1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23 *
24 * Generic App-layer functions
25 */
26
27 #include "suricata-common.h"
28
29 #include "app-layer.h"
30 #include "app-layer-parser.h"
31 #include "app-layer-protos.h"
32 #include "app-layer-expectation.h"
33 #include "app-layer-ftp.h"
34 #include "app-layer-detect-proto.h"
35 #include "stream-tcp-reassemble.h"
36 #include "stream-tcp-private.h"
37 #include "stream-tcp-inline.h"
38 #include "stream-tcp.h"
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-private.h"
42 #include "ippair.h"
43
44 #include "util-debug.h"
45 #include "util-print.h"
46 #include "util-profiling.h"
47 #include "util-validate.h"
48 #include "decode-events.h"
49
50 #include "app-layer-htp-mem.h"
51
52 /**
53 * \brief This is for the app layer in general and it contains per thread
54 * context relevant to both the alpd and alp.
55 */
56 struct AppLayerThreadCtx_ {
57 /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */
58 AppLayerProtoDetectThreadCtx *alpd_tctx;
59 /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */
60 AppLayerParserThreadCtx *alp_tctx;
61
62 #ifdef PROFILING
63 uint64_t ticks_start;
64 uint64_t ticks_end;
65 uint64_t ticks_spent;
66 AppProto alproto;
67 uint64_t proto_detect_ticks_start;
68 uint64_t proto_detect_ticks_end;
69 uint64_t proto_detect_ticks_spent;
70 #endif
71 };
72
73 #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096
74
75 #define MAX_COUNTER_SIZE 64
76 typedef struct AppLayerCounterNames_ {
77 char name[MAX_COUNTER_SIZE];
78 char tx_name[MAX_COUNTER_SIZE];
79 } AppLayerCounterNames;
80
81 typedef struct AppLayerCounters_ {
82 uint16_t counter_id;
83 uint16_t counter_tx_id;
84 } AppLayerCounters;
85
86 /* counter names. Only used at init. */
87 AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
88 /* counter id's. Used that runtime. */
89 AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX];
90
91 void AppLayerSetupCounters(void);
92 void AppLayerDeSetupCounters(void);
93
94 /***** L7 layer dispatchers *****/
95
ProtoDetectDone(const Flow * f,const TcpSession * ssn,uint8_t direction)96 static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) {
97 const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server;
98 return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) ||
99 (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction)));
100 }
101
102 /**
103 * \note id can be 0 if protocol parser is disabled but detection
104 * is enabled.
105 */
AppLayerIncFlowCounter(ThreadVars * tv,Flow * f)106 static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f)
107 {
108 const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id;
109 if (likely(tv && id > 0)) {
110 StatsIncr(tv, id);
111 }
112 }
113
AppLayerIncTxCounter(ThreadVars * tv,Flow * f,uint64_t step)114 void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step)
115 {
116 const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id;
117 if (likely(tv && id > 0)) {
118 StatsAddUI64(tv, id, step);
119 }
120 }
121
122 /* in IDS mode protocol detection is done in reverse order:
123 * when TCP data is ack'd. We want to flag the correct packet,
124 * so in this case we set a flag in the flow so that the first
125 * packet in the correct direction can be tagged.
126 *
127 * For IPS things are much simpler, and we don't use the flow
128 * flag. We just tag the packet directly. */
FlagPacketFlow(Packet * p,Flow * f,uint8_t flags)129 static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags)
130 {
131 if (EngineModeIsIPS()) {
132 if (flags & STREAM_TOSERVER) {
133 if (p->flowflags & FLOW_PKT_TOSERVER) {
134 p->flags |= PKT_PROTO_DETECT_TS_DONE;
135 } else {
136 f->flags |= FLOW_PROTO_DETECT_TS_DONE;
137 }
138 } else {
139 if (p->flowflags & FLOW_PKT_TOCLIENT) {
140 p->flags |= PKT_PROTO_DETECT_TC_DONE;
141 } else {
142 f->flags |= FLOW_PROTO_DETECT_TC_DONE;
143 }
144 }
145 } else {
146 if (flags & STREAM_TOSERVER) {
147 f->flags |= FLOW_PROTO_DETECT_TS_DONE;
148 } else {
149 f->flags |= FLOW_PROTO_DETECT_TC_DONE;
150 }
151 }
152 }
153
DisableAppLayer(ThreadVars * tv,Flow * f,Packet * p)154 static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p)
155 {
156 SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u",
157 f, f->alproto, f->alproto_ts, f->alproto_tc);
158 FlowCleanupAppLayer(f);
159 StreamTcpDisableAppLayer(f);
160 TcpSession *ssn = f->protoctx;
161 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
162 f->alproto = ALPROTO_FAILED;
163 AppLayerIncFlowCounter(tv, f);
164
165 if (f->alproto_tc != ALPROTO_FAILED) {
166 if (f->alproto_tc == ALPROTO_UNKNOWN) {
167 f->alproto_tc = ALPROTO_FAILED;
168 }
169 FlagPacketFlow(p, f, STREAM_TOCLIENT);
170 }
171 if (f->alproto_ts != ALPROTO_FAILED) {
172 if (f->alproto_ts == ALPROTO_UNKNOWN) {
173 f->alproto_ts = ALPROTO_FAILED;
174 }
175 FlagPacketFlow(p, f, STREAM_TOSERVER);
176 }
177 SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u",
178 f, f->alproto, f->alproto_ts, f->alproto_tc);
179 }
180
181 /* See if we're going to have to give up:
182 *
183 * If we're getting a lot of data in one direction and the
184 * proto for this direction is unknown, proto detect will
185 * hold up segments in the segment list in the stream.
186 * They are held so that if we detect the protocol on the
187 * opposing stream, we can still parse this side of the stream
188 * as well. However, some sessions are very unbalanced. FTP
189 * data channels, large PUT/POST request and many others, can
190 * lead to cases where we would have to store many megabytes
191 * worth of segments before we see the opposing stream. This
192 * leads to risks of resource starvation.
193 *
194 * Here a cutoff point is enforced. If we've stored 100k in
195 * one direction and we've seen no data in the other direction,
196 * we give up.
197 *
198 * Giving up means we disable applayer an set an applayer event
199 */
TCPProtoDetectCheckBailConditions(ThreadVars * tv,Flow * f,TcpSession * ssn,Packet * p)200 static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
201 Flow *f, TcpSession *ssn, Packet *p)
202 {
203 if (ssn->state < TCP_ESTABLISHED) {
204 SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)");
205 return;
206 }
207
208 const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
209 const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
210 SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
211
212 /* at least 100000 whatever the conditions
213 * and can be more if window is bigger and if configuration allows it */
214 const uint32_t size_tc_limit =
215 MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
216 const uint32_t size_ts_limit =
217 MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
218
219 if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
220 ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
221 {
222 goto failure;
223
224 /* we bail out whatever the pp and pm states if
225 * we received too much data */
226 } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
227 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
228 goto failure;
229
230 } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
231 size_ts > size_ts_limit && size_tc == 0) {
232 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
233 APPLAYER_PROTO_DETECTION_SKIPPED);
234 goto failure;
235
236 } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
237 size_tc > size_tc_limit && size_ts == 0) {
238 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
239 APPLAYER_PROTO_DETECTION_SKIPPED);
240 goto failure;
241
242 /* little data in ts direction, pp done, pm not done (max
243 * depth not reached), ts direction done, lots of data in
244 * tc direction. */
245 } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
246 !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
247 FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
248 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
249 APPLAYER_PROTO_DETECTION_SKIPPED);
250 goto failure;
251
252 /* little data in tc direction, pp done, pm not done (max
253 * depth not reached), tc direction done, lots of data in
254 * ts direction. */
255 } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
256 !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
257 FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
258 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
259 APPLAYER_PROTO_DETECTION_SKIPPED);
260 goto failure;
261 }
262 return;
263
264 failure:
265 DisableAppLayer(tv, f, p);
266 return;
267 }
268
TCPProtoDetectTriggerOpposingSide(ThreadVars * tv,TcpReassemblyThreadCtx * ra_ctx,Packet * p,TcpSession * ssn,TcpStream * stream)269 static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv,
270 TcpReassemblyThreadCtx *ra_ctx,
271 Packet *p, TcpSession *ssn, TcpStream *stream)
272 {
273 TcpStream *opposing_stream = NULL;
274 if (stream == &ssn->client) {
275 opposing_stream = &ssn->server;
276 } else {
277 opposing_stream = &ssn->client;
278 }
279
280 /* if the opposing side is not going to work, then
281 * we just have to give up. */
282 if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) {
283 SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set");
284 return -1;
285 }
286
287 enum StreamUpdateDir dir = StreamTcpInlineMode() ?
288 UPDATE_DIR_OPPOSING :
289 UPDATE_DIR_PACKET;
290 int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn,
291 opposing_stream, p, dir);
292 return ret;
293 }
294
295 /** \todo data const
296 * \retval int -1 error
297 * \retval int 0 ok
298 */
TCPProtoDetect(ThreadVars * tv,TcpReassemblyThreadCtx * ra_ctx,AppLayerThreadCtx * app_tctx,Packet * p,Flow * f,TcpSession * ssn,TcpStream ** stream,uint8_t * data,uint32_t data_len,uint8_t flags)299 static int TCPProtoDetect(ThreadVars *tv,
300 TcpReassemblyThreadCtx *ra_ctx, AppLayerThreadCtx *app_tctx,
301 Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream,
302 uint8_t *data, uint32_t data_len, uint8_t flags)
303 {
304 AppProto *alproto;
305 AppProto *alproto_otherdir;
306 int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
307
308 if (flags & STREAM_TOSERVER) {
309 alproto = &f->alproto_ts;
310 alproto_otherdir = &f->alproto_tc;
311 } else {
312 alproto = &f->alproto_tc;
313 alproto_otherdir = &f->alproto_ts;
314 }
315
316 SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len);
317 #ifdef PRINT
318 if (data_len > 0) {
319 printf("=> Init Stream Data (app layer) -- start %s%s\n",
320 flags & STREAM_TOCLIENT ? "toclient" : "",
321 flags & STREAM_TOSERVER ? "toserver" : "");
322 PrintRawDataFp(stdout, data, data_len);
323 printf("=> Init Stream Data -- end\n");
324 }
325 #endif
326
327 bool reverse_flow = false;
328 DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0);
329 PACKET_PROFILING_APP_PD_START(app_tctx);
330 *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx,
331 f, data, data_len,
332 IPPROTO_TCP, flags, &reverse_flow);
333 PACKET_PROFILING_APP_PD_END(app_tctx);
334 SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false");
335
336 if (*alproto != ALPROTO_UNKNOWN) {
337 if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) {
338 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
339 APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS);
340
341 if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
342 /* if we already invoked the parser, we go with that proto */
343 f->alproto = *alproto_otherdir;
344 } else {
345 /* no data sent to parser yet, we can still choose
346 * we're trusting the server more. */
347 if (flags & STREAM_TOCLIENT)
348 f->alproto = *alproto;
349 else
350 f->alproto = *alproto_otherdir;
351 }
352 } else {
353 f->alproto = *alproto;
354 }
355
356 StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
357 TcpSessionSetReassemblyDepth(ssn,
358 AppLayerParserGetStreamDepth(f));
359 FlagPacketFlow(p, f, flags);
360 /* if protocol detection indicated that we need to reverse
361 * the direction of the flow, do it now. We flip the flow,
362 * packet and the direction flags */
363 if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) {
364 SCLogDebug("reversing flow after proto detect told us so");
365 PacketSwap(p);
366 FlowSwap(f);
367 SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
368 if (*stream == &ssn->client) {
369 *stream = &ssn->server;
370 } else {
371 *stream = &ssn->client;
372 }
373 direction = 1 - direction;
374 }
375
376 /* account flow if we have both sides */
377 if (*alproto_otherdir != ALPROTO_UNKNOWN) {
378 AppLayerIncFlowCounter(tv, f);
379 }
380
381 /* if we have seen data from the other direction first, send
382 * data for that direction first to the parser. This shouldn't
383 * be an issue, since each stream processing happens
384 * independently of the other stream direction. At this point of
385 * call, you need to know that this function's already being
386 * called by the very same StreamReassembly() function that we
387 * will now call shortly for the opposing direction. */
388 if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) &&
389 !(flags & ssn->data_first_seen_dir))
390 {
391 SCLogDebug("protocol %s needs first data in other direction",
392 AppProtoToString(*alproto));
393
394 if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx,
395 p, ssn, *stream) != 0)
396 {
397 DisableAppLayer(tv, f, p);
398 SCReturnInt(-1);
399 }
400 if (FlowChangeProto(f)) {
401 /* We have the first data which requested a protocol change from P1 to P2
402 * even if it was not recognized at first as being P1
403 * As the second data was recognized as P1, the protocol did not change !
404 */
405 FlowUnsetChangeProtoFlag(f);
406 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
407 APPLAYER_UNEXPECTED_PROTOCOL);
408 }
409 }
410
411 /* if the parser operates such that it needs to see data from
412 * a particular direction first, we check if we have seen
413 * data from that direction first for the flow. IF it is not
414 * the same, we set an event and exit.
415 *
416 * \todo We need to figure out a more robust solution for this,
417 * as this can lead to easy evasion tactics, where the
418 * attackeer can first send some dummy data in the wrong
419 * direction first to mislead our proto detection process.
420 * While doing this we need to update the parsers as well,
421 * since the parsers must be robust to see such wrong
422 * direction data.
423 * Either ways the moment we see the
424 * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the
425 * flow, it shows something's fishy.
426 */
427 if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) {
428 uint8_t first_data_dir;
429 first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto);
430
431 if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
432 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
433 APPLAYER_WRONG_DIRECTION_FIRST_DATA);
434 DisableAppLayer(tv, f, p);
435 SCReturnInt(-1);
436 }
437 /* This can happen if the current direction is not the
438 * right direction, and the data from the other(also
439 * the right direction) direction is available to be sent
440 * to the app layer, but it is not ack'ed yet and hence
441 * the forced call to STreamTcpAppLayerReassemble still
442 * hasn't managed to send data from the other direction
443 * to the app layer. */
444 if (first_data_dir && !(first_data_dir & flags)) {
445 FlowCleanupAppLayer(f);
446 StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream);
447 FLOW_RESET_PP_DONE(f, flags);
448 FLOW_RESET_PM_DONE(f, flags);
449 FLOW_RESET_PE_DONE(f, flags);
450 SCReturnInt(-1);
451 }
452 }
453
454 /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
455 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
456
457 /* finally, invoke the parser */
458 PACKET_PROFILING_APP_START(app_tctx, f->alproto);
459 int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
460 flags, data, data_len);
461 PACKET_PROFILING_APP_END(app_tctx, f->alproto);
462 if (r < 0) {
463 SCReturnInt(-1);
464 } else if (r == 0) {
465 StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
466 }
467 } else {
468 /* if the ssn is midstream, we may end up with a case where the
469 * start of an HTTP request is missing. We won't detect HTTP based
470 * on the request. However, the reply is fine, so we detect
471 * HTTP anyway. This leads to passing the incomplete request to
472 * the htp parser.
473 *
474 * This has been observed, where the http parser then saw many
475 * bogus requests in the incomplete data.
476 *
477 * To counter this case, a midstream session MUST find it's
478 * protocol in the toserver direction. If not, we assume the
479 * start of the request/toserver is incomplete and no reliable
480 * detection and parsing is possible. So we give up.
481 */
482 if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) &&
483 !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK))
484 {
485 if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
486 SCLogDebug("midstream end pd %p", ssn);
487 /* midstream and toserver detection failed: give up */
488 DisableAppLayer(tv, f, p);
489 SCReturnInt(0);
490 }
491 }
492
493 if (*alproto_otherdir != ALPROTO_UNKNOWN) {
494 uint8_t first_data_dir;
495 first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir);
496
497 /* this would handle this test case -
498 * http parser which says it wants to see toserver data first only.
499 * tcp handshake
500 * toclient data first received. - RUBBISH DATA which
501 * we don't detect as http
502 * toserver data next sent - we detect this as http.
503 * at this stage we see that toclient is the first data seen
504 * for this session and we try and redetect the app protocol,
505 * but we are unable to detect the app protocol like before.
506 * But since we have managed to detect the protocol for the
507 * other direction as http, we try to use that. At this
508 * stage we check if the direction of this stream matches
509 * to that acceptable by the app parser. If it is not the
510 * acceptable direction we error out.
511 */
512 if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
513 (first_data_dir) && !(first_data_dir & flags))
514 {
515 DisableAppLayer(tv, f, p);
516 SCReturnInt(-1);
517 }
518
519 /* if protocol detection is marked done for our direction we
520 * pass our data on. We're only succeeded in finding one
521 * direction: the opposing stream
522 *
523 * If PD was not yet complete, we don't do anything.
524 */
525 if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) {
526 if (data_len > 0)
527 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
528
529 if (*alproto_otherdir != ALPROTO_FAILED) {
530 PACKET_PROFILING_APP_START(app_tctx, f->alproto);
531 int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
532 f->alproto, flags,
533 data, data_len);
534 PACKET_PROFILING_APP_END(app_tctx, f->alproto);
535 if (r == 0) {
536 StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
537 }
538
539 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
540 APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
541 TcpSessionSetReassemblyDepth(ssn,
542 AppLayerParserGetStreamDepth(f));
543
544 *alproto = *alproto_otherdir;
545 SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
546 p->pcap_cnt, *alproto, *alproto_otherdir, r);
547 if (r < 0) {
548 SCReturnInt(-1);
549 }
550 }
551 *alproto = ALPROTO_FAILED;
552 StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
553 AppLayerIncFlowCounter(tv, f);
554 FlagPacketFlow(p, f, flags);
555
556 }
557 } else {
558 /* both sides unknown, let's see if we need to give up */
559 if (FlowChangeProto(f)) {
560 /* TCPProtoDetectCheckBailConditions does not work well because
561 * size_tc from STREAM_RIGHT_EDGE is not reset to zero
562 * so, we set a lower limit to the data we inspect
563 * We could instead have set ssn->server.sb.stream_offset = 0;
564 */
565 if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) {
566 DisableAppLayer(tv, f, p);
567 }
568 } else {
569 TCPProtoDetectCheckBailConditions(tv, f, ssn, p);
570 }
571 }
572 }
573 SCReturnInt(0);
574 }
575
576 /** \brief handle TCP data for the app-layer.
577 *
578 * First run protocol detection and then when the protocol is known invoke
579 * the app layer parser.
580 *
581 * \param stream ptr-to-ptr to stream object. Might change if flow dir is
582 * reversed.
583 */
AppLayerHandleTCPData(ThreadVars * tv,TcpReassemblyThreadCtx * ra_ctx,Packet * p,Flow * f,TcpSession * ssn,TcpStream ** stream,uint8_t * data,uint32_t data_len,uint8_t flags)584 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
585 Packet *p, Flow *f,
586 TcpSession *ssn, TcpStream **stream,
587 uint8_t *data, uint32_t data_len,
588 uint8_t flags)
589 {
590 SCEnter();
591
592 DEBUG_ASSERT_FLOW_LOCKED(f);
593 DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX);
594
595 AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx;
596 AppProto alproto;
597 int r = 0;
598
599 SCLogDebug("data_len %u flags %02X", data_len, flags);
600 if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
601 SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
602 goto end;
603 }
604
605 const int direction = (flags & STREAM_TOSERVER) ? 0 : 1;
606
607 if (flags & STREAM_TOSERVER) {
608 alproto = f->alproto_ts;
609 } else {
610 alproto = f->alproto_tc;
611 }
612
613 /* If a gap notification, relay the notification on to the
614 * app-layer if known. */
615 if (flags & STREAM_GAP) {
616 if (alproto == ALPROTO_UNKNOWN) {
617 StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
618 SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
619 /* if the other side didn't already find the proto, we're done */
620 if (f->alproto == ALPROTO_UNKNOWN) {
621 goto failure;
622 }
623 }
624 if (FlowChangeProto(f)) {
625 FlowUnsetChangeProtoFlag(f);
626 SCLogDebug("Cannot handle gap while changing protocol");
627 goto failure;
628 }
629 PACKET_PROFILING_APP_START(app_tctx, f->alproto);
630 r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
631 flags, data, data_len);
632 PACKET_PROFILING_APP_END(app_tctx, f->alproto);
633 /* ignore parser result for gap */
634 StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
635 goto end;
636 }
637
638 /* if we don't know the proto yet and we have received a stream
639 * initializer message, we run proto detection.
640 * We receive 2 stream init msgs (one for each direction) but we
641 * only run the proto detection once. */
642 if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) {
643 DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f));
644 /* run protocol detection */
645 if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream,
646 data, data_len, flags) != 0) {
647 goto failure;
648 }
649 } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) {
650 SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig));
651 void *alstate_orig = f->alstate;
652 AppLayerParserState *alparser = f->alparser;
653 // we delay AppLayerParserStateCleanup because we may need previous parser state
654 AppLayerProtoDetectReset(f);
655 StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
656 StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
657 /* rerun protocol detection */
658 int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
659 if (f->alproto == ALPROTO_UNKNOWN) {
660 DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate);
661 // not enough data, revert AppLayerProtoDetectReset to rerun detection
662 f->alparser = alparser;
663 f->alproto = f->alproto_orig;
664 f->alproto_tc = f->alproto_orig;
665 f->alproto_ts = f->alproto_orig;
666 } else {
667 FlowUnsetChangeProtoFlag(f);
668 AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
669 if (alstate_orig == f->alstate) {
670 // we just freed it
671 f->alstate = NULL;
672 }
673 }
674 if (rd != 0) {
675 SCLogDebug("proto detect failure");
676 goto failure;
677 }
678 SCLogDebug("protocol change, old %s, new %s",
679 AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
680
681 if (f->alproto_expect != ALPROTO_UNKNOWN &&
682 f->alproto != f->alproto_expect)
683 {
684 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
685 APPLAYER_UNEXPECTED_PROTOCOL);
686
687 if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) {
688 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
689 APPLAYER_NO_TLS_AFTER_STARTTLS);
690
691 }
692 }
693 } else {
694 SCLogDebug("stream data (len %" PRIu32 " alproto "
695 "%"PRIu16" (flow %p)", data_len, f->alproto, f);
696 #ifdef PRINT
697 if (data_len > 0) {
698 printf("=> Stream Data (app layer) -- start %s%s\n",
699 flags & STREAM_TOCLIENT ? "toclient" : "",
700 flags & STREAM_TOSERVER ? "toserver" : "");
701 PrintRawDataFp(stdout, data, data_len);
702 printf("=> Stream Data -- end\n");
703 }
704 #endif
705 /* if we don't have a data object here we are not getting it
706 * a start msg should have gotten us one */
707 if (f->alproto != ALPROTO_UNKNOWN) {
708 PACKET_PROFILING_APP_START(app_tctx, f->alproto);
709 r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
710 flags, data, data_len);
711 PACKET_PROFILING_APP_END(app_tctx, f->alproto);
712 if (r == 0) {
713 StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
714 }
715 }
716 }
717
718 goto end;
719 failure:
720 r = -1;
721 end:
722 SCReturnInt(r);
723 }
724
725 /**
726 * \brief Handle a app layer UDP message
727 *
728 * If the protocol is yet unknown, the proto detection code is run first.
729 *
730 * \param dp_ctx Thread app layer detect context
731 * \param f *locked* flow
732 * \param p UDP packet
733 *
734 * \retval 0 ok
735 * \retval -1 error
736 */
AppLayerHandleUdp(ThreadVars * tv,AppLayerThreadCtx * tctx,Packet * p,Flow * f)737 int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f)
738 {
739 SCEnter();
740
741 if (f->alproto == ALPROTO_FAILED) {
742 SCReturnInt(0);
743 }
744
745 int r = 0;
746 uint8_t flags = 0;
747 if (p->flowflags & FLOW_PKT_TOSERVER) {
748 flags |= STREAM_TOSERVER;
749 } else {
750 flags |= STREAM_TOCLIENT;
751 }
752
753 AppLayerProfilingReset(tctx);
754
755 /* if the protocol is still unknown, run detection */
756 if (f->alproto == ALPROTO_UNKNOWN) {
757 SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
758 p->payload_len);
759
760 bool reverse_flow = false;
761 PACKET_PROFILING_APP_PD_START(tctx);
762 f->alproto = AppLayerProtoDetectGetProto(tctx->alpd_tctx,
763 f, p->payload, p->payload_len,
764 IPPROTO_UDP, flags, &reverse_flow);
765 PACKET_PROFILING_APP_PD_END(tctx);
766
767 if (f->alproto != ALPROTO_UNKNOWN) {
768 AppLayerIncFlowCounter(tv, f);
769
770 if (reverse_flow) {
771 SCLogDebug("reversing flow after proto detect told us so");
772 PacketSwap(p);
773 FlowSwap(f);
774 SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
775 }
776
777 PACKET_PROFILING_APP_START(tctx, f->alproto);
778 r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
779 flags, p->payload, p->payload_len);
780 PACKET_PROFILING_APP_END(tctx, f->alproto);
781 } else {
782 f->alproto = ALPROTO_FAILED;
783 AppLayerIncFlowCounter(tv, f);
784 SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
785 }
786 PACKET_PROFILING_APP_STORE(tctx, p);
787 /* we do only inspection in one direction, so flag both
788 * sides as done here */
789 FlagPacketFlow(p, f, STREAM_TOSERVER);
790 FlagPacketFlow(p, f, STREAM_TOCLIENT);
791 } else {
792 SCLogDebug("data (len %" PRIu32 " ), alproto "
793 "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f);
794
795 /* run the parser */
796 PACKET_PROFILING_APP_START(tctx, f->alproto);
797 r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
798 flags, p->payload, p->payload_len);
799 PACKET_PROFILING_APP_END(tctx, f->alproto);
800 PACKET_PROFILING_APP_STORE(tctx, p);
801 }
802
803 SCReturnInt(r);
804 }
805
806 /***** Utility *****/
807
AppLayerGetProtoByName(char * alproto_name)808 AppProto AppLayerGetProtoByName(char *alproto_name)
809 {
810 SCEnter();
811 AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name);
812 SCReturnCT(r, "AppProto");
813 }
814
AppLayerGetProtoName(AppProto alproto)815 const char *AppLayerGetProtoName(AppProto alproto)
816 {
817 SCEnter();
818 const char * r = AppLayerProtoDetectGetProtoName(alproto);
819 SCReturnCT(r, "char *");
820 }
821
AppLayerListSupportedProtocols(void)822 void AppLayerListSupportedProtocols(void)
823 {
824 SCEnter();
825
826 AppProto alproto;
827 AppProto alprotos[ALPROTO_MAX];
828
829 AppLayerProtoDetectSupportedAppProtocols(alprotos);
830
831 printf("=========Supported App Layer Protocols=========\n");
832 for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
833 if (alprotos[alproto] == 1)
834 printf("%s\n", AppLayerGetProtoName(alproto));
835 }
836
837 SCReturn;
838 }
839
840 /***** Setup/General Registration *****/
841
AppLayerSetup(void)842 int AppLayerSetup(void)
843 {
844 SCEnter();
845
846 AppLayerProtoDetectSetup();
847 AppLayerParserSetup();
848
849 AppLayerParserRegisterProtocolParsers();
850 AppLayerProtoDetectPrepareState();
851
852 AppLayerSetupCounters();
853
854 SCReturnInt(0);
855 }
856
AppLayerDeSetup(void)857 int AppLayerDeSetup(void)
858 {
859 SCEnter();
860
861 AppLayerProtoDetectDeSetup();
862 AppLayerParserDeSetup();
863
864 AppLayerDeSetupCounters();
865
866 SCReturnInt(0);
867 }
868
AppLayerGetCtxThread(ThreadVars * tv)869 AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv)
870 {
871 SCEnter();
872
873 AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx));
874 if (app_tctx == NULL)
875 goto error;
876 memset(app_tctx, 0, sizeof(*app_tctx));
877
878 if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL)
879 goto error;
880 if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL)
881 goto error;
882
883 goto done;
884 error:
885 AppLayerDestroyCtxThread(app_tctx);
886 app_tctx = NULL;
887 done:
888 SCReturnPtr(app_tctx, "void *");
889 }
890
AppLayerDestroyCtxThread(AppLayerThreadCtx * app_tctx)891 void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
892 {
893 SCEnter();
894
895 if (app_tctx == NULL)
896 SCReturn;
897
898 if (app_tctx->alpd_tctx != NULL)
899 AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx);
900 if (app_tctx->alp_tctx != NULL)
901 AppLayerParserThreadCtxFree(app_tctx->alp_tctx);
902 SCFree(app_tctx);
903
904 SCReturn;
905 }
906
AppLayerProfilingResetInternal(AppLayerThreadCtx * app_tctx)907 void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx)
908 {
909 PACKET_PROFILING_APP_RESET(app_tctx);
910 }
911
AppLayerProfilingStoreInternal(AppLayerThreadCtx * app_tctx,Packet * p)912 void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p)
913 {
914 PACKET_PROFILING_APP_STORE(app_tctx, p);
915 }
916
917 /** \brief HACK to work around our broken unix manager (re)init loop
918 */
AppLayerRegisterGlobalCounters(void)919 void AppLayerRegisterGlobalCounters(void)
920 {
921 StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter);
922 StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter);
923 StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter);
924 StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter);
925 StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter);
926 }
927
928 #define IPPROTOS_MAX 2
AppLayerSetupCounters()929 void AppLayerSetupCounters()
930 {
931 uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
932 uint8_t ipproto;
933 AppProto alproto;
934 AppProto alprotos[ALPROTO_MAX];
935 const char *str = "app_layer.flow.";
936
937 AppLayerProtoDetectSupportedAppProtocols(alprotos);
938
939 for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
940 uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
941 uint8_t other_ipproto = (ipprotos[ipproto] == IPPROTO_TCP) ? IPPROTO_UDP : IPPROTO_TCP;
942 const char *ipproto_suffix = (ipprotos[ipproto] == IPPROTO_TCP) ? "_tcp" : "_udp";
943
944 for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
945 if (alprotos[alproto] == 1) {
946 const char *tx_str = "app_layer.tx.";
947 const char *alproto_str = AppLayerGetProtoName(alproto);
948
949 if (AppLayerParserProtoIsRegistered(ipprotos[ipproto], alproto) &&
950 AppLayerParserProtoIsRegistered(other_ipproto, alproto))
951 {
952 snprintf(applayer_counter_names[ipproto_map][alproto].name,
953 sizeof(applayer_counter_names[ipproto_map][alproto].name),
954 "%s%s%s", str, alproto_str, ipproto_suffix);
955 snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
956 sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
957 "%s%s%s", tx_str, alproto_str, ipproto_suffix);
958 } else {
959 snprintf(applayer_counter_names[ipproto_map][alproto].name,
960 sizeof(applayer_counter_names[ipproto_map][alproto].name),
961 "%s%s", str, alproto_str);
962 snprintf(applayer_counter_names[ipproto_map][alproto].tx_name,
963 sizeof(applayer_counter_names[ipproto_map][alproto].tx_name),
964 "%s%s", tx_str, alproto_str);
965 }
966 } else if (alproto == ALPROTO_FAILED) {
967 snprintf(applayer_counter_names[ipproto_map][alproto].name,
968 sizeof(applayer_counter_names[ipproto_map][alproto].name),
969 "%s%s%s", str, "failed", ipproto_suffix);
970 }
971 }
972 }
973 }
974
AppLayerRegisterThreadCounters(ThreadVars * tv)975 void AppLayerRegisterThreadCounters(ThreadVars *tv)
976 {
977 uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
978 uint8_t ipproto;
979 AppProto alproto;
980 AppProto alprotos[ALPROTO_MAX];
981
982 AppLayerProtoDetectSupportedAppProtocols(alprotos);
983
984 for (ipproto = 0; ipproto < IPPROTOS_MAX; ipproto++) {
985 uint8_t ipproto_map = FlowGetProtoMapping(ipprotos[ipproto]);
986
987 for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
988 if (alprotos[alproto] == 1) {
989 applayer_counters[ipproto_map][alproto].counter_id =
990 StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
991
992 applayer_counters[ipproto_map][alproto].counter_tx_id =
993 StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv);
994 } else if (alproto == ALPROTO_FAILED) {
995 applayer_counters[ipproto_map][alproto].counter_id =
996 StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv);
997 }
998 }
999 }
1000 }
1001
AppLayerDeSetupCounters()1002 void AppLayerDeSetupCounters()
1003 {
1004 memset(applayer_counter_names, 0, sizeof(applayer_counter_names));
1005 memset(applayer_counters, 0, sizeof(applayer_counters));
1006 }
1007
1008 /***** Unittests *****/
1009
1010 #ifdef UNITTESTS
1011 #include "pkt-var.h"
1012 #include "stream-tcp.h"
1013 #include "stream-tcp-util.h"
1014 #include "stream.h"
1015 #include "util-unittest.h"
1016
1017 #define TEST_START \
1018 Packet *p = SCMalloc(SIZE_OF_PACKET);\
1019 FAIL_IF_NULL(p);\
1020 Flow f;\
1021 ThreadVars tv;\
1022 StreamTcpThread *stt = NULL;\
1023 TCPHdr tcph;\
1024 PacketQueueNoLock pq;\
1025 memset(&pq,0,sizeof(PacketQueueNoLock));\
1026 memset(p, 0, SIZE_OF_PACKET);\
1027 memset (&f, 0, sizeof(Flow));\
1028 memset(&tv, 0, sizeof (ThreadVars));\
1029 memset(&tcph, 0, sizeof (TCPHdr));\
1030 \
1031 FLOW_INITIALIZE(&f);\
1032 f.flags = FLOW_IPV4;\
1033 f.proto = IPPROTO_TCP;\
1034 p->flow = &f;\
1035 p->tcph = &tcph;\
1036 \
1037 StreamTcpInitConfig(TRUE);\
1038 IPPairInitConfig(TRUE); \
1039 StreamTcpThreadInit(&tv, NULL, (void **)&stt);\
1040 \
1041 /* handshake */\
1042 tcph.th_win = htons(5480);\
1043 tcph.th_flags = TH_SYN;\
1044 p->flowflags = FLOW_PKT_TOSERVER;\
1045 p->payload_len = 0;\
1046 p->payload = NULL;\
1047 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1048 TcpSession *ssn = (TcpSession *)f.protoctx;\
1049 \
1050 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1051 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1052 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1053 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1054 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1055 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1056 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1057 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1058 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1059 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1060 FAIL_IF(ssn->data_first_seen_dir != 0);\
1061 \
1062 /* handshake */\
1063 p->tcph->th_ack = htonl(1);\
1064 p->tcph->th_flags = TH_SYN | TH_ACK;\
1065 p->flowflags = FLOW_PKT_TOCLIENT;\
1066 p->payload_len = 0;\
1067 p->payload = NULL;\
1068 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1069 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1070 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1071 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1072 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1073 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1074 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1075 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1076 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1077 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1078 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1079 FAIL_IF(ssn->data_first_seen_dir != 0);\
1080 \
1081 /* handshake */\
1082 p->tcph->th_ack = htonl(1);\
1083 p->tcph->th_seq = htonl(1);\
1084 p->tcph->th_flags = TH_ACK;\
1085 p->flowflags = FLOW_PKT_TOSERVER;\
1086 p->payload_len = 0;\
1087 p->payload = NULL;\
1088 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);\
1089 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));\
1090 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));\
1091 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);\
1092 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);\
1093 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);\
1094 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);\
1095 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));\
1096 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));\
1097 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));\
1098 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));\
1099 FAIL_IF(ssn->data_first_seen_dir != 0);
1100 #define TEST_END \
1101 StreamTcpSessionClear(p->flow->protoctx);\
1102 StreamTcpThreadDeinit(&tv, (void *)stt); \
1103 StreamTcpFreeConfig(TRUE);\
1104 PACKET_DESTRUCTOR(p);\
1105 SCFree(p);\
1106 FLOW_DESTROY(&f); \
1107 StatsThreadCleanup(&tv);
1108
1109 /**
1110 * \test GET -> HTTP/1.1
1111 */
AppLayerTest01(void)1112 static int AppLayerTest01(void)
1113 {
1114 TEST_START;
1115
1116 /* full request */
1117 uint8_t request[] = {
1118 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1119 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1120 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1121 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1122 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1123 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1124 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1125 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1126 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1127 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1128 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1129 p->tcph->th_ack = htonl(1);
1130 p->tcph->th_seq = htonl(1);
1131 p->tcph->th_flags = TH_PUSH | TH_ACK;
1132 p->flowflags = FLOW_PKT_TOSERVER;
1133 p->payload_len = sizeof(request);
1134 p->payload = request;
1135 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1136 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1137 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1138 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1139 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1140 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1141 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1142 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1143 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1144 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1145 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1146 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1147
1148 /* full response - request ack */
1149 uint8_t response[] = {
1150 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1151 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1152 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1153 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1154 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1155 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1156 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1157 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1158 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1159 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1160 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1161 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1162 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1163 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1164 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1165 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1166 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1167 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1168 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1169 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1170 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1171 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1172 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1173 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1174 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1175 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1176 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1177 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1178 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1179 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1180 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1181 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1182 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1183 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1184 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1185 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1186 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1187 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1188 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1189 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1190 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1191 p->tcph->th_ack = htonl(88);
1192 p->tcph->th_seq = htonl(1);
1193 p->tcph->th_flags = TH_PUSH | TH_ACK;
1194 p->flowflags = FLOW_PKT_TOCLIENT;
1195 p->payload_len = sizeof(response);
1196 p->payload = response;
1197 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1198 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1199 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1200 FAIL_IF(f.alproto != ALPROTO_HTTP);
1201 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1202 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1203 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1204 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1205 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1206 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1207 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1208 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1209
1210 /* response ack */
1211 p->tcph->th_ack = htonl(328);
1212 p->tcph->th_seq = htonl(88);
1213 p->tcph->th_flags = TH_ACK;
1214 p->flowflags = FLOW_PKT_TOSERVER;
1215 p->payload_len = 0;
1216 p->payload = NULL;
1217 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1218 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1219 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1220 FAIL_IF(f.alproto != ALPROTO_HTTP);
1221 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1222 FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1223 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1224 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1225 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1226 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1227 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1228 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1229
1230 TEST_END;
1231 PASS;
1232 }
1233
1234 /**
1235 * \test GE -> T -> HTTP/1.1
1236 */
AppLayerTest02(void)1237 static int AppLayerTest02(void)
1238 {
1239 TEST_START;
1240
1241 /* partial request */
1242 uint8_t request1[] = { 0x47, 0x45, };
1243 p->tcph->th_ack = htonl(1);
1244 p->tcph->th_seq = htonl(1);
1245 p->tcph->th_flags = TH_PUSH | TH_ACK;
1246 p->flowflags = FLOW_PKT_TOSERVER;
1247 p->payload_len = sizeof(request1);
1248 p->payload = request1;
1249 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1250 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1251 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1252 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1253 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1254 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1255 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1256 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1257 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1258 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1259 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1260 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1261
1262 /* response ack against partial request */
1263 p->tcph->th_ack = htonl(3);
1264 p->tcph->th_seq = htonl(1);
1265 p->tcph->th_flags = TH_ACK;
1266 p->flowflags = FLOW_PKT_TOCLIENT;
1267 p->payload_len = 0;
1268 p->payload = NULL;
1269 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1270 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1271 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1272 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1273 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1274 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1275 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1276 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1277 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1278 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1279 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1280 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1281
1282 /* complete partial request */
1283 uint8_t request2[] = {
1284 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1285 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1286 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1287 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1288 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1289 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1290 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1291 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1292 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1293 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1294 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1295 p->tcph->th_ack = htonl(1);
1296 p->tcph->th_seq = htonl(3);
1297 p->tcph->th_flags = TH_PUSH | TH_ACK;
1298 p->flowflags = FLOW_PKT_TOSERVER;
1299 p->payload_len = sizeof(request2);
1300 p->payload = request2;
1301 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1302 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1303 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1304 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1305 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1306 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1307 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1308 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1309 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1310 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1311 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1312 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1313
1314 /* response - request ack */
1315 uint8_t response[] = {
1316 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1317 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1318 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1319 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1320 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1321 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1322 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1323 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1324 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1325 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1326 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1327 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1328 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1329 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1330 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1331 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1332 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1333 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1334 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1335 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1336 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1337 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1338 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1339 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1340 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1341 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1342 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1343 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1344 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1345 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1346 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1347 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1348 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1349 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1350 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1351 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1352 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1353 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1354 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1355 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1356 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1357 p->tcph->th_ack = htonl(88);
1358 p->tcph->th_seq = htonl(1);
1359 p->tcph->th_flags = TH_PUSH | TH_ACK;
1360 p->flowflags = FLOW_PKT_TOCLIENT;
1361 p->payload_len = sizeof(response);
1362 p->payload = response;
1363 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1364 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1365 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1366 FAIL_IF(f.alproto != ALPROTO_HTTP);
1367 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1368 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1369 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1370 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1371 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1372 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1373 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1374 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1375
1376 /* response ack */
1377 p->tcph->th_ack = htonl(328);
1378 p->tcph->th_seq = htonl(88);
1379 p->tcph->th_flags = TH_ACK;
1380 p->flowflags = FLOW_PKT_TOSERVER;
1381 p->payload_len = 0;
1382 p->payload = NULL;
1383 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1384 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1385 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1386 FAIL_IF(f.alproto != ALPROTO_HTTP);
1387 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1388 FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1389 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1390 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1391 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1392 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1393 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1394 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1395
1396 TEST_END;
1397 PASS;
1398 }
1399
1400 /**
1401 * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO)
1402 */
AppLayerTest03(void)1403 static int AppLayerTest03(void)
1404 {
1405 TEST_START;
1406
1407 /* request */
1408 uint8_t request[] = {
1409 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1410 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1411 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1412 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1413 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1414 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1415 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1416 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1417 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1418 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1419 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1420 p->tcph->th_ack = htonl(1);
1421 p->tcph->th_seq = htonl(1);
1422 p->tcph->th_flags = TH_PUSH | TH_ACK;
1423 p->flowflags = FLOW_PKT_TOSERVER;
1424 p->payload_len = sizeof(request);
1425 p->payload = request;
1426 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1427 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1428 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1429 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1430 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1431 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1432 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1433 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1434 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1435 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1436 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1437 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1438
1439 /* rubbish response */
1440 uint8_t response[] = {
1441 0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1442 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1443 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1444 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1445 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1446 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1447 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1448 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1449 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1450 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1451 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1452 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1453 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1454 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1455 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1456 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1457 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1458 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1459 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1460 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1461 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1462 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1463 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1464 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1465 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1466 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1467 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1468 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1469 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1470 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1471 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1472 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1473 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1474 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1475 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1476 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1477 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1478 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1479 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1480 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1481 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1482 p->tcph->th_ack = htonl(88);
1483 p->tcph->th_seq = htonl(1);
1484 p->tcph->th_flags = TH_PUSH | TH_ACK;
1485 p->flowflags = FLOW_PKT_TOCLIENT;
1486 p->payload_len = sizeof(response);
1487 p->payload = response;
1488 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1489 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1490 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1491 FAIL_IF(f.alproto != ALPROTO_HTTP);
1492 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1493 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1494 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1495 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1496 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1497 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1498 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1499 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1500
1501 /* response ack */
1502 p->tcph->th_ack = htonl(328);
1503 p->tcph->th_seq = htonl(88);
1504 p->tcph->th_flags = TH_ACK;
1505 p->flowflags = FLOW_PKT_TOSERVER;
1506 p->payload_len = 0;
1507 p->payload = NULL;
1508 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1509 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1510 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1511 FAIL_IF(f.alproto != ALPROTO_HTTP);
1512 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1513 FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
1514 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1515 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1516 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1517 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1518 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1519 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1520
1521 TEST_END;
1522 PASS;
1523 }
1524
1525 /**
1526 * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
1527 */
AppLayerTest04(void)1528 static int AppLayerTest04(void)
1529 {
1530 TEST_START;
1531
1532 /* request */
1533 uint8_t request[] = {
1534 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1535 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1536 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1537 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1538 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1539 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1540 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1541 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1542 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1543 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1544 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1545 PrintRawDataFp(stdout, request, sizeof(request));
1546 p->tcph->th_ack = htonl(1);
1547 p->tcph->th_seq = htonl(1);
1548 p->tcph->th_flags = TH_PUSH | TH_ACK;
1549 p->flowflags = FLOW_PKT_TOSERVER;
1550 p->payload_len = sizeof(request);
1551 p->payload = request;
1552 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1553 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1554 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1555 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1556 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1557 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1558 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1559 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1560 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1561 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1562 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1563 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen
1564
1565 /* partial response */
1566 uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, };
1567 PrintRawDataFp(stdout, response1, sizeof(response1));
1568 p->tcph->th_ack = htonl(88);
1569 p->tcph->th_seq = htonl(1);
1570 p->tcph->th_flags = TH_PUSH | TH_ACK;
1571 p->flowflags = FLOW_PKT_TOCLIENT;
1572 p->payload_len = sizeof(response1);
1573 p->payload = response1;
1574 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1575 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1576 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1577 FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1578 FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1579 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1580 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1581 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1582 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1583 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1584 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1585 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1586
1587 /* partial response ack */
1588 p->tcph->th_ack = htonl(5);
1589 p->tcph->th_seq = htonl(88);
1590 p->tcph->th_flags = TH_ACK;
1591 p->flowflags = FLOW_PKT_TOSERVER;
1592 p->payload_len = 0;
1593 p->payload = NULL;
1594 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1595 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1596 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1597 FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1598 FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1599 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1600 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1601 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1602 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1603 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1604 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1605 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1606
1607 /* remaining response */
1608 uint8_t response2[] = {
1609 0x2f, 0x31, 0x2e, 0x31,
1610 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1611 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1612 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1613 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1614 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1615 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1616 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1617 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1618 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1619 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1620 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1621 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1622 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1623 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1624 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1625 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1626 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1627 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1628 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1629 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1630 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1631 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1632 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1633 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1634 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1635 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1636 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1637 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1638 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1639 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1640 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1641 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1642 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1643 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1644 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1645 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1646 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1647 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1648 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1649 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1650 PrintRawDataFp(stdout, response2, sizeof(response2));
1651 p->tcph->th_ack = htonl(88);
1652 p->tcph->th_seq = htonl(5);
1653 p->tcph->th_flags = TH_PUSH | TH_ACK;
1654 p->flowflags = FLOW_PKT_TOCLIENT;
1655 p->payload_len = sizeof(response2);
1656 p->payload = response2;
1657 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1658 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1659 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1660 FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1661 FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1662 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1663 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1664 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1665 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1666 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1667 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1668 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1669
1670 /* response ack */
1671 p->tcph->th_ack = htonl(328);
1672 p->tcph->th_seq = htonl(88);
1673 p->tcph->th_flags = TH_ACK;
1674 p->flowflags = FLOW_PKT_TOSERVER;
1675 p->payload_len = 0;
1676 p->payload = NULL;
1677 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1678 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed)
1679 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete
1680 FAIL_IF(f.alproto != ALPROTO_HTTP); // http based on ts
1681 FAIL_IF(f.alproto_ts != ALPROTO_HTTP); // ts complete
1682 FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed
1683 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1684 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1685 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1686 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1687 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing
1688 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer
1689
1690 TEST_END;
1691 PASS;
1692 }
1693
1694 /**
1695 * \test RUBBISH -> HTTP/1.1
1696 */
AppLayerTest05(void)1697 static int AppLayerTest05(void)
1698 {
1699 TEST_START;
1700
1701 /* full request */
1702 uint8_t request[] = {
1703 0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1704 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1705 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1706 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1707 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1708 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1709 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1710 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1711 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1712 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1713 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1714 PrintRawDataFp(stdout, request, sizeof(request));
1715 p->tcph->th_ack = htonl(1);
1716 p->tcph->th_seq = htonl(1);
1717 p->tcph->th_flags = TH_PUSH | TH_ACK;
1718 p->flowflags = FLOW_PKT_TOSERVER;
1719 p->payload_len = sizeof(request);
1720 p->payload = request;
1721 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1722 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1723 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1724 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1725 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1726 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1727 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1728 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1729 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1730 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1731 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1732 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1733
1734 /* full response - request ack */
1735 uint8_t response[] = {
1736 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1737 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1738 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1739 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1740 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1741 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1742 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1743 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1744 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1745 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1746 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1747 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1748 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1749 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1750 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1751 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1752 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1753 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1754 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1755 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1756 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1757 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1758 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1759 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1760 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1761 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1762 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1763 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1764 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1765 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1766 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1767 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1768 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1769 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1770 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1771 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1772 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1773 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1774 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1775 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1776 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1777 PrintRawDataFp(stdout, response, sizeof(response));
1778 p->tcph->th_ack = htonl(88);
1779 p->tcph->th_seq = htonl(1);
1780 p->tcph->th_flags = TH_PUSH | TH_ACK;
1781 p->flowflags = FLOW_PKT_TOCLIENT;
1782 p->payload_len = sizeof(response);
1783 p->payload = response;
1784 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1785 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1786 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1787 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1788 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1789 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1790 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1791 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1792 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1793 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1794 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1795 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1796
1797 /* response ack */
1798 p->tcph->th_ack = htonl(328);
1799 p->tcph->th_seq = htonl(88);
1800 p->tcph->th_flags = TH_ACK;
1801 p->flowflags = FLOW_PKT_TOSERVER;
1802 p->payload_len = 0;
1803 p->payload = NULL;
1804 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1805 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1806 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1807 FAIL_IF(f.alproto != ALPROTO_HTTP);
1808 FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
1809 FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1810 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1811 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1812 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1813 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1814 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1815 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1816
1817 TEST_END;
1818 PASS;
1819 }
1820
1821 /**
1822 * \test HTTP/1.1 -> GET
1823 */
AppLayerTest06(void)1824 static int AppLayerTest06(void)
1825 {
1826 TEST_START;
1827
1828 /* full response - request ack */
1829 uint8_t response[] = {
1830 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
1831 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1832 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1833 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1834 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1835 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1836 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1837 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1838 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1839 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1840 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1841 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1842 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1843 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
1844 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
1845 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
1846 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
1847 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
1848 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
1849 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
1850 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
1851 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
1852 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
1853 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
1854 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
1855 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
1856 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
1857 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
1858 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
1859 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
1860 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
1861 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
1862 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
1863 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
1864 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
1865 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
1866 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
1867 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
1868 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
1869 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
1870 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
1871 p->tcph->th_ack = htonl(1);
1872 p->tcph->th_seq = htonl(1);
1873 p->tcph->th_flags = TH_PUSH | TH_ACK;
1874 p->flowflags = FLOW_PKT_TOCLIENT;
1875 p->payload_len = sizeof(response);
1876 p->payload = response;
1877 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1878 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1879 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1880 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1881 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1882 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1883 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1884 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1885 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1886 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1887 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1888 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT);
1889
1890 /* full request - response ack*/
1891 uint8_t request[] = {
1892 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1893 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1894 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1895 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1896 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1897 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1898 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1899 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1900 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1901 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1902 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1903 p->tcph->th_ack = htonl(328);
1904 p->tcph->th_seq = htonl(1);
1905 p->tcph->th_flags = TH_PUSH | TH_ACK;
1906 p->flowflags = FLOW_PKT_TOSERVER;
1907 p->payload_len = sizeof(request);
1908 p->payload = request;
1909 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1910 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1911 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1912 FAIL_IF(f.alproto != ALPROTO_HTTP);
1913 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1914 FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1915 FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1916 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1917 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1918 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1919 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1920 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1921
1922 p->tcph->th_ack = htonl(1 + sizeof(request));
1923 p->tcph->th_seq = htonl(328);
1924 p->tcph->th_flags = TH_PUSH | TH_ACK;
1925 p->flowflags = FLOW_PKT_TOCLIENT;
1926 p->payload_len = 0;
1927 p->payload = NULL;
1928 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1929 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1930 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1931 FAIL_IF(f.alproto != ALPROTO_HTTP);
1932 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
1933 FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
1934 FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
1935 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1936 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1937 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1938 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1939 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
1940
1941 TEST_END;
1942 PASS;
1943 }
1944
1945 /**
1946 * \test GET -> DCERPC
1947 */
AppLayerTest07(void)1948 static int AppLayerTest07(void)
1949 {
1950 TEST_START;
1951
1952 /* full request */
1953 uint8_t request[] = {
1954 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
1955 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
1956 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
1957 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
1958 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
1959 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
1960 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
1961 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
1962 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
1963 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
1964 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
1965 p->tcph->th_ack = htonl(1);
1966 p->tcph->th_seq = htonl(1);
1967 p->tcph->th_flags = TH_PUSH | TH_ACK;
1968 p->flowflags = FLOW_PKT_TOSERVER;
1969 p->payload_len = sizeof(request);
1970 p->payload = request;
1971 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
1972 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
1973 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
1974 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
1975 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
1976 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
1977 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
1978 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
1979 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
1980 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
1981 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
1982 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
1983
1984 /* full response - request ack */
1985 uint8_t response[] = {
1986 0x05, 0x00, 0x4d, 0x42, 0x2f, 0x31, 0x2e, 0x31,
1987 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
1988 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
1989 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
1990 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
1991 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
1992 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
1993 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
1994 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
1995 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
1996 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
1997 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
1998 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
1999 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2000 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2001 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2002 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2003 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2004 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2005 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2006 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2007 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2008 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2009 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2010 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2011 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2012 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2013 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2014 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2015 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2016 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2017 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2018 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2019 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2020 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2021 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2022 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2023 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2024 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2025 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2026 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2027 p->tcph->th_ack = htonl(88);
2028 p->tcph->th_seq = htonl(1);
2029 p->tcph->th_flags = TH_PUSH | TH_ACK;
2030 p->flowflags = FLOW_PKT_TOCLIENT;
2031 p->payload_len = sizeof(response);
2032 p->payload = response;
2033 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2034 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2035 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2036 FAIL_IF(f.alproto != ALPROTO_HTTP);
2037 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
2038 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2039 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2040 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2041 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2042 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2043 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2044 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2045
2046 /* response ack */
2047 p->tcph->th_ack = htonl(328);
2048 p->tcph->th_seq = htonl(88);
2049 p->tcph->th_flags = TH_ACK;
2050 p->flowflags = FLOW_PKT_TOSERVER;
2051 p->payload_len = 0;
2052 p->payload = NULL;
2053 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2054 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2055 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2056 FAIL_IF(f.alproto != ALPROTO_HTTP);
2057 FAIL_IF(f.alproto_ts != ALPROTO_HTTP);
2058 FAIL_IF(f.alproto_tc != ALPROTO_DCERPC);
2059 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2060 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2061 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2062 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2063 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2064 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2065
2066 TEST_END;
2067 PASS;
2068 }
2069
2070 /**
2071 * \test SMB -> HTTP/1.1
2072 */
AppLayerTest08(void)2073 static int AppLayerTest08(void)
2074 {
2075 TEST_START;
2076
2077 /* full request */
2078 uint8_t request[] = {
2079 0x05, 0x00, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2080 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20,
2081 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30,
2082 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20,
2083 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
2084 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2085 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41,
2086 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e,
2087 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a,
2088 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20,
2089 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a };
2090 p->tcph->th_ack = htonl(1);
2091 p->tcph->th_seq = htonl(1);
2092 p->tcph->th_flags = TH_PUSH | TH_ACK;
2093 p->flowflags = FLOW_PKT_TOSERVER;
2094 p->payload_len = sizeof(request);
2095 p->payload = request;
2096 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2097 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2098 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2099 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2100 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2101 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2102 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2103 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2104 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2105 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2106 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2107 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2108
2109 /* full response - request ack */
2110 uint8_t response[] = {
2111 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2112 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2113 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2114 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2115 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2116 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2117 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2118 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2119 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2120 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2121 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2122 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2123 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2124 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2125 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2126 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2127 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2128 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2129 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2130 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2131 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2132 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2133 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2134 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2135 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2136 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2137 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2138 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2139 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2140 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2141 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2142 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2143 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2144 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2145 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2146 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2147 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2148 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2149 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2150 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2151 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2152 p->tcph->th_ack = htonl(88);
2153 p->tcph->th_seq = htonl(1);
2154 p->tcph->th_flags = TH_PUSH | TH_ACK;
2155 p->flowflags = FLOW_PKT_TOCLIENT;
2156 p->payload_len = sizeof(response);
2157 p->payload = response;
2158 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2159 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2160 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2161 FAIL_IF(f.alproto != ALPROTO_DCERPC);
2162 FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2163 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2164 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2165 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2166 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2167 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2168 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2169 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2170
2171 /* response ack */
2172 p->tcph->th_ack = htonl(328);
2173 p->tcph->th_seq = htonl(88);
2174 p->tcph->th_flags = TH_ACK;
2175 p->flowflags = FLOW_PKT_TOSERVER;
2176 p->payload_len = 0;
2177 p->payload = NULL;
2178 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2179 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2180 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2181 FAIL_IF(f.alproto != ALPROTO_DCERPC);
2182 FAIL_IF(f.alproto_ts != ALPROTO_DCERPC);
2183 FAIL_IF(f.alproto_tc != ALPROTO_HTTP);
2184 FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2185 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2186 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2187 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2188 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2189 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2190
2191 TEST_END;
2192 PASS;
2193 }
2194
2195 /**
2196 * \test RUBBISH(TC - PM and PP NOT DONE) ->
2197 * RUBBISH(TC - PM and PP DONE) ->
2198 * RUBBISH(TS - PM and PP DONE)
2199 */
AppLayerTest09(void)2200 static int AppLayerTest09(void)
2201 {
2202 TEST_START;
2203
2204 /* full request */
2205 uint8_t request1[] = {
2206 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 };
2207 p->tcph->th_ack = htonl(1);
2208 p->tcph->th_seq = htonl(1);
2209 p->tcph->th_flags = TH_PUSH | TH_ACK;
2210 p->flowflags = FLOW_PKT_TOSERVER;
2211 p->payload_len = sizeof(request1);
2212 p->payload = request1;
2213 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2214 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2215 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2216 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2217 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2218 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2219 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2220 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2221 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2222 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2223 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2224 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2225
2226 /* response - request ack */
2227 p->tcph->th_ack = htonl(9);
2228 p->tcph->th_seq = htonl(1);
2229 p->tcph->th_flags = TH_PUSH | TH_ACK;
2230 p->flowflags = FLOW_PKT_TOCLIENT;
2231 p->payload_len = 0;
2232 p->payload = NULL;
2233 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2234 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2235 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2236 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2237 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2238 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2239 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2240 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2241 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2242 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2243 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2244 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2245
2246 /* full request */
2247 uint8_t request2[] = {
2248 0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2249 p->tcph->th_ack = htonl(1);
2250 p->tcph->th_seq = htonl(9);
2251 p->tcph->th_flags = TH_PUSH | TH_ACK;
2252 p->flowflags = FLOW_PKT_TOSERVER;
2253 p->payload_len = sizeof(request2);
2254 p->payload = request2;
2255 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2256 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2257 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2258 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2259 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2260 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2261 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2262 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2263 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2264 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2265 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2266 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2267
2268 /* full response - request ack */
2269 uint8_t response[] = {
2270 0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2271 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2272 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2273 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2274 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2275 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2276 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2277 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2278 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2279 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2280 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2281 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2282 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2283 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2284 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2285 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2286 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2287 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2288 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2289 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2290 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2291 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2292 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2293 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2294 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2295 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2296 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2297 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2298 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2299 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2300 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2301 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2302 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2303 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2304 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2305 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2306 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2307 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2308 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2309 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2310 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2311 p->tcph->th_ack = htonl(18);
2312 p->tcph->th_seq = htonl(1);
2313 p->tcph->th_flags = TH_PUSH | TH_ACK;
2314 p->flowflags = FLOW_PKT_TOCLIENT;
2315 p->payload_len = sizeof(response);
2316 p->payload = response;
2317 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2318 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2319 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2320 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2321 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2322 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2323 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2324 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2325 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2326 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2327 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2328 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2329
2330 /* response ack */
2331 p->tcph->th_ack = htonl(328);
2332 p->tcph->th_seq = htonl(18);
2333 p->tcph->th_flags = TH_ACK;
2334 p->flowflags = FLOW_PKT_TOSERVER;
2335 p->payload_len = 0;
2336 p->payload = NULL;
2337 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2338 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2339 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2340 FAIL_IF(f.alproto != ALPROTO_FAILED);
2341 FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2342 FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2343 FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2344 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2345 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2346 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2347 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2348 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2349
2350 TEST_END;
2351 PASS;
2352 }
2353
2354 /**
2355 * \test RUBBISH(TC - PM and PP DONE) ->
2356 * RUBBISH(TS - PM and PP DONE)
2357 */
AppLayerTest10(void)2358 static int AppLayerTest10(void)
2359 {
2360 TEST_START;
2361
2362 /* full request */
2363 uint8_t request1[] = {
2364 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2365 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2366 p->tcph->th_ack = htonl(1);
2367 p->tcph->th_seq = htonl(1);
2368 p->tcph->th_flags = TH_PUSH | TH_ACK;
2369 p->flowflags = FLOW_PKT_TOSERVER;
2370 p->payload_len = sizeof(request1);
2371 p->payload = request1;
2372 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2373 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2374 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2375 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2376 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2377 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2378 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2379 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2380 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2381 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2382 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2383 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2384
2385 /* response - request ack */
2386 p->tcph->th_ack = htonl(18);
2387 p->tcph->th_seq = htonl(1);
2388 p->tcph->th_flags = TH_PUSH | TH_ACK;
2389 p->flowflags = FLOW_PKT_TOCLIENT;
2390 p->payload_len = 0;
2391 p->payload = NULL;
2392 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2393 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2394 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2395 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2396 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2397 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2398 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2399 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2400 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2401 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2402 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2403 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2404
2405 /* full response - request ack */
2406 uint8_t response[] = {
2407 0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
2408 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2409 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2410 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2411 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2412 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2413 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2414 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2415 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2416 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2417 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2418 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2419 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2420 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2421 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2422 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2423 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2424 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2425 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2426 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2427 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2428 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2429 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2430 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2431 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2432 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2433 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2434 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2435 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2436 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2437 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2438 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2439 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2440 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2441 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2442 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2443 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2444 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2445 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2446 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2447 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2448 p->tcph->th_ack = htonl(18);
2449 p->tcph->th_seq = htonl(1);
2450 p->tcph->th_flags = TH_PUSH | TH_ACK;
2451 p->flowflags = FLOW_PKT_TOCLIENT;
2452 p->payload_len = sizeof(response);
2453 p->payload = response;
2454 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2455 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2456 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2457 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2458 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2459 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2460 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2461 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2462 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2463 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2464 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2465 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2466
2467 /* response ack */
2468 p->tcph->th_ack = htonl(328);
2469 p->tcph->th_seq = htonl(18);
2470 p->tcph->th_flags = TH_ACK;
2471 p->flowflags = FLOW_PKT_TOSERVER;
2472 p->payload_len = 0;
2473 p->payload = NULL;
2474 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2475 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2476 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2477 FAIL_IF(f.alproto != ALPROTO_FAILED);
2478 FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2479 FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2480 FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2481 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2482 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2483 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2484 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2485 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2486
2487 TEST_END;
2488 PASS;
2489 }
2490
2491 /**
2492 * \test RUBBISH(TC - PM and PP DONE) ->
2493 * RUBBISH(TS - PM and PP NOT DONE) ->
2494 * RUBBISH(TS - PM and PP DONE)
2495 */
AppLayerTest11(void)2496 static int AppLayerTest11(void)
2497 {
2498 TEST_START;
2499
2500 /* full request */
2501 uint8_t request1[] = {
2502 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64,
2503 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff };
2504 p->tcph->th_ack = htonl(1);
2505 p->tcph->th_seq = htonl(1);
2506 p->tcph->th_flags = TH_PUSH | TH_ACK;
2507 p->flowflags = FLOW_PKT_TOSERVER;
2508 p->payload_len = sizeof(request1);
2509 p->payload = request1;
2510 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2511 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2512 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2513 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2514 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2515 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2516 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2517 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2518 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2519 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2520 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2521 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2522
2523 /* response - request ack */
2524 p->tcph->th_ack = htonl(18);
2525 p->tcph->th_seq = htonl(1);
2526 p->tcph->th_flags = TH_PUSH | TH_ACK;
2527 p->flowflags = FLOW_PKT_TOCLIENT;
2528 p->payload_len = 0;
2529 p->payload = NULL;
2530 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2531 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2532 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2533 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2534 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2535 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2536 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2537 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2538 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2539 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2540 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2541 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2542
2543 /* full response - request ack */
2544 uint8_t response1[] = {
2545 0x55, 0x74, 0x54, 0x50, };
2546 p->tcph->th_ack = htonl(18);
2547 p->tcph->th_seq = htonl(1);
2548 p->tcph->th_flags = TH_PUSH | TH_ACK;
2549 p->flowflags = FLOW_PKT_TOCLIENT;
2550 p->payload_len = sizeof(response1);
2551 p->payload = response1;
2552 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2553 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2554 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2555 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2556 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2557 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2558 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2559 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2560 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2561 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2562 FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2563 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2564
2565 /* response ack from request */
2566 p->tcph->th_ack = htonl(5);
2567 p->tcph->th_seq = htonl(18);
2568 p->tcph->th_flags = TH_ACK;
2569 p->flowflags = FLOW_PKT_TOSERVER;
2570 p->payload_len = 0;
2571 p->payload = NULL;
2572 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2573 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2574 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2575 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2576 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2577 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2578 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2579 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2580 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2581 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2582 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2583 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2584
2585 uint8_t response2[] = {
2586 0x2f, 0x31, 0x2e, 0x31,
2587 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
2588 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46,
2589 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53,
2590 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20,
2591 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39,
2592 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65,
2593 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70,
2594 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32,
2595 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69,
2596 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32,
2597 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d,
2598 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a,
2599 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34,
2600 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31,
2601 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a,
2602 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a,
2603 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61,
2604 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63,
2605 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61,
2606 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d,
2607 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d,
2608 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20,
2609 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43,
2610 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c,
2611 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34,
2612 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
2613 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63,
2614 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f,
2615 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79,
2616 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74,
2617 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58,
2618 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76,
2619 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77,
2620 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d,
2621 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c,
2622 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c,
2623 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f,
2624 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31,
2625 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e,
2626 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e };
2627 p->tcph->th_ack = htonl(18);
2628 p->tcph->th_seq = htonl(5);
2629 p->tcph->th_flags = TH_PUSH | TH_ACK;
2630 p->flowflags = FLOW_PKT_TOCLIENT;
2631 p->payload_len = sizeof(response2);
2632 p->payload = response2;
2633 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2634 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2635 FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2636 FAIL_IF(f.alproto != ALPROTO_UNKNOWN);
2637 FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN);
2638 FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN);
2639 FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
2640 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2641 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2642 FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2643 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2644 FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER);
2645
2646 /* response ack from request */
2647 p->tcph->th_ack = htonl(328);
2648 p->tcph->th_seq = htonl(18);
2649 p->tcph->th_flags = TH_ACK;
2650 p->flowflags = FLOW_PKT_TOSERVER;
2651 p->payload_len = 0;
2652 p->payload = NULL;
2653 FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1);
2654 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server));
2655 FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client));
2656 FAIL_IF(f.alproto != ALPROTO_FAILED);
2657 FAIL_IF(f.alproto_ts != ALPROTO_FAILED);
2658 FAIL_IF(f.alproto_tc != ALPROTO_FAILED);
2659 FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED));
2660 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER));
2661 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER));
2662 FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT));
2663 FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT));
2664 FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER);
2665
2666 TEST_END;
2667 PASS;
2668 }
2669
AppLayerUnittestsRegister(void)2670 void AppLayerUnittestsRegister(void)
2671 {
2672 SCEnter();
2673
2674 UtRegisterTest("AppLayerTest01", AppLayerTest01);
2675 UtRegisterTest("AppLayerTest02", AppLayerTest02);
2676 UtRegisterTest("AppLayerTest03", AppLayerTest03);
2677 UtRegisterTest("AppLayerTest04", AppLayerTest04);
2678 UtRegisterTest("AppLayerTest05", AppLayerTest05);
2679 UtRegisterTest("AppLayerTest06", AppLayerTest06);
2680 UtRegisterTest("AppLayerTest07", AppLayerTest07);
2681 UtRegisterTest("AppLayerTest08", AppLayerTest08);
2682 UtRegisterTest("AppLayerTest09", AppLayerTest09);
2683 UtRegisterTest("AppLayerTest10", AppLayerTest10);
2684 UtRegisterTest("AppLayerTest11", AppLayerTest11);
2685
2686 SCReturn;
2687 }
2688
2689 #endif /* UNITTESTS */
2690