suricata
detect-dce-opnum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_opnum keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 #include "flow-util.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-dcerpc.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 #include "detect-dce-opnum.h"
44 #include "detect-dce-iface.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "stream-tcp.h"
50 
51 #include "rust.h"
52 #include "rust-smb-detect-gen.h"
53 
54 #define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
55 
56 static pcre *parse_regex = NULL;
57 static pcre_extra *parse_regex_study = NULL;
58 
59 static int DetectDceOpnumMatchRust(DetectEngineThreadCtx *det_ctx,
60  Flow *f, uint8_t flags, void *state, void *txv,
61  const Signature *s, const SigMatchCtx *m);
62 static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
63 static void DetectDceOpnumFree(void *);
64 static void DetectDceOpnumRegisterTests(void);
65 static int g_dce_generic_list_id = 0;
66 
67 /**
68  * \brief Registers the keyword handlers for the "dce_opnum" keyword.
69  */
70 void DetectDceOpnumRegister(void)
71 {
72  sigmatch_table[DETECT_DCE_OPNUM].name = "dcerpc.opnum";
73  sigmatch_table[DETECT_DCE_OPNUM].alias = "dce_opnum";
74  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatchRust;
75  sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
76  sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
77  sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
78 
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
80 
81  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
82 }
83 
84 /**
85  * \internal
86  * \brief Creates and returns a new instance of DetectDceOpnumRange.
87  *
88  * \retval dor Pointer to the new instance DetectDceOpnumRange.
89  */
90 static DetectDceOpnumRange *DetectDceOpnumAllocDetectDceOpnumRange(void)
91 {
92  DetectDceOpnumRange *dor = NULL;
93 
94  if ( (dor = SCCalloc(1, sizeof(DetectDceOpnumRange))) == NULL)
95  return NULL;
96  dor->range1 = dor->range2 = DCE_OPNUM_RANGE_UNINITIALIZED;
97  return dor;
98 }
99 
100 /**
101  * \internal
102  * \brief Parses the argument sent along with the "dce_opnum" keyword.
103  *
104  * \param arg Pointer to the string containing the argument to be parsed.
105  *
106  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
107  * from the parsed arg.
108  */
109 static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
110 {
111  DetectDceOpnumData *dod = NULL;
112 
113  DetectDceOpnumRange *dor = NULL;
114  DetectDceOpnumRange *prev_dor = NULL;
115 
116 #define MAX_SUBSTRINGS 30
117  int ret = 0, res = 0;
118  int ov[MAX_SUBSTRINGS];
119  const char *pcre_sub_str = NULL;
120 
121  char *dup_str = NULL;
122  char *dup_str_temp = NULL;
123  char *dup_str_head = NULL;
124  char *comma_token = NULL;
125  char *hyphen_token = NULL;
126 
127  if (arg == NULL) {
128  goto error;
129  }
130 
131  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
132  MAX_SUBSTRINGS);
133  if (ret < 2) {
134  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
135  goto error;
136  }
137 
138  res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 0, &pcre_sub_str);
139  if (res < 0) {
140  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
141  goto error;
142  }
143 
144  if ( (dod = SCMalloc(sizeof(DetectDceOpnumData))) == NULL)
145  goto error;
146  memset(dod, 0, sizeof(DetectDceOpnumData));
147 
148  if ( (dup_str = SCStrdup(pcre_sub_str)) == NULL) {
149  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
150  goto error;
151  }
152 
153  /* free the substring */
154  pcre_free_substring(pcre_sub_str);
155 
156  /* keep a copy of the strdup string in dup_str_head so that we can free it
157  * once we are done using it */
158  dup_str_head = dup_str;
159  dup_str_temp = dup_str;
160  while ( (comma_token = index(dup_str, ',')) != NULL) {
161  comma_token[0] = '\0';
162  dup_str = comma_token + 1;
163 
164  dor = DetectDceOpnumAllocDetectDceOpnumRange();
165  if (dor == NULL)
166  goto error;
167  if (prev_dor == NULL) {
168  prev_dor = dor;
169  dod->range = dor;
170  } else {
171  prev_dor->next = dor;
172  prev_dor = dor;
173  }
174 
175  if ((hyphen_token = index(dup_str_temp, '-')) != NULL) {
176  hyphen_token[0] = '\0';
177  hyphen_token++;
178  dor->range1 = atoi(dup_str_temp);
179  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
180  goto error;
181  dor->range2 = atoi(hyphen_token);
182  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
183  goto error;
184  if (dor->range1 > dor->range2)
185  goto error;
186  }
187  dor->range1 = atoi(dup_str_temp);
188  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
189  goto error;
190 
191  dup_str_temp = dup_str;
192  }
193 
194  dor = DetectDceOpnumAllocDetectDceOpnumRange();
195  if (dor == NULL)
196  goto error;
197  if (prev_dor == NULL) {
198  dod->range = dor;
199  } else {
200  prev_dor->next = dor;
201  }
202 
203  if ( (hyphen_token = index(dup_str, '-')) != NULL) {
204  hyphen_token[0] = '\0';
205  hyphen_token++;
206  dor->range1 = atoi(dup_str);
207  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
208  goto error;
209  dor->range2 = atoi(hyphen_token);
210  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
211  goto error;
212  if (dor->range1 > dor->range2)
213  goto error;
214  }
215  dor->range1 = atoi(dup_str);
216  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
217  goto error;
218 
219  if (dup_str_head != NULL)
220  SCFree(dup_str_head);
221 
222  return dod;
223 
224  error:
225  if (dup_str_head != NULL)
226  SCFree(dup_str_head);
227  DetectDceOpnumFree(dod);
228  return NULL;
229 }
230 
231 /**
232  * \brief App layer match function for the "dce_opnum" keyword.
233  *
234  * \param t Pointer to the ThreadVars instance.
235  * \param det_ctx Pointer to the DetectEngineThreadCtx.
236  * \param f Pointer to the flow.
237  * \param flags Pointer to the flags indicating the flow direction.
238  * \param state Pointer to the app layer state data.
239  * \param s Pointer to the Signature instance.
240  * \param m Pointer to the SigMatch.
241  *
242  * \retval 1 On Match.
243  * \retval 0 On no match.
244  */
245 static int DetectDceOpnumMatch(DetectEngineThreadCtx *det_ctx,
246  Flow *f, uint8_t flags, void *state, void *txv,
247  const Signature *s, const SigMatchCtx *m)
248 {
249  SCEnter();
250 
251  DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
252 
253  DCERPCState *dcerpc_state = state;
254  if (dcerpc_state == NULL) {
255  SCLogDebug("No DCERPCState for the flow");
256  SCReturnInt(0);
257  }
258 
259  uint16_t opnum = dcerpc_state->dcerpc.dcerpcrequest.opnum;
260  DetectDceOpnumRange *dor = dce_data->range;
261  for ( ; dor != NULL; dor = dor->next) {
262  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
263  if (dor->range1 == opnum) {
264  SCReturnInt(1);
265  }
266  } else {
267  if (dor->range1 <= opnum && dor->range2 >= opnum)
268  {
269  SCReturnInt(1);
270  }
271  }
272  }
273 
274  SCReturnInt(0);
275 }
276 
277 static int DetectDceOpnumMatchRust(DetectEngineThreadCtx *det_ctx,
278  Flow *f, uint8_t flags, void *state, void *txv,
279  const Signature *s, const SigMatchCtx *m)
280 {
281  SCEnter();
282 
283  if (f->alproto == ALPROTO_DCERPC) {
284  return DetectDceOpnumMatch(det_ctx, f, flags,
285  state, txv, s, m);
286  }
287 
288  const DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
289  const DetectDceOpnumRange *dor = dce_data->range;
290 
291  uint16_t opnum;
292  if (rs_smb_tx_get_dce_opnum(txv, &opnum) != 1)
293  SCReturnInt(0);
294  SCLogDebug("(rust) opnum %u", opnum);
295 
296  for ( ; dor != NULL; dor = dor->next) {
297  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
298  if (dor->range1 == opnum) {
299  SCReturnInt(1);
300  }
301  } else {
302  if (dor->range1 <= opnum && dor->range2 >= opnum) {
303  SCReturnInt(1);
304  }
305  }
306  }
307 
308  SCReturnInt(0);
309 }
310 
311 /**
312  * \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
313  * and appends it to the Signature(s).
314  *
315  * \param de_ctx Pointer to the detection engine context.
316  * \param s Pointer to signature for the current Signature being parsed
317  * from the rules.
318  * \param arg Pointer to the string holding the keyword value.
319  *
320  * \retval 0 on success, -1 on failure
321  */
322 
323 static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
324 {
325  if (arg == NULL) {
326  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
327  "signature, option needs a value");
328  return -1;
329  }
330 
331  DetectDceOpnumData *dod = DetectDceOpnumArgParse(arg);
332  if (dod == NULL) {
333  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
334  "signature");
335  return -1;
336  }
337 
338  SigMatch *sm = SigMatchAlloc();
339  if (sm == NULL) {
340  DetectDceOpnumFree(dod);
341  return -1;
342  }
343 
344  sm->type = DETECT_DCE_OPNUM;
345  sm->ctx = (void *)dod;
346 
347  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
348  return 0;
349 }
350 
351 static void DetectDceOpnumFree(void *ptr)
352 {
353  DetectDceOpnumData *dod = ptr;
354  DetectDceOpnumRange *dor = NULL;
355  DetectDceOpnumRange *dor_temp = NULL;
356 
357  if (dod != NULL) {
358  dor = dod->range;
359  while (dor != NULL) {
360  dor_temp = dor;
361  dor = dor->next;
362  SCFree(dor_temp);
363  }
364  SCFree(dod);
365  }
366 
367  return;
368 }
369 
370 /************************************Unittests*********************************/
371 
372 #ifdef UNITTESTS
373 
374 static int DetectDceOpnumTestParse01(void)
375 {
376  Signature *s = SigAlloc();
377  int result = 0;
378 
379  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
380  result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
381  result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
382  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-78") == 0);
383  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513-6666") == 0);
384  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
385  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
386 
387  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
388  SigFree(s);
389  result &= 1;
390  }
391 
392  return result;
393 }
394 
395 static int DetectDceOpnumTestParse02(void)
396 {
397  Signature *s = SigAlloc();
398  int result = 0;
399  DetectDceOpnumData *dod = NULL;
400  DetectDceOpnumRange *dor = NULL;
401  SigMatch *temp = NULL;
402 
403  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
404 
405  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
406  temp = s->sm_lists[g_dce_generic_list_id];
407  dod = (DetectDceOpnumData *)temp->ctx;
408  if (dod == NULL)
409  goto end;
410  dor = dod->range;
411  result &= (dor->range1 == 12 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
412  result &= (dor->next == NULL);
413  } else {
414  result = 0;
415  }
416 
417  end:
418  SigFree(s);
419  return result;
420 }
421 
422 static int DetectDceOpnumTestParse03(void)
423 {
424  Signature *s = SigAlloc();
425  int result = 0;
426  DetectDceOpnumData *dod = NULL;
427  DetectDceOpnumRange *dor = NULL;
428  SigMatch *temp = NULL;
429 
430  result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
431 
432  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
433  temp = s->sm_lists[g_dce_generic_list_id];
434  dod = (DetectDceOpnumData *)temp->ctx;
435  if (dod == NULL)
436  goto end;
437  dor = dod->range;
438  result &= (dor->range1 == 12 && dor->range2 == 24);
439  result &= (dor->next == NULL);
440  } else {
441  result = 0;
442  }
443 
444  end:
445  SigFree(s);
446  return result;
447 }
448 
449 static int DetectDceOpnumTestParse04(void)
450 {
451  Signature *s = SigAlloc();
452  int result = 0;
453  DetectDceOpnumData *dod = NULL;
454  DetectDceOpnumRange *dor = NULL;
455  SigMatch *temp = NULL;
456 
457  result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
458 
459  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
460  temp = s->sm_lists[g_dce_generic_list_id];
461  dod = (DetectDceOpnumData *)temp->ctx;
462  if (dod == NULL)
463  goto end;
464  dor = dod->range;
465  result &= (dor->range1 == 12 && dor->range2 == 24);
466  result &= (dor->next != NULL);
467  if (result == 0)
468  goto end;
469 
470  dor = dor->next;
471  result &= (dor->range1 == 24 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
472  result &= (dor->next != NULL);
473  if (result == 0)
474  goto end;
475 
476  dor = dor->next;
477  result &= (dor->range1 == 62 && dor->range2 == 72);
478  result &= (dor->next != NULL);
479  if (result == 0)
480  goto end;
481 
482  dor = dor->next;
483  result &= (dor->range1 == 623 && dor->range2 == 635);
484  result &= (dor->next != NULL);
485  if (result == 0)
486  goto end;
487 
488  dor = dor->next;
489  result &= (dor->range1 == 62 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
490  result &= (dor->next != NULL);
491  if (result == 0)
492  goto end;
493 
494  dor = dor->next;
495  result &= (dor->range1 == 25 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
496  result &= (dor->next != NULL);
497  if (result == 0)
498  goto end;
499 
500  dor = dor->next;
501  result &= (dor->range1 == 213 && dor->range2 == 235);
502  if (result == 0)
503  goto end;
504  } else {
505  result = 0;
506  }
507 
508  end:
509  SigFree(s);
510  return result;
511 }
512 
513 static int DetectDceOpnumTestParse05(void)
514 {
515  Signature *s = SigAlloc();
516  int result = 0;
517  DetectDceOpnumData *dod = NULL;
518  DetectDceOpnumRange *dor = NULL;
519  SigMatch *temp = NULL;
520 
521  result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
522 
523  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
524  temp = s->sm_lists[g_dce_generic_list_id];
525  dod = (DetectDceOpnumData *)temp->ctx;
526  if (dod == NULL)
527  goto end;
528  dor = dod->range;
529  result &= (dor->range1 == 1 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
530  result &= (dor->next != NULL);
531  if (result == 0)
532  goto end;
533 
534  dor = dor->next;
535  result &= (dor->range1 == 2 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
536  result &= (dor->next != NULL);
537  if (result == 0)
538  goto end;
539 
540  dor = dor->next;
541  result &= (dor->range1 == 3 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
542  result &= (dor->next != NULL);
543  if (result == 0)
544  goto end;
545 
546  dor = dor->next;
547  result &= (dor->range1 == 4 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
548  result &= (dor->next != NULL);
549  if (result == 0)
550  goto end;
551 
552  dor = dor->next;
553  result &= (dor->range1 == 5 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
554  result &= (dor->next != NULL);
555  if (result == 0)
556  goto end;
557 
558  dor = dor->next;
559  result &= (dor->range1 == 6 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
560  result &= (dor->next != NULL);
561  if (result == 0)
562  goto end;
563 
564  dor = dor->next;
565  result &= (dor->range1 == 7 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
566  if (result == 0)
567  goto end;
568  } else {
569  result = 0;
570  }
571 
572  end:
573  SigFree(s);
574  return result;
575 }
576 
577 static int DetectDceOpnumTestParse06(void)
578 {
579  Signature *s = SigAlloc();
580  int result = 0;
581  DetectDceOpnumData *dod = NULL;
582  DetectDceOpnumRange *dor = NULL;
583  SigMatch *temp = NULL;
584 
585  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
586 
587  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
588  temp = s->sm_lists[g_dce_generic_list_id];
589  dod = (DetectDceOpnumData *)temp->ctx;
590  if (dod == NULL)
591  goto end;
592  dor = dod->range;
593  result &= (dor->range1 == 1 && dor->range2 == 2);
594  result &= (dor->next != NULL);
595  if (result == 0)
596  goto end;
597 
598  dor = dor->next;
599  result &= (dor->range1 == 3 && dor->range2 == 4);
600  result &= (dor->next != NULL);
601  if (result == 0)
602  goto end;
603 
604  dor = dor->next;
605  result &= (dor->range1 == 5 && dor->range2 == 6);
606  result &= (dor->next != NULL);
607  if (result == 0)
608  goto end;
609 
610  dor = dor->next;
611  result &= (dor->range1 == 7 && dor->range2 == 8);
612  if (result == 0)
613  goto end;
614  } else {
615  result = 0;
616  }
617 
618  end:
619  SigFree(s);
620  return result;
621 }
622 
623 static int DetectDceOpnumTestParse07(void)
624 {
625  Signature *s = SigAlloc();
626  int result = 0;
627  DetectDceOpnumData *dod = NULL;
628  DetectDceOpnumRange *dor = NULL;
629  SigMatch *temp = NULL;
630 
631  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
632 
633  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
634  temp = s->sm_lists[g_dce_generic_list_id];
635  dod = (DetectDceOpnumData *)temp->ctx;
636  if (dod == NULL)
637  goto end;
638  dor = dod->range;
639  result &= (dor->range1 == 1 && dor->range2 == 2);
640  result &= (dor->next != NULL);
641  if (result == 0)
642  goto end;
643 
644  dor = dor->next;
645  result &= (dor->range1 == 3 && dor->range2 == 4);
646  result &= (dor->next != NULL);
647  if (result == 0)
648  goto end;
649 
650  dor = dor->next;
651  result &= (dor->range1 == 5 && dor->range2 == 6);
652  result &= (dor->next != NULL);
653  if (result == 0)
654  goto end;
655 
656  dor = dor->next;
657  result &= (dor->range1 == 7 && dor->range2 == 8);
658  if (result == 0)
659  goto end;
660 
661  dor = dor->next;
662  result &= (dor->range1 == 9 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
663  if (result == 0)
664  goto end;
665  } else {
666  result = 0;
667  }
668 
669  end:
670  SigFree(s);
671  return result;
672 }
673 
674 /**
675  * \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
676  */
677 static int DetectDceOpnumTestParse08(void)
678 {
679  int result = 0;
680  Signature *s = NULL;
681  ThreadVars th_v;
682  Packet *p = NULL;
683  Flow f;
684  TcpSession ssn;
685  DetectEngineThreadCtx *det_ctx = NULL;
686  DetectEngineCtx *de_ctx = NULL;
687  DCERPCState *dcerpc_state = NULL;
688  int r = 0;
689 
690  uint8_t dcerpc_bind[] = {
691  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
692  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
693  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
694  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
695  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
696  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
697  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
698  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
699  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
700  };
701 
702  uint8_t dcerpc_bindack[] = {
703  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
704  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
705  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
706  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
707  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
708  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
710  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
711  0x02, 0x00, 0x00, 0x00
712  };
713 
714  /* todo chop the request frag length and change the
715  * length related parameters in the frag */
716  uint8_t dcerpc_request[] = {
717  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
718  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
719  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
720  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
721  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
722  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
723  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
724  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
725  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
726  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
727  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
728  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
729  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
730  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
731  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
732  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
733  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
734  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
735  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
736  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
737  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
738  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
739  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
740  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
741  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
742  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
743  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
744  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
745  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
746  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
747  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
748  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
749  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
750  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
751  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
752  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
753  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
754  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
755  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
756  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
757  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
758  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
759  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
760  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
761  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
762  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
763  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
764  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
765  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
766  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
767  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
768  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
769  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
770  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
771  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
772  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
773  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
774  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
775  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
776  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
777  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
778  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
779  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
780  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
781  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
782  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
783  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
784  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
785  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
786  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
787  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
788  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
789  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
790  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
791  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
792  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
793  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
794  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
795  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
796  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
797  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
798  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
799  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
800  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
801  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
802  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
803  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
804  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
805  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
806  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
807  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
808  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
809  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
810  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
811  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
812  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
813  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
814  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
815  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
816  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
817  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
818  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
819  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
820  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
821  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
822  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
823  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
824  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
825  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
826  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
827  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
828  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
829  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
830  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
831  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
832  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
833  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
834  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
835  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
836  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
837  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
838  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
839  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
840  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
841  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
842  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
843  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
844  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
845  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
846  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
847  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
848  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
964  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
965  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
966  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
967  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
968  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
969  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
970  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
971  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
972  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
973  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
974  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
975  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
976  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
977  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
978  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
979  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
980  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
981  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
982  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
983  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
984  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
985  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
986  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
987  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
988  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
989  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
990  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
991  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
992  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
993  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
994  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
995  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
996  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
997  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
998  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1065  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1066  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1067  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1068  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1069  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1070  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1071  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1072  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1073  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1074  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1075  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1076  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1077  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1078  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1079  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1080  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1081  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1082  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1083  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1084  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1085  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1086  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1087  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1088  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1089  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1090  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1091  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1092  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1093  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1094  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1095  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1096  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1097  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1098  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1099  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1100  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1101  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1102  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1103  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1104  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1105  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1106  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1107  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1108  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1109  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1110  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1111  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1112  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x01, 0x02, 0x03, 0x04
1131  };
1132 
1133  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1134  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1135  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1136 
1137  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1138 
1139  memset(&th_v, 0, sizeof(th_v));
1140  memset(&f, 0, sizeof(f));
1141  memset(&ssn, 0, sizeof(ssn));
1142 
1143  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1144 
1145  FLOW_INITIALIZE(&f);
1146  f.protoctx = (void *)&ssn;
1147  f.proto = IPPROTO_TCP;
1148  p->flow = &f;
1149  p->flowflags |= FLOW_PKT_TOSERVER;
1150  p->flowflags |= FLOW_PKT_ESTABLISHED;
1151  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1152  f.alproto = ALPROTO_DCERPC;
1153 
1154  StreamTcpInitConfig(TRUE);
1155 
1156  de_ctx = DetectEngineCtxInit();
1157  if (de_ctx == NULL)
1158  goto end;
1159 
1160  de_ctx->flags |= DE_QUIET;
1161 
1162  s = de_ctx->sig_list = SigInit(de_ctx,
1163  "alert tcp any any -> any any "
1164  "(msg:\"DCERPC\"; "
1165  "dce_opnum:9; "
1166  "sid:1;)");
1167  if (s == NULL)
1168  goto end;
1169 
1170  SigGroupBuild(de_ctx);
1171  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1172 
1173  FLOWLOCK_WRLOCK(&f);
1174  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1175  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1176  dcerpc_bind_len);
1177  if (r != 0) {
1178  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1179  FLOWLOCK_UNLOCK(&f);
1180  goto end;
1181  }
1182  FLOWLOCK_UNLOCK(&f);
1183 
1184  dcerpc_state = f.alstate;
1185  if (dcerpc_state == NULL) {
1186  SCLogDebug("no dcerpc state: ");
1187  goto end;
1188  }
1189 
1190  FLOWLOCK_WRLOCK(&f);
1191  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1192  STREAM_TOCLIENT, dcerpc_bindack,
1193  dcerpc_bindack_len);
1194  if (r != 0) {
1195  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1196  FLOWLOCK_UNLOCK(&f);
1197  goto end;
1198  }
1199  FLOWLOCK_UNLOCK(&f);
1200 
1201  FLOWLOCK_WRLOCK(&f);
1202  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1203  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
1204  dcerpc_request_len);
1205  if (r != 0) {
1206  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1207  FLOWLOCK_UNLOCK(&f);
1208  goto end;
1209  }
1210  FLOWLOCK_UNLOCK(&f);
1211 
1212  dcerpc_state = f.alstate;
1213  if (dcerpc_state == NULL) {
1214  SCLogDebug("no dcerpc state: ");
1215  goto end;
1216  }
1217 
1218  /* do detect */
1219  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1220 
1221  if (!PacketAlertCheck(p, 1))
1222  goto end;
1223 
1224  result = 1;
1225 
1226  end:
1227  if (alp_tctx != NULL)
1228  AppLayerParserThreadCtxFree(alp_tctx);
1229  SigGroupCleanup(de_ctx);
1230  SigCleanSignatures(de_ctx);
1231 
1232  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1233  DetectEngineCtxFree(de_ctx);
1234 
1235  StreamTcpFreeConfig(TRUE);
1236  FLOW_DESTROY(&f);
1237 
1238  UTHFreePackets(&p, 1);
1239  return result;
1240 }
1241 
1242 /**
1243  * \test Test a valid dce_opnum entry with only a request frag.
1244  */
1245 static int DetectDceOpnumTestParse09(void)
1246 {
1247  int result = 0;
1248  Signature *s = NULL;
1249  ThreadVars th_v;
1250  Packet *p = NULL;
1251  Flow f;
1252  TcpSession ssn;
1253  DetectEngineThreadCtx *det_ctx = NULL;
1254  DetectEngineCtx *de_ctx = NULL;
1255  DCERPCState *dcerpc_state = NULL;
1256  int r = 0;
1257 
1258  /* todo chop the request frag length and change the
1259  * length related parameters in the frag */
1260  uint8_t dcerpc_request[] = {
1261  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1262  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1263  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1264  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1265  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
1266  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
1267  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
1268  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
1269  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
1270  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
1271  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
1272  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
1273  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
1274  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
1275  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
1276  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
1277  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
1278  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
1279  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
1280  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
1281  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
1282  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
1283  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
1284  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
1285  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
1286  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
1287  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
1288  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
1289  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
1290  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
1291  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
1292  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
1293  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
1294  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
1295  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
1296  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
1297  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
1298  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
1299  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
1300  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
1301  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
1302  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
1303  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
1304  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
1305  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
1306  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
1307  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
1308  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
1309  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
1310  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
1311  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
1312  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
1313  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
1314  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
1315  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
1316  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
1317  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
1318  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
1319  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
1320  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
1321  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
1322  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
1323  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
1324  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
1325  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
1326  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
1327  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
1328  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
1329  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
1330  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
1331  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
1332  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
1333  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
1334  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
1335  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
1336  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
1337  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
1338  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
1339  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
1340  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
1341  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
1342  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
1343  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
1344  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
1345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1508  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1509  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1510  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1511  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1512  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1513  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1514  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1515  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1516  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1517  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1518  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1519  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1520  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1521  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1522  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1523  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1524  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1525  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1526  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1527  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1528  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1529  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1530  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1531  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1532  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1533  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1534  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1535  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1537  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1538  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1539  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1540  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1541  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1542  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1593  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1594  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1595  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1596  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1597  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1598  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1599  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1600  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1601  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1602  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1603  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1604  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1605  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1606  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1607  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1608  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1658  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1659  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1660  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1661  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1662  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1663  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1664  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1665  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1666  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1667  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1668  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1669  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1670  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1671  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1672  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1673  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1674  0x01, 0x02, 0x03, 0x04
1675  };
1676 
1677  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1678 
1679  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1680 
1681  memset(&th_v, 0, sizeof(th_v));
1682  memset(&f, 0, sizeof(f));
1683  memset(&ssn, 0, sizeof(ssn));
1684 
1685  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1686 
1687  FLOW_INITIALIZE(&f);
1688  f.protoctx = (void *)&ssn;
1689  f.proto = IPPROTO_TCP;
1690  p->flow = &f;
1691  p->flowflags |= FLOW_PKT_TOSERVER;
1692  p->flowflags |= FLOW_PKT_ESTABLISHED;
1693  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1694  f.alproto = ALPROTO_DCERPC;
1695 
1696  StreamTcpInitConfig(TRUE);
1697 
1698  de_ctx = DetectEngineCtxInit();
1699  if (de_ctx == NULL)
1700  goto end;
1701 
1702  de_ctx->flags |= DE_QUIET;
1703 
1704  s = de_ctx->sig_list = SigInit(de_ctx,
1705  "alert tcp any any -> any any "
1706  "(msg:\"DCERPC\"; "
1707  "dce_opnum:9; "
1708  "sid:1;)");
1709  if (s == NULL)
1710  goto end;
1711 
1712  SigGroupBuild(de_ctx);
1713  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1714 
1715  FLOWLOCK_WRLOCK(&f);
1716  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1717  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1718  dcerpc_request_len);
1719  if (r != 0) {
1720  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1721  FLOWLOCK_UNLOCK(&f);
1722  goto end;
1723  }
1724  FLOWLOCK_UNLOCK(&f);
1725 
1726  dcerpc_state = f.alstate;
1727  if (dcerpc_state == NULL) {
1728  SCLogDebug("no dcerpc state: ");
1729  goto end;
1730  }
1731 
1732  /* do detect */
1733  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1734 
1735  if (!PacketAlertCheck(p, 1))
1736  goto end;
1737 
1738  result = 1;
1739 
1740  end:
1741  if (alp_tctx != NULL)
1742  AppLayerParserThreadCtxFree(alp_tctx);
1743  SigGroupCleanup(de_ctx);
1744  SigCleanSignatures(de_ctx);
1745 
1746  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1747  DetectEngineCtxFree(de_ctx);
1748 
1749  StreamTcpFreeConfig(TRUE);
1750  FLOW_DESTROY(&f);
1751 
1752  UTHFreePackets(&p, 1);
1753  return result;
1754 }
1755 
1756 /* Disabled because of bug_753. Would be enabled, once we rewrite
1757  * dce parser */
1758 #if 0
1759 
1760 /**
1761  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1762  * and multiple request/responses with a match test after each frag parsing.
1763  */
1764 static int DetectDceOpnumTestParse10(void)
1765 {
1766  int result = 0;
1767  Signature *s = NULL;
1768  ThreadVars th_v;
1769  Packet *p = NULL;
1770  Flow f;
1771  TcpSession ssn;
1772  DetectEngineThreadCtx *det_ctx = NULL;
1773  DetectEngineCtx *de_ctx = NULL;
1774  DCERPCState *dcerpc_state = NULL;
1775  int r = 0;
1776 
1777  uint8_t dcerpc_bind[] = {
1778  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1779  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1780  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1781  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1782  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1783  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1784  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1785  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1786  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1787  };
1788 
1789  uint8_t dcerpc_bindack[] = {
1790  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1791  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1792  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1793  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1794  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1795  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1796  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1797  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1798  0x02, 0x00, 0x00, 0x00,
1799  };
1800 
1801  uint8_t dcerpc_request1[] = {
1802  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1803  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1804  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1805  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1806  0x00, 0x00, 0x00, 0x02,
1807  };
1808 
1809  uint8_t dcerpc_response1[] = {
1810  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1811  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1812  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1813  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1814  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1815  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1816  };
1817 
1818  uint8_t dcerpc_request2[] = {
1819  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1820  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1821  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1822  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1823  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1824  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1825  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1826  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1827  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1828  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1829  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1830  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1831  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1832  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1833  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1834  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1835  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1836  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1837  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1838  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1839  0x03, 0x00, 0x00, 0x00,
1840  };
1841 
1842  uint8_t dcerpc_response2[] = {
1843  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1844  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1845  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1846  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1847  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1848  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1849  };
1850 
1851  uint8_t dcerpc_request3[] = {
1852  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1853  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1854  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1855  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1856  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1857  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1858  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1859  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1860  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1861  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1862  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1863  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1864  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1865  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1866  };
1867 
1868  uint8_t dcerpc_response3[] = {
1869  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1870  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1871  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1872  0x00, 0x00, 0x00, 0x00,
1873  };
1874 
1875  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1876  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1877 
1878  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1879  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1880 
1881  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1882  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1883 
1884  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1885  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1886 
1887  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1888 
1889  memset(&th_v, 0, sizeof(th_v));
1890  memset(&f, 0, sizeof(f));
1891  memset(&ssn, 0, sizeof(ssn));
1892 
1893  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1894 
1895  FLOW_INITIALIZE(&f);
1896  f.protoctx = (void *)&ssn;
1897  f.proto = IPPROTO_TCP;
1898  p->flow = &f;
1899  p->flowflags |= FLOW_PKT_TOSERVER;
1900  p->flowflags |= FLOW_PKT_ESTABLISHED;
1901  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1902  f.alproto = ALPROTO_DCERPC;
1903 
1904  StreamTcpInitConfig(TRUE);
1905 
1906  de_ctx = DetectEngineCtxInit();
1907  if (de_ctx == NULL) {
1908  goto end;
1909  }
1910 
1911  de_ctx->flags |= DE_QUIET;
1912 
1913  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1914  "(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
1915  if (s == NULL) {
1916  goto end;
1917  }
1918 
1919  SigGroupBuild(de_ctx);
1920  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1921 
1922  SCLogDebug("sending bind");
1923 
1924  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1925  dcerpc_bind, dcerpc_bind_len);
1926  if (r != 0) {
1927  SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
1928  goto end;
1929  }
1930 
1931  dcerpc_state = f.alstate;
1932  if (dcerpc_state == NULL) {
1933  SCLogDebug("no dcerpc state: ");
1934  goto end;
1935  }
1936  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1937  p->flowflags |= FLOW_PKT_TOSERVER;
1938  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1939 
1940  SCLogDebug("sending bind_ack");
1941 
1942  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1943  dcerpc_bindack, dcerpc_bindack_len);
1944  if (r != 0) {
1945  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1946  goto end;
1947  }
1948  p->flowflags &=~ FLOW_PKT_TOSERVER;
1949  p->flowflags |= FLOW_PKT_TOCLIENT;
1950  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1951 
1952  SCLogDebug("sending request1");
1953 
1954  /* request1 */
1955  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1956  dcerpc_request1, dcerpc_request1_len);
1957  if (r != 0) {
1958  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1959  goto end;
1960  }
1961 
1962  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1963  p->flowflags |= FLOW_PKT_TOSERVER;
1964  /* do detect */
1965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1966 
1967  if (!PacketAlertCheck(p, 1)) {
1968  printf("sig 1 didn't match, but should have: ");
1969  goto end;
1970  }
1971 
1972  SCLogDebug("sending response1");
1973 
1974  /* response1 */
1975  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1976  dcerpc_response1, dcerpc_response1_len);
1977  if (r != 0) {
1978  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1979  goto end;
1980  }
1981 
1982  p->flowflags &=~ FLOW_PKT_TOSERVER;
1983  p->flowflags |= FLOW_PKT_TOCLIENT;
1984  /* do detect */
1985  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1986 
1987  if (PacketAlertCheck(p, 1)) {
1988  printf("sig 1 did match, shouldn't have on response1: ");
1989  goto end;
1990  }
1991 
1992  /* request2 */
1993  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1994  dcerpc_request2, dcerpc_request2_len);
1995  if (r != 0) {
1996  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1997  goto end;
1998  }
1999 
2000  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2001  p->flowflags |= FLOW_PKT_TOSERVER;
2002  /* do detect */
2003  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2004 
2005  if (!PacketAlertCheck(p, 1)) {
2006  printf("sig 1 didn't match, but should have on request2: ");
2007  goto end;
2008  }
2009 
2010  /* response2 */
2011  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2012  dcerpc_response2, dcerpc_response2_len);
2013  if (r != 0) {
2014  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2015  goto end;
2016  }
2017 
2018  p->flowflags &=~ FLOW_PKT_TOSERVER;
2019  p->flowflags |= FLOW_PKT_TOCLIENT;
2020  /* do detect */
2021  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2022 
2023  if (PacketAlertCheck(p, 1)) {
2024  printf("sig 1 did match, shouldn't have on response2: ");
2025  goto end;
2026  }
2027 
2028  /* request3 */
2029  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2030  dcerpc_request3, dcerpc_request3_len);
2031  if (r != 0) {
2032  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2033  goto end;
2034  }
2035 
2036  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2037  p->flowflags |= FLOW_PKT_TOSERVER;
2038  /* do detect */
2039  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2040 
2041  if (!PacketAlertCheck(p, 1)) {
2042  printf("sig 1 didn't match, but should have on request3: ");
2043  goto end;
2044  }
2045 
2046  /* response3 */
2047  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2048  dcerpc_response3, dcerpc_response3_len);
2049  if (r != 0) {
2050  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2051  goto end;
2052  }
2053 
2054  p->flowflags &=~ FLOW_PKT_TOSERVER;
2055  p->flowflags |= FLOW_PKT_TOCLIENT;
2056  /* do detect */
2057  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2058 
2059  if (PacketAlertCheck(p, 1)) {
2060  printf("sig 1 did match, shouldn't have on response2: ");
2061  goto end;
2062  }
2063 
2064  result = 1;
2065 
2066  end:
2067  if (alp_tctx != NULL)
2068  AppLayerDestroyCtxThread(alp_tctx);
2069  SigGroupCleanup(de_ctx);
2070  SigCleanSignatures(de_ctx);
2071 
2072  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2073  DetectEngineCtxFree(de_ctx);
2074 
2075  StreamTcpFreeConfig(TRUE);
2076  FLOW_DESTROY(&f);
2077 
2078  UTHFreePackets(&p, 1);
2079  return result;
2080 }
2081 
2082 /**
2083  * \test Test a valid dce_opnum entry(with multiple values) with multiple
2084  * request/responses.
2085  */
2086 static int DetectDceOpnumTestParse11(void)
2087 {
2088  int result = 0;
2089  Signature *s = NULL;
2090  ThreadVars th_v;
2091  Packet *p = NULL;
2092  Flow f;
2093  TcpSession ssn;
2094  DetectEngineThreadCtx *det_ctx = NULL;
2095  DetectEngineCtx *de_ctx = NULL;
2096  DCERPCState *dcerpc_state = NULL;
2097  int r = 0;
2098 
2099  uint8_t dcerpc_request1[] = {
2100  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2101  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2102  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2103  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
2104  0x00, 0x00, 0x00, 0x02,
2105  };
2106 
2107  uint8_t dcerpc_response1[] = {
2108  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2109  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2110  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2111  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2112  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2113  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2114  };
2115 
2116  uint8_t dcerpc_request2[] = {
2117  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2118  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2119  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
2120  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2121  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2122  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
2123  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
2124  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
2125  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
2126  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
2127  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
2128  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
2129  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
2130  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
2131  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
2132  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
2133  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
2134  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
2135  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
2136  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2137  0x03, 0x00, 0x00, 0x00,
2138  };
2139 
2140  uint8_t dcerpc_response2[] = {
2141  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2142  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2143  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2144  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2145  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2146  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2147  };
2148 
2149  uint8_t dcerpc_request3[] = {
2150  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2151  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2152  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
2153  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2154  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2155  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
2156  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
2157  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
2158  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
2159  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2160  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
2161  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
2162  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
2163  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
2164  };
2165 
2166  uint8_t dcerpc_response3[] = {
2167  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2168  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2169  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2170  0x00, 0x00, 0x00, 0x00,
2171  };
2172 
2173  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2174  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2175 
2176  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2177  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2178 
2179  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
2180  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
2181 
2182  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2183 
2184  memset(&th_v, 0, sizeof(th_v));
2185  memset(&f, 0, sizeof(f));
2186  memset(&ssn, 0, sizeof(ssn));
2187 
2188  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2189 
2190  FLOW_INITIALIZE(&f);
2191  f.protoctx = (void *)&ssn;
2192  f.proto = IPPROTO_TCP;
2193  p->flow = &f;
2194  p->flowflags |= FLOW_PKT_TOSERVER;
2195  p->flowflags |= FLOW_PKT_ESTABLISHED;
2196  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2197  f.alproto = ALPROTO_DCERPC;
2198 
2199  StreamTcpInitConfig(TRUE);
2200 
2201  de_ctx = DetectEngineCtxInit();
2202  if (de_ctx == NULL)
2203  goto end;
2204 
2205  de_ctx->flags |= DE_QUIET;
2206 
2207  s = de_ctx->sig_list = SigInit(de_ctx,
2208  "alert tcp any any -> any any "
2209  "(msg:\"DCERPC\"; "
2210  "dce_opnum:2-22; "
2211  "sid:1;)");
2212  if (s == NULL)
2213  goto end;
2214 
2215  SigGroupBuild(de_ctx);
2216  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2217 
2218  /* request1 */
2219  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2220  dcerpc_request1, dcerpc_request1_len);
2221  if (r != 0) {
2222  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2223  printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
2224  goto end;
2225  }
2226 
2227  dcerpc_state = f.alstate;
2228  if (dcerpc_state == NULL) {
2229  SCLogDebug("no dcerpc state: ");
2230  printf("no dcerpc state: ");
2231  goto end;
2232  }
2233 
2234  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2235  p->flowflags |= FLOW_PKT_TOSERVER;
2236  /* do detect */
2237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2238 
2239  if (!PacketAlertCheck(p, 1))
2240  goto end;
2241 
2242  /* response1 */
2243  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2244  dcerpc_response1, dcerpc_response1_len);
2245  if (r != 0) {
2246  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2247  printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
2248  goto end;
2249  }
2250 
2251  p->flowflags &=~ FLOW_PKT_TOSERVER;
2252  p->flowflags |= FLOW_PKT_TOCLIENT;
2253  /* do detect */
2254  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2255 
2256  if (PacketAlertCheck(p, 1))
2257  goto end;
2258 
2259  /* request2 */
2260  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2261  dcerpc_request2, dcerpc_request2_len);
2262  if (r != 0) {
2263  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2264  printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
2265  goto end;
2266  }
2267 
2268  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2269  p->flowflags |= FLOW_PKT_TOSERVER;
2270  /* do detect */
2271  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2272 
2273  if (!PacketAlertCheck(p, 1))
2274  goto end;
2275 
2276  /* response2 */
2277  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2278  dcerpc_response2, dcerpc_response2_len);
2279  if (r != 0) {
2280  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2281  printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
2282  goto end;
2283  }
2284 
2285  p->flowflags &=~ FLOW_PKT_TOSERVER;
2286  p->flowflags |= FLOW_PKT_TOCLIENT;
2287  /* do detect */
2288  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2289 
2290  if (PacketAlertCheck(p, 1))
2291  goto end;
2292 
2293  /* request3 */
2294  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2295  dcerpc_request3, dcerpc_request3_len);
2296  if (r != 0) {
2297  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2298  printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
2299  goto end;
2300  }
2301 
2302  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2303  p->flowflags |= FLOW_PKT_TOSERVER;
2304  /* do detect */
2305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2306 
2307  if (!PacketAlertCheck(p, 1))
2308  goto end;
2309 
2310  /* response3 */
2311  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2312  dcerpc_response3, dcerpc_response3_len);
2313  if (r != 0) {
2314  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2315  printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
2316  goto end;
2317  }
2318 
2319  p->flowflags &=~ FLOW_PKT_TOSERVER;
2320  p->flowflags |= FLOW_PKT_TOCLIENT;
2321  /* do detect */
2322  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2323 
2324  if (PacketAlertCheck(p, 1))
2325  goto end;
2326 
2327  result = 1;
2328 
2329  end:
2330  if (alp_tctx != NULL)
2331  AppLayerDestroyCtxThread(alp_tctx);
2332  SigGroupCleanup(de_ctx);
2333  SigCleanSignatures(de_ctx);
2334 
2335  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2336  DetectEngineCtxFree(de_ctx);
2337 
2338  StreamTcpFreeConfig(TRUE);
2339  FLOW_DESTROY(&f);
2340 
2341  UTHFreePackets(&p, 1);
2342  return result;
2343 }
2344 
2345 /**
2346  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2347  * and multiple request/responses with a match test after each frag parsing.
2348  */
2349 static int DetectDceOpnumTestParse12(void)
2350 {
2351  int result = 0;
2352  Signature *s = NULL;
2353  ThreadVars th_v;
2354  Packet *p = NULL;
2355  Flow f;
2356  TcpSession ssn;
2357  DetectEngineThreadCtx *det_ctx = NULL;
2358  DetectEngineCtx *de_ctx = NULL;
2359  DCERPCState *dcerpc_state = NULL;
2360  int r = 0;
2361 
2362  uint8_t dcerpc_bind[] = {
2363  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2364  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2365  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2366  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2367  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
2368  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
2369  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2370  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2371  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2372  };
2373 
2374  uint8_t dcerpc_bindack[] = {
2375  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
2376  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2377  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
2378  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
2379  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
2380  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2381  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2382  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2383  0x02, 0x00, 0x00, 0x00,
2384  };
2385 
2386  uint8_t dcerpc_request1[] = {
2387  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2388  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2389  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
2390  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2391  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2392  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2393  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2394  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2395  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2396  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2397  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2398  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2399  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2400  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2406  0x00, 0x00
2407  };
2408 
2409  uint8_t dcerpc_response1[] = {
2410  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2411  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2412  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2413  0x00, 0x00, 0x00, 0x00,
2414  };
2415 
2416  uint8_t dcerpc_request2[] = {
2417  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2418  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2419  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2420  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2421  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2422  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2423  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2424  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2425  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2426  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2427  0x4e, 0x6f, 0x6e, 0x65
2428  };
2429 
2430  uint8_t dcerpc_response2[] = {
2431  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2432  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2433  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2434  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2435  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2436  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2437  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2438  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2439  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2440  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2441  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2442  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2447  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2448  0x00, 0x00, 0x00, 0x00,
2449  };
2450 
2451  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
2452  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
2453 
2454  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2455  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2456 
2457  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2458  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2459 
2460  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2461 
2462  memset(&th_v, 0, sizeof(th_v));
2463  memset(&f, 0, sizeof(f));
2464  memset(&ssn, 0, sizeof(ssn));
2465 
2466  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2467 
2468  FLOW_INITIALIZE(&f);
2469  f.protoctx = (void *)&ssn;
2470  f.proto = IPPROTO_TCP;
2471  p->flow = &f;
2472  p->flowflags |= FLOW_PKT_TOSERVER;
2473  p->flowflags |= FLOW_PKT_ESTABLISHED;
2474  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2475  f.alproto = ALPROTO_DCERPC;
2476 
2477  StreamTcpInitConfig(TRUE);
2478 
2479  de_ctx = DetectEngineCtxInit();
2480  if (de_ctx == NULL)
2481  goto end;
2482 
2483  de_ctx->flags |= DE_QUIET;
2484 
2485  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
2486  "(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
2487  if (s == NULL)
2488  goto end;
2489 
2490  SigGroupBuild(de_ctx);
2491  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2492 
2493  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2494  dcerpc_bind, dcerpc_bind_len);
2495  if (r != 0) {
2496  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2497  goto end;
2498  }
2499  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2500  p->flowflags |= FLOW_PKT_TOSERVER;
2501  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2502 
2503  dcerpc_state = f.alstate;
2504  if (dcerpc_state == NULL) {
2505  printf("no dcerpc state: ");
2506  goto end;
2507  }
2508 
2509  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
2510  dcerpc_bindack_len);
2511  if (r != 0) {
2512  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2513  goto end;
2514  }
2515  p->flowflags &=~ FLOW_PKT_TOSERVER;
2516  p->flowflags |= FLOW_PKT_TOCLIENT;
2517  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2518 
2519  /* request1 */
2520  SCLogDebug("Sending request1");
2521 
2522  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2523  dcerpc_request1_len);
2524  if (r != 0) {
2525  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2526  goto end;
2527  }
2528 
2529  dcerpc_state = f.alstate;
2530  if (dcerpc_state == NULL) {
2531  printf("no dcerpc state: ");
2532  goto end;
2533  }
2534 
2535  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2536  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2537  "expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2538  goto end;
2539  }
2540 
2541  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2542  p->flowflags |= FLOW_PKT_TOSERVER;
2543  /* do detect */
2544  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2545 
2546  if (!PacketAlertCheck(p, 1)) {
2547  printf("signature 1 didn't match, should have: ");
2548  goto end;
2549  }
2550 
2551  /* response1 */
2552  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2553  dcerpc_response1_len);
2554  if (r != 0) {
2555  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2556  goto end;
2557  }
2558 
2559  dcerpc_state = f.alstate;
2560  if (dcerpc_state == NULL) {
2561  printf("no dcerpc state: ");
2562  goto end;
2563  }
2564 
2565  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2566  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2567  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2568  goto end;
2569  }
2570 
2571  p->flowflags &=~ FLOW_PKT_TOSERVER;
2572  p->flowflags |= FLOW_PKT_TOCLIENT;
2573  /* do detect */
2574  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2575 
2576  if (PacketAlertCheck(p, 1)) {
2577  printf("sig 1 matched on response 1, but shouldn't: ");
2578  goto end;
2579  }
2580 
2581  /* request2 */
2582  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2583  dcerpc_request2_len);
2584  if (r != 0) {
2585  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2586  goto end;
2587  }
2588 
2589  dcerpc_state = f.alstate;
2590  if (dcerpc_state == NULL) {
2591  printf("no dcerpc state: ");
2592  goto end;
2593  }
2594 
2595  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2596  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2597  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2598  goto end;
2599  }
2600 
2601  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2602  p->flowflags |= FLOW_PKT_TOSERVER;
2603  /* do detect */
2604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2605 
2606  if (!PacketAlertCheck(p, 1)) {
2607  printf("sig 1 didn't match on request 2: ");
2608  goto end;
2609  }
2610 
2611  /* response2 */
2612  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2613  dcerpc_response2_len);
2614  if (r != 0) {
2615  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2616  goto end;
2617  }
2618 
2619  dcerpc_state = f.alstate;
2620  if (dcerpc_state == NULL) {
2621  printf("no dcerpc state: ");
2622  goto end;
2623  }
2624 
2625  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2626  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2627  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2628  goto end;
2629  }
2630 
2631  p->flowflags &=~ FLOW_PKT_TOSERVER;
2632  p->flowflags |= FLOW_PKT_TOCLIENT;
2633  /* do detect */
2634  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2635 
2636  if (PacketAlertCheck(p, 1)) {
2637  printf("sig 1 matched on response2, but shouldn't: ");
2638  goto end;
2639  }
2640 
2641  result = 1;
2642 
2643 end:
2644  if (alp_tctx != NULL)
2645  AppLayerDestroyCtxThread(alp_tctx);
2646  SigGroupCleanup(de_ctx);
2647  SigCleanSignatures(de_ctx);
2648 
2649  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2650  DetectEngineCtxFree(de_ctx);
2651 
2652  StreamTcpFreeConfig(TRUE);
2653  FLOW_DESTROY(&f);
2654 
2655  UTHFreePackets(&p, 1);
2656  return result;
2657 }
2658 
2659 /**
2660  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2661  * and multiple request/responses with a match test after each frag parsing.
2662  */
2663 static int DetectDceOpnumTestParse13(void)
2664 {
2665  int result = 0;
2666  Signature *s = NULL;
2667  ThreadVars th_v;
2668  Packet *p = NULL;
2669  Flow f;
2670  TcpSession ssn;
2671  DetectEngineThreadCtx *det_ctx = NULL;
2672  DetectEngineCtx *de_ctx = NULL;
2673  DCERPCState *dcerpc_state = NULL;
2674  int r = 0;
2675 
2676  uint8_t dcerpc_request1[] = {
2677  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2678  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2679  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
2680  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2681  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2682  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2683  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2684  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2685  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2686  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2687  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2688  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2689  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2690  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2691  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2692  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2693  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2694  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2695  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2696  0x00, 0x00
2697  };
2698 
2699  uint8_t dcerpc_response1[] = {
2700  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2701  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2702  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2703  0x00, 0x00, 0x00, 0x00,
2704  };
2705 
2706  uint8_t dcerpc_request2[] = {
2707  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2708  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2709  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2710  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2711  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2712  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2713  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2714  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2715  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2716  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2717  0x4e, 0x6f, 0x6e, 0x65
2718  };
2719 
2720  uint8_t dcerpc_response2[] = {
2721  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2722  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2723  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2724  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2725  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2726  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2727  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2728  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2729  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2730  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2731  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2732  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2733  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2734  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2735  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2736  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2737  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2738  0x00, 0x00, 0x00, 0x00,
2739  };
2740 
2741  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2742  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2743 
2744  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2745  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2746 
2747  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2748 
2749  memset(&th_v, 0, sizeof(th_v));
2750  memset(&f, 0, sizeof(f));
2751  memset(&ssn, 0, sizeof(ssn));
2752 
2753  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2754 
2755  FLOW_INITIALIZE(&f);
2756  f.protoctx = (void *)&ssn;
2757  f.proto = IPPROTO_TCP;
2758  p->flow = &f;
2759  p->flowflags |= FLOW_PKT_TOSERVER;
2760  p->flowflags |= FLOW_PKT_ESTABLISHED;
2761  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2762  f.alproto = ALPROTO_DCERPC;
2763 
2764  StreamTcpInitConfig(TRUE);
2765 
2766  de_ctx = DetectEngineCtxInit();
2767  if (de_ctx == NULL)
2768  goto end;
2769 
2770  de_ctx->flags |= DE_QUIET;
2771 
2772  s = de_ctx->sig_list = SigInit(de_ctx,
2773  "alert tcp any any -> any any "
2774  "(msg:\"DCERPC\"; "
2775  "dce_opnum:30, 40; "
2776  "sid:1;)");
2777  if (s == NULL)
2778  goto end;
2779 
2780  SigGroupBuild(de_ctx);
2781  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2782 
2783  /* request1 */
2784  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2785  dcerpc_request1_len);
2786  if (r != 0) {
2787  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2788  goto end;
2789  }
2790 
2791  dcerpc_state = f.alstate;
2792  if (dcerpc_state == NULL) {
2793  printf("no dcerpc state: ");
2794  goto end;
2795  }
2796 
2797  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2798  printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
2799  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2800  goto end;
2801  }
2802 
2803  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2804  p->flowflags |= FLOW_PKT_TOSERVER;
2805  /* do detect */
2806  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2807 
2808  if (!PacketAlertCheck(p, 1))
2809  goto end;
2810 
2811  /* response1 */
2812  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2813  dcerpc_response1_len);
2814  if (r != 0) {
2815  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2816  goto end;
2817  }
2818 
2819  dcerpc_state = f.alstate;
2820  if (dcerpc_state == NULL) {
2821  printf("no dcerpc state: ");
2822  goto end;
2823  }
2824 
2825  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2826  printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
2827  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2828  goto end;
2829  }
2830 
2831  p->flowflags &=~ FLOW_PKT_TOSERVER;
2832  p->flowflags |= FLOW_PKT_TOCLIENT;
2833  /* do detect */
2834  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2835 
2836  if (PacketAlertCheck(p, 1))
2837  goto end;
2838 
2839  /* request2 */
2840  printf("Sending Request2\n");
2841  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2842  dcerpc_request2_len);
2843  if (r != 0) {
2844  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2845  goto end;
2846  }
2847 
2848  dcerpc_state = f.alstate;
2849  if (dcerpc_state == NULL) {
2850  printf("no dcerpc state: ");
2851  goto end;
2852  }
2853 
2854  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2855  printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
2856  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2857  goto end;
2858  }
2859 
2860  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2861  p->flowflags |= FLOW_PKT_TOSERVER;
2862  /* do detect */
2863  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2864 
2865  if (!PacketAlertCheck(p, 1))
2866  goto end;
2867 
2868  /* response2 */
2869  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2870  dcerpc_response2_len);
2871  if (r != 0) {
2872  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2873  goto end;
2874  }
2875 
2876  dcerpc_state = f.alstate;
2877  if (dcerpc_state == NULL) {
2878  printf("no dcerpc state: ");
2879  goto end;
2880  }
2881 
2882  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2883  printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
2884  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2885  goto end;
2886  }
2887 
2888  p->flowflags &=~ FLOW_PKT_TOSERVER;
2889  p->flowflags |= FLOW_PKT_TOCLIENT;
2890  /* do detect */
2891  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2892 
2893  if (PacketAlertCheck(p, 1))
2894  goto end;
2895 
2896  result = 1;
2897 
2898  end:
2899  if (alp_tctx != NULL)
2900  AppLayerDestroyCtxThread(alp_tctx);
2901  SigGroupCleanup(de_ctx);
2902  SigCleanSignatures(de_ctx);
2903 
2904  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2905  DetectEngineCtxFree(de_ctx);
2906 
2907  StreamTcpFreeConfig(TRUE);
2908  FLOW_DESTROY(&f);
2909 
2910  UTHFreePackets(&p, 1);
2911  return result;
2912 }
2913 #endif
2914 #endif /* UNITTESTS */
2915 
2916 static void DetectDceOpnumRegisterTests(void)
2917 {
2918 #ifdef UNITTESTS
2919  UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
2920  UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
2921  UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03);
2922  UtRegisterTest("DetectDceOpnumTestParse04", DetectDceOpnumTestParse04);
2923  UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05);
2924  UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06);
2925  UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07);
2926  UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08);
2927  UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09);
2928  /* Disabled because of bug_753. Would be enabled, once we rewrite
2929  * dce parser */
2930 #if 0
2931  UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
2932  UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
2933  UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
2934  UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
2935 #endif
2936 #endif
2937 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2216
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-opnum.c:54
DetectDceOpnumData_
Definition: detect-dce-opnum.h:36
Packet_::flow
struct Flow_ * flow
Definition: decode.h:445
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DetectDceOpnumRange_::next
struct DetectDceOpnumRange_ * next
Definition: detect-dce-opnum.h:33
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
DetectDceOpnumRange_
Definition: detect-dce-opnum.h:30
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1936
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:762
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:274
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DCE_OPNUM_RANGE_MAX
#define DCE_OPNUM_RANGE_MAX
Definition: detect-dce-opnum.h:27
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2761
SigTableElmt_::name
const char * name
Definition: detect.h:1193
Signature_
Signature container.
Definition: detect.h:517
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Flow_::protoctx
void * protoctx
Definition: flow.h:400
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:756
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2969
Flow_::alstate
void * alstate
Definition: flow.h:438
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
DetectDceOpnumData_::range
DetectDceOpnumRange * range
Definition: detect-dce-opnum.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:757
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1184
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1310
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1882
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2302
DetectDceOpnumRange_::range1
uint32_t range1
Definition: detect-dce-opnum.h:31
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:439
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:248
DetectDceOpnumRegister
void DetectDceOpnumRegister(void)
Registers the keyword handlers for the "dce_opnum" keyword.
Definition: detect-dce-opnum.c:70
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
DCERPCRequest_::opnum
uint16_t opnum
Definition: app-layer-dcerpc-common.h:171
SigMatch_::type
uint8_t type
Definition: detect.h:314
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
index
#define index
Definition: win32-misc.h:29
Packet_
Definition: decode.h:407
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:808
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1187
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigTableElmt_::alias
const char * alias
Definition: detect.h:1194
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SCFree
#define SCFree(a)
Definition: util-mem.h:322
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:842
DetectDceOpnumRange_::range2
uint32_t range2
Definition: detect-dce-opnum.h:32
STREAM_START
#define STREAM_START
Definition: stream.h:29
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1166
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1090
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:268
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:996
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
Packet_::flags
uint32_t flags
Definition: decode.h:443
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2065
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:325
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1088
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1185
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DCE_OPNUM_RANGE_UNINITIALIZED
#define DCE_OPNUM_RANGE_UNINITIALIZED
Definition: detect-dce-opnum.h:28
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1155
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2020