1/* Copyright (C) 2007-2018 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22 * \author Victor Julien <victor@inliniac.net>
23 *
24 * Implements dce_stub_data keyword
25 */
26
27#include "suricata-common.h"
28
29#include "detect.h"
30#include "detect-parse.h"
31
32#include "detect-engine.h"
34#include "detect-engine-build.h"
35#include "detect-engine-mpm.h"
36#include "detect-engine-state.h"
39
40#include "flow.h"
41#include "flow-var.h"
42#include "flow-util.h"
43
44#include "app-layer.h"
45#include "app-layer-parser.h"
46#include "queue.h"
48
50#include "detect-dce-iface.h"
51
52#include "util-debug.h"
53
54#include "util-unittest.h"
56
57#include "stream-tcp.h"
58
59#include "rust.h"
60
/* Name under which this sticky buffer is registered with the detection
 * engine; it is also kept as the legacy keyword alias (see
 * DetectDceStubDataRegister) and is what the buffer id below is looked up by. */
61#define BUFFER_NAME "dce_stub_data"
62
63static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64#ifdef UNITTESTS
65static void DetectDceStubDataRegisterTests(void);
66#endif
/* Buffer id resolved from BUFFER_NAME at registration time and used by
 * DetectDceStubDataSetup to make this buffer the active list for a rule. */
67static int g_dce_stub_data_buffer_id = 0;
68
/**
 * \brief Inspection-buffer getter for the dce_stub_data buffer on SMB
 *        transactions (registered for ALPROTO_SMB in DetectDceStubDataRegister).
 *
 * On the first call for a given thread/list the buffer is set up with the
 * stub data the SMB parser holds for transaction \a txv in the direction
 * given by \a flow_flags; later calls return the already-initialized buffer.
 *
 * \param det_ctx    detection engine thread context that owns the buffer
 * \param transforms transforms to apply to the buffer (passed through)
 * \param _f         flow; not used here
 * \param flow_flags STREAM_* flags of the data being inspected
 * \param txv        SMB transaction (opaque; interpreted by SCSmbTxGetStubData)
 * \param list_id    id of the inspection buffer list
 *
 * \retval buffer the inspection buffer, set up on first use
 * \retval NULL   no stub data for this transaction/direction, nothing to inspect
 */
69static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
70 const DetectEngineTransforms *transforms,
71 Flow *_f, const uint8_t flow_flags,
72 void *txv, const int list_id)
73{
74 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 /* fill the buffer only once per thread/list; later calls reuse it */
75 if (!buffer->initialized) {
76 uint32_t data_len = 0;
77 const uint8_t *data = NULL;
 /* only the direction bits reach the SMB getter; other STREAM_* bits are masked off */
78 uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
 /* 1 is treated as "stub data available"; any other return value yields no
 * buffer for this direction (presumably no data or no such tx — confirm) */
79 if (SCSmbTxGetStubData(txv, dir, &data, &data_len) != 1)
80 return NULL;
81 SCLogDebug("have data!");
82
 /* NOTE(review): the head of this call (the helper that sets up the buffer
 * and applies the transforms) is not shown on this page; the visible tail
 * hands over data/data_len exactly as obtained from the transaction. */
84 det_ctx, list_id, buffer, data, data_len, transforms);
85 }
86 return buffer;
87}
88
/**
 * \brief Inspection-buffer getter for the dce_stub_data buffer on DCERPC
 *        transactions (registered for ALPROTO_DCERPC in DetectDceStubDataRegister).
 *
 * On the first call for a given thread/list the buffer is set up with the
 * stub data of transaction \a txv and tagged with the endianness the DCERPC
 * parser reports, so that later inspection can honour it; later calls return
 * the already-initialized buffer.
 *
 * \param det_ctx    detection engine thread context that owns the buffer
 * \param transforms transforms to apply to the buffer (passed through)
 * \param _f         flow; not used here
 * \param flow_flags STREAM_* flags of the data being inspected, passed on as-is
 * \param txv        DCERPC transaction (opaque; interpreted by SCDcerpcGetStubData)
 * \param list_id    id of the inspection buffer list
 *
 * \retval buffer the inspection buffer, set up on first use
 * \retval NULL   no (or empty) stub data for this transaction, nothing to inspect
 */
89static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
90 const DetectEngineTransforms *transforms,
91 Flow *_f, const uint8_t flow_flags,
92 void *txv, const int list_id)
93{
94 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 /* fill the buffer only once per thread/list; later calls reuse it */
95 if (!buffer->initialized) {
96 uint32_t data_len = 0;
97 const uint8_t *data = NULL;
 /* NOTE(review): deliberately uninitialized; this relies on
 * SCDcerpcGetStubData writing endianness whenever it hands back data,
 * otherwise the comparison below reads an indeterminate byte — confirm
 * against the rust side. */
98 uint8_t endianness;
99
100 SCDcerpcGetStubData(txv, &data, &data_len, &endianness, flow_flags);
 /* both a missing and an empty stub are treated as "no buffer", so a
 * zero-length buffer is never handed to the inspection engine */
101 if (data == NULL || data_len == 0)
102 return NULL;
103
 /* tag the buffer with the stub's byte order for later inspection; the
 * line of the non-zero branch (line 105) is not shown on this page,
 * presumably it sets the little-endian counterpart of the flag below */
104 if (endianness > 0) {
106 } else {
107 buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
108 }
 /* NOTE(review): the head of this call (the helper that sets up the buffer
 * and applies the transforms) is not shown on this page; the visible tail
 * hands over data/data_len exactly as obtained from the transaction. */
110 det_ctx, list_id, buffer, data, data_len, transforms);
111 }
112 return buffer;
113}
114
115/**
116 * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
 *
 * The keyword is exposed as "dcerpc.stub_data" with "dce_stub_data" kept as
 * alias. Only a Setup callback (and the unit-test hook) is installed here;
 * there is no per-packet Match callback, which is consistent with the keyword
 * acting as a sticky buffer (see DetectDceStubDataSetup). Inspection of the
 * buffer is provided per protocol through GetSMBData (ALPROTO_SMB) and
 * GetDCEData (ALPROTO_DCERPC), and the buffer id is resolved from
 * BUFFER_NAME once the registrations are done.
 *
 * NOTE(review): the function's signature line and the leading lines of each
 * registration call are not shown on this page; only the trailing argument
 * lines of the calls are visible.
117 */
119{
120 sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
 /* legacy spelling of the keyword; also the name the buffer is registered under */
121 sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
122 sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
123#ifdef UNITTESTS
124 sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
125#endif
127
 /* SMB: two registrations, both backed by GetSMBData (call heads not shown) */
131 GetSMBData, ALPROTO_SMB, 0);
135 GetSMBData, ALPROTO_SMB, 0);
136
 /* DCERPC: two registrations, both backed by GetDCEData (call heads not shown) */
140 GetDCEData, ALPROTO_DCERPC, 0);
144 GetDCEData, ALPROTO_DCERPC, 0);
145
 /* resolve the id the Setup callback switches rules to */
146 g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
147}
148
149/**
150 * \brief Sets up the dce_stub_data sticky buffer for a rule: after this
 *        keyword, subsequent content keywords inspect the DCERPC stub data.
151 *
152 * \param de_ctx Pointer to the detection engine context
153 * \param s Pointer to signature for the current Signature being parsed
154 * from the rules
155 * \param arg Pointer to the string holding the keyword value; the keyword
 *            takes no value and \a arg is not used in the visible body
156 *
157 * \retval 0 on success, -1 on failure
 *
 * NOTE(review): the condition of the first guard (line 162) is not shown on
 * this page; only its "return -1" body is visible.
158 */
159
160static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
161{
163 return -1;
 /* make this buffer the active list so following content matches apply to it */
164 if (SCDetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
165 return -1;
166 return 0;
167}
168
169/************************************Unittests*********************************/
170
171#ifdef UNITTESTS
172#include "detect-engine-alert.h"
173
174/**
175 * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
 *
 * Feeds a DCERPC bind, bind_ack and request PDU through the app-layer parser
 * on a single flow and runs detection after each one against a rule using
 * dce_stub_data with content "|42 42 42 42|". No alert is expected after the
 * bind and the bind_ack (no stub data yet); the alert must fire once the
 * request has been parsed, since its stub data carries a run of 0x42 bytes.
 *
 * NOTE(review): several lines of this listing are not shown on this page
 * (the detection-engine / signature set-up calls, the heads of the app-layer
 * parse calls whose argument lists remain visible, the declaration of
 * alp_tctx and part of the cleanup); the comments below describe only what
 * is visible.
 *
 * \retval 1 on success, 0 on failure
176 */
177static int DetectDceStubDataTestParse02(void)
178{
179 int result = 0;
180 Signature *s = NULL;
181 ThreadVars th_v;
182 Packet *p = NULL;
183 Flow f;
184 TcpSession ssn;
185 DetectEngineThreadCtx *det_ctx = NULL;
186 DetectEngineCtx *de_ctx = NULL;
187 DCERPCState *dcerpc_state = NULL;
188 int r = 0;
189
 /* first PDU, fed to the parser TOSERVER with STREAM_START below */
190 uint8_t dcerpc_bind[] = {
191 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
192 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
193 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
194 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
195 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
196 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
197 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
198 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
199 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
200 };
201
 /* server reply, fed to the parser TOCLIENT below */
202 uint8_t dcerpc_bindack[] = {
203 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
204 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
205 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
206 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
207 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
208 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
209 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
210 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
211 0x02, 0x00, 0x00, 0x00
212 };
213
214 /* todo chop the request frag length and change the
215 * length related parameters in the frag */
 /* request PDU fed TOSERVER with STREAM_EOF below. Its stub data contains
 * the ASCII marker "ref1" followed by a long run of 0x41 and the marker
 * "ref2" followed by a run of 0x42; the latter is what the rule's
 * content "|42 42 42 42|" is meant to hit. */
216 uint8_t dcerpc_request[] = {
217 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
218 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
219 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
220 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
221 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
222 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
223 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
224 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
225 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
226 0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
227 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
228 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
229 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
230 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
231 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
232 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
233 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
234 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
235 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
236 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
237 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
238 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
239 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
240 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
241 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
242 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
243 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
244 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
245 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
246 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
247 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
248 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
249 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
250 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
251 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
252 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
253 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
254 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
255 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
256 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
257 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
258 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
259 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
260 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
261 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
262 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
263 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
264 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
265 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
266 0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
267 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
268 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
269 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
270 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
271 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
272 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
273 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
274 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
275 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
276 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
277 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
278 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
279 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
280 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
281 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
282 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
283 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
284 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
285 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
286 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
287 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
288 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
289 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
290 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
291 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
292 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
293 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
294 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
295 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
296 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
297 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
298 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
299 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
300 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
301 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
302 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
303 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
464 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
465 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
466 0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
467 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
468 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
469 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
470 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
471 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
472 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
473 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
474 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
475 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
476 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
477 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
478 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
479 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
480 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
481 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
482 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
483 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
484 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
485 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
486 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
487 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
488 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
489 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
490 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
491 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
492 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
493 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
494 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
495 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
496 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
497 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
498 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
499 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
500 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
 /* "ref2" followed by the 0x42 run the rule's content is expected to match */
564 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
565 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
566 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
567 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630 0x01, 0x02, 0x03, 0x04
631 };
632
 /* lengths passed to the parser: the whole arrays, header included */
633 uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
634 uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
635 uint32_t dcerpc_request_len = sizeof(dcerpc_request);
637
 /* stack-allocated engine structs start zeroed */
638 memset(&th_v, 0, sizeof(th_v));
639 memset(&f, 0, sizeof(f));
640 memset(&ssn, 0, sizeof(ssn));
641
 /* NOTE(review): p is dereferenced below (p->flow) without a NULL check;
 * whether UTHBuildPacket can return NULL is not visible here — confirm */
642 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
643
 /* tie the packet to a TCP flow that carries the (zeroed) session */
644 FLOW_INITIALIZE(&f);
645 f.protoctx = (void *)&ssn;
646 f.proto = IPPROTO_TCP;
647 p->flow = &f;
652
654
 /* the assignment of de_ctx is not shown on this page; a NULL result aborts */
656 if (de_ctx == NULL)
657 goto end;
658
660
 /* rule under test: sticky buffer followed by a content match on four 0x42
 * bytes, sid 1 (the call that appends it to de_ctx is not shown) */
662 "alert tcp any any -> any any "
663 "(msg:\"DCERPC\"; "
664 "dce_stub_data; content:\"|42 42 42 42|\";"
665 "sid:1;)");
666 if (s == NULL)
667 goto end;
668
 /* NOTE(review): return value not checked; det_ctx is used unconditionally below */
670 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
671
 /* parse the bind TOSERVER as the start of the stream (call head not shown) */
673 STREAM_TOSERVER | STREAM_START, dcerpc_bind,
674 dcerpc_bind_len);
675 if (r != 0) {
676 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
677 goto end;
678 }
679
 /* the parser must have created app-layer state on the flow; it is only
 * NULL-checked, never otherwise inspected, in this test */
680 dcerpc_state = f.alstate;
681 if (dcerpc_state == NULL) {
682 SCLogDebug("no dcerpc state: ");
683 goto end;
684 }
685
 /* point the packet TOSERVER for detection; the line that sets the
 * opposite direction flag (687) is not shown on this page */
686 p->flowflags &=~ FLOW_PKT_TOCLIENT;
688 /* do detect */
689 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
690
691 /* we shouldn't have any stub data */
 /* an alert on sid 1 at this point is a test failure */
692 if (PacketAlertCheck(p, 1))
693 goto end;
694
695 /* do detect */
 /* parse the bind_ack TOCLIENT (call head not shown) */
697 STREAM_TOCLIENT, dcerpc_bindack,
698 dcerpc_bindack_len);
699 if (r != 0) {
700 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
701 goto end;
702 }
703
 /* point the packet TOCLIENT for detection; line 705 is not shown */
704 p->flowflags &=~ FLOW_PKT_TOSERVER;
706 /* do detect */
707 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
708
709 /* we shouldn't have any stub data */
 /* still no stub data after the bind_ack: an alert is a failure */
710 if (PacketAlertCheck(p, 1))
711 goto end;
712
 /* parse the request TOSERVER as the end of the stream (call head not shown) */
714 STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
715 dcerpc_request_len);
716 if (r != 0) {
717 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
718 goto end;
719 }
720
 /* point the packet TOSERVER again; line 722 is not shown */
721 p->flowflags &=~ FLOW_PKT_TOCLIENT;
723 /* do detect */
724 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
725
726 /* we should have the stub data since we previously parsed a request frag */
 /* the request's stub data carries the 0x42 run, so sid 1 must now alert */
727 if (!PacketAlertCheck(p, 1))
728 goto end;
729
730 result = 1;
731
732 end:
 /* the body of this guard (line 734) and the declaration of alp_tctx are
 * not shown on this page */
733 if (alp_tctx != NULL)
737
 /* NOTE(review): reached with det_ctx == NULL on the early-exit paths
 * (de_ctx or s NULL), so this relies on Deinit tolerating a NULL ctx — confirm */
738 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
740
742 FLOW_DESTROY(&f);
743
744 UTHFreePackets(&p, 1);
745 return result;
746}
747
748/**
749 * \test Test a valid dce_stub_data with just a request frag.
750 */
751static int DetectDceStubDataTestParse03(void)
752{
753 Signature *s = NULL;
754 ThreadVars th_v;
755 Packet *p = NULL;
756 Flow f;
757 TcpSession ssn;
758 DetectEngineThreadCtx *det_ctx = NULL;
759 DetectEngineCtx *de_ctx = NULL;
760 DCERPCState *dcerpc_state = NULL;
761 int r = 0;
762
763 /* todo chop the request frag length and change the
764 * length related parameters in the frag */
765 uint8_t dcerpc_request[] = {
766 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
767 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
768 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
769 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
770 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
771 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
772 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
773 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
774 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
775 0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
776 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
777 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
778 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
779 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
780 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
781 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
782 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
783 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
784 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
785 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
786 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
787 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
788 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
789 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
790 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
791 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
792 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
793 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
794 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
795 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
796 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
797 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
798 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
799 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
800 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
801 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
802 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
803 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
804 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
805 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
806 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
807 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
808 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
809 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
810 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
811 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
812 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
813 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
814 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
815 0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
816 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
817 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
818 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
819 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
820 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
821 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
822 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
823 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
824 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
825 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
826 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
827 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
828 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
829 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
830 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
831 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
832 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
833 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
834 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
835 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
836 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
837 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
838 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
839 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
840 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
841 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
842 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
843 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
844 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
845 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
846 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
847 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
848 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
849 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
850 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1013 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1014 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1015 0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1016 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1017 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1018 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1019 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1020 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1021 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1022 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1023 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1024 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1025 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1026 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1027 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1028 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1029 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1031 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1032 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1033 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1034 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1035 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1036 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1037 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1038 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1039 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1040 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1042 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1043 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1044 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1045 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1046 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1047 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1048 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1114 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179 0x01, 0x02, 0x03, 0x04
1180 };
1181
1182 uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1183
1185
1186 memset(&th_v, 0, sizeof(th_v));
1187 memset(&f, 0, sizeof(f));
1188 memset(&ssn, 0, sizeof(ssn));
1189
1190 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1191
1192 FLOW_INITIALIZE(&f);
1193 f.protoctx = (void *)&ssn;
1194 f.proto = IPPROTO_TCP;
1195 p->flow = &f;
1200
1201 StreamTcpInitConfig(true);
1202
1204 FAIL_IF(de_ctx == NULL);
1205
1206 de_ctx->flags |= DE_QUIET;
1207
1209 "alert tcp any any -> any any "
1210 "(msg:\"DCERPC\"; "
1211 "dce_stub_data; content:\"|42 42 42 42|\";"
1212 "sid:1;)");
1213 FAIL_IF(s == NULL);
1214
1216 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1217
1219 STREAM_TOSERVER | STREAM_START, dcerpc_request,
1220 dcerpc_request_len);
1221 FAIL_IF(r != 0);
1222
1223 dcerpc_state = f.alstate;
1224 FAIL_IF (dcerpc_state == NULL);
1225
1226 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1228 /* do detect */
1229 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1230 FAIL_IF(!PacketAlertCheck(p, 1));
1231
1232 if (alp_tctx != NULL)
1234 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1236 StreamTcpFreeConfig(true);
1237 FLOW_DESTROY(&f);
1238
1239 UTHFreePackets(&p, 1);
1240 PASS;
1241}
1242
/**
 * \brief Unit test: dce_stub_data matching across a multi-PDU DCERPC
 *        conversation on a single flow.
 *
 * A bind, a bind_ack and three request/response pairs are pushed through
 * the app-layer parser in order, and detection runs after every PDU.
 * Three rules are loaded, each matching a two-byte pattern that occurs in
 * the stub of exactly one request: sid 1 (|00 02|) for request1, sid 2
 * (|00 75|) for request2 and sid 3 (|00 18|) for request3. The test passes
 * only if every sid fires on its own request and none fires on a response.
 *
 * Several statements of this function (the allocation of alp_tctx, the
 * initialisation of de_ctx, the opening line of each parser call and part
 * of the cleanup) are not reproduced in this listing; the comments below
 * mark where they fall.
 *
 * \retval 1 on success
 * \retval 0 on any setup, parse or detection failure (the function jumps
 *           to end: and returns the still-zero result)
 */
1243static int DetectDceStubDataTestParse04(void)
1244{
1245 int result = 0;
1246 Signature *s = NULL;
1247 ThreadVars th_v;
1248 Packet *p = NULL;
1249 Flow f;
1250 TcpSession ssn;
1251 DetectEngineThreadCtx *det_ctx = NULL;
1252 DetectEngineCtx *de_ctx = NULL;
1253 DCERPCState *dcerpc_state = NULL;
1254 int r = 0;
1255
 /* Fixture: DCERPC bind PDU (type byte at offset 2 is 0x0b). */
1256 uint8_t dcerpc_bind[] = {
1257 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1258 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1259 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1260 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1261 0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1262 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1263 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1264 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1265 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1266 };
1267
 /* Fixture: bind_ack PDU (type 0x0c); the 13-byte secondary address is
  * the ASCII string "\PIPE\winreg" followed by its NUL. */
1268 uint8_t dcerpc_bindack[] = {
1269 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1270 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1271 0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1272 0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1273 0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1274 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1275 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1276 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1277 0x02, 0x00, 0x00, 0x00,
1278 };
1279
 /* Fixture: request PDU (type 0x00), call_id 1. The 12-byte stub that
  * follows the 24-byte header ends with the bytes 00 02 that sid 1 wants. */
1280 uint8_t dcerpc_request1[] = {
1281 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1282 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1283 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1284 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1285 0x00, 0x00, 0x00, 0x02,
1286 };
1287
 /* Fixture: response PDU (type 0x02) to request1; no rule may fire on it. */
1288 uint8_t dcerpc_response1[] = {
1289 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1290 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1291 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1292 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1293 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1294 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1295 };
1296
 /* Fixture: request PDU, call_id 2, opnum 0x0f. The stub carries the
  * UTF-16LE string "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and,
  * inside it, the pair 00 75 that sid 2 wants. Note that 00 02 also occurs
  * in this PDU's header (auth_length/call_id bytes) but not in its stub, so
  * the later check that sid 1 stays silent here also confirms that the
  * header is not part of the dce_stub_data buffer. */
1297 uint8_t dcerpc_request2[] = {
1298 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1299 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1300 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1302 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1303 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1304 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1305 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1306 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1307 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1308 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1309 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1310 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1311 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1312 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1313 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1314 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1315 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1316 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1317 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1318 0x03, 0x00, 0x00, 0x00,
1319 };
1320
 /* Fixture: response PDU to request2; no rule may fire on it. */
1321 uint8_t dcerpc_response2[] = {
1322 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1323 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1324 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1325 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1326 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1327 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1328 };
1329
 /* Fixture: request PDU, call_id 3, opnum 0x16. The stub holds the
  * UTF-16LE strings "Osa32" and "NTOSA32.EXE" and the pair 00 18 that
  * sid 3 wants. */
1330 uint8_t dcerpc_request3[] = {
1331 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1332 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1333 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1334 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1335 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1336 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1337 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1339 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1340 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1341 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1342 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1343 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1344 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1345 };
1346
 /* Fixture: final response PDU; fed with STREAM_EOF below, no rule may fire. */
1347 uint8_t dcerpc_response3[] = {
1348 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1349 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1350 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1351 0x00, 0x00, 0x00, 0x00,
1352 };
1353
 /* sizeof is taken on the arrays themselves (not on pointers), so these
  * lengths are exact. */
1354 uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1355 uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1356
1357 uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1358 uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1359
1360 uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1361 uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1362
1363 uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1364 uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1365
 /* NOTE(review): the declaration/allocation of alp_tctx, which the cleanup
  * at end: checks, sits on a line that is not reproduced in this listing. */
1367
 /* Zero the stack structures before the flow/session macros touch them. */
1368 memset(&th_v, 0, sizeof(th_v));
1369 memset(&f, 0, sizeof(f));
1370 memset(&ssn, 0, sizeof(ssn));
1371
 /* Unit-test helper packet: TCP, no payload; the app-layer data is fed
  * directly to the parser rather than carried in this packet. */
1372 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1373
 /* Tie the TCP session to the flow and the flow to the packet. The lines
  * that follow p->flow (packet direction flags / flow app-layer setup,
  * presumably) are not reproduced in this listing. */
1374 FLOW_INITIALIZE(&f);
1375 f.protoctx = (void *)&ssn;
1376 f.proto = IPPROTO_TCP;
1377 p->flow = &f;
1382
 /* Stream engine config is needed for TCP app-layer parsing; released by
  * StreamTcpFreeConfig(true) at end:. */
1383 StreamTcpInitConfig(true);
1384
 /* de_ctx is initialised on the line just above this check, which the
  * listing does not show; a NULL context aborts the test with result 0. */
1386 if (de_ctx == NULL)
1387 goto end;
1388
 /* DE_QUIET: presumably keeps the engine from printing while rules load. */
1389 de_ctx->flags |= DE_QUIET;
1390
 /* Three rules, all keyed on dce_stub_data. Each two-byte pattern occurs in
  * exactly one request's stub (see the fixtures above), which is what the
  * per-PDU alert checks below rely on. */
1391 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1392 "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1393 if (s == NULL)
1394 goto end;
1395 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1396 "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1397 if (s == NULL)
1398 goto end;
1399 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1400 "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1401 if (s == NULL)
1402 goto end;
1403
 /* The line preceding this call (presumably the signature-group build) is
  * not reproduced here. From this point on det_ctx is non-NULL. */
1405 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1406
 /* bind: the parser call starts on a line not shown in this listing; the
  * visible continuation passes the direction flags, buffer and length.
  * STREAM_START marks this as the first data of the stream. */
1408 STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1409 dcerpc_bind_len);
1410 if (r != 0) {
1411 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1412 goto end;
1413 }
 /* Mark the packet to-server before detecting (the matching |= of the
  * to-server flag presumably sits on the line not shown after this one). */
1414 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1416 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1417
 /* The parser must have created app-layer state for the flow. The pointer
  * is only checked for existence; nothing in the visible code reads it. */
1418 dcerpc_state = f.alstate;
1419 if (dcerpc_state == NULL) {
1420 SCLogDebug("no dcerpc state: ");
1421 goto end;
1422 }
1423
 /* bind_ack, to-client; again the call's first line is not shown. */
1425 STREAM_TOCLIENT, dcerpc_bindack,
1426 dcerpc_bindack_len);
1427 if (r != 0) {
1428 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1429 goto end;
1430 }
1431 p->flowflags &=~ FLOW_PKT_TOSERVER;
1433 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1434
1435 /* request1 */
1437 STREAM_TOSERVER, dcerpc_request1,
1438 dcerpc_request1_len);
1439 if (r != 0) {
1440 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1441 goto end;
1442 }
1443
1444 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1446 /* do detect */
1447 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1448
 /* Only sid 1 may fire on request1. */
1449 if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1450 goto end;
1451
1452 /* response1 */
1454 STREAM_TOCLIENT, dcerpc_response1,
1455 dcerpc_response1_len);
1456 if (r != 0) {
1457 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1458 goto end;
1459 }
1460
1461 p->flowflags &=~ FLOW_PKT_TOSERVER;
1463 /* do detect */
1464 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1465
 /* No rule may fire on a response. */
1466 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1467 goto end;
1468
1469 /* request2 */
1471 STREAM_TOSERVER, dcerpc_request2,
1472 dcerpc_request2_len);
1473 if (r != 0) {
1474 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1475 goto end;
1476 }
1477
1478 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1480 /* do detect */
1481 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1482
 /* Only sid 2 may fire on request2; sid 1 must stay silent even though
  * 00 02 appears in this PDU's header (see the fixture comment). */
1483 if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1484 goto end;
1485
1486 /* response2 */
1488 STREAM_TOCLIENT, dcerpc_response2,
1489 dcerpc_response2_len);
1490 if (r != 0) {
1491 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1492 goto end;
1493 }
1494
1495 p->flowflags &=~ FLOW_PKT_TOSERVER;
1497 /* do detect */
1498 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1499
 /* No rule may fire on a response. */
1500 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1501 goto end;
1502 /* request3 */
1504 STREAM_TOSERVER, dcerpc_request3,
1505 dcerpc_request3_len);
1506 if (r != 0) {
1507 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1508 goto end;
1509 }
1510
1511 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1513 /* do detect */
1514 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1515
 /* Only sid 3 may fire on request3. */
1516 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1517 goto end;
1518
1519 /* response3 */
 /* STREAM_EOF tells the parser this is the last data in this direction. */
1521 STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1522 dcerpc_response3_len);
1523 if (r != 0) {
1524 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1525 goto end;
1526 }
1527
1528 p->flowflags &=~ FLOW_PKT_TOSERVER;
1530 /* do detect */
1531 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1532
 /* No rule may fire on the final response. */
1533 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1534 goto end;
1535
 /* Every expectation held. */
1536 result = 1;
1537
 /* Cleanup, reached from every exit path. The body guarded by the alp_tctx
  * check and the release of de_ctx are on lines not reproduced here.
  * NOTE(review): DetectEngineThreadCtxDeinit() is called unconditionally in
  * the visible code, so it is also reached with det_ctx == NULL when the
  * early `goto end` after the de_ctx check fires — confirm it tolerates a
  * NULL thread context. The preceding test in this file uses the
  * FAIL_IF/PASS macros instead of this goto/result pattern. */
1538 end:
1539 if (alp_tctx != NULL)
1543
1544 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1546
1547 StreamTcpFreeConfig(true);
1548 FLOW_DESTROY(&f);
1549
1550 UTHFreePackets(&p, 1);
1551 return result;
1552}
1553
/**
 * \brief Full-path unit test for the dce_stub_data keyword.
 *
 * Three DCERPC request/response PDU pairs are pushed through the app-layer
 * parser on a single TCP flow.  After every PDU the packet is run through
 * SigMatchSignatures() against three signatures (sid 1, 2, 3) whose content
 * patterns were picked so that exactly one sid matches the stub data of
 * request 1, 2 and 3 respectively, and none of them matches a response.
 * The test passes only if every alert / no-alert expectation holds in order.
 *
 * \retval 1 test passed
 * \retval 0 test failed (any setup failure, parser error or unexpected alert
 *           state jumps to the cleanup label with result still 0)
 *
 * NOTE(review): this rendering appears to have dropped the lines that held
 * cross-referenced calls (the gutter jumps 1650->1652, 1669->1670,
 * 1675->1676, 1701->1702, 1812->1813, ...).  The alp_tctx declaration, the
 * AppLayerParserThreadCtxAlloc(), DetectEngineCtxInit(),
 * DetectEngineAppendSig(), SigGroupBuild() and AppLayerParserParse() calls
 * and the matching free/cleanup statements are therefore not visible here;
 * consult the original source before relying on this listing.
 */
1554static int DetectDceStubDataTestParse05(void)
1555{
1556 int result = 0;
1557 Signature *s = NULL;
1558 ThreadVars th_v;
1559 Packet *p = NULL;
1560 Flow f;
1561 TcpSession ssn;
1562 DetectEngineThreadCtx *det_ctx = NULL;
1563 DetectEngineCtx *de_ctx = NULL;
1564 DCERPCState *dcerpc_state = NULL;
1565 int r = 0;
1566
    /* Raw DCERPC PDUs.  Byte 0 is the major version (5) and byte 2 the PDU
     * type: 0x00 in every request buffer, 0x02 in every response buffer.
     * NOTE(review): the sid expectations below assume the usual 24-byte
     * connection-oriented PDU header followed by the stub data, i.e. that
     * dce_stub_data exposes only the bytes after that header.  Confirm
     * against the DCERPC parser. */
1567 uint8_t dcerpc_request1[] = {
1568 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1569 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1570 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1571 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1572 0x00, 0x00, 0x00, 0x02,
1573 };
1574
1575 uint8_t dcerpc_response1[] = {
1576 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1577 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1578 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1580 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1581 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1582 };
1583
    /* The stub data decodes to the UTF-16LE registry path
     * SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so the sample traffic
     * looks like a remote registry operation on an autorun key -- the kind of
     * content a real dce_stub_data rule is written to detect.  The "|00 75|"
     * pattern of sid 2 occurs only inside this string. */
1584 uint8_t dcerpc_request2[] = {
1585 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1586 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1587 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1588 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1589 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1590 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1591 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1592 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1593 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1594 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1595 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1596 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1597 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1598 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1599 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1600 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1601 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1602 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1603 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1604 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1605 0x03, 0x00, 0x00, 0x00,
1606 };
1607
1608 uint8_t dcerpc_response2[] = {
1609 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1610 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1611 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1613 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1614 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1615 };
1616
    /* The stub data carries the UTF-16LE strings "Osa32" and "NTOSA32.EXE".
     * The "|00 18|" pattern of sid 3 is present in this request's stub data
     * only; it also occurs inside the header bytes of response 1 and 2, which
     * is what the no-alert checks on the responses below rely on. */
1617 uint8_t dcerpc_request3[] = {
1618 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1619 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1620 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1621 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1622 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1623 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1624 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1626 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1627 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1628 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1629 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1630 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1631 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1632 };
1633
1634 uint8_t dcerpc_response3[] = {
1635 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1636 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1637 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638 0x00, 0x00, 0x00, 0x00,
1639 };
1640
1641 uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1642 uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1643
1644 uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1645 uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1646
1647 uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1648 uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1649
1651
    /* Zero the stack objects before wiring them together below; ssn is
     * installed as the flow's protoctx and the flow as the packet's flow. */
1652 memset(&th_v, 0, sizeof(th_v));
1653 memset(&f, 0, sizeof(f));
1654 memset(&ssn, 0, sizeof(ssn));
1655
    /* Payload-less TCP packet: the data under test enters through the
     * app-layer parser, not through the packet payload. */
1656 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1657
1658 FLOW_INITIALIZE(&f);
1659 f.protoctx = (void *)&ssn;
1660 f.proto = IPPROTO_TCP;
1661 p->flow = &f;
1666
1667 StreamTcpInitConfig(true);
1668
    /* de_ctx is created on the dropped line 1669; NULL here means the
     * detection engine context could not be set up. */
1670 if (de_ctx == NULL)
1671 goto end;
1672
1673 de_ctx->flags |= DE_QUIET;
1674
    /* Three signatures, one per request.  Each content is a two-byte pattern
     * present in exactly one request's stub data and in no response's stub
     * data, so a wrong alert anywhere in the sequence is caught below. */
1676 "alert tcp any any -> any any "
1677 "(msg:\"DCERPC\"; "
1678 "dce_stub_data; content:\"|00 02|\"; "
1679 "sid:1;)");
1680 if (s == NULL)
1681 goto end;
1683 "alert tcp any any -> any any "
1684 "(msg:\"DCERPC\"; "
1685 "dce_stub_data; content:\"|00 75|\"; "
1686 "sid:2;)");
1687 if (s == NULL)
1688 goto end;
1690 "alert tcp any any -> any any "
1691 "(msg:\"DCERPC\"; "
1692 "dce_stub_data; content:\"|00 18|\"; "
1693 "sid:3;)");
1694 if (s == NULL)
1695 goto end;
1696
1698 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1699
1700 /* request1 */
1702 STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1703 dcerpc_request1_len);
1704 if (r != 0) {
1705 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1706 goto end;
1707 }
1708
    /* The parser must have attached a DCERPC state to the flow. */
1709 dcerpc_state = f.alstate;
1710 if (dcerpc_state == NULL) {
1711 SCLogDebug("no dcerpc state: ");
1712 goto end;
1713 }
1714
    /* Clear the to-client bit so the packet is inspected as to-server
     * traffic, matching the direction the PDU was just parsed in. */
1715 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1717 /* do detect */
1718 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1719
    /* Expected after request1: only sid 1 alerts. */
1720 if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1721 goto end;
1722
1723 /* response1 */
1725 STREAM_TOCLIENT, dcerpc_response1,
1726 dcerpc_response1_len);
1727 if (r != 0) {
1728 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1729 goto end;
1730 }
1731
    /* Mirror of the above: inspect the packet as to-client traffic. */
1732 p->flowflags &=~ FLOW_PKT_TOSERVER;
1734 /* do detect */
1735 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1736
    /* Expected: no sid alerts on the response.  NOTE(review): "|00 02|"
     * (bytes 1-2) and "|00 18|" (bytes 15-16) both occur in the first 24
     * bytes of response 1 and 2, so this check only holds if the inspected
     * buffer excludes the PDU header -- presumably the property being pinned
     * here; confirm that is the intent. */
1737 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1738 goto end;
1739
1740 /* request2 */
1742 STREAM_TOSERVER, dcerpc_request2,
1743 dcerpc_request2_len);
1744 if (r != 0) {
1745 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1746 goto end;
1747 }
1748
1749 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1751 /* do detect */
1752 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1753
    /* Expected after request2: only sid 2 alerts. */
1754 if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1755 goto end;
1756
1757 /* response2 */
1759 STREAM_TOCLIENT, dcerpc_response2,
1760 dcerpc_response2_len);
1761 if (r != 0) {
1762 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1763 goto end;
1764 }
1765
1766 p->flowflags &=~ FLOW_PKT_TOSERVER;
1768 /* do detect */
1769 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1770
    /* Expected: no sid alerts on the response. */
1771 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1772 goto end;
1773
1774 /* request3 */
1776 STREAM_TOSERVER, dcerpc_request3,
1777 dcerpc_request3_len);
1778 if (r != 0) {
1779 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1780 goto end;
1781 }
1782
1783 p->flowflags &=~ FLOW_PKT_TOCLIENT;
1785 /* do detect */
1786 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1787
    /* Expected after request3: only sid 3 alerts. */
1788 if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1789 goto end;
1790
1791 /* response3 */
    /* STREAM_EOF marks this as the last data of the flow in this direction. */
1793 STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1794 dcerpc_response3_len);
1795 if (r != 0) {
1796 SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1797 goto end;
1798 }
1799
1800 p->flowflags &=~ FLOW_PKT_TOSERVER;
1802 /* do detect */
1803 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1804
    /* NOTE(review): unlike the two earlier response checks, only sid 1 is
     * asserted here; sids 2 and 3 are not checked at all.  This looks like an
     * oversight rather than intent -- tightening it to the same three-sid
     * no-alert check would make the final step as strict as the others. */
1805 if (PacketAlertCheck(p, 1))
1806 goto end;
1807
1808 result = 1;
1809
1810 end:
    /* Cleanup.  The statements on the dropped lines 1812, 1814-1815 and 1818
     * are not visible in this rendering. */
1811 if (alp_tctx != NULL)
1813
1816
1817 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1819
1820 StreamTcpFreeConfig(true);
1821 FLOW_DESTROY(&f);
1822
1823 UTHFreePackets(&p, 1);
1824 return result;
1825}
1826
1827// invalid signature because of invalid protocol
/**
 * \brief Negative parse test: dce_stub_data combined with an app-layer
 *        protocol the keyword does not apply to ("dns") must be rejected at
 *        signature parse time instead of being accepted silently.
 *
 * \retval 1 test passed (via PASS)
 *
 * NOTE(review): this rendering appears to have dropped lines 1830-1833 and
 * 1835-1836 (presumably the de_ctx setup, the DetectEngineAppendSig() call
 * and the NULL check on its result); only the rule string and PASS are
 * visible here.
 */
1828static int DetectDceStubDataTestParse06(void)
1829{
    /* The rule is expected to fail parsing because of the "dns" protocol,
     * not because of the (deliberately minimal) option string. */
1834 "alert dns any any -> any any dce_stub_data;content:\"0\";");
1837 PASS;
1838}
1839
/**
 * \brief Register the dce_stub_data unit tests with the unittest runner.
 *
 * Tests are registered in table order; the table keeps the test name next
 * to its function so the two cannot drift apart.
 */
static void DetectDceStubDataRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectDceStubDataTestParse02", DetectDceStubDataTestParse02 },
        { "DetectDceStubDataTestParse03", DetectDceStubDataTestParse03 },
        { "DetectDceStubDataTestParse04", DetectDceStubDataTestParse04 },
        { "DetectDceStubDataTestParse05", DetectDceStubDataTestParse05 },
        { "DetectDceStubDataTestParse06", DetectDceStubDataTestParse06 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
1853#endif