suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-dce-iface.h"
35 
36 #include "flow.h"
37 #include "flow-var.h"
38 #include "flow-util.h"
39 
40 #include "app-layer.h"
41 #include "app-layer-dcerpc.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #include "rust.h"
51 #include "rust-smb-detect-gen.h"
52 
53 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,(<|>|=|!)([0-9]{1,5}))?(?:\\s*,(any_frag))?\\s*$"
54 
55 static pcre *parse_regex = NULL;
56 static pcre_extra *parse_regex_study = NULL;
57 
58 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
59  Flow *f, uint8_t flags, void *state, void *txv,
60  const Signature *s, const SigMatchCtx *m);
61 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
62 static void DetectDceIfaceFree(void *);
63 static void DetectDceIfaceRegisterTests(void);
64 static int g_dce_generic_list_id = 0;
65 
66 static int InspectDceGeneric(ThreadVars *tv,
67  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
68  const Signature *s, const SigMatchData *smd,
69  Flow *f, uint8_t flags, void *alstate,
70  void *txv, uint64_t tx_id);
71 
72 /**
73  * \brief Registers the keyword handlers for the "dce_iface" keyword.
74  */
76 {
77  sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface";
78  sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface";
79  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
80  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
81  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
82  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
83 
84  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
85 
86  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
87 
89  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
91  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
92 
94  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
96  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
97 }
98 
99 static int InspectDceGeneric(ThreadVars *tv,
100  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
101  const Signature *s, const SigMatchData *smd,
102  Flow *f, uint8_t flags, void *alstate,
103  void *txv, uint64_t tx_id)
104 {
105  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
106  f, flags, alstate, txv, tx_id);
107 }
108 
109 
110 /**
111  * \internal
112  * \brief Parses the argument sent along with the "dce_iface" keyword.
113  *
114  * \param arg Pointer to the string containing the argument to be parsed.
115  *
116  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
117  * from the parsed arg.
118  */
119 static DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg)
120 {
121  DetectDceIfaceData *did = NULL;
122 #define MAX_SUBSTRINGS 30
123  int ret = 0, res = 0;
124  int ov[MAX_SUBSTRINGS];
125  uint8_t hex_value;
126  char copy_str[128] = "";
127  int i = 0, j = 0;
128  int len = 0;
129  char temp_str[3] = "";
130  int version;
131 
132  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
134  if (ret < 2) {
135  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
136  goto error;
137  }
138 
139  if ( (did = SCMalloc(sizeof(DetectDceIfaceData))) == NULL)
140  goto error;
141  memset(did, 0, sizeof(DetectDceIfaceData));
142 
143  /* retrieve the iface uuid string. iface uuid is a compulsion in the keyword */
144  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 1, copy_str, sizeof(copy_str));
145  if (res < 0) {
146  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
147  goto error;
148  }
149 
150  /* parse the iface uuid string */
151  len = strlen(copy_str);
152  j = 0;
153  temp_str[2] = '\0';
154  for (i = 0; i < len; ) {
155  if (copy_str[i] == '-') {
156  i++;
157  continue;
158  }
159 
160  temp_str[0] = copy_str[i];
161  temp_str[1] = copy_str[i + 1];
162 
163  hex_value = strtol(temp_str, NULL, 16);
164  did->uuid[j] = hex_value;
165  i += 2;
166  j++;
167  }
168 
169  /* if the regex has 3 or 5, any_frag option is present in the signature */
170  if (ret == 3 || ret == 5)
171  did->any_frag = 1;
172 
173  /* if the regex has 4 or 5, version/operator is present in the signature */
174  if (ret == 4 || ret == 5) {
175  /* first handle the version number, so that we can do some additional
176  * validations of the version number, wrt. the operator */
177  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 3, copy_str, sizeof(copy_str));
178  if (res < 0) {
179  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
180  goto error;
181  }
182 
183  version = atoi(copy_str);
184  if (version > UINT16_MAX) {
185  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface version "
186  "invalid: %d\n", version);
187  goto error;
188  }
189  did->version = version;
190 
191  /* now let us handle the operator supplied with the version number */
192  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 2, copy_str, sizeof(copy_str));
193  if (res < 0) {
194  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
195  goto error;
196  }
197 
198  switch (copy_str[0]) {
199  case '<':
200  if (version == 0) {
201  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
202  "version invalid: %d. Version can't be less"
203  "than 0, with \"<\" operator", version);
204  goto error;
205  }
206 
207  did->op = DETECT_DCE_IFACE_OP_LT;
208  break;
209  case '>':
210  if (version == UINT16_MAX) {
211  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
212  "version invalid: %d. Version can't be greater"
213  "than %d, with \">\" operator", version,
214  UINT16_MAX);
215  goto error;
216  }
217 
218  did->op = DETECT_DCE_IFACE_OP_GT;
219  break;
220  case '=':
221  did->op = DETECT_DCE_IFACE_OP_EQ;
222  break;
223  case '!':
224  did->op = DETECT_DCE_IFACE_OP_NE;
225  break;
226  }
227  }
228 
229  return did;
230 
231  error:
232  if (did != NULL)
233  SCFree(did);
234  return NULL;
235 }
236 
237 /**
238  * \internal
239  * \brief Internal function that compares the dce interface version for this
240  * flow, to the signature's interface version specified using the
241  * dce_iface keyword.
242  *
243  * \param version The dce interface version for this flow.
244  * \param dce_data Pointer to the Signature's dce_iface keyword
245  * state(DetectDceIfaceData *).
246  */
247 static inline int DetectDceIfaceMatchIfaceVersion(const uint16_t version,
248  const DetectDceIfaceData *dce_data)
249 {
250  switch (dce_data->op) {
252  return (version < dce_data->version);
254  return (version > dce_data->version);
256  return (version == dce_data->version);
258  return (version != dce_data->version);
259  default:
260  return 1;
261  }
262 }
263 
264 /**
265  * \brief App layer match function for the "dce_iface" keyword.
266  *
267  * \param t Pointer to the ThreadVars instance.
268  * \param det_ctx Pointer to the DetectEngineThreadCtx.
269  * \param f Pointer to the flow.
270  * \param flags Pointer to the flags indicating the flow direction.
271  * \param state Pointer to the app layer state data.
272  * \param s Pointer to the Signature instance.
273  * \param m Pointer to the SigMatch.
274  *
275  * \retval 1 On Match.
276  * \retval 0 On no match.
277  */
278 static int DetectDceIfaceMatch(DetectEngineThreadCtx *det_ctx,
279  Flow *f, uint8_t flags, void *state, void *txv,
280  const Signature *s, const SigMatchCtx *m)
281 {
282  SCEnter();
283 
284  int ret = 0;
285  const DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
286 
287  DCERPCUuidEntry *item = NULL;
288  const DCERPCState *dcerpc_state = state;
289  if (dcerpc_state == NULL) {
290  SCLogDebug("No DCERPCState for the flow");
291  SCReturnInt(0);
292  }
293 
294  /* we still haven't seen a request */
295  if (!dcerpc_state->dcerpc.dcerpcrequest.first_request_seen)
296  goto end;
297 
298  if (!(dcerpc_state->dcerpc.dcerpchdr.type == REQUEST ||
299  dcerpc_state->dcerpc.dcerpchdr.type == RESPONSE))
300  goto end;
301 
303  SCLogDebug("item %p", item);
304  ret = 1;
305 
306  /* if any_frag is not enabled, we need to match only against the first
307  * fragment */
308  if (!dce_data->any_frag && !(item->flags & DCERPC_UUID_ENTRY_FLAG_FF))
309  continue;
310 
311  /* if the uuid has been rejected(item->result == 1), we skip to the
312  * next uuid */
313  if (item->result != 0)
314  continue;
315 
316  /* check the interface uuid */
317  for (int i = 0; i < 16; i++) {
318  if (dce_data->uuid[i] != item->uuid[i]) {
319  ret = 0;
320  break;
321  }
322  }
323  ret &= (item->ctxid == dcerpc_state->dcerpc.dcerpcrequest.ctxid);
324  if (ret == 0)
325  continue;
326 
327  /* check the interface version */
328  if (dce_data->op != DETECT_DCE_IFACE_OP_NONE &&
329  !DetectDceIfaceMatchIfaceVersion(item->version, dce_data)) {
330  ret &= 0;
331  }
332 
333  /* we have a match. Time to leave with a match */
334  if (ret == 1)
335  goto end;
336  }
337 
338 end:
339  SCReturnInt(ret);
340 }
341 
342 static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx,
343  Flow *f, uint8_t flags, void *state, void *txv,
344  const Signature *s, const SigMatchCtx *m)
345 {
346  SCEnter();
347 
348  if (f->alproto == ALPROTO_DCERPC) {
349  return DetectDceIfaceMatch(det_ctx, f, flags,
350  state, txv, s, m);
351  }
352 
353  int ret = 0;
354  DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
355 
356  if (rs_smb_tx_get_dce_iface(f->alstate, txv, dce_data->uuid, 16, dce_data->op, dce_data->version) != 1) {
357  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
358  } else {
359  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
360  ret = 1;
361  // TODO validate frag
362  }
363  SCReturnInt(ret);
364 }
365 
366 /**
367  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
368  * and appends it to the Signature(s).
369  *
370  * \param de_ctx Pointer to the detection engine context.
371  * \param s Pointer to signature for the current Signature being parsed
372  * from the rules.
373  * \param arg Pointer to the string holding the keyword value.
374  *
375  * \retval 0 on success, -1 on failure.
376  */
377 
378 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
379 {
380  DetectDceIfaceData *did = DetectDceIfaceArgParse(arg);
381  if (did == NULL) {
382  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dec_iface option in "
383  "signature");
384  return -1;
385  }
386 
387  SigMatch *sm = SigMatchAlloc();
388  if (sm == NULL) {
389  DetectDceIfaceFree(did);
390  return -1;
391  }
392 
393  sm->type = DETECT_DCE_IFACE;
394  sm->ctx = (void *)did;
395 
396  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
397  return 0;
398 }
399 
400 static void DetectDceIfaceFree(void *ptr)
401 {
402  SCFree(ptr);
403 
404  return;
405 }
406 
407 /************************************Unittests*********************************/
408 
409 #ifdef UNITTESTS
410 
411 static int DetectDceIfaceTestParse01(void)
412 {
413  SCEnter();
414 
415  Signature *s = SigAlloc();
416  if (s == NULL)
417  return 0;
418 
419  int result = 0;
420  DetectDceIfaceData *did = NULL;
421  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
422  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
423  SigMatch *temp = NULL;
424  int i = 0;
425 
426  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC") == 0);
427 
428  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
429  SCReturnInt(0);
430  }
431 
432  temp = s->sm_lists[g_dce_generic_list_id];
433  did = (DetectDceIfaceData *)temp->ctx;
434  if (did == NULL) {
435  SCReturnInt(0);
436  }
437 
438  result &= 1;
439  for (i = 0; i < 16; i++) {
440  if (did->uuid[i] != test_uuid[i]) {
441  result = 0;
442  break;
443  }
444  }
445 
446  result &= (did->version == 0);
447  result &= (did->op == 0);
448  result &= (did->any_frag == 0);
449 
450  SigFree(s);
451  SCReturnInt(result);
452 }
453 
454 static int DetectDceIfaceTestParse02(void)
455 {
456  SCEnter();
457 
458  Signature *s = SigAlloc();
459  if (s == NULL)
460  return 0;
461 
462  int result = 0;
463  DetectDceIfaceData *did = NULL;
464  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
465  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
466  SigMatch *temp = NULL;
467  int i = 0;
468 
469  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1") == 0);
470 
471  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
472  SCReturnInt(0);
473  }
474 
475  temp = s->sm_lists[g_dce_generic_list_id];
476  did = (DetectDceIfaceData *)temp->ctx;
477  if (did == NULL) {
478  SCReturnInt(0);
479  }
480 
481  result &= 1;
482  for (i = 0; i < 16; i++) {
483  if (did->uuid[i] != test_uuid[i]) {
484  result = 0;
485  break;
486  }
487  }
488 
489  result &= (did->version == 1);
490  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
491  result &= (did->any_frag == 0);
492 
493  SigFree(s);
494  SCReturnInt(result);
495 }
496 
497 static int DetectDceIfaceTestParse03(void)
498 {
499  SCEnter();
500 
501  Signature *s = SigAlloc();
502  if (s == NULL)
503  return 0;
504 
505  int result = 0;
506  DetectDceIfaceData *did = NULL;
507  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
508  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
509  SigMatch *temp = NULL;
510  int i = 0;
511 
512  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<10") == 0);
513 
514  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
515  SCReturnInt(0);
516  }
517 
518  temp = s->sm_lists[g_dce_generic_list_id];
519  did = (DetectDceIfaceData *)temp->ctx;
520  result &= 1;
521  for (i = 0; i < 16; i++) {
522  if (did->uuid[i] != test_uuid[i]) {
523  result = 0;
524  break;
525  }
526  }
527 
528  result &= (did->version == 10);
529  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
530  result &= (did->any_frag == 0);
531 
532  SigFree(s);
533  SCReturnInt(result);
534 }
535 
536 static int DetectDceIfaceTestParse04(void)
537 {
538  SCEnter();
539 
540  Signature *s = SigAlloc();
541  if (s == NULL)
542  return 0;
543 
544  int result = 0;
545  DetectDceIfaceData *did = NULL;
546  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
547  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
548  SigMatch *temp = NULL;
549  int i = 0;
550 
551  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!10") == 0);
552 
553  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
554  SCReturnInt(0);
555  }
556 
557  temp = s->sm_lists[g_dce_generic_list_id];
558  did = (DetectDceIfaceData *)temp->ctx;
559  if (did == NULL) {
560  SCReturnInt(0);
561  }
562 
563  result &= 1;
564  for (i = 0; i < 16; i++) {
565  if (did->uuid[i] != test_uuid[i]) {
566  result = 0;
567  break;
568  }
569  }
570 
571  result &= (did->version == 10);
572  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
573  result &= (did->any_frag == 0);
574 
575  SigFree(s);
576  SCReturnInt(result);
577 }
578 
579 static int DetectDceIfaceTestParse05(void)
580 {
581  SCEnter();
582 
583  Signature *s = SigAlloc();
584  int result = 0;
585  DetectDceIfaceData *did = NULL;
586  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
587  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
588  SigMatch *temp = NULL;
589  int i = 0;
590 
591  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=10") == 0);
592 
593  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
594  SCReturnInt(0);
595  }
596 
597  temp = s->sm_lists[g_dce_generic_list_id];
598  did = (DetectDceIfaceData *)temp->ctx;
599  if (did == NULL) {
600  SCReturnInt(0);
601  }
602 
603  result &= 1;
604  for (i = 0; i < 16; i++) {
605  if (did->uuid[i] != test_uuid[i]) {
606  result = 0;
607  break;
608  }
609  }
610 
611  result &= (did->version == 10);
612  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
613  result &= (did->any_frag == 0);
614 
615  SigFree(s);
616  SCReturnInt(result);
617 }
618 
619 static int DetectDceIfaceTestParse06(void)
620 {
621  SCEnter();
622 
623  Signature *s = SigAlloc();
624  if (s == NULL)
625  return 0;
626 
627  int result = 0;
628  DetectDceIfaceData *did = NULL;
629  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
630  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
631  SigMatch *temp = NULL;
632  int i = 0;
633 
634  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,any_frag") == 0);
635 
636  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
637  SCReturnInt(0);
638  }
639 
640  temp = s->sm_lists[g_dce_generic_list_id];
641  did = (DetectDceIfaceData *)temp->ctx;
642  if (did == NULL) {
643  SCReturnInt(0);
644  }
645 
646  result &= 1;
647  for (i = 0; i < 16; i++) {
648  if (did->uuid[i] != test_uuid[i]) {
649  result = 0;
650  break;
651  }
652  }
653 
654  result &= (did->version == 0);
655  result &= (did->op == 0);
656  result &= (did->any_frag == 1);
657 
658  SigFree(s);
659  SCReturnInt(result);
660 }
661 
662 static int DetectDceIfaceTestParse07(void)
663 {
664  SCEnter();
665 
666  Signature *s = SigAlloc();
667  if (s == NULL)
668  return 0;
669 
670  int result = 0;
671  DetectDceIfaceData *did = NULL;
672  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
673  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
674  SigMatch *temp = NULL;
675  int i = 0;
676 
677  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,any_frag") == 0);
678 
679  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
680  SCReturnInt(0);
681  }
682 
683  temp = s->sm_lists[g_dce_generic_list_id];
684  did = (DetectDceIfaceData *)temp->ctx;
685  if (did == NULL) {
686  SCReturnInt(0);
687  }
688 
689  result &= 1;
690  for (i = 0; i < 16; i++) {
691  if (did->uuid[i] != test_uuid[i]) {
692  result = 0;
693  break;
694  }
695  }
696 
697  result &= (did->version == 1);
698  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
699  result &= (did->any_frag == 1);
700 
701  SigFree(s);
702  SCReturnInt(result);
703 }
704 
705 static int DetectDceIfaceTestParse08(void)
706 {
707  Signature *s = SigAlloc();
708  if (s == NULL)
709  return 0;
710 
711  int result = 0;
712  DetectDceIfaceData *did = NULL;
713  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
714  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
715  SigMatch *temp = NULL;
716  int i = 0;
717 
718  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<1,any_frag") == 0);
719 
720  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
721  SCReturnInt(0);
722  }
723 
724  temp = s->sm_lists[g_dce_generic_list_id];
725  did = (DetectDceIfaceData *)temp->ctx;
726  if (did == NULL) {
727  SCReturnInt(0);
728  }
729 
730  result &= 1;
731  for (i = 0; i < 16; i++) {
732  if (did->uuid[i] != test_uuid[i]) {
733  result = 0;
734  break;
735  }
736  }
737 
738  result &= (did->version == 1);
739  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
740  result &= (did->any_frag == 1);
741 
742  SigFree(s);
743  SCReturnInt(result);
744 }
745 
746 static int DetectDceIfaceTestParse09(void)
747 {
748  SCEnter();
749 
750  Signature *s = SigAlloc();
751  if (s == NULL)
752  return 0;
753 
754  int result = 0;
755  DetectDceIfaceData *did = NULL;
756  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
757  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
758  SigMatch *temp = NULL;
759  int i = 0;
760 
761  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=1,any_frag") == 0);
762 
763  temp = s->sm_lists[g_dce_generic_list_id];
764  did = (DetectDceIfaceData *)temp->ctx;
765  if (did == NULL) {
766  SCReturnInt(0);
767  }
768 
769  result &= 1;
770  for (i = 0; i < 16; i++) {
771  if (did->uuid[i] != test_uuid[i]) {
772  result = 0;
773  break;
774  }
775  }
776 
777  result &= (did->version == 1);
778  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
779  result &= (did->any_frag == 1);
780 
781  SigFree(s);
782  SCReturnInt(result);
783 }
784 
785 static int DetectDceIfaceTestParse10(void)
786 {
787  SCEnter();
788 
789  Signature *s = SigAlloc();
790  if (s == NULL)
791  return 0;
792 
793  int result = 0;
794  DetectDceIfaceData *did = NULL;
795  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
796  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
797  SigMatch *temp = NULL;
798  int i = 0;
799 
800  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!1,any_frag") == 0);
801 
802  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
803  SCReturnInt(0);
804  }
805 
806  temp = s->sm_lists[g_dce_generic_list_id];
807  did = (DetectDceIfaceData *)temp->ctx;
808  if (did == NULL) {
809  SCReturnInt(0);
810  }
811 
812  result &= 1;
813  for (i = 0; i < 16; i++) {
814  if (did->uuid[i] != test_uuid[i]) {
815  result = 0;
816  break;
817  }
818  }
819 
820  result &= (did->version == 1);
821  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
822  result &= (did->any_frag == 1);
823 
824  SigFree(s);
825  SCReturnInt(result);
826 }
827 
828 static int DetectDceIfaceTestParse11(void)
829 {
830  SCEnter();
831 
832  Signature *s = SigAlloc();
833  if (s == NULL)
834  return 0;
835 
836  int result = 1;
837 
838  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,ay_frag") == -1);
839  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-12345679ABC,>1,any_frag") == -1);
840  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-134-123456789ABC,>1,any_frag") == -1);
841  result &= (DetectDceIfaceSetup(NULL, s, "12345678-123-124-1234-123456789ABC,>1,any_frag") == -1);
842  result &= (DetectDceIfaceSetup(NULL, s, "1234568-1234-1234-1234-123456789ABC,>1,any_frag") == -1);
843  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65536,any_frag") == -1);
844  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>=1,any_frag") == -1);
845  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<0,any_frag") == -1);
846  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65535,any_frag") == -1);
847 
848  SigFree(s);
849  return result;
850 }
851 
852 /**
853  * \test Test a valid dce_iface entry for a bind and bind_ack
854  */
855 static int DetectDceIfaceTestParse12(void)
856 {
857  Signature *s = NULL;
858  ThreadVars th_v;
859  Packet *p = NULL;
860  Flow f;
861  TcpSession ssn;
862  DetectEngineThreadCtx *det_ctx = NULL;
863  DetectEngineCtx *de_ctx = NULL;
864  DCERPCState *dcerpc_state = NULL;
865  int r = 0;
866 
867  uint8_t dcerpc_bind[] = {
868  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
869  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
870  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
871  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
872  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
873  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
874  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
875  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
876  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
877  };
878 
879  uint8_t dcerpc_bindack[] = {
880  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
881  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
882  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
883  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
884  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
885  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
886  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
887  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
888  0x02, 0x00, 0x00, 0x00
889  };
890 
891  uint8_t dcerpc_request[] = {
892  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
893  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
894  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
895  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
896  };
897 
898  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
899  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
900  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
901 
903 
904  memset(&th_v, 0, sizeof(th_v));
905  memset(&f, 0, sizeof(f));
906  memset(&ssn, 0, sizeof(ssn));
907 
908  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
909 
910  FLOW_INITIALIZE(&f);
911  f.protoctx = (void *)&ssn;
912  f.proto = IPPROTO_TCP;
913  p->flow = &f;
918 
920 
921  de_ctx = DetectEngineCtxInit();
922  FAIL_IF(de_ctx == NULL);
923  de_ctx->flags |= DE_QUIET;
924 
925  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
926  "(msg:\"DCERPC\"; "
927  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; "
928  "sid:1;)");
929  FAIL_IF(s == NULL);
930 
931  SigGroupBuild(de_ctx);
932  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
933 
934  SCLogDebug("handling to_server chunk");
935 
936  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
937  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
938  dcerpc_bind_len);
939  FAIL_IF(r != 0);
940 
941  dcerpc_state = f.alstate;
942  FAIL_IF(dcerpc_state == NULL);
943 
944  /* do detect */
945  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
946  FAIL_IF(PacketAlertCheck(p, 1));
947 
948  SCLogDebug("handling to_client chunk");
949 
950  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
951  STREAM_TOCLIENT, dcerpc_bindack,
952  dcerpc_bindack_len);
953  FAIL_IF(r != 0);
954 
955  /* do detect */
956  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
957  FAIL_IF(PacketAlertCheck(p, 1));
958 
959  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
960  STREAM_TOCLIENT, dcerpc_request,
961  dcerpc_request_len);
962  FAIL_IF(r != 0);
963 
964  /* do detect */
965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
966 
967  FAIL_IF(!PacketAlertCheck(p, 1));
968  if (alp_tctx != NULL)
969  AppLayerParserThreadCtxFree(alp_tctx);
970  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
971  DetectEngineCtxFree(de_ctx);
973  FLOW_DESTROY(&f);
974  UTHFreePackets(&p, 1);
975  PASS;
976 }
977 
978 /* Disabled because of bug_753. Would be enabled, once we rewrite
979  * dce parser */
980 #if 0
981 
982 /**
983  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
984  */
985 static int DetectDceIfaceTestParse13(void)
986 {
987  int result = 0;
988  Signature *s = NULL;
989  ThreadVars th_v;
990  Packet *p = NULL;
991  Flow f;
992  TcpSession ssn;
993  DetectEngineThreadCtx *det_ctx = NULL;
994  DetectEngineCtx *de_ctx = NULL;
995  DCERPCState *dcerpc_state = NULL;
996  int r = 0;
997 
998  uint8_t dcerpc_bind[] = {
999  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1000  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1001  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1002  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1003  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1004  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1005  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1006  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1007  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1008  };
1009 
1010  uint8_t dcerpc_bindack[] = {
1011  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1012  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1013  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1014  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1015  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1016  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1017  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1018  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1019  0x02, 0x00, 0x00, 0x00,
1020  };
1021 
1022  uint8_t dcerpc_request1[] = {
1023  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1024  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1025  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1026  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1027  0x00, 0x00, 0x00, 0x02,
1028  };
1029 
1030  uint8_t dcerpc_response1[] = {
1031  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1032  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1033  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1034  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1035  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1036  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1037  };
1038 
1039  uint8_t dcerpc_request2[] = {
1040  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1041  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1042  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1043  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1044  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1045  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1046  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1047  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1048  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1049  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1050  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1051  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1052  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1053  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1054  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1055  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1056  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1057  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1058  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1059  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1060  0x03, 0x00, 0x00, 0x00,
1061  };
1062 
1063  uint8_t dcerpc_response2[] = {
1064  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1065  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1066  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1067  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1068  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1069  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1070  };
1071 
1072  uint8_t dcerpc_request3[] = {
1073  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1074  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1075  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1076  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1077  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1078  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1079  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1080  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1081  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1082  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1083  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1084  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1085  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1086  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1087  };
1088 
1089  uint8_t dcerpc_response3[] = {
1090  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1091  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1092  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1093  0x00, 0x00, 0x00, 0x00,
1094  };
1095 
1096  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1097  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1098 
1099  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1100  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1101 
1102  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1103  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1104 
1105  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1106  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1107 
1109 
1110  memset(&th_v, 0, sizeof(th_v));
1111  memset(&p, 0, sizeof(p));
1112  memset(&f, 0, sizeof(f));
1113  memset(&ssn, 0, sizeof(ssn));
1114 
1115  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1116 
1117  FLOW_INITIALIZE(&f);
1118  f.protoctx = (void *)&ssn;
1119  f.proto = IPPROTO_TCP;
1120  p->flow = &f;
1124  f.alproto = ALPROTO_DCERPC;
1125 
1127 
1128  de_ctx = DetectEngineCtxInit();
1129  if (de_ctx == NULL)
1130  goto end;
1131 
1132  de_ctx->flags |= DE_QUIET;
1133 
1134  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
1135  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
1136  if (s == NULL)
1137  goto end;
1138 
1139  SigGroupBuild(de_ctx);
1140  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1141 
1142  SCLogDebug("chunk 1, bind");
1143 
1145  dcerpc_bind, dcerpc_bind_len);
1146  if (r != 0) {
1147  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1148  goto end;
1149  }
1150 
1151  dcerpc_state = f.alstate;
1152  if (dcerpc_state == NULL) {
1153  SCLogDebug("no dcerpc state: ");
1154  goto end;
1155  }
1156 
1159  /* do detect */
1160  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1161 
1162  if (PacketAlertCheck(p, 1)) {
1163  printf("sig 1 didn't match after bind request: ");
1164  goto end;
1165  }
1166 
1167  SCLogDebug("chunk 2, bind_ack");
1168 
1169  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
1170  dcerpc_bindack_len);
1171  if (r != 0) {
1172  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1173  goto end;
1174  }
1175 
1178  /* do detect */
1179  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1180 
1181  if (PacketAlertCheck(p, 1)) {
1182  printf("sig 1 matched again after bind ack: ");
1183  goto end;
1184  }
1185 
1186  SCLogDebug("chunk 3, request 1");
1187 
1188  /* request1 */
1189  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
1190  dcerpc_request1_len);
1191  if (r != 0) {
1192  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1193  goto end;
1194  }
1195 
1198  /* do detect */
1199  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1200 
1201  if (!(PacketAlertCheck(p, 1))) {
1202  printf("sig 1 didn't match after request1: ");
1203  goto end;
1204  }
1205 
1206  SCLogDebug("sending response1");
1207 
1208  /* response1 */
1209  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
1210  dcerpc_response1_len);
1211  if (r != 0) {
1212  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1213  goto end;
1214  }
1215 
1218  /* do detect */
1219  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1220 
1221  if (PacketAlertCheck(p, 1)) {
1222  printf("sig 1 matched after response1, but shouldn't: ");
1223  goto end;
1224  }
1225 
1226  SCLogDebug("sending request2");
1227 
1228  /* request2 */
1229  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
1230  dcerpc_request2_len);
1231  if (r != 0) {
1232  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1233  goto end;
1234  }
1235 
1238  /* do detect */
1239  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1240 
1241  if (!(PacketAlertCheck(p, 1))) {
1242  printf("sig 1 didn't match after request2: ");
1243  goto end;
1244  }
1245 
1246  /* response2 */
1247  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
1248  dcerpc_response2_len);
1249  if (r != 0) {
1250  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1251  goto end;
1252  }
1253 
1256  /* do detect */
1257  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1258 
1259  if (PacketAlertCheck(p, 1)) {
1260  printf("sig 1 matched after response2, but shouldn't have: ");
1261  goto end;
1262  }
1263 
1264  /* request3 */
1265  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
1266  dcerpc_request3_len);
1267  if (r != 0) {
1268  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1269  goto end;
1270  }
1271 
1274  /* do detect */
1275  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1276 
1277  if (!(PacketAlertCheck(p, 1))) {
1278  printf("sig 1 didn't match after request3: ");
1279  goto end;
1280  }
1281 
1282  /* response3 */
1284  dcerpc_response3, dcerpc_response3_len);
1285  if (r != 0) {
1286  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1287  goto end;
1288  }
1289 
1292  /* do detect */
1293  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1294 
1295  if (PacketAlertCheck(p, 1)) {
1296  printf("sig 1 matched after response3, but shouldn't have: ");
1297  goto end;
1298  }
1299 
1300  result = 1;
1301 
1302  end:
1303  if (alp_tctx != NULL)
1304  AppLayerParserThreadCtxFree(alp_tctx);
1305  SigGroupCleanup(de_ctx);
1306  SigCleanSignatures(de_ctx);
1307 
1308  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1309  DetectEngineCtxFree(de_ctx);
1310 
1312  UTHFreePackets(&p, 1);
1313  return result;
1314 }
1315 
1316 #endif
1317 
1318 /**
1319  * \test Test a valid dce_iface entry for a bind and bind_ack
1320  */
1321 static int DetectDceIfaceTestParse14(void)
1322 {
1323  int result = 0;
1324  Signature *s = NULL;
1325  ThreadVars th_v;
1326  Packet *p = NULL;
1327  Flow f;
1328  TcpSession ssn;
1329  DetectEngineThreadCtx *det_ctx = NULL;
1330  DetectEngineCtx *de_ctx = NULL;
1331  DCERPCState *dcerpc_state = NULL;
1332  int r = 0;
1333 
1334  uint8_t dcerpc_bind[] = {
1335  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1336  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1337  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1338  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1339  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
1340  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
1341  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1342  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1343  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1344  };
1345 
1346  uint8_t dcerpc_bindack[] = {
1347  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1348  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1349  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
1350  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1351  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
1352  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1353  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1354  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1355  0x02, 0x00, 0x00, 0x00
1356  };
1357 
1358  uint8_t dcerpc_request[] = {
1359  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
1360  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1362  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1363  };
1364 
1365  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1366  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1367  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1368 
1370 
1371  memset(&th_v, 0, sizeof(th_v));
1372  memset(&p, 0, sizeof(p));
1373  memset(&f, 0, sizeof(f));
1374  memset(&ssn, 0, sizeof(ssn));
1375 
1376  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1377 
1378  FLOW_INITIALIZE(&f);
1379  f.protoctx = (void *)&ssn;
1380  f.proto = IPPROTO_TCP;
1381  p->flow = &f;
1385  f.alproto = ALPROTO_DCERPC;
1386 
1388 
1389  de_ctx = DetectEngineCtxInit();
1390  if (de_ctx == NULL)
1391  goto end;
1392 
1393  de_ctx->flags |= DE_QUIET;
1394 
1395  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1396  "(msg:\"DCERPC\"; "
1397  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0; "
1398  "sid:1;)");
1399  if (s == NULL)
1400  goto end;
1401 
1402  SigGroupBuild(de_ctx);
1403  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1404 
1405  FLOWLOCK_WRLOCK(&f);
1406  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1407  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1408  dcerpc_bind_len);
1409  if (r != 0) {
1410  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1411  FLOWLOCK_UNLOCK(&f);
1412  goto end;
1413  }
1414  FLOWLOCK_UNLOCK(&f);
1415 
1416  dcerpc_state = f.alstate;
1417  if (dcerpc_state == NULL) {
1418  SCLogDebug("no dcerpc state: ");
1419  goto end;
1420  }
1421 
1422  /* do detect */
1423  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1424 
1425  if (PacketAlertCheck(p, 1))
1426  goto end;
1427 
1428  FLOWLOCK_WRLOCK(&f);
1429  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1430  STREAM_TOCLIENT, dcerpc_bindack,
1431  dcerpc_bindack_len);
1432  if (r != 0) {
1433  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1434  FLOWLOCK_UNLOCK(&f);
1435  goto end;
1436  }
1437  FLOWLOCK_UNLOCK(&f);
1438 
1439  /* do detect */
1440  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1441 
1442  if (PacketAlertCheck(p, 1)) {
1443  printf("sig 1 matched but shouldn't have: ");
1444  goto end;
1445  }
1446 
1447  FLOWLOCK_WRLOCK(&f);
1448  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1449  STREAM_TOCLIENT, dcerpc_request,
1450  dcerpc_request_len);
1451  if (r != 0) {
1452  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1453  FLOWLOCK_UNLOCK(&f);
1454  goto end;
1455  }
1456  FLOWLOCK_UNLOCK(&f);
1457 
1458  /* do detect */
1459  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1460 
1461  if (!PacketAlertCheck(p, 1)) {
1462  printf("sig 1 matched but shouldn't have: ");
1463  goto end;
1464  }
1465 
1466  result = 1;
1467 
1468  end:
1469  if (alp_tctx != NULL)
1470  AppLayerParserThreadCtxFree(alp_tctx);
1471  SigGroupCleanup(de_ctx);
1472  SigCleanSignatures(de_ctx);
1473 
1474  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1475  DetectEngineCtxFree(de_ctx);
1476 
1478  FLOW_DESTROY(&f);
1479  UTHFreePackets(&p, 1);
1480  return result;
1481 }
1482 
1483 /**
1484  * \test Test a valid dce_iface entry for a bind and bind_ack
1485  */
1486 static int DetectDceIfaceTestParse15(void)
1487 {
1488  int result = 0;
1489  Signature *s = NULL;
1490  ThreadVars th_v;
1491  Packet *p = NULL;
1492  Flow f;
1493  TcpSession ssn;
1494  DetectEngineThreadCtx *det_ctx = NULL;
1495  DetectEngineCtx *de_ctx = NULL;
1496  DCERPCState *dcerpc_state = NULL;
1497  int r = 0;
1498 
1499  uint8_t dcerpc_bind[] = {
1500  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1501  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1502  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1503  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1504  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
1505  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1506  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1507  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1508  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1509  };
1510  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1511 
1512  uint8_t dcerpc_bindack[] = {
1513  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1514  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1515  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1516  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
1517  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
1518  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1519  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1520  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1521  0x02, 0x00, 0x00, 0x00
1522  };
1523  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1524 
1525  uint8_t dcerpc_alter_context[] = {
1526  0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
1527  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1528  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1529  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
1530  0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11,
1531  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1532  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1533  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1534  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1535  };
1536  uint32_t dcerpc_alter_context_len = sizeof(dcerpc_alter_context);
1537 
1538  uint8_t dcerpc_alter_context_resp[] = {
1539  0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00,
1540  0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1541  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1542  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
1543  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1544  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1545  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1546  };
1547  uint32_t dcerpc_alter_context_resp_len = sizeof(dcerpc_alter_context_resp);
1548 
1549  uint8_t dcerpc_request1[] = {
1550  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1551  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1552  0x20, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1553  0xdd, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1554  };
1555  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1556 
1557  uint8_t dcerpc_response1[] = {
1558  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1559  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1560  0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1561  0x00, 0x00, 0x00, 0x00, 0xf5, 0x66, 0xbf, 0x54,
1562  0xc4, 0xdb, 0xdb, 0x4f, 0xa0, 0x01, 0x6d, 0xf4,
1563  0xf6, 0xa8, 0x44, 0xb3, 0x00, 0x00, 0x00, 0x00
1564  };
1565  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1566 
1567  uint8_t dcerpc_request2[] = {
1568  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1569  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1570  0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
1571  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
1572  };
1573  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1574 
1576 
1577  memset(&th_v, 0, sizeof(th_v));
1578  memset(&p, 0, sizeof(p));
1579  memset(&f, 0, sizeof(f));
1580  memset(&ssn, 0, sizeof(ssn));
1581 
1582  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1583 
1584  FLOW_INITIALIZE(&f);
1585  f.protoctx = (void *)&ssn;
1586  f.proto = IPPROTO_TCP;
1587  p->flow = &f;
1591  f.alproto = ALPROTO_DCERPC;
1592 
1594 
1595  de_ctx = DetectEngineCtxInit();
1596  if (de_ctx == NULL)
1597  goto end;
1598 
1599  de_ctx->flags |= DE_QUIET;
1600 
1601  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1602  "(msg:\"DCERPC\"; "
1603  "dce_iface:57674cd0-5200-11ce-a897-08002b2e9c6d; "
1604  "sid:1;)");
1605  if (s == NULL)
1606  goto end;
1607 
1608  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1609  "(msg:\"DCERPC\"; "
1610  "dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; "
1611  "sid:2;)");
1612  if (s == NULL)
1613  goto end;
1614 
1615  SigGroupBuild(de_ctx);
1616  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1617 
1618  FLOWLOCK_WRLOCK(&f);
1619  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1620  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1621  dcerpc_bind_len);
1622  if (r != 0) {
1623  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1624  FLOWLOCK_UNLOCK(&f);
1625  goto end;
1626  }
1627  FLOWLOCK_UNLOCK(&f);
1628 
1629  dcerpc_state = f.alstate;
1630  if (dcerpc_state == NULL) {
1631  SCLogDebug("no dcerpc state: ");
1632  goto end;
1633  }
1634 
1635  /* do detect */
1636  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1637 
1638  if (PacketAlertCheck(p, 1))
1639  goto end;
1640  if (PacketAlertCheck(p, 2))
1641  goto end;
1642 
1643  FLOWLOCK_WRLOCK(&f);
1644  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1645  STREAM_TOCLIENT, dcerpc_bindack,
1646  dcerpc_bindack_len);
1647  if (r != 0) {
1648  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1649  FLOWLOCK_UNLOCK(&f);
1650  goto end;
1651  }
1652  FLOWLOCK_UNLOCK(&f);
1653 
1654  /* do detect */
1655  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1656 
1657  if (PacketAlertCheck(p, 1)) {
1658  printf("sig 1 matched but shouldn't have: ");
1659  goto end;
1660  }
1661  if (PacketAlertCheck(p, 2)) {
1662  printf("sig 1 matched but shouldn't have: ");
1663  goto end;
1664  }
1665 
1666  FLOWLOCK_WRLOCK(&f);
1667  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1668  STREAM_TOSERVER, dcerpc_alter_context,
1669  dcerpc_alter_context_len);
1670  if (r != 0) {
1671  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1672  FLOWLOCK_UNLOCK(&f);
1673  goto end;
1674  }
1675  FLOWLOCK_UNLOCK(&f);
1676 
1677  /* do detect */
1678  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1679 
1680  if (PacketAlertCheck(p, 1)) {
1681  printf("sig 1 matched but shouldn't have: ");
1682  goto end;
1683  }
1684  if (PacketAlertCheck(p, 2)) {
1685  printf("sig 1 matched but shouldn't have: ");
1686  goto end;
1687  }
1688 
1689  FLOWLOCK_WRLOCK(&f);
1690  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1691  STREAM_TOCLIENT, dcerpc_alter_context_resp,
1692  dcerpc_alter_context_resp_len);
1693  if (r != 0) {
1694  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1695  FLOWLOCK_UNLOCK(&f);
1696  goto end;
1697  }
1698  FLOWLOCK_UNLOCK(&f);
1699 
1700  /* do detect */
1701  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1702 
1703  if (PacketAlertCheck(p, 1)) {
1704  printf("sig 1 matched but shouldn't have: ");
1705  goto end;
1706  }
1707  if (PacketAlertCheck(p, 2)) {
1708  printf("sig 1 matched but shouldn't have: ");
1709  goto end;
1710  }
1711 
1712  FLOWLOCK_WRLOCK(&f);
1713  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1714  STREAM_TOSERVER, dcerpc_request1,
1715  dcerpc_request1_len);
1716  if (r != 0) {
1717  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1718  FLOWLOCK_UNLOCK(&f);
1719  goto end;
1720  }
1721  FLOWLOCK_UNLOCK(&f);
1722 
1723  /* do detect */
1724  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1725 
1726  if (!PacketAlertCheck(p, 1)) {
1727  printf("sig 1 matched but shouldn't have: ");
1728  goto end;
1729  }
1730  if (PacketAlertCheck(p, 2)) {
1731  printf("sig 1 matched but shouldn't have: ");
1732  goto end;
1733  }
1734 
1735  FLOWLOCK_WRLOCK(&f);
1736  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1737  STREAM_TOCLIENT, dcerpc_response1,
1738  dcerpc_response1_len);
1739  if (r != 0) {
1740  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1741  FLOWLOCK_UNLOCK(&f);
1742  goto end;
1743  }
1744  FLOWLOCK_UNLOCK(&f);
1745 
1746  /* do detect */
1747  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1748 
1749  if (PacketAlertCheck(p, 1)) {
1750  printf("sig 1 matched but shouldn't have: ");
1751  goto end;
1752  }
1753  if (PacketAlertCheck(p, 2)) {
1754  printf("sig 1 matched but shouldn't have: ");
1755  goto end;
1756  }
1757 
1758  FLOWLOCK_WRLOCK(&f);
1759  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1760  STREAM_TOSERVER, dcerpc_request2,
1761  dcerpc_request2_len);
1762  if (r != 0) {
1763  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1764  FLOWLOCK_UNLOCK(&f);
1765  goto end;
1766  }
1767  FLOWLOCK_UNLOCK(&f);
1768 
1769  /* do detect */
1770  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1771 
1772  if (PacketAlertCheck(p, 1)) {
1773  printf("sig 1 matched but shouldn't have: ");
1774  goto end;
1775  }
1776  if (!PacketAlertCheck(p, 2)) {
1777  printf("sig 1 matched but shouldn't have: ");
1778  goto end;
1779  }
1780 
1781  result = 1;
1782 
1783  end:
1784  if (alp_tctx != NULL)
1785  AppLayerParserThreadCtxFree(alp_tctx);
1786  SigGroupCleanup(de_ctx);
1787  SigCleanSignatures(de_ctx);
1788 
1789  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1790  DetectEngineCtxFree(de_ctx);
1791 
1793  FLOW_DESTROY(&f);
1794  UTHFreePackets(&p, 1);
1795  return result;
1796 }
1797 
1798 #endif
1799 
1800 static void DetectDceIfaceRegisterTests(void)
1801 {
1802 #ifdef UNITTESTS
1803  UtRegisterTest("DetectDceIfaceTestParse01", DetectDceIfaceTestParse01);
1804  UtRegisterTest("DetectDceIfaceTestParse02", DetectDceIfaceTestParse02);
1805  UtRegisterTest("DetectDceIfaceTestParse03", DetectDceIfaceTestParse03);
1806  UtRegisterTest("DetectDceIfaceTestParse04", DetectDceIfaceTestParse04);
1807  UtRegisterTest("DetectDceIfaceTestParse05", DetectDceIfaceTestParse05);
1808  UtRegisterTest("DetectDceIfaceTestParse06", DetectDceIfaceTestParse06);
1809  UtRegisterTest("DetectDceIfaceTestParse07", DetectDceIfaceTestParse07);
1810  UtRegisterTest("DetectDceIfaceTestParse08", DetectDceIfaceTestParse08);
1811  UtRegisterTest("DetectDceIfaceTestParse09", DetectDceIfaceTestParse09);
1812  UtRegisterTest("DetectDceIfaceTestParse10", DetectDceIfaceTestParse10);
1813  UtRegisterTest("DetectDceIfaceTestParse11", DetectDceIfaceTestParse11);
1814  UtRegisterTest("DetectDceIfaceTestParse12", DetectDceIfaceTestParse12);
1815  /* Disabled because of bug_753. Would be enabled, once we rewrite
1816  * dce parser */
1817 #if 0
1818  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
1819 #endif
1820  UtRegisterTest("DetectDceIfaceTestParse14", DetectDceIfaceTestParse14);
1821  UtRegisterTest("DetectDceIfaceTestParse15", DetectDceIfaceTestParse15);
1822 #endif
1823 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
DCERPCRequest dcerpcrequest
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:445
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct HtpBodyChunk_ * next
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define PASS
Pass the test.
#define DCERPC_UUID_ENTRY_FLAG_FF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
Data needed for Match()
Definition: detect.h:322
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1193
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:517
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:756
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define MAX_SUBSTRINGS
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:287
#define SIG_FLAG_TOCLIENT
Definition: detect.h:233
uint8_t flags
Definition: detect.h:757
Data structures and function prototypes for keeping state for the detection engine.
void(* Free)(void *)
Definition: detect.h:1184
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void SigFree(Signature *)
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define STREAM_EOF
Definition: stream.h:30
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIG_FLAG_TOSERVER
Definition: detect.h:232
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
#define REQUEST
uint8_t flowflags
Definition: decode.h:439
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define STREAM_TOCLIENT
Definition: stream.h:32
DCERPCBindBindAck dcerpcbindbindack
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:314
#define SCReturnInt(x)
Definition: util-debug.h:341
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
int DetectBufferTypeRegister(const char *name)
Signature * SigAlloc(void)
SigMatchCtx * ctx
Definition: detect.h:316
const char * alias
Definition: detect.h:1194
#define SCMalloc(a)
Definition: util-mem.h:222
uint8_t version
Definition: decode-gre.h:405
#define SCFree(a)
Definition: util-mem.h:322
PoolThreadReserved res
uint16_t tx_id
#define PARSE_REGEX
#define RESPONSE
#define STREAM_START
Definition: stream.h:29
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1166
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
SCMutex m
Definition: flow-hash.h:105
DCERPCUuidEntryList accepted_uuid_list
#define PKT_HAS_FLOW
Definition: decode.h:1090
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
AppProto alproto
application level protocol
Definition: flow.h:409
uint32_t flags
Definition: decode.h:443
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:325
#define PKT_STREAM_EST
Definition: decode.h:1088
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1185
a single match condition for a signature
Definition: detect.h:313
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)