suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-dce-iface.h"
35 
36 #include "flow.h"
37 #include "flow-var.h"
38 #include "flow-util.h"
39 
40 #include "app-layer.h"
41 #include "app-layer-dcerpc.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #include "rust.h"
51 #include "rust-smb-detect-gen.h"
52 
53 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,(<|>|=|!)([0-9]{1,5}))?(?:\\s*,(any_frag))?\\s*$"
54 
55 static pcre *parse_regex = NULL;
56 static pcre_extra *parse_regex_study = NULL;
57 
58 static int DetectDceIfaceMatchRust(ThreadVars *t,
59  DetectEngineThreadCtx *det_ctx,
60  Flow *f, uint8_t flags, void *state, void *txv,
61  const Signature *s, const SigMatchCtx *m);
62 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
63 static void DetectDceIfaceFree(void *);
64 static void DetectDceIfaceRegisterTests(void);
65 static int g_dce_generic_list_id = 0;
66 
67 static int InspectDceGeneric(ThreadVars *tv,
68  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
69  const Signature *s, const SigMatchData *smd,
70  Flow *f, uint8_t flags, void *alstate,
71  void *txv, uint64_t tx_id);
72 
73 /**
74  * \brief Registers the keyword handlers for the "dce_iface" keyword.
75  */
76 void DetectDceIfaceRegister(void)
77 {
78  sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
79  sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
80  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
81  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
82  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
83  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
84 
85  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
86 
87  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
88 
89  DetectAppLayerInspectEngineRegister("dce_generic",
90  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
91  DetectAppLayerInspectEngineRegister("dce_generic",
92  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
93 
94  DetectAppLayerInspectEngineRegister("dce_generic",
95  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
96  DetectAppLayerInspectEngineRegister("dce_generic",
97  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
98 }
99 
100 static int InspectDceGeneric(ThreadVars *tv,
101  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
102  const Signature *s, const SigMatchData *smd,
103  Flow *f, uint8_t flags, void *alstate,
104  void *txv, uint64_t tx_id)
105 {
106  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
107  f, flags, alstate, txv, tx_id);
108 }
109 
110 
111 /**
112  * \internal
113  * \brief Parses the argument sent along with the "dce_iface" keyword.
114  *
115  * \param arg Pointer to the string containing the argument to be parsed.
116  *
117  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
118  * from the parsed arg.
119  */
120 static DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg)
121 {
122  DetectDceIfaceData *did = NULL;
123 #define MAX_SUBSTRINGS 30
124  int ret = 0, res = 0;
125  int ov[MAX_SUBSTRINGS];
126  uint8_t hex_value;
127  char copy_str[128] = "";
128  int i = 0, j = 0;
129  int len = 0;
130  char temp_str[3] = "";
131  int version;
132 
133  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
134  MAX_SUBSTRINGS);
135  if (ret < 2) {
136  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
137  goto error;
138  }
139 
140  if ( (did = SCMalloc(sizeof(DetectDceIfaceData))) == NULL)
141  goto error;
142  memset(did, 0, sizeof(DetectDceIfaceData));
143 
144  /* retrieve the iface uuid string. iface uuid is a compulsion in the keyword */
145  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 1, copy_str, sizeof(copy_str));
146  if (res < 0) {
147  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
148  goto error;
149  }
150 
151  /* parse the iface uuid string */
152  len = strlen(copy_str);
153  j = 0;
154  temp_str[2] = '\0';
155  for (i = 0; i < len; ) {
156  if (copy_str[i] == '-') {
157  i++;
158  continue;
159  }
160 
161  temp_str[0] = copy_str[i];
162  temp_str[1] = copy_str[i + 1];
163 
164  hex_value = strtol(temp_str, NULL, 16);
165  did->uuid[j] = hex_value;
166  i += 2;
167  j++;
168  }
169 
170  /* if the regex has 3 or 5, any_frag option is present in the signature */
171  if (ret == 3 || ret == 5)
172  did->any_frag = 1;
173 
174  /* if the regex has 4 or 5, version/operator is present in the signature */
175  if (ret == 4 || ret == 5) {
176  /* first handle the version number, so that we can do some additional
177  * validations of the version number, wrt. the operator */
178  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 3, copy_str, sizeof(copy_str));
179  if (res < 0) {
180  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
181  goto error;
182  }
183 
184  version = atoi(copy_str);
185  if (version > UINT16_MAX) {
186  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface version "
187  "invalid: %d\n", version);
188  goto error;
189  }
190  did->version = version;
191 
192  /* now let us handle the operator supplied with the version number */
193  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 2, copy_str, sizeof(copy_str));
194  if (res < 0) {
195  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
196  goto error;
197  }
198 
199  switch (copy_str[0]) {
200  case '<':
201  if (version == 0) {
202  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
203  "version invalid: %d. Version can't be less"
204  "than 0, with \"<\" operator", version);
205  goto error;
206  }
207 
208  did->op = DETECT_DCE_IFACE_OP_LT;
209  break;
210  case '>':
211  if (version == UINT16_MAX) {
212  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
213  "version invalid: %d. Version can't be greater"
214  "than %d, with \">\" operator", version,
215  UINT16_MAX);
216  goto error;
217  }
218 
219  did->op = DETECT_DCE_IFACE_OP_GT;
220  break;
221  case '=':
222  did->op = DETECT_DCE_IFACE_OP_EQ;
223  break;
224  case '!':
225  did->op = DETECT_DCE_IFACE_OP_NE;
226  break;
227  }
228  }
229 
230  return did;
231 
232  error:
233  if (did != NULL)
234  SCFree(did);
235  return NULL;
236 }
237 
238 /**
239  * \internal
240  * \brief Internal function that compares the dce interface version for this
241  * flow, to the signature's interface version specified using the
242  * dce_iface keyword.
243  *
244  * \param version The dce interface version for this flow.
245  * \param dce_data Pointer to the Signature's dce_iface keyword
246  * state(DetectDceIfaceData *).
247  */
248 static inline int DetectDceIfaceMatchIfaceVersion(const uint16_t version,
249  const DetectDceIfaceData *dce_data)
250 {
251  switch (dce_data->op) {
252  case DETECT_DCE_IFACE_OP_LT:
253  return (version < dce_data->version);
254  case DETECT_DCE_IFACE_OP_GT:
255  return (version > dce_data->version);
256  case DETECT_DCE_IFACE_OP_EQ:
257  return (version == dce_data->version);
258  case DETECT_DCE_IFACE_OP_NE:
259  return (version != dce_data->version);
260  default:
261  return 1;
262  }
263 }
264 
265 /**
266  * \brief App layer match function for the "dce_iface" keyword.
267  *
268  * \param t Pointer to the ThreadVars instance.
269  * \param det_ctx Pointer to the DetectEngineThreadCtx.
270  * \param f Pointer to the flow.
271  * \param flags Pointer to the flags indicating the flow direction.
272  * \param state Pointer to the app layer state data.
273  * \param s Pointer to the Signature instance.
274  * \param m Pointer to the SigMatch.
275  *
276  * \retval 1 On Match.
277  * \retval 0 On no match.
278  */
279 static int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
280  Flow *f, uint8_t flags, void *state, void *txv,
281  const Signature *s, const SigMatchCtx *m)
282 {
283  SCEnter();
284 
285  int ret = 0;
286  const DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
287 
288  DCERPCUuidEntry *item = NULL;
289  const DCERPCState *dcerpc_state = state;
290  if (dcerpc_state == NULL) {
291  SCLogDebug("No DCERPCState for the flow");
292  SCReturnInt(0);
293  }
294 
295  /* we still haven't seen a request */
296  if (!dcerpc_state->dcerpc.dcerpcrequest.first_request_seen)
297  goto end;
298 
299  if (!(dcerpc_state->dcerpc.dcerpchdr.type == REQUEST ||
300  dcerpc_state->dcerpc.dcerpchdr.type == RESPONSE))
301  goto end;
302 
303  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.accepted_uuid_list, next) {
304  SCLogDebug("item %p", item);
305  ret = 1;
306 
307  /* if any_frag is not enabled, we need to match only against the first
308  * fragment */
309  if (!dce_data->any_frag && !(item->flags & DCERPC_UUID_ENTRY_FLAG_FF))
310  continue;
311 
312  /* if the uuid has been rejected(item->result == 1), we skip to the
313  * next uuid */
314  if (item->result != 0)
315  continue;
316 
317  /* check the interface uuid */
318  for (int i = 0; i < 16; i++) {
319  if (dce_data->uuid[i] != item->uuid[i]) {
320  ret = 0;
321  break;
322  }
323  }
324  ret &= (item->ctxid == dcerpc_state->dcerpc.dcerpcrequest.ctxid);
325  if (ret == 0)
326  continue;
327 
328  /* check the interface version */
329  if (dce_data->op != DETECT_DCE_IFACE_OP_NONE &&
330  !DetectDceIfaceMatchIfaceVersion(item->version, dce_data)) {
331  ret &= 0;
332  }
333 
334  /* we have a match. Time to leave with a match */
335  if (ret == 1)
336  goto end;
337  }
338 
339 end:
340  SCReturnInt(ret);
341 }
342 
343 static int DetectDceIfaceMatchRust(ThreadVars *t,
344  DetectEngineThreadCtx *det_ctx,
345  Flow *f, uint8_t flags, void *state, void *txv,
346  const Signature *s, const SigMatchCtx *m)
347 {
348  SCEnter();
349 
350  if (f->alproto == ALPROTO_DCERPC) {
351  return DetectDceIfaceMatch(t, det_ctx, f, flags,
352  state, txv, s, m);
353  }
354 
355  int ret = 0;
356  DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
357 
358  if (rs_smb_tx_get_dce_iface(f->alstate, txv, dce_data->uuid, 16, dce_data->op, dce_data->version) != 1) {
359  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
360  } else {
361  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
362  ret = 1;
363  // TODO validate frag
364  }
365  SCReturnInt(ret);
366 }
367 
368 /**
369  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
370  * and appends it to the Signature(s).
371  *
372  * \param de_ctx Pointer to the detection engine context.
373  * \param s Pointer to signature for the current Signature being parsed
374  * from the rules.
375  * \param arg Pointer to the string holding the keyword value.
376  *
377  * \retval 0 on success, -1 on failure.
378  */
379 
380 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
381 {
382  DetectDceIfaceData *did = DetectDceIfaceArgParse(arg);
383  if (did == NULL) {
384  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dec_iface option in "
385  "signature");
386  return -1;
387  }
388 
389  SigMatch *sm = SigMatchAlloc();
390  if (sm == NULL) {
391  DetectDceIfaceFree(did);
392  return -1;
393  }
394 
395  sm->type = DETECT_DCE_IFACE;
396  sm->ctx = (void *)did;
397 
398  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
399  return 0;
400 }
401 
402 static void DetectDceIfaceFree(void *ptr)
403 {
404  SCFree(ptr);
405 
406  return;
407 }
408 
409 /************************************Unittests*********************************/
410 
411 #ifdef UNITTESTS
412 
413 static int DetectDceIfaceTestParse01(void)
414 {
415  SCEnter();
416 
417  Signature *s = SigAlloc();
418  if (s == NULL)
419  return 0;
420 
421  int result = 0;
422  DetectDceIfaceData *did = NULL;
423  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
424  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
425  SigMatch *temp = NULL;
426  int i = 0;
427 
428  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC") == 0);
429 
430  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
431  SCReturnInt(0);
432  }
433 
434  temp = s->sm_lists[g_dce_generic_list_id];
435  did = (DetectDceIfaceData *)temp->ctx;
436  if (did == NULL) {
437  SCReturnInt(0);
438  }
439 
440  result &= 1;
441  for (i = 0; i < 16; i++) {
442  if (did->uuid[i] != test_uuid[i]) {
443  result = 0;
444  break;
445  }
446  }
447 
448  result &= (did->version == 0);
449  result &= (did->op == 0);
450  result &= (did->any_frag == 0);
451 
452  SigFree(s);
453  SCReturnInt(result);
454 }
455 
456 static int DetectDceIfaceTestParse02(void)
457 {
458  SCEnter();
459 
460  Signature *s = SigAlloc();
461  if (s == NULL)
462  return 0;
463 
464  int result = 0;
465  DetectDceIfaceData *did = NULL;
466  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
467  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
468  SigMatch *temp = NULL;
469  int i = 0;
470 
471  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1") == 0);
472 
473  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
474  SCReturnInt(0);
475  }
476 
477  temp = s->sm_lists[g_dce_generic_list_id];
478  did = (DetectDceIfaceData *)temp->ctx;
479  if (did == NULL) {
480  SCReturnInt(0);
481  }
482 
483  result &= 1;
484  for (i = 0; i < 16; i++) {
485  if (did->uuid[i] != test_uuid[i]) {
486  result = 0;
487  break;
488  }
489  }
490 
491  result &= (did->version == 1);
492  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
493  result &= (did->any_frag == 0);
494 
495  SigFree(s);
496  SCReturnInt(result);
497 }
498 
499 static int DetectDceIfaceTestParse03(void)
500 {
501  SCEnter();
502 
503  Signature *s = SigAlloc();
504  if (s == NULL)
505  return 0;
506 
507  int result = 0;
508  DetectDceIfaceData *did = NULL;
509  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
510  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
511  SigMatch *temp = NULL;
512  int i = 0;
513 
514  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<10") == 0);
515 
516  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
517  SCReturnInt(0);
518  }
519 
520  temp = s->sm_lists[g_dce_generic_list_id];
521  did = (DetectDceIfaceData *)temp->ctx;
522  result &= 1;
523  for (i = 0; i < 16; i++) {
524  if (did->uuid[i] != test_uuid[i]) {
525  result = 0;
526  break;
527  }
528  }
529 
530  result &= (did->version == 10);
531  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
532  result &= (did->any_frag == 0);
533 
534  SigFree(s);
535  SCReturnInt(result);
536 }
537 
538 static int DetectDceIfaceTestParse04(void)
539 {
540  SCEnter();
541 
542  Signature *s = SigAlloc();
543  if (s == NULL)
544  return 0;
545 
546  int result = 0;
547  DetectDceIfaceData *did = NULL;
548  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
549  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
550  SigMatch *temp = NULL;
551  int i = 0;
552 
553  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!10") == 0);
554 
555  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
556  SCReturnInt(0);
557  }
558 
559  temp = s->sm_lists[g_dce_generic_list_id];
560  did = (DetectDceIfaceData *)temp->ctx;
561  if (did == NULL) {
562  SCReturnInt(0);
563  }
564 
565  result &= 1;
566  for (i = 0; i < 16; i++) {
567  if (did->uuid[i] != test_uuid[i]) {
568  result = 0;
569  break;
570  }
571  }
572 
573  result &= (did->version == 10);
574  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
575  result &= (did->any_frag == 0);
576 
577  SigFree(s);
578  SCReturnInt(result);
579 }
580 
581 static int DetectDceIfaceTestParse05(void)
582 {
583  SCEnter();
584 
585  Signature *s = SigAlloc();
586  int result = 0;
587  DetectDceIfaceData *did = NULL;
588  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
589  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
590  SigMatch *temp = NULL;
591  int i = 0;
592 
593  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=10") == 0);
594 
595  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
596  SCReturnInt(0);
597  }
598 
599  temp = s->sm_lists[g_dce_generic_list_id];
600  did = (DetectDceIfaceData *)temp->ctx;
601  if (did == NULL) {
602  SCReturnInt(0);
603  }
604 
605  result &= 1;
606  for (i = 0; i < 16; i++) {
607  if (did->uuid[i] != test_uuid[i]) {
608  result = 0;
609  break;
610  }
611  }
612 
613  result &= (did->version == 10);
614  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
615  result &= (did->any_frag == 0);
616 
617  SigFree(s);
618  SCReturnInt(result);
619 }
620 
621 static int DetectDceIfaceTestParse06(void)
622 {
623  SCEnter();
624 
625  Signature *s = SigAlloc();
626  if (s == NULL)
627  return 0;
628 
629  int result = 0;
630  DetectDceIfaceData *did = NULL;
631  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
632  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
633  SigMatch *temp = NULL;
634  int i = 0;
635 
636  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,any_frag") == 0);
637 
638  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
639  SCReturnInt(0);
640  }
641 
642  temp = s->sm_lists[g_dce_generic_list_id];
643  did = (DetectDceIfaceData *)temp->ctx;
644  if (did == NULL) {
645  SCReturnInt(0);
646  }
647 
648  result &= 1;
649  for (i = 0; i < 16; i++) {
650  if (did->uuid[i] != test_uuid[i]) {
651  result = 0;
652  break;
653  }
654  }
655 
656  result &= (did->version == 0);
657  result &= (did->op == 0);
658  result &= (did->any_frag == 1);
659 
660  SigFree(s);
661  SCReturnInt(result);
662 }
663 
664 static int DetectDceIfaceTestParse07(void)
665 {
666  SCEnter();
667 
668  Signature *s = SigAlloc();
669  if (s == NULL)
670  return 0;
671 
672  int result = 0;
673  DetectDceIfaceData *did = NULL;
674  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
675  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
676  SigMatch *temp = NULL;
677  int i = 0;
678 
679  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,any_frag") == 0);
680 
681  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
682  SCReturnInt(0);
683  }
684 
685  temp = s->sm_lists[g_dce_generic_list_id];
686  did = (DetectDceIfaceData *)temp->ctx;
687  if (did == NULL) {
688  SCReturnInt(0);
689  }
690 
691  result &= 1;
692  for (i = 0; i < 16; i++) {
693  if (did->uuid[i] != test_uuid[i]) {
694  result = 0;
695  break;
696  }
697  }
698 
699  result &= (did->version == 1);
700  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
701  result &= (did->any_frag == 1);
702 
703  SigFree(s);
704  SCReturnInt(result);
705 }
706 
707 static int DetectDceIfaceTestParse08(void)
708 {
709  Signature *s = SigAlloc();
710  if (s == NULL)
711  return 0;
712 
713  int result = 0;
714  DetectDceIfaceData *did = NULL;
715  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
716  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
717  SigMatch *temp = NULL;
718  int i = 0;
719 
720  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<1,any_frag") == 0);
721 
722  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
723  SCReturnInt(0);
724  }
725 
726  temp = s->sm_lists[g_dce_generic_list_id];
727  did = (DetectDceIfaceData *)temp->ctx;
728  if (did == NULL) {
729  SCReturnInt(0);
730  }
731 
732  result &= 1;
733  for (i = 0; i < 16; i++) {
734  if (did->uuid[i] != test_uuid[i]) {
735  result = 0;
736  break;
737  }
738  }
739 
740  result &= (did->version == 1);
741  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
742  result &= (did->any_frag == 1);
743 
744  SigFree(s);
745  SCReturnInt(result);
746 }
747 
748 static int DetectDceIfaceTestParse09(void)
749 {
750  SCEnter();
751 
752  Signature *s = SigAlloc();
753  if (s == NULL)
754  return 0;
755 
756  int result = 0;
757  DetectDceIfaceData *did = NULL;
758  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
759  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
760  SigMatch *temp = NULL;
761  int i = 0;
762 
763  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=1,any_frag") == 0);
764 
765  temp = s->sm_lists[g_dce_generic_list_id];
766  did = (DetectDceIfaceData *)temp->ctx;
767  if (did == NULL) {
768  SCReturnInt(0);
769  }
770 
771  result &= 1;
772  for (i = 0; i < 16; i++) {
773  if (did->uuid[i] != test_uuid[i]) {
774  result = 0;
775  break;
776  }
777  }
778 
779  result &= (did->version == 1);
780  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
781  result &= (did->any_frag == 1);
782 
783  SigFree(s);
784  SCReturnInt(result);
785 }
786 
787 static int DetectDceIfaceTestParse10(void)
788 {
789  SCEnter();
790 
791  Signature *s = SigAlloc();
792  if (s == NULL)
793  return 0;
794 
795  int result = 0;
796  DetectDceIfaceData *did = NULL;
797  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
798  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
799  SigMatch *temp = NULL;
800  int i = 0;
801 
802  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!1,any_frag") == 0);
803 
804  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
805  SCReturnInt(0);
806  }
807 
808  temp = s->sm_lists[g_dce_generic_list_id];
809  did = (DetectDceIfaceData *)temp->ctx;
810  if (did == NULL) {
811  SCReturnInt(0);
812  }
813 
814  result &= 1;
815  for (i = 0; i < 16; i++) {
816  if (did->uuid[i] != test_uuid[i]) {
817  result = 0;
818  break;
819  }
820  }
821 
822  result &= (did->version == 1);
823  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
824  result &= (did->any_frag == 1);
825 
826  SigFree(s);
827  SCReturnInt(result);
828 }
829 
830 static int DetectDceIfaceTestParse11(void)
831 {
832  SCEnter();
833 
834  Signature *s = SigAlloc();
835  if (s == NULL)
836  return 0;
837 
838  int result = 1;
839 
840  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,ay_frag") == -1);
841  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-12345679ABC,>1,any_frag") == -1);
842  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-134-123456789ABC,>1,any_frag") == -1);
843  result &= (DetectDceIfaceSetup(NULL, s, "12345678-123-124-1234-123456789ABC,>1,any_frag") == -1);
844  result &= (DetectDceIfaceSetup(NULL, s, "1234568-1234-1234-1234-123456789ABC,>1,any_frag") == -1);
845  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65536,any_frag") == -1);
846  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>=1,any_frag") == -1);
847  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<0,any_frag") == -1);
848  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65535,any_frag") == -1);
849 
850  SigFree(s);
851  return result;
852 }
853 
854 /**
855  * \test Test a valid dce_iface entry for a bind and bind_ack
856  */
857 static int DetectDceIfaceTestParse12(void)
858 {
859  Signature *s = NULL;
860  ThreadVars th_v;
861  Packet *p = NULL;
862  Flow f;
863  TcpSession ssn;
864  DetectEngineThreadCtx *det_ctx = NULL;
865  DetectEngineCtx *de_ctx = NULL;
866  DCERPCState *dcerpc_state = NULL;
867  int r = 0;
868 
869  uint8_t dcerpc_bind[] = {
870  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
871  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
872  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
873  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
874  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
875  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
876  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
877  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
878  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
879  };
880 
881  uint8_t dcerpc_bindack[] = {
882  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
883  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
884  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
885  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
886  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
887  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
888  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
889  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
890  0x02, 0x00, 0x00, 0x00
891  };
892 
893  uint8_t dcerpc_request[] = {
894  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
895  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
896  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
897  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
898  };
899 
900  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
901  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
902  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
903 
904  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
905 
906  memset(&th_v, 0, sizeof(th_v));
907  memset(&f, 0, sizeof(f));
908  memset(&ssn, 0, sizeof(ssn));
909 
910  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
911 
912  FLOW_INITIALIZE(&f);
913  f.protoctx = (void *)&ssn;
914  f.proto = IPPROTO_TCP;
915  p->flow = &f;
916  p->flowflags |= FLOW_PKT_TOSERVER;
917  p->flowflags |= FLOW_PKT_ESTABLISHED;
918  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
919  f.alproto = ALPROTO_DCERPC;
920 
921  StreamTcpInitConfig(TRUE);
922 
923  de_ctx = DetectEngineCtxInit();
924  FAIL_IF(de_ctx == NULL);
925  de_ctx->flags |= DE_QUIET;
926 
927  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
928  "(msg:\"DCERPC\"; "
929  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; "
930  "sid:1;)");
931  FAIL_IF(s == NULL);
932 
933  SigGroupBuild(de_ctx);
934  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
935 
936  SCLogDebug("handling to_server chunk");
937 
938  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
939  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
940  dcerpc_bind_len);
941  FAIL_IF(r != 0);
942 
943  dcerpc_state = f.alstate;
944  FAIL_IF(dcerpc_state == NULL);
945 
946  /* do detect */
947  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
948  FAIL_IF(PacketAlertCheck(p, 1));
949 
950  SCLogDebug("handling to_client chunk");
951 
952  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
953  STREAM_TOCLIENT, dcerpc_bindack,
954  dcerpc_bindack_len);
955  FAIL_IF(r != 0);
956 
957  /* do detect */
958  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
959  FAIL_IF(PacketAlertCheck(p, 1));
960 
961  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
962  STREAM_TOCLIENT, dcerpc_request,
963  dcerpc_request_len);
964  FAIL_IF(r != 0);
965 
966  /* do detect */
967  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
968 
969  FAIL_IF(!PacketAlertCheck(p, 1));
970  if (alp_tctx != NULL)
971  AppLayerParserThreadCtxFree(alp_tctx);
972  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
973  DetectEngineCtxFree(de_ctx);
974  StreamTcpFreeConfig(TRUE);
975  FLOW_DESTROY(&f);
976  UTHFreePackets(&p, 1);
977  PASS;
978 }
979 
980 /* Disabled because of bug_753. Would be enabled, once we rewrite
981  * dce parser */
982 #if 0
983 
984 /**
985  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
986  */
987 static int DetectDceIfaceTestParse13(void)
988 {
989  int result = 0;
990  Signature *s = NULL;
991  ThreadVars th_v;
992  Packet *p = NULL;
993  Flow f;
994  TcpSession ssn;
995  DetectEngineThreadCtx *det_ctx = NULL;
996  DetectEngineCtx *de_ctx = NULL;
997  DCERPCState *dcerpc_state = NULL;
998  int r = 0;
999 
1000  uint8_t dcerpc_bind[] = {
1001  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1002  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1003  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1004  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1005  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1006  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1007  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1008  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1009  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1010  };
1011 
1012  uint8_t dcerpc_bindack[] = {
1013  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1014  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1015  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1016  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1017  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1018  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1019  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1020  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1021  0x02, 0x00, 0x00, 0x00,
1022  };
1023 
1024  uint8_t dcerpc_request1[] = {
1025  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1026  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1027  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1028  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1029  0x00, 0x00, 0x00, 0x02,
1030  };
1031 
1032  uint8_t dcerpc_response1[] = {
1033  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1034  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1035  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1036  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1037  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1038  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1039  };
1040 
1041  uint8_t dcerpc_request2[] = {
1042  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1043  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1044  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1045  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1046  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1047  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1048  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1049  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1050  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1051  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1052  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1053  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1054  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1055  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1056  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1057  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1058  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1059  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1060  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1061  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1062  0x03, 0x00, 0x00, 0x00,
1063  };
1064 
1065  uint8_t dcerpc_response2[] = {
1066  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1067  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1068  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1070  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1071  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1072  };
1073 
1074  uint8_t dcerpc_request3[] = {
1075  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1076  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1077  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1078  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1079  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1080  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1081  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1082  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1083  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1084  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1085  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1086  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1087  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1088  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1089  };
1090 
1091  uint8_t dcerpc_response3[] = {
1092  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1093  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1094  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1095  0x00, 0x00, 0x00, 0x00,
1096  };
1097 
1098  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1099  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1100 
1101  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1102  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1103 
1104  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1105  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1106 
1107  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1108  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1109 
1110  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1111 
1112  memset(&th_v, 0, sizeof(th_v));
1113  memset(&p, 0, sizeof(p));
1114  memset(&f, 0, sizeof(f));
1115  memset(&ssn, 0, sizeof(ssn));
1116 
1117  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1118 
1119  FLOW_INITIALIZE(&f);
1120  f.protoctx = (void *)&ssn;
1121  f.proto = IPPROTO_TCP;
1122  p->flow = &f;
1123  p->flowflags |= FLOW_PKT_TOSERVER;
1124  p->flowflags |= FLOW_PKT_ESTABLISHED;
1125  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1126  f.alproto = ALPROTO_DCERPC;
1127 
1128  StreamTcpInitConfig(TRUE);
1129 
1130  de_ctx = DetectEngineCtxInit();
1131  if (de_ctx == NULL)
1132  goto end;
1133 
1134  de_ctx->flags |= DE_QUIET;
1135 
1136  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
1137  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
1138  if (s == NULL)
1139  goto end;
1140 
1141  SigGroupBuild(de_ctx);
1142  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1143 
1144  SCLogDebug("chunk 1, bind");
1145 
1146  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1147  dcerpc_bind, dcerpc_bind_len);
1148  if (r != 0) {
1149  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1150  goto end;
1151  }
1152 
1153  dcerpc_state = f.alstate;
1154  if (dcerpc_state == NULL) {
1155  SCLogDebug("no dcerpc state: ");
1156  goto end;
1157  }
1158 
1159  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1160  p->flowflags |= FLOW_PKT_TOSERVER;
1161  /* do detect */
1162  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1163 
1164  if (PacketAlertCheck(p, 1)) {
1165  printf("sig 1 didn't match after bind request: ");
1166  goto end;
1167  }
1168 
1169  SCLogDebug("chunk 2, bind_ack");
1170 
1171  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
1172  dcerpc_bindack_len);
1173  if (r != 0) {
1174  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1175  goto end;
1176  }
1177 
1178  p->flowflags &=~ FLOW_PKT_TOSERVER;
1179  p->flowflags |= FLOW_PKT_TOCLIENT;
1180  /* do detect */
1181  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1182 
1183  if (PacketAlertCheck(p, 1)) {
1184  printf("sig 1 matched again after bind ack: ");
1185  goto end;
1186  }
1187 
1188  SCLogDebug("chunk 3, request 1");
1189 
1190  /* request1 */
1191  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
1192  dcerpc_request1_len);
1193  if (r != 0) {
1194  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1195  goto end;
1196  }
1197 
1198  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1199  p->flowflags |= FLOW_PKT_TOSERVER;
1200  /* do detect */
1201  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1202 
1203  if (!(PacketAlertCheck(p, 1))) {
1204  printf("sig 1 didn't match after request1: ");
1205  goto end;
1206  }
1207 
1208  SCLogDebug("sending response1");
1209 
1210  /* response1 */
1211  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
1212  dcerpc_response1_len);
1213  if (r != 0) {
1214  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1215  goto end;
1216  }
1217 
1218  p->flowflags &=~ FLOW_PKT_TOSERVER;
1219  p->flowflags |= FLOW_PKT_TOCLIENT;
1220  /* do detect */
1221  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1222 
1223  if (PacketAlertCheck(p, 1)) {
1224  printf("sig 1 matched after response1, but shouldn't: ");
1225  goto end;
1226  }
1227 
1228  SCLogDebug("sending request2");
1229 
1230  /* request2 */
1231  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
1232  dcerpc_request2_len);
1233  if (r != 0) {
1234  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1235  goto end;
1236  }
1237 
1238  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1239  p->flowflags |= FLOW_PKT_TOSERVER;
1240  /* do detect */
1241  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1242 
1243  if (!(PacketAlertCheck(p, 1))) {
1244  printf("sig 1 didn't match after request2: ");
1245  goto end;
1246  }
1247 
1248  /* response2 */
1249  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
1250  dcerpc_response2_len);
1251  if (r != 0) {
1252  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1253  goto end;
1254  }
1255 
1256  p->flowflags &=~ FLOW_PKT_TOSERVER;
1257  p->flowflags |= FLOW_PKT_TOCLIENT;
1258  /* do detect */
1259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1260 
1261  if (PacketAlertCheck(p, 1)) {
1262  printf("sig 1 matched after response2, but shouldn't have: ");
1263  goto end;
1264  }
1265 
1266  /* request3 */
1267  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
1268  dcerpc_request3_len);
1269  if (r != 0) {
1270  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1271  goto end;
1272  }
1273 
1274  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1275  p->flowflags |= FLOW_PKT_TOSERVER;
1276  /* do detect */
1277  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1278 
1279  if (!(PacketAlertCheck(p, 1))) {
1280  printf("sig 1 didn't match after request3: ");
1281  goto end;
1282  }
1283 
1284  /* response3 */
1285  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
1286  dcerpc_response3, dcerpc_response3_len);
1287  if (r != 0) {
1288  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1289  goto end;
1290  }
1291 
1292  p->flowflags &=~ FLOW_PKT_TOSERVER;
1293  p->flowflags |= FLOW_PKT_TOCLIENT;
1294  /* do detect */
1295  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1296 
1297  if (PacketAlertCheck(p, 1)) {
1298  printf("sig 1 matched after response3, but shouldn't have: ");
1299  goto end;
1300  }
1301 
1302  result = 1;
1303 
1304  end:
1305  if (alp_tctx != NULL)
1306  AppLayerParserThreadCtxFree(alp_tctx);
1307  SigGroupCleanup(de_ctx);
1308  SigCleanSignatures(de_ctx);
1309 
1310  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1311  DetectEngineCtxFree(de_ctx);
1312 
1313  StreamTcpFreeConfig(TRUE);
1314  UTHFreePackets(&p, 1);
1315  return result;
1316 }
1317 
1318 #endif
1319 
1320 /**
1321  * \test Test a valid dce_iface entry for a bind and bind_ack
1322  */
1323 static int DetectDceIfaceTestParse14(void)
1324 {
1325  int result = 0;
1326  Signature *s = NULL;
1327  ThreadVars th_v;
1328  Packet *p = NULL;
1329  Flow f;
1330  TcpSession ssn;
1331  DetectEngineThreadCtx *det_ctx = NULL;
1332  DetectEngineCtx *de_ctx = NULL;
1333  DCERPCState *dcerpc_state = NULL;
1334  int r = 0;
1335 
1336  uint8_t dcerpc_bind[] = {
1337  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1338  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1339  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1340  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1341  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
1342  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
1343  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1344  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1345  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1346  };
1347 
1348  uint8_t dcerpc_bindack[] = {
1349  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1350  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1351  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
1352  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1353  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
1354  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1355  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1356  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1357  0x02, 0x00, 0x00, 0x00
1358  };
1359 
1360  uint8_t dcerpc_request[] = {
1361  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
1362  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1363  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1364  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1365  };
1366 
1367  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1368  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1369  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1370 
1371  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1372 
1373  memset(&th_v, 0, sizeof(th_v));
1374  memset(&p, 0, sizeof(p));
1375  memset(&f, 0, sizeof(f));
1376  memset(&ssn, 0, sizeof(ssn));
1377 
1378  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1379 
1380  FLOW_INITIALIZE(&f);
1381  f.protoctx = (void *)&ssn;
1382  f.proto = IPPROTO_TCP;
1383  p->flow = &f;
1384  p->flowflags |= FLOW_PKT_TOSERVER;
1385  p->flowflags |= FLOW_PKT_ESTABLISHED;
1386  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1387  f.alproto = ALPROTO_DCERPC;
1388 
1389  StreamTcpInitConfig(TRUE);
1390 
1391  de_ctx = DetectEngineCtxInit();
1392  if (de_ctx == NULL)
1393  goto end;
1394 
1395  de_ctx->flags |= DE_QUIET;
1396 
1397  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1398  "(msg:\"DCERPC\"; "
1399  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0; "
1400  "sid:1;)");
1401  if (s == NULL)
1402  goto end;
1403 
1404  SigGroupBuild(de_ctx);
1405  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1406 
1407  FLOWLOCK_WRLOCK(&f);
1408  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1409  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1410  dcerpc_bind_len);
1411  if (r != 0) {
1412  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1413  FLOWLOCK_UNLOCK(&f);
1414  goto end;
1415  }
1416  FLOWLOCK_UNLOCK(&f);
1417 
1418  dcerpc_state = f.alstate;
1419  if (dcerpc_state == NULL) {
1420  SCLogDebug("no dcerpc state: ");
1421  goto end;
1422  }
1423 
1424  /* do detect */
1425  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1426 
1427  if (PacketAlertCheck(p, 1))
1428  goto end;
1429 
1430  FLOWLOCK_WRLOCK(&f);
1431  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1432  STREAM_TOCLIENT, dcerpc_bindack,
1433  dcerpc_bindack_len);
1434  if (r != 0) {
1435  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1436  FLOWLOCK_UNLOCK(&f);
1437  goto end;
1438  }
1439  FLOWLOCK_UNLOCK(&f);
1440 
1441  /* do detect */
1442  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1443 
1444  if (PacketAlertCheck(p, 1)) {
1445  printf("sig 1 matched but shouldn't have: ");
1446  goto end;
1447  }
1448 
1449  FLOWLOCK_WRLOCK(&f);
1450  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1451  STREAM_TOCLIENT, dcerpc_request,
1452  dcerpc_request_len);
1453  if (r != 0) {
1454  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1455  FLOWLOCK_UNLOCK(&f);
1456  goto end;
1457  }
1458  FLOWLOCK_UNLOCK(&f);
1459 
1460  /* do detect */
1461  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1462 
1463  if (!PacketAlertCheck(p, 1)) {
1464  printf("sig 1 matched but shouldn't have: ");
1465  goto end;
1466  }
1467 
1468  result = 1;
1469 
1470  end:
1471  if (alp_tctx != NULL)
1472  AppLayerParserThreadCtxFree(alp_tctx);
1473  SigGroupCleanup(de_ctx);
1474  SigCleanSignatures(de_ctx);
1475 
1476  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1477  DetectEngineCtxFree(de_ctx);
1478 
1479  StreamTcpFreeConfig(TRUE);
1480  FLOW_DESTROY(&f);
1481  UTHFreePackets(&p, 1);
1482  return result;
1483 }
1484 
1485 /**
1486  * \test Test a valid dce_iface entry for a bind and bind_ack
1487  */
1488 static int DetectDceIfaceTestParse15(void)
1489 {
1490  int result = 0;
1491  Signature *s = NULL;
1492  ThreadVars th_v;
1493  Packet *p = NULL;
1494  Flow f;
1495  TcpSession ssn;
1496  DetectEngineThreadCtx *det_ctx = NULL;
1497  DetectEngineCtx *de_ctx = NULL;
1498  DCERPCState *dcerpc_state = NULL;
1499  int r = 0;
1500 
1501  uint8_t dcerpc_bind[] = {
1502  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1503  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1504  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1505  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1506  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
1507  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1508  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1509  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1510  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1511  };
1512  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1513 
1514  uint8_t dcerpc_bindack[] = {
1515  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1516  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1517  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1518  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
1519  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
1520  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1521  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1522  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1523  0x02, 0x00, 0x00, 0x00
1524  };
1525  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1526 
1527  uint8_t dcerpc_alter_context[] = {
1528  0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
1529  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1530  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1531  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
1532  0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11,
1533  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1534  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1535  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1536  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1537  };
1538  uint32_t dcerpc_alter_context_len = sizeof(dcerpc_alter_context);
1539 
1540  uint8_t dcerpc_alter_context_resp[] = {
1541  0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00,
1542  0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1543  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1544  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
1545  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1546  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1547  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1548  };
1549  uint32_t dcerpc_alter_context_resp_len = sizeof(dcerpc_alter_context_resp);
1550 
1551  uint8_t dcerpc_request1[] = {
1552  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1553  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1554  0x20, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1555  0xdd, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1556  };
1557  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1558 
1559  uint8_t dcerpc_response1[] = {
1560  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1561  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1562  0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1563  0x00, 0x00, 0x00, 0x00, 0xf5, 0x66, 0xbf, 0x54,
1564  0xc4, 0xdb, 0xdb, 0x4f, 0xa0, 0x01, 0x6d, 0xf4,
1565  0xf6, 0xa8, 0x44, 0xb3, 0x00, 0x00, 0x00, 0x00
1566  };
1567  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1568 
1569  uint8_t dcerpc_request2[] = {
1570  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1571  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1572  0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
1573  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
1574  };
1575  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1576 
1577  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1578 
1579  memset(&th_v, 0, sizeof(th_v));
1580  memset(&p, 0, sizeof(p));
1581  memset(&f, 0, sizeof(f));
1582  memset(&ssn, 0, sizeof(ssn));
1583 
1584  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1585 
1586  FLOW_INITIALIZE(&f);
1587  f.protoctx = (void *)&ssn;
1588  f.proto = IPPROTO_TCP;
1589  p->flow = &f;
1590  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1591  p->flowflags |= FLOW_PKT_TOSERVER;
1592  p->flowflags |= FLOW_PKT_ESTABLISHED;
1593  f.alproto = ALPROTO_DCERPC;
1594 
1595  StreamTcpInitConfig(TRUE);
1596 
1597  de_ctx = DetectEngineCtxInit();
1598  if (de_ctx == NULL)
1599  goto end;
1600 
1601  de_ctx->flags |= DE_QUIET;
1602 
1603  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1604  "(msg:\"DCERPC\"; "
1605  "dce_iface:57674cd0-5200-11ce-a897-08002b2e9c6d; "
1606  "sid:1;)");
1607  if (s == NULL)
1608  goto end;
1609 
1610  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1611  "(msg:\"DCERPC\"; "
1612  "dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; "
1613  "sid:2;)");
1614  if (s == NULL)
1615  goto end;
1616 
1617  SigGroupBuild(de_ctx);
1618  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1619 
1620  FLOWLOCK_WRLOCK(&f);
1621  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1622  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1623  dcerpc_bind_len);
1624  if (r != 0) {
1625  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1626  FLOWLOCK_UNLOCK(&f);
1627  goto end;
1628  }
1629  FLOWLOCK_UNLOCK(&f);
1630 
1631  dcerpc_state = f.alstate;
1632  if (dcerpc_state == NULL) {
1633  SCLogDebug("no dcerpc state: ");
1634  goto end;
1635  }
1636 
1637  /* do detect */
1638  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1639 
1640  if (PacketAlertCheck(p, 1))
1641  goto end;
1642  if (PacketAlertCheck(p, 2))
1643  goto end;
1644 
1645  FLOWLOCK_WRLOCK(&f);
1646  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1647  STREAM_TOCLIENT, dcerpc_bindack,
1648  dcerpc_bindack_len);
1649  if (r != 0) {
1650  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1651  FLOWLOCK_UNLOCK(&f);
1652  goto end;
1653  }
1654  FLOWLOCK_UNLOCK(&f);
1655 
1656  /* do detect */
1657  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1658 
1659  if (PacketAlertCheck(p, 1)) {
1660  printf("sig 1 matched but shouldn't have: ");
1661  goto end;
1662  }
1663  if (PacketAlertCheck(p, 2)) {
1664  printf("sig 1 matched but shouldn't have: ");
1665  goto end;
1666  }
1667 
1668  FLOWLOCK_WRLOCK(&f);
1669  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1670  STREAM_TOSERVER, dcerpc_alter_context,
1671  dcerpc_alter_context_len);
1672  if (r != 0) {
1673  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1674  FLOWLOCK_UNLOCK(&f);
1675  goto end;
1676  }
1677  FLOWLOCK_UNLOCK(&f);
1678 
1679  /* do detect */
1680  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1681 
1682  if (PacketAlertCheck(p, 1)) {
1683  printf("sig 1 matched but shouldn't have: ");
1684  goto end;
1685  }
1686  if (PacketAlertCheck(p, 2)) {
1687  printf("sig 1 matched but shouldn't have: ");
1688  goto end;
1689  }
1690 
1691  FLOWLOCK_WRLOCK(&f);
1692  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1693  STREAM_TOCLIENT, dcerpc_alter_context_resp,
1694  dcerpc_alter_context_resp_len);
1695  if (r != 0) {
1696  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1697  FLOWLOCK_UNLOCK(&f);
1698  goto end;
1699  }
1700  FLOWLOCK_UNLOCK(&f);
1701 
1702  /* do detect */
1703  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1704 
1705  if (PacketAlertCheck(p, 1)) {
1706  printf("sig 1 matched but shouldn't have: ");
1707  goto end;
1708  }
1709  if (PacketAlertCheck(p, 2)) {
1710  printf("sig 1 matched but shouldn't have: ");
1711  goto end;
1712  }
1713 
1714  FLOWLOCK_WRLOCK(&f);
1715  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1716  STREAM_TOSERVER, dcerpc_request1,
1717  dcerpc_request1_len);
1718  if (r != 0) {
1719  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1720  FLOWLOCK_UNLOCK(&f);
1721  goto end;
1722  }
1723  FLOWLOCK_UNLOCK(&f);
1724 
1725  /* do detect */
1726  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1727 
1728  if (!PacketAlertCheck(p, 1)) {
1729  printf("sig 1 matched but shouldn't have: ");
1730  goto end;
1731  }
1732  if (PacketAlertCheck(p, 2)) {
1733  printf("sig 1 matched but shouldn't have: ");
1734  goto end;
1735  }
1736 
1737  FLOWLOCK_WRLOCK(&f);
1738  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1739  STREAM_TOCLIENT, dcerpc_response1,
1740  dcerpc_response1_len);
1741  if (r != 0) {
1742  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1743  FLOWLOCK_UNLOCK(&f);
1744  goto end;
1745  }
1746  FLOWLOCK_UNLOCK(&f);
1747 
1748  /* do detect */
1749  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1750 
1751  if (PacketAlertCheck(p, 1)) {
1752  printf("sig 1 matched but shouldn't have: ");
1753  goto end;
1754  }
1755  if (PacketAlertCheck(p, 2)) {
1756  printf("sig 1 matched but shouldn't have: ");
1757  goto end;
1758  }
1759 
1760  FLOWLOCK_WRLOCK(&f);
1761  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1762  STREAM_TOSERVER, dcerpc_request2,
1763  dcerpc_request2_len);
1764  if (r != 0) {
1765  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1766  FLOWLOCK_UNLOCK(&f);
1767  goto end;
1768  }
1769  FLOWLOCK_UNLOCK(&f);
1770 
1771  /* do detect */
1772  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1773 
1774  if (PacketAlertCheck(p, 1)) {
1775  printf("sig 1 matched but shouldn't have: ");
1776  goto end;
1777  }
1778  if (!PacketAlertCheck(p, 2)) {
1779  printf("sig 1 matched but shouldn't have: ");
1780  goto end;
1781  }
1782 
1783  result = 1;
1784 
1785  end:
1786  if (alp_tctx != NULL)
1787  AppLayerParserThreadCtxFree(alp_tctx);
1788  SigGroupCleanup(de_ctx);
1789  SigCleanSignatures(de_ctx);
1790 
1791  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1792  DetectEngineCtxFree(de_ctx);
1793 
1794  StreamTcpFreeConfig(TRUE);
1795  FLOW_DESTROY(&f);
1796  UTHFreePackets(&p, 1);
1797  return result;
1798 }
1799 
1800 #endif
1801 
1802 static void DetectDceIfaceRegisterTests(void)
1803 {
1804 #ifdef UNITTESTS
1805  UtRegisterTest("DetectDceIfaceTestParse01", DetectDceIfaceTestParse01);
1806  UtRegisterTest("DetectDceIfaceTestParse02", DetectDceIfaceTestParse02);
1807  UtRegisterTest("DetectDceIfaceTestParse03", DetectDceIfaceTestParse03);
1808  UtRegisterTest("DetectDceIfaceTestParse04", DetectDceIfaceTestParse04);
1809  UtRegisterTest("DetectDceIfaceTestParse05", DetectDceIfaceTestParse05);
1810  UtRegisterTest("DetectDceIfaceTestParse06", DetectDceIfaceTestParse06);
1811  UtRegisterTest("DetectDceIfaceTestParse07", DetectDceIfaceTestParse07);
1812  UtRegisterTest("DetectDceIfaceTestParse08", DetectDceIfaceTestParse08);
1813  UtRegisterTest("DetectDceIfaceTestParse09", DetectDceIfaceTestParse09);
1814  UtRegisterTest("DetectDceIfaceTestParse10", DetectDceIfaceTestParse10);
1815  UtRegisterTest("DetectDceIfaceTestParse11", DetectDceIfaceTestParse11);
1816  UtRegisterTest("DetectDceIfaceTestParse12", DetectDceIfaceTestParse12);
1817  /* Disabled because of bug_753. Would be enabled, once we rewrite
1818  * dce parser */
1819 #if 0
1820  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
1821 #endif
1822  UtRegisterTest("DetectDceIfaceTestParse14", DetectDceIfaceTestParse14);
1823  UtRegisterTest("DetectDceIfaceTestParse15", DetectDceIfaceTestParse15);
1824 #endif
1825 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2225
DetectDceIfaceRegister
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
Definition: detect-dce-iface.c:76
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1431
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1170
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1156
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectDceIfaceData_::any_frag
uint8_t any_frag
Definition: detect-dce-iface.h:41
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
DetectDceIfaceData_::op
uint8_t op
Definition: detect-dce-iface.h:39
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:515
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DCERPCRequest_::first_request_seen
uint8_t first_request_seen
Definition: app-layer-dcerpc-common.h:176
DetectDceIfaceData_::uuid
uint8_t uuid[16]
Definition: detect-dce-iface.h:38
DCERPC_UUID_ENTRY_FLAG_FF
#define DCERPC_UUID_ENTRY_FLAG_FF
Definition: app-layer-dcerpc-common.h:134
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:274
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
SigMatchData_
Data needed for Match()
Definition: detect.h:332
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2533
SigTableElmt_::name
const char * name
Definition: detect.h:1184
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1342
Signature_
Signature container.
Definition: detect.h:514
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:318
Flow_::protoctx
void * protoctx
Definition: flow.h:400
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:743
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2741
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Flow_::alstate
void * alstate
Definition: flow.h:438
DE_QUIET
#define DE_QUIET
Definition: detect.h:297
DCERPC_::dcerpchdr
DCERPCHdr dcerpchdr
Definition: app-layer-dcerpc-common.h:189
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:243
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:744
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1175
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1310
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1887
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2311
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:242
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
REQUEST
#define REQUEST
Definition: app-layer-dcerpc-common.h:38
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
DCERPCUuidEntry_::result
uint16_t result
Definition: app-layer-dcerpc-common.h:141
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
DCERPC_::dcerpcbindbindack
DCERPCBindBindAck dcerpcbindbindack
Definition: app-layer-dcerpc-common.h:190
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:248
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1959
SigMatch_::type
uint8_t type
Definition: detect.h:324
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Packet_
Definition: decode.h:405
DetectDceIfaceData_::version
uint16_t version
Definition: detect-dce-iface.h:40
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:652
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1187
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:326
SigTableElmt_::alias
const char * alias
Definition: detect.h:1185
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
DCERPCUuidEntry_::flags
uint16_t flags
Definition: app-layer-dcerpc-common.h:145
version
uint8_t version
Definition: decode-gre.h:405
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DCERPCUuidEntry_::version
uint16_t version
Definition: app-layer-dcerpc-common.h:143
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:268
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-iface.c:53
RESPONSE
#define RESPONSE
Definition: app-layer-dcerpc-common.h:40
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
DCERPCRequest_::ctxid
uint16_t ctxid
Definition: app-layer-dcerpc-common.h:170
DCERPCBindBindAck_::accepted_uuid_list
DCERPCUuidEntryList accepted_uuid_list
Definition: app-layer-dcerpc-common.h:162
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
DCERPCUuidEntry_::uuid
uint8_t uuid[16]
Definition: app-layer-dcerpc-common.h:142
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
len
uint8_t len
Definition: app-layer-dnp3.h:2649
DCERPCHdr_::type
uint8_t type
Definition: app-layer-dcerpc-common.h:100
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectDceIfaceData_
Definition: detect-dce-iface.h:37
DetectEngineThreadCtx_
Definition: detect.h:986
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
DCERPCUuidEntry_::ctxid
uint16_t ctxid
Definition: app-layer-dcerpc-common.h:139
Packet_::flags
uint32_t flags
Definition: decode.h:441
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1835
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:325
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:127
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1176
SigMatch_
a single match condition for a signature
Definition: detect.h:323
DCERPCUuidEntry_
Definition: app-layer-dcerpc-common.h:138
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1155
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1790