suricata
detect-dce-opnum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_opnum keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 #include "flow-util.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-dcerpc.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 #include "detect-dce-opnum.h"
44 #include "detect-dce-iface.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "stream-tcp.h"
50 
51 #include "rust.h"
52 
53 #define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
54 
55 static DetectParseRegex parse_regex;
56 
57 static int DetectDceOpnumMatchRust(DetectEngineThreadCtx *det_ctx,
58  Flow *f, uint8_t flags, void *state, void *txv,
59  const Signature *s, const SigMatchCtx *m);
60 static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
61 static void DetectDceOpnumFree(DetectEngineCtx *, void *);
62 #ifdef UNITTESTS
63 static void DetectDceOpnumRegisterTests(void);
64 #endif
65 static int g_dce_generic_list_id = 0;
66 
67 /**
68  * \brief Registers the keyword handlers for the "dce_opnum" keyword.
69  */
70 void DetectDceOpnumRegister(void)
71 {
72  sigmatch_table[DETECT_DCE_OPNUM].name = "dcerpc.opnum";
73  sigmatch_table[DETECT_DCE_OPNUM].alias = "dce_opnum";
74  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatchRust;
75  sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
76  sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
79 #endif
80  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
81 
82  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
83 }
84 
85 /**
86  * \brief App layer match function for the "dce_opnum" keyword.
87  *
88  * \param t Pointer to the ThreadVars instance.
89  * \param det_ctx Pointer to the DetectEngineThreadCtx.
90  * \param f Pointer to the flow.
91  * \param flags Pointer to the flags indicating the flow direction.
92  * \param state Pointer to the app layer state data.
93  * \param s Pointer to the Signature instance.
94  * \param m Pointer to the SigMatch.
95  *
96  * \retval 1 On Match.
97  * \retval 0 On no match.
98  */
99 static int DetectDceOpnumMatchRust(DetectEngineThreadCtx *det_ctx,
100  Flow *f, uint8_t flags, void *state, void *txv,
101  const Signature *s, const SigMatchCtx *m)
102 {
103  SCEnter();
104 
105  if (f->alproto == ALPROTO_DCERPC) {
106  return rs_dcerpc_opnum_match(txv, (void *)m);
107  }
108 
109  if (rs_smb_tx_match_dce_opnum(txv, (void *)m) != 1)
110  SCReturnInt(0);
111 
112  SCReturnInt(1);
113 }
114 
115 /**
116  * \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
117  * and appends it to the rs_dcerpc_opnum_matchSignature(s).
118  *
119  * \param de_ctx Pointer to the detection engine context.
120  * \param s Pointer to signature for the current Signature being parsed
121  * from the rules.
122  * \param arg Pointer to the string holding the keyword value.
123  *
124  * \retval 0 on success, -1 on failure
125  */
126 
127 static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
128 {
129  if (arg == NULL) {
130  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
131  "signature, option needs a value");
132  return -1;
133  }
134 
135  if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
136  s->alproto != ALPROTO_SMB) {
137  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
138  return -1;
139  }
140  void *dod = rs_dcerpc_opnum_parse(arg);
141  if (dod == NULL) {
142  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
143  "signature");
144  return -1;
145  }
146 
147  SigMatch *sm = SigMatchAlloc();
148  if (sm == NULL) {
149  DetectDceOpnumFree(de_ctx, dod);
150  return -1;
151  }
152 
153  sm->type = DETECT_DCE_OPNUM;
154  sm->ctx = (void *)dod;
155 
156  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
157  return 0;
158 }
159 
160 static void DetectDceOpnumFree(DetectEngineCtx *de_ctx, void *ptr)
161 {
162  SCEnter();
163  if (ptr != NULL) {
164  rs_dcerpc_opnum_free(ptr);
165  }
166  SCReturn;
167 }
168 
169 /************************************Unittests*********************************/
170 
171 #ifdef UNITTESTS
172 
173 /**
174  * \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
175  */
176 static int DetectDceOpnumTestParse01(void)
177 {
178  int result = 0;
179  Signature *s = NULL;
180  ThreadVars th_v;
181  Packet *p = NULL;
182  Flow f;
183  TcpSession ssn;
184  DetectEngineThreadCtx *det_ctx = NULL;
185  DetectEngineCtx *de_ctx = NULL;
186  DCERPCState *dcerpc_state = NULL;
187  int r = 0;
188 
189  uint8_t dcerpc_bind[] = {
190  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
191  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
192  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
193  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
194  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
195  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
196  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
197  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
198  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
199  };
200 
201  uint8_t dcerpc_bindack[] = {
202  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
203  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
204  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
205  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
206  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
207  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
208  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
209  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
210  0x02, 0x00, 0x00, 0x00
211  };
212 
213  /* todo chop the request frag length and change the
214  * length related parameters in the frag */
215  uint8_t dcerpc_request[] = {
216  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
217  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
218  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
219  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
220  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
221  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
222  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
223  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
224  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
225  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
226  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
227  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
228  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
229  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
230  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
231  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
232  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
233  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
234  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
235  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
236  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
237  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
238  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
239  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
240  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
241  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
242  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
243  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
244  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
245  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
246  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
247  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
248  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
249  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
250  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
251  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
252  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
253  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
254  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
255  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
256  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
257  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
258  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
259  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
260  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
261  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
262  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
263  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
264  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
265  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
266  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
267  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
268  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
269  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
270  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
271  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
272  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
273  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
274  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
275  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
276  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
277  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
278  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
279  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
280  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
281  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
282  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
283  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
284  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
285  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
286  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
287  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
288  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
289  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
290  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
291  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
292  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
293  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
294  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
295  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
296  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
297  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
298  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
299  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
300  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
301  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
302  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
463  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
464  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
465  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
466  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
467  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
468  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
469  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
470  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
471  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
472  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
473  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
474  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
475  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
476  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
477  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
478  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
479  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
480  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
481  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
482  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
483  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
484  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
485  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
486  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
487  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
488  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
489  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
490  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
491  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
492  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
493  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
494  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
495  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
496  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
497  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
564  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
565  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
566  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x01, 0x02, 0x03, 0x04
630  };
631 
632  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
633  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
634  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
635 
636  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
637 
638  memset(&th_v, 0, sizeof(th_v));
639  memset(&f, 0, sizeof(f));
640  memset(&ssn, 0, sizeof(ssn));
641 
642  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
643 
644  FLOW_INITIALIZE(&f);
645  f.protoctx = (void *)&ssn;
646  f.proto = IPPROTO_TCP;
647  p->flow = &f;
648  p->flowflags |= FLOW_PKT_TOSERVER;
649  p->flowflags |= FLOW_PKT_ESTABLISHED;
650  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
651  f.alproto = ALPROTO_DCERPC;
652 
653  StreamTcpInitConfig(TRUE);
654 
655  de_ctx = DetectEngineCtxInit();
656  if (de_ctx == NULL)
657  goto end;
658 
659  de_ctx->flags |= DE_QUIET;
660 
661  s = de_ctx->sig_list = SigInit(de_ctx,
662  "alert tcp any any -> any any "
663  "(msg:\"DCERPC\"; "
664  "dce_opnum:9; "
665  "sid:1;)");
666  if (s == NULL)
667  goto end;
668 
669  SigGroupBuild(de_ctx);
670  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
671 
672  FLOWLOCK_WRLOCK(&f);
673  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
674  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
675  dcerpc_bind_len);
676  if (r != 0) {
677  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
678  FLOWLOCK_UNLOCK(&f);
679  goto end;
680  }
681  FLOWLOCK_UNLOCK(&f);
682 
683  dcerpc_state = f.alstate;
684  if (dcerpc_state == NULL) {
685  SCLogDebug("no dcerpc state: ");
686  goto end;
687  }
688 
689  FLOWLOCK_WRLOCK(&f);
690  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
691  STREAM_TOCLIENT, dcerpc_bindack,
692  dcerpc_bindack_len);
693  if (r != 0) {
694  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
695  FLOWLOCK_UNLOCK(&f);
696  goto end;
697  }
698  FLOWLOCK_UNLOCK(&f);
699 
700  FLOWLOCK_WRLOCK(&f);
701  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
702  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
703  dcerpc_request_len);
704  if (r != 0) {
705  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
706  FLOWLOCK_UNLOCK(&f);
707  goto end;
708  }
709  FLOWLOCK_UNLOCK(&f);
710 
711  dcerpc_state = f.alstate;
712  if (dcerpc_state == NULL) {
713  SCLogDebug("no dcerpc state: ");
714  goto end;
715  }
716 
717  /* do detect */
718  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
719 
720  if (!PacketAlertCheck(p, 1))
721  goto end;
722 
723  result = 1;
724 
725  end:
726  if (alp_tctx != NULL)
727  AppLayerParserThreadCtxFree(alp_tctx);
728  SigGroupCleanup(de_ctx);
729  SigCleanSignatures(de_ctx);
730 
731  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
732  DetectEngineCtxFree(de_ctx);
733 
734  StreamTcpFreeConfig(TRUE);
735  FLOW_DESTROY(&f);
736 
737  UTHFreePackets(&p, 1);
738  return result;
739 }
740 
741 /**
742  * \test Test a valid dce_opnum entry with only a request frag.
743  */
744 static int DetectDceOpnumTestParse02(void)
745 {
746  int result = 0;
747  Signature *s = NULL;
748  ThreadVars th_v;
749  Packet *p = NULL;
750  Flow f;
751  TcpSession ssn;
752  DetectEngineThreadCtx *det_ctx = NULL;
753  DetectEngineCtx *de_ctx = NULL;
754  DCERPCState *dcerpc_state = NULL;
755  int r = 0;
756 
757  /* todo chop the request frag length and change the
758  * length related parameters in the frag */
759  uint8_t dcerpc_request[] = {
760  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
761  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
762  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
763  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
764  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
765  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
766  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
767  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
768  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
769  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
770  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
771  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
772  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
773  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
774  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
775  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
776  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
777  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
778  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
779  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
780  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
781  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
782  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
783  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
784  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
785  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
786  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
787  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
788  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
789  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
790  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
791  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
792  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
793  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
794  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
795  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
796  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
797  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
798  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
799  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
800  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
801  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
802  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
803  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
804  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
805  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
806  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
807  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
808  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
809  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
810  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
811  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
812  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
813  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
814  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
815  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
816  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
817  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
818  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
819  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
820  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
821  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
822  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
823  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
824  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
825  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
826  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
827  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
828  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
829  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
830  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
831  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
832  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
833  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
834  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
835  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
836  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
837  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
838  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
839  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
840  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
841  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
842  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
843  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
844  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
845  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
846  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
847  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
848  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1007  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1008  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1009  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1010  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1011  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1012  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1013  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1014  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1015  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1016  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1017  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1018  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1019  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1020  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1021  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1022  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1023  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1024  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1025  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1026  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1027  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1028  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1029  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1031  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1032  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1033  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1034  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1035  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1036  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1037  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1038  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1040  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1041  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1108  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1109  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1110  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1111  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1112  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x01, 0x02, 0x03, 0x04
1174  };
1175 
1176  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1177 
1178  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1179 
1180  memset(&th_v, 0, sizeof(th_v));
1181  memset(&f, 0, sizeof(f));
1182  memset(&ssn, 0, sizeof(ssn));
1183 
1184  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1185 
1186  FLOW_INITIALIZE(&f);
1187  f.protoctx = (void *)&ssn;
1188  f.proto = IPPROTO_TCP;
1189  p->flow = &f;
1190  p->flowflags |= FLOW_PKT_TOSERVER;
1191  p->flowflags |= FLOW_PKT_ESTABLISHED;
1192  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1193  f.alproto = ALPROTO_DCERPC;
1194 
1195  StreamTcpInitConfig(TRUE);
1196 
1197  de_ctx = DetectEngineCtxInit();
1198  if (de_ctx == NULL)
1199  goto end;
1200 
1201  de_ctx->flags |= DE_QUIET;
1202 
1203  s = de_ctx->sig_list = SigInit(de_ctx,
1204  "alert tcp any any -> any any "
1205  "(msg:\"DCERPC\"; "
1206  "dce_opnum:9; "
1207  "sid:1;)");
1208  if (s == NULL)
1209  goto end;
1210 
1211  SigGroupBuild(de_ctx);
1212  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1213 
1214  FLOWLOCK_WRLOCK(&f);
1215  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1216  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1217  dcerpc_request_len);
1218  if (r != 0) {
1219  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1220  FLOWLOCK_UNLOCK(&f);
1221  goto end;
1222  }
1223  FLOWLOCK_UNLOCK(&f);
1224 
1225  dcerpc_state = f.alstate;
1226  if (dcerpc_state == NULL) {
1227  SCLogDebug("no dcerpc state: ");
1228  goto end;
1229  }
1230 
1231  /* do detect */
1232  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1233 
1234  if (!PacketAlertCheck(p, 1))
1235  goto end;
1236 
1237  result = 1;
1238 
1239  end:
1240  if (alp_tctx != NULL)
1241  AppLayerParserThreadCtxFree(alp_tctx);
1242  SigGroupCleanup(de_ctx);
1243  SigCleanSignatures(de_ctx);
1244 
1245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1246  DetectEngineCtxFree(de_ctx);
1247 
1248  StreamTcpFreeConfig(TRUE);
1249  FLOW_DESTROY(&f);
1250 
1251  UTHFreePackets(&p, 1);
1252  return result;
1253 }
1254 
1255 /* Disabled because of bug_753. Would be enabled, once we rewrite
1256  * dce parser */
1257 #if 0
1258 
1259 /**
1260  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1261  * and multiple request/responses with a match test after each frag parsing.
1262  */
1263 static int DetectDceOpnumTestParse10(void)
1264 {
1265  int result = 0;
1266  Signature *s = NULL;
1267  ThreadVars th_v;
1268  Packet *p = NULL;
1269  Flow f;
1270  TcpSession ssn;
1271  DetectEngineThreadCtx *det_ctx = NULL;
1272  DetectEngineCtx *de_ctx = NULL;
1273  DCERPCState *dcerpc_state = NULL;
1274  int r = 0;
1275 
1276  uint8_t dcerpc_bind[] = {
1277  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1278  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1279  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1280  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1281  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1282  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1283  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1284  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1285  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1286  };
1287 
1288  uint8_t dcerpc_bindack[] = {
1289  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1290  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1291  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1292  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1293  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1294  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1295  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1296  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1297  0x02, 0x00, 0x00, 0x00,
1298  };
1299 
1300  uint8_t dcerpc_request1[] = {
1301  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1302  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1303  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1304  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1305  0x00, 0x00, 0x00, 0x02,
1306  };
1307 
1308  uint8_t dcerpc_response1[] = {
1309  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1310  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1311  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1312  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1313  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1314  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1315  };
1316 
1317  uint8_t dcerpc_request2[] = {
1318  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1319  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1320  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1321  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1322  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1323  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1324  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1325  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1326  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1327  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1328  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1329  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1330  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1331  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1332  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1333  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1334  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1335  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1336  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1337  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338  0x03, 0x00, 0x00, 0x00,
1339  };
1340 
1341  uint8_t dcerpc_response2[] = {
1342  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1343  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1344  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1345  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1346  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1347  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1348  };
1349 
1350  uint8_t dcerpc_request3[] = {
1351  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1352  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1353  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1354  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1355  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1356  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1357  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1358  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1359  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1360  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1361  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1362  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1363  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1364  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1365  };
1366 
1367  uint8_t dcerpc_response3[] = {
1368  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1369  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1370  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371  0x00, 0x00, 0x00, 0x00,
1372  };
1373 
1374  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1375  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1376 
1377  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1378  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1379 
1380  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1381  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1382 
1383  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1384  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1385 
1386  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1387 
1388  memset(&th_v, 0, sizeof(th_v));
1389  memset(&f, 0, sizeof(f));
1390  memset(&ssn, 0, sizeof(ssn));
1391 
1392  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1393 
1394  FLOW_INITIALIZE(&f);
1395  f.protoctx = (void *)&ssn;
1396  f.proto = IPPROTO_TCP;
1397  p->flow = &f;
1398  p->flowflags |= FLOW_PKT_TOSERVER;
1399  p->flowflags |= FLOW_PKT_ESTABLISHED;
1400  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1401  f.alproto = ALPROTO_DCERPC;
1402 
1403  StreamTcpInitConfig(TRUE);
1404 
1405  de_ctx = DetectEngineCtxInit();
1406  if (de_ctx == NULL) {
1407  goto end;
1408  }
1409 
1410  de_ctx->flags |= DE_QUIET;
1411 
1412  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1413  "(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
1414  if (s == NULL) {
1415  goto end;
1416  }
1417 
1418  SigGroupBuild(de_ctx);
1419  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1420 
1421  SCLogDebug("sending bind");
1422 
1423  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1424  dcerpc_bind, dcerpc_bind_len);
1425  if (r != 0) {
1426  SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
1427  goto end;
1428  }
1429 
1430  dcerpc_state = f.alstate;
1431  if (dcerpc_state == NULL) {
1432  SCLogDebug("no dcerpc state: ");
1433  goto end;
1434  }
1435  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1436  p->flowflags |= FLOW_PKT_TOSERVER;
1437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1438 
1439  SCLogDebug("sending bind_ack");
1440 
1441  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1442  dcerpc_bindack, dcerpc_bindack_len);
1443  if (r != 0) {
1444  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1445  goto end;
1446  }
1447  p->flowflags &=~ FLOW_PKT_TOSERVER;
1448  p->flowflags |= FLOW_PKT_TOCLIENT;
1449  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1450 
1451  SCLogDebug("sending request1");
1452 
1453  /* request1 */
1454  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1455  dcerpc_request1, dcerpc_request1_len);
1456  if (r != 0) {
1457  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1458  goto end;
1459  }
1460 
1461  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1462  p->flowflags |= FLOW_PKT_TOSERVER;
1463  /* do detect */
1464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1465 
1466  if (!PacketAlertCheck(p, 1)) {
1467  printf("sig 1 didn't match, but should have: ");
1468  goto end;
1469  }
1470 
1471  SCLogDebug("sending response1");
1472 
1473  /* response1 */
1474  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1475  dcerpc_response1, dcerpc_response1_len);
1476  if (r != 0) {
1477  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1478  goto end;
1479  }
1480 
1481  p->flowflags &=~ FLOW_PKT_TOSERVER;
1482  p->flowflags |= FLOW_PKT_TOCLIENT;
1483  /* do detect */
1484  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1485 
1486  if (PacketAlertCheck(p, 1)) {
1487  printf("sig 1 did match, shouldn't have on response1: ");
1488  goto end;
1489  }
1490 
1491  /* request2 */
1492  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1493  dcerpc_request2, dcerpc_request2_len);
1494  if (r != 0) {
1495  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1496  goto end;
1497  }
1498 
1499  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1500  p->flowflags |= FLOW_PKT_TOSERVER;
1501  /* do detect */
1502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1503 
1504  if (!PacketAlertCheck(p, 1)) {
1505  printf("sig 1 didn't match, but should have on request2: ");
1506  goto end;
1507  }
1508 
1509  /* response2 */
1510  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1511  dcerpc_response2, dcerpc_response2_len);
1512  if (r != 0) {
1513  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1514  goto end;
1515  }
1516 
1517  p->flowflags &=~ FLOW_PKT_TOSERVER;
1518  p->flowflags |= FLOW_PKT_TOCLIENT;
1519  /* do detect */
1520  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1521 
1522  if (PacketAlertCheck(p, 1)) {
1523  printf("sig 1 did match, shouldn't have on response2: ");
1524  goto end;
1525  }
1526 
1527  /* request3 */
1528  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1529  dcerpc_request3, dcerpc_request3_len);
1530  if (r != 0) {
1531  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1532  goto end;
1533  }
1534 
1535  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1536  p->flowflags |= FLOW_PKT_TOSERVER;
1537  /* do detect */
1538  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1539 
1540  if (!PacketAlertCheck(p, 1)) {
1541  printf("sig 1 didn't match, but should have on request3: ");
1542  goto end;
1543  }
1544 
1545  /* response3 */
1546  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
1547  dcerpc_response3, dcerpc_response3_len);
1548  if (r != 0) {
1549  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1550  goto end;
1551  }
1552 
1553  p->flowflags &=~ FLOW_PKT_TOSERVER;
1554  p->flowflags |= FLOW_PKT_TOCLIENT;
1555  /* do detect */
1556  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1557 
1558  if (PacketAlertCheck(p, 1)) {
1559  printf("sig 1 did match, shouldn't have on response2: ");
1560  goto end;
1561  }
1562 
1563  result = 1;
1564 
1565  end:
1566  if (alp_tctx != NULL)
1567  AppLayerDestroyCtxThread(alp_tctx);
1568  SigGroupCleanup(de_ctx);
1569  SigCleanSignatures(de_ctx);
1570 
1571  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1572  DetectEngineCtxFree(de_ctx);
1573 
1574  StreamTcpFreeConfig(TRUE);
1575  FLOW_DESTROY(&f);
1576 
1577  UTHFreePackets(&p, 1);
1578  return result;
1579 }
1580 
1581 /**
1582  * \test Test a valid dce_opnum entry(with multiple values) with multiple
1583  * request/responses.
1584  */
1585 static int DetectDceOpnumTestParse11(void)
1586 {
1587  int result = 0;
1588  Signature *s = NULL;
1589  ThreadVars th_v;
1590  Packet *p = NULL;
1591  Flow f;
1592  TcpSession ssn;
1593  DetectEngineThreadCtx *det_ctx = NULL;
1594  DetectEngineCtx *de_ctx = NULL;
1595  DCERPCState *dcerpc_state = NULL;
1596  int r = 0;
1597 
1598  uint8_t dcerpc_request1[] = {
1599  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1600  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1601  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1602  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1603  0x00, 0x00, 0x00, 0x02,
1604  };
1605 
1606  uint8_t dcerpc_response1[] = {
1607  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1608  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1609  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1610  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1611  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1612  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1613  };
1614 
1615  uint8_t dcerpc_request2[] = {
1616  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1617  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1618  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1619  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1620  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1621  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1622  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1623  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1624  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1625  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1626  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1627  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1628  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1629  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1630  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1631  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1632  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1633  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1634  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1635  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1636  0x03, 0x00, 0x00, 0x00,
1637  };
1638 
1639  uint8_t dcerpc_response2[] = {
1640  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1641  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1642  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1644  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1645  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1646  };
1647 
1648  uint8_t dcerpc_request3[] = {
1649  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1650  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1651  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1652  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1653  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1654  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1655  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1656  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1657  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1658  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1659  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1660  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1661  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1662  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1663  };
1664 
1665  uint8_t dcerpc_response3[] = {
1666  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1667  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1668  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669  0x00, 0x00, 0x00, 0x00,
1670  };
1671 
1672  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1673  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1674 
1675  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1676  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1677 
1678  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1679  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1680 
1681  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1682 
1683  memset(&th_v, 0, sizeof(th_v));
1684  memset(&f, 0, sizeof(f));
1685  memset(&ssn, 0, sizeof(ssn));
1686 
1687  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1688 
1689  FLOW_INITIALIZE(&f);
1690  f.protoctx = (void *)&ssn;
1691  f.proto = IPPROTO_TCP;
1692  p->flow = &f;
1693  p->flowflags |= FLOW_PKT_TOSERVER;
1694  p->flowflags |= FLOW_PKT_ESTABLISHED;
1695  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1696  f.alproto = ALPROTO_DCERPC;
1697 
1698  StreamTcpInitConfig(TRUE);
1699 
1700  de_ctx = DetectEngineCtxInit();
1701  if (de_ctx == NULL)
1702  goto end;
1703 
1704  de_ctx->flags |= DE_QUIET;
1705 
1706  s = de_ctx->sig_list = SigInit(de_ctx,
1707  "alert tcp any any -> any any "
1708  "(msg:\"DCERPC\"; "
1709  "dce_opnum:2-22; "
1710  "sid:1;)");
1711  if (s == NULL)
1712  goto end;
1713 
1714  SigGroupBuild(de_ctx);
1715  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1716 
1717  /* request1 */
1718  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1719  dcerpc_request1, dcerpc_request1_len);
1720  if (r != 0) {
1721  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1722  printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
1723  goto end;
1724  }
1725 
1726  dcerpc_state = f.alstate;
1727  if (dcerpc_state == NULL) {
1728  SCLogDebug("no dcerpc state: ");
1729  printf("no dcerpc state: ");
1730  goto end;
1731  }
1732 
1733  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1734  p->flowflags |= FLOW_PKT_TOSERVER;
1735  /* do detect */
1736  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1737 
1738  if (!PacketAlertCheck(p, 1))
1739  goto end;
1740 
1741  /* response1 */
1742  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1743  dcerpc_response1, dcerpc_response1_len);
1744  if (r != 0) {
1745  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1746  printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
1747  goto end;
1748  }
1749 
1750  p->flowflags &=~ FLOW_PKT_TOSERVER;
1751  p->flowflags |= FLOW_PKT_TOCLIENT;
1752  /* do detect */
1753  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1754 
1755  if (PacketAlertCheck(p, 1))
1756  goto end;
1757 
1758  /* request2 */
1759  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1760  dcerpc_request2, dcerpc_request2_len);
1761  if (r != 0) {
1762  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1763  printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
1764  goto end;
1765  }
1766 
1767  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1768  p->flowflags |= FLOW_PKT_TOSERVER;
1769  /* do detect */
1770  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1771 
1772  if (!PacketAlertCheck(p, 1))
1773  goto end;
1774 
1775  /* response2 */
1776  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1777  dcerpc_response2, dcerpc_response2_len);
1778  if (r != 0) {
1779  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1780  printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
1781  goto end;
1782  }
1783 
1784  p->flowflags &=~ FLOW_PKT_TOSERVER;
1785  p->flowflags |= FLOW_PKT_TOCLIENT;
1786  /* do detect */
1787  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1788 
1789  if (PacketAlertCheck(p, 1))
1790  goto end;
1791 
1792  /* request3 */
1793  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1794  dcerpc_request3, dcerpc_request3_len);
1795  if (r != 0) {
1796  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1797  printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
1798  goto end;
1799  }
1800 
1801  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1802  p->flowflags |= FLOW_PKT_TOSERVER;
1803  /* do detect */
1804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1805 
1806  if (!PacketAlertCheck(p, 1))
1807  goto end;
1808 
1809  /* response3 */
1810  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
1811  dcerpc_response3, dcerpc_response3_len);
1812  if (r != 0) {
1813  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1814  printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
1815  goto end;
1816  }
1817 
1818  p->flowflags &=~ FLOW_PKT_TOSERVER;
1819  p->flowflags |= FLOW_PKT_TOCLIENT;
1820  /* do detect */
1821  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1822 
1823  if (PacketAlertCheck(p, 1))
1824  goto end;
1825 
1826  result = 1;
1827 
1828  end:
1829  if (alp_tctx != NULL)
1830  AppLayerDestroyCtxThread(alp_tctx);
1831  SigGroupCleanup(de_ctx);
1832  SigCleanSignatures(de_ctx);
1833 
1834  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1835  DetectEngineCtxFree(de_ctx);
1836 
1837  StreamTcpFreeConfig(TRUE);
1838  FLOW_DESTROY(&f);
1839 
1840  UTHFreePackets(&p, 1);
1841  return result;
1842 }
1843 
1844 /**
1845  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1846  * and multiple request/responses with a match test after each frag parsing.
1847  */
1848 static int DetectDceOpnumTestParse12(void)
1849 {
1850  int result = 0;
1851  Signature *s = NULL;
1852  ThreadVars th_v;
1853  Packet *p = NULL;
1854  Flow f;
1855  TcpSession ssn;
1856  DetectEngineThreadCtx *det_ctx = NULL;
1857  DetectEngineCtx *de_ctx = NULL;
1858  DCERPCState *dcerpc_state = NULL;
1859  int r = 0;
1860 
1861  uint8_t dcerpc_bind[] = {
1862  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1863  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1864  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
1865  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1866  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
1867  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
1868  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1869  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1870  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1871  };
1872 
1873  uint8_t dcerpc_bindack[] = {
1874  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1875  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1876  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
1877  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
1878  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
1879  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1880  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1881  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1882  0x02, 0x00, 0x00, 0x00,
1883  };
1884 
1885  uint8_t dcerpc_request1[] = {
1886  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1887  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1888  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
1889  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
1890  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
1891  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
1892  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
1893  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
1894  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1895  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
1896  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
1897  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
1898  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1899  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
1900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1905  0x00, 0x00
1906  };
1907 
1908  uint8_t dcerpc_response1[] = {
1909  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1910  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1911  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1912  0x00, 0x00, 0x00, 0x00,
1913  };
1914 
1915  uint8_t dcerpc_request2[] = {
1916  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1917  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1918  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
1919  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
1920  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
1921  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
1922  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1923  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1924  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
1925  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1926  0x4e, 0x6f, 0x6e, 0x65
1927  };
1928 
1929  uint8_t dcerpc_response2[] = {
1930  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1931  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1932  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1933  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
1934  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
1935  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1936  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1937  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1938  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
1939  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
1940  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
1941  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
1942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1946  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
1947  0x00, 0x00, 0x00, 0x00,
1948  };
1949 
1950  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1951  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1952 
1953  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1954  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1955 
1956  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1957  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1958 
1959  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1960 
1961  memset(&th_v, 0, sizeof(th_v));
1962  memset(&f, 0, sizeof(f));
1963  memset(&ssn, 0, sizeof(ssn));
1964 
1965  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1966 
1967  FLOW_INITIALIZE(&f);
1968  f.protoctx = (void *)&ssn;
1969  f.proto = IPPROTO_TCP;
1970  p->flow = &f;
1971  p->flowflags |= FLOW_PKT_TOSERVER;
1972  p->flowflags |= FLOW_PKT_ESTABLISHED;
1973  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1974  f.alproto = ALPROTO_DCERPC;
1975 
1976  StreamTcpInitConfig(TRUE);
1977 
1978  de_ctx = DetectEngineCtxInit();
1979  if (de_ctx == NULL)
1980  goto end;
1981 
1982  de_ctx->flags |= DE_QUIET;
1983 
1984  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1985  "(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
1986  if (s == NULL)
1987  goto end;
1988 
1989  SigGroupBuild(de_ctx);
1990  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1991 
1992  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1993  dcerpc_bind, dcerpc_bind_len);
1994  if (r != 0) {
1995  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1996  goto end;
1997  }
1998  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1999  p->flowflags |= FLOW_PKT_TOSERVER;
2000  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2001 
2002  dcerpc_state = f.alstate;
2003  if (dcerpc_state == NULL) {
2004  printf("no dcerpc state: ");
2005  goto end;
2006  }
2007 
2008  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
2009  dcerpc_bindack_len);
2010  if (r != 0) {
2011  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2012  goto end;
2013  }
2014  p->flowflags &=~ FLOW_PKT_TOSERVER;
2015  p->flowflags |= FLOW_PKT_TOCLIENT;
2016  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2017 
2018  /* request1 */
2019  SCLogDebug("Sending request1");
2020 
2021  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2022  dcerpc_request1_len);
2023  if (r != 0) {
2024  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2025  goto end;
2026  }
2027 
2028  dcerpc_state = f.alstate;
2029  if (dcerpc_state == NULL) {
2030  printf("no dcerpc state: ");
2031  goto end;
2032  }
2033 
2034  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2035  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2036  "expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2037  goto end;
2038  }
2039 
2040  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2041  p->flowflags |= FLOW_PKT_TOSERVER;
2042  /* do detect */
2043  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2044 
2045  if (!PacketAlertCheck(p, 1)) {
2046  printf("signature 1 didn't match, should have: ");
2047  goto end;
2048  }
2049 
2050  /* response1 */
2051  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2052  dcerpc_response1_len);
2053  if (r != 0) {
2054  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2055  goto end;
2056  }
2057 
2058  dcerpc_state = f.alstate;
2059  if (dcerpc_state == NULL) {
2060  printf("no dcerpc state: ");
2061  goto end;
2062  }
2063 
2064  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2065  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2066  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2067  goto end;
2068  }
2069 
2070  p->flowflags &=~ FLOW_PKT_TOSERVER;
2071  p->flowflags |= FLOW_PKT_TOCLIENT;
2072  /* do detect */
2073  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2074 
2075  if (PacketAlertCheck(p, 1)) {
2076  printf("sig 1 matched on response 1, but shouldn't: ");
2077  goto end;
2078  }
2079 
2080  /* request2 */
2081  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2082  dcerpc_request2_len);
2083  if (r != 0) {
2084  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2085  goto end;
2086  }
2087 
2088  dcerpc_state = f.alstate;
2089  if (dcerpc_state == NULL) {
2090  printf("no dcerpc state: ");
2091  goto end;
2092  }
2093 
2094  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2095  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2096  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2097  goto end;
2098  }
2099 
2100  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2101  p->flowflags |= FLOW_PKT_TOSERVER;
2102  /* do detect */
2103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2104 
2105  if (!PacketAlertCheck(p, 1)) {
2106  printf("sig 1 didn't match on request 2: ");
2107  goto end;
2108  }
2109 
2110  /* response2 */
2111  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2112  dcerpc_response2_len);
2113  if (r != 0) {
2114  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2115  goto end;
2116  }
2117 
2118  dcerpc_state = f.alstate;
2119  if (dcerpc_state == NULL) {
2120  printf("no dcerpc state: ");
2121  goto end;
2122  }
2123 
2124  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2125  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2126  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2127  goto end;
2128  }
2129 
2130  p->flowflags &=~ FLOW_PKT_TOSERVER;
2131  p->flowflags |= FLOW_PKT_TOCLIENT;
2132  /* do detect */
2133  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2134 
2135  if (PacketAlertCheck(p, 1)) {
2136  printf("sig 1 matched on response2, but shouldn't: ");
2137  goto end;
2138  }
2139 
2140  result = 1;
2141 
2142 end:
2143  if (alp_tctx != NULL)
2144  AppLayerDestroyCtxThread(alp_tctx);
2145  SigGroupCleanup(de_ctx);
2146  SigCleanSignatures(de_ctx);
2147 
2148  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2149  DetectEngineCtxFree(de_ctx);
2150 
2151  StreamTcpFreeConfig(TRUE);
2152  FLOW_DESTROY(&f);
2153 
2154  UTHFreePackets(&p, 1);
2155  return result;
2156 }
2157 
2158 /**
2159  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2160  * and multiple request/responses with a match test after each frag parsing.
2161  */
2162 static int DetectDceOpnumTestParse13(void)
2163 {
2164  int result = 0;
2165  Signature *s = NULL;
2166  ThreadVars th_v;
2167  Packet *p = NULL;
2168  Flow f;
2169  TcpSession ssn;
2170  DetectEngineThreadCtx *det_ctx = NULL;
2171  DetectEngineCtx *de_ctx = NULL;
2172  DCERPCState *dcerpc_state = NULL;
2173  int r = 0;
2174 
2175  uint8_t dcerpc_request1[] = {
2176  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2177  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2178  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
2179  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2180  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2181  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2182  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2183  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2184  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2185  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2186  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2187  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2188  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2189  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2190  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2191  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2192  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2193  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2194  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2195  0x00, 0x00
2196  };
2197 
2198  uint8_t dcerpc_response1[] = {
2199  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2200  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2201  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2202  0x00, 0x00, 0x00, 0x00,
2203  };
2204 
2205  uint8_t dcerpc_request2[] = {
2206  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2207  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2208  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2209  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2210  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2211  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2212  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2213  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2214  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2215  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2216  0x4e, 0x6f, 0x6e, 0x65
2217  };
2218 
2219  uint8_t dcerpc_response2[] = {
2220  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2221  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2222  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2223  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2224  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2225  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2226  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2227  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2228  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2229  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2230  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2231  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2232  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2233  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2234  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2235  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2236  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2237  0x00, 0x00, 0x00, 0x00,
2238  };
2239 
2240  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2241  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2242 
2243  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2244  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2245 
2246  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2247 
2248  memset(&th_v, 0, sizeof(th_v));
2249  memset(&f, 0, sizeof(f));
2250  memset(&ssn, 0, sizeof(ssn));
2251 
2252  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2253 
2254  FLOW_INITIALIZE(&f);
2255  f.protoctx = (void *)&ssn;
2256  f.proto = IPPROTO_TCP;
2257  p->flow = &f;
2258  p->flowflags |= FLOW_PKT_TOSERVER;
2259  p->flowflags |= FLOW_PKT_ESTABLISHED;
2260  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2261  f.alproto = ALPROTO_DCERPC;
2262 
2263  StreamTcpInitConfig(TRUE);
2264 
2265  de_ctx = DetectEngineCtxInit();
2266  if (de_ctx == NULL)
2267  goto end;
2268 
2269  de_ctx->flags |= DE_QUIET;
2270 
2271  s = de_ctx->sig_list = SigInit(de_ctx,
2272  "alert tcp any any -> any any "
2273  "(msg:\"DCERPC\"; "
2274  "dce_opnum:30, 40; "
2275  "sid:1;)");
2276  if (s == NULL)
2277  goto end;
2278 
2279  SigGroupBuild(de_ctx);
2280  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2281 
2282  /* request1 */
2283  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2284  dcerpc_request1_len);
2285  if (r != 0) {
2286  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2287  goto end;
2288  }
2289 
2290  dcerpc_state = f.alstate;
2291  if (dcerpc_state == NULL) {
2292  printf("no dcerpc state: ");
2293  goto end;
2294  }
2295 
2296  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2297  printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
2298  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2299  goto end;
2300  }
2301 
2302  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2303  p->flowflags |= FLOW_PKT_TOSERVER;
2304  /* do detect */
2305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2306 
2307  if (!PacketAlertCheck(p, 1))
2308  goto end;
2309 
2310  /* response1 */
2311  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2312  dcerpc_response1_len);
2313  if (r != 0) {
2314  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2315  goto end;
2316  }
2317 
2318  dcerpc_state = f.alstate;
2319  if (dcerpc_state == NULL) {
2320  printf("no dcerpc state: ");
2321  goto end;
2322  }
2323 
2324  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2325  printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
2326  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2327  goto end;
2328  }
2329 
2330  p->flowflags &=~ FLOW_PKT_TOSERVER;
2331  p->flowflags |= FLOW_PKT_TOCLIENT;
2332  /* do detect */
2333  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2334 
2335  if (PacketAlertCheck(p, 1))
2336  goto end;
2337 
2338  /* request2 */
2339  printf("Sending Request2\n");
2340  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2341  dcerpc_request2_len);
2342  if (r != 0) {
2343  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2344  goto end;
2345  }
2346 
2347  dcerpc_state = f.alstate;
2348  if (dcerpc_state == NULL) {
2349  printf("no dcerpc state: ");
2350  goto end;
2351  }
2352 
2353  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2354  printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
2355  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2356  goto end;
2357  }
2358 
2359  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2360  p->flowflags |= FLOW_PKT_TOSERVER;
2361  /* do detect */
2362  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2363 
2364  if (!PacketAlertCheck(p, 1))
2365  goto end;
2366 
2367  /* response2 */
2368  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2369  dcerpc_response2_len);
2370  if (r != 0) {
2371  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2372  goto end;
2373  }
2374 
2375  dcerpc_state = f.alstate;
2376  if (dcerpc_state == NULL) {
2377  printf("no dcerpc state: ");
2378  goto end;
2379  }
2380 
2381  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2382  printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
2383  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2384  goto end;
2385  }
2386 
2387  p->flowflags &=~ FLOW_PKT_TOSERVER;
2388  p->flowflags |= FLOW_PKT_TOCLIENT;
2389  /* do detect */
2390  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2391 
2392  if (PacketAlertCheck(p, 1))
2393  goto end;
2394 
2395  result = 1;
2396 
2397  end:
2398  if (alp_tctx != NULL)
2399  AppLayerDestroyCtxThread(alp_tctx);
2400  SigGroupCleanup(de_ctx);
2401  SigCleanSignatures(de_ctx);
2402 
2403  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2404  DetectEngineCtxFree(de_ctx);
2405 
2406  StreamTcpFreeConfig(TRUE);
2407  FLOW_DESTROY(&f);
2408 
2409  UTHFreePackets(&p, 1);
2410  return result;
2411 }
2412 #endif
2413 
2414 static void DetectDceOpnumRegisterTests(void)
2415 {
2416  UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
2417  UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
2418  /* Disabled because of bug_753. Would be enabled, once we rewrite
2419  * dce parser */
2420 #if 0
2421  UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
2422  UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
2423  UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
2424  UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
2425 #endif
2426 }
2427 #endif /* UNITTESTS */
app-layer-dcerpc.h
detect-engine.h
detect-dce-iface.h
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1104
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1210
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:531
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:365
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:447
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2039
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1181
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
m
SCMutex m
Definition: flow-hash.h:6
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:443
Flow_::protoctx
void * protoctx
Definition: flow.h:441
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-opnum.c:53
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:264
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2476
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:261
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
SCReturn
#define SCReturn
Definition: util-debug.h:302
Packet_
Definition: decode.h:412
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2344
Packet_::flow
struct Flow_ * flow
Definition: decode.h:449
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1211
DetectDceOpnumRegister
void DetectDceOpnumRegister(void)
Registers the keyword handlers for the "dce_opnum" keyword.
Definition: detect-dce-opnum.c:70
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1179
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DETECT_DCE_OPNUM
@ DETECT_DCE_OPNUM
Definition: detect-engine-register.h:185
Flow_::alstate
void * alstate
Definition: flow.h:476
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:854
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:221
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
TcpSession_
Definition: stream-tcp-private.h:261
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
detect-dce-opnum.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1102
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468