suricata
detect-dce-opnum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_opnum keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 #include "flow-util.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-dcerpc.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 #include "detect-dce-opnum.h"
44 #include "detect-dce-iface.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "stream-tcp.h"
50 
51 #ifdef HAVE_RUST
52 #include "rust.h"
53 #include "rust-smb-detect-gen.h"
54 #endif
55 
56 #define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
57 
58 static pcre *parse_regex = NULL;
59 static pcre_extra *parse_regex_study = NULL;
60 
61 static int DetectDceOpnumMatch(ThreadVars *, DetectEngineThreadCtx *,
62  Flow *, uint8_t, void *, void *,
63  const Signature *, const SigMatchCtx *);
64 #ifdef HAVE_RUST
65 static int DetectDceOpnumMatchRust(ThreadVars *t,
66  DetectEngineThreadCtx *det_ctx,
67  Flow *f, uint8_t flags, void *state, void *txv,
68  const Signature *s, const SigMatchCtx *m);
69 #endif
70 static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
71 static void DetectDceOpnumFree(void *);
72 static void DetectDceOpnumRegisterTests(void);
73 static int g_dce_generic_list_id = 0;
74 
75 /**
76  * \brief Registers the keyword handlers for the "dce_opnum" keyword.
77  */
78 void DetectDceOpnumRegister(void)
79 {
80  sigmatch_table[DETECT_DCE_OPNUM].name = "dce_opnum";
81  sigmatch_table[DETECT_DCE_OPNUM].Match = NULL;
82 #ifdef HAVE_RUST
83  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatchRust;
84 #else
85  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatch;
86 #endif
87  sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
88  sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
89  sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
90 
91  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
92 
93  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
94 }
95 
96 /**
97  * \internal
98  * \brief Creates and returns a new instance of DetectDceOpnumRange.
99  *
100  * \retval dor Pointer to the new instance DetectDceOpnumRange.
101  */
102 static DetectDceOpnumRange *DetectDceOpnumAllocDetectDceOpnumRange(void)
103 {
104  DetectDceOpnumRange *dor = NULL;
105 
106  if ( (dor = SCMalloc(sizeof(DetectDceOpnumRange))) == NULL)
107  return NULL;
108  memset(dor, 0, sizeof(DetectDceOpnumRange));
109  dor->range1 = dor->range2 = DCE_OPNUM_RANGE_UNINITIALIZED;
110 
111  return dor;
112 }
113 
114 /**
115  * \internal
116  * \brief Parses the argument sent along with the "dce_opnum" keyword.
117  *
118  * \param arg Pointer to the string containing the argument to be parsed.
119  *
120  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
121  * from the parsed arg.
122  */
123 static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
124 {
125  DetectDceOpnumData *dod = NULL;
126 
127  DetectDceOpnumRange *dor = NULL;
128  DetectDceOpnumRange *prev_dor = NULL;
129 
130 #define MAX_SUBSTRINGS 30
131  int ret = 0, res = 0;
132  int ov[MAX_SUBSTRINGS];
133  const char *pcre_sub_str = NULL;
134 
135  char *dup_str = NULL;
136  char *dup_str_temp = NULL;
137  char *dup_str_head = NULL;
138  char *comma_token = NULL;
139  char *hyphen_token = NULL;
140 
141  if (arg == NULL) {
142  goto error;
143  }
144 
145  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
146  MAX_SUBSTRINGS);
147  if (ret < 2) {
148  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
149  goto error;
150  }
151 
152  res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 0, &pcre_sub_str);
153  if (res < 0) {
154  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
155  goto error;
156  }
157 
158  if ( (dod = SCMalloc(sizeof(DetectDceOpnumData))) == NULL)
159  goto error;
160  memset(dod, 0, sizeof(DetectDceOpnumData));
161 
162  if ( (dup_str = SCStrdup(pcre_sub_str)) == NULL) {
163  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
164  goto error;
165  }
166 
167  /* free the substring */
168  pcre_free_substring(pcre_sub_str);
169 
170  /* keep a copy of the strdup string in dup_str_head so that we can free it
171  * once we are done using it */
172  dup_str_head = dup_str;
173  dup_str_temp = dup_str;
174  while ( (comma_token = index(dup_str, ',')) != NULL) {
175  comma_token[0] = '\0';
176  dup_str = comma_token + 1;
177 
178  dor = DetectDceOpnumAllocDetectDceOpnumRange();
179  if (dor == NULL)
180  goto error;
181  if (prev_dor == NULL) {
182  prev_dor = dor;
183  dod->range = dor;
184  } else {
185  prev_dor->next = dor;
186  prev_dor = dor;
187  }
188 
189  if ((hyphen_token = index(dup_str_temp, '-')) != NULL) {
190  hyphen_token[0] = '\0';
191  hyphen_token++;
192  dor->range1 = atoi(dup_str_temp);
193  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
194  goto error;
195  dor->range2 = atoi(hyphen_token);
196  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
197  goto error;
198  if (dor->range1 > dor->range2)
199  goto error;
200  }
201  dor->range1 = atoi(dup_str_temp);
202  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
203  goto error;
204 
205  dup_str_temp = dup_str;
206  }
207 
208  dor = DetectDceOpnumAllocDetectDceOpnumRange();
209  if (dor == NULL)
210  goto error;
211  if (prev_dor == NULL) {
212  dod->range = dor;
213  } else {
214  prev_dor->next = dor;
215  }
216 
217  if ( (hyphen_token = index(dup_str, '-')) != NULL) {
218  hyphen_token[0] = '\0';
219  hyphen_token++;
220  dor->range1 = atoi(dup_str);
221  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
222  goto error;
223  dor->range2 = atoi(hyphen_token);
224  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
225  goto error;
226  if (dor->range1 > dor->range2)
227  goto error;
228  }
229  dor->range1 = atoi(dup_str);
230  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
231  goto error;
232 
233  if (dup_str_head != NULL)
234  SCFree(dup_str_head);
235 
236  return dod;
237 
238  error:
239  if (dup_str_head != NULL)
240  SCFree(dup_str_head);
241  DetectDceOpnumFree(dod);
242  return NULL;
243 }
244 
245 /**
246  * \brief App layer match function for the "dce_opnum" keyword.
247  *
248  * \param t Pointer to the ThreadVars instance.
249  * \param det_ctx Pointer to the DetectEngineThreadCtx.
250  * \param f Pointer to the flow.
251  * \param flags Pointer to the flags indicating the flow direction.
252  * \param state Pointer to the app layer state data.
253  * \param s Pointer to the Signature instance.
254  * \param m Pointer to the SigMatch.
255  *
256  * \retval 1 On Match.
257  * \retval 0 On no match.
258  */
259 static int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
260  Flow *f, uint8_t flags, void *state, void *txv,
261  const Signature *s, const SigMatchCtx *m)
262 {
263  SCEnter();
264 
265  DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
266  DetectDceOpnumRange *dor = dce_data->range;
267 
268  DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
269  if (dcerpc_state == NULL) {
270  SCLogDebug("No DCERPCState for the flow");
271  SCReturnInt(0);
272  }
273  uint16_t opnum = dcerpc_state->dcerpc.dcerpcrequest.opnum;
274 
275  for ( ; dor != NULL; dor = dor->next) {
276  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
277  if (dor->range1 == opnum) {
278  SCReturnInt(1);
279  }
280  } else {
281  if (dor->range1 <= opnum && dor->range2 >= opnum)
282  {
283  SCReturnInt(1);
284  }
285  }
286  }
287 
288  SCReturnInt(0);
289 }
290 
291 #ifdef HAVE_RUST
292 static int DetectDceOpnumMatchRust(ThreadVars *t,
293  DetectEngineThreadCtx *det_ctx,
294  Flow *f, uint8_t flags, void *state, void *txv,
295  const Signature *s, const SigMatchCtx *m)
296 {
297  SCEnter();
298 
299  if (f->alproto == ALPROTO_DCERPC) {
300  return DetectDceOpnumMatch(t, det_ctx, f, flags,
301  state, txv, s, m);
302  }
303 
304  const DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
305  const DetectDceOpnumRange *dor = dce_data->range;
306 
307  uint16_t opnum;
308  if (rs_smb_tx_get_dce_opnum(txv, &opnum) != 1)
309  SCReturnInt(0);
310  SCLogDebug("(rust) opnum %u", opnum);
311 
312  for ( ; dor != NULL; dor = dor->next) {
313  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
314  if (dor->range1 == opnum) {
315  SCReturnInt(1);
316  }
317  } else {
318  if (dor->range1 <= opnum && dor->range2 >= opnum)
319  {
320  SCReturnInt(1);
321  }
322  }
323  }
324 
325  SCReturnInt(0);
326 }
327 #endif
328 
329 /**
330  * \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
331  * and appends it to the Signature(s).
332  *
333  * \param de_ctx Pointer to the detection engine context.
334  * \param s Pointer to signature for the current Signature being parsed
335  * from the rules.
336  * \param arg Pointer to the string holding the keyword value.
337  *
338  * \retval 0 on success, -1 on failure
339  */
340 
341 static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
342 {
343  if (arg == NULL) {
344  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
345  "signature, option needs a value");
346  return -1;
347  }
348 
349  DetectDceOpnumData *dod = DetectDceOpnumArgParse(arg);
350  if (dod == NULL) {
351  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
352  "signature");
353  return -1;
354  }
355 
356  SigMatch *sm = SigMatchAlloc();
357  if (sm == NULL) {
358  DetectDceOpnumFree(dod);
359  return -1;
360  }
361 
362  sm->type = DETECT_DCE_OPNUM;
363  sm->ctx = (void *)dod;
364 
365  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
366  return 0;
367 }
368 
369 static void DetectDceOpnumFree(void *ptr)
370 {
371  DetectDceOpnumData *dod = ptr;
372  DetectDceOpnumRange *dor = NULL;
373  DetectDceOpnumRange *dor_temp = NULL;
374 
375  if (dod != NULL) {
376  dor = dod->range;
377  while (dor != NULL) {
378  dor_temp = dor;
379  dor = dor->next;
380  SCFree(dor_temp);
381  }
382  SCFree(dod);
383  }
384 
385  return;
386 }
387 
388 /************************************Unittests*********************************/
389 
390 #ifdef UNITTESTS
391 
392 static int DetectDceOpnumTestParse01(void)
393 {
394  Signature *s = SigAlloc();
395  int result = 0;
396 
397  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
398  result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
399  result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
400  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-78") == 0);
401  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513-6666") == 0);
402  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
403  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
404 
405  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
406  SigFree(s);
407  result &= 1;
408  }
409 
410  return result;
411 }
412 
413 static int DetectDceOpnumTestParse02(void)
414 {
415  Signature *s = SigAlloc();
416  int result = 0;
417  DetectDceOpnumData *dod = NULL;
418  DetectDceOpnumRange *dor = NULL;
419  SigMatch *temp = NULL;
420 
421  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
422 
423  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
424  temp = s->sm_lists[g_dce_generic_list_id];
425  dod = (DetectDceOpnumData *)temp->ctx;
426  if (dod == NULL)
427  goto end;
428  dor = dod->range;
429  result &= (dor->range1 == 12 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
430  result &= (dor->next == NULL);
431  } else {
432  result = 0;
433  }
434 
435  end:
436  SigFree(s);
437  return result;
438 }
439 
440 static int DetectDceOpnumTestParse03(void)
441 {
442  Signature *s = SigAlloc();
443  int result = 0;
444  DetectDceOpnumData *dod = NULL;
445  DetectDceOpnumRange *dor = NULL;
446  SigMatch *temp = NULL;
447 
448  result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
449 
450  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
451  temp = s->sm_lists[g_dce_generic_list_id];
452  dod = (DetectDceOpnumData *)temp->ctx;
453  if (dod == NULL)
454  goto end;
455  dor = dod->range;
456  result &= (dor->range1 == 12 && dor->range2 == 24);
457  result &= (dor->next == NULL);
458  } else {
459  result = 0;
460  }
461 
462  end:
463  SigFree(s);
464  return result;
465 }
466 
467 static int DetectDceOpnumTestParse04(void)
468 {
469  Signature *s = SigAlloc();
470  int result = 0;
471  DetectDceOpnumData *dod = NULL;
472  DetectDceOpnumRange *dor = NULL;
473  SigMatch *temp = NULL;
474 
475  result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
476 
477  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
478  temp = s->sm_lists[g_dce_generic_list_id];
479  dod = (DetectDceOpnumData *)temp->ctx;
480  if (dod == NULL)
481  goto end;
482  dor = dod->range;
483  result &= (dor->range1 == 12 && dor->range2 == 24);
484  result &= (dor->next != NULL);
485  if (result == 0)
486  goto end;
487 
488  dor = dor->next;
489  result &= (dor->range1 == 24 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
490  result &= (dor->next != NULL);
491  if (result == 0)
492  goto end;
493 
494  dor = dor->next;
495  result &= (dor->range1 == 62 && dor->range2 == 72);
496  result &= (dor->next != NULL);
497  if (result == 0)
498  goto end;
499 
500  dor = dor->next;
501  result &= (dor->range1 == 623 && dor->range2 == 635);
502  result &= (dor->next != NULL);
503  if (result == 0)
504  goto end;
505 
506  dor = dor->next;
507  result &= (dor->range1 == 62 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
508  result &= (dor->next != NULL);
509  if (result == 0)
510  goto end;
511 
512  dor = dor->next;
513  result &= (dor->range1 == 25 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
514  result &= (dor->next != NULL);
515  if (result == 0)
516  goto end;
517 
518  dor = dor->next;
519  result &= (dor->range1 == 213 && dor->range2 == 235);
520  if (result == 0)
521  goto end;
522  } else {
523  result = 0;
524  }
525 
526  end:
527  SigFree(s);
528  return result;
529 }
530 
531 static int DetectDceOpnumTestParse05(void)
532 {
533  Signature *s = SigAlloc();
534  int result = 0;
535  DetectDceOpnumData *dod = NULL;
536  DetectDceOpnumRange *dor = NULL;
537  SigMatch *temp = NULL;
538 
539  result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
540 
541  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
542  temp = s->sm_lists[g_dce_generic_list_id];
543  dod = (DetectDceOpnumData *)temp->ctx;
544  if (dod == NULL)
545  goto end;
546  dor = dod->range;
547  result &= (dor->range1 == 1 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
548  result &= (dor->next != NULL);
549  if (result == 0)
550  goto end;
551 
552  dor = dor->next;
553  result &= (dor->range1 == 2 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
554  result &= (dor->next != NULL);
555  if (result == 0)
556  goto end;
557 
558  dor = dor->next;
559  result &= (dor->range1 == 3 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
560  result &= (dor->next != NULL);
561  if (result == 0)
562  goto end;
563 
564  dor = dor->next;
565  result &= (dor->range1 == 4 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
566  result &= (dor->next != NULL);
567  if (result == 0)
568  goto end;
569 
570  dor = dor->next;
571  result &= (dor->range1 == 5 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
572  result &= (dor->next != NULL);
573  if (result == 0)
574  goto end;
575 
576  dor = dor->next;
577  result &= (dor->range1 == 6 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
578  result &= (dor->next != NULL);
579  if (result == 0)
580  goto end;
581 
582  dor = dor->next;
583  result &= (dor->range1 == 7 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
584  if (result == 0)
585  goto end;
586  } else {
587  result = 0;
588  }
589 
590  end:
591  SigFree(s);
592  return result;
593 }
594 
595 static int DetectDceOpnumTestParse06(void)
596 {
597  Signature *s = SigAlloc();
598  int result = 0;
599  DetectDceOpnumData *dod = NULL;
600  DetectDceOpnumRange *dor = NULL;
601  SigMatch *temp = NULL;
602 
603  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
604 
605  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
606  temp = s->sm_lists[g_dce_generic_list_id];
607  dod = (DetectDceOpnumData *)temp->ctx;
608  if (dod == NULL)
609  goto end;
610  dor = dod->range;
611  result &= (dor->range1 == 1 && dor->range2 == 2);
612  result &= (dor->next != NULL);
613  if (result == 0)
614  goto end;
615 
616  dor = dor->next;
617  result &= (dor->range1 == 3 && dor->range2 == 4);
618  result &= (dor->next != NULL);
619  if (result == 0)
620  goto end;
621 
622  dor = dor->next;
623  result &= (dor->range1 == 5 && dor->range2 == 6);
624  result &= (dor->next != NULL);
625  if (result == 0)
626  goto end;
627 
628  dor = dor->next;
629  result &= (dor->range1 == 7 && dor->range2 == 8);
630  if (result == 0)
631  goto end;
632  } else {
633  result = 0;
634  }
635 
636  end:
637  SigFree(s);
638  return result;
639 }
640 
641 static int DetectDceOpnumTestParse07(void)
642 {
643  Signature *s = SigAlloc();
644  int result = 0;
645  DetectDceOpnumData *dod = NULL;
646  DetectDceOpnumRange *dor = NULL;
647  SigMatch *temp = NULL;
648 
649  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
650 
651  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
652  temp = s->sm_lists[g_dce_generic_list_id];
653  dod = (DetectDceOpnumData *)temp->ctx;
654  if (dod == NULL)
655  goto end;
656  dor = dod->range;
657  result &= (dor->range1 == 1 && dor->range2 == 2);
658  result &= (dor->next != NULL);
659  if (result == 0)
660  goto end;
661 
662  dor = dor->next;
663  result &= (dor->range1 == 3 && dor->range2 == 4);
664  result &= (dor->next != NULL);
665  if (result == 0)
666  goto end;
667 
668  dor = dor->next;
669  result &= (dor->range1 == 5 && dor->range2 == 6);
670  result &= (dor->next != NULL);
671  if (result == 0)
672  goto end;
673 
674  dor = dor->next;
675  result &= (dor->range1 == 7 && dor->range2 == 8);
676  if (result == 0)
677  goto end;
678 
679  dor = dor->next;
680  result &= (dor->range1 == 9 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
681  if (result == 0)
682  goto end;
683  } else {
684  result = 0;
685  }
686 
687  end:
688  SigFree(s);
689  return result;
690 }
691 
692 /**
693  * \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
694  */
695 static int DetectDceOpnumTestParse08(void)
696 {
697  int result = 0;
698  Signature *s = NULL;
699  ThreadVars th_v;
700  Packet *p = NULL;
701  Flow f;
702  TcpSession ssn;
703  DetectEngineThreadCtx *det_ctx = NULL;
704  DetectEngineCtx *de_ctx = NULL;
705  DCERPCState *dcerpc_state = NULL;
706  int r = 0;
707 
708  uint8_t dcerpc_bind[] = {
709  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
710  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
711  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
712  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
713  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
714  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
715  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
716  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
717  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
718  };
719 
720  uint8_t dcerpc_bindack[] = {
721  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
722  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
723  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
724  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
725  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
726  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
727  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
728  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
729  0x02, 0x00, 0x00, 0x00
730  };
731 
732  /* todo chop the request frag length and change the
733  * length related parameters in the frag */
734  uint8_t dcerpc_request[] = {
735  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
736  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
737  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
738  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
739  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
740  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
741  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
742  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
743  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
744  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
745  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
746  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
747  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
748  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
749  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
750  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
751  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
752  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
753  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
754  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
755  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
756  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
757  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
758  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
759  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
760  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
761  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
762  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
763  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
764  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
765  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
766  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
767  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
768  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
769  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
770  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
771  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
772  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
773  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
774  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
775  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
776  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
777  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
778  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
779  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
780  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
781  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
782  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
783  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
784  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
785  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
786  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
787  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
788  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
789  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
790  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
791  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
792  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
793  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
794  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
795  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
796  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
797  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
798  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
799  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
800  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
801  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
802  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
803  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
804  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
805  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
806  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
807  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
808  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
809  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
810  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
811  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
812  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
813  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
814  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
815  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
816  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
817  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
818  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
819  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
820  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
821  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
822  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
823  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
824  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
825  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
826  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
827  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
828  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
829  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
830  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
831  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
832  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
833  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
834  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
835  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
836  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
837  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
838  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
839  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
840  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
841  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
842  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
843  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
844  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
845  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
846  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
847  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
848  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
982  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
983  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
984  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
985  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
986  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
987  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
988  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
989  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
990  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
991  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
992  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
993  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
994  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
995  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
996  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
997  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
998  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
999  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1000  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1001  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1002  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1003  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1004  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1005  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1006  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1007  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1008  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1009  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1010  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1011  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1012  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1013  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1014  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1015  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1016  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1083  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1084  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1085  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1086  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1087  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1088  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1089  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1090  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1091  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1092  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1093  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1094  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1095  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1096  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1097  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1098  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1099  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1100  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1101  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1102  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1103  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1104  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1105  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1106  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1107  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1108  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1109  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1110  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1111  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1112  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x01, 0x02, 0x03, 0x04
1149  };
1150 
1151  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1152  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1153  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1154 
1155  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1156 
1157  memset(&th_v, 0, sizeof(th_v));
1158  memset(&f, 0, sizeof(f));
1159  memset(&ssn, 0, sizeof(ssn));
1160 
1161  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1162 
1163  FLOW_INITIALIZE(&f);
1164  f.protoctx = (void *)&ssn;
1165  f.proto = IPPROTO_TCP;
1166  p->flow = &f;
1167  p->flowflags |= FLOW_PKT_TOSERVER;
1168  p->flowflags |= FLOW_PKT_ESTABLISHED;
1169  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1170  f.alproto = ALPROTO_DCERPC;
1171 
1172  StreamTcpInitConfig(TRUE);
1173 
1174  de_ctx = DetectEngineCtxInit();
1175  if (de_ctx == NULL)
1176  goto end;
1177 
1178  de_ctx->flags |= DE_QUIET;
1179 
1180  s = de_ctx->sig_list = SigInit(de_ctx,
1181  "alert tcp any any -> any any "
1182  "(msg:\"DCERPC\"; "
1183  "dce_opnum:9; "
1184  "sid:1;)");
1185  if (s == NULL)
1186  goto end;
1187 
1188  SigGroupBuild(de_ctx);
1189  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1190 
1191  FLOWLOCK_WRLOCK(&f);
1192  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1193  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1194  dcerpc_bind_len);
1195  if (r != 0) {
1196  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1197  FLOWLOCK_UNLOCK(&f);
1198  goto end;
1199  }
1200  FLOWLOCK_UNLOCK(&f);
1201 
1202  dcerpc_state = f.alstate;
1203  if (dcerpc_state == NULL) {
1204  SCLogDebug("no dcerpc state: ");
1205  goto end;
1206  }
1207 
1208  FLOWLOCK_WRLOCK(&f);
1209  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1210  STREAM_TOCLIENT, dcerpc_bindack,
1211  dcerpc_bindack_len);
1212  if (r != 0) {
1213  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1214  FLOWLOCK_UNLOCK(&f);
1215  goto end;
1216  }
1217  FLOWLOCK_UNLOCK(&f);
1218 
1219  FLOWLOCK_WRLOCK(&f);
1220  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1221  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
1222  dcerpc_request_len);
1223  if (r != 0) {
1224  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1225  FLOWLOCK_UNLOCK(&f);
1226  goto end;
1227  }
1228  FLOWLOCK_UNLOCK(&f);
1229 
1230  dcerpc_state = f.alstate;
1231  if (dcerpc_state == NULL) {
1232  SCLogDebug("no dcerpc state: ");
1233  goto end;
1234  }
1235 
1236  /* do detect */
1237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1238 
1239  if (!PacketAlertCheck(p, 1))
1240  goto end;
1241 
1242  result = 1;
1243 
1244  end:
1245  if (alp_tctx != NULL)
1246  AppLayerParserThreadCtxFree(alp_tctx);
1247  SigGroupCleanup(de_ctx);
1248  SigCleanSignatures(de_ctx);
1249 
1250  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1251  DetectEngineCtxFree(de_ctx);
1252 
1253  StreamTcpFreeConfig(TRUE);
1254  FLOW_DESTROY(&f);
1255 
1256  UTHFreePackets(&p, 1);
1257  return result;
1258 }
1259 
1260 /**
1261  * \test Test a valid dce_opnum entry with only a request frag.
1262  */
1263 static int DetectDceOpnumTestParse09(void)
1264 {
1265  int result = 0;
1266  Signature *s = NULL;
1267  ThreadVars th_v;
1268  Packet *p = NULL;
1269  Flow f;
1270  TcpSession ssn;
1271  DetectEngineThreadCtx *det_ctx = NULL;
1272  DetectEngineCtx *de_ctx = NULL;
1273  DCERPCState *dcerpc_state = NULL;
1274  int r = 0;
1275 
1276  /* todo chop the request frag length and change the
1277  * length related parameters in the frag */
1278  uint8_t dcerpc_request[] = {
1279  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1280  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1281  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1282  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1283  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
1284  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
1285  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
1286  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
1287  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
1288  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
1289  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
1290  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
1291  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
1292  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
1293  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
1294  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
1295  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
1296  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
1297  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
1298  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
1299  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
1300  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
1301  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
1302  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
1303  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
1304  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
1305  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
1306  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
1307  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
1308  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
1309  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
1310  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
1311  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
1312  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
1313  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
1314  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
1315  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
1316  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
1317  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
1318  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
1319  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
1320  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
1321  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
1322  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
1323  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
1324  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
1325  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
1326  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
1327  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
1328  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
1329  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
1330  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
1331  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
1332  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
1333  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
1334  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
1335  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
1336  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
1337  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
1338  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
1339  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
1340  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
1341  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
1342  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
1343  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
1344  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
1345  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
1346  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
1347  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
1348  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
1349  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
1350  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
1351  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
1352  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
1353  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
1354  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
1355  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
1356  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
1357  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
1358  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
1359  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
1360  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
1361  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
1362  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
1363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1526  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1527  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1528  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1529  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1530  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1531  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1532  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1533  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1534  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1535  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1536  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1537  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1538  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1539  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1540  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1541  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1542  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1543  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1544  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1545  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1546  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1547  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1548  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1549  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1550  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1551  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1552  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1553  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1554  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1555  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1556  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1557  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1558  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1559  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1560  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1593  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1594  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1595  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1596  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1597  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1598  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1599  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1600  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1601  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1602  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1603  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1604  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1605  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1606  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1607  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1608  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1609  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1610  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1611  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1612  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1613  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1614  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1615  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1616  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1617  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1618  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1619  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1620  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1621  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1622  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1623  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1624  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1625  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1626  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1658  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1659  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1660  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1661  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1662  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1663  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1664  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1665  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1666  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1667  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1668  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1669  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1670  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1671  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1672  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1673  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1674  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1675  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1676  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1677  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1678  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1679  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1680  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1681  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1682  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1683  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1684  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1685  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1686  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1687  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1688  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1689  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1690  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1691  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1692  0x01, 0x02, 0x03, 0x04
1693  };
1694 
1695  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1696 
1697  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1698 
1699  memset(&th_v, 0, sizeof(th_v));
1700  memset(&f, 0, sizeof(f));
1701  memset(&ssn, 0, sizeof(ssn));
1702 
1703  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1704 
1705  FLOW_INITIALIZE(&f);
1706  f.protoctx = (void *)&ssn;
1707  f.proto = IPPROTO_TCP;
1708  p->flow = &f;
1709  p->flowflags |= FLOW_PKT_TOSERVER;
1710  p->flowflags |= FLOW_PKT_ESTABLISHED;
1711  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1712  f.alproto = ALPROTO_DCERPC;
1713 
1714  StreamTcpInitConfig(TRUE);
1715 
1716  de_ctx = DetectEngineCtxInit();
1717  if (de_ctx == NULL)
1718  goto end;
1719 
1720  de_ctx->flags |= DE_QUIET;
1721 
1722  s = de_ctx->sig_list = SigInit(de_ctx,
1723  "alert tcp any any -> any any "
1724  "(msg:\"DCERPC\"; "
1725  "dce_opnum:9; "
1726  "sid:1;)");
1727  if (s == NULL)
1728  goto end;
1729 
1730  SigGroupBuild(de_ctx);
1731  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1732 
1733  FLOWLOCK_WRLOCK(&f);
1734  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1735  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1736  dcerpc_request_len);
1737  if (r != 0) {
1738  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1739  FLOWLOCK_UNLOCK(&f);
1740  goto end;
1741  }
1742  FLOWLOCK_UNLOCK(&f);
1743 
1744  dcerpc_state = f.alstate;
1745  if (dcerpc_state == NULL) {
1746  SCLogDebug("no dcerpc state: ");
1747  goto end;
1748  }
1749 
1750  /* do detect */
1751  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1752 
1753  if (!PacketAlertCheck(p, 1))
1754  goto end;
1755 
1756  result = 1;
1757 
1758  end:
1759  if (alp_tctx != NULL)
1760  AppLayerParserThreadCtxFree(alp_tctx);
1761  SigGroupCleanup(de_ctx);
1762  SigCleanSignatures(de_ctx);
1763 
1764  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1765  DetectEngineCtxFree(de_ctx);
1766 
1767  StreamTcpFreeConfig(TRUE);
1768  FLOW_DESTROY(&f);
1769 
1770  UTHFreePackets(&p, 1);
1771  return result;
1772 }
1773 
1774 /* Disabled because of bug_753. Would be enabled, once we rewrite
1775  * dce parser */
1776 #if 0
1777 
1778 /**
1779  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1780  * and multiple request/responses with a match test after each frag parsing.
1781  */
1782 static int DetectDceOpnumTestParse10(void)
1783 {
1784  int result = 0;
1785  Signature *s = NULL;
1786  ThreadVars th_v;
1787  Packet *p = NULL;
1788  Flow f;
1789  TcpSession ssn;
1790  DetectEngineThreadCtx *det_ctx = NULL;
1791  DetectEngineCtx *de_ctx = NULL;
1792  DCERPCState *dcerpc_state = NULL;
1793  int r = 0;
1794 
1795  uint8_t dcerpc_bind[] = {
1796  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1797  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1798  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1799  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1800  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1801  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1802  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1803  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1804  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1805  };
1806 
1807  uint8_t dcerpc_bindack[] = {
1808  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1809  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1810  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1811  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1812  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1813  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1814  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1815  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1816  0x02, 0x00, 0x00, 0x00,
1817  };
1818 
1819  uint8_t dcerpc_request1[] = {
1820  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1821  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1822  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1823  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1824  0x00, 0x00, 0x00, 0x02,
1825  };
1826 
1827  uint8_t dcerpc_response1[] = {
1828  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1829  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1830  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1831  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1832  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1833  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1834  };
1835 
1836  uint8_t dcerpc_request2[] = {
1837  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1838  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1839  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1840  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1841  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1842  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1843  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1844  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1845  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1846  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1847  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1848  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1849  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1850  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1851  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1852  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1853  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1854  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1855  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1856  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1857  0x03, 0x00, 0x00, 0x00,
1858  };
1859 
1860  uint8_t dcerpc_response2[] = {
1861  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1862  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1863  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1864  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1865  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1866  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1867  };
1868 
1869  uint8_t dcerpc_request3[] = {
1870  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1871  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1872  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1873  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1874  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1875  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1876  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1877  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1878  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1879  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1880  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1881  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1882  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1883  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1884  };
1885 
1886  uint8_t dcerpc_response3[] = {
1887  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1888  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1889  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1890  0x00, 0x00, 0x00, 0x00,
1891  };
1892 
1893  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1894  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1895 
1896  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1897  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1898 
1899  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1900  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1901 
1902  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1903  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1904 
1905  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1906 
1907  memset(&th_v, 0, sizeof(th_v));
1908  memset(&f, 0, sizeof(f));
1909  memset(&ssn, 0, sizeof(ssn));
1910 
1911  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1912 
1913  FLOW_INITIALIZE(&f);
1914  f.protoctx = (void *)&ssn;
1915  f.proto = IPPROTO_TCP;
1916  p->flow = &f;
1917  p->flowflags |= FLOW_PKT_TOSERVER;
1918  p->flowflags |= FLOW_PKT_ESTABLISHED;
1919  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1920  f.alproto = ALPROTO_DCERPC;
1921 
1922  StreamTcpInitConfig(TRUE);
1923 
1924  de_ctx = DetectEngineCtxInit();
1925  if (de_ctx == NULL) {
1926  goto end;
1927  }
1928 
1929  de_ctx->flags |= DE_QUIET;
1930 
1931  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1932  "(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
1933  if (s == NULL) {
1934  goto end;
1935  }
1936 
1937  SigGroupBuild(de_ctx);
1938  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1939 
1940  SCLogDebug("sending bind");
1941 
1942  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1943  dcerpc_bind, dcerpc_bind_len);
1944  if (r != 0) {
1945  SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
1946  goto end;
1947  }
1948 
1949  dcerpc_state = f.alstate;
1950  if (dcerpc_state == NULL) {
1951  SCLogDebug("no dcerpc state: ");
1952  goto end;
1953  }
1954  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1955  p->flowflags |= FLOW_PKT_TOSERVER;
1956  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1957 
1958  SCLogDebug("sending bind_ack");
1959 
1960  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1961  dcerpc_bindack, dcerpc_bindack_len);
1962  if (r != 0) {
1963  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1964  goto end;
1965  }
1966  p->flowflags &=~ FLOW_PKT_TOSERVER;
1967  p->flowflags |= FLOW_PKT_TOCLIENT;
1968  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1969 
1970  SCLogDebug("sending request1");
1971 
1972  /* request1 */
1973  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1974  dcerpc_request1, dcerpc_request1_len);
1975  if (r != 0) {
1976  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1977  goto end;
1978  }
1979 
1980  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1981  p->flowflags |= FLOW_PKT_TOSERVER;
1982  /* do detect */
1983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1984 
1985  if (!PacketAlertCheck(p, 1)) {
1986  printf("sig 1 didn't match, but should have: ");
1987  goto end;
1988  }
1989 
1990  SCLogDebug("sending response1");
1991 
1992  /* response1 */
1993  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1994  dcerpc_response1, dcerpc_response1_len);
1995  if (r != 0) {
1996  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1997  goto end;
1998  }
1999 
2000  p->flowflags &=~ FLOW_PKT_TOSERVER;
2001  p->flowflags |= FLOW_PKT_TOCLIENT;
2002  /* do detect */
2003  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2004 
2005  if (PacketAlertCheck(p, 1)) {
2006  printf("sig 1 did match, shouldn't have on response1: ");
2007  goto end;
2008  }
2009 
2010  /* request2 */
2011  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2012  dcerpc_request2, dcerpc_request2_len);
2013  if (r != 0) {
2014  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2015  goto end;
2016  }
2017 
2018  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2019  p->flowflags |= FLOW_PKT_TOSERVER;
2020  /* do detect */
2021  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2022 
2023  if (!PacketAlertCheck(p, 1)) {
2024  printf("sig 1 didn't match, but should have on request2: ");
2025  goto end;
2026  }
2027 
2028  /* response2 */
2029  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2030  dcerpc_response2, dcerpc_response2_len);
2031  if (r != 0) {
2032  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2033  goto end;
2034  }
2035 
2036  p->flowflags &=~ FLOW_PKT_TOSERVER;
2037  p->flowflags |= FLOW_PKT_TOCLIENT;
2038  /* do detect */
2039  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2040 
2041  if (PacketAlertCheck(p, 1)) {
2042  printf("sig 1 did match, shouldn't have on response2: ");
2043  goto end;
2044  }
2045 
2046  /* request3 */
2047  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2048  dcerpc_request3, dcerpc_request3_len);
2049  if (r != 0) {
2050  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2051  goto end;
2052  }
2053 
2054  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2055  p->flowflags |= FLOW_PKT_TOSERVER;
2056  /* do detect */
2057  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2058 
2059  if (!PacketAlertCheck(p, 1)) {
2060  printf("sig 1 didn't match, but should have on request3: ");
2061  goto end;
2062  }
2063 
2064  /* response3 */
2065  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2066  dcerpc_response3, dcerpc_response3_len);
2067  if (r != 0) {
2068  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2069  goto end;
2070  }
2071 
2072  p->flowflags &=~ FLOW_PKT_TOSERVER;
2073  p->flowflags |= FLOW_PKT_TOCLIENT;
2074  /* do detect */
2075  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2076 
2077  if (PacketAlertCheck(p, 1)) {
2078  printf("sig 1 did match, shouldn't have on response2: ");
2079  goto end;
2080  }
2081 
2082  result = 1;
2083 
2084  end:
2085  if (alp_tctx != NULL)
2086  AppLayerDestroyCtxThread(alp_tctx);
2087  SigGroupCleanup(de_ctx);
2088  SigCleanSignatures(de_ctx);
2089 
2090  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2091  DetectEngineCtxFree(de_ctx);
2092 
2093  StreamTcpFreeConfig(TRUE);
2094  FLOW_DESTROY(&f);
2095 
2096  UTHFreePackets(&p, 1);
2097  return result;
2098 }
2099 
2100 /**
2101  * \test Test a valid dce_opnum entry(with multiple values) with multiple
2102  * request/responses.
2103  */
2104 static int DetectDceOpnumTestParse11(void)
2105 {
2106  int result = 0;
2107  Signature *s = NULL;
2108  ThreadVars th_v;
2109  Packet *p = NULL;
2110  Flow f;
2111  TcpSession ssn;
2112  DetectEngineThreadCtx *det_ctx = NULL;
2113  DetectEngineCtx *de_ctx = NULL;
2114  DCERPCState *dcerpc_state = NULL;
2115  int r = 0;
2116 
2117  uint8_t dcerpc_request1[] = {
2118  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2119  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2120  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2121  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
2122  0x00, 0x00, 0x00, 0x02,
2123  };
2124 
2125  uint8_t dcerpc_response1[] = {
2126  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2127  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2128  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2129  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2130  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2131  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2132  };
2133 
2134  uint8_t dcerpc_request2[] = {
2135  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2136  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2137  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
2138  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2139  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2140  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
2141  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
2142  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
2143  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
2144  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
2145  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
2146  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
2147  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
2148  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
2149  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
2150  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
2151  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
2152  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
2153  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
2154  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2155  0x03, 0x00, 0x00, 0x00,
2156  };
2157 
2158  uint8_t dcerpc_response2[] = {
2159  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2160  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2161  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2162  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2163  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2164  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2165  };
2166 
2167  uint8_t dcerpc_request3[] = {
2168  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2169  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2170  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
2171  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2172  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2173  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
2174  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
2175  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
2176  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
2177  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2178  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
2179  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
2180  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
2181  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
2182  };
2183 
2184  uint8_t dcerpc_response3[] = {
2185  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2186  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2187  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2188  0x00, 0x00, 0x00, 0x00,
2189  };
2190 
2191  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2192  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2193 
2194  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2195  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2196 
2197  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
2198  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
2199 
2200  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2201 
2202  memset(&th_v, 0, sizeof(th_v));
2203  memset(&f, 0, sizeof(f));
2204  memset(&ssn, 0, sizeof(ssn));
2205 
2206  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2207 
2208  FLOW_INITIALIZE(&f);
2209  f.protoctx = (void *)&ssn;
2210  f.proto = IPPROTO_TCP;
2211  p->flow = &f;
2212  p->flowflags |= FLOW_PKT_TOSERVER;
2213  p->flowflags |= FLOW_PKT_ESTABLISHED;
2214  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2215  f.alproto = ALPROTO_DCERPC;
2216 
2217  StreamTcpInitConfig(TRUE);
2218 
2219  de_ctx = DetectEngineCtxInit();
2220  if (de_ctx == NULL)
2221  goto end;
2222 
2223  de_ctx->flags |= DE_QUIET;
2224 
2225  s = de_ctx->sig_list = SigInit(de_ctx,
2226  "alert tcp any any -> any any "
2227  "(msg:\"DCERPC\"; "
2228  "dce_opnum:2-22; "
2229  "sid:1;)");
2230  if (s == NULL)
2231  goto end;
2232 
2233  SigGroupBuild(de_ctx);
2234  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2235 
2236  /* request1 */
2237  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2238  dcerpc_request1, dcerpc_request1_len);
2239  if (r != 0) {
2240  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2241  printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
2242  goto end;
2243  }
2244 
2245  dcerpc_state = f.alstate;
2246  if (dcerpc_state == NULL) {
2247  SCLogDebug("no dcerpc state: ");
2248  printf("no dcerpc state: ");
2249  goto end;
2250  }
2251 
2252  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2253  p->flowflags |= FLOW_PKT_TOSERVER;
2254  /* do detect */
2255  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2256 
2257  if (!PacketAlertCheck(p, 1))
2258  goto end;
2259 
2260  /* response1 */
2261  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2262  dcerpc_response1, dcerpc_response1_len);
2263  if (r != 0) {
2264  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2265  printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
2266  goto end;
2267  }
2268 
2269  p->flowflags &=~ FLOW_PKT_TOSERVER;
2270  p->flowflags |= FLOW_PKT_TOCLIENT;
2271  /* do detect */
2272  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2273 
2274  if (PacketAlertCheck(p, 1))
2275  goto end;
2276 
2277  /* request2 */
2278  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2279  dcerpc_request2, dcerpc_request2_len);
2280  if (r != 0) {
2281  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2282  printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
2283  goto end;
2284  }
2285 
2286  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2287  p->flowflags |= FLOW_PKT_TOSERVER;
2288  /* do detect */
2289  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2290 
2291  if (!PacketAlertCheck(p, 1))
2292  goto end;
2293 
2294  /* response2 */
2295  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2296  dcerpc_response2, dcerpc_response2_len);
2297  if (r != 0) {
2298  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2299  printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
2300  goto end;
2301  }
2302 
2303  p->flowflags &=~ FLOW_PKT_TOSERVER;
2304  p->flowflags |= FLOW_PKT_TOCLIENT;
2305  /* do detect */
2306  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2307 
2308  if (PacketAlertCheck(p, 1))
2309  goto end;
2310 
2311  /* request3 */
2312  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2313  dcerpc_request3, dcerpc_request3_len);
2314  if (r != 0) {
2315  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2316  printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
2317  goto end;
2318  }
2319 
2320  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2321  p->flowflags |= FLOW_PKT_TOSERVER;
2322  /* do detect */
2323  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2324 
2325  if (!PacketAlertCheck(p, 1))
2326  goto end;
2327 
2328  /* response3 */
2329  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2330  dcerpc_response3, dcerpc_response3_len);
2331  if (r != 0) {
2332  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2333  printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
2334  goto end;
2335  }
2336 
2337  p->flowflags &=~ FLOW_PKT_TOSERVER;
2338  p->flowflags |= FLOW_PKT_TOCLIENT;
2339  /* do detect */
2340  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2341 
2342  if (PacketAlertCheck(p, 1))
2343  goto end;
2344 
2345  result = 1;
2346 
2347  end:
2348  if (alp_tctx != NULL)
2349  AppLayerDestroyCtxThread(alp_tctx);
2350  SigGroupCleanup(de_ctx);
2351  SigCleanSignatures(de_ctx);
2352 
2353  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2354  DetectEngineCtxFree(de_ctx);
2355 
2356  StreamTcpFreeConfig(TRUE);
2357  FLOW_DESTROY(&f);
2358 
2359  UTHFreePackets(&p, 1);
2360  return result;
2361 }
2362 
2363 /**
2364  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2365  * and multiple request/responses with a match test after each frag parsing.
2366  */
2367 static int DetectDceOpnumTestParse12(void)
2368 {
2369  int result = 0;
2370  Signature *s = NULL;
2371  ThreadVars th_v;
2372  Packet *p = NULL;
2373  Flow f;
2374  TcpSession ssn;
2375  DetectEngineThreadCtx *det_ctx = NULL;
2376  DetectEngineCtx *de_ctx = NULL;
2377  DCERPCState *dcerpc_state = NULL;
2378  int r = 0;
2379 
2380  uint8_t dcerpc_bind[] = {
2381  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2382  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2383  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2384  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2385  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
2386  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
2387  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2388  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2389  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2390  };
2391 
2392  uint8_t dcerpc_bindack[] = {
2393  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
2394  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2395  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
2396  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
2397  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
2398  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2399  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2400  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2401  0x02, 0x00, 0x00, 0x00,
2402  };
2403 
2404  uint8_t dcerpc_request1[] = {
2405  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2406  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2407  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
2408  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2409  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2410  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2411  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2412  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2413  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2414  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2415  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2416  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2417  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2418  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2424  0x00, 0x00
2425  };
2426 
2427  uint8_t dcerpc_response1[] = {
2428  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2429  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2430  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2431  0x00, 0x00, 0x00, 0x00,
2432  };
2433 
2434  uint8_t dcerpc_request2[] = {
2435  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2436  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2437  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2438  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2439  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2440  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2441  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2442  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2443  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2444  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2445  0x4e, 0x6f, 0x6e, 0x65
2446  };
2447 
2448  uint8_t dcerpc_response2[] = {
2449  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2450  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2451  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2452  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2453  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2454  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2455  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2456  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2457  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2458  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2459  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2460  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2465  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2466  0x00, 0x00, 0x00, 0x00,
2467  };
2468 
2469  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
2470  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
2471 
2472  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2473  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2474 
2475  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2476  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2477 
2478  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2479 
2480  memset(&th_v, 0, sizeof(th_v));
2481  memset(&f, 0, sizeof(f));
2482  memset(&ssn, 0, sizeof(ssn));
2483 
2484  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2485 
2486  FLOW_INITIALIZE(&f);
2487  f.protoctx = (void *)&ssn;
2488  f.proto = IPPROTO_TCP;
2489  p->flow = &f;
2490  p->flowflags |= FLOW_PKT_TOSERVER;
2491  p->flowflags |= FLOW_PKT_ESTABLISHED;
2492  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2493  f.alproto = ALPROTO_DCERPC;
2494 
2495  StreamTcpInitConfig(TRUE);
2496 
2497  de_ctx = DetectEngineCtxInit();
2498  if (de_ctx == NULL)
2499  goto end;
2500 
2501  de_ctx->flags |= DE_QUIET;
2502 
2503  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
2504  "(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
2505  if (s == NULL)
2506  goto end;
2507 
2508  SigGroupBuild(de_ctx);
2509  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2510 
2511  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2512  dcerpc_bind, dcerpc_bind_len);
2513  if (r != 0) {
2514  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2515  goto end;
2516  }
2517  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2518  p->flowflags |= FLOW_PKT_TOSERVER;
2519  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2520 
2521  dcerpc_state = f.alstate;
2522  if (dcerpc_state == NULL) {
2523  printf("no dcerpc state: ");
2524  goto end;
2525  }
2526 
2527  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
2528  dcerpc_bindack_len);
2529  if (r != 0) {
2530  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2531  goto end;
2532  }
2533  p->flowflags &=~ FLOW_PKT_TOSERVER;
2534  p->flowflags |= FLOW_PKT_TOCLIENT;
2535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2536 
2537  /* request1 */
2538  SCLogDebug("Sending request1");
2539 
2540  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2541  dcerpc_request1_len);
2542  if (r != 0) {
2543  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2544  goto end;
2545  }
2546 
2547  dcerpc_state = f.alstate;
2548  if (dcerpc_state == NULL) {
2549  printf("no dcerpc state: ");
2550  goto end;
2551  }
2552 
2553  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2554  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2555  "expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2556  goto end;
2557  }
2558 
2559  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2560  p->flowflags |= FLOW_PKT_TOSERVER;
2561  /* do detect */
2562  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2563 
2564  if (!PacketAlertCheck(p, 1)) {
2565  printf("signature 1 didn't match, should have: ");
2566  goto end;
2567  }
2568 
2569  /* response1 */
2570  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2571  dcerpc_response1_len);
2572  if (r != 0) {
2573  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2574  goto end;
2575  }
2576 
2577  dcerpc_state = f.alstate;
2578  if (dcerpc_state == NULL) {
2579  printf("no dcerpc state: ");
2580  goto end;
2581  }
2582 
2583  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2584  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2585  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2586  goto end;
2587  }
2588 
2589  p->flowflags &=~ FLOW_PKT_TOSERVER;
2590  p->flowflags |= FLOW_PKT_TOCLIENT;
2591  /* do detect */
2592  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2593 
2594  if (PacketAlertCheck(p, 1)) {
2595  printf("sig 1 matched on response 1, but shouldn't: ");
2596  goto end;
2597  }
2598 
2599  /* request2 */
2600  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2601  dcerpc_request2_len);
2602  if (r != 0) {
2603  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2604  goto end;
2605  }
2606 
2607  dcerpc_state = f.alstate;
2608  if (dcerpc_state == NULL) {
2609  printf("no dcerpc state: ");
2610  goto end;
2611  }
2612 
2613  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2614  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2615  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2616  goto end;
2617  }
2618 
2619  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2620  p->flowflags |= FLOW_PKT_TOSERVER;
2621  /* do detect */
2622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2623 
2624  if (!PacketAlertCheck(p, 1)) {
2625  printf("sig 1 didn't match on request 2: ");
2626  goto end;
2627  }
2628 
2629  /* response2 */
2630  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2631  dcerpc_response2_len);
2632  if (r != 0) {
2633  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2634  goto end;
2635  }
2636 
2637  dcerpc_state = f.alstate;
2638  if (dcerpc_state == NULL) {
2639  printf("no dcerpc state: ");
2640  goto end;
2641  }
2642 
2643  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2644  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2645  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2646  goto end;
2647  }
2648 
2649  p->flowflags &=~ FLOW_PKT_TOSERVER;
2650  p->flowflags |= FLOW_PKT_TOCLIENT;
2651  /* do detect */
2652  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2653 
2654  if (PacketAlertCheck(p, 1)) {
2655  printf("sig 1 matched on response2, but shouldn't: ");
2656  goto end;
2657  }
2658 
2659  result = 1;
2660 
2661 end:
2662  if (alp_tctx != NULL)
2663  AppLayerDestroyCtxThread(alp_tctx);
2664  SigGroupCleanup(de_ctx);
2665  SigCleanSignatures(de_ctx);
2666 
2667  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2668  DetectEngineCtxFree(de_ctx);
2669 
2670  StreamTcpFreeConfig(TRUE);
2671  FLOW_DESTROY(&f);
2672 
2673  UTHFreePackets(&p, 1);
2674  return result;
2675 }
2676 
2677 /**
2678  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2679  * and multiple request/responses with a match test after each frag parsing.
2680  */
2681 static int DetectDceOpnumTestParse13(void)
2682 {
2683  int result = 0;
2684  Signature *s = NULL;
2685  ThreadVars th_v;
2686  Packet *p = NULL;
2687  Flow f;
2688  TcpSession ssn;
2689  DetectEngineThreadCtx *det_ctx = NULL;
2690  DetectEngineCtx *de_ctx = NULL;
2691  DCERPCState *dcerpc_state = NULL;
2692  int r = 0;
2693 
2694  uint8_t dcerpc_request1[] = {
2695  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2696  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2697  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
2698  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2699  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2700  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2701  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2702  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2703  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2704  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2705  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2706  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2707  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2708  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2709  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2710  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2711  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2712  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2713  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2714  0x00, 0x00
2715  };
2716 
2717  uint8_t dcerpc_response1[] = {
2718  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2719  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2720  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2721  0x00, 0x00, 0x00, 0x00,
2722  };
2723 
2724  uint8_t dcerpc_request2[] = {
2725  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2726  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2727  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2728  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2729  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2730  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2731  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2732  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2733  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2734  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2735  0x4e, 0x6f, 0x6e, 0x65
2736  };
2737 
2738  uint8_t dcerpc_response2[] = {
2739  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2740  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2741  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2742  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2743  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2744  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2745  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2746  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2747  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2748  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2749  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2750  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2751  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2752  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2753  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2754  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2755  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2756  0x00, 0x00, 0x00, 0x00,
2757  };
2758 
2759  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2760  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2761 
2762  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2763  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2764 
2765  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2766 
2767  memset(&th_v, 0, sizeof(th_v));
2768  memset(&f, 0, sizeof(f));
2769  memset(&ssn, 0, sizeof(ssn));
2770 
2771  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2772 
2773  FLOW_INITIALIZE(&f);
2774  f.protoctx = (void *)&ssn;
2775  f.proto = IPPROTO_TCP;
2776  p->flow = &f;
2777  p->flowflags |= FLOW_PKT_TOSERVER;
2778  p->flowflags |= FLOW_PKT_ESTABLISHED;
2779  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2780  f.alproto = ALPROTO_DCERPC;
2781 
2782  StreamTcpInitConfig(TRUE);
2783 
2784  de_ctx = DetectEngineCtxInit();
2785  if (de_ctx == NULL)
2786  goto end;
2787 
2788  de_ctx->flags |= DE_QUIET;
2789 
2790  s = de_ctx->sig_list = SigInit(de_ctx,
2791  "alert tcp any any -> any any "
2792  "(msg:\"DCERPC\"; "
2793  "dce_opnum:30, 40; "
2794  "sid:1;)");
2795  if (s == NULL)
2796  goto end;
2797 
2798  SigGroupBuild(de_ctx);
2799  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2800 
2801  /* request1 */
2802  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2803  dcerpc_request1_len);
2804  if (r != 0) {
2805  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2806  goto end;
2807  }
2808 
2809  dcerpc_state = f.alstate;
2810  if (dcerpc_state == NULL) {
2811  printf("no dcerpc state: ");
2812  goto end;
2813  }
2814 
2815  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2816  printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
2817  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2818  goto end;
2819  }
2820 
2821  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2822  p->flowflags |= FLOW_PKT_TOSERVER;
2823  /* do detect */
2824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2825 
2826  if (!PacketAlertCheck(p, 1))
2827  goto end;
2828 
2829  /* response1 */
2830  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2831  dcerpc_response1_len);
2832  if (r != 0) {
2833  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2834  goto end;
2835  }
2836 
2837  dcerpc_state = f.alstate;
2838  if (dcerpc_state == NULL) {
2839  printf("no dcerpc state: ");
2840  goto end;
2841  }
2842 
2843  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2844  printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
2845  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2846  goto end;
2847  }
2848 
2849  p->flowflags &=~ FLOW_PKT_TOSERVER;
2850  p->flowflags |= FLOW_PKT_TOCLIENT;
2851  /* do detect */
2852  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2853 
2854  if (PacketAlertCheck(p, 1))
2855  goto end;
2856 
2857  /* request2 */
2858  printf("Sending Request2\n");
2859  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2860  dcerpc_request2_len);
2861  if (r != 0) {
2862  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2863  goto end;
2864  }
2865 
2866  dcerpc_state = f.alstate;
2867  if (dcerpc_state == NULL) {
2868  printf("no dcerpc state: ");
2869  goto end;
2870  }
2871 
2872  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2873  printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
2874  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2875  goto end;
2876  }
2877 
2878  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2879  p->flowflags |= FLOW_PKT_TOSERVER;
2880  /* do detect */
2881  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2882 
2883  if (!PacketAlertCheck(p, 1))
2884  goto end;
2885 
2886  /* response2 */
2887  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2888  dcerpc_response2_len);
2889  if (r != 0) {
2890  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2891  goto end;
2892  }
2893 
2894  dcerpc_state = f.alstate;
2895  if (dcerpc_state == NULL) {
2896  printf("no dcerpc state: ");
2897  goto end;
2898  }
2899 
2900  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2901  printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
2902  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2903  goto end;
2904  }
2905 
2906  p->flowflags &=~ FLOW_PKT_TOSERVER;
2907  p->flowflags |= FLOW_PKT_TOCLIENT;
2908  /* do detect */
2909  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2910 
2911  if (PacketAlertCheck(p, 1))
2912  goto end;
2913 
2914  result = 1;
2915 
2916  end:
2917  if (alp_tctx != NULL)
2918  AppLayerDestroyCtxThread(alp_tctx);
2919  SigGroupCleanup(de_ctx);
2920  SigCleanSignatures(de_ctx);
2921 
2922  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2923  DetectEngineCtxFree(de_ctx);
2924 
2925  StreamTcpFreeConfig(TRUE);
2926  FLOW_DESTROY(&f);
2927 
2928  UTHFreePackets(&p, 1);
2929  return result;
2930 }
2931 #endif
2932 #endif /* UNITTESTS */
2933 
2934 static void DetectDceOpnumRegisterTests(void)
2935 {
2936 #ifdef UNITTESTS
2937  UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
2938  UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
2939  UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03);
2940  UtRegisterTest("DetectDceOpnumTestParse04", DetectDceOpnumTestParse04);
2941  UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05);
2942  UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06);
2943  UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07);
2944  UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08);
2945  UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09);
2946  /* Disabled because of bug_753. Would be enabled, once we rewrite
2947  * dce parser */
2948 #if 0
2949  UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
2950  UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
2951  UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
2952  UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
2953 #endif
2954 #endif
2955 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2190
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
flags
uint16_t flags
Definition: app-layer-dns-common.h:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-opnum.c:56
DetectDceOpnumData_
Definition: detect-dce-opnum.h:36
Packet_::flow
struct Flow_ * flow
Definition: decode.h:444
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DetectDceOpnumRange_::next
struct DetectDceOpnumRange_ * next
Definition: detect-dce-opnum.h:33
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:346
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:235
DetectDceOpnumRange_
Definition: detect-dce-opnum.h:30
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1910
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:726
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DCE_OPNUM_RANGE_MAX
#define DCE_OPNUM_RANGE_MAX
Definition: detect-dce-opnum.h:27
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:232
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1160
Signature_
Signature container.
Definition: detect.h:492
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Flow_::protoctx
void * protoctx
Definition: flow.h:398
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:720
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
Flow_::alstate
void * alstate
Definition: flow.h:436
DE_QUIET
#define DE_QUIET
Definition: detect.h:298
DetectDceOpnumData_::range
DetectDceOpnumRange * range
Definition: detect-dce-opnum.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:721
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1151
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1291
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1893
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2276
DetectDceOpnumRange_::range1
uint32_t range1
Definition: detect-dce-opnum.h:31
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:438
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246
DetectDceOpnumRegister
void DetectDceOpnumRegister(void)
Registers the keyword handlers for the "dce_opnum" keyword.
Definition: detect-dce-opnum.c:78
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1965
DCERPCRequest_::opnum
uint16_t opnum
Definition: app-layer-dcerpc-common.h:171
SigMatch_::type
uint8_t type
Definition: detect.h:325
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
index
#define index
Definition: win32-misc.h:29
Packet_
Definition: decode.h:406
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:654
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1168
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:327
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:174
SCFree
#define SCFree(a)
Definition: util-mem.h:236
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:805
DetectDceOpnumRange_::range2
uint32_t range2
Definition: detect-dce-opnum.h:32
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1101
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:220
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectDceGetState
DCERPCState * DetectDceGetState(AppProto alproto, void *alstate)
Definition: detect-dce-iface.c:250
DetectEngineThreadCtx_
Definition: detect.h:962
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:194
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:407
Packet_::flags
uint32_t flags
Definition: decode.h:442
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:327
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1099
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1152
SigMatch_
a single match condition for a signature
Definition: detect.h:324
DCE_OPNUM_RANGE_UNINITIALIZED
#define DCE_OPNUM_RANGE_UNINITIALIZED
Definition: detect-dce-opnum.h:28
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640