107
stream-tcp-reassemble.h
AppLayerThreadCtx_::proto_detect_ticks_end
uint64_t proto_detect_ticks_end
Definition: app-layer.c:70
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
AppLayerUnittestsRegister
void AppLayerUnittestsRegister(void)
Definition: app-layer.c:2890
APPLAYER_PROTO_DETECTION_SKIPPED
@ APPLAYER_PROTO_DETECTION_SKIPPED
Definition: app-layer-events.h:52
HTPMemuseGlobalCounter
uint64_t HTPMemuseGlobalCounter(void)
Definition: app-layer-htp-mem.c:81
AppLayerListSupportedProtocols
void AppLayerListSupportedProtocols(void)
Definition: app-layer.c:1015
AppLayerSetupCounters
void AppLayerSetupCounters(void)
Definition: app-layer.c:1197
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:40
app-layer-ftp.h
ALPROTO_DHCP
@ ALPROTO_DHCP
Definition: app-layer-protos.h:58
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
AppLayerThreadCtx_::alproto
AppProto alproto
Definition: app-layer.c:68
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
MAX
#define MAX(x, y)
Definition: suricata-common.h:404
Flow_::protoctx
void * protoctx
Definition: flow.h:439
AppLayerCounterNames_::tx_name
char tx_name[MAX_COUNTER_SIZE]
Definition: app-layer.c:80
AppLayerIncAllocErrorCounter
void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:170
EXCEPTION_POLICY_NOT_SET
@ EXCEPTION_POLICY_NOT_SET
Definition: util-exception-policy-types.h:26
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
Packet_::app_layer_events
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:601
util-unittest.h
PACKET_PROFILING_APP_PD_START
#define PACKET_PROFILING_APP_PD_START(dp)
Definition: util-profiling.h:181
AppLayerCounters_::parser_error_id
uint16_t parser_error_id
Definition: app-layer.c:92
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1094
HostGetMemcap
uint64_t HostGetMemcap(void)
Return memcap value.
Definition: host.c:83
PKT_PROTO_DETECT_TS_DONE
#define PKT_PROTO_DETECT_TS_DONE
Definition: decode.h:1299
MAX_COUNTER_SIZE
#define MAX_COUNTER_SIZE
Definition: app-layer.c:77
ALPROTO_KRB5
@ ALPROTO_KRB5
Definition: app-layer-protos.h:56
STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition: stream-tcp-private.h:170
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:59
FLOW_IS_PM_DONE
#define FLOW_IS_PM_DONE(f, dir)
Definition: flow.h:276
APPLAYER_NO_TLS_AFTER_STARTTLS
@ APPLAYER_NO_TLS_AFTER_STARTTLS
Definition: app-layer-events.h:53
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:473
EXCEPTION_POLICY_MAX
#define EXCEPTION_POLICY_MAX
Definition: util-exception-policy-types.h:36
AppLayerParserRegisterProtocolParsers
void AppLayerParserRegisterProtocolParsers(void)
Definition: app-layer-parser.c:1727
AppLayerThreadCtx_::proto_detect_ticks_start
uint64_t proto_detect_ticks_start
Definition: app-layer.c:69
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1077
app-layer-expectation.h
app-layer-detect-proto.h
AppLayerProtoDetectThreadCtx_
The app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:181
util-debug.h
AppLayerParserState_
Definition: app-layer-parser.c:129
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
ExceptionPolicyCounters_
Definition: util-exception-policy-types.h:43
APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
@ APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
Definition: app-layer-events.h:49
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:29
FLOW_IS_PP_DONE
#define FLOW_IS_PP_DONE(f, dir)
Definition: flow.h:277
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1158
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:50
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:366
AppLayerThreadCtx_::ticks_end
uint64_t ticks_end
Definition: app-layer.c:66
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:551
util-exception-policy.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
AppProtoRegisterProtoString
void AppProtoRegisterProtoString(AppProto alproto, const char *proto_name)
Definition: app-layer-protos.c:74
HTPByteRangeMemuseGlobalCounter
uint64_t HTPByteRangeMemuseGlobalCounter(void)
Definition: app-layer-htp-range.c:61
AppLayerThreadCtx_
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:58
ExceptionPolicyCounters_::eps_id
uint16_t eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:45
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
StreamTcpPacket
int StreamTcpPacket(ThreadVars *tv, Packet *p, StreamTcpThread *stt, PacketQueueNoLock *pq)
Definition: stream-tcp.c:5527
AppLayerProtoDetectReset
void AppLayerProtoDetectReset(Flow *f)
Reset proto detect for flow.
Definition: app-layer-detect-proto.c:1870
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
TEST_START
#define TEST_START
Definition: app-layer.c:1384
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:50
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
HostGetMemuse
uint64_t HostGetMemuse(void)
Return memuse value.
Definition: host.c:94
PACKET_PROFILING_APP_STORE
#define PACKET_PROFILING_APP_STORE(dp, p)
Definition: util-profiling.h:206
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
app-layer-parser.h
FLOW_PROTO_DETECT_TC_DONE
#define FLOW_PROTO_DETECT_TC_DONE
Definition: flow.h:103
AppLayerCounterNames
struct AppLayerCounterNames_ AppLayerCounterNames
util-profiling.h
AppLayerParserSetup
int AppLayerParserSetup(void)
Definition: app-layer-parser.c:248
SCReturn
#define SCReturn
Definition: util-debug.h:273
FLOW_RESET_PM_DONE
#define FLOW_RESET_PM_DONE(f, dir)
Definition: flow.h:284
stream.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:303
Packet_
Definition: decode.h:476
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:41
stream-tcp-private.h
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:69
FLOW_PROTO_APPLAYER_MAX
#define FLOW_PROTO_APPLAYER_MAX
Definition: flow-private.h:77
applayer_counters
AppLayerCounters(* applayer_counters)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:101
AppLayerHandleUdp
int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
Handle a app layer UDP message.
Definition: app-layer.c:877
DEBUG_ASSERT_FLOW_LOCKED
#define DEBUG_ASSERT_FLOW_LOCKED(f)
Definition: util-validate.h:99
StreamTcpSetStreamFlagAppProtoDetectionCompleted
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)
Definition: stream-tcp-private.h:301
PACKET_PROFILING_APP_END
#define PACKET_PROFILING_APP_END(dp)
Definition: util-profiling.h:173
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
ALPROTO_TELNET
@ ALPROTO_TELNET
Definition: app-layer-protos.h:64
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:67
name
const char * name
Definition: tm-threads.c:2081
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerThreadCtx_::alpd_tctx
AppLayerProtoDetectThreadCtx * alpd_tctx
Definition: app-layer.c:60
StreamDataAvailableForProtoDetect
uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream)
Definition: stream-tcp-reassemble.c:723
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1107
ALPROTO_TFTP
@ ALPROTO_TFTP
Definition: app-layer-protos.h:54
AppLayerThreadCtx_::ticks_start
uint64_t ticks_start
Definition: app-layer.c:65
AppLayerIncParserErrorCounter
void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:178
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:70
FTPMemcapGlobalCounter
uint64_t FTPMemcapGlobalCounter(void)
Definition: app-layer-ftp.c:83
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:232
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:457
decode-events.h
UPDATE_DIR_OPPOSING
@ UPDATE_DIR_OPPOSING
Definition: stream-tcp-reassemble.h:57
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:285
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
app-layer-frames.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:448
suricata-common.h
FLOW_RESET_PE_DONE
#define FLOW_RESET_PE_DONE(f, dir)
Definition: flow.h:286
AppLayerProtoDetectDeSetup
int AppLayerProtoDetectDeSetup(void)
Cleans up the app layer protocol detection phase.
Definition: app-layer-detect-proto.c:1730
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
AppLayerDecoderEventsSetEventRaw
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event)
Set an app layer decoder event.
Definition: app-layer-events.c:94
ALPROTO_PGSQL
@ ALPROTO_PGSQL
Definition: app-layer-protos.h:63
IPPairGetMemuse
uint64_t IPPairGetMemuse(void)
Return memuse value.
Definition: ippair.c:92
Packet_::app_update_direction
uint8_t app_update_direction
Definition: decode.h:510
FLOW_PROTO_DETECT_TS_DONE
#define FLOW_PROTO_DETECT_TS_DONE
Definition: flow.h:102
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:53
AppLayerIncInternalErrorCounter
void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f)
Definition: app-layer.c:186
eps_error_summary
ExceptionPolicyCounters eps_error_summary
Definition: app-layer.c:103
FatalError
#define FatalError(...)
Definition: util-debug.h:502
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
@ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
Definition: app-layer-events.h:51
STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition: stream-tcp-private.h:174
applayer_counter_names
AppLayerCounterNames(* applayer_counter_names)[FLOW_PROTO_APPLAYER_MAX]
Definition: app-layer.c:99
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:65
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
PKT_PROTO_DETECT_TC_DONE
#define PKT_PROTO_DETECT_TC_DONE
Definition: decode.h:1300
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:39
AppLayerParserGetStreamDepth
uint32_t AppLayerParserGetStreamDepth(const Flow *f)
Definition: app-layer-parser.c:1565
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
FlowSwap
void FlowSwap(Flow *f)
swap the flow's direction
Definition: flow.c:244
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
AppLayerProtoDetectSupportedAppProtocols
void AppLayerProtoDetectSupportedAppProtocols(AppProto *alprotos)
Definition: app-layer-detect-proto.c:2105
AppLayerProtoDetectGetProto
AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, Flow *f, const uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t flags, bool *reverse_flow)
Returns the app layer protocol given a buffer.
Definition: app-layer-detect-proto.c:1403
AppLayerProtoDetectGetCtxThread
AppLayerProtoDetectThreadCtx * AppLayerProtoDetectGetCtxThread(void)
Inits and returns an app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:1964
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
AppLayerProtoDetectGetProtoByName
AppProto AppLayerProtoDetectGetProtoByName(const char *alproto_name)
Definition: app-layer-detect-proto.c:2063
str
#define str(s)
Definition: suricata-common.h:300
SWAP_FLAGS
#define SWAP_FLAGS(flags, a, b)
Definition: suricata-common.h:426
ExceptionPolicyEnumToString
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
Definition: util-exception-policy.c:35
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AppLayerCounterNames_::gap_error
char gap_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:81
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:449
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:51
TcpSessionSetReassemblyDepth
void TcpSessionSetReassemblyDepth(TcpSession *ssn, uint32_t size)
Definition: stream-tcp.c:7098
Flow_::alstate
void * alstate
Definition: flow.h:474
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1128
PACKET_PROFILING_APP_START
#define PACKET_PROFILING_APP_START(dp, id)
Definition: util-profiling.h:167
HTPByteRangeMemcapGlobalCounter
uint64_t HTPByteRangeMemcapGlobalCounter(void)
Definition: app-layer-htp-range.c:55
Flow_::flags
uint32_t flags
Definition: flow.h:419
HTPMemcapGlobalCounter
uint64_t HTPMemcapGlobalCounter(void)
Definition: app-layer-htp-mem.c:87
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:62
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1008
g_applayerparser_error_policy
enum ExceptionPolicy g_applayerparser_error_policy
Definition: app-layer-parser.c:149
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
AppLayerCounters_::eps_error
ExceptionPolicyCounters eps_error
Definition: app-layer.c:95
AppLayerIncTxCounter
void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
Definition: app-layer.c:154
stream-tcp-util.h
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
ALPROTO_FAILED
@ ALPROTO_FAILED
Definition: app-layer-protos.h:33
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:68
AppLayerCounterNames_::internal_error
char internal_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:83
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:61
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
app-layer-protos.h
AppLayerProfilingReset
#define AppLayerProfilingReset(app_tctx)
Definition: app-layer.h:127
app-layer-htp-mem.h
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:232
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition: stream-tcp-private.h:219
suricata.h
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:61
TEST_END
#define TEST_END
Definition: app-layer.c:1466
StreamUpdateDir
StreamUpdateDir
Definition: stream-tcp-reassemble.h:54
AppLayerProtoDetectDestroyCtxThread
void AppLayerProtoDetectDestroyCtxThread(AppLayerProtoDetectThreadCtx *alpd_tctx)
Destroys the app layer protocol detection thread context.
Definition: app-layer-detect-proto.c:2017
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:71
ALPROTO_NTP
@ ALPROTO_NTP
Definition: app-layer-protos.h:52
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
likely
#define likely(expr)
Definition: util-optimize.h:32
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
AppLayerCounterNames_::name
char name[MAX_COUNTER_SIZE]
Definition: app-layer.c:79
FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition: flow.c:194
TcpSession_
Definition: stream-tcp-private.h:283
FrameConfigDeInit
void FrameConfigDeInit(void)
Definition: app-layer-frames.c:50
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:288
flow.h
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:450
FLOW_PROTO_CHANGE_MAX_DEPTH
#define FLOW_PROTO_CHANGE_MAX_DEPTH
Definition: app-layer.c:75
AppLayerProtoDetectPrepareState
int AppLayerProtoDetectPrepareState(void)
Prepares the internal state for protocol detection. This needs to be called once all the patterns and...
Definition: app-layer-detect-proto.c:1491
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:448
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:951
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
AppLayerCounterNames_::alloc_error
char alloc_error[MAX_COUNTER_SIZE]
Definition: app-layer.c:84
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
PACKET_PROFILING_APP_RESET
#define PACKET_PROFILING_APP_RESET(dp)
Definition: util-profiling.h:195
APPLAYER_WRONG_DIRECTION_FIRST_DATA
@ APPLAYER_WRONG_DIRECTION_FIRST_DATA
Definition: app-layer-events.h:50
AppLayerDeSetupCounters
void AppLayerDeSetupCounters(void)
Definition: app-layer.c:1370
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
ExceptionPolicyStatsSetts_::eps_name
char eps_name[EXCEPTION_POLICY_MAX][EXCEPTION_POLICY_COUNTER_MAX_LEN]
Definition: util-exception-policy-types.h:49
STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition: stream-tcp-private.h:232
AppLayerProtoDetectGetProtoName
const char * AppLayerProtoDetectGetProtoName(AppProto alproto)
Definition: app-layer-detect-proto.c:2088
app-layer.h
Flow_::de_ctx_version
uint32_t de_ctx_version
Definition: flow.h:462