/src/suricata7/src/app-layer.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2024 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Victor Julien <victor@inliniac.net> |
22 | | * \author Anoop Saldanha <anoopsaldanha@gmail.com> |
23 | | * |
24 | | * Generic App-layer functions |
25 | | */ |
26 | | |
27 | | #include "suricata-common.h" |
28 | | #include "suricata.h" |
29 | | #include "app-layer.h" |
30 | | #include "app-layer-parser.h" |
31 | | #include "app-layer-protos.h" |
32 | | #include "app-layer-expectation.h" |
33 | | #include "app-layer-ftp.h" |
34 | | #include "app-layer-detect-proto.h" |
35 | | #include "app-layer-frames.h" |
36 | | #include "stream-tcp-reassemble.h" |
37 | | #include "stream-tcp-private.h" |
38 | | #include "stream-tcp-inline.h" |
39 | | #include "stream-tcp.h" |
40 | | #include "flow.h" |
41 | | #include "flow-util.h" |
42 | | #include "flow-private.h" |
43 | | #include "ippair.h" |
44 | | #include "util-debug.h" |
45 | | #include "util-print.h" |
46 | | #include "util-profiling.h" |
47 | | #include "util-validate.h" |
48 | | #include "decode-events.h" |
49 | | #include "app-layer-htp-mem.h" |
50 | | #include "util-exception-policy.h" |
51 | | |
52 | | extern bool g_eps_stats_counters; |
53 | | extern bool g_stats_eps_per_app_proto_errors; |
54 | | /** |
55 | | * \brief This is for the app layer in general and it contains per thread |
56 | | * context relevant to both the alpd and alp. |
57 | | */ |
58 | | struct AppLayerThreadCtx_ { |
59 | | /* App layer protocol detection thread context, from AppLayerProtoDetectGetCtxThread(). */ |
60 | | AppLayerProtoDetectThreadCtx *alpd_tctx; |
61 | | /* App layer parser thread context, from AppLayerParserThreadCtxAlloc(). */ |
62 | | AppLayerParserThreadCtx *alp_tctx; |
63 | | |
64 | | #ifdef PROFILING |
65 | | uint64_t ticks_start; |
66 | | uint64_t ticks_end; |
67 | | uint64_t ticks_spent; |
68 | | AppProto alproto; |
69 | | uint64_t proto_detect_ticks_start; |
70 | | uint64_t proto_detect_ticks_end; |
71 | | uint64_t proto_detect_ticks_spent; |
72 | | #endif |
73 | | }; |
74 | | |
75 | 24.2k | #define FLOW_PROTO_CHANGE_MAX_DEPTH 4096 |
76 | | |
77 | | #define MAX_COUNTER_SIZE 64 |
78 | | typedef struct AppLayerCounterNames_ { |
79 | | char name[MAX_COUNTER_SIZE]; |
80 | | char tx_name[MAX_COUNTER_SIZE]; |
81 | | char gap_error[MAX_COUNTER_SIZE]; |
82 | | char parser_error[MAX_COUNTER_SIZE]; |
83 | | char internal_error[MAX_COUNTER_SIZE]; |
84 | | char alloc_error[MAX_COUNTER_SIZE]; |
85 | | char eps_name[EXCEPTION_POLICY_MAX][MAX_COUNTER_SIZE]; |
86 | | } AppLayerCounterNames; |
87 | | |
88 | | typedef struct AppLayerCounters_ { |
89 | | uint16_t counter_id; |
90 | | uint16_t counter_tx_id; |
91 | | uint16_t gap_error_id; |
92 | | uint16_t parser_error_id; |
93 | | uint16_t internal_error_id; |
94 | | uint16_t alloc_error_id; |
95 | | ExceptionPolicyCounters eps_error; |
96 | | } AppLayerCounters; |
97 | | |
98 | | /* counter names. Only used at init. */ |
99 | | AppLayerCounterNames applayer_counter_names[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]; |
100 | | /* counter id's. Used that runtime. */ |
101 | | AppLayerCounters applayer_counters[FLOW_PROTO_APPLAYER_MAX][ALPROTO_MAX]; |
102 | | /* Exception policy global counters ids */ |
103 | | ExceptionPolicyCounters eps_error_summary; |
104 | | |
105 | | /* Settings order as in the enum */ |
106 | | // clang-format off |
107 | | ExceptionPolicyStatsSetts app_layer_error_eps_stats = { |
108 | | .valid_settings_ids = { |
109 | | /* EXCEPTION_POLICY_NOT_SET */ false, |
110 | | /* EXCEPTION_POLICY_AUTO */ false, |
111 | | /* EXCEPTION_POLICY_PASS_PACKET */ true, |
112 | | /* EXCEPTION_POLICY_PASS_FLOW */ true, |
113 | | /* EXCEPTION_POLICY_BYPASS_FLOW */ true, |
114 | | /* EXCEPTION_POLICY_DROP_PACKET */ false, |
115 | | /* EXCEPTION_POLICY_DROP_FLOW */ false, |
116 | | /* EXCEPTION_POLICY_REJECT */ true, |
117 | | /* EXCEPTION_POLICY_REJECT_BOTH */ true, |
118 | | }, |
119 | | .valid_settings_ips = { |
120 | | /* EXCEPTION_POLICY_NOT_SET */ false, |
121 | | /* EXCEPTION_POLICY_AUTO */ false, |
122 | | /* EXCEPTION_POLICY_PASS_PACKET */ true, |
123 | | /* EXCEPTION_POLICY_PASS_FLOW */ true, |
124 | | /* EXCEPTION_POLICY_BYPASS_FLOW */ true, |
125 | | /* EXCEPTION_POLICY_DROP_PACKET */ true, |
126 | | /* EXCEPTION_POLICY_DROP_FLOW */ true, |
127 | | /* EXCEPTION_POLICY_REJECT */ true, |
128 | | /* EXCEPTION_POLICY_REJECT_BOTH */ true, |
129 | | }, |
130 | | }; |
131 | | // clang-format on |
132 | | |
133 | | void AppLayerSetupCounters(void); |
134 | | void AppLayerDeSetupCounters(void); |
135 | | |
136 | | /***** L7 layer dispatchers *****/ |
137 | | |
138 | 408k | static inline int ProtoDetectDone(const Flow *f, const TcpSession *ssn, uint8_t direction) { |
139 | 408k | const TcpStream *stream = (direction & STREAM_TOSERVER) ? &ssn->client : &ssn->server; |
140 | 408k | return ((stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) || |
141 | 397k | (FLOW_IS_PM_DONE(f, direction) && FLOW_IS_PP_DONE(f, direction))); |
142 | 408k | } |
143 | | |
144 | | /** |
145 | | * \note id can be 0 if protocol parser is disabled but detection |
146 | | * is enabled. |
147 | | */ |
148 | | static void AppLayerIncFlowCounter(ThreadVars *tv, Flow *f) |
149 | 247k | { |
150 | 247k | const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_id; |
151 | 247k | if (likely(tv && id > 0)) { |
152 | 247k | StatsIncr(tv, id); |
153 | 247k | } |
154 | 247k | } |
155 | | |
156 | | void AppLayerIncTxCounter(ThreadVars *tv, Flow *f, uint64_t step) |
157 | 1.28M | { |
158 | 1.28M | const uint16_t id = applayer_counters[f->protomap][f->alproto].counter_tx_id; |
159 | 1.28M | if (likely(tv && id > 0)) { |
160 | 1.28M | StatsAddUI64(tv, id, step); |
161 | 1.28M | } |
162 | 1.28M | } |
163 | | |
164 | | void AppLayerIncGapErrorCounter(ThreadVars *tv, Flow *f) |
165 | 14.2k | { |
166 | 14.2k | const uint16_t id = applayer_counters[f->protomap][f->alproto].gap_error_id; |
167 | 14.2k | if (likely(tv && id > 0)) { |
168 | 14.2k | StatsIncr(tv, id); |
169 | 14.2k | } |
170 | 14.2k | } |
171 | | |
172 | | void AppLayerIncAllocErrorCounter(ThreadVars *tv, Flow *f) |
173 | 0 | { |
174 | 0 | const uint16_t id = applayer_counters[f->protomap][f->alproto].alloc_error_id; |
175 | 0 | if (likely(tv && id > 0)) { |
176 | 0 | StatsIncr(tv, id); |
177 | 0 | } |
178 | 0 | } |
179 | | |
180 | | void AppLayerIncParserErrorCounter(ThreadVars *tv, Flow *f) |
181 | 229k | { |
182 | 229k | const uint16_t id = applayer_counters[f->protomap][f->alproto].parser_error_id; |
183 | 229k | if (likely(tv && id > 0)) { |
184 | 161k | StatsIncr(tv, id); |
185 | 161k | } |
186 | 229k | } |
187 | | |
188 | | void AppLayerIncInternalErrorCounter(ThreadVars *tv, Flow *f) |
189 | 0 | { |
190 | 0 | const uint16_t id = applayer_counters[f->protomap][f->alproto].internal_error_id; |
191 | 0 | if (likely(tv && id > 0)) { |
192 | 0 | StatsIncr(tv, id); |
193 | 0 | } |
194 | 0 | } |
195 | | |
196 | | static void AppLayerIncrErrorExcPolicyCounter(ThreadVars *tv, Flow *f, enum ExceptionPolicy policy) |
197 | 176k | { |
198 | | #ifdef UNITTESTS |
199 | | if (tv == NULL) { |
200 | | return; |
201 | | } |
202 | | #endif |
203 | 176k | uint16_t id = applayer_counters[f->protomap][f->alproto].eps_error.eps_id[policy]; |
204 | | /* for the summary values */ |
205 | 176k | uint16_t g_id = eps_error_summary.eps_id[policy]; |
206 | | |
207 | 176k | if (likely(id > 0)) { |
208 | 0 | StatsIncr(tv, id); |
209 | 0 | } |
210 | 176k | if (likely(g_id > 0)) { |
211 | 0 | StatsIncr(tv, g_id); |
212 | 0 | } |
213 | 176k | } |
214 | | |
215 | | /* in IDS mode protocol detection is done in reverse order: |
216 | | * when TCP data is ack'd. We want to flag the correct packet, |
217 | | * so in this case we set a flag in the flow so that the first |
218 | | * packet in the correct direction can be tagged. |
219 | | * |
220 | | * For IPS we update packet and flow. */ |
221 | | static inline void FlagPacketFlow(Packet *p, Flow *f, uint8_t flags) |
222 | 456k | { |
223 | 456k | if (p->proto != IPPROTO_TCP || EngineModeIsIPS()) { |
224 | 185k | if (flags & STREAM_TOSERVER) { |
225 | 92.6k | if (p->flowflags & FLOW_PKT_TOSERVER) { |
226 | 69.9k | p->flags |= PKT_PROTO_DETECT_TS_DONE; |
227 | 69.9k | f->flags |= FLOW_PROTO_DETECT_TS_DONE; |
228 | 69.9k | } else { |
229 | 22.6k | f->flags |= FLOW_PROTO_DETECT_TS_DONE; |
230 | 22.6k | } |
231 | 92.6k | } else { |
232 | 92.6k | if (p->flowflags & FLOW_PKT_TOCLIENT) { |
233 | 22.6k | p->flags |= PKT_PROTO_DETECT_TC_DONE; |
234 | 22.6k | f->flags |= FLOW_PROTO_DETECT_TC_DONE; |
235 | 69.9k | } else { |
236 | 69.9k | f->flags |= FLOW_PROTO_DETECT_TC_DONE; |
237 | 69.9k | } |
238 | 92.6k | } |
239 | 270k | } else { |
240 | 270k | if (flags & STREAM_TOSERVER) { |
241 | 174k | f->flags |= FLOW_PROTO_DETECT_TS_DONE; |
242 | 174k | } else { |
243 | 96.5k | f->flags |= FLOW_PROTO_DETECT_TC_DONE; |
244 | 96.5k | } |
245 | 270k | } |
246 | 456k | } |
247 | | |
248 | | static void DisableAppLayer(ThreadVars *tv, Flow *f, Packet *p) |
249 | 12.5k | { |
250 | 12.5k | SCLogDebug("disable app layer for flow %p alproto %u ts %u tc %u", |
251 | 12.5k | f, f->alproto, f->alproto_ts, f->alproto_tc); |
252 | 12.5k | FlowCleanupAppLayer(f); |
253 | 12.5k | StreamTcpDisableAppLayer(f); |
254 | 12.5k | TcpSession *ssn = f->protoctx; |
255 | 12.5k | ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER; |
256 | 12.5k | f->alproto = ALPROTO_FAILED; |
257 | 12.5k | AppLayerIncFlowCounter(tv, f); |
258 | | |
259 | 12.5k | if (f->alproto_tc != ALPROTO_FAILED) { |
260 | 12.5k | if (f->alproto_tc == ALPROTO_UNKNOWN) { |
261 | 8.73k | f->alproto_tc = ALPROTO_FAILED; |
262 | 8.73k | } |
263 | 12.5k | FlagPacketFlow(p, f, STREAM_TOCLIENT); |
264 | 12.5k | } |
265 | 12.5k | if (f->alproto_ts != ALPROTO_FAILED) { |
266 | 12.5k | if (f->alproto_ts == ALPROTO_UNKNOWN) { |
267 | 12.3k | f->alproto_ts = ALPROTO_FAILED; |
268 | 12.3k | } |
269 | 12.5k | FlagPacketFlow(p, f, STREAM_TOSERVER); |
270 | 12.5k | } |
271 | 12.5k | SCLogDebug("disabled app layer for flow %p alproto %u ts %u tc %u", |
272 | 12.5k | f, f->alproto, f->alproto_ts, f->alproto_tc); |
273 | 12.5k | } |
274 | | |
275 | | /* See if we're going to have to give up: |
276 | | * |
277 | | * If we're getting a lot of data in one direction and the |
278 | | * proto for this direction is unknown, proto detect will |
279 | | * hold up segments in the segment list in the stream. |
280 | | * They are held so that if we detect the protocol on the |
281 | | * opposing stream, we can still parse this side of the stream |
282 | | * as well. However, some sessions are very unbalanced. FTP |
283 | | * data channels, large PUT/POST request and many others, can |
284 | | * lead to cases where we would have to store many megabytes |
285 | | * worth of segments before we see the opposing stream. This |
286 | | * leads to risks of resource starvation. |
287 | | * |
288 | | * Here a cutoff point is enforced. If we've stored 100k in |
289 | | * one direction and we've seen no data in the other direction, |
290 | | * we give up. |
291 | | * |
292 | | * Giving up means we disable applayer an set an applayer event |
293 | | */ |
294 | | static void TCPProtoDetectCheckBailConditions(ThreadVars *tv, |
295 | | Flow *f, TcpSession *ssn, Packet *p) |
296 | 202k | { |
297 | 202k | if (ssn->state < TCP_ESTABLISHED) { |
298 | 25.0k | SCLogDebug("skip as long as TCP is not ESTABLISHED (TCP fast open)"); |
299 | 25.0k | return; |
300 | 25.0k | } |
301 | | |
302 | 177k | const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client); |
303 | 177k | const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server); |
304 | 177k | SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc); |
305 | | |
306 | | /* at least 100000 whatever the conditions |
307 | | * and can be more if window is bigger and if configuration allows it */ |
308 | 177k | const uint32_t size_tc_limit = |
309 | 177k | MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth)); |
310 | 177k | const uint32_t size_ts_limit = |
311 | 177k | MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth)); |
312 | | |
313 | 177k | if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) && |
314 | 30.3k | ProtoDetectDone(f, ssn, STREAM_TOCLIENT)) |
315 | 989 | { |
316 | 989 | goto failure; |
317 | | |
318 | | /* we bail out whatever the pp and pm states if |
319 | | * we received too much data */ |
320 | 176k | } else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) { |
321 | 4 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED); |
322 | 4 | goto failure; |
323 | | |
324 | 176k | } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && |
325 | 26.8k | size_ts > size_ts_limit && size_tc == 0) { |
326 | 1 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
327 | 1 | APPLAYER_PROTO_DETECTION_SKIPPED); |
328 | 1 | goto failure; |
329 | | |
330 | 176k | } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && |
331 | 62.6k | size_tc > size_tc_limit && size_ts == 0) { |
332 | 4 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
333 | 4 | APPLAYER_PROTO_DETECTION_SKIPPED); |
334 | 4 | goto failure; |
335 | | |
336 | | /* little data in ts direction, pp done, pm not done (max |
337 | | * depth not reached), ts direction done, lots of data in |
338 | | * tc direction. */ |
339 | 176k | } else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && |
340 | 751 | !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && |
341 | 2 | FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) { |
342 | 2 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
343 | 2 | APPLAYER_PROTO_DETECTION_SKIPPED); |
344 | 2 | goto failure; |
345 | | |
346 | | /* little data in tc direction, pp done, pm not done (max |
347 | | * depth not reached), tc direction done, lots of data in |
348 | | * ts direction. */ |
349 | 176k | } else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && |
350 | 1.03k | !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && |
351 | 1 | FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) { |
352 | 1 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
353 | 1 | APPLAYER_PROTO_DETECTION_SKIPPED); |
354 | 1 | goto failure; |
355 | 1 | } |
356 | 176k | return; |
357 | | |
358 | 176k | failure: |
359 | 1.00k | DisableAppLayer(tv, f, p); |
360 | 1.00k | return; |
361 | 177k | } |
362 | | |
363 | | static int TCPProtoDetectTriggerOpposingSide(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, |
364 | | Packet *p, TcpSession *ssn, const TcpStream *stream) |
365 | 10.0k | { |
366 | 10.0k | TcpStream *opposing_stream = NULL; |
367 | 10.0k | if (stream == &ssn->client) { |
368 | 4.00k | opposing_stream = &ssn->server; |
369 | 6.02k | } else { |
370 | 6.02k | opposing_stream = &ssn->client; |
371 | 6.02k | } |
372 | | |
373 | | /* if the opposing side is not going to work, then |
374 | | * we just have to give up. */ |
375 | 10.0k | if (opposing_stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) { |
376 | 629 | SCLogDebug("opposing dir has STREAMTCP_STREAM_FLAG_NOREASSEMBLY set"); |
377 | 629 | return -1; |
378 | 629 | } |
379 | | |
380 | 9.40k | enum StreamUpdateDir dir = StreamTcpInlineMode() ? |
381 | 0 | UPDATE_DIR_OPPOSING : |
382 | 9.40k | UPDATE_DIR_PACKET; |
383 | 9.40k | int ret = StreamTcpReassembleAppLayer(tv, ra_ctx, ssn, |
384 | 9.40k | opposing_stream, p, dir); |
385 | 9.40k | return ret; |
386 | 10.0k | } |
387 | | |
388 | | extern enum ExceptionPolicy g_applayerparser_error_policy; |
389 | | |
390 | | /** \todo data const |
391 | | * \retval int -1 error |
392 | | * \retval int 0 ok |
393 | | */ |
394 | | static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, |
395 | | AppLayerThreadCtx *app_tctx, Packet *p, Flow *f, TcpSession *ssn, TcpStream **stream, |
396 | | uint8_t *data, uint32_t data_len, uint8_t flags, enum StreamUpdateDir dir) |
397 | 754k | { |
398 | 754k | AppProto *alproto; |
399 | 754k | AppProto *alproto_otherdir; |
400 | 754k | uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1; |
401 | | |
402 | 754k | if (flags & STREAM_TOSERVER) { |
403 | 396k | alproto = &f->alproto_ts; |
404 | 396k | alproto_otherdir = &f->alproto_tc; |
405 | 396k | } else { |
406 | 357k | alproto = &f->alproto_tc; |
407 | 357k | alproto_otherdir = &f->alproto_ts; |
408 | 357k | } |
409 | | |
410 | 754k | SCLogDebug("Stream initializer (len %" PRIu32 ")", data_len); |
411 | | #ifdef PRINT |
412 | | if (data_len > 0) { |
413 | | printf("=> Init Stream Data (app layer) -- start %s%s\n", |
414 | | flags & STREAM_TOCLIENT ? "toclient" : "", |
415 | | flags & STREAM_TOSERVER ? "toserver" : ""); |
416 | | PrintRawDataFp(stdout, data, data_len); |
417 | | printf("=> Init Stream Data -- end\n"); |
418 | | } |
419 | | #endif |
420 | | |
421 | 754k | bool reverse_flow = false; |
422 | 754k | DEBUG_VALIDATE_BUG_ON(data == NULL && data_len > 0); |
423 | 754k | PACKET_PROFILING_APP_PD_START(app_tctx); |
424 | 754k | *alproto = AppLayerProtoDetectGetProto(app_tctx->alpd_tctx, |
425 | 754k | f, data, data_len, |
426 | 754k | IPPROTO_TCP, flags, &reverse_flow); |
427 | 754k | PACKET_PROFILING_APP_PD_END(app_tctx); |
428 | 754k | SCLogDebug("alproto %u rev %s", *alproto, reverse_flow ? "true" : "false"); |
429 | | |
430 | 754k | if (*alproto != ALPROTO_UNKNOWN) { |
431 | 230k | if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) { |
432 | 799 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
433 | 799 | APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); |
434 | | |
435 | 799 | if (ssn->data_first_seen_dir == APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) { |
436 | | /* if we already invoked the parser, we go with that proto */ |
437 | 797 | f->alproto = *alproto_otherdir; |
438 | 797 | } else { |
439 | | /* no data sent to parser yet, we can still choose |
440 | | * we're trusting the server more. */ |
441 | 2 | if (flags & STREAM_TOCLIENT) |
442 | 1 | f->alproto = *alproto; |
443 | 1 | else |
444 | 1 | f->alproto = *alproto_otherdir; |
445 | 2 | } |
446 | 229k | } else { |
447 | 229k | f->alproto = *alproto; |
448 | 229k | } |
449 | | |
450 | 230k | StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream); |
451 | 230k | TcpSessionSetReassemblyDepth(ssn, |
452 | 230k | AppLayerParserGetStreamDepth(f)); |
453 | 230k | FlagPacketFlow(p, f, flags); |
454 | | |
455 | | /* if protocol detection indicated that we need to reverse |
456 | | * the direction of the flow, do it now. We flip the flow, |
457 | | * packet and the direction flags */ |
458 | 230k | if (reverse_flow && |
459 | 36.0k | ((ssn->flags & (STREAMTCP_FLAG_MIDSTREAM | STREAMTCP_FLAG_MIDSTREAM_SYNACK)) == |
460 | 36.0k | STREAMTCP_FLAG_MIDSTREAM)) { |
461 | | /* but only if we didn't already detect it on the other side. */ |
462 | 31.8k | if (*alproto_otherdir == ALPROTO_UNKNOWN) { |
463 | 30.6k | SCLogDebug("reversing flow after proto detect told us so"); |
464 | 30.6k | PacketSwap(p); |
465 | 30.6k | FlowSwap(f); |
466 | | // Will reset signature groups in DetectRunSetup |
467 | 30.6k | f->de_ctx_version = UINT32_MAX; |
468 | 30.6k | SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT); |
469 | 30.6k | if (*stream == &ssn->client) { |
470 | 29.7k | *stream = &ssn->server; |
471 | 29.7k | } else { |
472 | 943 | *stream = &ssn->client; |
473 | 943 | } |
474 | 30.6k | direction = 1 - direction; |
475 | 30.6k | } else { |
476 | | // TODO event, error? |
477 | 1.12k | } |
478 | 31.8k | } |
479 | | |
480 | | /* account flow if we have both sides */ |
481 | 230k | if (*alproto_otherdir != ALPROTO_UNKNOWN) { |
482 | 94.2k | AppLayerIncFlowCounter(tv, f); |
483 | 94.2k | } |
484 | | |
485 | | /* if we have seen data from the other direction first, send |
486 | | * data for that direction first to the parser. This shouldn't |
487 | | * be an issue, since each stream processing happens |
488 | | * independently of the other stream direction. At this point of |
489 | | * call, you need to know that this function's already being |
490 | | * called by the very same StreamReassembly() function that we |
491 | | * will now call shortly for the opposing direction. */ |
492 | 230k | if ((ssn->data_first_seen_dir & (STREAM_TOSERVER | STREAM_TOCLIENT)) && |
493 | 163k | !(flags & ssn->data_first_seen_dir)) |
494 | 10.0k | { |
495 | 10.0k | SCLogDebug("protocol %s needs first data in other direction", |
496 | 10.0k | AppProtoToString(*alproto)); |
497 | | |
498 | 10.0k | if (TCPProtoDetectTriggerOpposingSide(tv, ra_ctx, |
499 | 10.0k | p, ssn, *stream) != 0) |
500 | 629 | { |
501 | 629 | goto detect_error; |
502 | 629 | } |
503 | 9.40k | if (FlowChangeProto(f)) { |
504 | | /* We have the first data which requested a protocol change from P1 to P2 |
505 | | * even if it was not recognized at first as being P1 |
506 | | * As the second data was recognized as P1, the protocol did not change ! |
507 | | */ |
508 | 0 | FlowUnsetChangeProtoFlag(f); |
509 | 0 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
510 | 0 | APPLAYER_UNEXPECTED_PROTOCOL); |
511 | 0 | } |
512 | 9.40k | } |
513 | | |
514 | | /* if the parser operates such that it needs to see data from |
515 | | * a particular direction first, we check if we have seen |
516 | | * data from that direction first for the flow. IF it is not |
517 | | * the same, we set an event and exit. |
518 | | * |
519 | | * \todo We need to figure out a more robust solution for this, |
520 | | * as this can lead to easy evasion tactics, where the |
521 | | * attacker can first send some dummy data in the wrong |
522 | | * direction first to mislead our proto detection process. |
523 | | * While doing this we need to update the parsers as well, |
524 | | * since the parsers must be robust to see such wrong |
525 | | * direction data. |
526 | | * Either ways the moment we see the |
527 | | * APPLAYER_WRONG_DIRECTION_FIRST_DATA event set for the |
528 | | * flow, it shows something's fishy. |
529 | | */ |
530 | 229k | if (ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) { |
531 | 158k | uint8_t first_data_dir; |
532 | 158k | first_data_dir = AppLayerParserGetFirstDataDir(f->proto, f->alproto); |
533 | | |
534 | 158k | if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) { |
535 | 2.72k | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
536 | 2.72k | APPLAYER_WRONG_DIRECTION_FIRST_DATA); |
537 | 2.72k | goto detect_error; |
538 | 2.72k | } |
539 | | /* This can happen if the current direction is not the |
540 | | * right direction, and the data from the other(also |
541 | | * the right direction) direction is available to be sent |
542 | | * to the app layer, but it is not ack'ed yet and hence |
543 | | * the forced call to STreamTcpAppLayerReassemble still |
544 | | * hasn't managed to send data from the other direction |
545 | | * to the app layer. */ |
546 | 155k | if (first_data_dir && !(first_data_dir & flags)) { |
547 | 359 | FlowCleanupAppLayer(f); |
548 | 359 | StreamTcpResetStreamFlagAppProtoDetectionCompleted(*stream); |
549 | 359 | FLOW_RESET_PP_DONE(f, flags); |
550 | 359 | FLOW_RESET_PM_DONE(f, flags); |
551 | 359 | FLOW_RESET_PE_DONE(f, flags); |
552 | 359 | SCReturnInt(-1); |
553 | 359 | } |
554 | 155k | } |
555 | | |
556 | | /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */ |
557 | 226k | ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER; |
558 | | |
559 | | /* finally, invoke the parser */ |
560 | 226k | PACKET_PROFILING_APP_START(app_tctx, f->alproto); |
561 | 226k | int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto, |
562 | 226k | flags, data, data_len); |
563 | 226k | PACKET_PROFILING_APP_END(app_tctx, f->alproto); |
564 | 226k | p->app_update_direction = (uint8_t)dir; |
565 | 226k | if (r != 1) { |
566 | 199k | StreamTcpUpdateAppLayerProgress(ssn, direction, data_len); |
567 | 199k | } |
568 | 226k | if (r == 0) { |
569 | 190k | if (*alproto_otherdir == ALPROTO_UNKNOWN) { |
570 | 111k | TcpStream *opposing_stream; |
571 | 111k | if (*stream == &ssn->client) { |
572 | 95.2k | opposing_stream = &ssn->server; |
573 | 95.2k | } else { |
574 | 15.8k | opposing_stream = &ssn->client; |
575 | 15.8k | } |
576 | 111k | if (StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(opposing_stream)) { |
577 | | // can happen in detection-only |
578 | 947 | AppLayerIncFlowCounter(tv, f); |
579 | 947 | } |
580 | 111k | } |
581 | 190k | } |
582 | 226k | if (r < 0) { |
583 | 8.60k | goto parser_error; |
584 | 8.60k | } |
585 | 523k | } else { |
586 | | /* if the ssn is midstream, we may end up with a case where the |
587 | | * start of an HTTP request is missing. We won't detect HTTP based |
588 | | * on the request. However, the reply is fine, so we detect |
589 | | * HTTP anyway. This leads to passing the incomplete request to |
590 | | * the htp parser. |
591 | | * |
592 | | * This has been observed, where the http parser then saw many |
593 | | * bogus requests in the incomplete data. |
594 | | * |
595 | | * To counter this case, a midstream session MUST find it's |
596 | | * protocol in the toserver direction. If not, we assume the |
597 | | * start of the request/toserver is incomplete and no reliable |
598 | | * detection and parsing is possible. So we give up. |
599 | | */ |
600 | 523k | if ((ssn->flags & STREAMTCP_FLAG_MIDSTREAM) && |
601 | 257k | !(ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK)) |
602 | 167k | { |
603 | 167k | if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) { |
604 | 7.57k | SCLogDebug("midstream end pd %p", ssn); |
605 | | /* midstream and toserver detection failed: give up */ |
606 | 7.57k | DisableAppLayer(tv, f, p); |
607 | 7.57k | SCReturnInt(0); |
608 | 7.57k | } |
609 | 167k | } |
610 | | |
611 | 516k | if (*alproto_otherdir != ALPROTO_UNKNOWN) { |
612 | 117k | uint8_t first_data_dir; |
613 | 117k | first_data_dir = AppLayerParserGetFirstDataDir(f->proto, *alproto_otherdir); |
614 | | |
615 | | /* this would handle this test case - |
616 | | * http parser which says it wants to see toserver data first only. |
617 | | * tcp handshake |
618 | | * toclient data first received. - RUBBISH DATA which |
619 | | * we don't detect as http |
620 | | * toserver data next sent - we detect this as http. |
621 | | * at this stage we see that toclient is the first data seen |
622 | | * for this session and we try and redetect the app protocol, |
623 | | * but we are unable to detect the app protocol like before. |
624 | | * But since we have managed to detect the protocol for the |
625 | | * other direction as http, we try to use that. At this |
626 | | * stage we check if the direction of this stream matches |
627 | | * to that acceptable by the app parser. If it is not the |
628 | | * acceptable direction we error out. |
629 | | */ |
630 | 117k | if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) && |
631 | 7.91k | (first_data_dir) && !(first_data_dir & flags)) |
632 | 109 | { |
633 | 109 | goto detect_error; |
634 | 109 | } |
635 | | |
636 | | /* if protocol detection is marked done for our direction we |
637 | | * pass our data on. We're only succeeded in finding one |
638 | | * direction: the opposing stream |
639 | | * |
640 | | * If PD was not yet complete, we don't do anything. |
641 | | */ |
642 | 117k | if (FLOW_IS_PM_DONE(f, flags) && FLOW_IS_PP_DONE(f, flags)) { |
643 | 16.0k | if (data_len > 0) |
644 | 16.0k | ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER; |
645 | | |
646 | 16.0k | if (*alproto_otherdir != ALPROTO_FAILED) { |
647 | 16.0k | PACKET_PROFILING_APP_START(app_tctx, f->alproto); |
648 | 16.0k | int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, |
649 | 16.0k | f->alproto, flags, |
650 | 16.0k | data, data_len); |
651 | 16.0k | PACKET_PROFILING_APP_END(app_tctx, f->alproto); |
652 | 16.0k | p->app_update_direction = (uint8_t)dir; |
653 | 16.0k | if (r != 1) { |
654 | 12.4k | StreamTcpUpdateAppLayerProgress(ssn, direction, data_len); |
655 | 12.4k | } |
656 | | |
657 | 16.0k | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
658 | 16.0k | APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION); |
659 | 16.0k | TcpSessionSetReassemblyDepth(ssn, |
660 | 16.0k | AppLayerParserGetStreamDepth(f)); |
661 | | |
662 | 16.0k | *alproto = *alproto_otherdir; |
663 | 16.0k | SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set", |
664 | 16.0k | p->pcap_cnt, *alproto, *alproto_otherdir, r); |
665 | 16.0k | if (r < 0) { |
666 | 803 | goto parser_error; |
667 | 803 | } |
668 | 16.0k | } |
669 | 15.2k | *alproto = ALPROTO_FAILED; |
670 | 15.2k | StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream); |
671 | 15.2k | AppLayerIncFlowCounter(tv, f); |
672 | 15.2k | FlagPacketFlow(p, f, flags); |
673 | | |
674 | 101k | } else if (flags & STREAM_EOF) { |
675 | 25.4k | *alproto = f->alproto; |
676 | 25.4k | StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream); |
677 | 25.4k | AppLayerIncFlowCounter(tv, f); |
678 | 25.4k | } |
679 | 398k | } else { |
680 | | /* both sides unknown, let's see if we need to give up */ |
681 | 398k | if (FlowChangeProto(f)) { |
682 | | /* TCPProtoDetectCheckBailConditions does not work well because |
683 | | * size_tc from STREAM_RIGHT_EDGE is not reset to zero |
684 | | * so, we set a lower limit to the data we inspect |
685 | | * We could instead have set ssn->server.sb.stream_offset = 0; |
686 | | */ |
687 | 12.1k | if (data_len >= FLOW_PROTO_CHANGE_MAX_DEPTH || (flags & STREAM_EOF)) { |
688 | 94 | DisableAppLayer(tv, f, p); |
689 | 94 | } |
690 | 386k | } else { |
691 | 386k | TCPProtoDetectCheckBailConditions(tv, f, ssn, p); |
692 | 386k | } |
693 | 398k | } |
694 | 516k | } |
695 | 754k | SCReturnInt(0); |
696 | 9.40k | parser_error: |
697 | 9.40k | ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR); |
698 | 9.40k | AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy); |
699 | 9.40k | SCReturnInt(-1); |
700 | 3.46k | detect_error: |
701 | 3.46k | DisableAppLayer(tv, f, p); |
702 | 3.46k | SCReturnInt(-2); |
703 | 754k | } |
704 | | |
705 | | /** \brief handle TCP data for the app-layer. |
706 | | * |
707 | | * First run protocol detection and then when the protocol is known invoke |
708 | | * the app layer parser. |
709 | | * |
710 | | * \param stream ptr-to-ptr to stream object. Might change if flow dir is |
711 | | * reversed. |
712 | | */ |
713 | | int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, Packet *p, Flow *f, |
714 | | TcpSession *ssn, TcpStream **stream, uint8_t *data, uint32_t data_len, uint8_t flags, |
715 | | enum StreamUpdateDir dir) |
716 | 4.20M | { |
717 | 4.20M | SCEnter(); |
718 | | |
719 | 4.20M | DEBUG_ASSERT_FLOW_LOCKED(f); |
720 | 4.20M | DEBUG_VALIDATE_BUG_ON(data_len > (uint32_t)INT_MAX); |
721 | | |
722 | 4.20M | AppLayerThreadCtx *app_tctx = ra_ctx->app_tctx; |
723 | 4.20M | AppProto alproto; |
724 | 4.20M | int r = 0; |
725 | | |
726 | 4.20M | SCLogDebug("data_len %u flags %02X", data_len, flags); |
727 | 4.20M | if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) { |
728 | 419 | SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set"); |
729 | 419 | goto end; |
730 | 419 | } |
731 | | |
732 | 4.20M | const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1; |
733 | | |
734 | 4.20M | if (flags & STREAM_TOSERVER) { |
735 | 1.97M | alproto = f->alproto_ts; |
736 | 2.23M | } else { |
737 | 2.23M | alproto = f->alproto_tc; |
738 | 2.23M | } |
739 | | |
740 | | /* If a gap notification, relay the notification on to the |
741 | | * app-layer if known. */ |
742 | 4.20M | if (flags & STREAM_GAP) { |
743 | 196k | SCLogDebug("GAP of size %u", data_len); |
744 | 196k | if (alproto == ALPROTO_UNKNOWN) { |
745 | 149k | StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream); |
746 | 149k | SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f); |
747 | | /* if the other side didn't already find the proto, we're done */ |
748 | 149k | if (f->alproto == ALPROTO_UNKNOWN) { |
749 | 121k | goto failure; |
750 | 121k | } |
751 | 27.5k | AppLayerIncFlowCounter(tv, f); |
752 | 27.5k | } |
753 | 74.6k | if (FlowChangeProto(f)) { |
754 | 536 | FlowUnsetChangeProtoFlag(f); |
755 | 536 | SCLogDebug("Cannot handle gap while changing protocol"); |
756 | 536 | goto failure; |
757 | 536 | } |
758 | 74.1k | PACKET_PROFILING_APP_START(app_tctx, f->alproto); |
759 | 74.1k | r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto, |
760 | 74.1k | flags, data, data_len); |
761 | 74.1k | PACKET_PROFILING_APP_END(app_tctx, f->alproto); |
762 | 74.1k | p->app_update_direction = (uint8_t)dir; |
763 | | /* ignore parser result for gap */ |
764 | 74.1k | StreamTcpUpdateAppLayerProgress(ssn, direction, data_len); |
765 | 74.1k | if (r < 0) { |
766 | 14.7k | ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR); |
767 | 14.7k | AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy); |
768 | 14.7k | SCReturnInt(-1); |
769 | 14.7k | } |
770 | 59.3k | goto end; |
771 | 74.1k | } |
772 | | |
773 | | /* if we don't know the proto yet and we have received a stream |
774 | | * initializer message, we run proto detection. |
775 | | * We receive 2 stream init msgs (one for each direction), we |
776 | | * only run the proto detection for both and emit an event |
777 | | * in the case protocols mismatch. */ |
778 | 4.00M | if (alproto == ALPROTO_UNKNOWN && (flags & STREAM_START)) { |
779 | 738k | DEBUG_VALIDATE_BUG_ON(FlowChangeProto(f)); |
780 | | /* run protocol detection */ |
781 | 738k | if (TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, dir) != |
782 | 738k | 0) { |
783 | 13.2k | goto failure; |
784 | 13.2k | } |
785 | 3.27M | } else if (alproto != ALPROTO_UNKNOWN && FlowChangeProto(f)) { |
786 | 16.3k | SCLogDebug("protocol change, old %s", AppProtoToString(f->alproto_orig)); |
787 | 16.3k | void *alstate_orig = f->alstate; |
788 | 16.3k | AppLayerParserState *alparser = f->alparser; |
789 | | // we delay AppLayerParserStateCleanup because we may need previous parser state |
790 | 16.3k | AppLayerProtoDetectReset(f); |
791 | 16.3k | StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client); |
792 | 16.3k | StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server); |
793 | | /* rerun protocol detection */ |
794 | 16.3k | int rd = |
795 | 16.3k | TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags, dir); |
796 | 16.3k | if (f->alproto == ALPROTO_UNKNOWN) { |
797 | 12.0k | DEBUG_VALIDATE_BUG_ON(alstate_orig != f->alstate); |
798 | | // not enough data, revert AppLayerProtoDetectReset to rerun detection |
799 | 12.0k | f->alparser = alparser; |
800 | 12.0k | f->alproto = f->alproto_orig; |
801 | 12.0k | f->alproto_tc = f->alproto_orig; |
802 | 12.0k | f->alproto_ts = f->alproto_orig; |
803 | 12.0k | } else { |
804 | 4.26k | FlowUnsetChangeProtoFlag(f); |
805 | 4.26k | AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser); |
806 | 4.26k | if (alstate_orig == f->alstate) { |
807 | | // we just freed it |
808 | 0 | f->alstate = NULL; |
809 | 0 | } |
810 | 4.26k | } |
811 | 16.3k | if (rd != 0) { |
812 | 5 | SCLogDebug("proto detect failure"); |
813 | 5 | goto failure; |
814 | 5 | } |
815 | 16.2k | SCLogDebug("protocol change, old %s, new %s", |
816 | 16.2k | AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto)); |
817 | | |
818 | 16.2k | if (f->alproto_expect != ALPROTO_UNKNOWN && f->alproto != ALPROTO_UNKNOWN && |
819 | 10.3k | f->alproto != f->alproto_expect) { |
820 | 9.61k | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
821 | 9.61k | APPLAYER_UNEXPECTED_PROTOCOL); |
822 | | |
823 | 9.61k | if (f->alproto_expect == ALPROTO_TLS && f->alproto != ALPROTO_TLS) { |
824 | 789 | AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, |
825 | 789 | APPLAYER_NO_TLS_AFTER_STARTTLS); |
826 | | |
827 | 789 | } |
828 | 9.61k | } |
829 | 3.25M | } else { |
830 | 3.25M | SCLogDebug("stream data (len %" PRIu32 " alproto " |
831 | 3.25M | "%"PRIu16" (flow %p)", data_len, f->alproto, f); |
832 | | #ifdef PRINT |
833 | | if (data_len > 0) { |
834 | | printf("=> Stream Data (app layer) -- start %s%s\n", |
835 | | flags & STREAM_TOCLIENT ? "toclient" : "", |
836 | | flags & STREAM_TOSERVER ? "toserver" : ""); |
837 | | PrintRawDataFp(stdout, data, data_len); |
838 | | printf("=> Stream Data -- end\n"); |
839 | | } |
840 | | #endif |
841 | | /* if we don't have a data object here we are not getting it |
842 | | * a start msg should have gotten us one */ |
843 | 3.25M | if (f->alproto != ALPROTO_UNKNOWN) { |
844 | 3.24M | PACKET_PROFILING_APP_START(app_tctx, f->alproto); |
845 | 3.24M | r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto, |
846 | 3.24M | flags, data, data_len); |
847 | 3.24M | PACKET_PROFILING_APP_END(app_tctx, f->alproto); |
848 | 3.24M | p->app_update_direction = (uint8_t)dir; |
849 | 3.24M | if (r != 1) { |
850 | 2.80M | StreamTcpUpdateAppLayerProgress(ssn, direction, data_len); |
851 | 2.80M | if (r < 0) { |
852 | 4.76k | ExceptionPolicyApply( |
853 | 4.76k | p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR); |
854 | 4.76k | AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy); |
855 | 4.76k | SCReturnInt(-1); |
856 | 4.76k | } |
857 | 2.80M | } |
858 | 3.24M | } |
859 | 3.25M | } |
860 | | |
861 | 3.99M | goto end; |
862 | 3.99M | failure: |
863 | 135k | r = -1; |
864 | 4.18M | end: |
865 | 4.18M | SCReturnInt(r); |
866 | 135k | } |
867 | | |
868 | | /** |
869 | | * \brief Handle a app layer UDP message |
870 | | * |
871 | | * If the protocol is yet unknown, the proto detection code is run first. |
872 | | * |
873 | | * \param dp_ctx Thread app layer detect context |
874 | | * \param f *locked* flow |
875 | | * \param p UDP packet |
876 | | * |
877 | | * \retval 0 ok |
878 | | * \retval -1 error |
879 | | */ |
880 | | int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *f) |
881 | 206k | { |
882 | 206k | SCEnter(); |
883 | 206k | AppProto *alproto; |
884 | 206k | AppProto *alproto_otherdir; |
885 | | |
886 | 206k | if (f->alproto_ts == ALPROTO_FAILED && f->alproto_tc == ALPROTO_FAILED) { |
887 | 2.92k | SCReturnInt(0); |
888 | 2.92k | } |
889 | | |
890 | 203k | int r = 0; |
891 | 203k | uint8_t flags = 0; |
892 | 203k | if (p->flowflags & FLOW_PKT_TOSERVER) { |
893 | 156k | flags |= STREAM_TOSERVER; |
894 | 156k | alproto = &f->alproto_ts; |
895 | 156k | alproto_otherdir = &f->alproto_tc; |
896 | 156k | } else { |
897 | 47.5k | flags |= STREAM_TOCLIENT; |
898 | 47.5k | alproto = &f->alproto_tc; |
899 | 47.5k | alproto_otherdir = &f->alproto_ts; |
900 | 47.5k | } |
901 | | |
902 | 203k | AppLayerProfilingReset(tctx); |
903 | | |
904 | | /* if the protocol is still unknown, run detection */ |
905 | 203k | if (*alproto == ALPROTO_UNKNOWN) { |
906 | 20.2k | SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")", |
907 | 20.2k | p->payload_len); |
908 | | |
909 | 20.2k | bool reverse_flow = false; |
910 | 20.2k | PACKET_PROFILING_APP_PD_START(tctx); |
911 | 20.2k | *alproto = AppLayerProtoDetectGetProto( |
912 | 20.2k | tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow); |
913 | 20.2k | PACKET_PROFILING_APP_PD_END(tctx); |
914 | | |
915 | 20.2k | switch (*alproto) { |
916 | 7.17k | case ALPROTO_UNKNOWN: |
917 | 7.17k | if (*alproto_otherdir != ALPROTO_UNKNOWN) { |
918 | | // Use recognized side |
919 | 1.18k | f->alproto = *alproto_otherdir; |
920 | | // do not keep ALPROTO_UNKNOWN for this side so as not to loop |
921 | 1.18k | *alproto = *alproto_otherdir; |
922 | 1.18k | if (*alproto_otherdir == ALPROTO_FAILED) { |
923 | 609 | SCLogDebug("ALPROTO_UNKNOWN flow %p", f); |
924 | 609 | } |
925 | 5.99k | } else { |
926 | | // First side of protocol is unknown |
927 | 5.99k | *alproto = ALPROTO_FAILED; |
928 | 5.99k | } |
929 | 7.17k | break; |
930 | 0 | case ALPROTO_FAILED: |
931 | 0 | if (*alproto_otherdir != ALPROTO_UNKNOWN) { |
932 | | // Use recognized side |
933 | 0 | f->alproto = *alproto_otherdir; |
934 | 0 | if (*alproto_otherdir == ALPROTO_FAILED) { |
935 | 0 | SCLogDebug("ALPROTO_UNKNOWN flow %p", f); |
936 | 0 | } |
937 | 0 | } |
938 | | // else wait for second side of protocol |
939 | 0 | break; |
940 | 13.1k | default: |
941 | 13.1k | if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) { |
942 | 3.10k | if (*alproto_otherdir != *alproto) { |
943 | 0 | AppLayerDecoderEventsSetEventRaw( |
944 | 0 | &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); |
945 | | // data already sent to parser, we cannot change the protocol to use the one |
946 | | // of the server |
947 | 0 | } |
948 | 10.0k | } else { |
949 | 10.0k | f->alproto = *alproto; |
950 | 10.0k | } |
951 | 20.2k | } |
952 | 20.2k | if (*alproto_otherdir == ALPROTO_UNKNOWN) { |
953 | 15.7k | if (f->alproto == ALPROTO_UNKNOWN) { |
954 | | // so as to increase stat about .app_layer.flow.failed_udp |
955 | 5.99k | f->alproto = ALPROTO_FAILED; |
956 | 5.99k | } |
957 | | // If the other side is unknown, this is the first packet of the flow |
958 | 15.7k | AppLayerIncFlowCounter(tv, f); |
959 | 15.7k | } |
960 | | |
961 | | // parse the data if we recognized one protocol |
962 | 20.2k | if (f->alproto != ALPROTO_UNKNOWN && f->alproto != ALPROTO_FAILED) { |
963 | 13.6k | if (reverse_flow) { |
964 | 623 | SCLogDebug("reversing flow after proto detect told us so"); |
965 | 623 | PacketSwap(p); |
966 | 623 | FlowSwap(f); |
967 | 623 | SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT); |
968 | 623 | } |
969 | | |
970 | 13.6k | PACKET_PROFILING_APP_START(tctx, f->alproto); |
971 | 13.6k | r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto, |
972 | 13.6k | flags, p->payload, p->payload_len); |
973 | 13.6k | PACKET_PROFILING_APP_END(tctx, f->alproto); |
974 | 13.6k | p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET; |
975 | 13.6k | } |
976 | 20.2k | PACKET_PROFILING_APP_STORE(tctx, p); |
977 | | /* we do only inspection in one direction, so flag both |
978 | | * sides as done here */ |
979 | 20.2k | FlagPacketFlow(p, f, STREAM_TOSERVER); |
980 | 20.2k | FlagPacketFlow(p, f, STREAM_TOCLIENT); |
981 | 183k | } else { |
982 | 183k | SCLogDebug("data (len %" PRIu32 " ), alproto " |
983 | 183k | "%"PRIu16" (flow %p)", p->payload_len, f->alproto, f); |
984 | | |
985 | | /* run the parser */ |
986 | 183k | PACKET_PROFILING_APP_START(tctx, f->alproto); |
987 | 183k | r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto, |
988 | 183k | flags, p->payload, p->payload_len); |
989 | 183k | PACKET_PROFILING_APP_END(tctx, f->alproto); |
990 | 183k | PACKET_PROFILING_APP_STORE(tctx, p); |
991 | 183k | p->app_update_direction = (uint8_t)UPDATE_DIR_PACKET; |
992 | 183k | } |
993 | 203k | if (r < 0) { |
994 | 33.7k | ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR); |
995 | 33.7k | AppLayerIncrErrorExcPolicyCounter(tv, f, g_applayerparser_error_policy); |
996 | 33.7k | SCReturnInt(-1); |
997 | 33.7k | } |
998 | | |
999 | 203k | SCReturnInt(r); |
1000 | 203k | } |
1001 | | |
1002 | | /***** Utility *****/ |
1003 | | |
1004 | | AppProto AppLayerGetProtoByName(char *alproto_name) |
1005 | 1.36M | { |
1006 | 1.36M | SCEnter(); |
1007 | 1.36M | AppProto r = AppLayerProtoDetectGetProtoByName(alproto_name); |
1008 | 1.36M | SCReturnCT(r, "AppProto"); |
1009 | 1.36M | } |
1010 | | |
1011 | | const char *AppLayerGetProtoName(AppProto alproto) |
1012 | 418k | { |
1013 | 418k | SCEnter(); |
1014 | 418k | const char * r = AppLayerProtoDetectGetProtoName(alproto); |
1015 | 418k | SCReturnCT(r, "char *"); |
1016 | 418k | } |
1017 | | |
1018 | | void AppLayerListSupportedProtocols(void) |
1019 | 0 | { |
1020 | 0 | SCEnter(); |
1021 | |
|
1022 | 0 | AppProto alproto; |
1023 | 0 | AppProto alprotos[ALPROTO_MAX]; |
1024 | |
|
1025 | 0 | AppLayerProtoDetectSupportedAppProtocols(alprotos); |
1026 | |
|
1027 | 0 | printf("=========Supported App Layer Protocols=========\n"); |
1028 | 0 | for (alproto = 0; alproto < ALPROTO_MAX; alproto++) { |
1029 | 0 | if (alprotos[alproto] == 1) |
1030 | 0 | printf("%s\n", AppLayerGetProtoName(alproto)); |
1031 | 0 | } |
1032 | |
|
1033 | 0 | SCReturn; |
1034 | 0 | } |
1035 | | |
1036 | | /***** Setup/General Registration *****/ |
1037 | | |
1038 | | int AppLayerSetup(void) |
1039 | 73 | { |
1040 | 73 | SCEnter(); |
1041 | | |
1042 | 73 | AppLayerProtoDetectSetup(); |
1043 | 73 | AppLayerParserSetup(); |
1044 | | |
1045 | 73 | AppLayerParserRegisterProtocolParsers(); |
1046 | 73 | AppLayerProtoDetectPrepareState(); |
1047 | | |
1048 | 73 | AppLayerSetupCounters(); |
1049 | | |
1050 | 73 | SCReturnInt(0); |
1051 | 73 | } |
1052 | | |
1053 | | int AppLayerDeSetup(void) |
1054 | 0 | { |
1055 | 0 | SCEnter(); |
1056 | |
|
1057 | 0 | AppLayerProtoDetectDeSetup(); |
1058 | 0 | AppLayerParserDeSetup(); |
1059 | |
|
1060 | 0 | AppLayerDeSetupCounters(); |
1061 | |
|
1062 | 0 | SCReturnInt(0); |
1063 | 0 | } |
1064 | | |
1065 | | AppLayerThreadCtx *AppLayerGetCtxThread(ThreadVars *tv) |
1066 | 14 | { |
1067 | 14 | SCEnter(); |
1068 | | |
1069 | 14 | AppLayerThreadCtx *app_tctx = SCMalloc(sizeof(*app_tctx)); |
1070 | 14 | if (app_tctx == NULL) |
1071 | 0 | goto error; |
1072 | 14 | memset(app_tctx, 0, sizeof(*app_tctx)); |
1073 | | |
1074 | 14 | if ((app_tctx->alpd_tctx = AppLayerProtoDetectGetCtxThread()) == NULL) |
1075 | 0 | goto error; |
1076 | 14 | if ((app_tctx->alp_tctx = AppLayerParserThreadCtxAlloc()) == NULL) |
1077 | 0 | goto error; |
1078 | | |
1079 | 14 | goto done; |
1080 | 14 | error: |
1081 | 0 | AppLayerDestroyCtxThread(app_tctx); |
1082 | 0 | app_tctx = NULL; |
1083 | 14 | done: |
1084 | 14 | SCReturnPtr(app_tctx, "void *"); |
1085 | 0 | } |
1086 | | |
1087 | | void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx) |
1088 | 0 | { |
1089 | 0 | SCEnter(); |
1090 | |
|
1091 | 0 | if (app_tctx == NULL) |
1092 | 0 | SCReturn; |
1093 | | |
1094 | 0 | if (app_tctx->alpd_tctx != NULL) |
1095 | 0 | AppLayerProtoDetectDestroyCtxThread(app_tctx->alpd_tctx); |
1096 | 0 | if (app_tctx->alp_tctx != NULL) |
1097 | 0 | AppLayerParserThreadCtxFree(app_tctx->alp_tctx); |
1098 | 0 | SCFree(app_tctx); |
1099 | |
|
1100 | 0 | SCReturn; |
1101 | 0 | } |
1102 | | |
1103 | | #ifdef PROFILING |
1104 | | void AppLayerProfilingResetInternal(AppLayerThreadCtx *app_tctx) |
1105 | | { |
1106 | | PACKET_PROFILING_APP_RESET(app_tctx); |
1107 | | } |
1108 | | |
1109 | | void AppLayerProfilingStoreInternal(AppLayerThreadCtx *app_tctx, Packet *p) |
1110 | | { |
1111 | | PACKET_PROFILING_APP_STORE(app_tctx, p); |
1112 | | } |
1113 | | #endif |
1114 | | |
1115 | | /** \brief HACK to work around our broken unix manager (re)init loop |
1116 | | */ |
1117 | | void AppLayerRegisterGlobalCounters(void) |
1118 | 71 | { |
1119 | 71 | StatsRegisterGlobalCounter("http.memuse", HTPMemuseGlobalCounter); |
1120 | 71 | StatsRegisterGlobalCounter("http.memcap", HTPMemcapGlobalCounter); |
1121 | 71 | StatsRegisterGlobalCounter("ftp.memuse", FTPMemuseGlobalCounter); |
1122 | 71 | StatsRegisterGlobalCounter("ftp.memcap", FTPMemcapGlobalCounter); |
1123 | 71 | StatsRegisterGlobalCounter("app_layer.expectations", ExpectationGetCounter); |
1124 | 71 | } |
1125 | | |
1126 | | static bool IsAppLayerErrorExceptionPolicyStatsValid(enum ExceptionPolicy policy) |
1127 | 0 | { |
1128 | 0 | if (EngineModeIsIPS()) { |
1129 | 0 | return app_layer_error_eps_stats.valid_settings_ips[policy]; |
1130 | 0 | } |
1131 | 0 | return app_layer_error_eps_stats.valid_settings_ids[policy]; |
1132 | 0 | } |
1133 | | |
1134 | | static void AppLayerSetupExceptionPolicyPerProtoCounters( |
1135 | | uint8_t ipproto_map, AppProto alproto, const char *alproto_str, const char *ipproto_suffix) |
1136 | 4.77k | { |
1137 | 4.77k | if (g_stats_eps_per_app_proto_errors && |
1138 | 0 | g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) { |
1139 | 0 | for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) { |
1140 | 0 | if (IsAppLayerErrorExceptionPolicyStatsValid(i)) { |
1141 | 0 | snprintf(applayer_counter_names[ipproto_map][alproto].eps_name[i], |
1142 | 0 | sizeof(applayer_counter_names[ipproto_map][alproto].eps_name[i]), |
1143 | 0 | "app_layer.error.%s%s.exception_policy.%s", alproto_str, ipproto_suffix, |
1144 | 0 | ExceptionPolicyEnumToString(i, true)); |
1145 | 0 | } |
1146 | 0 | } |
1147 | 0 | } |
1148 | 4.77k | } |
1149 | | |
1150 | 105 | #define IPPROTOS_MAX 2 |
1151 | | void AppLayerSetupCounters(void) |
1152 | 33 | { |
1153 | 33 | const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP }; |
1154 | 33 | AppProto alprotos[ALPROTO_MAX]; |
1155 | 33 | const char *str = "app_layer.flow."; |
1156 | 33 | const char *estr = "app_layer.error."; |
1157 | | |
1158 | | /* We don't log stats counters if exception policy is `ignore`/`not set` */ |
1159 | 33 | if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET && g_eps_stats_counters) { |
1160 | | /* Register global counters for app layer error exception policy summary */ |
1161 | 0 | const char *eps_default_str = "exception_policy.app_layer.error."; |
1162 | 0 | for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) { |
1163 | 0 | if (IsAppLayerErrorExceptionPolicyStatsValid(i)) { |
1164 | 0 | snprintf(app_layer_error_eps_stats.eps_name[i], |
1165 | 0 | sizeof(app_layer_error_eps_stats.eps_name[i]), "%s%s", eps_default_str, |
1166 | 0 | ExceptionPolicyEnumToString(i, true)); |
1167 | 0 | } |
1168 | 0 | } |
1169 | 0 | } |
1170 | | |
1171 | 33 | AppLayerProtoDetectSupportedAppProtocols(alprotos); |
1172 | | |
1173 | 99 | for (uint8_t p = 0; p < IPPROTOS_MAX; p++) { |
1174 | 66 | const uint8_t ipproto = ipprotos[p]; |
1175 | 66 | const uint8_t ipproto_map = FlowGetProtoMapping(ipproto); |
1176 | 66 | const uint8_t other_ipproto = ipproto == IPPROTO_TCP ? IPPROTO_UDP : IPPROTO_TCP; |
1177 | 66 | const char *ipproto_suffix = (ipproto == IPPROTO_TCP) ? "_tcp" : "_udp"; |
1178 | | |
1179 | 2.37k | for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) { |
1180 | 2.31k | if (alprotos[alproto] == 1) { |
1181 | 1.97k | const char *tx_str = "app_layer.tx."; |
1182 | 1.97k | const char *alproto_str = AppLayerGetProtoName(alproto); |
1183 | | |
1184 | 1.97k | if (AppLayerParserProtoIsRegistered(ipproto, alproto) && |
1185 | 1.11k | AppLayerParserProtoIsRegistered(other_ipproto, alproto)) { |
1186 | 328 | snprintf(applayer_counter_names[ipproto_map][alproto].name, |
1187 | 328 | sizeof(applayer_counter_names[ipproto_map][alproto].name), |
1188 | 328 | "%s%s%s", str, alproto_str, ipproto_suffix); |
1189 | 328 | snprintf(applayer_counter_names[ipproto_map][alproto].tx_name, |
1190 | 328 | sizeof(applayer_counter_names[ipproto_map][alproto].tx_name), |
1191 | 328 | "%s%s%s", tx_str, alproto_str, ipproto_suffix); |
1192 | | |
1193 | 328 | if (ipproto == IPPROTO_TCP) { |
1194 | 164 | snprintf(applayer_counter_names[ipproto_map][alproto].gap_error, |
1195 | 164 | sizeof(applayer_counter_names[ipproto_map][alproto].gap_error), |
1196 | 164 | "%s%s%s.gap", estr, alproto_str, ipproto_suffix); |
1197 | 164 | } |
1198 | 328 | snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error, |
1199 | 328 | sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error), |
1200 | 328 | "%s%s%s.alloc", estr, alproto_str, ipproto_suffix); |
1201 | 328 | snprintf(applayer_counter_names[ipproto_map][alproto].parser_error, |
1202 | 328 | sizeof(applayer_counter_names[ipproto_map][alproto].parser_error), |
1203 | 328 | "%s%s%s.parser", estr, alproto_str, ipproto_suffix); |
1204 | 328 | snprintf(applayer_counter_names[ipproto_map][alproto].internal_error, |
1205 | 328 | sizeof(applayer_counter_names[ipproto_map][alproto].internal_error), |
1206 | 328 | "%s%s%s.internal", estr, alproto_str, ipproto_suffix); |
1207 | | |
1208 | 328 | AppLayerSetupExceptionPolicyPerProtoCounters( |
1209 | 328 | ipproto_map, alproto, alproto_str, ipproto_suffix); |
1210 | 1.65k | } else { |
1211 | 1.65k | snprintf(applayer_counter_names[ipproto_map][alproto].name, |
1212 | 1.65k | sizeof(applayer_counter_names[ipproto_map][alproto].name), |
1213 | 1.65k | "%s%s", str, alproto_str); |
1214 | 1.65k | snprintf(applayer_counter_names[ipproto_map][alproto].tx_name, |
1215 | 1.65k | sizeof(applayer_counter_names[ipproto_map][alproto].tx_name), |
1216 | 1.65k | "%s%s", tx_str, alproto_str); |
1217 | | |
1218 | 1.65k | if (ipproto == IPPROTO_TCP) { |
1219 | 825 | snprintf(applayer_counter_names[ipproto_map][alproto].gap_error, |
1220 | 825 | sizeof(applayer_counter_names[ipproto_map][alproto].gap_error), |
1221 | 825 | "%s%s.gap", estr, alproto_str); |
1222 | 825 | } |
1223 | 1.65k | snprintf(applayer_counter_names[ipproto_map][alproto].alloc_error, |
1224 | 1.65k | sizeof(applayer_counter_names[ipproto_map][alproto].alloc_error), |
1225 | 1.65k | "%s%s.alloc", estr, alproto_str); |
1226 | 1.65k | snprintf(applayer_counter_names[ipproto_map][alproto].parser_error, |
1227 | 1.65k | sizeof(applayer_counter_names[ipproto_map][alproto].parser_error), |
1228 | 1.65k | "%s%s.parser", estr, alproto_str); |
1229 | 1.65k | snprintf(applayer_counter_names[ipproto_map][alproto].internal_error, |
1230 | 1.65k | sizeof(applayer_counter_names[ipproto_map][alproto].internal_error), |
1231 | 1.65k | "%s%s.internal", estr, alproto_str); |
1232 | 1.65k | AppLayerSetupExceptionPolicyPerProtoCounters( |
1233 | 1.65k | ipproto_map, alproto, alproto_str, ""); |
1234 | 1.65k | } |
1235 | 1.97k | } else if (alproto == ALPROTO_FAILED) { |
1236 | 66 | snprintf(applayer_counter_names[ipproto_map][alproto].name, |
1237 | 66 | sizeof(applayer_counter_names[ipproto_map][alproto].name), |
1238 | 66 | "%s%s%s", str, "failed", ipproto_suffix); |
1239 | 66 | if (ipproto == IPPROTO_TCP) { |
1240 | 33 | snprintf(applayer_counter_names[ipproto_map][alproto].gap_error, |
1241 | 33 | sizeof(applayer_counter_names[ipproto_map][alproto].gap_error), |
1242 | 33 | "%sfailed%s.gap", estr, ipproto_suffix); |
1243 | 33 | } |
1244 | 66 | } |
1245 | 2.31k | } |
1246 | 66 | } |
1247 | 33 | } |
1248 | | |
1249 | | void AppLayerRegisterThreadCounters(ThreadVars *tv) |
1250 | 2 | { |
1251 | 2 | const uint8_t ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP }; |
1252 | 2 | AppProto alprotos[ALPROTO_MAX]; |
1253 | 2 | AppLayerProtoDetectSupportedAppProtocols(alprotos); |
1254 | | |
1255 | | /* We don't log stats counters if exception policy is `ignore`/`not set` */ |
1256 | 2 | if (g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET && g_eps_stats_counters) { |
1257 | | /* Register global counters for app layer error exception policy summary */ |
1258 | 0 | for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; i < EXCEPTION_POLICY_MAX; i++) { |
1259 | 0 | if (IsAppLayerErrorExceptionPolicyStatsValid(i)) { |
1260 | 0 | eps_error_summary.eps_id[i] = |
1261 | 0 | StatsRegisterCounter(app_layer_error_eps_stats.eps_name[i], tv); |
1262 | 0 | } |
1263 | 0 | } |
1264 | 0 | } |
1265 | | |
1266 | 6 | for (uint8_t p = 0; p < IPPROTOS_MAX; p++) { |
1267 | 4 | const uint8_t ipproto = ipprotos[p]; |
1268 | 4 | const uint8_t ipproto_map = FlowGetProtoMapping(ipproto); |
1269 | | |
1270 | 144 | for (AppProto alproto = 0; alproto < ALPROTO_MAX; alproto++) { |
1271 | 140 | if (alprotos[alproto] == 1) { |
1272 | 120 | applayer_counters[ipproto_map][alproto].counter_id = |
1273 | 120 | StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv); |
1274 | | |
1275 | 120 | applayer_counters[ipproto_map][alproto].counter_tx_id = |
1276 | 120 | StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].tx_name, tv); |
1277 | | |
1278 | 120 | if (ipproto == IPPROTO_TCP) { |
1279 | 60 | applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter( |
1280 | 60 | applayer_counter_names[ipproto_map][alproto].gap_error, tv); |
1281 | 60 | } |
1282 | 120 | applayer_counters[ipproto_map][alproto].alloc_error_id = StatsRegisterCounter( |
1283 | 120 | applayer_counter_names[ipproto_map][alproto].alloc_error, tv); |
1284 | 120 | applayer_counters[ipproto_map][alproto].parser_error_id = StatsRegisterCounter( |
1285 | 120 | applayer_counter_names[ipproto_map][alproto].parser_error, tv); |
1286 | 120 | applayer_counters[ipproto_map][alproto].internal_error_id = StatsRegisterCounter( |
1287 | 120 | applayer_counter_names[ipproto_map][alproto].internal_error, tv); |
1288 | | /* We don't log stats counters if exception policy is `ignore`/`not set` */ |
1289 | 120 | if (g_stats_eps_per_app_proto_errors && |
1290 | 0 | g_applayerparser_error_policy != EXCEPTION_POLICY_NOT_SET) { |
1291 | 0 | for (enum ExceptionPolicy i = EXCEPTION_POLICY_NOT_SET + 1; |
1292 | 0 | i < EXCEPTION_POLICY_MAX; i++) { |
1293 | 0 | if (IsAppLayerErrorExceptionPolicyStatsValid(i)) { |
1294 | 0 | applayer_counters[ipproto_map][alproto] |
1295 | 0 | .eps_error.eps_id[i] = StatsRegisterCounter( |
1296 | 0 | applayer_counter_names[ipproto_map][alproto].eps_name[i], tv); |
1297 | 0 | } |
1298 | 0 | } |
1299 | 0 | } |
1300 | 120 | } else if (alproto == ALPROTO_FAILED) { |
1301 | 4 | applayer_counters[ipproto_map][alproto].counter_id = |
1302 | 4 | StatsRegisterCounter(applayer_counter_names[ipproto_map][alproto].name, tv); |
1303 | | |
1304 | 4 | if (ipproto == IPPROTO_TCP) { |
1305 | 2 | applayer_counters[ipproto_map][alproto].gap_error_id = StatsRegisterCounter( |
1306 | 2 | applayer_counter_names[ipproto_map][alproto].gap_error, tv); |
1307 | 2 | } |
1308 | 4 | } |
1309 | 140 | } |
1310 | 4 | } |
1311 | 2 | } |
1312 | | |
1313 | | void AppLayerDeSetupCounters(void) |
1314 | 0 | { |
1315 | 0 | memset(applayer_counter_names, 0, sizeof(applayer_counter_names)); |
1316 | 0 | memset(applayer_counters, 0, sizeof(applayer_counters)); |
1317 | 0 | } |
1318 | | |
1319 | | /***** Unittests *****/ |
1320 | | |
1321 | | #ifdef UNITTESTS |
1322 | | #include "pkt-var.h" |
1323 | | #include "stream-tcp-util.h" |
1324 | | #include "stream.h" |
1325 | | #include "util-unittest.h" |
1326 | | |
1327 | | #define TEST_START \ |
1328 | | Packet *p = PacketGetFromAlloc(); \ |
1329 | | FAIL_IF_NULL(p); \ |
1330 | | Flow f; \ |
1331 | | ThreadVars tv; \ |
1332 | | StreamTcpThread *stt = NULL; \ |
1333 | | TCPHdr tcph; \ |
1334 | | PacketQueueNoLock pq; \ |
1335 | | memset(&pq, 0, sizeof(PacketQueueNoLock)); \ |
1336 | | memset(&f, 0, sizeof(Flow)); \ |
1337 | | memset(&tv, 0, sizeof(ThreadVars)); \ |
1338 | | memset(&tcph, 0, sizeof(TCPHdr)); \ |
1339 | | \ |
1340 | | FLOW_INITIALIZE(&f); \ |
1341 | | f.flags = FLOW_IPV4; \ |
1342 | | f.proto = IPPROTO_TCP; \ |
1343 | | p->flow = &f; \ |
1344 | | p->tcph = &tcph; \ |
1345 | | \ |
1346 | | StreamTcpInitConfig(true); \ |
1347 | | IPPairInitConfig(true); \ |
1348 | | StreamTcpThreadInit(&tv, NULL, (void **)&stt); \ |
1349 | | \ |
1350 | | /* handshake */ \ |
1351 | | tcph.th_win = htons(5480); \ |
1352 | | tcph.th_flags = TH_SYN; \ |
1353 | | p->flowflags = FLOW_PKT_TOSERVER; \ |
1354 | | p->payload_len = 0; \ |
1355 | | p->payload = NULL; \ |
1356 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \ |
1357 | | TcpSession *ssn = (TcpSession *)f.protoctx; \ |
1358 | | \ |
1359 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \ |
1360 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \ |
1361 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \ |
1362 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \ |
1363 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \ |
1364 | | FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \ |
1365 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \ |
1366 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \ |
1367 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \ |
1368 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \ |
1369 | | FAIL_IF(ssn->data_first_seen_dir != 0); \ |
1370 | | \ |
1371 | | /* handshake */ \ |
1372 | | p->tcph->th_ack = htonl(1); \ |
1373 | | p->tcph->th_flags = TH_SYN | TH_ACK; \ |
1374 | | p->flowflags = FLOW_PKT_TOCLIENT; \ |
1375 | | p->payload_len = 0; \ |
1376 | | p->payload = NULL; \ |
1377 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \ |
1378 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \ |
1379 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \ |
1380 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \ |
1381 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \ |
1382 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \ |
1383 | | FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \ |
1384 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \ |
1385 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \ |
1386 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \ |
1387 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \ |
1388 | | FAIL_IF(ssn->data_first_seen_dir != 0); \ |
1389 | | \ |
1390 | | /* handshake */ \ |
1391 | | p->tcph->th_ack = htonl(1); \ |
1392 | | p->tcph->th_seq = htonl(1); \ |
1393 | | p->tcph->th_flags = TH_ACK; \ |
1394 | | p->flowflags = FLOW_PKT_TOSERVER; \ |
1395 | | p->payload_len = 0; \ |
1396 | | p->payload = NULL; \ |
1397 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); \ |
1398 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); \ |
1399 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); \ |
1400 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); \ |
1401 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); \ |
1402 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); \ |
1403 | | FAIL_IF(ssn->flags &STREAMTCP_FLAG_APP_LAYER_DISABLED); \ |
1404 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); \ |
1405 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); \ |
1406 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); \ |
1407 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); \ |
1408 | | FAIL_IF(ssn->data_first_seen_dir != 0); |
1409 | | #define TEST_END \ |
1410 | | StreamTcpSessionClear(p->flow->protoctx); \ |
1411 | | StreamTcpThreadDeinit(&tv, (void *)stt); \ |
1412 | | StreamTcpFreeConfig(true); \ |
1413 | | PacketFree(p); \ |
1414 | | FLOW_DESTROY(&f); \ |
1415 | | StatsThreadCleanup(&tv); |
1416 | | |
1417 | | /** |
1418 | | * \test GET -> HTTP/1.1 |
1419 | | */ |
1420 | | static int AppLayerTest01(void) |
1421 | | { |
1422 | | TEST_START; |
1423 | | |
1424 | | /* full request */ |
1425 | | uint8_t request[] = { |
1426 | | 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
1427 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
1428 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
1429 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
1430 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
1431 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
1432 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
1433 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
1434 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
1435 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
1436 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
1437 | | p->tcph->th_ack = htonl(1); |
1438 | | p->tcph->th_seq = htonl(1); |
1439 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1440 | | p->flowflags = FLOW_PKT_TOSERVER; |
1441 | | p->payload_len = sizeof(request); |
1442 | | p->payload = request; |
1443 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1444 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1445 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1446 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
1447 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
1448 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1449 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1450 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1451 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1452 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1453 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1454 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
1455 | | |
1456 | | /* full response - request ack */ |
1457 | | uint8_t response[] = { |
1458 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
1459 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
1460 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
1461 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
1462 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
1463 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
1464 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
1465 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
1466 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
1467 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
1468 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
1469 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
1470 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
1471 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
1472 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
1473 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
1474 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
1475 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
1476 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
1477 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
1478 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
1479 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
1480 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
1481 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
1482 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
1483 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
1484 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
1485 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
1486 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
1487 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
1488 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
1489 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
1490 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
1491 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
1492 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
1493 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
1494 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
1495 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
1496 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
1497 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
1498 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
1499 | | p->tcph->th_ack = htonl(88); |
1500 | | p->tcph->th_seq = htonl(1); |
1501 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1502 | | p->flowflags = FLOW_PKT_TOCLIENT; |
1503 | | p->payload_len = sizeof(response); |
1504 | | p->payload = response; |
1505 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1506 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1507 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1508 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
1509 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
1510 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1511 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1512 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1513 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1514 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1515 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1516 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
1517 | | |
1518 | | /* response ack */ |
1519 | | p->tcph->th_ack = htonl(328); |
1520 | | p->tcph->th_seq = htonl(88); |
1521 | | p->tcph->th_flags = TH_ACK; |
1522 | | p->flowflags = FLOW_PKT_TOSERVER; |
1523 | | p->payload_len = 0; |
1524 | | p->payload = NULL; |
1525 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1526 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1527 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1528 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
1529 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
1530 | | FAIL_IF(f.alproto_tc != ALPROTO_HTTP1); |
1531 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1532 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1533 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1534 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1535 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1536 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
1537 | | |
1538 | | TEST_END; |
1539 | | PASS; |
1540 | | } |
1541 | | |
1542 | | /** |
1543 | | * \test GE -> T -> HTTP/1.1 |
1544 | | */ |
1545 | | static int AppLayerTest02(void) |
1546 | | { |
1547 | | TEST_START; |
1548 | | |
1549 | | /* partial request */ |
1550 | | uint8_t request1[] = { 0x47, 0x45, }; |
1551 | | p->tcph->th_ack = htonl(1); |
1552 | | p->tcph->th_seq = htonl(1); |
1553 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1554 | | p->flowflags = FLOW_PKT_TOSERVER; |
1555 | | p->payload_len = sizeof(request1); |
1556 | | p->payload = request1; |
1557 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1558 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1559 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1560 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
1561 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
1562 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1563 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1564 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1565 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1566 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1567 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1568 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
1569 | | |
1570 | | /* response ack against partial request */ |
1571 | | p->tcph->th_ack = htonl(3); |
1572 | | p->tcph->th_seq = htonl(1); |
1573 | | p->tcph->th_flags = TH_ACK; |
1574 | | p->flowflags = FLOW_PKT_TOCLIENT; |
1575 | | p->payload_len = 0; |
1576 | | p->payload = NULL; |
1577 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1578 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1579 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1580 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
1581 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
1582 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1583 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1584 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1585 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1586 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1587 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1588 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
1589 | | |
1590 | | /* complete partial request */ |
1591 | | uint8_t request2[] = { |
1592 | | 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
1593 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
1594 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
1595 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
1596 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
1597 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
1598 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
1599 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
1600 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
1601 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
1602 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
1603 | | p->tcph->th_ack = htonl(1); |
1604 | | p->tcph->th_seq = htonl(3); |
1605 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1606 | | p->flowflags = FLOW_PKT_TOSERVER; |
1607 | | p->payload_len = sizeof(request2); |
1608 | | p->payload = request2; |
1609 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1610 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1611 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1612 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
1613 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
1614 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1615 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1616 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1617 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1618 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1619 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1620 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
1621 | | |
1622 | | /* response - request ack */ |
1623 | | uint8_t response[] = { |
1624 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
1625 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
1626 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
1627 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
1628 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
1629 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
1630 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
1631 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
1632 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
1633 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
1634 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
1635 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
1636 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
1637 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
1638 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
1639 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
1640 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
1641 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
1642 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
1643 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
1644 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
1645 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
1646 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
1647 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
1648 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
1649 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
1650 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
1651 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
1652 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
1653 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
1654 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
1655 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
1656 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
1657 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
1658 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
1659 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
1660 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
1661 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
1662 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
1663 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
1664 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
1665 | | p->tcph->th_ack = htonl(88); |
1666 | | p->tcph->th_seq = htonl(1); |
1667 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1668 | | p->flowflags = FLOW_PKT_TOCLIENT; |
1669 | | p->payload_len = sizeof(response); |
1670 | | p->payload = response; |
1671 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1672 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1673 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1674 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
1675 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
1676 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1677 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1678 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1679 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1680 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1681 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1682 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
1683 | | |
1684 | | /* response ack */ |
1685 | | p->tcph->th_ack = htonl(328); |
1686 | | p->tcph->th_seq = htonl(88); |
1687 | | p->tcph->th_flags = TH_ACK; |
1688 | | p->flowflags = FLOW_PKT_TOSERVER; |
1689 | | p->payload_len = 0; |
1690 | | p->payload = NULL; |
1691 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1692 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1693 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1694 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
1695 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
1696 | | FAIL_IF(f.alproto_tc != ALPROTO_HTTP1); |
1697 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1698 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1699 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1700 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1701 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1702 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
1703 | | |
1704 | | TEST_END; |
1705 | | PASS; |
1706 | | } |
1707 | | |
1708 | | /** |
1709 | | * \test GET -> RUBBISH(PM AND PP DONE IN ONE GO) |
1710 | | */ |
1711 | | static int AppLayerTest03(void) |
1712 | | { |
1713 | | TEST_START; |
1714 | | |
1715 | | /* request */ |
1716 | | uint8_t request[] = { |
1717 | | 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
1718 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
1719 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
1720 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
1721 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
1722 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
1723 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
1724 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
1725 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
1726 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
1727 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
1728 | | p->tcph->th_ack = htonl(1); |
1729 | | p->tcph->th_seq = htonl(1); |
1730 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1731 | | p->flowflags = FLOW_PKT_TOSERVER; |
1732 | | p->payload_len = sizeof(request); |
1733 | | p->payload = request; |
1734 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1735 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1736 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1737 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
1738 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
1739 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1740 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1741 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1742 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1743 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1744 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1745 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
1746 | | |
1747 | | /* rubbish response */ |
1748 | | uint8_t response[] = { |
1749 | | 0x58, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
1750 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
1751 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
1752 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
1753 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
1754 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
1755 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
1756 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
1757 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
1758 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
1759 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
1760 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
1761 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
1762 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
1763 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
1764 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
1765 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
1766 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
1767 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
1768 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
1769 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
1770 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
1771 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
1772 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
1773 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
1774 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
1775 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
1776 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
1777 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
1778 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
1779 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
1780 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
1781 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
1782 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
1783 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
1784 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
1785 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
1786 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
1787 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
1788 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
1789 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
1790 | | p->tcph->th_ack = htonl(88); |
1791 | | p->tcph->th_seq = htonl(1); |
1792 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1793 | | p->flowflags = FLOW_PKT_TOCLIENT; |
1794 | | p->payload_len = sizeof(response); |
1795 | | p->payload = response; |
1796 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1797 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1798 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1799 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
1800 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
1801 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1802 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1803 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1804 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1805 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1806 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1807 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
1808 | | |
1809 | | /* response ack */ |
1810 | | p->tcph->th_ack = htonl(328); |
1811 | | p->tcph->th_seq = htonl(88); |
1812 | | p->tcph->th_flags = TH_ACK; |
1813 | | p->flowflags = FLOW_PKT_TOSERVER; |
1814 | | p->payload_len = 0; |
1815 | | p->payload = NULL; |
1816 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1817 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1818 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1819 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
1820 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
1821 | | FAIL_IF(f.alproto_tc != ALPROTO_FAILED); |
1822 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1823 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1824 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1825 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1826 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1827 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
1828 | | |
1829 | | TEST_END; |
1830 | | PASS; |
1831 | | } |
1832 | | |
1833 | | /** |
1834 | | * \test GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE). |
1835 | | */ |
1836 | | static int AppLayerTest04(void) |
1837 | | { |
1838 | | TEST_START; |
1839 | | |
1840 | | /* request */ |
1841 | | uint8_t request[] = { |
1842 | | 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
1843 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
1844 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
1845 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
1846 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
1847 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
1848 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
1849 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
1850 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
1851 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
1852 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
1853 | | PrintRawDataFp(stdout, request, sizeof(request)); |
1854 | | p->tcph->th_ack = htonl(1); |
1855 | | p->tcph->th_seq = htonl(1); |
1856 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1857 | | p->flowflags = FLOW_PKT_TOSERVER; |
1858 | | p->payload_len = sizeof(request); |
1859 | | p->payload = request; |
1860 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1861 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1862 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
1863 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
1864 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
1865 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1866 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1867 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1868 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1869 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1870 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1871 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); // TOSERVER data now seen |
1872 | | |
1873 | | /* partial response */ |
1874 | | uint8_t response1[] = { 0x58, 0x54, 0x54, 0x50, }; |
1875 | | PrintRawDataFp(stdout, response1, sizeof(response1)); |
1876 | | p->tcph->th_ack = htonl(88); |
1877 | | p->tcph->th_seq = htonl(1); |
1878 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1879 | | p->flowflags = FLOW_PKT_TOCLIENT; |
1880 | | p->payload_len = sizeof(response1); |
1881 | | p->payload = response1; |
1882 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1883 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1884 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete |
1885 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts |
1886 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete |
1887 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1888 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1889 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1890 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1891 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1892 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
1893 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer |
1894 | | |
1895 | | /* partial response ack */ |
1896 | | p->tcph->th_ack = htonl(5); |
1897 | | p->tcph->th_seq = htonl(88); |
1898 | | p->tcph->th_flags = TH_ACK; |
1899 | | p->flowflags = FLOW_PKT_TOSERVER; |
1900 | | p->payload_len = 0; |
1901 | | p->payload = NULL; |
1902 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1903 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1904 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete |
1905 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts |
1906 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete |
1907 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1908 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1909 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1910 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1911 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1912 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing |
1913 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer |
1914 | | |
1915 | | /* remaining response */ |
1916 | | uint8_t response2[] = { |
1917 | | 0x2f, 0x31, 0x2e, 0x31, |
1918 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
1919 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
1920 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
1921 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
1922 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
1923 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
1924 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
1925 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
1926 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
1927 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
1928 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
1929 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
1930 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
1931 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
1932 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
1933 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
1934 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
1935 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
1936 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
1937 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
1938 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
1939 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
1940 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
1941 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
1942 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
1943 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
1944 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
1945 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
1946 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
1947 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
1948 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
1949 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
1950 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
1951 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
1952 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
1953 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
1954 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
1955 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
1956 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
1957 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
1958 | | PrintRawDataFp(stdout, response2, sizeof(response2)); |
1959 | | p->tcph->th_ack = htonl(88); |
1960 | | p->tcph->th_seq = htonl(5); |
1961 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
1962 | | p->flowflags = FLOW_PKT_TOCLIENT; |
1963 | | p->payload_len = sizeof(response2); |
1964 | | p->payload = response2; |
1965 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1966 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
1967 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete |
1968 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts |
1969 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete |
1970 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
1971 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1972 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1973 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1974 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1975 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing |
1976 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer |
1977 | | |
1978 | | /* response ack */ |
1979 | | p->tcph->th_ack = htonl(328); |
1980 | | p->tcph->th_seq = htonl(88); |
1981 | | p->tcph->th_flags = TH_ACK; |
1982 | | p->flowflags = FLOW_PKT_TOSERVER; |
1983 | | p->payload_len = 0; |
1984 | | p->payload = NULL; |
1985 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
1986 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); // toclient complete (failed) |
1987 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); // toserver complete |
1988 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); // http based on ts |
1989 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); // ts complete |
1990 | | FAIL_IF(f.alproto_tc != ALPROTO_FAILED); // tc failed |
1991 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
1992 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
1993 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
1994 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
1995 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); // to client pp got nothing |
1996 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); // first data sent to applayer |
1997 | | |
1998 | | TEST_END; |
1999 | | PASS; |
2000 | | } |
2001 | | |
2002 | | /** |
2003 | | * \test RUBBISH -> HTTP/1.1 |
2004 | | */ |
2005 | | static int AppLayerTest05(void) |
2006 | | { |
2007 | | TEST_START; |
2008 | | |
2009 | | /* full request */ |
2010 | | uint8_t request[] = { |
2011 | | 0x48, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
2012 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
2013 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
2014 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
2015 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
2016 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
2017 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
2018 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
2019 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
2020 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
2021 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
2022 | | PrintRawDataFp(stdout, request, sizeof(request)); |
2023 | | p->tcph->th_ack = htonl(1); |
2024 | | p->tcph->th_seq = htonl(1); |
2025 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2026 | | p->flowflags = FLOW_PKT_TOSERVER; |
2027 | | p->payload_len = sizeof(request); |
2028 | | p->payload = request; |
2029 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2030 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2031 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2032 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2033 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2034 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2035 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2036 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2037 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2038 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2039 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2040 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2041 | | |
2042 | | /* full response - request ack */ |
2043 | | uint8_t response[] = { |
2044 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
2045 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
2046 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
2047 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
2048 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
2049 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
2050 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
2051 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
2052 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2053 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
2054 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
2055 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
2056 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
2057 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
2058 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
2059 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
2060 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
2061 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
2062 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
2063 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
2064 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
2065 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
2066 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
2067 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2068 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
2069 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
2070 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
2071 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
2072 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
2073 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
2074 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
2075 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
2076 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
2077 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
2078 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
2079 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
2080 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
2081 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
2082 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2083 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
2084 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2085 | | PrintRawDataFp(stdout, response, sizeof(response)); |
2086 | | p->tcph->th_ack = htonl(88); |
2087 | | p->tcph->th_seq = htonl(1); |
2088 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2089 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2090 | | p->payload_len = sizeof(response); |
2091 | | p->payload = response; |
2092 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2093 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2094 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2095 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2096 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2097 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2098 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2099 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2100 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2101 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2102 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2103 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2104 | | |
2105 | | /* response ack */ |
2106 | | p->tcph->th_ack = htonl(328); |
2107 | | p->tcph->th_seq = htonl(88); |
2108 | | p->tcph->th_flags = TH_ACK; |
2109 | | p->flowflags = FLOW_PKT_TOSERVER; |
2110 | | p->payload_len = 0; |
2111 | | p->payload = NULL; |
2112 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2113 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2114 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2115 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
2116 | | FAIL_IF(f.alproto_ts != ALPROTO_FAILED); |
2117 | | FAIL_IF(f.alproto_tc != ALPROTO_HTTP1); |
2118 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2119 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2120 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2121 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2122 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2123 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2124 | | |
2125 | | TEST_END; |
2126 | | PASS; |
2127 | | } |
2128 | | |
2129 | | /** |
2130 | | * \test HTTP/1.1 -> GET |
2131 | | */ |
2132 | | static int AppLayerTest06(void) |
2133 | | { |
2134 | | TEST_START; |
2135 | | |
2136 | | /* full response - request ack */ |
2137 | | uint8_t response[] = { |
2138 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
2139 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
2140 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
2141 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
2142 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
2143 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
2144 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
2145 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
2146 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2147 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
2148 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
2149 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
2150 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
2151 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
2152 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
2153 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
2154 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
2155 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
2156 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
2157 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
2158 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
2159 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
2160 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
2161 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2162 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
2163 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
2164 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
2165 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
2166 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
2167 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
2168 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
2169 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
2170 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
2171 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
2172 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
2173 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
2174 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
2175 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
2176 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2177 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
2178 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2179 | | p->tcph->th_ack = htonl(1); |
2180 | | p->tcph->th_seq = htonl(1); |
2181 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2182 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2183 | | p->payload_len = sizeof(response); |
2184 | | p->payload = response; |
2185 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2186 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2187 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2188 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2189 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2190 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2191 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2192 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2193 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2194 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2195 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2196 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOCLIENT); |
2197 | | |
2198 | | /* full request - response ack*/ |
2199 | | uint8_t request[] = { |
2200 | | 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
2201 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
2202 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
2203 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
2204 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
2205 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
2206 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
2207 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
2208 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
2209 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
2210 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
2211 | | p->tcph->th_ack = htonl(328); |
2212 | | p->tcph->th_seq = htonl(1); |
2213 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2214 | | p->flowflags = FLOW_PKT_TOSERVER; |
2215 | | p->payload_len = sizeof(request); |
2216 | | p->payload = request; |
2217 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2218 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2219 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2220 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
2221 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2222 | | FAIL_IF(f.alproto_tc != ALPROTO_HTTP1); |
2223 | | FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); |
2224 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2225 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2226 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2227 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2228 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2229 | | |
2230 | | p->tcph->th_ack = htonl(1 + sizeof(request)); |
2231 | | p->tcph->th_seq = htonl(328); |
2232 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2233 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2234 | | p->payload_len = 0; |
2235 | | p->payload = NULL; |
2236 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2237 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2238 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2239 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
2240 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
2241 | | FAIL_IF(f.alproto_tc != ALPROTO_HTTP1); |
2242 | | FAIL_IF((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); |
2243 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2244 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2245 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2246 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2247 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2248 | | |
2249 | | TEST_END; |
2250 | | PASS; |
2251 | | } |
2252 | | |
2253 | | /** |
2254 | | * \test GET -> DCERPC |
2255 | | */ |
2256 | | static int AppLayerTest07(void) |
2257 | | { |
2258 | | TEST_START; |
2259 | | |
2260 | | /* full request */ |
2261 | | uint8_t request[] = { |
2262 | | 0x47, 0x45, 0x54, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
2263 | | 0x65, 0x78, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x20, |
2264 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, |
2265 | | 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, |
2266 | | 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, |
2267 | | 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, |
2268 | | 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, |
2269 | | 0x70, 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, |
2270 | | 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
2271 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, |
2272 | | 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
2273 | | p->tcph->th_ack = htonl(1); |
2274 | | p->tcph->th_seq = htonl(1); |
2275 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2276 | | p->flowflags = FLOW_PKT_TOSERVER; |
2277 | | p->payload_len = sizeof(request); |
2278 | | p->payload = request; |
2279 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2280 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2281 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2282 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2283 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2284 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2285 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2286 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2287 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2288 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2289 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2290 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2291 | | |
2292 | | /* full response - request ack */ |
2293 | | uint8_t response[] = { 0x05, 0x00, 0x4d, 0x42, 0x00, 0x01, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30, |
2294 | | 0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, 0x72, 0x69, 0x2c, |
2295 | | 0x20, 0x32, 0x33, 0x20, 0x53, 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, 0x30, 0x36, |
2296 | | 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, 0x72, |
2297 | | 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2298 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, |
2299 | | 0x32, 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, |
2300 | | 0x64, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, 0x20, 0x4e, 0x6f, 0x76, 0x20, |
2301 | | 0x32, 0x30, 0x31, 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, 0x34, 0x36, 0x20, 0x47, |
2302 | | 0x4d, 0x54, 0x0d, 0x0a, 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, 0x62, 0x38, 0x39, |
2303 | | 0x36, 0x35, 0x2d, 0x32, 0x63, 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, 0x37, 0x66, |
2304 | | 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52, |
2305 | | 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2306 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, |
2307 | | 0x34, 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, |
2308 | | 0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, |
2309 | | 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, |
2310 | | 0x6c, 0x0d, 0x0a, 0x58, 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, 0x6f, 0x69, 0x64, |
2311 | | 0x20, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, 0x0a, 0x0d, |
2312 | | 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x68, |
2313 | | 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2314 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2315 | | p->tcph->th_ack = htonl(88); |
2316 | | p->tcph->th_seq = htonl(1); |
2317 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2318 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2319 | | p->payload_len = sizeof(response); |
2320 | | p->payload = response; |
2321 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2322 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2323 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2324 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
2325 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
2326 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2327 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2328 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2329 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2330 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2331 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2332 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2333 | | |
2334 | | /* response ack */ |
2335 | | p->tcph->th_ack = htonl(328); |
2336 | | p->tcph->th_seq = htonl(88); |
2337 | | p->tcph->th_flags = TH_ACK; |
2338 | | p->flowflags = FLOW_PKT_TOSERVER; |
2339 | | p->payload_len = 0; |
2340 | | p->payload = NULL; |
2341 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2342 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2343 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2344 | | FAIL_IF(f.alproto != ALPROTO_HTTP1); |
2345 | | FAIL_IF(f.alproto_ts != ALPROTO_HTTP1); |
2346 | | FAIL_IF(f.alproto_tc != ALPROTO_DCERPC); |
2347 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2348 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2349 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2350 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2351 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2352 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2353 | | |
2354 | | TEST_END; |
2355 | | PASS; |
2356 | | } |
2357 | | |
2358 | | /** |
2359 | | * \test SMB -> HTTP/1.1 |
2360 | | */ |
2361 | | static int AppLayerTest08(void) |
2362 | | { |
2363 | | TEST_START; |
2364 | | |
2365 | | /* full request */ |
2366 | | uint8_t request[] = { 0x05, 0x00, 0x54, 0x20, 0x00, 0x01, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x68, |
2367 | | 0x74, 0x6d, 0x6c, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, 0x48, |
2368 | | 0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x0d, |
2369 | | 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x41, 0x70, |
2370 | | 0x61, 0x63, 0x68, 0x65, 0x42, 0x65, 0x6e, 0x63, 0x68, 0x2f, 0x32, 0x2e, 0x33, 0x0d, 0x0a, |
2371 | | 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f, 0x2a, 0x0d, 0x0a, 0x0d, 0x0a }; |
2372 | | p->tcph->th_ack = htonl(1); |
2373 | | p->tcph->th_seq = htonl(1); |
2374 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2375 | | p->flowflags = FLOW_PKT_TOSERVER; |
2376 | | p->payload_len = sizeof(request); |
2377 | | p->payload = request; |
2378 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2379 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2380 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2381 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2382 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2383 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2384 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2385 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2386 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2387 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2388 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2389 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2390 | | |
2391 | | /* full response - request ack */ |
2392 | | uint8_t response[] = { |
2393 | | 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
2394 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
2395 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
2396 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
2397 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
2398 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
2399 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
2400 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
2401 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2402 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
2403 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
2404 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
2405 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
2406 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
2407 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
2408 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
2409 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
2410 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
2411 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
2412 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
2413 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
2414 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
2415 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
2416 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2417 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
2418 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
2419 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
2420 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
2421 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
2422 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
2423 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
2424 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
2425 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
2426 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
2427 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
2428 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
2429 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
2430 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
2431 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2432 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
2433 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2434 | | p->tcph->th_ack = htonl(88); |
2435 | | p->tcph->th_seq = htonl(1); |
2436 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2437 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2438 | | p->payload_len = sizeof(response); |
2439 | | p->payload = response; |
2440 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2441 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2442 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2443 | | FAIL_IF(f.alproto != ALPROTO_DCERPC); |
2444 | | FAIL_IF(f.alproto_ts != ALPROTO_DCERPC); |
2445 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2446 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2447 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2448 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2449 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2450 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2451 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2452 | | |
2453 | | /* response ack */ |
2454 | | p->tcph->th_ack = htonl(328); |
2455 | | p->tcph->th_seq = htonl(88); |
2456 | | p->tcph->th_flags = TH_ACK; |
2457 | | p->flowflags = FLOW_PKT_TOSERVER; |
2458 | | p->payload_len = 0; |
2459 | | p->payload = NULL; |
2460 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2461 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2462 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2463 | | FAIL_IF(f.alproto != ALPROTO_DCERPC); |
2464 | | FAIL_IF(f.alproto_ts != ALPROTO_DCERPC); |
2465 | | FAIL_IF(f.alproto_tc != ALPROTO_HTTP1); |
2466 | | FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); |
2467 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2468 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2469 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2470 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2471 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2472 | | |
2473 | | TEST_END; |
2474 | | PASS; |
2475 | | } |
2476 | | |
2477 | | /** |
2478 | | * \test RUBBISH(TC - PM and PP NOT DONE) -> |
2479 | | * RUBBISH(TC - PM and PP DONE) -> |
2480 | | * RUBBISH(TS - PM and PP DONE) |
2481 | | */ |
2482 | | static int AppLayerTest09(void) |
2483 | | { |
2484 | | TEST_START; |
2485 | | |
2486 | | /* full request */ |
2487 | | uint8_t request1[] = { |
2488 | | 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64 }; |
2489 | | p->tcph->th_ack = htonl(1); |
2490 | | p->tcph->th_seq = htonl(1); |
2491 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2492 | | p->flowflags = FLOW_PKT_TOSERVER; |
2493 | | p->payload_len = sizeof(request1); |
2494 | | p->payload = request1; |
2495 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2496 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2497 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2498 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2499 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2500 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2501 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2502 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2503 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2504 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2505 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2506 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2507 | | |
2508 | | /* response - request ack */ |
2509 | | p->tcph->th_ack = htonl(9); |
2510 | | p->tcph->th_seq = htonl(1); |
2511 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2512 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2513 | | p->payload_len = 0; |
2514 | | p->payload = NULL; |
2515 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2516 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2517 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2518 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2519 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2520 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2521 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2522 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2523 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2524 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2525 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2526 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2527 | | |
2528 | | /* full request */ |
2529 | | uint8_t request2[] = { |
2530 | | 0x44, 0x44, 0x45, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff }; |
2531 | | p->tcph->th_ack = htonl(1); |
2532 | | p->tcph->th_seq = htonl(9); |
2533 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2534 | | p->flowflags = FLOW_PKT_TOSERVER; |
2535 | | p->payload_len = sizeof(request2); |
2536 | | p->payload = request2; |
2537 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2538 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2539 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2540 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2541 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2542 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2543 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2544 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2545 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2546 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2547 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2548 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2549 | | |
2550 | | /* full response - request ack */ |
2551 | | uint8_t response[] = { |
2552 | | 0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
2553 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
2554 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
2555 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
2556 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
2557 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
2558 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
2559 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
2560 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2561 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
2562 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
2563 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
2564 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
2565 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
2566 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
2567 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
2568 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
2569 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
2570 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
2571 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
2572 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
2573 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
2574 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
2575 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2576 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
2577 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
2578 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
2579 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
2580 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
2581 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
2582 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
2583 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
2584 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
2585 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
2586 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
2587 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
2588 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
2589 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
2590 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2591 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
2592 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2593 | | p->tcph->th_ack = htonl(18); |
2594 | | p->tcph->th_seq = htonl(1); |
2595 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2596 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2597 | | p->payload_len = sizeof(response); |
2598 | | p->payload = response; |
2599 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2600 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2601 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2602 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2603 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2604 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2605 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2606 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2607 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2608 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2609 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2610 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2611 | | |
2612 | | /* response ack */ |
2613 | | p->tcph->th_ack = htonl(328); |
2614 | | p->tcph->th_seq = htonl(18); |
2615 | | p->tcph->th_flags = TH_ACK; |
2616 | | p->flowflags = FLOW_PKT_TOSERVER; |
2617 | | p->payload_len = 0; |
2618 | | p->payload = NULL; |
2619 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2620 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2621 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2622 | | FAIL_IF(f.alproto != ALPROTO_FAILED); |
2623 | | FAIL_IF(f.alproto_ts != ALPROTO_FAILED); |
2624 | | FAIL_IF(f.alproto_tc != ALPROTO_FAILED); |
2625 | | FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); |
2626 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2627 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2628 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2629 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2630 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2631 | | |
2632 | | TEST_END; |
2633 | | PASS; |
2634 | | } |
2635 | | |
2636 | | /** |
2637 | | * \test RUBBISH(TC - PM and PP DONE) -> |
2638 | | * RUBBISH(TS - PM and PP DONE) |
2639 | | */ |
2640 | | static int AppLayerTest10(void) |
2641 | | { |
2642 | | TEST_START; |
2643 | | |
2644 | | /* full request */ |
2645 | | uint8_t request1[] = { |
2646 | | 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
2647 | | 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff }; |
2648 | | p->tcph->th_ack = htonl(1); |
2649 | | p->tcph->th_seq = htonl(1); |
2650 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2651 | | p->flowflags = FLOW_PKT_TOSERVER; |
2652 | | p->payload_len = sizeof(request1); |
2653 | | p->payload = request1; |
2654 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2655 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2656 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2657 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2658 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2659 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2660 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2661 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2662 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2663 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2664 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2665 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2666 | | |
2667 | | /* response - request ack */ |
2668 | | p->tcph->th_ack = htonl(18); |
2669 | | p->tcph->th_seq = htonl(1); |
2670 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2671 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2672 | | p->payload_len = 0; |
2673 | | p->payload = NULL; |
2674 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2675 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2676 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2677 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2678 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2679 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2680 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2681 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2682 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2683 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2684 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2685 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2686 | | |
2687 | | /* full response - request ack */ |
2688 | | uint8_t response[] = { |
2689 | | 0x55, 0x74, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, |
2690 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
2691 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
2692 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
2693 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
2694 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
2695 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
2696 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
2697 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2698 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
2699 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
2700 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
2701 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
2702 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
2703 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
2704 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
2705 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
2706 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
2707 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
2708 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
2709 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
2710 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
2711 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
2712 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2713 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
2714 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
2715 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
2716 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
2717 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
2718 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
2719 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
2720 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
2721 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
2722 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
2723 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
2724 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
2725 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
2726 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
2727 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2728 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
2729 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2730 | | p->tcph->th_ack = htonl(18); |
2731 | | p->tcph->th_seq = htonl(1); |
2732 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2733 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2734 | | p->payload_len = sizeof(response); |
2735 | | p->payload = response; |
2736 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2737 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2738 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2739 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2740 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2741 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2742 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2743 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2744 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2745 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2746 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2747 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2748 | | |
2749 | | /* response ack */ |
2750 | | p->tcph->th_ack = htonl(328); |
2751 | | p->tcph->th_seq = htonl(18); |
2752 | | p->tcph->th_flags = TH_ACK; |
2753 | | p->flowflags = FLOW_PKT_TOSERVER; |
2754 | | p->payload_len = 0; |
2755 | | p->payload = NULL; |
2756 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2757 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2758 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2759 | | FAIL_IF(f.alproto != ALPROTO_FAILED); |
2760 | | FAIL_IF(f.alproto_ts != ALPROTO_FAILED); |
2761 | | FAIL_IF(f.alproto_tc != ALPROTO_FAILED); |
2762 | | FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); |
2763 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2764 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2765 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2766 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2767 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2768 | | |
2769 | | TEST_END; |
2770 | | PASS; |
2771 | | } |
2772 | | |
2773 | | /** |
2774 | | * \test RUBBISH(TC - PM and PP DONE) -> |
2775 | | * RUBBISH(TS - PM and PP NOT DONE) -> |
2776 | | * RUBBISH(TS - PM and PP DONE) |
2777 | | */ |
2778 | | static int AppLayerTest11(void) |
2779 | | { |
2780 | | TEST_START; |
2781 | | |
2782 | | /* full request */ |
2783 | | uint8_t request1[] = { |
2784 | | 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, |
2785 | | 0x47, 0x47, 0x49, 0x20, 0x2f, 0x69, 0x6e, 0x64, 0xff }; |
2786 | | p->tcph->th_ack = htonl(1); |
2787 | | p->tcph->th_seq = htonl(1); |
2788 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2789 | | p->flowflags = FLOW_PKT_TOSERVER; |
2790 | | p->payload_len = sizeof(request1); |
2791 | | p->payload = request1; |
2792 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2793 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2794 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2795 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2796 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2797 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2798 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2799 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2800 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2801 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2802 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2803 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2804 | | |
2805 | | /* response - request ack */ |
2806 | | p->tcph->th_ack = htonl(18); |
2807 | | p->tcph->th_seq = htonl(1); |
2808 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2809 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2810 | | p->payload_len = 0; |
2811 | | p->payload = NULL; |
2812 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2813 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2814 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2815 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2816 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2817 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2818 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2819 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2820 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2821 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2822 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2823 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2824 | | |
2825 | | /* full response - request ack */ |
2826 | | uint8_t response1[] = { |
2827 | | 0x55, 0x74, 0x54, 0x50, }; |
2828 | | p->tcph->th_ack = htonl(18); |
2829 | | p->tcph->th_seq = htonl(1); |
2830 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2831 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2832 | | p->payload_len = sizeof(response1); |
2833 | | p->payload = response1; |
2834 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2835 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2836 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2837 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2838 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2839 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2840 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2841 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2842 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2843 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2844 | | FAIL_IF(FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2845 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2846 | | |
2847 | | /* response ack from request */ |
2848 | | p->tcph->th_ack = htonl(5); |
2849 | | p->tcph->th_seq = htonl(18); |
2850 | | p->tcph->th_flags = TH_ACK; |
2851 | | p->flowflags = FLOW_PKT_TOSERVER; |
2852 | | p->payload_len = 0; |
2853 | | p->payload = NULL; |
2854 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2855 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2856 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2857 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2858 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2859 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2860 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2861 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2862 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2863 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2864 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2865 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2866 | | |
2867 | | uint8_t response2[] = { |
2868 | | 0x2f, 0x31, 0x2e, 0x31, |
2869 | | 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, |
2870 | | 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x46, |
2871 | | 0x72, 0x69, 0x2c, 0x20, 0x32, 0x33, 0x20, 0x53, |
2872 | | 0x65, 0x70, 0x20, 0x32, 0x30, 0x31, 0x31, 0x20, |
2873 | | 0x30, 0x36, 0x3a, 0x32, 0x39, 0x3a, 0x33, 0x39, |
2874 | | 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x53, 0x65, |
2875 | | 0x72, 0x76, 0x65, 0x72, 0x3a, 0x20, 0x41, 0x70, |
2876 | | 0x61, 0x63, 0x68, 0x65, 0x2f, 0x32, 0x2e, 0x32, |
2877 | | 0x2e, 0x31, 0x35, 0x20, 0x28, 0x55, 0x6e, 0x69, |
2878 | | 0x78, 0x29, 0x20, 0x44, 0x41, 0x56, 0x2f, 0x32, |
2879 | | 0x0d, 0x0a, 0x4c, 0x61, 0x73, 0x74, 0x2d, 0x4d, |
2880 | | 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x3a, |
2881 | | 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x30, 0x34, |
2882 | | 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x32, 0x30, 0x31, |
2883 | | 0x30, 0x20, 0x31, 0x35, 0x3a, 0x30, 0x34, 0x3a, |
2884 | | 0x34, 0x36, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, |
2885 | | 0x45, 0x54, 0x61, 0x67, 0x3a, 0x20, 0x22, 0x61, |
2886 | | 0x62, 0x38, 0x39, 0x36, 0x35, 0x2d, 0x32, 0x63, |
2887 | | 0x2d, 0x34, 0x39, 0x34, 0x33, 0x62, 0x37, 0x61, |
2888 | | 0x37, 0x66, 0x37, 0x66, 0x38, 0x30, 0x22, 0x0d, |
2889 | | 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, |
2890 | | 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, |
2891 | | 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x43, |
2892 | | 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, |
2893 | | 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x34, |
2894 | | 0x34, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, |
2895 | | 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, |
2896 | | 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x43, 0x6f, |
2897 | | 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, |
2898 | | 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, |
2899 | | 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x58, |
2900 | | 0x2d, 0x50, 0x61, 0x64, 0x3a, 0x20, 0x61, 0x76, |
2901 | | 0x6f, 0x69, 0x64, 0x20, 0x62, 0x72, 0x6f, 0x77, |
2902 | | 0x73, 0x65, 0x72, 0x20, 0x62, 0x75, 0x67, 0x0d, |
2903 | | 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x74, 0x6d, 0x6c, |
2904 | | 0x3e, 0x3c, 0x62, 0x6f, 0x64, 0x79, 0x3e, 0x3c, |
2905 | | 0x68, 0x31, 0x3e, 0x49, 0x74, 0x20, 0x77, 0x6f, |
2906 | | 0x72, 0x6b, 0x73, 0x21, 0x3c, 0x2f, 0x68, 0x31, |
2907 | | 0x3e, 0x3c, 0x2f, 0x62, 0x6f, 0x64, 0x79, 0x3e, |
2908 | | 0x3c, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3e }; |
2909 | | p->tcph->th_ack = htonl(18); |
2910 | | p->tcph->th_seq = htonl(5); |
2911 | | p->tcph->th_flags = TH_PUSH | TH_ACK; |
2912 | | p->flowflags = FLOW_PKT_TOCLIENT; |
2913 | | p->payload_len = sizeof(response2); |
2914 | | p->payload = response2; |
2915 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2916 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2917 | | FAIL_IF(StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2918 | | FAIL_IF(f.alproto != ALPROTO_UNKNOWN); |
2919 | | FAIL_IF(f.alproto_ts != ALPROTO_UNKNOWN); |
2920 | | FAIL_IF(f.alproto_tc != ALPROTO_UNKNOWN); |
2921 | | FAIL_IF(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED); |
2922 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2923 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2924 | | FAIL_IF(FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2925 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2926 | | FAIL_IF(ssn->data_first_seen_dir != STREAM_TOSERVER); |
2927 | | |
2928 | | /* response ack from request */ |
2929 | | p->tcph->th_ack = htonl(328); |
2930 | | p->tcph->th_seq = htonl(18); |
2931 | | p->tcph->th_flags = TH_ACK; |
2932 | | p->flowflags = FLOW_PKT_TOSERVER; |
2933 | | p->payload_len = 0; |
2934 | | p->payload = NULL; |
2935 | | FAIL_IF(StreamTcpPacket(&tv, p, stt, &pq) == -1); |
2936 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server)); |
2937 | | FAIL_IF(!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client)); |
2938 | | FAIL_IF(f.alproto != ALPROTO_FAILED); |
2939 | | FAIL_IF(f.alproto_ts != ALPROTO_FAILED); |
2940 | | FAIL_IF(f.alproto_tc != ALPROTO_FAILED); |
2941 | | FAIL_IF(!(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)); |
2942 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOSERVER)); |
2943 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOSERVER)); |
2944 | | FAIL_IF(!FLOW_IS_PM_DONE(&f, STREAM_TOCLIENT)); |
2945 | | FAIL_IF(!FLOW_IS_PP_DONE(&f, STREAM_TOCLIENT)); |
2946 | | FAIL_IF(ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER); |
2947 | | |
2948 | | TEST_END; |
2949 | | PASS; |
2950 | | } |
2951 | | |
2952 | | void AppLayerUnittestsRegister(void) |
2953 | | { |
2954 | | SCEnter(); |
2955 | | |
2956 | | UtRegisterTest("AppLayerTest01", AppLayerTest01); |
2957 | | UtRegisterTest("AppLayerTest02", AppLayerTest02); |
2958 | | UtRegisterTest("AppLayerTest03", AppLayerTest03); |
2959 | | UtRegisterTest("AppLayerTest04", AppLayerTest04); |
2960 | | UtRegisterTest("AppLayerTest05", AppLayerTest05); |
2961 | | UtRegisterTest("AppLayerTest06", AppLayerTest06); |
2962 | | UtRegisterTest("AppLayerTest07", AppLayerTest07); |
2963 | | UtRegisterTest("AppLayerTest08", AppLayerTest08); |
2964 | | UtRegisterTest("AppLayerTest09", AppLayerTest09); |
2965 | | UtRegisterTest("AppLayerTest10", AppLayerTest10); |
2966 | | UtRegisterTest("AppLayerTest11", AppLayerTest11); |
2967 | | |
2968 | | SCReturn; |
2969 | | } |
2970 | | |
2971 | | #endif /* UNITTESTS */ |