suricata
detect-dce-iface.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_iface keyword.
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 #include "detect-dce-iface.h"
35 
36 #include "flow.h"
37 #include "flow-var.h"
38 #include "flow-util.h"
39 
40 #include "app-layer.h"
41 #include "app-layer-dcerpc.h"
42 #include "queue.h"
43 #include "stream-tcp-reassemble.h"
44 
45 #include "util-debug.h"
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "stream-tcp.h"
49 
50 #ifdef HAVE_RUST
51 #include "rust.h"
52 #include "rust-smb-detect-gen.h"
53 #endif
54 
55 #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,(<|>|=|!)([0-9]{1,5}))?(?:\\s*,(any_frag))?\\s*$"
56 
57 static pcre *parse_regex = NULL;
58 static pcre_extra *parse_regex_study = NULL;
59 
60 static int DetectDceIfaceMatch(ThreadVars *, DetectEngineThreadCtx *,
61  Flow *, uint8_t, void *, void *,
62  const Signature *, const SigMatchCtx *);
63 #ifdef HAVE_RUST
64 static int DetectDceIfaceMatchRust(ThreadVars *t,
65  DetectEngineThreadCtx *det_ctx,
66  Flow *f, uint8_t flags, void *state, void *txv,
67  const Signature *s, const SigMatchCtx *m);
68 #endif
69 static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *);
70 static void DetectDceIfaceFree(void *);
71 static void DetectDceIfaceRegisterTests(void);
72 static int g_dce_generic_list_id = 0;
73 
74 static int InspectDceGeneric(ThreadVars *tv,
75  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
76  const Signature *s, const SigMatchData *smd,
77  Flow *f, uint8_t flags, void *alstate,
78  void *txv, uint64_t tx_id);
79 
80 /**
81  * \brief Registers the keyword handlers for the "dce_iface" keyword.
82  */
83 void DetectDceIfaceRegister(void)
84 {
85  sigmatch_table[DETECT_DCE_IFACE].name = "dce_iface";
86  sigmatch_table[DETECT_DCE_IFACE].Match = NULL;
87 #ifdef HAVE_RUST
88  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust;
89 #else
90  sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatch;
91 #endif
92  sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup;
93  sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree;
94  sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests;
95 
96  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
97 
98  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
99 
100  DetectAppLayerInspectEngineRegister("dce_generic",
101  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
102  DetectAppLayerInspectEngineRegister("dce_generic",
103  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, InspectDceGeneric);
104 
105  DetectAppLayerInspectEngineRegister("dce_generic",
106  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
107  DetectAppLayerInspectEngineRegister("dce_generic",
108  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, InspectDceGeneric);
109 }
110 
111 static int InspectDceGeneric(ThreadVars *tv,
112  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
113  const Signature *s, const SigMatchData *smd,
114  Flow *f, uint8_t flags, void *alstate,
115  void *txv, uint64_t tx_id)
116 {
117  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
118  f, flags, alstate, txv, tx_id);
119 }
120 
121 
122 /**
123  * \internal
124  * \brief Parses the argument sent along with the "dce_iface" keyword.
125  *
126  * \param arg Pointer to the string containing the argument to be parsed.
127  *
128  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
129  * from the parsed arg.
130  */
131 static DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg)
132 {
133  DetectDceIfaceData *did = NULL;
134 #define MAX_SUBSTRINGS 30
135  int ret = 0, res = 0;
136  int ov[MAX_SUBSTRINGS];
137  uint8_t hex_value;
138  char copy_str[128] = "";
139  int i = 0, j = 0;
140  int len = 0;
141  char temp_str[3] = "";
142  int version;
143 
144  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
145  MAX_SUBSTRINGS);
146  if (ret < 2) {
147  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
148  goto error;
149  }
150 
151  if ( (did = SCMalloc(sizeof(DetectDceIfaceData))) == NULL)
152  goto error;
153  memset(did, 0, sizeof(DetectDceIfaceData));
154 
155  /* retrieve the iface uuid string. iface uuid is a compulsion in the keyword */
156  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 1, copy_str, sizeof(copy_str));
157  if (res < 0) {
158  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
159  goto error;
160  }
161 
162  /* parse the iface uuid string */
163  len = strlen(copy_str);
164  j = 0;
165  temp_str[2] = '\0';
166  for (i = 0; i < len; ) {
167  if (copy_str[i] == '-') {
168  i++;
169  continue;
170  }
171 
172  temp_str[0] = copy_str[i];
173  temp_str[1] = copy_str[i + 1];
174 
175  hex_value = strtol(temp_str, NULL, 16);
176  did->uuid[j] = hex_value;
177  i += 2;
178  j++;
179  }
180 
181  /* if the regex has 3 or 5, any_frag option is present in the signature */
182  if (ret == 3 || ret == 5)
183  did->any_frag = 1;
184 
185  /* if the regex has 4 or 5, version/operator is present in the signature */
186  if (ret == 4 || ret == 5) {
187  /* first handle the version number, so that we can do some additional
188  * validations of the version number, wrt. the operator */
189  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 3, copy_str, sizeof(copy_str));
190  if (res < 0) {
191  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
192  goto error;
193  }
194 
195  version = atoi(copy_str);
196  if (version > UINT16_MAX) {
197  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface version "
198  "invalid: %d\n", version);
199  goto error;
200  }
201  did->version = version;
202 
203  /* now let us handle the operator supplied with the version number */
204  res = pcre_copy_substring(arg, ov, MAX_SUBSTRINGS, 2, copy_str, sizeof(copy_str));
205  if (res < 0) {
206  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
207  goto error;
208  }
209 
210  switch (copy_str[0]) {
211  case '<':
212  if (version == 0) {
213  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
214  "version invalid: %d. Version can't be less"
215  "than 0, with \"<\" operator", version);
216  goto error;
217  }
218 
219  did->op = DETECT_DCE_IFACE_OP_LT;
220  break;
221  case '>':
222  if (version == UINT16_MAX) {
223  SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface "
224  "version invalid: %d. Version can't be greater"
225  "than %d, with \">\" operator", version,
226  UINT16_MAX);
227  goto error;
228  }
229 
230  did->op = DETECT_DCE_IFACE_OP_GT;
231  break;
232  case '=':
233  did->op = DETECT_DCE_IFACE_OP_EQ;
234  break;
235  case '!':
236  did->op = DETECT_DCE_IFACE_OP_NE;
237  break;
238  }
239  }
240 
241  return did;
242 
243  error:
244  if (did != NULL)
245  SCFree(did);
246  return NULL;
247 }
248 
249 #include "app-layer-smb.h"
250 DCERPCState *DetectDceGetState(AppProto alproto, void *alstate)
251 {
252 #ifdef HAVE_RUST
253  return alstate;
254 #else
255  switch (alproto) {
256  case ALPROTO_DCERPC:
257  return alstate;
258  case ALPROTO_SMB: {
259  SMBState *smb_state = (SMBState *)alstate;
260  return &smb_state->ds;
261  }
262  case ALPROTO_SMB2:
263  // not implemented
264  return NULL;
265  }
266 
267  return NULL;
268 #endif
269 }
270 
271 /**
272  * \internal
273  * \brief Internal function that compares the dce interface version for this
274  * flow, to the signature's interface version specified using the
275  * dce_iface keyword.
276  *
277  * \param version The dce interface version for this flow.
278  * \param dce_data Pointer to the Signature's dce_iface keyword
279  * state(DetectDceIfaceData *).
280  */
281 static inline int DetectDceIfaceMatchIfaceVersion(const uint16_t version,
282  const DetectDceIfaceData *dce_data)
283 {
284  switch (dce_data->op) {
285  case DETECT_DCE_IFACE_OP_LT:
286  return (version < dce_data->version);
287  case DETECT_DCE_IFACE_OP_GT:
288  return (version > dce_data->version);
289  case DETECT_DCE_IFACE_OP_EQ:
290  return (version == dce_data->version);
291  case DETECT_DCE_IFACE_OP_NE:
292  return (version != dce_data->version);
293  default:
294  return 1;
295  }
296 }
297 
298 /**
299  * \brief App layer match function for the "dce_iface" keyword.
300  *
301  * \param t Pointer to the ThreadVars instance.
302  * \param det_ctx Pointer to the DetectEngineThreadCtx.
303  * \param f Pointer to the flow.
304  * \param flags Pointer to the flags indicating the flow direction.
305  * \param state Pointer to the app layer state data.
306  * \param s Pointer to the Signature instance.
307  * \param m Pointer to the SigMatch.
308  *
309  * \retval 1 On Match.
310  * \retval 0 On no match.
311  */
312 static int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
313  Flow *f, uint8_t flags, void *state, void *txv,
314  const Signature *s, const SigMatchCtx *m)
315 {
316  SCEnter();
317 
318  int ret = 0;
319  const DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
320 
321  DCERPCUuidEntry *item = NULL;
322  const DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
323  if (dcerpc_state == NULL) {
324  SCLogDebug("No DCERPCState for the flow");
325  SCReturnInt(0);
326  }
327 
328  /* we still haven't seen a request */
329  if (!dcerpc_state->dcerpc.dcerpcrequest.first_request_seen)
330  goto end;
331 
332  if (!(dcerpc_state->dcerpc.dcerpchdr.type == REQUEST ||
333  dcerpc_state->dcerpc.dcerpchdr.type == RESPONSE))
334  goto end;
335 
336  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.accepted_uuid_list, next) {
337  SCLogDebug("item %p", item);
338  ret = 1;
339 
340  /* if any_frag is not enabled, we need to match only against the first
341  * fragment */
342  if (!dce_data->any_frag && !(item->flags & DCERPC_UUID_ENTRY_FLAG_FF))
343  continue;
344 
345  /* if the uuid has been rejected(item->result == 1), we skip to the
346  * next uuid */
347  if (item->result != 0)
348  continue;
349 
350  /* check the interface uuid */
351  for (int i = 0; i < 16; i++) {
352  if (dce_data->uuid[i] != item->uuid[i]) {
353  ret = 0;
354  break;
355  }
356  }
357  ret &= (item->ctxid == dcerpc_state->dcerpc.dcerpcrequest.ctxid);
358  if (ret == 0)
359  continue;
360 
361  /* check the interface version */
362  if (dce_data->op != DETECT_DCE_IFACE_OP_NONE &&
363  !DetectDceIfaceMatchIfaceVersion(item->version, dce_data)) {
364  ret &= 0;
365  }
366 
367  /* we have a match. Time to leave with a match */
368  if (ret == 1)
369  goto end;
370  }
371 
372 end:
373  SCReturnInt(ret);
374 }
375 
376 #ifdef HAVE_RUST
377 static int DetectDceIfaceMatchRust(ThreadVars *t,
378  DetectEngineThreadCtx *det_ctx,
379  Flow *f, uint8_t flags, void *state, void *txv,
380  const Signature *s, const SigMatchCtx *m)
381 {
382  SCEnter();
383 
384  if (f->alproto == ALPROTO_DCERPC) {
385  return DetectDceIfaceMatch(t, det_ctx, f, flags,
386  state, txv, s, m);
387  }
388 
389  int ret = 0;
390  DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m;
391 
392  if (rs_smb_tx_get_dce_iface(f->alstate, txv, dce_data->uuid, 16, dce_data->op, dce_data->version) != 1) {
393  SCLogDebug("rs_smb_tx_get_dce_iface: didn't match");
394  } else {
395  SCLogDebug("rs_smb_tx_get_dce_iface: matched!");
396  ret = 1;
397  // TODO validate frag
398  }
399  SCReturnInt(ret);
400 }
401 #endif
402 
403 /**
404  * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument,
405  * and appends it to the Signature(s).
406  *
407  * \param de_ctx Pointer to the detection engine context.
408  * \param s Pointer to signature for the current Signature being parsed
409  * from the rules.
410  * \param arg Pointer to the string holding the keyword value.
411  *
412  * \retval 0 on success, -1 on failure.
413  */
414 
415 static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
416 {
417  DetectDceIfaceData *did = DetectDceIfaceArgParse(arg);
418  if (did == NULL) {
419  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dec_iface option in "
420  "signature");
421  return -1;
422  }
423 
424  SigMatch *sm = SigMatchAlloc();
425  if (sm == NULL) {
426  DetectDceIfaceFree(did);
427  return -1;
428  }
429 
430  sm->type = DETECT_DCE_IFACE;
431  sm->ctx = (void *)did;
432 
433  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
434  return 0;
435 }
436 
437 static void DetectDceIfaceFree(void *ptr)
438 {
439  SCFree(ptr);
440 
441  return;
442 }
443 
444 /************************************Unittests*********************************/
445 
446 #ifdef UNITTESTS
447 
448 static int DetectDceIfaceTestParse01(void)
449 {
450  SCEnter();
451 
452  Signature *s = SigAlloc();
453  if (s == NULL)
454  return 0;
455 
456  int result = 0;
457  DetectDceIfaceData *did = NULL;
458  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
459  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
460  SigMatch *temp = NULL;
461  int i = 0;
462 
463  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC") == 0);
464 
465  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
466  SCReturnInt(0);
467  }
468 
469  temp = s->sm_lists[g_dce_generic_list_id];
470  did = (DetectDceIfaceData *)temp->ctx;
471  if (did == NULL) {
472  SCReturnInt(0);
473  }
474 
475  result &= 1;
476  for (i = 0; i < 16; i++) {
477  if (did->uuid[i] != test_uuid[i]) {
478  result = 0;
479  break;
480  }
481  }
482 
483  result &= (did->version == 0);
484  result &= (did->op == 0);
485  result &= (did->any_frag == 0);
486 
487  SigFree(s);
488  SCReturnInt(result);
489 }
490 
491 static int DetectDceIfaceTestParse02(void)
492 {
493  SCEnter();
494 
495  Signature *s = SigAlloc();
496  if (s == NULL)
497  return 0;
498 
499  int result = 0;
500  DetectDceIfaceData *did = NULL;
501  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
502  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
503  SigMatch *temp = NULL;
504  int i = 0;
505 
506  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1") == 0);
507 
508  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
509  SCReturnInt(0);
510  }
511 
512  temp = s->sm_lists[g_dce_generic_list_id];
513  did = (DetectDceIfaceData *)temp->ctx;
514  if (did == NULL) {
515  SCReturnInt(0);
516  }
517 
518  result &= 1;
519  for (i = 0; i < 16; i++) {
520  if (did->uuid[i] != test_uuid[i]) {
521  result = 0;
522  break;
523  }
524  }
525 
526  result &= (did->version == 1);
527  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
528  result &= (did->any_frag == 0);
529 
530  SigFree(s);
531  SCReturnInt(result);
532 }
533 
534 static int DetectDceIfaceTestParse03(void)
535 {
536  SCEnter();
537 
538  Signature *s = SigAlloc();
539  if (s == NULL)
540  return 0;
541 
542  int result = 0;
543  DetectDceIfaceData *did = NULL;
544  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
545  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
546  SigMatch *temp = NULL;
547  int i = 0;
548 
549  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<10") == 0);
550 
551  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
552  SCReturnInt(0);
553  }
554 
555  temp = s->sm_lists[g_dce_generic_list_id];
556  did = (DetectDceIfaceData *)temp->ctx;
557  result &= 1;
558  for (i = 0; i < 16; i++) {
559  if (did->uuid[i] != test_uuid[i]) {
560  result = 0;
561  break;
562  }
563  }
564 
565  result &= (did->version == 10);
566  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
567  result &= (did->any_frag == 0);
568 
569  SigFree(s);
570  SCReturnInt(result);
571 }
572 
573 static int DetectDceIfaceTestParse04(void)
574 {
575  SCEnter();
576 
577  Signature *s = SigAlloc();
578  if (s == NULL)
579  return 0;
580 
581  int result = 0;
582  DetectDceIfaceData *did = NULL;
583  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
584  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
585  SigMatch *temp = NULL;
586  int i = 0;
587 
588  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!10") == 0);
589 
590  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
591  SCReturnInt(0);
592  }
593 
594  temp = s->sm_lists[g_dce_generic_list_id];
595  did = (DetectDceIfaceData *)temp->ctx;
596  if (did == NULL) {
597  SCReturnInt(0);
598  }
599 
600  result &= 1;
601  for (i = 0; i < 16; i++) {
602  if (did->uuid[i] != test_uuid[i]) {
603  result = 0;
604  break;
605  }
606  }
607 
608  result &= (did->version == 10);
609  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
610  result &= (did->any_frag == 0);
611 
612  SigFree(s);
613  SCReturnInt(result);
614 }
615 
616 static int DetectDceIfaceTestParse05(void)
617 {
618  SCEnter();
619 
620  Signature *s = SigAlloc();
621  int result = 0;
622  DetectDceIfaceData *did = NULL;
623  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
624  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
625  SigMatch *temp = NULL;
626  int i = 0;
627 
628  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=10") == 0);
629 
630  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
631  SCReturnInt(0);
632  }
633 
634  temp = s->sm_lists[g_dce_generic_list_id];
635  did = (DetectDceIfaceData *)temp->ctx;
636  if (did == NULL) {
637  SCReturnInt(0);
638  }
639 
640  result &= 1;
641  for (i = 0; i < 16; i++) {
642  if (did->uuid[i] != test_uuid[i]) {
643  result = 0;
644  break;
645  }
646  }
647 
648  result &= (did->version == 10);
649  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
650  result &= (did->any_frag == 0);
651 
652  SigFree(s);
653  SCReturnInt(result);
654 }
655 
656 static int DetectDceIfaceTestParse06(void)
657 {
658  SCEnter();
659 
660  Signature *s = SigAlloc();
661  if (s == NULL)
662  return 0;
663 
664  int result = 0;
665  DetectDceIfaceData *did = NULL;
666  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
667  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
668  SigMatch *temp = NULL;
669  int i = 0;
670 
671  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,any_frag") == 0);
672 
673  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
674  SCReturnInt(0);
675  }
676 
677  temp = s->sm_lists[g_dce_generic_list_id];
678  did = (DetectDceIfaceData *)temp->ctx;
679  if (did == NULL) {
680  SCReturnInt(0);
681  }
682 
683  result &= 1;
684  for (i = 0; i < 16; i++) {
685  if (did->uuid[i] != test_uuid[i]) {
686  result = 0;
687  break;
688  }
689  }
690 
691  result &= (did->version == 0);
692  result &= (did->op == 0);
693  result &= (did->any_frag == 1);
694 
695  SigFree(s);
696  SCReturnInt(result);
697 }
698 
699 static int DetectDceIfaceTestParse07(void)
700 {
701  SCEnter();
702 
703  Signature *s = SigAlloc();
704  if (s == NULL)
705  return 0;
706 
707  int result = 0;
708  DetectDceIfaceData *did = NULL;
709  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
710  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
711  SigMatch *temp = NULL;
712  int i = 0;
713 
714  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,any_frag") == 0);
715 
716  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
717  SCReturnInt(0);
718  }
719 
720  temp = s->sm_lists[g_dce_generic_list_id];
721  did = (DetectDceIfaceData *)temp->ctx;
722  if (did == NULL) {
723  SCReturnInt(0);
724  }
725 
726  result &= 1;
727  for (i = 0; i < 16; i++) {
728  if (did->uuid[i] != test_uuid[i]) {
729  result = 0;
730  break;
731  }
732  }
733 
734  result &= (did->version == 1);
735  result &= (did->op == DETECT_DCE_IFACE_OP_GT);
736  result &= (did->any_frag == 1);
737 
738  SigFree(s);
739  SCReturnInt(result);
740 }
741 
742 static int DetectDceIfaceTestParse08(void)
743 {
744  Signature *s = SigAlloc();
745  if (s == NULL)
746  return 0;
747 
748  int result = 0;
749  DetectDceIfaceData *did = NULL;
750  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
751  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
752  SigMatch *temp = NULL;
753  int i = 0;
754 
755  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<1,any_frag") == 0);
756 
757  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
758  SCReturnInt(0);
759  }
760 
761  temp = s->sm_lists[g_dce_generic_list_id];
762  did = (DetectDceIfaceData *)temp->ctx;
763  if (did == NULL) {
764  SCReturnInt(0);
765  }
766 
767  result &= 1;
768  for (i = 0; i < 16; i++) {
769  if (did->uuid[i] != test_uuid[i]) {
770  result = 0;
771  break;
772  }
773  }
774 
775  result &= (did->version == 1);
776  result &= (did->op == DETECT_DCE_IFACE_OP_LT);
777  result &= (did->any_frag == 1);
778 
779  SigFree(s);
780  SCReturnInt(result);
781 }
782 
783 static int DetectDceIfaceTestParse09(void)
784 {
785  SCEnter();
786 
787  Signature *s = SigAlloc();
788  if (s == NULL)
789  return 0;
790 
791  int result = 0;
792  DetectDceIfaceData *did = NULL;
793  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
794  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
795  SigMatch *temp = NULL;
796  int i = 0;
797 
798  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,=1,any_frag") == 0);
799 
800  temp = s->sm_lists[g_dce_generic_list_id];
801  did = (DetectDceIfaceData *)temp->ctx;
802  if (did == NULL) {
803  SCReturnInt(0);
804  }
805 
806  result &= 1;
807  for (i = 0; i < 16; i++) {
808  if (did->uuid[i] != test_uuid[i]) {
809  result = 0;
810  break;
811  }
812  }
813 
814  result &= (did->version == 1);
815  result &= (did->op == DETECT_DCE_IFACE_OP_EQ);
816  result &= (did->any_frag == 1);
817 
818  SigFree(s);
819  SCReturnInt(result);
820 }
821 
822 static int DetectDceIfaceTestParse10(void)
823 {
824  SCEnter();
825 
826  Signature *s = SigAlloc();
827  if (s == NULL)
828  return 0;
829 
830  int result = 0;
831  DetectDceIfaceData *did = NULL;
832  uint8_t test_uuid[] = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x12, 0x34, 0x12, 0x34,
833  0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};
834  SigMatch *temp = NULL;
835  int i = 0;
836 
837  result = (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,!1,any_frag") == 0);
838 
839  if (s->sm_lists[g_dce_generic_list_id] == NULL) {
840  SCReturnInt(0);
841  }
842 
843  temp = s->sm_lists[g_dce_generic_list_id];
844  did = (DetectDceIfaceData *)temp->ctx;
845  if (did == NULL) {
846  SCReturnInt(0);
847  }
848 
849  result &= 1;
850  for (i = 0; i < 16; i++) {
851  if (did->uuid[i] != test_uuid[i]) {
852  result = 0;
853  break;
854  }
855  }
856 
857  result &= (did->version == 1);
858  result &= (did->op == DETECT_DCE_IFACE_OP_NE);
859  result &= (did->any_frag == 1);
860 
861  SigFree(s);
862  SCReturnInt(result);
863 }
864 
865 static int DetectDceIfaceTestParse11(void)
866 {
867  SCEnter();
868 
869  Signature *s = SigAlloc();
870  if (s == NULL)
871  return 0;
872 
873  int result = 1;
874 
875  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>1,ay_frag") == -1);
876  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-12345679ABC,>1,any_frag") == -1);
877  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-134-123456789ABC,>1,any_frag") == -1);
878  result &= (DetectDceIfaceSetup(NULL, s, "12345678-123-124-1234-123456789ABC,>1,any_frag") == -1);
879  result &= (DetectDceIfaceSetup(NULL, s, "1234568-1234-1234-1234-123456789ABC,>1,any_frag") == -1);
880  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65536,any_frag") == -1);
881  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>=1,any_frag") == -1);
882  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,<0,any_frag") == -1);
883  result &= (DetectDceIfaceSetup(NULL, s, "12345678-1234-1234-1234-123456789ABC,>65535,any_frag") == -1);
884 
885  SigFree(s);
886  return result;
887 }
888 
889 /**
890  * \test Test a valid dce_iface entry for a bind and bind_ack
891  */
892 static int DetectDceIfaceTestParse12(void)
893 {
894  Signature *s = NULL;
895  ThreadVars th_v;
896  Packet *p = NULL;
897  Flow f;
898  TcpSession ssn;
899  DetectEngineThreadCtx *det_ctx = NULL;
900  DetectEngineCtx *de_ctx = NULL;
901  DCERPCState *dcerpc_state = NULL;
902  int r = 0;
903 
904  uint8_t dcerpc_bind[] = {
905  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
906  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
907  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
908  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
909  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
910  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
911  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
912  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
913  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
914  };
915 
916  uint8_t dcerpc_bindack[] = {
917  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
918  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
919  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
920  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
921  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
922  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
923  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
924  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
925  0x02, 0x00, 0x00, 0x00
926  };
927 
928  uint8_t dcerpc_request[] = {
929  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
930  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
931  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
932  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
933  };
934 
935  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
936  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
937  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
938 
939  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
940 
941  memset(&th_v, 0, sizeof(th_v));
942  memset(&f, 0, sizeof(f));
943  memset(&ssn, 0, sizeof(ssn));
944 
945  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
946 
947  FLOW_INITIALIZE(&f);
948  f.protoctx = (void *)&ssn;
949  f.proto = IPPROTO_TCP;
950  p->flow = &f;
951  p->flowflags |= FLOW_PKT_TOSERVER;
952  p->flowflags |= FLOW_PKT_ESTABLISHED;
953  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
954  f.alproto = ALPROTO_DCERPC;
955 
956  StreamTcpInitConfig(TRUE);
957 
958  de_ctx = DetectEngineCtxInit();
959  FAIL_IF(de_ctx == NULL);
960  de_ctx->flags |= DE_QUIET;
961 
962  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
963  "(msg:\"DCERPC\"; "
964  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; "
965  "sid:1;)");
966  FAIL_IF(s == NULL);
967 
968  SigGroupBuild(de_ctx);
969  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
970 
971  SCLogDebug("handling to_server chunk");
972 
973  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
974  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
975  dcerpc_bind_len);
976  FAIL_IF(r != 0);
977 
978  dcerpc_state = f.alstate;
979  FAIL_IF(dcerpc_state == NULL);
980 
981  /* do detect */
982  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
983  FAIL_IF(PacketAlertCheck(p, 1));
984 
985  SCLogDebug("handling to_client chunk");
986 
987  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
988  STREAM_TOCLIENT, dcerpc_bindack,
989  dcerpc_bindack_len);
990  FAIL_IF(r != 0);
991 
992  /* do detect */
993  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
994  FAIL_IF(PacketAlertCheck(p, 1));
995 
996  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
997  STREAM_TOCLIENT, dcerpc_request,
998  dcerpc_request_len);
999  FAIL_IF(r != 0);
1000 
1001  /* do detect */
1002  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1003 
1004  FAIL_IF(!PacketAlertCheck(p, 1));
1005  if (alp_tctx != NULL)
1006  AppLayerParserThreadCtxFree(alp_tctx);
1007  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1008  DetectEngineCtxFree(de_ctx);
1009  StreamTcpFreeConfig(TRUE);
1010  FLOW_DESTROY(&f);
1011  UTHFreePackets(&p, 1);
1012  PASS;
1013 }
1014 
1015 /* Disabled because of bug_753. Would be enabled, once we rewrite
1016  * dce parser */
1017 #if 0
1018 
1019 /**
1020  * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses.
1021  */
1022 static int DetectDceIfaceTestParse13(void)
1023 {
1024  int result = 0;
1025  Signature *s = NULL;
1026  ThreadVars th_v;
1027  Packet *p = NULL;
1028  Flow f;
1029  TcpSession ssn;
1030  DetectEngineThreadCtx *det_ctx = NULL;
1031  DetectEngineCtx *de_ctx = NULL;
1032  DCERPCState *dcerpc_state = NULL;
1033  int r = 0;
1034 
1035  uint8_t dcerpc_bind[] = {
1036  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1037  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1038  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1039  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1040  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1041  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1042  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1043  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1044  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1045  };
1046 
1047  uint8_t dcerpc_bindack[] = {
1048  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1049  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1050  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1051  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1052  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1053  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1054  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1055  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1056  0x02, 0x00, 0x00, 0x00,
1057  };
1058 
1059  uint8_t dcerpc_request1[] = {
1060  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1061  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1062  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1063  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1064  0x00, 0x00, 0x00, 0x02,
1065  };
1066 
1067  uint8_t dcerpc_response1[] = {
1068  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1069  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1070  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1071  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1072  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1073  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1074  };
1075 
1076  uint8_t dcerpc_request2[] = {
1077  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1078  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1079  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1080  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1081  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1082  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1083  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1084  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1085  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1086  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1087  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1088  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1089  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1090  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1091  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1092  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1093  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1094  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1095  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1096  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1097  0x03, 0x00, 0x00, 0x00,
1098  };
1099 
1100  uint8_t dcerpc_response2[] = {
1101  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1102  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1103  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1104  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1105  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1106  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1107  };
1108 
1109  uint8_t dcerpc_request3[] = {
1110  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1111  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1112  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1113  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1114  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1115  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1116  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1117  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1118  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1119  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1120  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1121  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1122  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1123  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1124  };
1125 
1126  uint8_t dcerpc_response3[] = {
1127  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1128  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1129  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1130  0x00, 0x00, 0x00, 0x00,
1131  };
1132 
1133  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1134  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1135 
1136  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1137  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1138 
1139  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1140  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1141 
1142  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1143  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1144 
1145  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1146 
1147  memset(&th_v, 0, sizeof(th_v));
1148  memset(&p, 0, sizeof(p));
1149  memset(&f, 0, sizeof(f));
1150  memset(&ssn, 0, sizeof(ssn));
1151 
1152  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1153 
1154  FLOW_INITIALIZE(&f);
1155  f.protoctx = (void *)&ssn;
1156  f.proto = IPPROTO_TCP;
1157  p->flow = &f;
1158  p->flowflags |= FLOW_PKT_TOSERVER;
1159  p->flowflags |= FLOW_PKT_ESTABLISHED;
1160  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1161  f.alproto = ALPROTO_DCERPC;
1162 
1163  StreamTcpInitConfig(TRUE);
1164 
1165  de_ctx = DetectEngineCtxInit();
1166  if (de_ctx == NULL)
1167  goto end;
1168 
1169  de_ctx->flags |= DE_QUIET;
1170 
1171  s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
1172  "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)");
1173  if (s == NULL)
1174  goto end;
1175 
1176  SigGroupBuild(de_ctx);
1177  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1178 
1179  SCLogDebug("chunk 1, bind");
1180 
1181  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1182  dcerpc_bind, dcerpc_bind_len);
1183  if (r != 0) {
1184  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1185  goto end;
1186  }
1187 
1188  dcerpc_state = f.alstate;
1189  if (dcerpc_state == NULL) {
1190  SCLogDebug("no dcerpc state: ");
1191  goto end;
1192  }
1193 
1194  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1195  p->flowflags |= FLOW_PKT_TOSERVER;
1196  /* do detect */
1197  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1198 
1199  if (PacketAlertCheck(p, 1)) {
1200  printf("sig 1 didn't match after bind request: ");
1201  goto end;
1202  }
1203 
1204  SCLogDebug("chunk 2, bind_ack");
1205 
1206  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
1207  dcerpc_bindack_len);
1208  if (r != 0) {
1209  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1210  goto end;
1211  }
1212 
1213  p->flowflags &=~ FLOW_PKT_TOSERVER;
1214  p->flowflags |= FLOW_PKT_TOCLIENT;
1215  /* do detect */
1216  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1217 
1218  if (PacketAlertCheck(p, 1)) {
1219  printf("sig 1 matched again after bind ack: ");
1220  goto end;
1221  }
1222 
1223  SCLogDebug("chunk 3, request 1");
1224 
1225  /* request1 */
1226  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
1227  dcerpc_request1_len);
1228  if (r != 0) {
1229  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1230  goto end;
1231  }
1232 
1233  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1234  p->flowflags |= FLOW_PKT_TOSERVER;
1235  /* do detect */
1236  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1237 
1238  if (!(PacketAlertCheck(p, 1))) {
1239  printf("sig 1 didn't match after request1: ");
1240  goto end;
1241  }
1242 
1243  SCLogDebug("sending response1");
1244 
1245  /* response1 */
1246  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
1247  dcerpc_response1_len);
1248  if (r != 0) {
1249  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1250  goto end;
1251  }
1252 
1253  p->flowflags &=~ FLOW_PKT_TOSERVER;
1254  p->flowflags |= FLOW_PKT_TOCLIENT;
1255  /* do detect */
1256  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1257 
1258  if (PacketAlertCheck(p, 1)) {
1259  printf("sig 1 matched after response1, but shouldn't: ");
1260  goto end;
1261  }
1262 
1263  SCLogDebug("sending request2");
1264 
1265  /* request2 */
1266  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
1267  dcerpc_request2_len);
1268  if (r != 0) {
1269  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1270  goto end;
1271  }
1272 
1273  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1274  p->flowflags |= FLOW_PKT_TOSERVER;
1275  /* do detect */
1276  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1277 
1278  if (!(PacketAlertCheck(p, 1))) {
1279  printf("sig 1 didn't match after request2: ");
1280  goto end;
1281  }
1282 
1283  /* response2 */
1284  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
1285  dcerpc_response2_len);
1286  if (r != 0) {
1287  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1288  goto end;
1289  }
1290 
1291  p->flowflags &=~ FLOW_PKT_TOSERVER;
1292  p->flowflags |= FLOW_PKT_TOCLIENT;
1293  /* do detect */
1294  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1295 
1296  if (PacketAlertCheck(p, 1)) {
1297  printf("sig 1 matched after response2, but shouldn't have: ");
1298  goto end;
1299  }
1300 
1301  /* request3 */
1302  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
1303  dcerpc_request3_len);
1304  if (r != 0) {
1305  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1306  goto end;
1307  }
1308 
1309  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1310  p->flowflags |= FLOW_PKT_TOSERVER;
1311  /* do detect */
1312  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1313 
1314  if (!(PacketAlertCheck(p, 1))) {
1315  printf("sig 1 didn't match after request3: ");
1316  goto end;
1317  }
1318 
1319  /* response3 */
1320  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
1321  dcerpc_response3, dcerpc_response3_len);
1322  if (r != 0) {
1323  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1324  goto end;
1325  }
1326 
1327  p->flowflags &=~ FLOW_PKT_TOSERVER;
1328  p->flowflags |= FLOW_PKT_TOCLIENT;
1329  /* do detect */
1330  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1331 
1332  if (PacketAlertCheck(p, 1)) {
1333  printf("sig 1 matched after response3, but shouldn't have: ");
1334  goto end;
1335  }
1336 
1337  result = 1;
1338 
1339  end:
1340  if (alp_tctx != NULL)
1341  AppLayerParserThreadCtxFree(alp_tctx);
1342  SigGroupCleanup(de_ctx);
1343  SigCleanSignatures(de_ctx);
1344 
1345  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1346  DetectEngineCtxFree(de_ctx);
1347 
1348  StreamTcpFreeConfig(TRUE);
1349  UTHFreePackets(&p, 1);
1350  return result;
1351 }
1352 
1353 #endif
1354 
1355 /**
1356  * \test Test a valid dce_iface entry for a bind and bind_ack
1357  */
1358 static int DetectDceIfaceTestParse14(void)
1359 {
1360  int result = 0;
1361  Signature *s = NULL;
1362  ThreadVars th_v;
1363  Packet *p = NULL;
1364  Flow f;
1365  TcpSession ssn;
1366  DetectEngineThreadCtx *det_ctx = NULL;
1367  DetectEngineCtx *de_ctx = NULL;
1368  DCERPCState *dcerpc_state = NULL;
1369  int r = 0;
1370 
1371  uint8_t dcerpc_bind[] = {
1372  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1373  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1374  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1375  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1376  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
1377  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
1378  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1379  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1380  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1381  };
1382 
1383  uint8_t dcerpc_bindack[] = {
1384  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1385  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1386  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
1387  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1388  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
1389  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1390  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1391  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1392  0x02, 0x00, 0x00, 0x00
1393  };
1394 
1395  uint8_t dcerpc_request[] = {
1396  0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
1397  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1398  0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1399  0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1400  };
1401 
1402  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1403  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1404  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1405 
1406  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1407 
1408  memset(&th_v, 0, sizeof(th_v));
1409  memset(&p, 0, sizeof(p));
1410  memset(&f, 0, sizeof(f));
1411  memset(&ssn, 0, sizeof(ssn));
1412 
1413  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1414 
1415  FLOW_INITIALIZE(&f);
1416  f.protoctx = (void *)&ssn;
1417  f.proto = IPPROTO_TCP;
1418  p->flow = &f;
1419  p->flowflags |= FLOW_PKT_TOSERVER;
1420  p->flowflags |= FLOW_PKT_ESTABLISHED;
1421  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1422  f.alproto = ALPROTO_DCERPC;
1423 
1424  StreamTcpInitConfig(TRUE);
1425 
1426  de_ctx = DetectEngineCtxInit();
1427  if (de_ctx == NULL)
1428  goto end;
1429 
1430  de_ctx->flags |= DE_QUIET;
1431 
1432  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1433  "(msg:\"DCERPC\"; "
1434  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0; "
1435  "sid:1;)");
1436  if (s == NULL)
1437  goto end;
1438 
1439  SigGroupBuild(de_ctx);
1440  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1441 
1442  FLOWLOCK_WRLOCK(&f);
1443  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1444  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1445  dcerpc_bind_len);
1446  if (r != 0) {
1447  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1448  FLOWLOCK_UNLOCK(&f);
1449  goto end;
1450  }
1451  FLOWLOCK_UNLOCK(&f);
1452 
1453  dcerpc_state = f.alstate;
1454  if (dcerpc_state == NULL) {
1455  SCLogDebug("no dcerpc state: ");
1456  goto end;
1457  }
1458 
1459  /* do detect */
1460  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1461 
1462  if (PacketAlertCheck(p, 1))
1463  goto end;
1464 
1465  FLOWLOCK_WRLOCK(&f);
1466  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1467  STREAM_TOCLIENT, dcerpc_bindack,
1468  dcerpc_bindack_len);
1469  if (r != 0) {
1470  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1471  FLOWLOCK_UNLOCK(&f);
1472  goto end;
1473  }
1474  FLOWLOCK_UNLOCK(&f);
1475 
1476  /* do detect */
1477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1478 
1479  if (PacketAlertCheck(p, 1)) {
1480  printf("sig 1 matched but shouldn't have: ");
1481  goto end;
1482  }
1483 
1484  FLOWLOCK_WRLOCK(&f);
1485  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1486  STREAM_TOCLIENT, dcerpc_request,
1487  dcerpc_request_len);
1488  if (r != 0) {
1489  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1490  FLOWLOCK_UNLOCK(&f);
1491  goto end;
1492  }
1493  FLOWLOCK_UNLOCK(&f);
1494 
1495  /* do detect */
1496  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1497 
1498  if (!PacketAlertCheck(p, 1)) {
1499  printf("sig 1 matched but shouldn't have: ");
1500  goto end;
1501  }
1502 
1503  result = 1;
1504 
1505  end:
1506  if (alp_tctx != NULL)
1507  AppLayerParserThreadCtxFree(alp_tctx);
1508  SigGroupCleanup(de_ctx);
1509  SigCleanSignatures(de_ctx);
1510 
1511  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1512  DetectEngineCtxFree(de_ctx);
1513 
1514  StreamTcpFreeConfig(TRUE);
1515  FLOW_DESTROY(&f);
1516  UTHFreePackets(&p, 1);
1517  return result;
1518 }
1519 
1520 /**
1521  * \test Test a valid dce_iface entry for a bind and bind_ack
1522  */
1523 static int DetectDceIfaceTestParse15(void)
1524 {
1525  int result = 0;
1526  Signature *s = NULL;
1527  ThreadVars th_v;
1528  Packet *p = NULL;
1529  Flow f;
1530  TcpSession ssn;
1531  DetectEngineThreadCtx *det_ctx = NULL;
1532  DetectEngineCtx *de_ctx = NULL;
1533  DCERPCState *dcerpc_state = NULL;
1534  int r = 0;
1535 
1536  uint8_t dcerpc_bind[] = {
1537  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1538  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1539  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1540  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1541  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
1542  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1543  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1544  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1545  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1546  };
1547  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1548 
1549  uint8_t dcerpc_bindack[] = {
1550  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1551  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1552  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1553  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
1554  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
1555  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1556  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1557  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1558  0x02, 0x00, 0x00, 0x00
1559  };
1560  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1561 
1562  uint8_t dcerpc_alter_context[] = {
1563  0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
1564  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1565  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1566  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
1567  0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11,
1568  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1569  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1570  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1571  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1572  };
1573  uint32_t dcerpc_alter_context_len = sizeof(dcerpc_alter_context);
1574 
1575  uint8_t dcerpc_alter_context_resp[] = {
1576  0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00,
1577  0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1578  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1579  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
1580  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1581  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1582  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
1583  };
1584  uint32_t dcerpc_alter_context_resp_len = sizeof(dcerpc_alter_context_resp);
1585 
1586  uint8_t dcerpc_request1[] = {
1587  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1588  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1589  0x20, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1590  0xdd, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1591  };
1592  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1593 
1594  uint8_t dcerpc_response1[] = {
1595  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1596  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1597  0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1598  0x00, 0x00, 0x00, 0x00, 0xf5, 0x66, 0xbf, 0x54,
1599  0xc4, 0xdb, 0xdb, 0x4f, 0xa0, 0x01, 0x6d, 0xf4,
1600  0xf6, 0xa8, 0x44, 0xb3, 0x00, 0x00, 0x00, 0x00
1601  };
1602  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1603 
1604  uint8_t dcerpc_request2[] = {
1605  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1606  0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1607  0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
1608  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
1609  };
1610  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1611 
1612  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1613 
1614  memset(&th_v, 0, sizeof(th_v));
1615  memset(&p, 0, sizeof(p));
1616  memset(&f, 0, sizeof(f));
1617  memset(&ssn, 0, sizeof(ssn));
1618 
1619  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1620 
1621  FLOW_INITIALIZE(&f);
1622  f.protoctx = (void *)&ssn;
1623  f.proto = IPPROTO_TCP;
1624  p->flow = &f;
1625  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1626  p->flowflags |= FLOW_PKT_TOSERVER;
1627  p->flowflags |= FLOW_PKT_ESTABLISHED;
1628  f.alproto = ALPROTO_DCERPC;
1629 
1630  StreamTcpInitConfig(TRUE);
1631 
1632  de_ctx = DetectEngineCtxInit();
1633  if (de_ctx == NULL)
1634  goto end;
1635 
1636  de_ctx->flags |= DE_QUIET;
1637 
1638  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1639  "(msg:\"DCERPC\"; "
1640  "dce_iface:57674cd0-5200-11ce-a897-08002b2e9c6d; "
1641  "sid:1;)");
1642  if (s == NULL)
1643  goto end;
1644 
1645  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1646  "(msg:\"DCERPC\"; "
1647  "dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; "
1648  "sid:2;)");
1649  if (s == NULL)
1650  goto end;
1651 
1652  SigGroupBuild(de_ctx);
1653  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1654 
1655  FLOWLOCK_WRLOCK(&f);
1656  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1657  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1658  dcerpc_bind_len);
1659  if (r != 0) {
1660  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1661  FLOWLOCK_UNLOCK(&f);
1662  goto end;
1663  }
1664  FLOWLOCK_UNLOCK(&f);
1665 
1666  dcerpc_state = f.alstate;
1667  if (dcerpc_state == NULL) {
1668  SCLogDebug("no dcerpc state: ");
1669  goto end;
1670  }
1671 
1672  /* do detect */
1673  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1674 
1675  if (PacketAlertCheck(p, 1))
1676  goto end;
1677  if (PacketAlertCheck(p, 2))
1678  goto end;
1679 
1680  FLOWLOCK_WRLOCK(&f);
1681  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1682  STREAM_TOCLIENT, dcerpc_bindack,
1683  dcerpc_bindack_len);
1684  if (r != 0) {
1685  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1686  FLOWLOCK_UNLOCK(&f);
1687  goto end;
1688  }
1689  FLOWLOCK_UNLOCK(&f);
1690 
1691  /* do detect */
1692  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1693 
1694  if (PacketAlertCheck(p, 1)) {
1695  printf("sig 1 matched but shouldn't have: ");
1696  goto end;
1697  }
1698  if (PacketAlertCheck(p, 2)) {
1699  printf("sig 1 matched but shouldn't have: ");
1700  goto end;
1701  }
1702 
1703  FLOWLOCK_WRLOCK(&f);
1704  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1705  STREAM_TOSERVER, dcerpc_alter_context,
1706  dcerpc_alter_context_len);
1707  if (r != 0) {
1708  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1709  FLOWLOCK_UNLOCK(&f);
1710  goto end;
1711  }
1712  FLOWLOCK_UNLOCK(&f);
1713 
1714  /* do detect */
1715  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1716 
1717  if (PacketAlertCheck(p, 1)) {
1718  printf("sig 1 matched but shouldn't have: ");
1719  goto end;
1720  }
1721  if (PacketAlertCheck(p, 2)) {
1722  printf("sig 1 matched but shouldn't have: ");
1723  goto end;
1724  }
1725 
1726  FLOWLOCK_WRLOCK(&f);
1727  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1728  STREAM_TOCLIENT, dcerpc_alter_context_resp,
1729  dcerpc_alter_context_resp_len);
1730  if (r != 0) {
1731  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1732  FLOWLOCK_UNLOCK(&f);
1733  goto end;
1734  }
1735  FLOWLOCK_UNLOCK(&f);
1736 
1737  /* do detect */
1738  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1739 
1740  if (PacketAlertCheck(p, 1)) {
1741  printf("sig 1 matched but shouldn't have: ");
1742  goto end;
1743  }
1744  if (PacketAlertCheck(p, 2)) {
1745  printf("sig 1 matched but shouldn't have: ");
1746  goto end;
1747  }
1748 
1749  FLOWLOCK_WRLOCK(&f);
1750  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1751  STREAM_TOSERVER, dcerpc_request1,
1752  dcerpc_request1_len);
1753  if (r != 0) {
1754  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1755  FLOWLOCK_UNLOCK(&f);
1756  goto end;
1757  }
1758  FLOWLOCK_UNLOCK(&f);
1759 
1760  /* do detect */
1761  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1762 
1763  if (!PacketAlertCheck(p, 1)) {
1764  printf("sig 1 matched but shouldn't have: ");
1765  goto end;
1766  }
1767  if (PacketAlertCheck(p, 2)) {
1768  printf("sig 1 matched but shouldn't have: ");
1769  goto end;
1770  }
1771 
1772  FLOWLOCK_WRLOCK(&f);
1773  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1774  STREAM_TOCLIENT, dcerpc_response1,
1775  dcerpc_response1_len);
1776  if (r != 0) {
1777  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1778  FLOWLOCK_UNLOCK(&f);
1779  goto end;
1780  }
1781  FLOWLOCK_UNLOCK(&f);
1782 
1783  /* do detect */
1784  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1785 
1786  if (PacketAlertCheck(p, 1)) {
1787  printf("sig 1 matched but shouldn't have: ");
1788  goto end;
1789  }
1790  if (PacketAlertCheck(p, 2)) {
1791  printf("sig 1 matched but shouldn't have: ");
1792  goto end;
1793  }
1794 
1795  FLOWLOCK_WRLOCK(&f);
1796  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1797  STREAM_TOSERVER, dcerpc_request2,
1798  dcerpc_request2_len);
1799  if (r != 0) {
1800  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1801  FLOWLOCK_UNLOCK(&f);
1802  goto end;
1803  }
1804  FLOWLOCK_UNLOCK(&f);
1805 
1806  /* do detect */
1807  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1808 
1809  if (PacketAlertCheck(p, 1)) {
1810  printf("sig 1 matched but shouldn't have: ");
1811  goto end;
1812  }
1813  if (!PacketAlertCheck(p, 2)) {
1814  printf("sig 1 matched but shouldn't have: ");
1815  goto end;
1816  }
1817 
1818  result = 1;
1819 
1820  end:
1821  if (alp_tctx != NULL)
1822  AppLayerParserThreadCtxFree(alp_tctx);
1823  SigGroupCleanup(de_ctx);
1824  SigCleanSignatures(de_ctx);
1825 
1826  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1827  DetectEngineCtxFree(de_ctx);
1828 
1829  StreamTcpFreeConfig(TRUE);
1830  FLOW_DESTROY(&f);
1831  UTHFreePackets(&p, 1);
1832  return result;
1833 }
1834 
1835 #endif
1836 
1837 static void DetectDceIfaceRegisterTests(void)
1838 {
1839 #ifdef UNITTESTS
1840  UtRegisterTest("DetectDceIfaceTestParse01", DetectDceIfaceTestParse01);
1841  UtRegisterTest("DetectDceIfaceTestParse02", DetectDceIfaceTestParse02);
1842  UtRegisterTest("DetectDceIfaceTestParse03", DetectDceIfaceTestParse03);
1843  UtRegisterTest("DetectDceIfaceTestParse04", DetectDceIfaceTestParse04);
1844  UtRegisterTest("DetectDceIfaceTestParse05", DetectDceIfaceTestParse05);
1845  UtRegisterTest("DetectDceIfaceTestParse06", DetectDceIfaceTestParse06);
1846  UtRegisterTest("DetectDceIfaceTestParse07", DetectDceIfaceTestParse07);
1847  UtRegisterTest("DetectDceIfaceTestParse08", DetectDceIfaceTestParse08);
1848  UtRegisterTest("DetectDceIfaceTestParse09", DetectDceIfaceTestParse09);
1849  UtRegisterTest("DetectDceIfaceTestParse10", DetectDceIfaceTestParse10);
1850  UtRegisterTest("DetectDceIfaceTestParse11", DetectDceIfaceTestParse11);
1851  UtRegisterTest("DetectDceIfaceTestParse12", DetectDceIfaceTestParse12);
1852  /* Disabled because of bug_753. Would be enabled, once we rewrite
1853  * dce parser */
1854 #if 0
1855  UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
1856 #endif
1857  UtRegisterTest("DetectDceIfaceTestParse14", DetectDceIfaceTestParse14);
1858  UtRegisterTest("DetectDceIfaceTestParse15", DetectDceIfaceTestParse15);
1859 #endif
1860 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2190
DetectDceIfaceRegister
void DetectDceIfaceRegister(void)
Registers the keyword handlers for the "dce_iface" keyword.
Definition: detect-dce-iface.c:83
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
flags
uint16_t flags
Definition: app-layer-dns-common.h:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectDceIfaceData_::any_frag
uint8_t any_frag
Definition: detect-dce-iface.h:41
Packet_::flow
struct Flow_ * flow
Definition: decode.h:444
DetectDceIfaceData_::op
uint8_t op
Definition: detect-dce-iface.h:39
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:493
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:346
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:235
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DCERPCRequest_::first_request_seen
uint8_t first_request_seen
Definition: app-layer-dcerpc-common.h:176
DetectDceIfaceData_::uuid
uint8_t uuid[16]
Definition: detect-dce-iface.h:38
DCERPC_UUID_ENTRY_FLAG_FF
#define DCERPC_UUID_ENTRY_FLAG_FF
Definition: app-layer-dcerpc-common.h:134
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
SigMatchData_
Data needed for Match()
Definition: detect.h:333
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:232
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1160
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:69
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1193
Signature_
Signature container.
Definition: detect.h:492
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
Flow_::protoctx
void * protoctx
Definition: flow.h:398
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:720
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Flow_::alstate
void * alstate
Definition: flow.h:436
DE_QUIET
#define DE_QUIET
Definition: detect.h:298
DCERPC_::dcerpchdr
DCERPCHdr dcerpchdr
Definition: app-layer-dcerpc-common.h:189
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:244
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:721
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1151
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1291
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1893
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2276
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:243
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
REQUEST
#define REQUEST
Definition: app-layer-dcerpc-common.h:38
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:438
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
DCERPCUuidEntry_::result
uint16_t result
Definition: app-layer-dcerpc-common.h:141
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
DCERPC_::dcerpcbindbindack
DCERPCBindBindAck dcerpcbindbindack
Definition: app-layer-dcerpc-common.h:190
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246
SMBState_
Definition: app-layer-smb.h:81
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1965
SigMatch_::type
uint8_t type
Definition: detect.h:325
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Packet_
Definition: decode.h:406
DetectDceIfaceData_::version
uint16_t version
Definition: detect-dce-iface.h:40
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:654
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1168
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:327
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:174
DCERPCUuidEntry_::flags
uint16_t flags
Definition: app-layer-dcerpc-common.h:145
version
uint8_t version
Definition: decode-gre.h:405
SCFree
#define SCFree(a)
Definition: util-mem.h:236
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DCERPCUuidEntry_::version
uint16_t version
Definition: app-layer-dcerpc-common.h:143
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:38
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-iface.c:55
RESPONSE
#define RESPONSE
Definition: app-layer-dcerpc-common.h:40
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
DCERPCRequest_::ctxid
uint16_t ctxid
Definition: app-layer-dcerpc-common.h:170
DCERPCBindBindAck_::accepted_uuid_list
DCERPCUuidEntryList accepted_uuid_list
Definition: app-layer-dcerpc-common.h:162
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1101
DCERPCUuidEntry_::uuid
uint8_t uuid[16]
Definition: app-layer-dcerpc-common.h:142
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
len
uint8_t len
Definition: app-layer-dnp3.h:2617
DCERPCHdr_::type
uint8_t type
Definition: app-layer-dcerpc-common.h:100
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectDceIfaceData_
Definition: detect-dce-iface.h:37
DetectDceGetState
DCERPCState * DetectDceGetState(AppProto alproto, void *alstate)
Definition: detect-dce-iface.c:250
DetectEngineThreadCtx_
Definition: detect.h:962
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:194
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:407
DCERPCUuidEntry_::ctxid
uint16_t ctxid
Definition: app-layer-dcerpc-common.h:139
Packet_::flags
uint32_t flags
Definition: decode.h:442
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:327
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1099
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:129
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1152
SMBState_::ds
DCERPCState ds
Definition: app-layer-smb.h:89
SigMatch_
a single match condition for a signature
Definition: detect.h:324
DCERPCUuidEntry_
Definition: app-layer-dcerpc-common.h:138
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640