suricata
detect-dce-opnum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_opnum keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 #include "flow-util.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-dcerpc.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 #include "detect-dce-opnum.h"
44 #include "detect-dce-iface.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "stream-tcp.h"
50 
51 #include "rust.h"
52 
53 #define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
54 
55 static DetectParseRegex parse_regex;
56 
57 static int DetectDceOpnumMatchRust(DetectEngineThreadCtx *det_ctx,
58  Flow *f, uint8_t flags, void *state, void *txv,
59  const Signature *s, const SigMatchCtx *m);
60 static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
61 static void DetectDceOpnumFree(void *);
62 static void DetectDceOpnumRegisterTests(void);
63 static int g_dce_generic_list_id = 0;
64 
65 /**
66  * \brief Registers the keyword handlers for the "dce_opnum" keyword.
67  */
68 void DetectDceOpnumRegister(void)
69 {
70  sigmatch_table[DETECT_DCE_OPNUM].name = "dcerpc.opnum";
71  sigmatch_table[DETECT_DCE_OPNUM].alias = "dce_opnum";
72  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatchRust;
73  sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
74  sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
75  sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
76 
77  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
78 
79  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
80 }
81 
82 /**
83  * \internal
84  * \brief Creates and returns a new instance of DetectDceOpnumRange.
85  *
86  * \retval dor Pointer to the new instance DetectDceOpnumRange.
87  */
88 static DetectDceOpnumRange *DetectDceOpnumAllocDetectDceOpnumRange(void)
89 {
90  DetectDceOpnumRange *dor = NULL;
91 
92  if ( (dor = SCCalloc(1, sizeof(DetectDceOpnumRange))) == NULL)
93  return NULL;
94  dor->range1 = dor->range2 = DCE_OPNUM_RANGE_UNINITIALIZED;
95  return dor;
96 }
97 
98 /**
99  * \internal
100  * \brief Parses the argument sent along with the "dce_opnum" keyword.
101  *
102  * \param arg Pointer to the string containing the argument to be parsed.
103  *
104  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
105  * from the parsed arg.
106  */
107 static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
108 {
109  DetectDceOpnumData *dod = NULL;
110 
111  DetectDceOpnumRange *dor = NULL;
112  DetectDceOpnumRange *prev_dor = NULL;
113 
114  int ret = 0, res = 0;
115  int ov[MAX_SUBSTRINGS];
116  const char *pcre_sub_str = NULL;
117 
118  char *dup_str = NULL;
119  char *dup_str_temp = NULL;
120  char *dup_str_head = NULL;
121  char *comma_token = NULL;
122  char *hyphen_token = NULL;
123 
124  if (arg == NULL) {
125  goto error;
126  }
127 
128  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0, ov, MAX_SUBSTRINGS);
129  if (ret < 2) {
130  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
131  goto error;
132  }
133 
134  res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 0, &pcre_sub_str);
135  if (res < 0) {
136  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
137  goto error;
138  }
139 
140  if ( (dod = SCMalloc(sizeof(DetectDceOpnumData))) == NULL)
141  goto error;
142  memset(dod, 0, sizeof(DetectDceOpnumData));
143 
144  if ( (dup_str = SCStrdup(pcre_sub_str)) == NULL) {
145  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
146  goto error;
147  }
148 
149  /* free the substring */
150  pcre_free_substring(pcre_sub_str);
151 
152  /* keep a copy of the strdup string in dup_str_head so that we can free it
153  * once we are done using it */
154  dup_str_head = dup_str;
155  dup_str_temp = dup_str;
156  while ( (comma_token = strchr(dup_str, ',')) != NULL) {
157  comma_token[0] = '\0';
158  dup_str = comma_token + 1;
159 
160  dor = DetectDceOpnumAllocDetectDceOpnumRange();
161  if (dor == NULL)
162  goto error;
163  if (prev_dor == NULL) {
164  prev_dor = dor;
165  dod->range = dor;
166  } else {
167  prev_dor->next = dor;
168  prev_dor = dor;
169  }
170 
171  if ((hyphen_token = strchr(dup_str_temp, '-')) != NULL) {
172  hyphen_token[0] = '\0';
173  hyphen_token++;
174  dor->range1 = atoi(dup_str_temp);
175  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
176  goto error;
177  dor->range2 = atoi(hyphen_token);
178  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
179  goto error;
180  if (dor->range1 > dor->range2)
181  goto error;
182  }
183  dor->range1 = atoi(dup_str_temp);
184  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
185  goto error;
186 
187  dup_str_temp = dup_str;
188  }
189 
190  dor = DetectDceOpnumAllocDetectDceOpnumRange();
191  if (dor == NULL)
192  goto error;
193  if (prev_dor == NULL) {
194  dod->range = dor;
195  } else {
196  prev_dor->next = dor;
197  }
198 
199  if ( (hyphen_token = strchr(dup_str, '-')) != NULL) {
200  hyphen_token[0] = '\0';
201  hyphen_token++;
202  dor->range1 = atoi(dup_str);
203  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
204  goto error;
205  dor->range2 = atoi(hyphen_token);
206  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
207  goto error;
208  if (dor->range1 > dor->range2)
209  goto error;
210  }
211  dor->range1 = atoi(dup_str);
212  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
213  goto error;
214 
215  if (dup_str_head != NULL)
216  SCFree(dup_str_head);
217 
218  return dod;
219 
220  error:
221  if (dup_str_head != NULL)
222  SCFree(dup_str_head);
223  DetectDceOpnumFree(dod);
224  return NULL;
225 }
226 
227 /**
228  * \brief App layer match function for the "dce_opnum" keyword.
229  *
230  * \param t Pointer to the ThreadVars instance.
231  * \param det_ctx Pointer to the DetectEngineThreadCtx.
232  * \param f Pointer to the flow.
233  * \param flags Pointer to the flags indicating the flow direction.
234  * \param state Pointer to the app layer state data.
235  * \param s Pointer to the Signature instance.
236  * \param m Pointer to the SigMatch.
237  *
238  * \retval 1 On Match.
239  * \retval 0 On no match.
240  */
241 static int DetectDceOpnumMatch(DetectEngineThreadCtx *det_ctx,
242  Flow *f, uint8_t flags, void *state, void *txv,
243  const Signature *s, const SigMatchCtx *m)
244 {
245  SCEnter();
246 
247  DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
248 
249  DCERPCState *dcerpc_state = state;
250  if (dcerpc_state == NULL) {
251  SCLogDebug("No DCERPCState for the flow");
252  SCReturnInt(0);
253  }
254 
255  uint16_t opnum = dcerpc_state->dcerpc.dcerpcrequest.opnum;
256  DetectDceOpnumRange *dor = dce_data->range;
257  for ( ; dor != NULL; dor = dor->next) {
258  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
259  if (dor->range1 == opnum) {
260  SCReturnInt(1);
261  }
262  } else {
263  if (dor->range1 <= opnum && dor->range2 >= opnum)
264  {
265  SCReturnInt(1);
266  }
267  }
268  }
269 
270  SCReturnInt(0);
271 }
272 
273 static int DetectDceOpnumMatchRust(DetectEngineThreadCtx *det_ctx,
274  Flow *f, uint8_t flags, void *state, void *txv,
275  const Signature *s, const SigMatchCtx *m)
276 {
277  SCEnter();
278 
279  if (f->alproto == ALPROTO_DCERPC) {
280  return DetectDceOpnumMatch(det_ctx, f, flags,
281  state, txv, s, m);
282  }
283 
284  const DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
285  const DetectDceOpnumRange *dor = dce_data->range;
286 
287  uint16_t opnum;
288  if (rs_smb_tx_get_dce_opnum(txv, &opnum) != 1)
289  SCReturnInt(0);
290  SCLogDebug("(rust) opnum %u", opnum);
291 
292  for ( ; dor != NULL; dor = dor->next) {
293  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
294  if (dor->range1 == opnum) {
295  SCReturnInt(1);
296  }
297  } else {
298  if (dor->range1 <= opnum && dor->range2 >= opnum) {
299  SCReturnInt(1);
300  }
301  }
302  }
303 
304  SCReturnInt(0);
305 }
306 
307 /**
308  * \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
309  * and appends it to the Signature(s).
310  *
311  * \param de_ctx Pointer to the detection engine context.
312  * \param s Pointer to signature for the current Signature being parsed
313  * from the rules.
314  * \param arg Pointer to the string holding the keyword value.
315  *
316  * \retval 0 on success, -1 on failure
317  */
318 
319 static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
320 {
321  if (arg == NULL) {
322  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
323  "signature, option needs a value");
324  return -1;
325  }
326 
327  DetectDceOpnumData *dod = DetectDceOpnumArgParse(arg);
328  if (dod == NULL) {
329  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
330  "signature");
331  return -1;
332  }
333 
334  SigMatch *sm = SigMatchAlloc();
335  if (sm == NULL) {
336  DetectDceOpnumFree(dod);
337  return -1;
338  }
339 
340  sm->type = DETECT_DCE_OPNUM;
341  sm->ctx = (void *)dod;
342 
343  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
344  return 0;
345 }
346 
347 static void DetectDceOpnumFree(void *ptr)
348 {
349  DetectDceOpnumData *dod = ptr;
350  DetectDceOpnumRange *dor = NULL;
351  DetectDceOpnumRange *dor_temp = NULL;
352 
353  if (dod != NULL) {
354  dor = dod->range;
355  while (dor != NULL) {
356  dor_temp = dor;
357  dor = dor->next;
358  SCFree(dor_temp);
359  }
360  SCFree(dod);
361  }
362 
363  return;
364 }
365 
366 /************************************Unittests*********************************/
367 
368 #ifdef UNITTESTS
369 
370 static int DetectDceOpnumTestParse01(void)
371 {
372  Signature *s = SigAlloc();
373  int result = 0;
374 
375  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
376  result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
377  result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
378  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-78") == 0);
379  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513-6666") == 0);
380  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
381  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
382 
383  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
384  SigFree(s);
385  result &= 1;
386  }
387 
388  return result;
389 }
390 
391 static int DetectDceOpnumTestParse02(void)
392 {
393  Signature *s = SigAlloc();
394  int result = 0;
395  DetectDceOpnumData *dod = NULL;
396  DetectDceOpnumRange *dor = NULL;
397  SigMatch *temp = NULL;
398 
399  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
400 
401  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
402  temp = s->sm_lists[g_dce_generic_list_id];
403  dod = (DetectDceOpnumData *)temp->ctx;
404  if (dod == NULL)
405  goto end;
406  dor = dod->range;
407  result &= (dor->range1 == 12 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
408  result &= (dor->next == NULL);
409  } else {
410  result = 0;
411  }
412 
413  end:
414  SigFree(s);
415  return result;
416 }
417 
418 static int DetectDceOpnumTestParse03(void)
419 {
420  Signature *s = SigAlloc();
421  int result = 0;
422  DetectDceOpnumData *dod = NULL;
423  DetectDceOpnumRange *dor = NULL;
424  SigMatch *temp = NULL;
425 
426  result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
427 
428  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
429  temp = s->sm_lists[g_dce_generic_list_id];
430  dod = (DetectDceOpnumData *)temp->ctx;
431  if (dod == NULL)
432  goto end;
433  dor = dod->range;
434  result &= (dor->range1 == 12 && dor->range2 == 24);
435  result &= (dor->next == NULL);
436  } else {
437  result = 0;
438  }
439 
440  end:
441  SigFree(s);
442  return result;
443 }
444 
445 static int DetectDceOpnumTestParse04(void)
446 {
447  Signature *s = SigAlloc();
448  int result = 0;
449  DetectDceOpnumData *dod = NULL;
450  DetectDceOpnumRange *dor = NULL;
451  SigMatch *temp = NULL;
452 
453  result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
454 
455  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
456  temp = s->sm_lists[g_dce_generic_list_id];
457  dod = (DetectDceOpnumData *)temp->ctx;
458  if (dod == NULL)
459  goto end;
460  dor = dod->range;
461  result &= (dor->range1 == 12 && dor->range2 == 24);
462  result &= (dor->next != NULL);
463  if (result == 0)
464  goto end;
465 
466  dor = dor->next;
467  result &= (dor->range1 == 24 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
468  result &= (dor->next != NULL);
469  if (result == 0)
470  goto end;
471 
472  dor = dor->next;
473  result &= (dor->range1 == 62 && dor->range2 == 72);
474  result &= (dor->next != NULL);
475  if (result == 0)
476  goto end;
477 
478  dor = dor->next;
479  result &= (dor->range1 == 623 && dor->range2 == 635);
480  result &= (dor->next != NULL);
481  if (result == 0)
482  goto end;
483 
484  dor = dor->next;
485  result &= (dor->range1 == 62 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
486  result &= (dor->next != NULL);
487  if (result == 0)
488  goto end;
489 
490  dor = dor->next;
491  result &= (dor->range1 == 25 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
492  result &= (dor->next != NULL);
493  if (result == 0)
494  goto end;
495 
496  dor = dor->next;
497  result &= (dor->range1 == 213 && dor->range2 == 235);
498  if (result == 0)
499  goto end;
500  } else {
501  result = 0;
502  }
503 
504  end:
505  SigFree(s);
506  return result;
507 }
508 
509 static int DetectDceOpnumTestParse05(void)
510 {
511  Signature *s = SigAlloc();
512  int result = 0;
513  DetectDceOpnumData *dod = NULL;
514  DetectDceOpnumRange *dor = NULL;
515  SigMatch *temp = NULL;
516 
517  result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
518 
519  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
520  temp = s->sm_lists[g_dce_generic_list_id];
521  dod = (DetectDceOpnumData *)temp->ctx;
522  if (dod == NULL)
523  goto end;
524  dor = dod->range;
525  result &= (dor->range1 == 1 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
526  result &= (dor->next != NULL);
527  if (result == 0)
528  goto end;
529 
530  dor = dor->next;
531  result &= (dor->range1 == 2 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
532  result &= (dor->next != NULL);
533  if (result == 0)
534  goto end;
535 
536  dor = dor->next;
537  result &= (dor->range1 == 3 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
538  result &= (dor->next != NULL);
539  if (result == 0)
540  goto end;
541 
542  dor = dor->next;
543  result &= (dor->range1 == 4 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
544  result &= (dor->next != NULL);
545  if (result == 0)
546  goto end;
547 
548  dor = dor->next;
549  result &= (dor->range1 == 5 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
550  result &= (dor->next != NULL);
551  if (result == 0)
552  goto end;
553 
554  dor = dor->next;
555  result &= (dor->range1 == 6 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
556  result &= (dor->next != NULL);
557  if (result == 0)
558  goto end;
559 
560  dor = dor->next;
561  result &= (dor->range1 == 7 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
562  if (result == 0)
563  goto end;
564  } else {
565  result = 0;
566  }
567 
568  end:
569  SigFree(s);
570  return result;
571 }
572 
573 static int DetectDceOpnumTestParse06(void)
574 {
575  Signature *s = SigAlloc();
576  int result = 0;
577  DetectDceOpnumData *dod = NULL;
578  DetectDceOpnumRange *dor = NULL;
579  SigMatch *temp = NULL;
580 
581  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
582 
583  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
584  temp = s->sm_lists[g_dce_generic_list_id];
585  dod = (DetectDceOpnumData *)temp->ctx;
586  if (dod == NULL)
587  goto end;
588  dor = dod->range;
589  result &= (dor->range1 == 1 && dor->range2 == 2);
590  result &= (dor->next != NULL);
591  if (result == 0)
592  goto end;
593 
594  dor = dor->next;
595  result &= (dor->range1 == 3 && dor->range2 == 4);
596  result &= (dor->next != NULL);
597  if (result == 0)
598  goto end;
599 
600  dor = dor->next;
601  result &= (dor->range1 == 5 && dor->range2 == 6);
602  result &= (dor->next != NULL);
603  if (result == 0)
604  goto end;
605 
606  dor = dor->next;
607  result &= (dor->range1 == 7 && dor->range2 == 8);
608  if (result == 0)
609  goto end;
610  } else {
611  result = 0;
612  }
613 
614  end:
615  SigFree(s);
616  return result;
617 }
618 
619 static int DetectDceOpnumTestParse07(void)
620 {
621  Signature *s = SigAlloc();
622  int result = 0;
623  DetectDceOpnumData *dod = NULL;
624  DetectDceOpnumRange *dor = NULL;
625  SigMatch *temp = NULL;
626 
627  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
628 
629  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
630  temp = s->sm_lists[g_dce_generic_list_id];
631  dod = (DetectDceOpnumData *)temp->ctx;
632  if (dod == NULL)
633  goto end;
634  dor = dod->range;
635  result &= (dor->range1 == 1 && dor->range2 == 2);
636  result &= (dor->next != NULL);
637  if (result == 0)
638  goto end;
639 
640  dor = dor->next;
641  result &= (dor->range1 == 3 && dor->range2 == 4);
642  result &= (dor->next != NULL);
643  if (result == 0)
644  goto end;
645 
646  dor = dor->next;
647  result &= (dor->range1 == 5 && dor->range2 == 6);
648  result &= (dor->next != NULL);
649  if (result == 0)
650  goto end;
651 
652  dor = dor->next;
653  result &= (dor->range1 == 7 && dor->range2 == 8);
654  if (result == 0)
655  goto end;
656 
657  dor = dor->next;
658  result &= (dor->range1 == 9 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
659  if (result == 0)
660  goto end;
661  } else {
662  result = 0;
663  }
664 
665  end:
666  SigFree(s);
667  return result;
668 }
669 
670 /**
671  * \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
672  */
673 static int DetectDceOpnumTestParse08(void)
674 {
675  int result = 0;
676  Signature *s = NULL;
677  ThreadVars th_v;
678  Packet *p = NULL;
679  Flow f;
680  TcpSession ssn;
681  DetectEngineThreadCtx *det_ctx = NULL;
682  DetectEngineCtx *de_ctx = NULL;
683  DCERPCState *dcerpc_state = NULL;
684  int r = 0;
685 
686  uint8_t dcerpc_bind[] = {
687  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
688  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
689  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
690  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
691  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
692  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
693  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
694  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
695  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
696  };
697 
698  uint8_t dcerpc_bindack[] = {
699  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
700  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
701  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
702  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
703  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
704  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
705  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
706  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
707  0x02, 0x00, 0x00, 0x00
708  };
709 
710  /* todo chop the request frag length and change the
711  * length related parameters in the frag */
712  uint8_t dcerpc_request[] = {
713  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
714  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
715  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
716  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
717  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
718  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
719  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
720  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
721  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
722  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
723  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
724  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
725  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
726  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
727  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
728  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
729  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
730  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
731  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
732  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
733  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
734  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
735  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
736  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
737  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
738  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
739  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
740  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
741  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
742  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
743  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
744  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
745  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
746  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
747  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
748  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
749  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
750  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
751  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
752  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
753  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
754  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
755  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
756  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
757  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
758  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
759  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
760  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
761  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
762  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
763  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
764  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
765  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
766  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
767  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
768  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
769  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
770  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
771  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
772  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
773  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
774  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
775  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
776  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
777  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
778  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
779  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
780  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
781  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
782  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
783  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
784  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
785  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
786  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
787  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
788  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
789  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
790  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
791  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
792  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
793  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
794  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
795  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
796  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
797  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
798  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
799  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
800  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
801  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
802  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
803  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
804  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
805  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
806  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
807  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
808  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
809  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
810  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
811  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
812  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
813  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
814  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
815  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
816  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
817  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
818  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
819  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
820  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
821  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
822  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
823  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
824  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
825  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
826  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
827  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
828  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
829  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
830  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
831  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
832  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
833  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
834  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
835  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
836  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
837  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
838  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
839  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
840  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
841  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
842  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
843  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
844  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
845  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
846  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
847  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
848  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
960  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
961  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
962  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
963  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
964  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
965  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
966  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
967  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
968  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
969  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
970  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
971  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
972  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
973  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
974  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
975  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
976  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
977  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
978  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
979  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
980  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
981  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
982  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
983  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
984  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
985  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
986  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
987  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
988  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
989  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
990  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
991  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
992  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
993  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
994  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1061  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1062  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1063  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1064  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1065  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1066  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1067  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1068  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1069  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1070  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1071  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1072  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1073  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1074  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1075  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1076  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1077  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1078  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1079  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1080  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1081  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1082  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1083  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1084  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1085  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1086  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1087  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1088  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1089  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1090  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1091  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1092  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1093  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1094  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1095  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1096  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1097  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1098  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1099  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1100  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1101  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1102  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1103  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1104  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1105  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1106  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1107  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1108  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1109  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1110  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1111  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1112  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x01, 0x02, 0x03, 0x04
1127  };
1128 
1129  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1130  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1131  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1132 
1133  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1134 
1135  memset(&th_v, 0, sizeof(th_v));
1136  memset(&f, 0, sizeof(f));
1137  memset(&ssn, 0, sizeof(ssn));
1138 
1139  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1140 
1141  FLOW_INITIALIZE(&f);
1142  f.protoctx = (void *)&ssn;
1143  f.proto = IPPROTO_TCP;
1144  p->flow = &f;
1145  p->flowflags |= FLOW_PKT_TOSERVER;
1146  p->flowflags |= FLOW_PKT_ESTABLISHED;
1147  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1148  f.alproto = ALPROTO_DCERPC;
1149 
1150  StreamTcpInitConfig(TRUE);
1151 
1152  de_ctx = DetectEngineCtxInit();
1153  if (de_ctx == NULL)
1154  goto end;
1155 
1156  de_ctx->flags |= DE_QUIET;
1157 
1158  s = de_ctx->sig_list = SigInit(de_ctx,
1159  "alert tcp any any -> any any "
1160  "(msg:\"DCERPC\"; "
1161  "dce_opnum:9; "
1162  "sid:1;)");
1163  if (s == NULL)
1164  goto end;
1165 
1166  SigGroupBuild(de_ctx);
1167  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1168 
1169  FLOWLOCK_WRLOCK(&f);
1170  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1171  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1172  dcerpc_bind_len);
1173  if (r != 0) {
1174  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1175  FLOWLOCK_UNLOCK(&f);
1176  goto end;
1177  }
1178  FLOWLOCK_UNLOCK(&f);
1179 
1180  dcerpc_state = f.alstate;
1181  if (dcerpc_state == NULL) {
1182  SCLogDebug("no dcerpc state: ");
1183  goto end;
1184  }
1185 
1186  FLOWLOCK_WRLOCK(&f);
1187  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1188  STREAM_TOCLIENT, dcerpc_bindack,
1189  dcerpc_bindack_len);
1190  if (r != 0) {
1191  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1192  FLOWLOCK_UNLOCK(&f);
1193  goto end;
1194  }
1195  FLOWLOCK_UNLOCK(&f);
1196 
1197  FLOWLOCK_WRLOCK(&f);
1198  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1199  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
1200  dcerpc_request_len);
1201  if (r != 0) {
1202  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1203  FLOWLOCK_UNLOCK(&f);
1204  goto end;
1205  }
1206  FLOWLOCK_UNLOCK(&f);
1207 
1208  dcerpc_state = f.alstate;
1209  if (dcerpc_state == NULL) {
1210  SCLogDebug("no dcerpc state: ");
1211  goto end;
1212  }
1213 
1214  /* do detect */
1215  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1216 
1217  if (!PacketAlertCheck(p, 1))
1218  goto end;
1219 
1220  result = 1;
1221 
1222  end:
1223  if (alp_tctx != NULL)
1224  AppLayerParserThreadCtxFree(alp_tctx);
1225  SigGroupCleanup(de_ctx);
1226  SigCleanSignatures(de_ctx);
1227 
1228  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1229  DetectEngineCtxFree(de_ctx);
1230 
1231  StreamTcpFreeConfig(TRUE);
1232  FLOW_DESTROY(&f);
1233 
1234  UTHFreePackets(&p, 1);
1235  return result;
1236 }
1237 
1238 /**
1239  * \test Test a valid dce_opnum entry with only a request frag.
1240  */
1241 static int DetectDceOpnumTestParse09(void)
1242 {
1243  int result = 0;
1244  Signature *s = NULL;
1245  ThreadVars th_v;
1246  Packet *p = NULL;
1247  Flow f;
1248  TcpSession ssn;
1249  DetectEngineThreadCtx *det_ctx = NULL;
1250  DetectEngineCtx *de_ctx = NULL;
1251  DCERPCState *dcerpc_state = NULL;
1252  int r = 0;
1253 
1254  /* todo chop the request frag length and change the
1255  * length related parameters in the frag */
1256  uint8_t dcerpc_request[] = {
1257  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1258  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1259  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1260  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1261  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
1262  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
1263  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
1264  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
1265  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
1266  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
1267  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
1268  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
1269  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
1270  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
1271  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
1272  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
1273  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
1274  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
1275  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
1276  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
1277  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
1278  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
1279  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
1280  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
1281  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
1282  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
1283  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
1284  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
1285  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
1286  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
1287  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
1288  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
1289  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
1290  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
1291  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
1292  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
1293  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
1294  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
1295  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
1296  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
1297  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
1298  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
1299  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
1300  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
1301  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
1302  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
1303  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
1304  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
1305  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
1306  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
1307  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
1308  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
1309  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
1310  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
1311  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
1312  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
1313  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
1314  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
1315  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
1316  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
1317  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
1318  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
1319  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
1320  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
1321  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
1322  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
1323  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
1324  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
1325  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
1326  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
1327  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
1328  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
1329  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
1330  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
1331  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
1332  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
1333  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
1334  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
1335  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
1336  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
1337  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
1338  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
1339  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
1340  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
1341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1504  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1505  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1506  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1507  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1508  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1509  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1510  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1511  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1512  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1513  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1514  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1515  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1516  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1517  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1518  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1519  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1520  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1521  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1522  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1523  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1524  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1525  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1526  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1527  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1528  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1529  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1530  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1531  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1532  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1533  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1534  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1535  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1537  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1538  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1593  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1594  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1595  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1596  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1597  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1598  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1599  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1600  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1601  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1602  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1603  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1604  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1658  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1659  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1660  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1661  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1662  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1663  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1664  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1665  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1666  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1667  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1668  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1669  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1670  0x01, 0x02, 0x03, 0x04
1671  };
1672 
1673  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1674 
1675  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1676 
1677  memset(&th_v, 0, sizeof(th_v));
1678  memset(&f, 0, sizeof(f));
1679  memset(&ssn, 0, sizeof(ssn));
1680 
1681  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1682 
1683  FLOW_INITIALIZE(&f);
1684  f.protoctx = (void *)&ssn;
1685  f.proto = IPPROTO_TCP;
1686  p->flow = &f;
1687  p->flowflags |= FLOW_PKT_TOSERVER;
1688  p->flowflags |= FLOW_PKT_ESTABLISHED;
1689  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1690  f.alproto = ALPROTO_DCERPC;
1691 
1692  StreamTcpInitConfig(TRUE);
1693 
1694  de_ctx = DetectEngineCtxInit();
1695  if (de_ctx == NULL)
1696  goto end;
1697 
1698  de_ctx->flags |= DE_QUIET;
1699 
1700  s = de_ctx->sig_list = SigInit(de_ctx,
1701  "alert tcp any any -> any any "
1702  "(msg:\"DCERPC\"; "
1703  "dce_opnum:9; "
1704  "sid:1;)");
1705  if (s == NULL)
1706  goto end;
1707 
1708  SigGroupBuild(de_ctx);
1709  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1710 
1711  FLOWLOCK_WRLOCK(&f);
1712  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1713  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1714  dcerpc_request_len);
1715  if (r != 0) {
1716  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1717  FLOWLOCK_UNLOCK(&f);
1718  goto end;
1719  }
1720  FLOWLOCK_UNLOCK(&f);
1721 
1722  dcerpc_state = f.alstate;
1723  if (dcerpc_state == NULL) {
1724  SCLogDebug("no dcerpc state: ");
1725  goto end;
1726  }
1727 
1728  /* do detect */
1729  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1730 
1731  if (!PacketAlertCheck(p, 1))
1732  goto end;
1733 
1734  result = 1;
1735 
1736  end:
1737  if (alp_tctx != NULL)
1738  AppLayerParserThreadCtxFree(alp_tctx);
1739  SigGroupCleanup(de_ctx);
1740  SigCleanSignatures(de_ctx);
1741 
1742  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1743  DetectEngineCtxFree(de_ctx);
1744 
1745  StreamTcpFreeConfig(TRUE);
1746  FLOW_DESTROY(&f);
1747 
1748  UTHFreePackets(&p, 1);
1749  return result;
1750 }
1751 
1752 /* Disabled because of bug_753. Would be enabled, once we rewrite
1753  * dce parser */
1754 #if 0
1755 
1756 /**
1757  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1758  * and multiple request/responses with a match test after each frag parsing.
1759  */
1760 static int DetectDceOpnumTestParse10(void)
1761 {
1762  int result = 0;
1763  Signature *s = NULL;
1764  ThreadVars th_v;
1765  Packet *p = NULL;
1766  Flow f;
1767  TcpSession ssn;
1768  DetectEngineThreadCtx *det_ctx = NULL;
1769  DetectEngineCtx *de_ctx = NULL;
1770  DCERPCState *dcerpc_state = NULL;
1771  int r = 0;
1772 
1773  uint8_t dcerpc_bind[] = {
1774  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1775  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1776  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1777  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1778  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1779  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1780  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1781  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1782  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1783  };
1784 
1785  uint8_t dcerpc_bindack[] = {
1786  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1787  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1788  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1789  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1790  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1791  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1793  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1794  0x02, 0x00, 0x00, 0x00,
1795  };
1796 
1797  uint8_t dcerpc_request1[] = {
1798  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1799  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1800  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1801  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1802  0x00, 0x00, 0x00, 0x02,
1803  };
1804 
1805  uint8_t dcerpc_response1[] = {
1806  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1807  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1808  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1809  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1810  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1811  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1812  };
1813 
1814  uint8_t dcerpc_request2[] = {
1815  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1816  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1817  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1818  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1819  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1820  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1821  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1822  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1823  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1824  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1825  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1826  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1827  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1828  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1829  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1830  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1831  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1832  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1833  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1834  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1835  0x03, 0x00, 0x00, 0x00,
1836  };
1837 
1838  uint8_t dcerpc_response2[] = {
1839  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1840  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1841  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1842  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1843  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1844  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1845  };
1846 
1847  uint8_t dcerpc_request3[] = {
1848  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1849  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1850  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1851  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1852  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1853  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1854  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1855  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1856  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1857  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1858  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1859  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1860  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1861  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1862  };
1863 
1864  uint8_t dcerpc_response3[] = {
1865  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1866  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1867  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1868  0x00, 0x00, 0x00, 0x00,
1869  };
1870 
1871  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1872  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1873 
1874  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1875  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1876 
1877  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1878  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1879 
1880  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1881  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1882 
1883  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1884 
1885  memset(&th_v, 0, sizeof(th_v));
1886  memset(&f, 0, sizeof(f));
1887  memset(&ssn, 0, sizeof(ssn));
1888 
1889  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1890 
1891  FLOW_INITIALIZE(&f);
1892  f.protoctx = (void *)&ssn;
1893  f.proto = IPPROTO_TCP;
1894  p->flow = &f;
1895  p->flowflags |= FLOW_PKT_TOSERVER;
1896  p->flowflags |= FLOW_PKT_ESTABLISHED;
1897  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1898  f.alproto = ALPROTO_DCERPC;
1899 
1900  StreamTcpInitConfig(TRUE);
1901 
1902  de_ctx = DetectEngineCtxInit();
1903  if (de_ctx == NULL) {
1904  goto end;
1905  }
1906 
1907  de_ctx->flags |= DE_QUIET;
1908 
1909  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1910  "(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
1911  if (s == NULL) {
1912  goto end;
1913  }
1914 
1915  SigGroupBuild(de_ctx);
1916  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1917 
1918  SCLogDebug("sending bind");
1919 
1920  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1921  dcerpc_bind, dcerpc_bind_len);
1922  if (r != 0) {
1923  SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
1924  goto end;
1925  }
1926 
1927  dcerpc_state = f.alstate;
1928  if (dcerpc_state == NULL) {
1929  SCLogDebug("no dcerpc state: ");
1930  goto end;
1931  }
1932  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1933  p->flowflags |= FLOW_PKT_TOSERVER;
1934  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1935 
1936  SCLogDebug("sending bind_ack");
1937 
1938  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1939  dcerpc_bindack, dcerpc_bindack_len);
1940  if (r != 0) {
1941  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1942  goto end;
1943  }
1944  p->flowflags &=~ FLOW_PKT_TOSERVER;
1945  p->flowflags |= FLOW_PKT_TOCLIENT;
1946  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1947 
1948  SCLogDebug("sending request1");
1949 
1950  /* request1 */
1951  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1952  dcerpc_request1, dcerpc_request1_len);
1953  if (r != 0) {
1954  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1955  goto end;
1956  }
1957 
1958  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1959  p->flowflags |= FLOW_PKT_TOSERVER;
1960  /* do detect */
1961  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1962 
1963  if (!PacketAlertCheck(p, 1)) {
1964  printf("sig 1 didn't match, but should have: ");
1965  goto end;
1966  }
1967 
1968  SCLogDebug("sending response1");
1969 
1970  /* response1 */
1971  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1972  dcerpc_response1, dcerpc_response1_len);
1973  if (r != 0) {
1974  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1975  goto end;
1976  }
1977 
1978  p->flowflags &=~ FLOW_PKT_TOSERVER;
1979  p->flowflags |= FLOW_PKT_TOCLIENT;
1980  /* do detect */
1981  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1982 
1983  if (PacketAlertCheck(p, 1)) {
1984  printf("sig 1 did match, shouldn't have on response1: ");
1985  goto end;
1986  }
1987 
1988  /* request2 */
1989  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1990  dcerpc_request2, dcerpc_request2_len);
1991  if (r != 0) {
1992  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1993  goto end;
1994  }
1995 
1996  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1997  p->flowflags |= FLOW_PKT_TOSERVER;
1998  /* do detect */
1999  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2000 
2001  if (!PacketAlertCheck(p, 1)) {
2002  printf("sig 1 didn't match, but should have on request2: ");
2003  goto end;
2004  }
2005 
2006  /* response2 */
2007  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2008  dcerpc_response2, dcerpc_response2_len);
2009  if (r != 0) {
2010  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2011  goto end;
2012  }
2013 
2014  p->flowflags &=~ FLOW_PKT_TOSERVER;
2015  p->flowflags |= FLOW_PKT_TOCLIENT;
2016  /* do detect */
2017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2018 
2019  if (PacketAlertCheck(p, 1)) {
2020  printf("sig 1 did match, shouldn't have on response2: ");
2021  goto end;
2022  }
2023 
2024  /* request3 */
2025  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2026  dcerpc_request3, dcerpc_request3_len);
2027  if (r != 0) {
2028  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2029  goto end;
2030  }
2031 
2032  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2033  p->flowflags |= FLOW_PKT_TOSERVER;
2034  /* do detect */
2035  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2036 
2037  if (!PacketAlertCheck(p, 1)) {
2038  printf("sig 1 didn't match, but should have on request3: ");
2039  goto end;
2040  }
2041 
2042  /* response3 */
2043  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2044  dcerpc_response3, dcerpc_response3_len);
2045  if (r != 0) {
2046  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2047  goto end;
2048  }
2049 
2050  p->flowflags &=~ FLOW_PKT_TOSERVER;
2051  p->flowflags |= FLOW_PKT_TOCLIENT;
2052  /* do detect */
2053  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2054 
2055  if (PacketAlertCheck(p, 1)) {
2056  printf("sig 1 did match, shouldn't have on response2: ");
2057  goto end;
2058  }
2059 
2060  result = 1;
2061 
2062  end:
2063  if (alp_tctx != NULL)
2064  AppLayerDestroyCtxThread(alp_tctx);
2065  SigGroupCleanup(de_ctx);
2066  SigCleanSignatures(de_ctx);
2067 
2068  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2069  DetectEngineCtxFree(de_ctx);
2070 
2071  StreamTcpFreeConfig(TRUE);
2072  FLOW_DESTROY(&f);
2073 
2074  UTHFreePackets(&p, 1);
2075  return result;
2076 }
2077 
2078 /**
2079  * \test Test a valid dce_opnum entry(with multiple values) with multiple
2080  * request/responses.
2081  */
2082 static int DetectDceOpnumTestParse11(void)
2083 {
2084  int result = 0;
2085  Signature *s = NULL;
2086  ThreadVars th_v;
2087  Packet *p = NULL;
2088  Flow f;
2089  TcpSession ssn;
2090  DetectEngineThreadCtx *det_ctx = NULL;
2091  DetectEngineCtx *de_ctx = NULL;
2092  DCERPCState *dcerpc_state = NULL;
2093  int r = 0;
2094 
2095  uint8_t dcerpc_request1[] = {
2096  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2097  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2098  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2099  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
2100  0x00, 0x00, 0x00, 0x02,
2101  };
2102 
2103  uint8_t dcerpc_response1[] = {
2104  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2105  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2106  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2107  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2108  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2109  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2110  };
2111 
2112  uint8_t dcerpc_request2[] = {
2113  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2114  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2115  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
2116  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2117  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2118  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
2119  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
2120  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
2121  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
2122  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
2123  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
2124  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
2125  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
2126  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
2127  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
2128  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
2129  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
2130  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
2131  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
2132  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2133  0x03, 0x00, 0x00, 0x00,
2134  };
2135 
2136  uint8_t dcerpc_response2[] = {
2137  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2138  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2139  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2140  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2141  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2142  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2143  };
2144 
2145  uint8_t dcerpc_request3[] = {
2146  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2147  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2148  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
2149  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2150  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2151  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
2152  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
2153  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
2154  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
2155  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2156  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
2157  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
2158  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
2159  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
2160  };
2161 
2162  uint8_t dcerpc_response3[] = {
2163  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2164  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2165  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2166  0x00, 0x00, 0x00, 0x00,
2167  };
2168 
2169  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2170  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2171 
2172  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2173  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2174 
2175  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
2176  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
2177 
2178  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2179 
2180  memset(&th_v, 0, sizeof(th_v));
2181  memset(&f, 0, sizeof(f));
2182  memset(&ssn, 0, sizeof(ssn));
2183 
2184  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2185 
2186  FLOW_INITIALIZE(&f);
2187  f.protoctx = (void *)&ssn;
2188  f.proto = IPPROTO_TCP;
2189  p->flow = &f;
2190  p->flowflags |= FLOW_PKT_TOSERVER;
2191  p->flowflags |= FLOW_PKT_ESTABLISHED;
2192  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2193  f.alproto = ALPROTO_DCERPC;
2194 
2195  StreamTcpInitConfig(TRUE);
2196 
2197  de_ctx = DetectEngineCtxInit();
2198  if (de_ctx == NULL)
2199  goto end;
2200 
2201  de_ctx->flags |= DE_QUIET;
2202 
2203  s = de_ctx->sig_list = SigInit(de_ctx,
2204  "alert tcp any any -> any any "
2205  "(msg:\"DCERPC\"; "
2206  "dce_opnum:2-22; "
2207  "sid:1;)");
2208  if (s == NULL)
2209  goto end;
2210 
2211  SigGroupBuild(de_ctx);
2212  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2213 
2214  /* request1 */
2215  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2216  dcerpc_request1, dcerpc_request1_len);
2217  if (r != 0) {
2218  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2219  printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
2220  goto end;
2221  }
2222 
2223  dcerpc_state = f.alstate;
2224  if (dcerpc_state == NULL) {
2225  SCLogDebug("no dcerpc state: ");
2226  printf("no dcerpc state: ");
2227  goto end;
2228  }
2229 
2230  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2231  p->flowflags |= FLOW_PKT_TOSERVER;
2232  /* do detect */
2233  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2234 
2235  if (!PacketAlertCheck(p, 1))
2236  goto end;
2237 
2238  /* response1 */
2239  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2240  dcerpc_response1, dcerpc_response1_len);
2241  if (r != 0) {
2242  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2243  printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
2244  goto end;
2245  }
2246 
2247  p->flowflags &=~ FLOW_PKT_TOSERVER;
2248  p->flowflags |= FLOW_PKT_TOCLIENT;
2249  /* do detect */
2250  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2251 
2252  if (PacketAlertCheck(p, 1))
2253  goto end;
2254 
2255  /* request2 */
2256  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2257  dcerpc_request2, dcerpc_request2_len);
2258  if (r != 0) {
2259  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2260  printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
2261  goto end;
2262  }
2263 
2264  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2265  p->flowflags |= FLOW_PKT_TOSERVER;
2266  /* do detect */
2267  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2268 
2269  if (!PacketAlertCheck(p, 1))
2270  goto end;
2271 
2272  /* response2 */
2273  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2274  dcerpc_response2, dcerpc_response2_len);
2275  if (r != 0) {
2276  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2277  printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
2278  goto end;
2279  }
2280 
2281  p->flowflags &=~ FLOW_PKT_TOSERVER;
2282  p->flowflags |= FLOW_PKT_TOCLIENT;
2283  /* do detect */
2284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2285 
2286  if (PacketAlertCheck(p, 1))
2287  goto end;
2288 
2289  /* request3 */
2290  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2291  dcerpc_request3, dcerpc_request3_len);
2292  if (r != 0) {
2293  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2294  printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
2295  goto end;
2296  }
2297 
2298  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2299  p->flowflags |= FLOW_PKT_TOSERVER;
2300  /* do detect */
2301  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2302 
2303  if (!PacketAlertCheck(p, 1))
2304  goto end;
2305 
2306  /* response3 */
2307  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2308  dcerpc_response3, dcerpc_response3_len);
2309  if (r != 0) {
2310  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2311  printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
2312  goto end;
2313  }
2314 
2315  p->flowflags &=~ FLOW_PKT_TOSERVER;
2316  p->flowflags |= FLOW_PKT_TOCLIENT;
2317  /* do detect */
2318  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2319 
2320  if (PacketAlertCheck(p, 1))
2321  goto end;
2322 
2323  result = 1;
2324 
2325  end:
2326  if (alp_tctx != NULL)
2327  AppLayerDestroyCtxThread(alp_tctx);
2328  SigGroupCleanup(de_ctx);
2329  SigCleanSignatures(de_ctx);
2330 
2331  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2332  DetectEngineCtxFree(de_ctx);
2333 
2334  StreamTcpFreeConfig(TRUE);
2335  FLOW_DESTROY(&f);
2336 
2337  UTHFreePackets(&p, 1);
2338  return result;
2339 }
2340 
2341 /**
2342  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2343  * and multiple request/responses with a match test after each frag parsing.
2344  */
2345 static int DetectDceOpnumTestParse12(void)
2346 {
2347  int result = 0;
2348  Signature *s = NULL;
2349  ThreadVars th_v;
2350  Packet *p = NULL;
2351  Flow f;
2352  TcpSession ssn;
2353  DetectEngineThreadCtx *det_ctx = NULL;
2354  DetectEngineCtx *de_ctx = NULL;
2355  DCERPCState *dcerpc_state = NULL;
2356  int r = 0;
2357 
2358  uint8_t dcerpc_bind[] = {
2359  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2360  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2361  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2362  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2363  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
2364  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
2365  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2366  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2367  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2368  };
2369 
2370  uint8_t dcerpc_bindack[] = {
2371  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
2372  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2373  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
2374  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
2375  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
2376  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2377  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2378  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2379  0x02, 0x00, 0x00, 0x00,
2380  };
2381 
2382  uint8_t dcerpc_request1[] = {
2383  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2384  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2385  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
2386  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2387  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2388  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2389  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2390  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2391  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2392  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2393  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2394  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2395  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2396  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2402  0x00, 0x00
2403  };
2404 
2405  uint8_t dcerpc_response1[] = {
2406  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2407  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2408  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2409  0x00, 0x00, 0x00, 0x00,
2410  };
2411 
2412  uint8_t dcerpc_request2[] = {
2413  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2414  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2415  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2416  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2417  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2418  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2419  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2420  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2421  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2422  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2423  0x4e, 0x6f, 0x6e, 0x65
2424  };
2425 
2426  uint8_t dcerpc_response2[] = {
2427  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2428  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2429  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2430  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2431  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2432  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2433  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2434  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2435  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2436  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2437  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2438  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2443  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2444  0x00, 0x00, 0x00, 0x00,
2445  };
2446 
2447  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
2448  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
2449 
2450  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2451  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2452 
2453  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2454  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2455 
2456  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2457 
2458  memset(&th_v, 0, sizeof(th_v));
2459  memset(&f, 0, sizeof(f));
2460  memset(&ssn, 0, sizeof(ssn));
2461 
2462  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2463 
2464  FLOW_INITIALIZE(&f);
2465  f.protoctx = (void *)&ssn;
2466  f.proto = IPPROTO_TCP;
2467  p->flow = &f;
2468  p->flowflags |= FLOW_PKT_TOSERVER;
2469  p->flowflags |= FLOW_PKT_ESTABLISHED;
2470  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2471  f.alproto = ALPROTO_DCERPC;
2472 
2473  StreamTcpInitConfig(TRUE);
2474 
2475  de_ctx = DetectEngineCtxInit();
2476  if (de_ctx == NULL)
2477  goto end;
2478 
2479  de_ctx->flags |= DE_QUIET;
2480 
2481  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
2482  "(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
2483  if (s == NULL)
2484  goto end;
2485 
2486  SigGroupBuild(de_ctx);
2487  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2488 
2489  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2490  dcerpc_bind, dcerpc_bind_len);
2491  if (r != 0) {
2492  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2493  goto end;
2494  }
2495  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2496  p->flowflags |= FLOW_PKT_TOSERVER;
2497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2498 
2499  dcerpc_state = f.alstate;
2500  if (dcerpc_state == NULL) {
2501  printf("no dcerpc state: ");
2502  goto end;
2503  }
2504 
2505  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
2506  dcerpc_bindack_len);
2507  if (r != 0) {
2508  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2509  goto end;
2510  }
2511  p->flowflags &=~ FLOW_PKT_TOSERVER;
2512  p->flowflags |= FLOW_PKT_TOCLIENT;
2513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2514 
2515  /* request1 */
2516  SCLogDebug("Sending request1");
2517 
2518  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2519  dcerpc_request1_len);
2520  if (r != 0) {
2521  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2522  goto end;
2523  }
2524 
2525  dcerpc_state = f.alstate;
2526  if (dcerpc_state == NULL) {
2527  printf("no dcerpc state: ");
2528  goto end;
2529  }
2530 
2531  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2532  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2533  "expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2534  goto end;
2535  }
2536 
2537  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2538  p->flowflags |= FLOW_PKT_TOSERVER;
2539  /* do detect */
2540  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2541 
2542  if (!PacketAlertCheck(p, 1)) {
2543  printf("signature 1 didn't match, should have: ");
2544  goto end;
2545  }
2546 
2547  /* response1 */
2548  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2549  dcerpc_response1_len);
2550  if (r != 0) {
2551  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2552  goto end;
2553  }
2554 
2555  dcerpc_state = f.alstate;
2556  if (dcerpc_state == NULL) {
2557  printf("no dcerpc state: ");
2558  goto end;
2559  }
2560 
2561  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2562  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2563  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2564  goto end;
2565  }
2566 
2567  p->flowflags &=~ FLOW_PKT_TOSERVER;
2568  p->flowflags |= FLOW_PKT_TOCLIENT;
2569  /* do detect */
2570  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2571 
2572  if (PacketAlertCheck(p, 1)) {
2573  printf("sig 1 matched on response 1, but shouldn't: ");
2574  goto end;
2575  }
2576 
2577  /* request2 */
2578  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2579  dcerpc_request2_len);
2580  if (r != 0) {
2581  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2582  goto end;
2583  }
2584 
2585  dcerpc_state = f.alstate;
2586  if (dcerpc_state == NULL) {
2587  printf("no dcerpc state: ");
2588  goto end;
2589  }
2590 
2591  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2592  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2593  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2594  goto end;
2595  }
2596 
2597  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2598  p->flowflags |= FLOW_PKT_TOSERVER;
2599  /* do detect */
2600  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2601 
2602  if (!PacketAlertCheck(p, 1)) {
2603  printf("sig 1 didn't match on request 2: ");
2604  goto end;
2605  }
2606 
2607  /* response2 */
2608  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2609  dcerpc_response2_len);
2610  if (r != 0) {
2611  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2612  goto end;
2613  }
2614 
2615  dcerpc_state = f.alstate;
2616  if (dcerpc_state == NULL) {
2617  printf("no dcerpc state: ");
2618  goto end;
2619  }
2620 
2621  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2622  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2623  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2624  goto end;
2625  }
2626 
2627  p->flowflags &=~ FLOW_PKT_TOSERVER;
2628  p->flowflags |= FLOW_PKT_TOCLIENT;
2629  /* do detect */
2630  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2631 
2632  if (PacketAlertCheck(p, 1)) {
2633  printf("sig 1 matched on response2, but shouldn't: ");
2634  goto end;
2635  }
2636 
2637  result = 1;
2638 
2639 end:
2640  if (alp_tctx != NULL)
2641  AppLayerDestroyCtxThread(alp_tctx);
2642  SigGroupCleanup(de_ctx);
2643  SigCleanSignatures(de_ctx);
2644 
2645  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2646  DetectEngineCtxFree(de_ctx);
2647 
2648  StreamTcpFreeConfig(TRUE);
2649  FLOW_DESTROY(&f);
2650 
2651  UTHFreePackets(&p, 1);
2652  return result;
2653 }
2654 
2655 /**
2656  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2657  * and multiple request/responses with a match test after each frag parsing.
2658  */
2659 static int DetectDceOpnumTestParse13(void)
2660 {
2661  int result = 0;
2662  Signature *s = NULL;
2663  ThreadVars th_v;
2664  Packet *p = NULL;
2665  Flow f;
2666  TcpSession ssn;
2667  DetectEngineThreadCtx *det_ctx = NULL;
2668  DetectEngineCtx *de_ctx = NULL;
2669  DCERPCState *dcerpc_state = NULL;
2670  int r = 0;
2671 
2672  uint8_t dcerpc_request1[] = {
2673  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2674  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2675  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
2676  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2677  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2678  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2679  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2680  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2681  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2682  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2683  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2684  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2685  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2686  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2687  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2688  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2689  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2690  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2691  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2692  0x00, 0x00
2693  };
2694 
2695  uint8_t dcerpc_response1[] = {
2696  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2697  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2698  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2699  0x00, 0x00, 0x00, 0x00,
2700  };
2701 
2702  uint8_t dcerpc_request2[] = {
2703  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2704  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2705  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2706  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2707  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2708  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2709  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2710  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2711  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2712  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2713  0x4e, 0x6f, 0x6e, 0x65
2714  };
2715 
2716  uint8_t dcerpc_response2[] = {
2717  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2718  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2719  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2720  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2721  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2722  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2723  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2724  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2725  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2726  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2727  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2728  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2729  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2730  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2731  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2732  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2733  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2734  0x00, 0x00, 0x00, 0x00,
2735  };
2736 
2737  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2738  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2739 
2740  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2741  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2742 
2743  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2744 
2745  memset(&th_v, 0, sizeof(th_v));
2746  memset(&f, 0, sizeof(f));
2747  memset(&ssn, 0, sizeof(ssn));
2748 
2749  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2750 
2751  FLOW_INITIALIZE(&f);
2752  f.protoctx = (void *)&ssn;
2753  f.proto = IPPROTO_TCP;
2754  p->flow = &f;
2755  p->flowflags |= FLOW_PKT_TOSERVER;
2756  p->flowflags |= FLOW_PKT_ESTABLISHED;
2757  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2758  f.alproto = ALPROTO_DCERPC;
2759 
2760  StreamTcpInitConfig(TRUE);
2761 
2762  de_ctx = DetectEngineCtxInit();
2763  if (de_ctx == NULL)
2764  goto end;
2765 
2766  de_ctx->flags |= DE_QUIET;
2767 
2768  s = de_ctx->sig_list = SigInit(de_ctx,
2769  "alert tcp any any -> any any "
2770  "(msg:\"DCERPC\"; "
2771  "dce_opnum:30, 40; "
2772  "sid:1;)");
2773  if (s == NULL)
2774  goto end;
2775 
2776  SigGroupBuild(de_ctx);
2777  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2778 
2779  /* request1 */
2780  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2781  dcerpc_request1_len);
2782  if (r != 0) {
2783  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2784  goto end;
2785  }
2786 
2787  dcerpc_state = f.alstate;
2788  if (dcerpc_state == NULL) {
2789  printf("no dcerpc state: ");
2790  goto end;
2791  }
2792 
2793  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2794  printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
2795  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2796  goto end;
2797  }
2798 
2799  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2800  p->flowflags |= FLOW_PKT_TOSERVER;
2801  /* do detect */
2802  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2803 
2804  if (!PacketAlertCheck(p, 1))
2805  goto end;
2806 
2807  /* response1 */
2808  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2809  dcerpc_response1_len);
2810  if (r != 0) {
2811  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2812  goto end;
2813  }
2814 
2815  dcerpc_state = f.alstate;
2816  if (dcerpc_state == NULL) {
2817  printf("no dcerpc state: ");
2818  goto end;
2819  }
2820 
2821  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2822  printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
2823  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2824  goto end;
2825  }
2826 
2827  p->flowflags &=~ FLOW_PKT_TOSERVER;
2828  p->flowflags |= FLOW_PKT_TOCLIENT;
2829  /* do detect */
2830  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2831 
2832  if (PacketAlertCheck(p, 1))
2833  goto end;
2834 
2835  /* request2 */
2836  printf("Sending Request2\n");
2837  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2838  dcerpc_request2_len);
2839  if (r != 0) {
2840  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2841  goto end;
2842  }
2843 
2844  dcerpc_state = f.alstate;
2845  if (dcerpc_state == NULL) {
2846  printf("no dcerpc state: ");
2847  goto end;
2848  }
2849 
2850  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2851  printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
2852  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2853  goto end;
2854  }
2855 
2856  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2857  p->flowflags |= FLOW_PKT_TOSERVER;
2858  /* do detect */
2859  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2860 
2861  if (!PacketAlertCheck(p, 1))
2862  goto end;
2863 
2864  /* response2 */
2865  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2866  dcerpc_response2_len);
2867  if (r != 0) {
2868  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2869  goto end;
2870  }
2871 
2872  dcerpc_state = f.alstate;
2873  if (dcerpc_state == NULL) {
2874  printf("no dcerpc state: ");
2875  goto end;
2876  }
2877 
2878  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2879  printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
2880  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2881  goto end;
2882  }
2883 
2884  p->flowflags &=~ FLOW_PKT_TOSERVER;
2885  p->flowflags |= FLOW_PKT_TOCLIENT;
2886  /* do detect */
2887  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2888 
2889  if (PacketAlertCheck(p, 1))
2890  goto end;
2891 
2892  result = 1;
2893 
2894  end:
2895  if (alp_tctx != NULL)
2896  AppLayerDestroyCtxThread(alp_tctx);
2897  SigGroupCleanup(de_ctx);
2898  SigCleanSignatures(de_ctx);
2899 
2900  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2901  DetectEngineCtxFree(de_ctx);
2902 
2903  StreamTcpFreeConfig(TRUE);
2904  FLOW_DESTROY(&f);
2905 
2906  UTHFreePackets(&p, 1);
2907  return result;
2908 }
2909 #endif
2910 #endif /* UNITTESTS */
2911 
2912 static void DetectDceOpnumRegisterTests(void)
2913 {
2914 #ifdef UNITTESTS
2915  UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
2916  UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
2917  UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03);
2918  UtRegisterTest("DetectDceOpnumTestParse04", DetectDceOpnumTestParse04);
2919  UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05);
2920  UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06);
2921  UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07);
2922  UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08);
2923  UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09);
2924  /* Disabled because of bug_753. Would be enabled, once we rewrite
2925  * dce parser */
2926 #if 0
2927  UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
2928  UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
2929  UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
2930  UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
2931 #endif
2932 #endif
2933 }
DetectDceOpnumRange_::range2
uint32_t range2
Definition: detect-dce-opnum.h:32
DCERPCRequest_::opnum
uint16_t opnum
Definition: app-layer-dcerpc-common.h:170
app-layer-dcerpc.h
detect-engine.h
detect-dce-iface.h
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:268
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1077
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
DCE_OPNUM_RANGE_MAX
#define DCE_OPNUM_RANGE_MAX
Definition: detect-dce-opnum.h:27
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:444
Flow_
Flow data structure.
Definition: flow.h:342
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1377
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:190
DCE_OPNUM_RANGE_UNINITIALIZED
#define DCE_OPNUM_RANGE_UNINITIALIZED
Definition: detect-dce-opnum.h:28
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1174
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
m
SCMutex m
Definition: flow-hash.h:5
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
Flow_::protoctx
void * protoctx
Definition: flow.h:416
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-opnum.c:53
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
util-unittest.h
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:260
STREAM_START
#define STREAM_START
Definition: stream.h:29
DetectDceOpnumRange_::range1
uint32_t range1
Definition: detect-dce-opnum.h:31
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectEngineThreadCtx_
Definition: detect.h:1004
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DetectDceOpnumRange_
Definition: detect-dce-opnum.h:30
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:257
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2316
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:816
flags
uint8_t flags
Definition: decode-gre.h:2
SigTableElmt_::alias
const char * alias
Definition: detect.h:1202
DetectDceOpnumRegister
void DetectDceOpnumRegister(void)
Registers the keyword handlers for the "dce_opnum" keyword.
Definition: detect-dce-opnum.c:68
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1181
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DETECT_DCE_OPNUM
@ DETECT_DCE_OPNUM
Definition: detect-engine-register.h:171
Flow_::alstate
void * alstate
Definition: flow.h:454
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:847
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
DetectDceOpnumData_::range
DetectDceOpnumRange * range
Definition: detect-dce-opnum.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1254
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
DetectDceOpnumData_
Definition: detect-dce-opnum.h:36
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
DCERPCState_
Definition: app-layer-dcerpc.h:34
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DetectDceOpnumRange_::next
struct DetectDceOpnumRange_ * next
Definition: detect-dce-opnum.h:33
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
detect-dce-opnum.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1075
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393