suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-dce-iface.h"
35 
36 #include "flow.h"
37 #include "flow-var.h"
38 #include "flow-util.h"
39 
40 #include "app-layer.h"
41 #include "app-layer-dcerpc.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #include "rust.h"
51 
52 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,\\s*(<|>|=|!)([0-9]{1,5}))?(?:\\s*,\\s*(any_frag))?\\s*$"
53 
54 static DetectParseRegex parse_regex;
55 
56 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
57  Flow *f, uint8_t flags, void *state, void *txv,
58  const Signature *s, const SigMatchCtx *m);
59 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
60 static void DetectDceIfaceFree(void *);
61 static void DetectDceIfaceRegisterTests(void);
62 static int g_dce_generic_list_id = 0;
63 
64 static int InspectDceGeneric(ThreadVars *tv,
65  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
66  const Signature *s, const SigMatchData *smd,
67  Flow *f, uint8_t flags, void *alstate,
68  void *txv, uint64_t tx_id);
69 
70 /**
71  * \brief Registers the keyword handlers for the "dce_iface" keyword.
72  */
73 void DetectDceIfaceRegister(void)
74 {
75  sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
76  sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
77  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
78  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
79  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
80  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
81 
82  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
83 
84  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
85 
86  DetectAppLayerInspectEngineRegister("dce_generic",
87  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
88  DetectAppLayerInspectEngineRegister("dce_generic",
89  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
90 
91  DetectAppLayerInspectEngineRegister("dce_generic",
92  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
93  DetectAppLayerInspectEngineRegister("dce_generic",
94  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
95 }
96 
97 static int InspectDceGeneric(ThreadVars *tv,
98  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
99  const Signature *s, const SigMatchData *smd,
100  Flow *f, uint8_t flags, void *alstate,
101  void *txv, uint64_t tx_id)
102 {
103  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
104  f, flags, alstate, txv, tx_id);
105 }
106 
107 
108 /**
109  * \internal
110  * \brief Parses the argument sent along with the "dce_iface" keyword.
111  *
112  * \param arg Pointer to the string containing the argument to be parsed.
113  *
114  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
115  * from the parsed arg.
116  */
117 static DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg)
118 {
119  DetectDceIfaceData *did = NULL;
120  int ret = 0, res = 0;
121  int ov[MAX_SUBSTRINGS];
122  uint8_t hex_value;
123  char copy_str[128] = "";
124  int i = 0, j = 0;
125  int len = 0;
126  char temp_str[3] = "";
127  int version;
128 
129  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0, ov, MAX_SUBSTRINGS);
130  if (ret < 2) {
131  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
132  goto error;
133  }
134 
135  if ( (did = SCMalloc(sizeof(DetectDceIfaceData))) == NULL)
136  goto error;
137  memset(did, 0, sizeof(DetectDceIfaceData));
138 
139  /* retrieve the iface uuid string. iface uuid is a compulsion in the keyword */
140  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 1, copy_str, sizeof(copy_str));
141  if (res < 0) {
142  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
143  goto error;
144  }
145 
146  /* parse the iface uuid string */
147  len = strlen(copy_str);
148  j = 0;
149  temp_str[2] = '\0';
150  for (i = 0; i < len; ) {
151  if (copy_str[i] == '-') {
152  i++;
153  continue;
154  }
155 
156  temp_str[0] = copy_str[i];
157  temp_str[1] = copy_str[i + 1];
158 
159  hex_value = strtol(temp_str, NULL, 16);
160  did->uuid[j] = hex_value;
161  i += 2;
162  j++;
163  }
164 
165  /* if the regex has 3 or 5, any_frag option is present in the signature */
166  if (ret == 3 || ret == 5)
167  did->any_frag = 1;
168 
169  /* if the regex has 4 or 5, version/operator is present in the signature */
170  if (ret == 4 || ret == 5) {
171  /* first handle the version number, so that we can do some additional
172  * validations of the version number, wrt. the operator */
173  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 3, copy_str, sizeof(copy_str));
174  if (res < 0) {
175  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
176  goto error;
177  }
178 
179  version = atoi(copy_str);
180  if (version > UINT16_MAX) {
181  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface version "
182  "invalid: %d\n", version);
183  goto error;
184  }
185  did->version = version;
186 
187  /* now let us handle the operator supplied with the version number */
188  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 2, copy_str, sizeof(copy_str));
189  if (res < 0) {
190  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
191  goto error;
192  }
193 
194  switch (copy_str[0]) {
195  case '<':
196  if (version == 0) {
197  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
198  "version invalid: %d. Version can't be less"
199  "than 0, with \"<\" operator", version);
200  goto error;
201  }
202 
203  did->op = DETECT_DCE_IFACE_OP_LT;
204  break;
205  case '>':
206  if (version == UINT16_MAX) {
207  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
208  "version invalid: %d. Version can't be greater"
209  "than %d, with \">\" operator", version,
210  UINT16_MAX);
211  goto error;
212  }
213 
214  did->op = DETECT_DCE_IFACE_OP_GT;
215  break;
216  case '=':
217  did->op = DETECT_DCE_IFACE_OP_EQ;
218  break;
219  case '!':
220  did->op = DETECT_DCE_IFACE_OP_NE;
221  break;
222  }
223  }
224 
225  return did;
226 
227  error:
228  if (did != NULL)
229  SCFree(did);
230  return NULL;
231 }
232 
233 /**
234  * \internal
235  * \brief Internal function that compares the dce interface version for this
236  * flow, to the signature's interface version specified using the
237  * dce_iface keyword.
238  *
239  * \param version The dce interface version for this flow.
240  * \param dce_data Pointer to the Signature's dce_iface keyword
241  * state(DetectDceIfaceData *).
242  */
243 static inline int DetectDceIfaceMatchIfaceVersion(const uint16_t version,
244  const DetectDceIfaceData *dce_data)
245 {
246  switch (dce_data->op) {
247  case DETECT_DCE_IFACE_OP_LT:
248  return (version < dce_data->version);
249  case DETECT_DCE_IFACE_OP_GT:
250  return (version > dce_data->version);
251  case DETECT_DCE_IFACE_OP_EQ:
252  return (version == dce_data->version);
253  case DETECT_DCE_IFACE_OP_NE:
254  return (version != dce_data->version);
255  default:
256  return 1;
257  }
258 }
259 
260 /**
261  * \brief App layer match function for the "dce_iface" keyword.
262  *
263  * \param t Pointer to the ThreadVars instance.
264  * \param det_ctx Pointer to the DetectEngineThreadCtx.
265  * \param f Pointer to the flow.
266  * \param flags Pointer to the flags indicating the flow direction.
267  * \param state Pointer to the app layer state data.
268  * \param s Pointer to the Signature instance.
269  * \param m Pointer to the SigMatch.
270  *
271  * \retval 1 On Match.
272  * \retval 0 On no match.
273  */
274 static int DetectDceIfaceMatch(DetectEngineThreadCtx *det_ctx,
275  Flow *f, uint8_t flags, void *state, void *txv,
276  const Signature *s, const SigMatchCtx *m)
277 {
278  SCEnter();
279 
280  int ret = 0;
281  const DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
282 
283  DCERPCUuidEntry *item = NULL;
284  const DCERPCState *dcerpc_state = state;
285  if (dcerpc_state == NULL) {
286  SCLogDebug("No DCERPCState for the flow");
287  SCReturnInt(0);
288  }
289 
290  /* we still haven't seen a request */
291  if (!dcerpc_state->dcerpc.dcerpcrequest.first_request_seen)
292  goto end;
293 
294  if (!(dcerpc_state->dcerpc.dcerpchdr.type == REQUEST ||
295  dcerpc_state->dcerpc.dcerpchdr.type == RESPONSE))
296  goto end;
297 
298  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.accepted_uuid_list, next) {
299  SCLogDebug("item %p", item);
300  ret = 1;
301 
302  /* if any_frag is not enabled, we need to match only against the first
303  * fragment */
304  if (!dce_data->any_frag && !(item->flags & DCERPC_UUID_ENTRY_FLAG_FF))
305  continue;
306 
307  /* if the uuid has been rejected(item->result == 1), we skip to the
308  * next uuid */
309  if (item->result != 0)
310  continue;
311 
312  /* check the interface uuid */
313  for (int i = 0; i < 16; i++) {
314  if (dce_data->uuid[i] != item->uuid[i]) {
315  ret = 0;
316  break;
317  }
318  }
319  ret &= (item->ctxid == dcerpc_state->dcerpc.dcerpcrequest.ctxid);
320  if (ret == 0)
321  continue;
322 
323  /* check the interface version */
324  if (dce_data->op != DETECT_DCE_IFACE_OP_NONE &&
325  !DetectDceIfaceMatchIfaceVersion(item->version, dce_data)) {
326  ret &= 0;
327  }
328 
329  /* we have a match. Time to leave with a match */
330  if (ret == 1)
331  goto end;
332  }
333 
334 end:
335  SCReturnInt(ret);
336 }
337 
338 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
339  Flow *f, uint8_t flags, void *state, void *txv,
340  const Signature *s, const SigMatchCtx *m)
341 {
342  SCEnter();
343 
344  if (f->alproto == ALPROTO_DCERPC) {
345  return DetectDceIfaceMatch(det_ctx, f, flags,
346  state, txv, s, m);
347  }
348 
349  int ret = 0;
350  DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
351 
352  if (rs_smb_tx_get_dce_iface(f->alstate, txv, dce_data->uuid, 16, dce_data->op, dce_data->version) != 1) {
353  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
354  } else {
355  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
356  ret = 1;
357  // TODO validate frag
358  }
359  SCReturnInt(ret);
360 }
361 
362 /**
363  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
364  * and appends it to the Signature(s).
365  *
366  * \param de_ctx Pointer to the detection engine context.
367  * \param s Pointer to signature for the current Signature being parsed
368  * from the rules.
369  * \param arg Pointer to the string holding the keyword value.
370  *
371  * \retval 0 on success, -1 on failure.
372  */
373 
374 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
375 {
376  DetectDceIfaceData *did = DetectDceIfaceArgParse(arg);
377  if (did == NULL) {
378  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_iface option in "
379  "signature");
380  return -1;
381  }
382 
383  SigMatch *sm = SigMatchAlloc();
384  if (sm == NULL) {
385  DetectDceIfaceFree(did);
386  return -1;
387  }
388 
389  sm->type = DETECT_DCE_IFACE;
390  sm->ctx = (void *)did;
391 
392  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
393  return 0;
394 }
395 
396 static void DetectDceIfaceFree(void *ptr)
397 {
398  SCFree(ptr);
399 
400  return;
401 }
402 
403 /************************************Unittests*********************************/
404 
405 #ifdef UNITTESTS
406 
407 static int DetectDceIfaceTestParse01(void)
408 {
409  SCEnter();
410 
411  Signature *s = SigAlloc();
412  if (s == NULL)
413  return 0;
414 
415  int result = 0;
416  DetectDceIfaceData *did = NULL;
417  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
418  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
419  SigMatch *temp = NULL;
420  int i = 0;
421 
422  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC") == 0);
423 
424  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
425  SCReturnInt(0);
426  }
427 
428  temp = s->sm_lists[g_dce_generic_list_id];
429  did = (DetectDceIfaceData *)temp->ctx;
430  if (did == NULL) {
431  SCReturnInt(0);
432  }
433 
434  result &= 1;
435  for (i = 0; i < 16; i++) {
436  if (did->uuid[i] != test_uuid[i]) {
437  result = 0;
438  break;
439  }
440  }
441 
442  result &= (did->version == 0);
443  result &= (did->op == 0);
444  result &= (did->any_frag == 0);
445 
446  SigFree(s);
447  SCReturnInt(result);
448 }
449 
450 static int DetectDceIfaceTestParse02(void)
451 {
452  SCEnter();
453 
454  Signature *s = SigAlloc();
455  if (s == NULL)
456  return 0;
457 
458  int result = 0;
459  DetectDceIfaceData *did = NULL;
460  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
461  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
462  SigMatch *temp = NULL;
463  int i = 0;
464 
465  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1") == 0);
466 
467  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
468  SCReturnInt(0);
469  }
470 
471  temp = s->sm_lists[g_dce_generic_list_id];
472  did = (DetectDceIfaceData *)temp->ctx;
473  if (did == NULL) {
474  SCReturnInt(0);
475  }
476 
477  result &= 1;
478  for (i = 0; i < 16; i++) {
479  if (did->uuid[i] != test_uuid[i]) {
480  result = 0;
481  break;
482  }
483  }
484 
485  result &= (did->version == 1);
486  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
487  result &= (did->any_frag == 0);
488 
489  SigFree(s);
490  SCReturnInt(result);
491 }
492 
493 static int DetectDceIfaceTestParse03(void)
494 {
495  SCEnter();
496 
497  Signature *s = SigAlloc();
498  if (s == NULL)
499  return 0;
500 
501  int result = 0;
502  DetectDceIfaceData *did = NULL;
503  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
504  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
505  SigMatch *temp = NULL;
506  int i = 0;
507 
508  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<10") == 0);
509 
510  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
511  SCReturnInt(0);
512  }
513 
514  temp = s->sm_lists[g_dce_generic_list_id];
515  did = (DetectDceIfaceData *)temp->ctx;
516  result &= 1;
517  for (i = 0; i < 16; i++) {
518  if (did->uuid[i] != test_uuid[i]) {
519  result = 0;
520  break;
521  }
522  }
523 
524  result &= (did->version == 10);
525  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
526  result &= (did->any_frag == 0);
527 
528  SigFree(s);
529  SCReturnInt(result);
530 }
531 
532 static int DetectDceIfaceTestParse04(void)
533 {
534  SCEnter();
535 
536  Signature *s = SigAlloc();
537  if (s == NULL)
538  return 0;
539 
540  int result = 0;
541  DetectDceIfaceData *did = NULL;
542  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
543  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
544  SigMatch *temp = NULL;
545  int i = 0;
546 
547  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!10") == 0);
548 
549  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
550  SCReturnInt(0);
551  }
552 
553  temp = s->sm_lists[g_dce_generic_list_id];
554  did = (DetectDceIfaceData *)temp->ctx;
555  if (did == NULL) {
556  SCReturnInt(0);
557  }
558 
559  result &= 1;
560  for (i = 0; i < 16; i++) {
561  if (did->uuid[i] != test_uuid[i]) {
562  result = 0;
563  break;
564  }
565  }
566 
567  result &= (did->version == 10);
568  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
569  result &= (did->any_frag == 0);
570 
571  SigFree(s);
572  SCReturnInt(result);
573 }
574 
575 static int DetectDceIfaceTestParse05(void)
576 {
577  SCEnter();
578 
579  Signature *s = SigAlloc();
580  int result = 0;
581  DetectDceIfaceData *did = NULL;
582  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
583  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
584  SigMatch *temp = NULL;
585  int i = 0;
586 
587  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=10") == 0);
588 
589  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
590  SCReturnInt(0);
591  }
592 
593  temp = s->sm_lists[g_dce_generic_list_id];
594  did = (DetectDceIfaceData *)temp->ctx;
595  if (did == NULL) {
596  SCReturnInt(0);
597  }
598 
599  result &= 1;
600  for (i = 0; i < 16; i++) {
601  if (did->uuid[i] != test_uuid[i]) {
602  result = 0;
603  break;
604  }
605  }
606 
607  result &= (did->version == 10);
608  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
609  result &= (did->any_frag == 0);
610 
611  SigFree(s);
612  SCReturnInt(result);
613 }
614 
615 static int DetectDceIfaceTestParse06(void)
616 {
617  SCEnter();
618 
619  Signature *s = SigAlloc();
620  if (s == NULL)
621  return 0;
622 
623  int result = 0;
624  DetectDceIfaceData *did = NULL;
625  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
626  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
627  SigMatch *temp = NULL;
628  int i = 0;
629 
630  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,any_frag") == 0);
631 
632  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
633  SCReturnInt(0);
634  }
635 
636  temp = s->sm_lists[g_dce_generic_list_id];
637  did = (DetectDceIfaceData *)temp->ctx;
638  if (did == NULL) {
639  SCReturnInt(0);
640  }
641 
642  result &= 1;
643  for (i = 0; i < 16; i++) {
644  if (did->uuid[i] != test_uuid[i]) {
645  result = 0;
646  break;
647  }
648  }
649 
650  result &= (did->version == 0);
651  result &= (did->op == 0);
652  result &= (did->any_frag == 1);
653 
654  SigFree(s);
655  SCReturnInt(result);
656 }
657 
658 static int DetectDceIfaceTestParse07(void)
659 {
660  SCEnter();
661 
662  Signature *s = SigAlloc();
663  if (s == NULL)
664  return 0;
665 
666  int result = 0;
667  DetectDceIfaceData *did = NULL;
668  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
669  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
670  SigMatch *temp = NULL;
671  int i = 0;
672 
673  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,any_frag") == 0);
674 
675  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
676  SCReturnInt(0);
677  }
678 
679  temp = s->sm_lists[g_dce_generic_list_id];
680  did = (DetectDceIfaceData *)temp->ctx;
681  if (did == NULL) {
682  SCReturnInt(0);
683  }
684 
685  result &= 1;
686  for (i = 0; i < 16; i++) {
687  if (did->uuid[i] != test_uuid[i]) {
688  result = 0;
689  break;
690  }
691  }
692 
693  result &= (did->version == 1);
694  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
695  result &= (did->any_frag == 1);
696 
697  SigFree(s);
698  SCReturnInt(result);
699 }
700 
701 static int DetectDceIfaceTestParse08(void)
702 {
703  Signature *s = SigAlloc();
704  if (s == NULL)
705  return 0;
706 
707  int result = 0;
708  DetectDceIfaceData *did = NULL;
709  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
710  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
711  SigMatch *temp = NULL;
712  int i = 0;
713 
714  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<1,any_frag") == 0);
715 
716  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
717  SCReturnInt(0);
718  }
719 
720  temp = s->sm_lists[g_dce_generic_list_id];
721  did = (DetectDceIfaceData *)temp->ctx;
722  if (did == NULL) {
723  SCReturnInt(0);
724  }
725 
726  result &= 1;
727  for (i = 0; i < 16; i++) {
728  if (did->uuid[i] != test_uuid[i]) {
729  result = 0;
730  break;
731  }
732  }
733 
734  result &= (did->version == 1);
735  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
736  result &= (did->any_frag == 1);
737 
738  SigFree(s);
739  SCReturnInt(result);
740 }
741 
742 static int DetectDceIfaceTestParse09(void)
743 {
744  SCEnter();
745 
746  Signature *s = SigAlloc();
747  if (s == NULL)
748  return 0;
749 
750  int result = 0;
751  DetectDceIfaceData *did = NULL;
752  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
753  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
754  SigMatch *temp = NULL;
755  int i = 0;
756 
757  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=1,any_frag") == 0);
758 
759  temp = s->sm_lists[g_dce_generic_list_id];
760  did = (DetectDceIfaceData *)temp->ctx;
761  if (did == NULL) {
762  SCReturnInt(0);
763  }
764 
765  result &= 1;
766  for (i = 0; i < 16; i++) {
767  if (did->uuid[i] != test_uuid[i]) {
768  result = 0;
769  break;
770  }
771  }
772 
773  result &= (did->version == 1);
774  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
775  result &= (did->any_frag == 1);
776 
777  SigFree(s);
778  SCReturnInt(result);
779 }
780 
781 static int DetectDceIfaceTestParse10(void)
782 {
783  SCEnter();
784 
785  Signature *s = SigAlloc();
786  if (s == NULL)
787  return 0;
788 
789  int result = 0;
790  DetectDceIfaceData *did = NULL;
791  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
792  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
793  SigMatch *temp = NULL;
794  int i = 0;
795 
796  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!1,any_frag") == 0);
797 
798  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
799  SCReturnInt(0);
800  }
801 
802  temp = s->sm_lists[g_dce_generic_list_id];
803  did = (DetectDceIfaceData *)temp->ctx;
804  if (did == NULL) {
805  SCReturnInt(0);
806  }
807 
808  result &= 1;
809  for (i = 0; i < 16; i++) {
810  if (did->uuid[i] != test_uuid[i]) {
811  result = 0;
812  break;
813  }
814  }
815 
816  result &= (did->version == 1);
817  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
818  result &= (did->any_frag == 1);
819 
820  SigFree(s);
821  SCReturnInt(result);
822 }
823 
824 static int DetectDceIfaceTestParse11(void)
825 {
826  SCEnter();
827 
828  Signature *s = SigAlloc();
829  if (s == NULL)
830  return 0;
831 
832  int result = 1;
833 
834  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,ay_frag") == -1);
835  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-12345679ABC,>1,any_frag") == -1);
836  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-134-123456789ABC,>1,any_frag") == -1);
837  result &= (DetectDceIfaceSetup(NULL, s, "12345678-123-124-1234-123456789ABC,>1,any_frag") == -1);
838  result &= (DetectDceIfaceSetup(NULL, s, "1234568-1234-1234-1234-123456789ABC,>1,any_frag") == -1);
839  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65536,any_frag") == -1);
840  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>=1,any_frag") == -1);
841  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<0,any_frag") == -1);
842  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65535,any_frag") == -1);
843 
844  SigFree(s);
845  return result;
846 }
847 
848 /**
849  * \test Test a valid dce_iface entry for a bind and bind_ack
850  */
851 static int DetectDceIfaceTestParse12(void)
852 {
853  Signature *s = NULL;
854  ThreadVars th_v;
855  Packet *p = NULL;
856  Flow f;
857  TcpSession ssn;
858  DetectEngineThreadCtx *det_ctx = NULL;
859  DetectEngineCtx *de_ctx = NULL;
860  DCERPCState *dcerpc_state = NULL;
861  int r = 0;
862 
863  uint8_t dcerpc_bind[] = {
864  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
865  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
866  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
867  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
868  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
869  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
870  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
871  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
872  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
873  };
874 
875  uint8_t dcerpc_bindack[] = {
876  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
877  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
878  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
879  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
880  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
881  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
882  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
883  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
884  0x02, 0x00, 0x00, 0x00
885  };
886 
887  uint8_t dcerpc_request[] = {
888  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
889  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
890  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
891  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
892  };
893 
894  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
895  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
896  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
897 
898  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
899 
900  memset(&th_v, 0, sizeof(th_v));
901  memset(&f, 0, sizeof(f));
902  memset(&ssn, 0, sizeof(ssn));
903 
904  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
905 
906  FLOW_INITIALIZE(&f);
907  f.protoctx = (void *)&ssn;
908  f.proto = IPPROTO_TCP;
909  p->flow = &f;
910  p->flowflags |= FLOW_PKT_TOSERVER;
911  p->flowflags |= FLOW_PKT_ESTABLISHED;
912  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
913  f.alproto = ALPROTO_DCERPC;
914 
915  StreamTcpInitConfig(TRUE);
916 
917  de_ctx = DetectEngineCtxInit();
918  FAIL_IF(de_ctx == NULL);
919  de_ctx->flags |= DE_QUIET;
920 
921  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
922  "(msg:\"DCERPC\"; "
923  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; "
924  "sid:1;)");
925  FAIL_IF(s == NULL);
926 
927  SigGroupBuild(de_ctx);
928  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
929 
930  SCLogDebug("handling to_server chunk");
931 
932  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
933  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
934  dcerpc_bind_len);
935  FAIL_IF(r != 0);
936 
937  dcerpc_state = f.alstate;
938  FAIL_IF(dcerpc_state == NULL);
939 
940  /* do detect */
941  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
942  FAIL_IF(PacketAlertCheck(p, 1));
943 
944  SCLogDebug("handling to_client chunk");
945 
946  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
947  STREAM_TOCLIENT, dcerpc_bindack,
948  dcerpc_bindack_len);
949  FAIL_IF(r != 0);
950 
951  /* do detect */
952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
953  FAIL_IF(PacketAlertCheck(p, 1));
954 
955  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
956  STREAM_TOCLIENT, dcerpc_request,
957  dcerpc_request_len);
958  FAIL_IF(r != 0);
959 
960  /* do detect */
961  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
962 
963  FAIL_IF(!PacketAlertCheck(p, 1));
964  if (alp_tctx != NULL)
965  AppLayerParserThreadCtxFree(alp_tctx);
966  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
967  DetectEngineCtxFree(de_ctx);
968  StreamTcpFreeConfig(TRUE);
969  FLOW_DESTROY(&f);
970  UTHFreePackets(&p, 1);
971  PASS;
972 }
973 
974 /* Disabled because of bug_753. Would be enabled, once we rewrite
975  * dce parser */
976 #if 0
977 
978 /**
979  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
980  */
981 static int DetectDceIfaceTestParse13(void)
982 {
983  int result = 0;
984  Signature *s = NULL;
985  ThreadVars th_v;
986  Packet *p = NULL;
987  Flow f;
988  TcpSession ssn;
989  DetectEngineThreadCtx *det_ctx = NULL;
990  DetectEngineCtx *de_ctx = NULL;
991  DCERPCState *dcerpc_state = NULL;
992  int r = 0;
993 
994  uint8_t dcerpc_bind[] = {
995  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
996  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
997  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
998  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
999  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1000  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1001  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1002  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1003  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1004  };
1005 
1006  uint8_t dcerpc_bindack[] = {
1007  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1008  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1009  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1010  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1011  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1012  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1013  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1014  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1015  0x02, 0x00, 0x00, 0x00,
1016  };
1017 
1018  uint8_t dcerpc_request1[] = {
1019  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1020  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1021  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1022  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1023  0x00, 0x00, 0x00, 0x02,
1024  };
1025 
1026  uint8_t dcerpc_response1[] = {
1027  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1028  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1029  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1031  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1032  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1033  };
1034 
1035  uint8_t dcerpc_request2[] = {
1036  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1037  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1038  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1039  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1040  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1041  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1042  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1043  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1044  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1045  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1046  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1047  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1048  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1049  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1050  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1051  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1052  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1053  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1054  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1055  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1056  0x03, 0x00, 0x00, 0x00,
1057  };
1058 
1059  uint8_t dcerpc_response2[] = {
1060  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1061  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1062  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1063  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1064  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1065  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1066  };
1067 
1068  uint8_t dcerpc_request3[] = {
1069  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1070  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1071  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1072  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1073  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1074  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1075  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1076  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1077  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1078  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1079  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1080  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1081  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1082  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1083  };
1084 
1085  uint8_t dcerpc_response3[] = {
1086  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1087  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1088  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1089  0x00, 0x00, 0x00, 0x00,
1090  };
1091 
1092  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1093  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1094 
1095  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1096  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1097 
1098  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1099  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1100 
1101  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1102  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1103 
1104  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1105 
1106  memset(&th_v, 0, sizeof(th_v));
1107  memset(&p, 0, sizeof(p));
1108  memset(&f, 0, sizeof(f));
1109  memset(&ssn, 0, sizeof(ssn));
1110 
1111  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1112 
1113  FLOW_INITIALIZE(&f);
1114  f.protoctx = (void *)&ssn;
1115  f.proto = IPPROTO_TCP;
1116  p->flow = &f;
1117  p->flowflags |= FLOW_PKT_TOSERVER;
1118  p->flowflags |= FLOW_PKT_ESTABLISHED;
1119  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1120  f.alproto = ALPROTO_DCERPC;
1121 
1122  StreamTcpInitConfig(TRUE);
1123 
1124  de_ctx = DetectEngineCtxInit();
1125  if (de_ctx == NULL)
1126  goto end;
1127 
1128  de_ctx->flags |= DE_QUIET;
1129 
1130  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
1131  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
1132  if (s == NULL)
1133  goto end;
1134 
1135  SigGroupBuild(de_ctx);
1136  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1137 
1138  SCLogDebug("chunk 1, bind");
1139 
1140  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1141  dcerpc_bind, dcerpc_bind_len);
1142  if (r != 0) {
1143  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1144  goto end;
1145  }
1146 
1147  dcerpc_state = f.alstate;
1148  if (dcerpc_state == NULL) {
1149  SCLogDebug("no dcerpc state: ");
1150  goto end;
1151  }
1152 
1153  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1154  p->flowflags |= FLOW_PKT_TOSERVER;
1155  /* do detect */
1156  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1157 
1158  if (PacketAlertCheck(p, 1)) {
1159  printf("sig 1 didn't match after bind request: ");
1160  goto end;
1161  }
1162 
1163  SCLogDebug("chunk 2, bind_ack");
1164 
1165  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
1166  dcerpc_bindack_len);
1167  if (r != 0) {
1168  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1169  goto end;
1170  }
1171 
1172  p->flowflags &=~ FLOW_PKT_TOSERVER;
1173  p->flowflags |= FLOW_PKT_TOCLIENT;
1174  /* do detect */
1175  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1176 
1177  if (PacketAlertCheck(p, 1)) {
1178  printf("sig 1 matched again after bind ack: ");
1179  goto end;
1180  }
1181 
1182  SCLogDebug("chunk 3, request 1");
1183 
1184  /* request1 */
1185  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
1186  dcerpc_request1_len);
1187  if (r != 0) {
1188  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1189  goto end;
1190  }
1191 
1192  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1193  p->flowflags |= FLOW_PKT_TOSERVER;
1194  /* do detect */
1195  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1196 
1197  if (!(PacketAlertCheck(p, 1))) {
1198  printf("sig 1 didn't match after request1: ");
1199  goto end;
1200  }
1201 
1202  SCLogDebug("sending response1");
1203 
1204  /* response1 */
1205  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
1206  dcerpc_response1_len);
1207  if (r != 0) {
1208  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1209  goto end;
1210  }
1211 
1212  p->flowflags &=~ FLOW_PKT_TOSERVER;
1213  p->flowflags |= FLOW_PKT_TOCLIENT;
1214  /* do detect */
1215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1216 
1217  if (PacketAlertCheck(p, 1)) {
1218  printf("sig 1 matched after response1, but shouldn't: ");
1219  goto end;
1220  }
1221 
1222  SCLogDebug("sending request2");
1223 
1224  /* request2 */
1225  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
1226  dcerpc_request2_len);
1227  if (r != 0) {
1228  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1229  goto end;
1230  }
1231 
1232  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1233  p->flowflags |= FLOW_PKT_TOSERVER;
1234  /* do detect */
1235  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1236 
1237  if (!(PacketAlertCheck(p, 1))) {
1238  printf("sig 1 didn't match after request2: ");
1239  goto end;
1240  }
1241 
1242  /* response2 */
1243  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
1244  dcerpc_response2_len);
1245  if (r != 0) {
1246  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1247  goto end;
1248  }
1249 
1250  p->flowflags &=~ FLOW_PKT_TOSERVER;
1251  p->flowflags |= FLOW_PKT_TOCLIENT;
1252  /* do detect */
1253  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1254 
1255  if (PacketAlertCheck(p, 1)) {
1256  printf("sig 1 matched after response2, but shouldn't have: ");
1257  goto end;
1258  }
1259 
1260  /* request3 */
1261  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
1262  dcerpc_request3_len);
1263  if (r != 0) {
1264  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1265  goto end;
1266  }
1267 
1268  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1269  p->flowflags |= FLOW_PKT_TOSERVER;
1270  /* do detect */
1271  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1272 
1273  if (!(PacketAlertCheck(p, 1))) {
1274  printf("sig 1 didn't match after request3: ");
1275  goto end;
1276  }
1277 
1278  /* response3 */
1279  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
1280  dcerpc_response3, dcerpc_response3_len);
1281  if (r != 0) {
1282  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1283  goto end;
1284  }
1285 
1286  p->flowflags &=~ FLOW_PKT_TOSERVER;
1287  p->flowflags |= FLOW_PKT_TOCLIENT;
1288  /* do detect */
1289  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1290 
1291  if (PacketAlertCheck(p, 1)) {
1292  printf("sig 1 matched after response3, but shouldn't have: ");
1293  goto end;
1294  }
1295 
1296  result = 1;
1297 
1298  end:
1299  if (alp_tctx != NULL)
1300  AppLayerParserThreadCtxFree(alp_tctx);
1301  SigGroupCleanup(de_ctx);
1302  SigCleanSignatures(de_ctx);
1303 
1304  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1305  DetectEngineCtxFree(de_ctx);
1306 
1307  StreamTcpFreeConfig(TRUE);
1308  UTHFreePackets(&p, 1);
1309  return result;
1310 }
1311 
1312 #endif
1313 
1314 /**
1315  * \test Test a valid dce_iface entry for a bind and bind_ack
1316  */
1317 static int DetectDceIfaceTestParse14(void)
1318 {
1319  int result = 0;
1320  Signature *s = NULL;
1321  ThreadVars th_v;
1322  Packet *p = NULL;
1323  Flow f;
1324  TcpSession ssn;
1325  DetectEngineThreadCtx *det_ctx = NULL;
1326  DetectEngineCtx *de_ctx = NULL;
1327  DCERPCState *dcerpc_state = NULL;
1328  int r = 0;
1329 
1330  uint8_t dcerpc_bind[] = {
1331  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1332  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1333  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1334  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1335  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
1336  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
1337  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1338  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1339  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1340  };
1341 
1342  uint8_t dcerpc_bindack[] = {
1343  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1344  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1345  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
1346  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1347  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
1348  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1349  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1350  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1351  0x02, 0x00, 0x00, 0x00
1352  };
1353 
1354  uint8_t dcerpc_request[] = {
1355  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
1356  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1357  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1358  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359  };
1360 
1361  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1362  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1363  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1364 
1365  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1366 
1367  memset(&th_v, 0, sizeof(th_v));
1368  memset(&p, 0, sizeof(p));
1369  memset(&f, 0, sizeof(f));
1370  memset(&ssn, 0, sizeof(ssn));
1371 
1372  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1373 
1374  FLOW_INITIALIZE(&f);
1375  f.protoctx = (void *)&ssn;
1376  f.proto = IPPROTO_TCP;
1377  p->flow = &f;
1378  p->flowflags |= FLOW_PKT_TOSERVER;
1379  p->flowflags |= FLOW_PKT_ESTABLISHED;
1380  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1381  f.alproto = ALPROTO_DCERPC;
1382 
1383  StreamTcpInitConfig(TRUE);
1384 
1385  de_ctx = DetectEngineCtxInit();
1386  if (de_ctx == NULL)
1387  goto end;
1388 
1389  de_ctx->flags |= DE_QUIET;
1390 
1391  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1392  "(msg:\"DCERPC\"; "
1393  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0; "
1394  "sid:1;)");
1395  if (s == NULL)
1396  goto end;
1397 
1398  SigGroupBuild(de_ctx);
1399  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1400 
1401  FLOWLOCK_WRLOCK(&f);
1402  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1403  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1404  dcerpc_bind_len);
1405  if (r != 0) {
1406  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1407  FLOWLOCK_UNLOCK(&f);
1408  goto end;
1409  }
1410  FLOWLOCK_UNLOCK(&f);
1411 
1412  dcerpc_state = f.alstate;
1413  if (dcerpc_state == NULL) {
1414  SCLogDebug("no dcerpc state: ");
1415  goto end;
1416  }
1417 
1418  /* do detect */
1419  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1420 
1421  if (PacketAlertCheck(p, 1))
1422  goto end;
1423 
1424  FLOWLOCK_WRLOCK(&f);
1425  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1426  STREAM_TOCLIENT, dcerpc_bindack,
1427  dcerpc_bindack_len);
1428  if (r != 0) {
1429  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1430  FLOWLOCK_UNLOCK(&f);
1431  goto end;
1432  }
1433  FLOWLOCK_UNLOCK(&f);
1434 
1435  /* do detect */
1436  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1437 
1438  if (PacketAlertCheck(p, 1)) {
1439  printf("sig 1 matched but shouldn't have: ");
1440  goto end;
1441  }
1442 
1443  FLOWLOCK_WRLOCK(&f);
1444  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1445  STREAM_TOCLIENT, dcerpc_request,
1446  dcerpc_request_len);
1447  if (r != 0) {
1448  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1449  FLOWLOCK_UNLOCK(&f);
1450  goto end;
1451  }
1452  FLOWLOCK_UNLOCK(&f);
1453 
1454  /* do detect */
1455  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1456 
1457  if (!PacketAlertCheck(p, 1)) {
1458  printf("sig 1 matched but shouldn't have: ");
1459  goto end;
1460  }
1461 
1462  result = 1;
1463 
1464  end:
1465  if (alp_tctx != NULL)
1466  AppLayerParserThreadCtxFree(alp_tctx);
1467  SigGroupCleanup(de_ctx);
1468  SigCleanSignatures(de_ctx);
1469 
1470  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1471  DetectEngineCtxFree(de_ctx);
1472 
1473  StreamTcpFreeConfig(TRUE);
1474  FLOW_DESTROY(&f);
1475  UTHFreePackets(&p, 1);
1476  return result;
1477 }
1478 
1479 /**
1480  * \test Test a valid dce_iface entry for a bind and bind_ack
1481  */
1482 static int DetectDceIfaceTestParse15(void)
1483 {
1484  int result = 0;
1485  Signature *s = NULL;
1486  ThreadVars th_v;
1487  Packet *p = NULL;
1488  Flow f;
1489  TcpSession ssn;
1490  DetectEngineThreadCtx *det_ctx = NULL;
1491  DetectEngineCtx *de_ctx = NULL;
1492  DCERPCState *dcerpc_state = NULL;
1493  int r = 0;
1494 
1495  uint8_t dcerpc_bind[] = {
1496  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1497  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1498  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1499  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1500  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
1501  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1502  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1503  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1504  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1505  };
1506  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1507 
1508  uint8_t dcerpc_bindack[] = {
1509  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1510  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1511  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1512  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
1513  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
1514  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1515  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1516  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1517  0x02, 0x00, 0x00, 0x00
1518  };
1519  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1520 
1521  uint8_t dcerpc_alter_context[] = {
1522  0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
1523  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1524  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1525  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
1526  0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11,
1527  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1528  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1529  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1530  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1531  };
1532  uint32_t dcerpc_alter_context_len = sizeof(dcerpc_alter_context);
1533 
1534  uint8_t dcerpc_alter_context_resp[] = {
1535  0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00,
1536  0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1537  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1538  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
1539  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1540  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1541  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1542  };
1543  uint32_t dcerpc_alter_context_resp_len = sizeof(dcerpc_alter_context_resp);
1544 
1545  uint8_t dcerpc_request1[] = {
1546  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1547  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1548  0x20, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1549  0xdd, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1550  };
1551  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1552 
1553  uint8_t dcerpc_response1[] = {
1554  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1555  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1556  0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1557  0x00, 0x00, 0x00, 0x00, 0xf5, 0x66, 0xbf, 0x54,
1558  0xc4, 0xdb, 0xdb, 0x4f, 0xa0, 0x01, 0x6d, 0xf4,
1559  0xf6, 0xa8, 0x44, 0xb3, 0x00, 0x00, 0x00, 0x00
1560  };
1561  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1562 
1563  uint8_t dcerpc_request2[] = {
1564  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1565  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1566  0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
1567  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
1568  };
1569  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1570 
1571  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1572 
1573  memset(&th_v, 0, sizeof(th_v));
1574  memset(&p, 0, sizeof(p));
1575  memset(&f, 0, sizeof(f));
1576  memset(&ssn, 0, sizeof(ssn));
1577 
1578  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1579 
1580  FLOW_INITIALIZE(&f);
1581  f.protoctx = (void *)&ssn;
1582  f.proto = IPPROTO_TCP;
1583  p->flow = &f;
1584  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1585  p->flowflags |= FLOW_PKT_TOSERVER;
1586  p->flowflags |= FLOW_PKT_ESTABLISHED;
1587  f.alproto = ALPROTO_DCERPC;
1588 
1589  StreamTcpInitConfig(TRUE);
1590 
1591  de_ctx = DetectEngineCtxInit();
1592  if (de_ctx == NULL)
1593  goto end;
1594 
1595  de_ctx->flags |= DE_QUIET;
1596 
1597  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1598  "(msg:\"DCERPC\"; "
1599  "dce_iface:57674cd0-5200-11ce-a897-08002b2e9c6d; "
1600  "sid:1;)");
1601  if (s == NULL)
1602  goto end;
1603 
1604  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1605  "(msg:\"DCERPC\"; "
1606  "dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; "
1607  "sid:2;)");
1608  if (s == NULL)
1609  goto end;
1610 
1611  SigGroupBuild(de_ctx);
1612  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1613 
1614  FLOWLOCK_WRLOCK(&f);
1615  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1616  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1617  dcerpc_bind_len);
1618  if (r != 0) {
1619  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1620  FLOWLOCK_UNLOCK(&f);
1621  goto end;
1622  }
1623  FLOWLOCK_UNLOCK(&f);
1624 
1625  dcerpc_state = f.alstate;
1626  if (dcerpc_state == NULL) {
1627  SCLogDebug("no dcerpc state: ");
1628  goto end;
1629  }
1630 
1631  /* do detect */
1632  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1633 
1634  if (PacketAlertCheck(p, 1))
1635  goto end;
1636  if (PacketAlertCheck(p, 2))
1637  goto end;
1638 
1639  FLOWLOCK_WRLOCK(&f);
1640  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1641  STREAM_TOCLIENT, dcerpc_bindack,
1642  dcerpc_bindack_len);
1643  if (r != 0) {
1644  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1645  FLOWLOCK_UNLOCK(&f);
1646  goto end;
1647  }
1648  FLOWLOCK_UNLOCK(&f);
1649 
1650  /* do detect */
1651  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1652 
1653  if (PacketAlertCheck(p, 1)) {
1654  printf("sig 1 matched but shouldn't have: ");
1655  goto end;
1656  }
1657  if (PacketAlertCheck(p, 2)) {
1658  printf("sig 1 matched but shouldn't have: ");
1659  goto end;
1660  }
1661 
1662  FLOWLOCK_WRLOCK(&f);
1663  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1664  STREAM_TOSERVER, dcerpc_alter_context,
1665  dcerpc_alter_context_len);
1666  if (r != 0) {
1667  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1668  FLOWLOCK_UNLOCK(&f);
1669  goto end;
1670  }
1671  FLOWLOCK_UNLOCK(&f);
1672 
1673  /* do detect */
1674  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1675 
1676  if (PacketAlertCheck(p, 1)) {
1677  printf("sig 1 matched but shouldn't have: ");
1678  goto end;
1679  }
1680  if (PacketAlertCheck(p, 2)) {
1681  printf("sig 1 matched but shouldn't have: ");
1682  goto end;
1683  }
1684 
1685  FLOWLOCK_WRLOCK(&f);
1686  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1687  STREAM_TOCLIENT, dcerpc_alter_context_resp,
1688  dcerpc_alter_context_resp_len);
1689  if (r != 0) {
1690  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1691  FLOWLOCK_UNLOCK(&f);
1692  goto end;
1693  }
1694  FLOWLOCK_UNLOCK(&f);
1695 
1696  /* do detect */
1697  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1698 
1699  if (PacketAlertCheck(p, 1)) {
1700  printf("sig 1 matched but shouldn't have: ");
1701  goto end;
1702  }
1703  if (PacketAlertCheck(p, 2)) {
1704  printf("sig 1 matched but shouldn't have: ");
1705  goto end;
1706  }
1707 
1708  FLOWLOCK_WRLOCK(&f);
1709  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1710  STREAM_TOSERVER, dcerpc_request1,
1711  dcerpc_request1_len);
1712  if (r != 0) {
1713  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1714  FLOWLOCK_UNLOCK(&f);
1715  goto end;
1716  }
1717  FLOWLOCK_UNLOCK(&f);
1718 
1719  /* do detect */
1720  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1721 
1722  if (!PacketAlertCheck(p, 1)) {
1723  printf("sig 1 matched but shouldn't have: ");
1724  goto end;
1725  }
1726  if (PacketAlertCheck(p, 2)) {
1727  printf("sig 1 matched but shouldn't have: ");
1728  goto end;
1729  }
1730 
1731  FLOWLOCK_WRLOCK(&f);
1732  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1733  STREAM_TOCLIENT, dcerpc_response1,
1734  dcerpc_response1_len);
1735  if (r != 0) {
1736  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1737  FLOWLOCK_UNLOCK(&f);
1738  goto end;
1739  }
1740  FLOWLOCK_UNLOCK(&f);
1741 
1742  /* do detect */
1743  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1744 
1745  if (PacketAlertCheck(p, 1)) {
1746  printf("sig 1 matched but shouldn't have: ");
1747  goto end;
1748  }
1749  if (PacketAlertCheck(p, 2)) {
1750  printf("sig 1 matched but shouldn't have: ");
1751  goto end;
1752  }
1753 
1754  FLOWLOCK_WRLOCK(&f);
1755  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1756  STREAM_TOSERVER, dcerpc_request2,
1757  dcerpc_request2_len);
1758  if (r != 0) {
1759  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1760  FLOWLOCK_UNLOCK(&f);
1761  goto end;
1762  }
1763  FLOWLOCK_UNLOCK(&f);
1764 
1765  /* do detect */
1766  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1767 
1768  if (PacketAlertCheck(p, 1)) {
1769  printf("sig 1 matched but shouldn't have: ");
1770  goto end;
1771  }
1772  if (!PacketAlertCheck(p, 2)) {
1773  printf("sig 1 matched but shouldn't have: ");
1774  goto end;
1775  }
1776 
1777  result = 1;
1778 
1779  end:
1780  if (alp_tctx != NULL)
1781  AppLayerParserThreadCtxFree(alp_tctx);
1782  SigGroupCleanup(de_ctx);
1783  SigCleanSignatures(de_ctx);
1784 
1785  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1786  DetectEngineCtxFree(de_ctx);
1787 
1788  StreamTcpFreeConfig(TRUE);
1789  FLOW_DESTROY(&f);
1790  UTHFreePackets(&p, 1);
1791  return result;
1792 }
1793 
1794 #endif
1795 
1796 static void DetectDceIfaceRegisterTests(void)
1797 {
1798 #ifdef UNITTESTS
1799  UtRegisterTest("DetectDceIfaceTestParse01", DetectDceIfaceTestParse01);
1800  UtRegisterTest("DetectDceIfaceTestParse02", DetectDceIfaceTestParse02);
1801  UtRegisterTest("DetectDceIfaceTestParse03", DetectDceIfaceTestParse03);
1802  UtRegisterTest("DetectDceIfaceTestParse04", DetectDceIfaceTestParse04);
1803  UtRegisterTest("DetectDceIfaceTestParse05", DetectDceIfaceTestParse05);
1804  UtRegisterTest("DetectDceIfaceTestParse06", DetectDceIfaceTestParse06);
1805  UtRegisterTest("DetectDceIfaceTestParse07", DetectDceIfaceTestParse07);
1806  UtRegisterTest("DetectDceIfaceTestParse08", DetectDceIfaceTestParse08);
1807  UtRegisterTest("DetectDceIfaceTestParse09", DetectDceIfaceTestParse09);
1808  UtRegisterTest("DetectDceIfaceTestParse10", DetectDceIfaceTestParse10);
1809  UtRegisterTest("DetectDceIfaceTestParse11", DetectDceIfaceTestParse11);
1810  UtRegisterTest("DetectDceIfaceTestParse12", DetectDceIfaceTestParse12);
1811  /* Disabled because of bug_753. Would be enabled, once we rewrite
1812  * dce parser */
1813 #if 0
1814  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
1815 #endif
1816  UtRegisterTest("DetectDceIfaceTestParse14", DetectDceIfaceTestParse14);
1817  UtRegisterTest("DetectDceIfaceTestParse15", DetectDceIfaceTestParse15);
1818 #endif
1819 }
app-layer-dcerpc.h
DCERPC_::dcerpchdr
DCERPCHdr dcerpchdr
Definition: app-layer-dcerpc-common.h:188
len
uint8_t len
Definition: app-layer-dnp3.h:4
detect-engine.h
detect-dce-iface.h
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1077
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
DETECT_DCE_IFACE_OP_NONE
@ DETECT_DCE_IFACE_OP_NONE
Definition: detect-dce-iface.h:30
SigTableElmt_::name
const char * name
Definition: detect.h:1201
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:2
DetectDceIfaceData_::any_frag
uint8_t any_frag
Definition: detect-dce-iface.h:41
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:444
DetectDceIfaceRegister
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
Definition: detect-dce-iface.c:73
DETECT_DCE_IFACE_OP_GT
@ DETECT_DCE_IFACE_OP_GT
Definition: detect-dce-iface.h:32
Flow_
Flow data structure.
Definition: flow.h:342
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1377
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:190
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1174
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
DETECT_DCE_IFACE_OP_LT
@ DETECT_DCE_IFACE_OP_LT
Definition: detect-dce-iface.h:31
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
DCERPCUuidEntry_::ctxid
uint16_t ctxid
Definition: app-layer-dcerpc-common.h:138
m
SCMutex m
Definition: flow-hash.h:5
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
DCERPC_UUID_ENTRY_FLAG_FF
#define DCERPC_UUID_ENTRY_FLAG_FF
Definition: app-layer-dcerpc-common.h:134
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:416
SigMatchData_
Data needed for Match()
Definition: detect.h:327
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
util-unittest.h
util-unittest-helper.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1533
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:260
STREAM_START
#define STREAM_START
Definition: stream.h:29
DCERPCBindBindAck_::accepted_uuid_list
DCERPCUuidEntryList accepted_uuid_list
Definition: app-layer-dcerpc-common.h:161
DCERPCRequest_::ctxid
uint16_t ctxid
Definition: app-layer-dcerpc-common.h:169
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
REQUEST
#define REQUEST
Definition: app-layer-dcerpc-common.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectEngineThreadCtx_
Definition: detect.h:1004
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:257
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectDceIfaceData_::uuid
uint8_t uuid[16]
Definition: detect-dce-iface.h:38
DCERPCUuidEntry_::result
uint16_t result
Definition: app-layer-dcerpc-common.h:140
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
DETECT_DCE_IFACE
@ DETECT_DCE_IFACE
Definition: detect-engine-register.h:170
DCERPCHdr_::type
uint8_t type
Definition: app-layer-dcerpc-common.h:100
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DCERPCRequest_::first_request_seen
uint8_t first_request_seen
Definition: app-layer-dcerpc-common.h:175
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-iface.c:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2316
DETECT_DCE_IFACE_OP_EQ
@ DETECT_DCE_IFACE_OP_EQ
Definition: detect-dce-iface.h:33
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
DETECT_DCE_IFACE_OP_NE
@ DETECT_DCE_IFACE_OP_NE
Definition: detect-dce-iface.h:34
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:816
flags
uint8_t flags
Definition: decode-gre.h:2
SigTableElmt_::alias
const char * alias
Definition: detect.h:1202
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1181
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
DetectDceIfaceData_::op
uint8_t op
Definition: detect-dce-iface.h:39
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
version
uint8_t version
Definition: decode-gre.h:3
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DCERPC_::dcerpcbindbindack
DCERPCBindBindAck dcerpcbindbindack
Definition: app-layer-dcerpc-common.h:189
Flow_::alstate
void * alstate
Definition: flow.h:454
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
DetectDceIfaceData_
Definition: detect-dce-iface.h:37
DCERPCUuidEntry_::uuid
uint8_t uuid[16]
Definition: app-layer-dcerpc-common.h:141
RESPONSE
#define RESPONSE
Definition: app-layer-dcerpc-common.h:40
DCERPCUuidEntry_::version
uint16_t version
Definition: app-layer-dcerpc-common.h:142
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1254
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:170
DCERPCUuidEntry_::flags
uint16_t flags
Definition: app-layer-dcerpc-common.h:144
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
DCERPCState_
Definition: app-layer-dcerpc.h:34
DetectDceIfaceData_::version
uint16_t version
Definition: detect-dce-iface.h:40
flow-var.h
DCERPCUuidEntry_
Definition: app-layer-dcerpc-common.h:137
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1075
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393