suricata
detect-dce-opnum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_opnum keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 #include "flow-util.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-dcerpc.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 #include "detect-dce-opnum.h"
44 #include "detect-dce-iface.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "stream-tcp.h"
50 
51 #include "rust.h"
52 #include "rust-smb-detect-gen.h"
53 
54 #define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
55 
56 static pcre *parse_regex = NULL;
57 static pcre_extra *parse_regex_study = NULL;
58 
59 static int DetectDceOpnumMatchRust(ThreadVars *t,
60  DetectEngineThreadCtx *det_ctx,
61  Flow *f, uint8_t flags, void *state, void *txv,
62  const Signature *s, const SigMatchCtx *m);
63 static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectDceOpnumFree(void *);
65 static void DetectDceOpnumRegisterTests(void);
66 static int g_dce_generic_list_id = 0;
67 
68 /**
69  * \brief Registers the keyword handlers for the "dce_opnum" keyword.
70  */
71 void DetectDceOpnumRegister(void)
72 {
73  sigmatch_table[DETECT_DCE_OPNUM].name = "dce_opnum";
74  sigmatch_table[DETECT_DCE_OPNUM].Match = NULL;
75  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatchRust;
76  sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
77  sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
78  sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
79 
80  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
81 
82  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
83 }
84 
85 /**
86  * \internal
87  * \brief Creates and returns a new instance of DetectDceOpnumRange.
88  *
89  * \retval dor Pointer to the new instance DetectDceOpnumRange.
90  */
91 static DetectDceOpnumRange *DetectDceOpnumAllocDetectDceOpnumRange(void)
92 {
93  DetectDceOpnumRange *dor = NULL;
94 
95  if ( (dor = SCMalloc(sizeof(DetectDceOpnumRange))) == NULL)
96  return NULL;
97  memset(dor, 0, sizeof(DetectDceOpnumRange));
98  dor->range1 = dor->range2 = DCE_OPNUM_RANGE_UNINITIALIZED;
99 
100  return dor;
101 }
102 
103 /**
104  * \internal
105  * \brief Parses the argument sent along with the "dce_opnum" keyword.
106  *
107  * \param arg Pointer to the string containing the argument to be parsed.
108  *
109  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
110  * from the parsed arg.
111  */
112 static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
113 {
114  DetectDceOpnumData *dod = NULL;
115 
116  DetectDceOpnumRange *dor = NULL;
117  DetectDceOpnumRange *prev_dor = NULL;
118 
119 #define MAX_SUBSTRINGS 30
120  int ret = 0, res = 0;
121  int ov[MAX_SUBSTRINGS];
122  const char *pcre_sub_str = NULL;
123 
124  char *dup_str = NULL;
125  char *dup_str_temp = NULL;
126  char *dup_str_head = NULL;
127  char *comma_token = NULL;
128  char *hyphen_token = NULL;
129 
130  if (arg == NULL) {
131  goto error;
132  }
133 
134  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
135  MAX_SUBSTRINGS);
136  if (ret < 2) {
137  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
138  goto error;
139  }
140 
141  res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 0, &pcre_sub_str);
142  if (res < 0) {
143  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
144  goto error;
145  }
146 
147  if ( (dod = SCMalloc(sizeof(DetectDceOpnumData))) == NULL)
148  goto error;
149  memset(dod, 0, sizeof(DetectDceOpnumData));
150 
151  if ( (dup_str = SCStrdup(pcre_sub_str)) == NULL) {
152  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
153  goto error;
154  }
155 
156  /* free the substring */
157  pcre_free_substring(pcre_sub_str);
158 
159  /* keep a copy of the strdup string in dup_str_head so that we can free it
160  * once we are done using it */
161  dup_str_head = dup_str;
162  dup_str_temp = dup_str;
163  while ( (comma_token = index(dup_str, ',')) != NULL) {
164  comma_token[0] = '\0';
165  dup_str = comma_token + 1;
166 
167  dor = DetectDceOpnumAllocDetectDceOpnumRange();
168  if (dor == NULL)
169  goto error;
170  if (prev_dor == NULL) {
171  prev_dor = dor;
172  dod->range = dor;
173  } else {
174  prev_dor->next = dor;
175  prev_dor = dor;
176  }
177 
178  if ((hyphen_token = index(dup_str_temp, '-')) != NULL) {
179  hyphen_token[0] = '\0';
180  hyphen_token++;
181  dor->range1 = atoi(dup_str_temp);
182  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
183  goto error;
184  dor->range2 = atoi(hyphen_token);
185  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
186  goto error;
187  if (dor->range1 > dor->range2)
188  goto error;
189  }
190  dor->range1 = atoi(dup_str_temp);
191  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
192  goto error;
193 
194  dup_str_temp = dup_str;
195  }
196 
197  dor = DetectDceOpnumAllocDetectDceOpnumRange();
198  if (dor == NULL)
199  goto error;
200  if (prev_dor == NULL) {
201  dod->range = dor;
202  } else {
203  prev_dor->next = dor;
204  }
205 
206  if ( (hyphen_token = index(dup_str, '-')) != NULL) {
207  hyphen_token[0] = '\0';
208  hyphen_token++;
209  dor->range1 = atoi(dup_str);
210  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
211  goto error;
212  dor->range2 = atoi(hyphen_token);
213  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
214  goto error;
215  if (dor->range1 > dor->range2)
216  goto error;
217  }
218  dor->range1 = atoi(dup_str);
219  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
220  goto error;
221 
222  if (dup_str_head != NULL)
223  SCFree(dup_str_head);
224 
225  return dod;
226 
227  error:
228  if (dup_str_head != NULL)
229  SCFree(dup_str_head);
230  DetectDceOpnumFree(dod);
231  return NULL;
232 }
233 
234 /**
235  * \brief App layer match function for the "dce_opnum" keyword.
236  *
237  * \param t Pointer to the ThreadVars instance.
238  * \param det_ctx Pointer to the DetectEngineThreadCtx.
239  * \param f Pointer to the flow.
240  * \param flags Pointer to the flags indicating the flow direction.
241  * \param state Pointer to the app layer state data.
242  * \param s Pointer to the Signature instance.
243  * \param m Pointer to the SigMatch.
244  *
245  * \retval 1 On Match.
246  * \retval 0 On no match.
247  */
248 static int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
249  Flow *f, uint8_t flags, void *state, void *txv,
250  const Signature *s, const SigMatchCtx *m)
251 {
252  SCEnter();
253 
254  DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
255  DetectDceOpnumRange *dor = dce_data->range;
256 
257  DCERPCState *dcerpc_state = state;
258  if (dcerpc_state == NULL) {
259  SCLogDebug("No DCERPCState for the flow");
260  SCReturnInt(0);
261  }
262  uint16_t opnum = dcerpc_state->dcerpc.dcerpcrequest.opnum;
263 
264  for ( ; dor != NULL; dor = dor->next) {
265  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
266  if (dor->range1 == opnum) {
267  SCReturnInt(1);
268  }
269  } else {
270  if (dor->range1 <= opnum && dor->range2 >= opnum)
271  {
272  SCReturnInt(1);
273  }
274  }
275  }
276 
277  SCReturnInt(0);
278 }
279 
280 static int DetectDceOpnumMatchRust(ThreadVars *t,
281  DetectEngineThreadCtx *det_ctx,
282  Flow *f, uint8_t flags, void *state, void *txv,
283  const Signature *s, const SigMatchCtx *m)
284 {
285  SCEnter();
286 
287  if (f->alproto == ALPROTO_DCERPC) {
288  return DetectDceOpnumMatch(t, det_ctx, f, flags,
289  state, txv, s, m);
290  }
291 
292  const DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
293  const DetectDceOpnumRange *dor = dce_data->range;
294 
295  uint16_t opnum;
296  if (rs_smb_tx_get_dce_opnum(txv, &opnum) != 1)
297  SCReturnInt(0);
298  SCLogDebug("(rust) opnum %u", opnum);
299 
300  for ( ; dor != NULL; dor = dor->next) {
301  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
302  if (dor->range1 == opnum) {
303  SCReturnInt(1);
304  }
305  } else {
306  if (dor->range1 <= opnum && dor->range2 >= opnum)
307  {
308  SCReturnInt(1);
309  }
310  }
311  }
312 
313  SCReturnInt(0);
314 }
315 
316 /**
317  * \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
318  * and appends it to the Signature(s).
319  *
320  * \param de_ctx Pointer to the detection engine context.
321  * \param s Pointer to signature for the current Signature being parsed
322  * from the rules.
323  * \param arg Pointer to the string holding the keyword value.
324  *
325  * \retval 0 on success, -1 on failure
326  */
327 
328 static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
329 {
330  if (arg == NULL) {
331  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
332  "signature, option needs a value");
333  return -1;
334  }
335 
336  DetectDceOpnumData *dod = DetectDceOpnumArgParse(arg);
337  if (dod == NULL) {
338  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
339  "signature");
340  return -1;
341  }
342 
343  SigMatch *sm = SigMatchAlloc();
344  if (sm == NULL) {
345  DetectDceOpnumFree(dod);
346  return -1;
347  }
348 
349  sm->type = DETECT_DCE_OPNUM;
350  sm->ctx = (void *)dod;
351 
352  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
353  return 0;
354 }
355 
356 static void DetectDceOpnumFree(void *ptr)
357 {
358  DetectDceOpnumData *dod = ptr;
359  DetectDceOpnumRange *dor = NULL;
360  DetectDceOpnumRange *dor_temp = NULL;
361 
362  if (dod != NULL) {
363  dor = dod->range;
364  while (dor != NULL) {
365  dor_temp = dor;
366  dor = dor->next;
367  SCFree(dor_temp);
368  }
369  SCFree(dod);
370  }
371 
372  return;
373 }
374 
375 /************************************Unittests*********************************/
376 
377 #ifdef UNITTESTS
378 
379 static int DetectDceOpnumTestParse01(void)
380 {
381  Signature *s = SigAlloc();
382  int result = 0;
383 
384  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
385  result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
386  result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
387  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-78") == 0);
388  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513-6666") == 0);
389  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
390  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
391 
392  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
393  SigFree(s);
394  result &= 1;
395  }
396 
397  return result;
398 }
399 
400 static int DetectDceOpnumTestParse02(void)
401 {
402  Signature *s = SigAlloc();
403  int result = 0;
404  DetectDceOpnumData *dod = NULL;
405  DetectDceOpnumRange *dor = NULL;
406  SigMatch *temp = NULL;
407 
408  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
409 
410  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
411  temp = s->sm_lists[g_dce_generic_list_id];
412  dod = (DetectDceOpnumData *)temp->ctx;
413  if (dod == NULL)
414  goto end;
415  dor = dod->range;
416  result &= (dor->range1 == 12 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
417  result &= (dor->next == NULL);
418  } else {
419  result = 0;
420  }
421 
422  end:
423  SigFree(s);
424  return result;
425 }
426 
427 static int DetectDceOpnumTestParse03(void)
428 {
429  Signature *s = SigAlloc();
430  int result = 0;
431  DetectDceOpnumData *dod = NULL;
432  DetectDceOpnumRange *dor = NULL;
433  SigMatch *temp = NULL;
434 
435  result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
436 
437  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
438  temp = s->sm_lists[g_dce_generic_list_id];
439  dod = (DetectDceOpnumData *)temp->ctx;
440  if (dod == NULL)
441  goto end;
442  dor = dod->range;
443  result &= (dor->range1 == 12 && dor->range2 == 24);
444  result &= (dor->next == NULL);
445  } else {
446  result = 0;
447  }
448 
449  end:
450  SigFree(s);
451  return result;
452 }
453 
454 static int DetectDceOpnumTestParse04(void)
455 {
456  Signature *s = SigAlloc();
457  int result = 0;
458  DetectDceOpnumData *dod = NULL;
459  DetectDceOpnumRange *dor = NULL;
460  SigMatch *temp = NULL;
461 
462  result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
463 
464  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
465  temp = s->sm_lists[g_dce_generic_list_id];
466  dod = (DetectDceOpnumData *)temp->ctx;
467  if (dod == NULL)
468  goto end;
469  dor = dod->range;
470  result &= (dor->range1 == 12 && dor->range2 == 24);
471  result &= (dor->next != NULL);
472  if (result == 0)
473  goto end;
474 
475  dor = dor->next;
476  result &= (dor->range1 == 24 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
477  result &= (dor->next != NULL);
478  if (result == 0)
479  goto end;
480 
481  dor = dor->next;
482  result &= (dor->range1 == 62 && dor->range2 == 72);
483  result &= (dor->next != NULL);
484  if (result == 0)
485  goto end;
486 
487  dor = dor->next;
488  result &= (dor->range1 == 623 && dor->range2 == 635);
489  result &= (dor->next != NULL);
490  if (result == 0)
491  goto end;
492 
493  dor = dor->next;
494  result &= (dor->range1 == 62 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
495  result &= (dor->next != NULL);
496  if (result == 0)
497  goto end;
498 
499  dor = dor->next;
500  result &= (dor->range1 == 25 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
501  result &= (dor->next != NULL);
502  if (result == 0)
503  goto end;
504 
505  dor = dor->next;
506  result &= (dor->range1 == 213 && dor->range2 == 235);
507  if (result == 0)
508  goto end;
509  } else {
510  result = 0;
511  }
512 
513  end:
514  SigFree(s);
515  return result;
516 }
517 
518 static int DetectDceOpnumTestParse05(void)
519 {
520  Signature *s = SigAlloc();
521  int result = 0;
522  DetectDceOpnumData *dod = NULL;
523  DetectDceOpnumRange *dor = NULL;
524  SigMatch *temp = NULL;
525 
526  result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
527 
528  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
529  temp = s->sm_lists[g_dce_generic_list_id];
530  dod = (DetectDceOpnumData *)temp->ctx;
531  if (dod == NULL)
532  goto end;
533  dor = dod->range;
534  result &= (dor->range1 == 1 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
535  result &= (dor->next != NULL);
536  if (result == 0)
537  goto end;
538 
539  dor = dor->next;
540  result &= (dor->range1 == 2 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
541  result &= (dor->next != NULL);
542  if (result == 0)
543  goto end;
544 
545  dor = dor->next;
546  result &= (dor->range1 == 3 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
547  result &= (dor->next != NULL);
548  if (result == 0)
549  goto end;
550 
551  dor = dor->next;
552  result &= (dor->range1 == 4 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
553  result &= (dor->next != NULL);
554  if (result == 0)
555  goto end;
556 
557  dor = dor->next;
558  result &= (dor->range1 == 5 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
559  result &= (dor->next != NULL);
560  if (result == 0)
561  goto end;
562 
563  dor = dor->next;
564  result &= (dor->range1 == 6 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
565  result &= (dor->next != NULL);
566  if (result == 0)
567  goto end;
568 
569  dor = dor->next;
570  result &= (dor->range1 == 7 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
571  if (result == 0)
572  goto end;
573  } else {
574  result = 0;
575  }
576 
577  end:
578  SigFree(s);
579  return result;
580 }
581 
582 static int DetectDceOpnumTestParse06(void)
583 {
584  Signature *s = SigAlloc();
585  int result = 0;
586  DetectDceOpnumData *dod = NULL;
587  DetectDceOpnumRange *dor = NULL;
588  SigMatch *temp = NULL;
589 
590  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
591 
592  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
593  temp = s->sm_lists[g_dce_generic_list_id];
594  dod = (DetectDceOpnumData *)temp->ctx;
595  if (dod == NULL)
596  goto end;
597  dor = dod->range;
598  result &= (dor->range1 == 1 && dor->range2 == 2);
599  result &= (dor->next != NULL);
600  if (result == 0)
601  goto end;
602 
603  dor = dor->next;
604  result &= (dor->range1 == 3 && dor->range2 == 4);
605  result &= (dor->next != NULL);
606  if (result == 0)
607  goto end;
608 
609  dor = dor->next;
610  result &= (dor->range1 == 5 && dor->range2 == 6);
611  result &= (dor->next != NULL);
612  if (result == 0)
613  goto end;
614 
615  dor = dor->next;
616  result &= (dor->range1 == 7 && dor->range2 == 8);
617  if (result == 0)
618  goto end;
619  } else {
620  result = 0;
621  }
622 
623  end:
624  SigFree(s);
625  return result;
626 }
627 
628 static int DetectDceOpnumTestParse07(void)
629 {
630  Signature *s = SigAlloc();
631  int result = 0;
632  DetectDceOpnumData *dod = NULL;
633  DetectDceOpnumRange *dor = NULL;
634  SigMatch *temp = NULL;
635 
636  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
637 
638  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
639  temp = s->sm_lists[g_dce_generic_list_id];
640  dod = (DetectDceOpnumData *)temp->ctx;
641  if (dod == NULL)
642  goto end;
643  dor = dod->range;
644  result &= (dor->range1 == 1 && dor->range2 == 2);
645  result &= (dor->next != NULL);
646  if (result == 0)
647  goto end;
648 
649  dor = dor->next;
650  result &= (dor->range1 == 3 && dor->range2 == 4);
651  result &= (dor->next != NULL);
652  if (result == 0)
653  goto end;
654 
655  dor = dor->next;
656  result &= (dor->range1 == 5 && dor->range2 == 6);
657  result &= (dor->next != NULL);
658  if (result == 0)
659  goto end;
660 
661  dor = dor->next;
662  result &= (dor->range1 == 7 && dor->range2 == 8);
663  if (result == 0)
664  goto end;
665 
666  dor = dor->next;
667  result &= (dor->range1 == 9 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
668  if (result == 0)
669  goto end;
670  } else {
671  result = 0;
672  }
673 
674  end:
675  SigFree(s);
676  return result;
677 }
678 
679 /**
680  * \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
681  */
682 static int DetectDceOpnumTestParse08(void)
683 {
684  int result = 0;
685  Signature *s = NULL;
686  ThreadVars th_v;
687  Packet *p = NULL;
688  Flow f;
689  TcpSession ssn;
690  DetectEngineThreadCtx *det_ctx = NULL;
691  DetectEngineCtx *de_ctx = NULL;
692  DCERPCState *dcerpc_state = NULL;
693  int r = 0;
694 
695  uint8_t dcerpc_bind[] = {
696  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
697  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
698  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
699  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
700  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
701  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
702  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
703  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
704  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
705  };
706 
707  uint8_t dcerpc_bindack[] = {
708  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
709  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
710  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
711  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
712  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
713  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
714  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
715  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
716  0x02, 0x00, 0x00, 0x00
717  };
718 
719  /* todo chop the request frag length and change the
720  * length related parameters in the frag */
721  uint8_t dcerpc_request[] = {
722  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
723  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
724  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
725  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
726  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
727  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
728  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
729  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
730  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
731  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
732  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
733  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
734  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
735  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
736  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
737  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
738  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
739  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
740  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
741  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
742  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
743  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
744  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
745  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
746  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
747  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
748  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
749  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
750  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
751  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
752  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
753  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
754  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
755  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
756  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
757  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
758  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
759  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
760  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
761  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
762  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
763  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
764  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
765  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
766  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
767  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
768  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
769  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
770  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
771  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
772  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
773  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
774  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
775  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
776  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
777  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
778  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
779  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
780  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
781  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
782  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
783  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
784  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
785  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
786  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
787  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
788  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
789  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
790  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
791  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
792  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
793  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
794  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
795  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
796  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
797  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
798  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
799  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
800  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
801  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
802  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
803  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
804  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
805  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
806  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
807  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
808  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
809  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
810  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
811  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
812  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
813  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
814  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
815  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
816  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
817  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
818  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
819  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
820  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
821  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
822  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
823  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
824  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
825  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
826  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
827  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
828  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
829  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
830  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
831  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
832  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
833  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
834  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
835  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
836  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
837  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
838  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
839  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
840  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
841  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
842  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
843  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
844  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
845  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
846  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
847  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
848  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
969  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
970  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
971  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
972  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
973  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
974  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
975  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
976  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
977  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
978  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
979  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
980  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
981  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
982  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
983  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
984  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
985  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
986  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
987  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
988  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
989  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
990  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
991  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
992  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
993  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
994  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
995  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
996  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
997  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
998  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
999  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1000  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1001  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1002  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1003  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1070  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1071  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1072  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1073  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1074  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1075  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1076  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1077  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1078  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1079  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1080  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1081  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1082  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1083  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1084  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1085  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1086  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1087  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1088  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1089  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1090  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1091  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1092  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1093  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1094  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1095  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1096  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1097  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1098  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1099  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1100  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1101  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1102  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1103  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1104  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1105  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1106  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1107  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1108  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1109  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1110  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1111  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1112  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x01, 0x02, 0x03, 0x04
1136  };
1137 
1138  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1139  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1140  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1141 
1142  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1143 
1144  memset(&th_v, 0, sizeof(th_v));
1145  memset(&f, 0, sizeof(f));
1146  memset(&ssn, 0, sizeof(ssn));
1147 
1148  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1149 
1150  FLOW_INITIALIZE(&f);
1151  f.protoctx = (void *)&ssn;
1152  f.proto = IPPROTO_TCP;
1153  p->flow = &f;
1154  p->flowflags |= FLOW_PKT_TOSERVER;
1155  p->flowflags |= FLOW_PKT_ESTABLISHED;
1156  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1157  f.alproto = ALPROTO_DCERPC;
1158 
1159  StreamTcpInitConfig(TRUE);
1160 
1161  de_ctx = DetectEngineCtxInit();
1162  if (de_ctx == NULL)
1163  goto end;
1164 
1165  de_ctx->flags |= DE_QUIET;
1166 
1167  s = de_ctx->sig_list = SigInit(de_ctx,
1168  "alert tcp any any -> any any "
1169  "(msg:\"DCERPC\"; "
1170  "dce_opnum:9; "
1171  "sid:1;)");
1172  if (s == NULL)
1173  goto end;
1174 
1175  SigGroupBuild(de_ctx);
1176  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1177 
1178  FLOWLOCK_WRLOCK(&f);
1179  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1180  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1181  dcerpc_bind_len);
1182  if (r != 0) {
1183  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1184  FLOWLOCK_UNLOCK(&f);
1185  goto end;
1186  }
1187  FLOWLOCK_UNLOCK(&f);
1188 
1189  dcerpc_state = f.alstate;
1190  if (dcerpc_state == NULL) {
1191  SCLogDebug("no dcerpc state: ");
1192  goto end;
1193  }
1194 
1195  FLOWLOCK_WRLOCK(&f);
1196  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1197  STREAM_TOCLIENT, dcerpc_bindack,
1198  dcerpc_bindack_len);
1199  if (r != 0) {
1200  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1201  FLOWLOCK_UNLOCK(&f);
1202  goto end;
1203  }
1204  FLOWLOCK_UNLOCK(&f);
1205 
1206  FLOWLOCK_WRLOCK(&f);
1207  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1208  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
1209  dcerpc_request_len);
1210  if (r != 0) {
1211  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1212  FLOWLOCK_UNLOCK(&f);
1213  goto end;
1214  }
1215  FLOWLOCK_UNLOCK(&f);
1216 
1217  dcerpc_state = f.alstate;
1218  if (dcerpc_state == NULL) {
1219  SCLogDebug("no dcerpc state: ");
1220  goto end;
1221  }
1222 
1223  /* do detect */
1224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1225 
1226  if (!PacketAlertCheck(p, 1))
1227  goto end;
1228 
1229  result = 1;
1230 
1231  end:
1232  if (alp_tctx != NULL)
1233  AppLayerParserThreadCtxFree(alp_tctx);
1234  SigGroupCleanup(de_ctx);
1235  SigCleanSignatures(de_ctx);
1236 
1237  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1238  DetectEngineCtxFree(de_ctx);
1239 
1240  StreamTcpFreeConfig(TRUE);
1241  FLOW_DESTROY(&f);
1242 
1243  UTHFreePackets(&p, 1);
1244  return result;
1245 }
1246 
1247 /**
1248  * \test Test a valid dce_opnum entry with only a request frag.
1249  */
1250 static int DetectDceOpnumTestParse09(void)
1251 {
1252  int result = 0;
1253  Signature *s = NULL;
1254  ThreadVars th_v;
1255  Packet *p = NULL;
1256  Flow f;
1257  TcpSession ssn;
1258  DetectEngineThreadCtx *det_ctx = NULL;
1259  DetectEngineCtx *de_ctx = NULL;
1260  DCERPCState *dcerpc_state = NULL;
1261  int r = 0;
1262 
1263  /* todo chop the request frag length and change the
1264  * length related parameters in the frag */
1265  uint8_t dcerpc_request[] = {
1266  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1267  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1268  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1269  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1270  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
1271  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
1272  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
1273  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
1274  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
1275  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
1276  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
1277  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
1278  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
1279  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
1280  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
1281  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
1282  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
1283  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
1284  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
1285  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
1286  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
1287  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
1288  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
1289  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
1290  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
1291  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
1292  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
1293  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
1294  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
1295  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
1296  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
1297  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
1298  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
1299  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
1300  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
1301  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
1302  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
1303  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
1304  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
1305  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
1306  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
1307  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
1308  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
1309  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
1310  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
1311  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
1312  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
1313  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
1314  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
1315  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
1316  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
1317  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
1318  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
1319  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
1320  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
1321  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
1322  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
1323  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
1324  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
1325  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
1326  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
1327  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
1328  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
1329  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
1330  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
1331  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
1332  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
1333  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
1334  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
1335  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
1336  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
1337  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
1338  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
1339  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
1340  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
1341  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
1342  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
1343  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
1344  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
1345  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
1346  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
1347  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
1348  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
1349  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
1350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1513  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1514  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1515  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1516  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1517  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1518  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1519  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1520  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1521  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1522  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1523  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1524  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1525  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1526  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1527  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1528  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1529  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1530  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1531  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1532  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1533  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1534  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1535  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1537  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1538  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1539  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1540  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1541  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1542  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1543  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1544  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1545  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1546  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1547  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1593  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1594  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1595  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1596  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1597  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1598  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1599  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1600  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1601  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1602  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1603  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1604  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1605  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1606  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1607  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1608  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1609  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1610  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1611  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1612  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1613  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1658  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1659  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1660  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1661  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1662  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1663  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1664  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1665  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1666  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1667  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1668  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1669  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1670  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1671  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1672  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1673  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1674  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1675  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1676  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1677  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1678  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1679  0x01, 0x02, 0x03, 0x04
1680  };
1681 
1682  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1683 
1684  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1685 
1686  memset(&th_v, 0, sizeof(th_v));
1687  memset(&f, 0, sizeof(f));
1688  memset(&ssn, 0, sizeof(ssn));
1689 
1690  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1691 
1692  FLOW_INITIALIZE(&f);
1693  f.protoctx = (void *)&ssn;
1694  f.proto = IPPROTO_TCP;
1695  p->flow = &f;
1696  p->flowflags |= FLOW_PKT_TOSERVER;
1697  p->flowflags |= FLOW_PKT_ESTABLISHED;
1698  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1699  f.alproto = ALPROTO_DCERPC;
1700 
1701  StreamTcpInitConfig(TRUE);
1702 
1703  de_ctx = DetectEngineCtxInit();
1704  if (de_ctx == NULL)
1705  goto end;
1706 
1707  de_ctx->flags |= DE_QUIET;
1708 
1709  s = de_ctx->sig_list = SigInit(de_ctx,
1710  "alert tcp any any -> any any "
1711  "(msg:\"DCERPC\"; "
1712  "dce_opnum:9; "
1713  "sid:1;)");
1714  if (s == NULL)
1715  goto end;
1716 
1717  SigGroupBuild(de_ctx);
1718  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1719 
1720  FLOWLOCK_WRLOCK(&f);
1721  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1722  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1723  dcerpc_request_len);
1724  if (r != 0) {
1725  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1726  FLOWLOCK_UNLOCK(&f);
1727  goto end;
1728  }
1729  FLOWLOCK_UNLOCK(&f);
1730 
1731  dcerpc_state = f.alstate;
1732  if (dcerpc_state == NULL) {
1733  SCLogDebug("no dcerpc state: ");
1734  goto end;
1735  }
1736 
1737  /* do detect */
1738  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1739 
1740  if (!PacketAlertCheck(p, 1))
1741  goto end;
1742 
1743  result = 1;
1744 
1745  end:
1746  if (alp_tctx != NULL)
1747  AppLayerParserThreadCtxFree(alp_tctx);
1748  SigGroupCleanup(de_ctx);
1749  SigCleanSignatures(de_ctx);
1750 
1751  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1752  DetectEngineCtxFree(de_ctx);
1753 
1754  StreamTcpFreeConfig(TRUE);
1755  FLOW_DESTROY(&f);
1756 
1757  UTHFreePackets(&p, 1);
1758  return result;
1759 }
1760 
1761 /* Disabled because of bug_753. Would be enabled, once we rewrite
1762  * dce parser */
1763 #if 0
1764 
1765 /**
1766  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1767  * and multiple request/responses with a match test after each frag parsing.
1768  */
1769 static int DetectDceOpnumTestParse10(void)
1770 {
1771  int result = 0;
1772  Signature *s = NULL;
1773  ThreadVars th_v;
1774  Packet *p = NULL;
1775  Flow f;
1776  TcpSession ssn;
1777  DetectEngineThreadCtx *det_ctx = NULL;
1778  DetectEngineCtx *de_ctx = NULL;
1779  DCERPCState *dcerpc_state = NULL;
1780  int r = 0;
1781 
1782  uint8_t dcerpc_bind[] = {
1783  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1784  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1785  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1786  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1787  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1788  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1789  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1790  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1791  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1792  };
1793 
1794  uint8_t dcerpc_bindack[] = {
1795  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1796  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1797  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1798  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1799  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1800  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1801  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1802  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1803  0x02, 0x00, 0x00, 0x00,
1804  };
1805 
1806  uint8_t dcerpc_request1[] = {
1807  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1808  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1809  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1810  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1811  0x00, 0x00, 0x00, 0x02,
1812  };
1813 
1814  uint8_t dcerpc_response1[] = {
1815  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1816  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1817  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1818  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1819  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1820  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1821  };
1822 
1823  uint8_t dcerpc_request2[] = {
1824  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1825  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1826  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1827  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1828  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1829  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1830  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1831  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1832  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1833  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1834  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1835  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1836  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1837  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1838  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1839  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1840  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1841  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1842  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1843  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1844  0x03, 0x00, 0x00, 0x00,
1845  };
1846 
1847  uint8_t dcerpc_response2[] = {
1848  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1849  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1850  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1851  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1852  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1853  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1854  };
1855 
1856  uint8_t dcerpc_request3[] = {
1857  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1858  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1859  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1860  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1861  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1862  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1863  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1864  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1865  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1866  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1867  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1868  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1869  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1870  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1871  };
1872 
1873  uint8_t dcerpc_response3[] = {
1874  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1875  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1876  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1877  0x00, 0x00, 0x00, 0x00,
1878  };
1879 
1880  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1881  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1882 
1883  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1884  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1885 
1886  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1887  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1888 
1889  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1890  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1891 
1892  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1893 
1894  memset(&th_v, 0, sizeof(th_v));
1895  memset(&f, 0, sizeof(f));
1896  memset(&ssn, 0, sizeof(ssn));
1897 
1898  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1899 
1900  FLOW_INITIALIZE(&f);
1901  f.protoctx = (void *)&ssn;
1902  f.proto = IPPROTO_TCP;
1903  p->flow = &f;
1904  p->flowflags |= FLOW_PKT_TOSERVER;
1905  p->flowflags |= FLOW_PKT_ESTABLISHED;
1906  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1907  f.alproto = ALPROTO_DCERPC;
1908 
1909  StreamTcpInitConfig(TRUE);
1910 
1911  de_ctx = DetectEngineCtxInit();
1912  if (de_ctx == NULL) {
1913  goto end;
1914  }
1915 
1916  de_ctx->flags |= DE_QUIET;
1917 
1918  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1919  "(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
1920  if (s == NULL) {
1921  goto end;
1922  }
1923 
1924  SigGroupBuild(de_ctx);
1925  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1926 
1927  SCLogDebug("sending bind");
1928 
1929  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1930  dcerpc_bind, dcerpc_bind_len);
1931  if (r != 0) {
1932  SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
1933  goto end;
1934  }
1935 
1936  dcerpc_state = f.alstate;
1937  if (dcerpc_state == NULL) {
1938  SCLogDebug("no dcerpc state: ");
1939  goto end;
1940  }
1941  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1942  p->flowflags |= FLOW_PKT_TOSERVER;
1943  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1944 
1945  SCLogDebug("sending bind_ack");
1946 
1947  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1948  dcerpc_bindack, dcerpc_bindack_len);
1949  if (r != 0) {
1950  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1951  goto end;
1952  }
1953  p->flowflags &=~ FLOW_PKT_TOSERVER;
1954  p->flowflags |= FLOW_PKT_TOCLIENT;
1955  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1956 
1957  SCLogDebug("sending request1");
1958 
1959  /* request1 */
1960  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1961  dcerpc_request1, dcerpc_request1_len);
1962  if (r != 0) {
1963  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1964  goto end;
1965  }
1966 
1967  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1968  p->flowflags |= FLOW_PKT_TOSERVER;
1969  /* do detect */
1970  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1971 
1972  if (!PacketAlertCheck(p, 1)) {
1973  printf("sig 1 didn't match, but should have: ");
1974  goto end;
1975  }
1976 
1977  SCLogDebug("sending response1");
1978 
1979  /* response1 */
1980  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1981  dcerpc_response1, dcerpc_response1_len);
1982  if (r != 0) {
1983  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1984  goto end;
1985  }
1986 
1987  p->flowflags &=~ FLOW_PKT_TOSERVER;
1988  p->flowflags |= FLOW_PKT_TOCLIENT;
1989  /* do detect */
1990  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1991 
1992  if (PacketAlertCheck(p, 1)) {
1993  printf("sig 1 did match, shouldn't have on response1: ");
1994  goto end;
1995  }
1996 
1997  /* request2 */
1998  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1999  dcerpc_request2, dcerpc_request2_len);
2000  if (r != 0) {
2001  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2002  goto end;
2003  }
2004 
2005  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2006  p->flowflags |= FLOW_PKT_TOSERVER;
2007  /* do detect */
2008  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2009 
2010  if (!PacketAlertCheck(p, 1)) {
2011  printf("sig 1 didn't match, but should have on request2: ");
2012  goto end;
2013  }
2014 
2015  /* response2 */
2016  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2017  dcerpc_response2, dcerpc_response2_len);
2018  if (r != 0) {
2019  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2020  goto end;
2021  }
2022 
2023  p->flowflags &=~ FLOW_PKT_TOSERVER;
2024  p->flowflags |= FLOW_PKT_TOCLIENT;
2025  /* do detect */
2026  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2027 
2028  if (PacketAlertCheck(p, 1)) {
2029  printf("sig 1 did match, shouldn't have on response2: ");
2030  goto end;
2031  }
2032 
2033  /* request3 */
2034  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2035  dcerpc_request3, dcerpc_request3_len);
2036  if (r != 0) {
2037  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2038  goto end;
2039  }
2040 
2041  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2042  p->flowflags |= FLOW_PKT_TOSERVER;
2043  /* do detect */
2044  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2045 
2046  if (!PacketAlertCheck(p, 1)) {
2047  printf("sig 1 didn't match, but should have on request3: ");
2048  goto end;
2049  }
2050 
2051  /* response3 */
2052  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2053  dcerpc_response3, dcerpc_response3_len);
2054  if (r != 0) {
2055  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2056  goto end;
2057  }
2058 
2059  p->flowflags &=~ FLOW_PKT_TOSERVER;
2060  p->flowflags |= FLOW_PKT_TOCLIENT;
2061  /* do detect */
2062  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2063 
2064  if (PacketAlertCheck(p, 1)) {
2065  printf("sig 1 did match, shouldn't have on response2: ");
2066  goto end;
2067  }
2068 
2069  result = 1;
2070 
2071  end:
2072  if (alp_tctx != NULL)
2073  AppLayerDestroyCtxThread(alp_tctx);
2074  SigGroupCleanup(de_ctx);
2075  SigCleanSignatures(de_ctx);
2076 
2077  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2078  DetectEngineCtxFree(de_ctx);
2079 
2080  StreamTcpFreeConfig(TRUE);
2081  FLOW_DESTROY(&f);
2082 
2083  UTHFreePackets(&p, 1);
2084  return result;
2085 }
2086 
2087 /**
2088  * \test Test a valid dce_opnum entry(with multiple values) with multiple
2089  * request/responses.
2090  */
2091 static int DetectDceOpnumTestParse11(void)
2092 {
2093  int result = 0;
2094  Signature *s = NULL;
2095  ThreadVars th_v;
2096  Packet *p = NULL;
2097  Flow f;
2098  TcpSession ssn;
2099  DetectEngineThreadCtx *det_ctx = NULL;
2100  DetectEngineCtx *de_ctx = NULL;
2101  DCERPCState *dcerpc_state = NULL;
2102  int r = 0;
2103 
2104  uint8_t dcerpc_request1[] = {
2105  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2106  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2107  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2108  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
2109  0x00, 0x00, 0x00, 0x02,
2110  };
2111 
2112  uint8_t dcerpc_response1[] = {
2113  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2114  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2115  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2116  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2117  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2118  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2119  };
2120 
2121  uint8_t dcerpc_request2[] = {
2122  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2123  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2124  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
2125  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2126  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2127  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
2128  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
2129  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
2130  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
2131  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
2132  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
2133  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
2134  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
2135  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
2136  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
2137  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
2138  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
2139  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
2140  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
2141  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2142  0x03, 0x00, 0x00, 0x00,
2143  };
2144 
2145  uint8_t dcerpc_response2[] = {
2146  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2147  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2148  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2149  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2150  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2151  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2152  };
2153 
2154  uint8_t dcerpc_request3[] = {
2155  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2156  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2157  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
2158  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2159  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2160  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
2161  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
2162  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
2163  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
2164  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2165  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
2166  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
2167  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
2168  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
2169  };
2170 
2171  uint8_t dcerpc_response3[] = {
2172  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2173  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2174  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2175  0x00, 0x00, 0x00, 0x00,
2176  };
2177 
2178  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2179  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2180 
2181  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2182  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2183 
2184  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
2185  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
2186 
2187  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2188 
2189  memset(&th_v, 0, sizeof(th_v));
2190  memset(&f, 0, sizeof(f));
2191  memset(&ssn, 0, sizeof(ssn));
2192 
2193  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2194 
2195  FLOW_INITIALIZE(&f);
2196  f.protoctx = (void *)&ssn;
2197  f.proto = IPPROTO_TCP;
2198  p->flow = &f;
2199  p->flowflags |= FLOW_PKT_TOSERVER;
2200  p->flowflags |= FLOW_PKT_ESTABLISHED;
2201  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2202  f.alproto = ALPROTO_DCERPC;
2203 
2204  StreamTcpInitConfig(TRUE);
2205 
2206  de_ctx = DetectEngineCtxInit();
2207  if (de_ctx == NULL)
2208  goto end;
2209 
2210  de_ctx->flags |= DE_QUIET;
2211 
2212  s = de_ctx->sig_list = SigInit(de_ctx,
2213  "alert tcp any any -> any any "
2214  "(msg:\"DCERPC\"; "
2215  "dce_opnum:2-22; "
2216  "sid:1;)");
2217  if (s == NULL)
2218  goto end;
2219 
2220  SigGroupBuild(de_ctx);
2221  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2222 
2223  /* request1 */
2224  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2225  dcerpc_request1, dcerpc_request1_len);
2226  if (r != 0) {
2227  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2228  printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
2229  goto end;
2230  }
2231 
2232  dcerpc_state = f.alstate;
2233  if (dcerpc_state == NULL) {
2234  SCLogDebug("no dcerpc state: ");
2235  printf("no dcerpc state: ");
2236  goto end;
2237  }
2238 
2239  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2240  p->flowflags |= FLOW_PKT_TOSERVER;
2241  /* do detect */
2242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2243 
2244  if (!PacketAlertCheck(p, 1))
2245  goto end;
2246 
2247  /* response1 */
2248  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2249  dcerpc_response1, dcerpc_response1_len);
2250  if (r != 0) {
2251  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2252  printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
2253  goto end;
2254  }
2255 
2256  p->flowflags &=~ FLOW_PKT_TOSERVER;
2257  p->flowflags |= FLOW_PKT_TOCLIENT;
2258  /* do detect */
2259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2260 
2261  if (PacketAlertCheck(p, 1))
2262  goto end;
2263 
2264  /* request2 */
2265  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2266  dcerpc_request2, dcerpc_request2_len);
2267  if (r != 0) {
2268  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2269  printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
2270  goto end;
2271  }
2272 
2273  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2274  p->flowflags |= FLOW_PKT_TOSERVER;
2275  /* do detect */
2276  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2277 
2278  if (!PacketAlertCheck(p, 1))
2279  goto end;
2280 
2281  /* response2 */
2282  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2283  dcerpc_response2, dcerpc_response2_len);
2284  if (r != 0) {
2285  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2286  printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
2287  goto end;
2288  }
2289 
2290  p->flowflags &=~ FLOW_PKT_TOSERVER;
2291  p->flowflags |= FLOW_PKT_TOCLIENT;
2292  /* do detect */
2293  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2294 
2295  if (PacketAlertCheck(p, 1))
2296  goto end;
2297 
2298  /* request3 */
2299  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2300  dcerpc_request3, dcerpc_request3_len);
2301  if (r != 0) {
2302  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2303  printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
2304  goto end;
2305  }
2306 
2307  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2308  p->flowflags |= FLOW_PKT_TOSERVER;
2309  /* do detect */
2310  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2311 
2312  if (!PacketAlertCheck(p, 1))
2313  goto end;
2314 
2315  /* response3 */
2316  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2317  dcerpc_response3, dcerpc_response3_len);
2318  if (r != 0) {
2319  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2320  printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
2321  goto end;
2322  }
2323 
2324  p->flowflags &=~ FLOW_PKT_TOSERVER;
2325  p->flowflags |= FLOW_PKT_TOCLIENT;
2326  /* do detect */
2327  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2328 
2329  if (PacketAlertCheck(p, 1))
2330  goto end;
2331 
2332  result = 1;
2333 
2334  end:
2335  if (alp_tctx != NULL)
2336  AppLayerDestroyCtxThread(alp_tctx);
2337  SigGroupCleanup(de_ctx);
2338  SigCleanSignatures(de_ctx);
2339 
2340  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2341  DetectEngineCtxFree(de_ctx);
2342 
2343  StreamTcpFreeConfig(TRUE);
2344  FLOW_DESTROY(&f);
2345 
2346  UTHFreePackets(&p, 1);
2347  return result;
2348 }
2349 
2350 /**
2351  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2352  * and multiple request/responses with a match test after each frag parsing.
2353  */
2354 static int DetectDceOpnumTestParse12(void)
2355 {
2356  int result = 0;
2357  Signature *s = NULL;
2358  ThreadVars th_v;
2359  Packet *p = NULL;
2360  Flow f;
2361  TcpSession ssn;
2362  DetectEngineThreadCtx *det_ctx = NULL;
2363  DetectEngineCtx *de_ctx = NULL;
2364  DCERPCState *dcerpc_state = NULL;
2365  int r = 0;
2366 
2367  uint8_t dcerpc_bind[] = {
2368  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2369  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2370  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2371  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2372  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
2373  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
2374  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2375  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2376  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2377  };
2378 
2379  uint8_t dcerpc_bindack[] = {
2380  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
2381  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2382  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
2383  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
2384  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
2385  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2386  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2387  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2388  0x02, 0x00, 0x00, 0x00,
2389  };
2390 
2391  uint8_t dcerpc_request1[] = {
2392  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2393  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2394  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
2395  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2396  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2397  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2398  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2399  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2400  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2401  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2402  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2403  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2404  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2405  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2411  0x00, 0x00
2412  };
2413 
2414  uint8_t dcerpc_response1[] = {
2415  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2416  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2417  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2418  0x00, 0x00, 0x00, 0x00,
2419  };
2420 
2421  uint8_t dcerpc_request2[] = {
2422  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2423  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2424  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2425  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2426  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2427  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2428  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2429  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2430  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2431  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2432  0x4e, 0x6f, 0x6e, 0x65
2433  };
2434 
2435  uint8_t dcerpc_response2[] = {
2436  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2437  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2438  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2439  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2440  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2441  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2442  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2443  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2444  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2445  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2446  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2447  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2452  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2453  0x00, 0x00, 0x00, 0x00,
2454  };
2455 
2456  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
2457  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
2458 
2459  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2460  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2461 
2462  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2463  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2464 
2465  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2466 
2467  memset(&th_v, 0, sizeof(th_v));
2468  memset(&f, 0, sizeof(f));
2469  memset(&ssn, 0, sizeof(ssn));
2470 
2471  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2472 
2473  FLOW_INITIALIZE(&f);
2474  f.protoctx = (void *)&ssn;
2475  f.proto = IPPROTO_TCP;
2476  p->flow = &f;
2477  p->flowflags |= FLOW_PKT_TOSERVER;
2478  p->flowflags |= FLOW_PKT_ESTABLISHED;
2479  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2480  f.alproto = ALPROTO_DCERPC;
2481 
2482  StreamTcpInitConfig(TRUE);
2483 
2484  de_ctx = DetectEngineCtxInit();
2485  if (de_ctx == NULL)
2486  goto end;
2487 
2488  de_ctx->flags |= DE_QUIET;
2489 
2490  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
2491  "(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
2492  if (s == NULL)
2493  goto end;
2494 
2495  SigGroupBuild(de_ctx);
2496  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2497 
2498  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2499  dcerpc_bind, dcerpc_bind_len);
2500  if (r != 0) {
2501  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2502  goto end;
2503  }
2504  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2505  p->flowflags |= FLOW_PKT_TOSERVER;
2506  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2507 
2508  dcerpc_state = f.alstate;
2509  if (dcerpc_state == NULL) {
2510  printf("no dcerpc state: ");
2511  goto end;
2512  }
2513 
2514  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
2515  dcerpc_bindack_len);
2516  if (r != 0) {
2517  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2518  goto end;
2519  }
2520  p->flowflags &=~ FLOW_PKT_TOSERVER;
2521  p->flowflags |= FLOW_PKT_TOCLIENT;
2522  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2523 
2524  /* request1 */
2525  SCLogDebug("Sending request1");
2526 
2527  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2528  dcerpc_request1_len);
2529  if (r != 0) {
2530  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2531  goto end;
2532  }
2533 
2534  dcerpc_state = f.alstate;
2535  if (dcerpc_state == NULL) {
2536  printf("no dcerpc state: ");
2537  goto end;
2538  }
2539 
2540  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2541  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2542  "expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2543  goto end;
2544  }
2545 
2546  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2547  p->flowflags |= FLOW_PKT_TOSERVER;
2548  /* do detect */
2549  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2550 
2551  if (!PacketAlertCheck(p, 1)) {
2552  printf("signature 1 didn't match, should have: ");
2553  goto end;
2554  }
2555 
2556  /* response1 */
2557  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2558  dcerpc_response1_len);
2559  if (r != 0) {
2560  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2561  goto end;
2562  }
2563 
2564  dcerpc_state = f.alstate;
2565  if (dcerpc_state == NULL) {
2566  printf("no dcerpc state: ");
2567  goto end;
2568  }
2569 
2570  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2571  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2572  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2573  goto end;
2574  }
2575 
2576  p->flowflags &=~ FLOW_PKT_TOSERVER;
2577  p->flowflags |= FLOW_PKT_TOCLIENT;
2578  /* do detect */
2579  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2580 
2581  if (PacketAlertCheck(p, 1)) {
2582  printf("sig 1 matched on response 1, but shouldn't: ");
2583  goto end;
2584  }
2585 
2586  /* request2 */
2587  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2588  dcerpc_request2_len);
2589  if (r != 0) {
2590  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2591  goto end;
2592  }
2593 
2594  dcerpc_state = f.alstate;
2595  if (dcerpc_state == NULL) {
2596  printf("no dcerpc state: ");
2597  goto end;
2598  }
2599 
2600  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2601  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2602  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2603  goto end;
2604  }
2605 
2606  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2607  p->flowflags |= FLOW_PKT_TOSERVER;
2608  /* do detect */
2609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2610 
2611  if (!PacketAlertCheck(p, 1)) {
2612  printf("sig 1 didn't match on request 2: ");
2613  goto end;
2614  }
2615 
2616  /* response2 */
2617  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2618  dcerpc_response2_len);
2619  if (r != 0) {
2620  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2621  goto end;
2622  }
2623 
2624  dcerpc_state = f.alstate;
2625  if (dcerpc_state == NULL) {
2626  printf("no dcerpc state: ");
2627  goto end;
2628  }
2629 
2630  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2631  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2632  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2633  goto end;
2634  }
2635 
2636  p->flowflags &=~ FLOW_PKT_TOSERVER;
2637  p->flowflags |= FLOW_PKT_TOCLIENT;
2638  /* do detect */
2639  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2640 
2641  if (PacketAlertCheck(p, 1)) {
2642  printf("sig 1 matched on response2, but shouldn't: ");
2643  goto end;
2644  }
2645 
2646  result = 1;
2647 
2648 end:
2649  if (alp_tctx != NULL)
2650  AppLayerDestroyCtxThread(alp_tctx);
2651  SigGroupCleanup(de_ctx);
2652  SigCleanSignatures(de_ctx);
2653 
2654  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2655  DetectEngineCtxFree(de_ctx);
2656 
2657  StreamTcpFreeConfig(TRUE);
2658  FLOW_DESTROY(&f);
2659 
2660  UTHFreePackets(&p, 1);
2661  return result;
2662 }
2663 
2664 /**
2665  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2666  * and multiple request/responses with a match test after each frag parsing.
2667  */
2668 static int DetectDceOpnumTestParse13(void)
2669 {
2670  int result = 0;
2671  Signature *s = NULL;
2672  ThreadVars th_v;
2673  Packet *p = NULL;
2674  Flow f;
2675  TcpSession ssn;
2676  DetectEngineThreadCtx *det_ctx = NULL;
2677  DetectEngineCtx *de_ctx = NULL;
2678  DCERPCState *dcerpc_state = NULL;
2679  int r = 0;
2680 
2681  uint8_t dcerpc_request1[] = {
2682  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2683  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2684  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
2685  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2686  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2687  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2688  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2689  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2690  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2691  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2692  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2693  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2694  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2695  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2696  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2697  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2698  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2699  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2700  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2701  0x00, 0x00
2702  };
2703 
2704  uint8_t dcerpc_response1[] = {
2705  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2706  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2707  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2708  0x00, 0x00, 0x00, 0x00,
2709  };
2710 
2711  uint8_t dcerpc_request2[] = {
2712  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2713  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2714  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2715  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2716  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2717  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2718  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2719  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2720  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2721  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2722  0x4e, 0x6f, 0x6e, 0x65
2723  };
2724 
2725  uint8_t dcerpc_response2[] = {
2726  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2727  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2728  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2729  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2730  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2731  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2732  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2733  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2734  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2735  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2736  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2737  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2738  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2739  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2740  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2741  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2742  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2743  0x00, 0x00, 0x00, 0x00,
2744  };
2745 
2746  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2747  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2748 
2749  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2750  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2751 
2752  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2753 
2754  memset(&th_v, 0, sizeof(th_v));
2755  memset(&f, 0, sizeof(f));
2756  memset(&ssn, 0, sizeof(ssn));
2757 
2758  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2759 
2760  FLOW_INITIALIZE(&f);
2761  f.protoctx = (void *)&ssn;
2762  f.proto = IPPROTO_TCP;
2763  p->flow = &f;
2764  p->flowflags |= FLOW_PKT_TOSERVER;
2765  p->flowflags |= FLOW_PKT_ESTABLISHED;
2766  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2767  f.alproto = ALPROTO_DCERPC;
2768 
2769  StreamTcpInitConfig(TRUE);
2770 
2771  de_ctx = DetectEngineCtxInit();
2772  if (de_ctx == NULL)
2773  goto end;
2774 
2775  de_ctx->flags |= DE_QUIET;
2776 
2777  s = de_ctx->sig_list = SigInit(de_ctx,
2778  "alert tcp any any -> any any "
2779  "(msg:\"DCERPC\"; "
2780  "dce_opnum:30, 40; "
2781  "sid:1;)");
2782  if (s == NULL)
2783  goto end;
2784 
2785  SigGroupBuild(de_ctx);
2786  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2787 
2788  /* request1 */
2789  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2790  dcerpc_request1_len);
2791  if (r != 0) {
2792  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2793  goto end;
2794  }
2795 
2796  dcerpc_state = f.alstate;
2797  if (dcerpc_state == NULL) {
2798  printf("no dcerpc state: ");
2799  goto end;
2800  }
2801 
2802  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2803  printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
2804  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2805  goto end;
2806  }
2807 
2808  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2809  p->flowflags |= FLOW_PKT_TOSERVER;
2810  /* do detect */
2811  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2812 
2813  if (!PacketAlertCheck(p, 1))
2814  goto end;
2815 
2816  /* response1 */
2817  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2818  dcerpc_response1_len);
2819  if (r != 0) {
2820  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2821  goto end;
2822  }
2823 
2824  dcerpc_state = f.alstate;
2825  if (dcerpc_state == NULL) {
2826  printf("no dcerpc state: ");
2827  goto end;
2828  }
2829 
2830  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2831  printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
2832  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2833  goto end;
2834  }
2835 
2836  p->flowflags &=~ FLOW_PKT_TOSERVER;
2837  p->flowflags |= FLOW_PKT_TOCLIENT;
2838  /* do detect */
2839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2840 
2841  if (PacketAlertCheck(p, 1))
2842  goto end;
2843 
2844  /* request2 */
2845  printf("Sending Request2\n");
2846  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2847  dcerpc_request2_len);
2848  if (r != 0) {
2849  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2850  goto end;
2851  }
2852 
2853  dcerpc_state = f.alstate;
2854  if (dcerpc_state == NULL) {
2855  printf("no dcerpc state: ");
2856  goto end;
2857  }
2858 
2859  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2860  printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
2861  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2862  goto end;
2863  }
2864 
2865  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2866  p->flowflags |= FLOW_PKT_TOSERVER;
2867  /* do detect */
2868  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2869 
2870  if (!PacketAlertCheck(p, 1))
2871  goto end;
2872 
2873  /* response2 */
2874  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2875  dcerpc_response2_len);
2876  if (r != 0) {
2877  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2878  goto end;
2879  }
2880 
2881  dcerpc_state = f.alstate;
2882  if (dcerpc_state == NULL) {
2883  printf("no dcerpc state: ");
2884  goto end;
2885  }
2886 
2887  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2888  printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
2889  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2890  goto end;
2891  }
2892 
2893  p->flowflags &=~ FLOW_PKT_TOSERVER;
2894  p->flowflags |= FLOW_PKT_TOCLIENT;
2895  /* do detect */
2896  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2897 
2898  if (PacketAlertCheck(p, 1))
2899  goto end;
2900 
2901  result = 1;
2902 
2903  end:
2904  if (alp_tctx != NULL)
2905  AppLayerDestroyCtxThread(alp_tctx);
2906  SigGroupCleanup(de_ctx);
2907  SigCleanSignatures(de_ctx);
2908 
2909  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2910  DetectEngineCtxFree(de_ctx);
2911 
2912  StreamTcpFreeConfig(TRUE);
2913  FLOW_DESTROY(&f);
2914 
2915  UTHFreePackets(&p, 1);
2916  return result;
2917 }
2918 #endif
2919 #endif /* UNITTESTS */
2920 
2921 static void DetectDceOpnumRegisterTests(void)
2922 {
2923 #ifdef UNITTESTS
2924  UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
2925  UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
2926  UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03);
2927  UtRegisterTest("DetectDceOpnumTestParse04", DetectDceOpnumTestParse04);
2928  UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05);
2929  UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06);
2930  UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07);
2931  UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08);
2932  UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09);
2933  /* Disabled because of bug_753. Would be enabled, once we rewrite
2934  * dce parser */
2935 #if 0
2936  UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
2937  UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
2938  UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
2939  UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
2940 #endif
2941 #endif
2942 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2200
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
flags
uint16_t flags
Definition: app-layer-dns-common.h:246
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1135
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-opnum.c:54
DetectDceOpnumData_
Definition: detect-dce-opnum.h:36
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DetectDceOpnumRange_::next
struct DetectDceOpnumRange_ * next
Definition: detect-dce-opnum.h:33
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:343
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:242
DetectDceOpnumRange_
Definition: detect-dce-opnum.h:30
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1920
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:729
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:271
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DCE_OPNUM_RANGE_MAX
#define DCE_OPNUM_RANGE_MAX
Definition: detect-dce-opnum.h:27
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:82
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:239
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1163
Signature_
Signature container.
Definition: detect.h:495
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Flow_::protoctx
void * protoctx
Definition: flow.h:395
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
Flow_::alstate
void * alstate
Definition: flow.h:433
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
DetectDceOpnumData_::range
DetectDceOpnumRange * range
Definition: detect-dce-opnum.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1154
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1294
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2286
DetectDceOpnumRange_::range1
uint32_t range1
Definition: detect-dce-opnum.h:31
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:245
DetectDceOpnumRegister
void DetectDceOpnumRegister(void)
Registers the keyword handlers for the "dce_opnum" keyword.
Definition: detect-dce-opnum.c:71
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
DCERPCRequest_::opnum
uint16_t opnum
Definition: app-layer-dcerpc-common.h:171
SigMatch_::type
uint8_t type
Definition: detect.h:323
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
index
#define index
Definition: win32-misc.h:29
Packet_
Definition: decode.h:405
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:654
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1171
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:825
DetectDceOpnumRange_::range2
uint32_t range2
Definition: detect-dce-opnum.h:32
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:212
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:965
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:201
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:404
Packet_::flags
uint32_t flags
Definition: decode.h:441
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:324
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155
SigMatch_
a single match condition for a signature
Definition: detect.h:322
DCE_OPNUM_RANGE_UNINITIALIZED
#define DCE_OPNUM_RANGE_UNINITIALIZED
Definition: detect-dce-opnum.h:28
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1130
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640