suricata
detect-dce-opnum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements dce_opnum keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-engine-state.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 #include "flow-util.h"
38 
39 #include "app-layer.h"
40 #include "app-layer-dcerpc.h"
41 #include "queue.h"
42 #include "stream-tcp-reassemble.h"
43 #include "detect-dce-opnum.h"
44 #include "detect-dce-iface.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "stream-tcp.h"
50 
51 #include "rust.h"
52 #include "rust-smb-detect-gen.h"
53 
54 #define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
55 
56 static pcre *parse_regex = NULL;
57 static pcre_extra *parse_regex_study = NULL;
58 
59 static int DetectDceOpnumMatchRust(ThreadVars *t,
60  DetectEngineThreadCtx *det_ctx,
61  Flow *f, uint8_t flags, void *state, void *txv,
62  const Signature *s, const SigMatchCtx *m);
63 static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectDceOpnumFree(void *);
65 static void DetectDceOpnumRegisterTests(void);
66 static int g_dce_generic_list_id = 0;
67 
68 /**
69  * \brief Registers the keyword handlers for the "dce_opnum" keyword.
70  */
71 void DetectDceOpnumRegister(void)
72 {
73  sigmatch_table[DETECT_DCE_OPNUM].name = "dcerpc.opnum";
74  sigmatch_table[DETECT_DCE_OPNUM].alias = "dce_opnum";
75  sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatchRust;
76  sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
77  sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
78  sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
79 
80  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
81 
82  g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
83 }
84 
85 /**
86  * \internal
87  * \brief Creates and returns a new instance of DetectDceOpnumRange.
88  *
89  * \retval dor Pointer to the new instance DetectDceOpnumRange.
90  */
91 static DetectDceOpnumRange *DetectDceOpnumAllocDetectDceOpnumRange(void)
92 {
93  DetectDceOpnumRange *dor = NULL;
94 
95  if ( (dor = SCCalloc(1, sizeof(DetectDceOpnumRange))) == NULL)
96  return NULL;
97  dor->range1 = dor->range2 = DCE_OPNUM_RANGE_UNINITIALIZED;
98  return dor;
99 }
100 
101 /**
102  * \internal
103  * \brief Parses the argument sent along with the "dce_opnum" keyword.
104  *
105  * \param arg Pointer to the string containing the argument to be parsed.
106  *
107  * \retval did Pointer to a DetectDceIfaceData instance that holds the data
108  * from the parsed arg.
109  */
110 static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
111 {
112  DetectDceOpnumData *dod = NULL;
113 
114  DetectDceOpnumRange *dor = NULL;
115  DetectDceOpnumRange *prev_dor = NULL;
116 
117 #define MAX_SUBSTRINGS 30
118  int ret = 0, res = 0;
119  int ov[MAX_SUBSTRINGS];
120  const char *pcre_sub_str = NULL;
121 
122  char *dup_str = NULL;
123  char *dup_str_temp = NULL;
124  char *dup_str_head = NULL;
125  char *comma_token = NULL;
126  char *hyphen_token = NULL;
127 
128  if (arg == NULL) {
129  goto error;
130  }
131 
132  ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
133  MAX_SUBSTRINGS);
134  if (ret < 2) {
135  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
136  goto error;
137  }
138 
139  res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 0, &pcre_sub_str);
140  if (res < 0) {
141  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
142  goto error;
143  }
144 
145  if ( (dod = SCMalloc(sizeof(DetectDceOpnumData))) == NULL)
146  goto error;
147  memset(dod, 0, sizeof(DetectDceOpnumData));
148 
149  if ( (dup_str = SCStrdup(pcre_sub_str)) == NULL) {
150  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
151  goto error;
152  }
153 
154  /* free the substring */
155  pcre_free_substring(pcre_sub_str);
156 
157  /* keep a copy of the strdup string in dup_str_head so that we can free it
158  * once we are done using it */
159  dup_str_head = dup_str;
160  dup_str_temp = dup_str;
161  while ( (comma_token = index(dup_str, ',')) != NULL) {
162  comma_token[0] = '\0';
163  dup_str = comma_token + 1;
164 
165  dor = DetectDceOpnumAllocDetectDceOpnumRange();
166  if (dor == NULL)
167  goto error;
168  if (prev_dor == NULL) {
169  prev_dor = dor;
170  dod->range = dor;
171  } else {
172  prev_dor->next = dor;
173  prev_dor = dor;
174  }
175 
176  if ((hyphen_token = index(dup_str_temp, '-')) != NULL) {
177  hyphen_token[0] = '\0';
178  hyphen_token++;
179  dor->range1 = atoi(dup_str_temp);
180  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
181  goto error;
182  dor->range2 = atoi(hyphen_token);
183  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
184  goto error;
185  if (dor->range1 > dor->range2)
186  goto error;
187  }
188  dor->range1 = atoi(dup_str_temp);
189  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
190  goto error;
191 
192  dup_str_temp = dup_str;
193  }
194 
195  dor = DetectDceOpnumAllocDetectDceOpnumRange();
196  if (dor == NULL)
197  goto error;
198  if (prev_dor == NULL) {
199  dod->range = dor;
200  } else {
201  prev_dor->next = dor;
202  }
203 
204  if ( (hyphen_token = index(dup_str, '-')) != NULL) {
205  hyphen_token[0] = '\0';
206  hyphen_token++;
207  dor->range1 = atoi(dup_str);
208  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
209  goto error;
210  dor->range2 = atoi(hyphen_token);
211  if (dor->range2 > DCE_OPNUM_RANGE_MAX)
212  goto error;
213  if (dor->range1 > dor->range2)
214  goto error;
215  }
216  dor->range1 = atoi(dup_str);
217  if (dor->range1 > DCE_OPNUM_RANGE_MAX)
218  goto error;
219 
220  if (dup_str_head != NULL)
221  SCFree(dup_str_head);
222 
223  return dod;
224 
225  error:
226  if (dup_str_head != NULL)
227  SCFree(dup_str_head);
228  DetectDceOpnumFree(dod);
229  return NULL;
230 }
231 
232 /**
233  * \brief App layer match function for the "dce_opnum" keyword.
234  *
235  * \param t Pointer to the ThreadVars instance.
236  * \param det_ctx Pointer to the DetectEngineThreadCtx.
237  * \param f Pointer to the flow.
238  * \param flags Pointer to the flags indicating the flow direction.
239  * \param state Pointer to the app layer state data.
240  * \param s Pointer to the Signature instance.
241  * \param m Pointer to the SigMatch.
242  *
243  * \retval 1 On Match.
244  * \retval 0 On no match.
245  */
246 static int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
247  Flow *f, uint8_t flags, void *state, void *txv,
248  const Signature *s, const SigMatchCtx *m)
249 {
250  SCEnter();
251 
252  DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
253 
254  DCERPCState *dcerpc_state = state;
255  if (dcerpc_state == NULL) {
256  SCLogDebug("No DCERPCState for the flow");
257  SCReturnInt(0);
258  }
259 
260  uint16_t opnum = dcerpc_state->dcerpc.dcerpcrequest.opnum;
261  DetectDceOpnumRange *dor = dce_data->range;
262  for ( ; dor != NULL; dor = dor->next) {
263  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
264  if (dor->range1 == opnum) {
265  SCReturnInt(1);
266  }
267  } else {
268  if (dor->range1 <= opnum && dor->range2 >= opnum)
269  {
270  SCReturnInt(1);
271  }
272  }
273  }
274 
275  SCReturnInt(0);
276 }
277 
278 static int DetectDceOpnumMatchRust(ThreadVars *t,
279  DetectEngineThreadCtx *det_ctx,
280  Flow *f, uint8_t flags, void *state, void *txv,
281  const Signature *s, const SigMatchCtx *m)
282 {
283  SCEnter();
284 
285  if (f->alproto == ALPROTO_DCERPC) {
286  return DetectDceOpnumMatch(t, det_ctx, f, flags,
287  state, txv, s, m);
288  }
289 
290  const DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
291  const DetectDceOpnumRange *dor = dce_data->range;
292 
293  uint16_t opnum;
294  if (rs_smb_tx_get_dce_opnum(txv, &opnum) != 1)
295  SCReturnInt(0);
296  SCLogDebug("(rust) opnum %u", opnum);
297 
298  for ( ; dor != NULL; dor = dor->next) {
299  if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
300  if (dor->range1 == opnum) {
301  SCReturnInt(1);
302  }
303  } else {
304  if (dor->range1 <= opnum && dor->range2 >= opnum) {
305  SCReturnInt(1);
306  }
307  }
308  }
309 
310  SCReturnInt(0);
311 }
312 
313 /**
314  * \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
315  * and appends it to the Signature(s).
316  *
317  * \param de_ctx Pointer to the detection engine context.
318  * \param s Pointer to signature for the current Signature being parsed
319  * from the rules.
320  * \param arg Pointer to the string holding the keyword value.
321  *
322  * \retval 0 on success, -1 on failure
323  */
324 
325 static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
326 {
327  if (arg == NULL) {
328  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
329  "signature, option needs a value");
330  return -1;
331  }
332 
333  DetectDceOpnumData *dod = DetectDceOpnumArgParse(arg);
334  if (dod == NULL) {
335  SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
336  "signature");
337  return -1;
338  }
339 
340  SigMatch *sm = SigMatchAlloc();
341  if (sm == NULL) {
342  DetectDceOpnumFree(dod);
343  return -1;
344  }
345 
346  sm->type = DETECT_DCE_OPNUM;
347  sm->ctx = (void *)dod;
348 
349  SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
350  return 0;
351 }
352 
353 static void DetectDceOpnumFree(void *ptr)
354 {
355  DetectDceOpnumData *dod = ptr;
356  DetectDceOpnumRange *dor = NULL;
357  DetectDceOpnumRange *dor_temp = NULL;
358 
359  if (dod != NULL) {
360  dor = dod->range;
361  while (dor != NULL) {
362  dor_temp = dor;
363  dor = dor->next;
364  SCFree(dor_temp);
365  }
366  SCFree(dod);
367  }
368 
369  return;
370 }
371 
372 /************************************Unittests*********************************/
373 
374 #ifdef UNITTESTS
375 
376 static int DetectDceOpnumTestParse01(void)
377 {
378  Signature *s = SigAlloc();
379  int result = 0;
380 
381  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
382  result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
383  result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
384  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-78") == 0);
385  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513-6666") == 0);
386  result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
387  result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
388 
389  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
390  SigFree(s);
391  result &= 1;
392  }
393 
394  return result;
395 }
396 
397 static int DetectDceOpnumTestParse02(void)
398 {
399  Signature *s = SigAlloc();
400  int result = 0;
401  DetectDceOpnumData *dod = NULL;
402  DetectDceOpnumRange *dor = NULL;
403  SigMatch *temp = NULL;
404 
405  result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
406 
407  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
408  temp = s->sm_lists[g_dce_generic_list_id];
409  dod = (DetectDceOpnumData *)temp->ctx;
410  if (dod == NULL)
411  goto end;
412  dor = dod->range;
413  result &= (dor->range1 == 12 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
414  result &= (dor->next == NULL);
415  } else {
416  result = 0;
417  }
418 
419  end:
420  SigFree(s);
421  return result;
422 }
423 
424 static int DetectDceOpnumTestParse03(void)
425 {
426  Signature *s = SigAlloc();
427  int result = 0;
428  DetectDceOpnumData *dod = NULL;
429  DetectDceOpnumRange *dor = NULL;
430  SigMatch *temp = NULL;
431 
432  result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
433 
434  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
435  temp = s->sm_lists[g_dce_generic_list_id];
436  dod = (DetectDceOpnumData *)temp->ctx;
437  if (dod == NULL)
438  goto end;
439  dor = dod->range;
440  result &= (dor->range1 == 12 && dor->range2 == 24);
441  result &= (dor->next == NULL);
442  } else {
443  result = 0;
444  }
445 
446  end:
447  SigFree(s);
448  return result;
449 }
450 
451 static int DetectDceOpnumTestParse04(void)
452 {
453  Signature *s = SigAlloc();
454  int result = 0;
455  DetectDceOpnumData *dod = NULL;
456  DetectDceOpnumRange *dor = NULL;
457  SigMatch *temp = NULL;
458 
459  result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
460 
461  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
462  temp = s->sm_lists[g_dce_generic_list_id];
463  dod = (DetectDceOpnumData *)temp->ctx;
464  if (dod == NULL)
465  goto end;
466  dor = dod->range;
467  result &= (dor->range1 == 12 && dor->range2 == 24);
468  result &= (dor->next != NULL);
469  if (result == 0)
470  goto end;
471 
472  dor = dor->next;
473  result &= (dor->range1 == 24 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
474  result &= (dor->next != NULL);
475  if (result == 0)
476  goto end;
477 
478  dor = dor->next;
479  result &= (dor->range1 == 62 && dor->range2 == 72);
480  result &= (dor->next != NULL);
481  if (result == 0)
482  goto end;
483 
484  dor = dor->next;
485  result &= (dor->range1 == 623 && dor->range2 == 635);
486  result &= (dor->next != NULL);
487  if (result == 0)
488  goto end;
489 
490  dor = dor->next;
491  result &= (dor->range1 == 62 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
492  result &= (dor->next != NULL);
493  if (result == 0)
494  goto end;
495 
496  dor = dor->next;
497  result &= (dor->range1 == 25 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
498  result &= (dor->next != NULL);
499  if (result == 0)
500  goto end;
501 
502  dor = dor->next;
503  result &= (dor->range1 == 213 && dor->range2 == 235);
504  if (result == 0)
505  goto end;
506  } else {
507  result = 0;
508  }
509 
510  end:
511  SigFree(s);
512  return result;
513 }
514 
515 static int DetectDceOpnumTestParse05(void)
516 {
517  Signature *s = SigAlloc();
518  int result = 0;
519  DetectDceOpnumData *dod = NULL;
520  DetectDceOpnumRange *dor = NULL;
521  SigMatch *temp = NULL;
522 
523  result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
524 
525  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
526  temp = s->sm_lists[g_dce_generic_list_id];
527  dod = (DetectDceOpnumData *)temp->ctx;
528  if (dod == NULL)
529  goto end;
530  dor = dod->range;
531  result &= (dor->range1 == 1 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
532  result &= (dor->next != NULL);
533  if (result == 0)
534  goto end;
535 
536  dor = dor->next;
537  result &= (dor->range1 == 2 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
538  result &= (dor->next != NULL);
539  if (result == 0)
540  goto end;
541 
542  dor = dor->next;
543  result &= (dor->range1 == 3 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
544  result &= (dor->next != NULL);
545  if (result == 0)
546  goto end;
547 
548  dor = dor->next;
549  result &= (dor->range1 == 4 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
550  result &= (dor->next != NULL);
551  if (result == 0)
552  goto end;
553 
554  dor = dor->next;
555  result &= (dor->range1 == 5 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
556  result &= (dor->next != NULL);
557  if (result == 0)
558  goto end;
559 
560  dor = dor->next;
561  result &= (dor->range1 == 6 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
562  result &= (dor->next != NULL);
563  if (result == 0)
564  goto end;
565 
566  dor = dor->next;
567  result &= (dor->range1 == 7 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
568  if (result == 0)
569  goto end;
570  } else {
571  result = 0;
572  }
573 
574  end:
575  SigFree(s);
576  return result;
577 }
578 
579 static int DetectDceOpnumTestParse06(void)
580 {
581  Signature *s = SigAlloc();
582  int result = 0;
583  DetectDceOpnumData *dod = NULL;
584  DetectDceOpnumRange *dor = NULL;
585  SigMatch *temp = NULL;
586 
587  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
588 
589  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
590  temp = s->sm_lists[g_dce_generic_list_id];
591  dod = (DetectDceOpnumData *)temp->ctx;
592  if (dod == NULL)
593  goto end;
594  dor = dod->range;
595  result &= (dor->range1 == 1 && dor->range2 == 2);
596  result &= (dor->next != NULL);
597  if (result == 0)
598  goto end;
599 
600  dor = dor->next;
601  result &= (dor->range1 == 3 && dor->range2 == 4);
602  result &= (dor->next != NULL);
603  if (result == 0)
604  goto end;
605 
606  dor = dor->next;
607  result &= (dor->range1 == 5 && dor->range2 == 6);
608  result &= (dor->next != NULL);
609  if (result == 0)
610  goto end;
611 
612  dor = dor->next;
613  result &= (dor->range1 == 7 && dor->range2 == 8);
614  if (result == 0)
615  goto end;
616  } else {
617  result = 0;
618  }
619 
620  end:
621  SigFree(s);
622  return result;
623 }
624 
625 static int DetectDceOpnumTestParse07(void)
626 {
627  Signature *s = SigAlloc();
628  int result = 0;
629  DetectDceOpnumData *dod = NULL;
630  DetectDceOpnumRange *dor = NULL;
631  SigMatch *temp = NULL;
632 
633  result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
634 
635  if (s->sm_lists[g_dce_generic_list_id] != NULL) {
636  temp = s->sm_lists[g_dce_generic_list_id];
637  dod = (DetectDceOpnumData *)temp->ctx;
638  if (dod == NULL)
639  goto end;
640  dor = dod->range;
641  result &= (dor->range1 == 1 && dor->range2 == 2);
642  result &= (dor->next != NULL);
643  if (result == 0)
644  goto end;
645 
646  dor = dor->next;
647  result &= (dor->range1 == 3 && dor->range2 == 4);
648  result &= (dor->next != NULL);
649  if (result == 0)
650  goto end;
651 
652  dor = dor->next;
653  result &= (dor->range1 == 5 && dor->range2 == 6);
654  result &= (dor->next != NULL);
655  if (result == 0)
656  goto end;
657 
658  dor = dor->next;
659  result &= (dor->range1 == 7 && dor->range2 == 8);
660  if (result == 0)
661  goto end;
662 
663  dor = dor->next;
664  result &= (dor->range1 == 9 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
665  if (result == 0)
666  goto end;
667  } else {
668  result = 0;
669  }
670 
671  end:
672  SigFree(s);
673  return result;
674 }
675 
676 /**
677  * \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
678  */
679 static int DetectDceOpnumTestParse08(void)
680 {
681  int result = 0;
682  Signature *s = NULL;
683  ThreadVars th_v;
684  Packet *p = NULL;
685  Flow f;
686  TcpSession ssn;
687  DetectEngineThreadCtx *det_ctx = NULL;
688  DetectEngineCtx *de_ctx = NULL;
689  DCERPCState *dcerpc_state = NULL;
690  int r = 0;
691 
692  uint8_t dcerpc_bind[] = {
693  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
694  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
695  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
696  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
697  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
698  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
699  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
700  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
701  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
702  };
703 
704  uint8_t dcerpc_bindack[] = {
705  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
706  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
707  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
708  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
709  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
710  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
711  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
712  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
713  0x02, 0x00, 0x00, 0x00
714  };
715 
716  /* todo chop the request frag length and change the
717  * length related parameters in the frag */
718  uint8_t dcerpc_request[] = {
719  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
720  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
721  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
722  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
723  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
724  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
725  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
726  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
727  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
728  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
729  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
730  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
731  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
732  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
733  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
734  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
735  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
736  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
737  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
738  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
739  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
740  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
741  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
742  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
743  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
744  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
745  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
746  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
747  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
748  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
749  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
750  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
751  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
752  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
753  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
754  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
755  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
756  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
757  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
758  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
759  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
760  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
761  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
762  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
763  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
764  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
765  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
766  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
767  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
768  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
769  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
770  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
771  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
772  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
773  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
774  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
775  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
776  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
777  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
778  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
779  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
780  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
781  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
782  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
783  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
784  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
785  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
786  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
787  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
788  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
789  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
790  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
791  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
792  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
793  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
794  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
795  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
796  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
797  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
798  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
799  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
800  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
801  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
802  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
803  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
804  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
805  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
806  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
807  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
808  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
809  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
810  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
811  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
812  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
813  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
814  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
815  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
816  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
817  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
818  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
819  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
820  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
821  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
822  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
823  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
824  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
825  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
826  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
827  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
828  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
829  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
830  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
831  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
832  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
833  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
834  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
835  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
836  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
837  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
838  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
839  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
840  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
841  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
842  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
843  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
844  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
845  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
846  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
847  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
848  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
966  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
967  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
968  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
969  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
970  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
971  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
972  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
973  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
974  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
975  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
976  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
977  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
978  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
979  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
980  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
981  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
982  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
983  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
984  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
985  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
986  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
987  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
988  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
989  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
990  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
991  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
992  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
993  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
994  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
995  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
996  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
997  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
998  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
999  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1000  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1067  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1068  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1069  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1070  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1071  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1072  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1073  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1074  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1075  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1076  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1077  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1078  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1079  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1080  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1081  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1082  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1083  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1084  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1085  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1086  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1087  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1088  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1089  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1090  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1091  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1092  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1093  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1094  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1095  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1096  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1097  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1098  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1099  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1100  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1101  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1102  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1103  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1104  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1105  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1106  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1107  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1108  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1109  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1110  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1111  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1112  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x01, 0x02, 0x03, 0x04
1133  };
1134 
1135  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1136  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1137  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1138 
1139  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1140 
1141  memset(&th_v, 0, sizeof(th_v));
1142  memset(&f, 0, sizeof(f));
1143  memset(&ssn, 0, sizeof(ssn));
1144 
1145  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1146 
1147  FLOW_INITIALIZE(&f);
1148  f.protoctx = (void *)&ssn;
1149  f.proto = IPPROTO_TCP;
1150  p->flow = &f;
1151  p->flowflags |= FLOW_PKT_TOSERVER;
1152  p->flowflags |= FLOW_PKT_ESTABLISHED;
1153  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1154  f.alproto = ALPROTO_DCERPC;
1155 
1156  StreamTcpInitConfig(TRUE);
1157 
1158  de_ctx = DetectEngineCtxInit();
1159  if (de_ctx == NULL)
1160  goto end;
1161 
1162  de_ctx->flags |= DE_QUIET;
1163 
1164  s = de_ctx->sig_list = SigInit(de_ctx,
1165  "alert tcp any any -> any any "
1166  "(msg:\"DCERPC\"; "
1167  "dce_opnum:9; "
1168  "sid:1;)");
1169  if (s == NULL)
1170  goto end;
1171 
1172  SigGroupBuild(de_ctx);
1173  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1174 
1175  FLOWLOCK_WRLOCK(&f);
1176  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1177  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1178  dcerpc_bind_len);
1179  if (r != 0) {
1180  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1181  FLOWLOCK_UNLOCK(&f);
1182  goto end;
1183  }
1184  FLOWLOCK_UNLOCK(&f);
1185 
1186  dcerpc_state = f.alstate;
1187  if (dcerpc_state == NULL) {
1188  SCLogDebug("no dcerpc state: ");
1189  goto end;
1190  }
1191 
1192  FLOWLOCK_WRLOCK(&f);
1193  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1194  STREAM_TOCLIENT, dcerpc_bindack,
1195  dcerpc_bindack_len);
1196  if (r != 0) {
1197  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1198  FLOWLOCK_UNLOCK(&f);
1199  goto end;
1200  }
1201  FLOWLOCK_UNLOCK(&f);
1202 
1203  FLOWLOCK_WRLOCK(&f);
1204  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1205  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
1206  dcerpc_request_len);
1207  if (r != 0) {
1208  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1209  FLOWLOCK_UNLOCK(&f);
1210  goto end;
1211  }
1212  FLOWLOCK_UNLOCK(&f);
1213 
1214  dcerpc_state = f.alstate;
1215  if (dcerpc_state == NULL) {
1216  SCLogDebug("no dcerpc state: ");
1217  goto end;
1218  }
1219 
1220  /* do detect */
1221  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1222 
1223  if (!PacketAlertCheck(p, 1))
1224  goto end;
1225 
1226  result = 1;
1227 
1228  end:
1229  if (alp_tctx != NULL)
1230  AppLayerParserThreadCtxFree(alp_tctx);
1231  SigGroupCleanup(de_ctx);
1232  SigCleanSignatures(de_ctx);
1233 
1234  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1235  DetectEngineCtxFree(de_ctx);
1236 
1237  StreamTcpFreeConfig(TRUE);
1238  FLOW_DESTROY(&f);
1239 
1240  UTHFreePackets(&p, 1);
1241  return result;
1242 }
1243 
1244 /**
1245  * \test Test a valid dce_opnum entry with only a request frag.
1246  */
1247 static int DetectDceOpnumTestParse09(void)
1248 {
1249  int result = 0;
1250  Signature *s = NULL;
1251  ThreadVars th_v;
1252  Packet *p = NULL;
1253  Flow f;
1254  TcpSession ssn;
1255  DetectEngineThreadCtx *det_ctx = NULL;
1256  DetectEngineCtx *de_ctx = NULL;
1257  DCERPCState *dcerpc_state = NULL;
1258  int r = 0;
1259 
1260  /* todo chop the request frag length and change the
1261  * length related parameters in the frag */
1262  uint8_t dcerpc_request[] = {
1263  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1264  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1265  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
1266  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1267  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
1268  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
1269  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
1270  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
1271  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
1272  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
1273  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
1274  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
1275  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
1276  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
1277  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
1278  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
1279  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
1280  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
1281  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
1282  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
1283  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
1284  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
1285  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
1286  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
1287  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
1288  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
1289  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
1290  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
1291  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
1292  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
1293  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
1294  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
1295  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
1296  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
1297  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
1298  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
1299  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
1300  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
1301  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
1302  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
1303  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
1304  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
1305  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
1306  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
1307  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
1308  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
1309  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
1310  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
1311  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
1312  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
1313  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
1314  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
1315  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
1316  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
1317  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
1318  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
1319  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
1320  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
1321  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
1322  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
1323  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
1324  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
1325  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
1326  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
1327  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
1328  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
1329  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
1330  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
1331  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
1332  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
1333  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
1334  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
1335  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
1336  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
1337  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
1338  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
1339  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
1340  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
1341  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
1342  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
1343  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
1344  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
1345  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
1346  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
1347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1510  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1511  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1512  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1513  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1514  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1515  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1516  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1517  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1518  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1519  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1520  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1521  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1522  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1523  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1524  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1525  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1526  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1527  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1528  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1529  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1530  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1531  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1532  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1533  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1534  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1535  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1536  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1537  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1538  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1539  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1540  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1541  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1542  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1543  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1544  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1593  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1594  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1595  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1596  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1597  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1598  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1599  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1600  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1601  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1602  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1603  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1604  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1605  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1606  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1607  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1608  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1609  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1610  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1658  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1659  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1660  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1661  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1662  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1663  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1664  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1665  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1666  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1667  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1668  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1669  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1670  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1671  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1672  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1673  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1674  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1675  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1676  0x01, 0x02, 0x03, 0x04
1677  };
1678 
1679  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1680 
1681  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1682 
1683  memset(&th_v, 0, sizeof(th_v));
1684  memset(&f, 0, sizeof(f));
1685  memset(&ssn, 0, sizeof(ssn));
1686 
1687  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1688 
1689  FLOW_INITIALIZE(&f);
1690  f.protoctx = (void *)&ssn;
1691  f.proto = IPPROTO_TCP;
1692  p->flow = &f;
1693  p->flowflags |= FLOW_PKT_TOSERVER;
1694  p->flowflags |= FLOW_PKT_ESTABLISHED;
1695  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1696  f.alproto = ALPROTO_DCERPC;
1697 
1698  StreamTcpInitConfig(TRUE);
1699 
1700  de_ctx = DetectEngineCtxInit();
1701  if (de_ctx == NULL)
1702  goto end;
1703 
1704  de_ctx->flags |= DE_QUIET;
1705 
1706  s = de_ctx->sig_list = SigInit(de_ctx,
1707  "alert tcp any any -> any any "
1708  "(msg:\"DCERPC\"; "
1709  "dce_opnum:9; "
1710  "sid:1;)");
1711  if (s == NULL)
1712  goto end;
1713 
1714  SigGroupBuild(de_ctx);
1715  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1716 
1717  FLOWLOCK_WRLOCK(&f);
1718  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1719  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1720  dcerpc_request_len);
1721  if (r != 0) {
1722  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1723  FLOWLOCK_UNLOCK(&f);
1724  goto end;
1725  }
1726  FLOWLOCK_UNLOCK(&f);
1727 
1728  dcerpc_state = f.alstate;
1729  if (dcerpc_state == NULL) {
1730  SCLogDebug("no dcerpc state: ");
1731  goto end;
1732  }
1733 
1734  /* do detect */
1735  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1736 
1737  if (!PacketAlertCheck(p, 1))
1738  goto end;
1739 
1740  result = 1;
1741 
1742  end:
1743  if (alp_tctx != NULL)
1744  AppLayerParserThreadCtxFree(alp_tctx);
1745  SigGroupCleanup(de_ctx);
1746  SigCleanSignatures(de_ctx);
1747 
1748  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1749  DetectEngineCtxFree(de_ctx);
1750 
1751  StreamTcpFreeConfig(TRUE);
1752  FLOW_DESTROY(&f);
1753 
1754  UTHFreePackets(&p, 1);
1755  return result;
1756 }
1757 
1758 /* Disabled because of bug_753. Would be enabled, once we rewrite
1759  * dce parser */
1760 #if 0
1761 
1762 /**
1763  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
1764  * and multiple request/responses with a match test after each frag parsing.
1765  */
1766 static int DetectDceOpnumTestParse10(void)
1767 {
1768  int result = 0;
1769  Signature *s = NULL;
1770  ThreadVars th_v;
1771  Packet *p = NULL;
1772  Flow f;
1773  TcpSession ssn;
1774  DetectEngineThreadCtx *det_ctx = NULL;
1775  DetectEngineCtx *de_ctx = NULL;
1776  DCERPCState *dcerpc_state = NULL;
1777  int r = 0;
1778 
1779  uint8_t dcerpc_bind[] = {
1780  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1781  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1782  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1783  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1784  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1785  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1786  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1787  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1788  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1789  };
1790 
1791  uint8_t dcerpc_bindack[] = {
1792  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1793  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1794  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1795  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1796  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1797  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1798  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1799  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1800  0x02, 0x00, 0x00, 0x00,
1801  };
1802 
1803  uint8_t dcerpc_request1[] = {
1804  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1805  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1806  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1807  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1808  0x00, 0x00, 0x00, 0x02,
1809  };
1810 
1811  uint8_t dcerpc_response1[] = {
1812  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1813  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1814  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1815  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1816  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1817  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1818  };
1819 
1820  uint8_t dcerpc_request2[] = {
1821  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1822  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1823  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1824  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1825  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1826  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1827  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1828  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1829  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1830  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1831  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1832  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1833  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1834  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1835  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1836  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1837  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1838  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1839  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1840  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1841  0x03, 0x00, 0x00, 0x00,
1842  };
1843 
1844  uint8_t dcerpc_response2[] = {
1845  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1846  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1847  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1848  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1849  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1850  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1851  };
1852 
1853  uint8_t dcerpc_request3[] = {
1854  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1855  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1856  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1857  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1858  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1859  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1860  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1861  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1862  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1863  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1864  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1865  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1866  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1867  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1868  };
1869 
1870  uint8_t dcerpc_response3[] = {
1871  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1872  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1873  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1874  0x00, 0x00, 0x00, 0x00,
1875  };
1876 
1877  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1878  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1879 
1880  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1881  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1882 
1883  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1884  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1885 
1886  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1887  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1888 
1889  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1890 
1891  memset(&th_v, 0, sizeof(th_v));
1892  memset(&f, 0, sizeof(f));
1893  memset(&ssn, 0, sizeof(ssn));
1894 
1895  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1896 
1897  FLOW_INITIALIZE(&f);
1898  f.protoctx = (void *)&ssn;
1899  f.proto = IPPROTO_TCP;
1900  p->flow = &f;
1901  p->flowflags |= FLOW_PKT_TOSERVER;
1902  p->flowflags |= FLOW_PKT_ESTABLISHED;
1903  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1904  f.alproto = ALPROTO_DCERPC;
1905 
1906  StreamTcpInitConfig(TRUE);
1907 
1908  de_ctx = DetectEngineCtxInit();
1909  if (de_ctx == NULL) {
1910  goto end;
1911  }
1912 
1913  de_ctx->flags |= DE_QUIET;
1914 
1915  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1916  "(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
1917  if (s == NULL) {
1918  goto end;
1919  }
1920 
1921  SigGroupBuild(de_ctx);
1922  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1923 
1924  SCLogDebug("sending bind");
1925 
1926  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
1927  dcerpc_bind, dcerpc_bind_len);
1928  if (r != 0) {
1929  SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
1930  goto end;
1931  }
1932 
1933  dcerpc_state = f.alstate;
1934  if (dcerpc_state == NULL) {
1935  SCLogDebug("no dcerpc state: ");
1936  goto end;
1937  }
1938  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1939  p->flowflags |= FLOW_PKT_TOSERVER;
1940  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1941 
1942  SCLogDebug("sending bind_ack");
1943 
1944  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1945  dcerpc_bindack, dcerpc_bindack_len);
1946  if (r != 0) {
1947  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1948  goto end;
1949  }
1950  p->flowflags &=~ FLOW_PKT_TOSERVER;
1951  p->flowflags |= FLOW_PKT_TOCLIENT;
1952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1953 
1954  SCLogDebug("sending request1");
1955 
1956  /* request1 */
1957  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1958  dcerpc_request1, dcerpc_request1_len);
1959  if (r != 0) {
1960  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1961  goto end;
1962  }
1963 
1964  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1965  p->flowflags |= FLOW_PKT_TOSERVER;
1966  /* do detect */
1967  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1968 
1969  if (!PacketAlertCheck(p, 1)) {
1970  printf("sig 1 didn't match, but should have: ");
1971  goto end;
1972  }
1973 
1974  SCLogDebug("sending response1");
1975 
1976  /* response1 */
1977  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
1978  dcerpc_response1, dcerpc_response1_len);
1979  if (r != 0) {
1980  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1981  goto end;
1982  }
1983 
1984  p->flowflags &=~ FLOW_PKT_TOSERVER;
1985  p->flowflags |= FLOW_PKT_TOCLIENT;
1986  /* do detect */
1987  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1988 
1989  if (PacketAlertCheck(p, 1)) {
1990  printf("sig 1 did match, shouldn't have on response1: ");
1991  goto end;
1992  }
1993 
1994  /* request2 */
1995  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
1996  dcerpc_request2, dcerpc_request2_len);
1997  if (r != 0) {
1998  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1999  goto end;
2000  }
2001 
2002  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2003  p->flowflags |= FLOW_PKT_TOSERVER;
2004  /* do detect */
2005  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2006 
2007  if (!PacketAlertCheck(p, 1)) {
2008  printf("sig 1 didn't match, but should have on request2: ");
2009  goto end;
2010  }
2011 
2012  /* response2 */
2013  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2014  dcerpc_response2, dcerpc_response2_len);
2015  if (r != 0) {
2016  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2017  goto end;
2018  }
2019 
2020  p->flowflags &=~ FLOW_PKT_TOSERVER;
2021  p->flowflags |= FLOW_PKT_TOCLIENT;
2022  /* do detect */
2023  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2024 
2025  if (PacketAlertCheck(p, 1)) {
2026  printf("sig 1 did match, shouldn't have on response2: ");
2027  goto end;
2028  }
2029 
2030  /* request3 */
2031  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2032  dcerpc_request3, dcerpc_request3_len);
2033  if (r != 0) {
2034  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2035  goto end;
2036  }
2037 
2038  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2039  p->flowflags |= FLOW_PKT_TOSERVER;
2040  /* do detect */
2041  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2042 
2043  if (!PacketAlertCheck(p, 1)) {
2044  printf("sig 1 didn't match, but should have on request3: ");
2045  goto end;
2046  }
2047 
2048  /* response3 */
2049  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2050  dcerpc_response3, dcerpc_response3_len);
2051  if (r != 0) {
2052  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2053  goto end;
2054  }
2055 
2056  p->flowflags &=~ FLOW_PKT_TOSERVER;
2057  p->flowflags |= FLOW_PKT_TOCLIENT;
2058  /* do detect */
2059  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2060 
2061  if (PacketAlertCheck(p, 1)) {
2062  printf("sig 1 did match, shouldn't have on response2: ");
2063  goto end;
2064  }
2065 
2066  result = 1;
2067 
2068  end:
2069  if (alp_tctx != NULL)
2070  AppLayerDestroyCtxThread(alp_tctx);
2071  SigGroupCleanup(de_ctx);
2072  SigCleanSignatures(de_ctx);
2073 
2074  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2075  DetectEngineCtxFree(de_ctx);
2076 
2077  StreamTcpFreeConfig(TRUE);
2078  FLOW_DESTROY(&f);
2079 
2080  UTHFreePackets(&p, 1);
2081  return result;
2082 }
2083 
2084 /**
2085  * \test Test a valid dce_opnum entry(with multiple values) with multiple
2086  * request/responses.
2087  */
2088 static int DetectDceOpnumTestParse11(void)
2089 {
2090  int result = 0;
2091  Signature *s = NULL;
2092  ThreadVars th_v;
2093  Packet *p = NULL;
2094  Flow f;
2095  TcpSession ssn;
2096  DetectEngineThreadCtx *det_ctx = NULL;
2097  DetectEngineCtx *de_ctx = NULL;
2098  DCERPCState *dcerpc_state = NULL;
2099  int r = 0;
2100 
2101  uint8_t dcerpc_request1[] = {
2102  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2103  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2104  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2105  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
2106  0x00, 0x00, 0x00, 0x02,
2107  };
2108 
2109  uint8_t dcerpc_response1[] = {
2110  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2111  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2112  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2113  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2114  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2115  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2116  };
2117 
2118  uint8_t dcerpc_request2[] = {
2119  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2120  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2121  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
2122  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
2123  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2124  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
2125  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
2126  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
2127  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
2128  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
2129  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
2130  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
2131  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
2132  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
2133  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
2134  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
2135  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
2136  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
2137  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
2138  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2139  0x03, 0x00, 0x00, 0x00,
2140  };
2141 
2142  uint8_t dcerpc_response2[] = {
2143  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2144  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2145  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2146  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2147  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2148  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
2149  };
2150 
2151  uint8_t dcerpc_request3[] = {
2152  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2153  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2154  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
2155  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
2156  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
2157  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
2158  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
2159  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
2160  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
2161  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2162  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
2163  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
2164  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
2165  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
2166  };
2167 
2168  uint8_t dcerpc_response3[] = {
2169  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2170  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
2171  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2172  0x00, 0x00, 0x00, 0x00,
2173  };
2174 
2175  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2176  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2177 
2178  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2179  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2180 
2181  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
2182  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
2183 
2184  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2185 
2186  memset(&th_v, 0, sizeof(th_v));
2187  memset(&f, 0, sizeof(f));
2188  memset(&ssn, 0, sizeof(ssn));
2189 
2190  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2191 
2192  FLOW_INITIALIZE(&f);
2193  f.protoctx = (void *)&ssn;
2194  f.proto = IPPROTO_TCP;
2195  p->flow = &f;
2196  p->flowflags |= FLOW_PKT_TOSERVER;
2197  p->flowflags |= FLOW_PKT_ESTABLISHED;
2198  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2199  f.alproto = ALPROTO_DCERPC;
2200 
2201  StreamTcpInitConfig(TRUE);
2202 
2203  de_ctx = DetectEngineCtxInit();
2204  if (de_ctx == NULL)
2205  goto end;
2206 
2207  de_ctx->flags |= DE_QUIET;
2208 
2209  s = de_ctx->sig_list = SigInit(de_ctx,
2210  "alert tcp any any -> any any "
2211  "(msg:\"DCERPC\"; "
2212  "dce_opnum:2-22; "
2213  "sid:1;)");
2214  if (s == NULL)
2215  goto end;
2216 
2217  SigGroupBuild(de_ctx);
2218  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2219 
2220  /* request1 */
2221  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2222  dcerpc_request1, dcerpc_request1_len);
2223  if (r != 0) {
2224  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2225  printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
2226  goto end;
2227  }
2228 
2229  dcerpc_state = f.alstate;
2230  if (dcerpc_state == NULL) {
2231  SCLogDebug("no dcerpc state: ");
2232  printf("no dcerpc state: ");
2233  goto end;
2234  }
2235 
2236  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2237  p->flowflags |= FLOW_PKT_TOSERVER;
2238  /* do detect */
2239  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2240 
2241  if (!PacketAlertCheck(p, 1))
2242  goto end;
2243 
2244  /* response1 */
2245  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2246  dcerpc_response1, dcerpc_response1_len);
2247  if (r != 0) {
2248  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2249  printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
2250  goto end;
2251  }
2252 
2253  p->flowflags &=~ FLOW_PKT_TOSERVER;
2254  p->flowflags |= FLOW_PKT_TOCLIENT;
2255  /* do detect */
2256  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2257 
2258  if (PacketAlertCheck(p, 1))
2259  goto end;
2260 
2261  /* request2 */
2262  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2263  dcerpc_request2, dcerpc_request2_len);
2264  if (r != 0) {
2265  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2266  printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
2267  goto end;
2268  }
2269 
2270  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2271  p->flowflags |= FLOW_PKT_TOSERVER;
2272  /* do detect */
2273  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2274 
2275  if (!PacketAlertCheck(p, 1))
2276  goto end;
2277 
2278  /* response2 */
2279  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
2280  dcerpc_response2, dcerpc_response2_len);
2281  if (r != 0) {
2282  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2283  printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
2284  goto end;
2285  }
2286 
2287  p->flowflags &=~ FLOW_PKT_TOSERVER;
2288  p->flowflags |= FLOW_PKT_TOCLIENT;
2289  /* do detect */
2290  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2291 
2292  if (PacketAlertCheck(p, 1))
2293  goto end;
2294 
2295  /* request3 */
2296  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
2297  dcerpc_request3, dcerpc_request3_len);
2298  if (r != 0) {
2299  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2300  printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
2301  goto end;
2302  }
2303 
2304  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2305  p->flowflags |= FLOW_PKT_TOSERVER;
2306  /* do detect */
2307  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2308 
2309  if (!PacketAlertCheck(p, 1))
2310  goto end;
2311 
2312  /* response3 */
2313  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
2314  dcerpc_response3, dcerpc_response3_len);
2315  if (r != 0) {
2316  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2317  printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
2318  goto end;
2319  }
2320 
2321  p->flowflags &=~ FLOW_PKT_TOSERVER;
2322  p->flowflags |= FLOW_PKT_TOCLIENT;
2323  /* do detect */
2324  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2325 
2326  if (PacketAlertCheck(p, 1))
2327  goto end;
2328 
2329  result = 1;
2330 
2331  end:
2332  if (alp_tctx != NULL)
2333  AppLayerDestroyCtxThread(alp_tctx);
2334  SigGroupCleanup(de_ctx);
2335  SigCleanSignatures(de_ctx);
2336 
2337  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2338  DetectEngineCtxFree(de_ctx);
2339 
2340  StreamTcpFreeConfig(TRUE);
2341  FLOW_DESTROY(&f);
2342 
2343  UTHFreePackets(&p, 1);
2344  return result;
2345 }
2346 
2347 /**
2348  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2349  * and multiple request/responses with a match test after each frag parsing.
2350  */
2351 static int DetectDceOpnumTestParse12(void)
2352 {
2353  int result = 0;
2354  Signature *s = NULL;
2355  ThreadVars th_v;
2356  Packet *p = NULL;
2357  Flow f;
2358  TcpSession ssn;
2359  DetectEngineThreadCtx *det_ctx = NULL;
2360  DetectEngineCtx *de_ctx = NULL;
2361  DCERPCState *dcerpc_state = NULL;
2362  int r = 0;
2363 
2364  uint8_t dcerpc_bind[] = {
2365  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
2366  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2367  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2368  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2369  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
2370  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
2371  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2372  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2373  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2374  };
2375 
2376  uint8_t dcerpc_bindack[] = {
2377  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
2378  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2379  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
2380  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
2381  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
2382  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2384  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2385  0x02, 0x00, 0x00, 0x00,
2386  };
2387 
2388  uint8_t dcerpc_request1[] = {
2389  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2390  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2391  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
2392  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2393  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2394  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2395  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2396  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2397  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2398  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2399  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2400  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2401  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2402  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2408  0x00, 0x00
2409  };
2410 
2411  uint8_t dcerpc_response1[] = {
2412  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2413  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2414  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2415  0x00, 0x00, 0x00, 0x00,
2416  };
2417 
2418  uint8_t dcerpc_request2[] = {
2419  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2420  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2421  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2422  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2423  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2424  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2425  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2426  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2427  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2428  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2429  0x4e, 0x6f, 0x6e, 0x65
2430  };
2431 
2432  uint8_t dcerpc_response2[] = {
2433  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2434  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2435  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2436  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2437  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2438  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2439  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2440  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2441  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2442  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2443  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2444  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2449  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2450  0x00, 0x00, 0x00, 0x00,
2451  };
2452 
2453  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
2454  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
2455 
2456  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2457  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2458 
2459  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2460  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2461 
2462  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2463 
2464  memset(&th_v, 0, sizeof(th_v));
2465  memset(&f, 0, sizeof(f));
2466  memset(&ssn, 0, sizeof(ssn));
2467 
2468  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2469 
2470  FLOW_INITIALIZE(&f);
2471  f.protoctx = (void *)&ssn;
2472  f.proto = IPPROTO_TCP;
2473  p->flow = &f;
2474  p->flowflags |= FLOW_PKT_TOSERVER;
2475  p->flowflags |= FLOW_PKT_ESTABLISHED;
2476  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2477  f.alproto = ALPROTO_DCERPC;
2478 
2479  StreamTcpInitConfig(TRUE);
2480 
2481  de_ctx = DetectEngineCtxInit();
2482  if (de_ctx == NULL)
2483  goto end;
2484 
2485  de_ctx->flags |= DE_QUIET;
2486 
2487  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
2488  "(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
2489  if (s == NULL)
2490  goto end;
2491 
2492  SigGroupBuild(de_ctx);
2493  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2494 
2495  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
2496  dcerpc_bind, dcerpc_bind_len);
2497  if (r != 0) {
2498  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2499  goto end;
2500  }
2501  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2502  p->flowflags |= FLOW_PKT_TOSERVER;
2503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2504 
2505  dcerpc_state = f.alstate;
2506  if (dcerpc_state == NULL) {
2507  printf("no dcerpc state: ");
2508  goto end;
2509  }
2510 
2511  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
2512  dcerpc_bindack_len);
2513  if (r != 0) {
2514  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2515  goto end;
2516  }
2517  p->flowflags &=~ FLOW_PKT_TOSERVER;
2518  p->flowflags |= FLOW_PKT_TOCLIENT;
2519  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2520 
2521  /* request1 */
2522  SCLogDebug("Sending request1");
2523 
2524  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2525  dcerpc_request1_len);
2526  if (r != 0) {
2527  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2528  goto end;
2529  }
2530 
2531  dcerpc_state = f.alstate;
2532  if (dcerpc_state == NULL) {
2533  printf("no dcerpc state: ");
2534  goto end;
2535  }
2536 
2537  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2538  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2539  "expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2540  goto end;
2541  }
2542 
2543  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2544  p->flowflags |= FLOW_PKT_TOSERVER;
2545  /* do detect */
2546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2547 
2548  if (!PacketAlertCheck(p, 1)) {
2549  printf("signature 1 didn't match, should have: ");
2550  goto end;
2551  }
2552 
2553  /* response1 */
2554  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2555  dcerpc_response1_len);
2556  if (r != 0) {
2557  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2558  goto end;
2559  }
2560 
2561  dcerpc_state = f.alstate;
2562  if (dcerpc_state == NULL) {
2563  printf("no dcerpc state: ");
2564  goto end;
2565  }
2566 
2567  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2568  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2569  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2570  goto end;
2571  }
2572 
2573  p->flowflags &=~ FLOW_PKT_TOSERVER;
2574  p->flowflags |= FLOW_PKT_TOCLIENT;
2575  /* do detect */
2576  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2577 
2578  if (PacketAlertCheck(p, 1)) {
2579  printf("sig 1 matched on response 1, but shouldn't: ");
2580  goto end;
2581  }
2582 
2583  /* request2 */
2584  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2585  dcerpc_request2_len);
2586  if (r != 0) {
2587  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2588  goto end;
2589  }
2590 
2591  dcerpc_state = f.alstate;
2592  if (dcerpc_state == NULL) {
2593  printf("no dcerpc state: ");
2594  goto end;
2595  }
2596 
2597  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2598  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2599  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2600  goto end;
2601  }
2602 
2603  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2604  p->flowflags |= FLOW_PKT_TOSERVER;
2605  /* do detect */
2606  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2607 
2608  if (!PacketAlertCheck(p, 1)) {
2609  printf("sig 1 didn't match on request 2: ");
2610  goto end;
2611  }
2612 
2613  /* response2 */
2614  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2615  dcerpc_response2_len);
2616  if (r != 0) {
2617  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2618  goto end;
2619  }
2620 
2621  dcerpc_state = f.alstate;
2622  if (dcerpc_state == NULL) {
2623  printf("no dcerpc state: ");
2624  goto end;
2625  }
2626 
2627  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2628  printf("dcerpc state holding invalid opnum. Holding %d, while we are "
2629  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2630  goto end;
2631  }
2632 
2633  p->flowflags &=~ FLOW_PKT_TOSERVER;
2634  p->flowflags |= FLOW_PKT_TOCLIENT;
2635  /* do detect */
2636  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2637 
2638  if (PacketAlertCheck(p, 1)) {
2639  printf("sig 1 matched on response2, but shouldn't: ");
2640  goto end;
2641  }
2642 
2643  result = 1;
2644 
2645 end:
2646  if (alp_tctx != NULL)
2647  AppLayerDestroyCtxThread(alp_tctx);
2648  SigGroupCleanup(de_ctx);
2649  SigCleanSignatures(de_ctx);
2650 
2651  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2652  DetectEngineCtxFree(de_ctx);
2653 
2654  StreamTcpFreeConfig(TRUE);
2655  FLOW_DESTROY(&f);
2656 
2657  UTHFreePackets(&p, 1);
2658  return result;
2659 }
2660 
2661 /**
2662  * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
2663  * and multiple request/responses with a match test after each frag parsing.
2664  */
2665 static int DetectDceOpnumTestParse13(void)
2666 {
2667  int result = 0;
2668  Signature *s = NULL;
2669  ThreadVars th_v;
2670  Packet *p = NULL;
2671  Flow f;
2672  TcpSession ssn;
2673  DetectEngineThreadCtx *det_ctx = NULL;
2674  DetectEngineCtx *de_ctx = NULL;
2675  DCERPCState *dcerpc_state = NULL;
2676  int r = 0;
2677 
2678  uint8_t dcerpc_request1[] = {
2679  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2680  0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2681  0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
2682  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2683  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2684  0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
2685  0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
2686  0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
2687  0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2688  0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
2689  0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
2690  0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
2691  0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2692  0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
2693  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2694  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2695  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2696  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2697  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2698  0x00, 0x00
2699  };
2700 
2701  uint8_t dcerpc_response1[] = {
2702  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2703  0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2704  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2705  0x00, 0x00, 0x00, 0x00,
2706  };
2707 
2708  uint8_t dcerpc_request2[] = {
2709  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
2710  0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2711  0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
2712  0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
2713  0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
2714  0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
2715  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2716  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2717  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2718  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2719  0x4e, 0x6f, 0x6e, 0x65
2720  };
2721 
2722  uint8_t dcerpc_response2[] = {
2723  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
2724  0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2725  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2726  0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
2727  0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
2728  0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2729  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
2730  0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
2731  0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
2732  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2733  0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
2734  0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
2735  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2736  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2737  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2738  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2739  0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
2740  0x00, 0x00, 0x00, 0x00,
2741  };
2742 
2743  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
2744  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
2745 
2746  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
2747  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
2748 
2749  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
2750 
2751  memset(&th_v, 0, sizeof(th_v));
2752  memset(&f, 0, sizeof(f));
2753  memset(&ssn, 0, sizeof(ssn));
2754 
2755  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2756 
2757  FLOW_INITIALIZE(&f);
2758  f.protoctx = (void *)&ssn;
2759  f.proto = IPPROTO_TCP;
2760  p->flow = &f;
2761  p->flowflags |= FLOW_PKT_TOSERVER;
2762  p->flowflags |= FLOW_PKT_ESTABLISHED;
2763  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
2764  f.alproto = ALPROTO_DCERPC;
2765 
2766  StreamTcpInitConfig(TRUE);
2767 
2768  de_ctx = DetectEngineCtxInit();
2769  if (de_ctx == NULL)
2770  goto end;
2771 
2772  de_ctx->flags |= DE_QUIET;
2773 
2774  s = de_ctx->sig_list = SigInit(de_ctx,
2775  "alert tcp any any -> any any "
2776  "(msg:\"DCERPC\"; "
2777  "dce_opnum:30, 40; "
2778  "sid:1;)");
2779  if (s == NULL)
2780  goto end;
2781 
2782  SigGroupBuild(de_ctx);
2783  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2784 
2785  /* request1 */
2786  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
2787  dcerpc_request1_len);
2788  if (r != 0) {
2789  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2790  goto end;
2791  }
2792 
2793  dcerpc_state = f.alstate;
2794  if (dcerpc_state == NULL) {
2795  printf("no dcerpc state: ");
2796  goto end;
2797  }
2798 
2799  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2800  printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
2801  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2802  goto end;
2803  }
2804 
2805  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2806  p->flowflags |= FLOW_PKT_TOSERVER;
2807  /* do detect */
2808  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2809 
2810  if (!PacketAlertCheck(p, 1))
2811  goto end;
2812 
2813  /* response1 */
2814  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
2815  dcerpc_response1_len);
2816  if (r != 0) {
2817  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2818  goto end;
2819  }
2820 
2821  dcerpc_state = f.alstate;
2822  if (dcerpc_state == NULL) {
2823  printf("no dcerpc state: ");
2824  goto end;
2825  }
2826 
2827  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
2828  printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
2829  "expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2830  goto end;
2831  }
2832 
2833  p->flowflags &=~ FLOW_PKT_TOSERVER;
2834  p->flowflags |= FLOW_PKT_TOCLIENT;
2835  /* do detect */
2836  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2837 
2838  if (PacketAlertCheck(p, 1))
2839  goto end;
2840 
2841  /* request2 */
2842  printf("Sending Request2\n");
2843  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
2844  dcerpc_request2_len);
2845  if (r != 0) {
2846  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2847  goto end;
2848  }
2849 
2850  dcerpc_state = f.alstate;
2851  if (dcerpc_state == NULL) {
2852  printf("no dcerpc state: ");
2853  goto end;
2854  }
2855 
2856  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2857  printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
2858  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2859  goto end;
2860  }
2861 
2862  p->flowflags &=~ FLOW_PKT_TOCLIENT;
2863  p->flowflags |= FLOW_PKT_TOSERVER;
2864  /* do detect */
2865  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2866 
2867  if (!PacketAlertCheck(p, 1))
2868  goto end;
2869 
2870  /* response2 */
2871  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
2872  dcerpc_response2_len);
2873  if (r != 0) {
2874  printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
2875  goto end;
2876  }
2877 
2878  dcerpc_state = f.alstate;
2879  if (dcerpc_state == NULL) {
2880  printf("no dcerpc state: ");
2881  goto end;
2882  }
2883 
2884  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
2885  printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
2886  "expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
2887  goto end;
2888  }
2889 
2890  p->flowflags &=~ FLOW_PKT_TOSERVER;
2891  p->flowflags |= FLOW_PKT_TOCLIENT;
2892  /* do detect */
2893  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2894 
2895  if (PacketAlertCheck(p, 1))
2896  goto end;
2897 
2898  result = 1;
2899 
2900  end:
2901  if (alp_tctx != NULL)
2902  AppLayerDestroyCtxThread(alp_tctx);
2903  SigGroupCleanup(de_ctx);
2904  SigCleanSignatures(de_ctx);
2905 
2906  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2907  DetectEngineCtxFree(de_ctx);
2908 
2909  StreamTcpFreeConfig(TRUE);
2910  FLOW_DESTROY(&f);
2911 
2912  UTHFreePackets(&p, 1);
2913  return result;
2914 }
2915 #endif
2916 #endif /* UNITTESTS */
2917 
2918 static void DetectDceOpnumRegisterTests(void)
2919 {
2920 #ifdef UNITTESTS
2921  UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
2922  UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
2923  UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03);
2924  UtRegisterTest("DetectDceOpnumTestParse04", DetectDceOpnumTestParse04);
2925  UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05);
2926  UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06);
2927  UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07);
2928  UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08);
2929  UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09);
2930  /* Disabled because of bug_753. Would be enabled, once we rewrite
2931  * dce parser */
2932 #if 0
2933  UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
2934  UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
2935  UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
2936  UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
2937 #endif
2938 #endif
2939 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2225
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1431
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1170
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1156
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-dce-opnum.c:54
DetectDceOpnumData_
Definition: detect-dce-opnum.h:36
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DetectDceOpnumRange_::next
struct DetectDceOpnumRange_ * next
Definition: detect-dce-opnum.h:33
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
DetectDceOpnumRange_
Definition: detect-dce-opnum.h:30
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1945
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:749
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:274
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DCE_OPNUM_RANGE_MAX
#define DCE_OPNUM_RANGE_MAX
Definition: detect-dce-opnum.h:27
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2533
SigTableElmt_::name
const char * name
Definition: detect.h:1184
Signature_
Signature container.
Definition: detect.h:514
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:318
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Flow_::protoctx
void * protoctx
Definition: flow.h:400
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:743
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2741
Flow_::alstate
void * alstate
Definition: flow.h:438
DE_QUIET
#define DE_QUIET
Definition: detect.h:297
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:197
DetectDceOpnumData_::range
DetectDceOpnumRange * range
Definition: detect-dce-opnum.h:37
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:744
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1175
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1310
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1887
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2311
DetectDceOpnumRange_::range1
uint32_t range1
Definition: detect-dce-opnum.h:31
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:248
DetectDceOpnumRegister
void DetectDceOpnumRegister(void)
Registers the keyword handlers for the "dce_opnum" keyword.
Definition: detect-dce-opnum.c:71
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1959
DCERPCRequest_::opnum
uint16_t opnum
Definition: app-layer-dcerpc-common.h:171
SigMatch_::type
uint8_t type
Definition: detect.h:324
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
index
#define index
Definition: win32-misc.h:29
Packet_
Definition: decode.h:405
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:652
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1187
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:326
SigTableElmt_::alias
const char * alias
Definition: detect.h:1185
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:825
DetectDceOpnumRange_::range2
uint32_t range2
Definition: detect-dce-opnum.h:32
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:212
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:986
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
Packet_::flags
uint32_t flags
Definition: decode.h:441
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1835
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:325
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1176
SigMatch_
a single match condition for a signature
Definition: detect.h:323
DCE_OPNUM_RANGE_UNINITIALIZED
#define DCE_OPNUM_RANGE_UNINITIALIZED
Definition: detect-dce-opnum.h:28
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1155
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1790