suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-engine-build.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-prefilter.h"
38 #include "detect-engine-content-inspection.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "app-layer.h"
45 #include "app-layer-parser.h"
46 #include "queue.h"
47 #include "stream-tcp-reassemble.h"
48 
49 #include "detect-dce-stub-data.h"
50 #include "detect-dce-iface.h"
51 
52 #include "util-debug.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 #include "stream-tcp.h"
58 
59 #include "rust.h"
60 
61 #define BUFFER_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void DetectDceStubDataRegisterTests(void);
66 #endif
67 static int g_dce_stub_data_buffer_id = 0;
68 
69 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
70  const DetectEngineTransforms *transforms,
71  Flow *_f, const uint8_t flow_flags,
72  void *txv, const int list_id)
73 {
74  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
75  if (!buffer->initialized) {
76  uint32_t data_len = 0;
77  const uint8_t *data = NULL;
78  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
79  if (SCSmbTxGetStubData(txv, dir, &data, &data_len) != 1)
80  return NULL;
81  SCLogDebug("have data!");
82 
83  InspectionBufferSetupAndApplyTransforms(
84  det_ctx, list_id, buffer, data, data_len, transforms);
85  }
86  return buffer;
87 }
88 
89 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
90  const DetectEngineTransforms *transforms,
91  Flow *_f, const uint8_t flow_flags,
92  void *txv, const int list_id)
93 {
94  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
95  if (!buffer->initialized) {
96  uint32_t data_len = 0;
97  const uint8_t *data = NULL;
98  uint8_t endianness;
99 
100  SCDcerpcGetStubData(txv, &data, &data_len, &endianness, flow_flags);
101  if (data == NULL || data_len == 0)
102  return NULL;
103 
104  if (endianness > 0) {
105  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
106  } else {
107  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
108  }
109  InspectionBufferSetupAndApplyTransforms(
110  det_ctx, list_id, buffer, data, data_len, transforms);
111  }
112  return buffer;
113 }
114 
115 /**
116  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
117  */
118 void DetectDceStubDataRegister(void)
119 {
120  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
122  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
123 #ifdef UNITTESTS
124  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
125 #endif
126  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
127 
128  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
129  DetectEngineInspectBufferGeneric, GetSMBData);
130  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
131  GetSMBData, ALPROTO_SMB, 0);
132  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
133  DetectEngineInspectBufferGeneric, GetSMBData);
134  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
135  GetSMBData, ALPROTO_SMB, 0);
136 
137  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
138  DetectEngineInspectBufferGeneric, GetDCEData);
139  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
140  GetDCEData, ALPROTO_DCERPC, 0);
141  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
142  DetectEngineInspectBufferGeneric, GetDCEData);
143  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
144  GetDCEData, ALPROTO_DCERPC, 0);
145 
146  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
147 }
148 
149 /**
150  * \brief setups the dce_stub_data list
151  *
152  * \param de_ctx Pointer to the detection engine context
153  * \param s Pointer to signature for the current Signature being parsed
154  * from the rules
155  * \param arg Pointer to the string holding the keyword value
156  *
157  * \retval 0 on success, -1 on failure
158  */
159 
160 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
161 {
162  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
163  return -1;
164  if (SCDetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
165  return -1;
166  return 0;
167 }
168 
169 /************************************Unittests*********************************/
170 
171 #ifdef UNITTESTS
172 #include "detect-engine-alert.h"
173 
174 /**
175  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
176  */
177 static int DetectDceStubDataTestParse02(void)
178 {
179  int result = 0;
180  Signature *s = NULL;
181  ThreadVars th_v;
182  Packet *p = NULL;
183  Flow f;
184  TcpSession ssn;
185  DetectEngineThreadCtx *det_ctx = NULL;
186  DetectEngineCtx *de_ctx = NULL;
187  DCERPCState *dcerpc_state = NULL;
188  int r = 0;
189 
190  uint8_t dcerpc_bind[] = {
191  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
192  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
193  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
194  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
195  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
196  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
197  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
198  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
199  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
200  };
201 
202  uint8_t dcerpc_bindack[] = {
203  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
204  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
205  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
206  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
207  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
208  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
209  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
210  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
211  0x02, 0x00, 0x00, 0x00
212  };
213 
214  /* todo chop the request frag length and change the
215  * length related parameters in the frag */
216  uint8_t dcerpc_request[] = {
217  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
218  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
219  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
220  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
221  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
222  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
223  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
224  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
225  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
226  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
227  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
228  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
229  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
230  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
231  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
232  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
233  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
234  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
235  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
236  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
237  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
238  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
239  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
240  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
241  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
242  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
243  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
244  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
245  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
246  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
247  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
248  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
249  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
250  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
251  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
252  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
253  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
254  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
255  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
256  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
257  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
258  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
259  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
260  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
261  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
262  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
263  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
264  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
265  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
266  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
267  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
268  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
269  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
270  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
271  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
272  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
273  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
274  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
275  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
276  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
277  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
278  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
279  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
280  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
281  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
282  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
283  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
284  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
285  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
286  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
287  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
288  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
289  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
290  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
291  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
292  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
293  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
294  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
295  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
296  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
297  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
298  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
299  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
300  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
301  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
302  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
464  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
465  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
466  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
467  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
468  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
469  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
470  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
471  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
472  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
473  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
474  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
475  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
476  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
477  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
478  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
479  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
480  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
481  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
482  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
483  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
484  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
485  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
486  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
487  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
488  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
489  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
490  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
491  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
492  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
493  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
494  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
495  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
496  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
497  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
565  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
566  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x01, 0x02, 0x03, 0x04
631  };
632 
633  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
634  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
635  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
636  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
637 
638  memset(&th_v, 0, sizeof(th_v));
639  memset(&f, 0, sizeof(f));
640  memset(&ssn, 0, sizeof(ssn));
641 
642  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
643 
644  FLOW_INITIALIZE(&f);
645  f.protoctx = (void *)&ssn;
646  f.proto = IPPROTO_TCP;
647  p->flow = &f;
648  p->flowflags |= FLOW_PKT_TOSERVER;
649  p->flowflags |= FLOW_PKT_ESTABLISHED;
650  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
651  f.alproto = ALPROTO_DCERPC;
652 
653  StreamTcpInitConfig(true);
654 
655  de_ctx = DetectEngineCtxInit();
656  if (de_ctx == NULL)
657  goto end;
658 
659  de_ctx->flags |= DE_QUIET;
660 
661  s = de_ctx->sig_list = SigInit(de_ctx,
662  "alert tcp any any -> any any "
663  "(msg:\"DCERPC\"; "
664  "dce_stub_data; content:\"|42 42 42 42|\";"
665  "sid:1;)");
666  if (s == NULL)
667  goto end;
668 
669  SigGroupBuild(de_ctx);
670  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
671 
672  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
673  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
674  dcerpc_bind_len);
675  if (r != 0) {
676  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
677  goto end;
678  }
679 
680  dcerpc_state = f.alstate;
681  if (dcerpc_state == NULL) {
682  SCLogDebug("no dcerpc state: ");
683  goto end;
684  }
685 
686  p->flowflags &=~ FLOW_PKT_TOCLIENT;
687  p->flowflags |= FLOW_PKT_TOSERVER;
688  /* do detect */
689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
690 
691  /* we shouldn't have any stub data */
692  if (PacketAlertCheck(p, 1))
693  goto end;
694 
695  /* do detect */
696  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
697  STREAM_TOCLIENT, dcerpc_bindack,
698  dcerpc_bindack_len);
699  if (r != 0) {
700  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
701  goto end;
702  }
703 
704  p->flowflags &=~ FLOW_PKT_TOSERVER;
705  p->flowflags |= FLOW_PKT_TOCLIENT;
706  /* do detect */
707  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
708 
709  /* we shouldn't have any stub data */
710  if (PacketAlertCheck(p, 1))
711  goto end;
712 
713  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
714  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
715  dcerpc_request_len);
716  if (r != 0) {
717  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
718  goto end;
719  }
720 
721  p->flowflags &=~ FLOW_PKT_TOCLIENT;
722  p->flowflags |= FLOW_PKT_TOSERVER;
723  /* do detect */
724  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
725 
726  /* we should have the stub data since we previously parsed a request frag */
727  if (!PacketAlertCheck(p, 1))
728  goto end;
729 
730  result = 1;
731 
732  end:
733  if (alp_tctx != NULL)
734  AppLayerParserThreadCtxFree(alp_tctx);
735  SigGroupCleanup(de_ctx);
736  SigCleanSignatures(de_ctx);
737 
738  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
739  DetectEngineCtxFree(de_ctx);
740 
741  StreamTcpFreeConfig(true);
742  FLOW_DESTROY(&f);
743 
744  UTHFreePackets(&p, 1);
745  return result;
746 }
747 
748 /**
749  * \test Test a valid dce_stub_data with just a request frag.
750  */
751 static int DetectDceStubDataTestParse03(void)
752 {
753  Signature *s = NULL;
754  ThreadVars th_v;
755  Packet *p = NULL;
756  Flow f;
757  TcpSession ssn;
758  DetectEngineThreadCtx *det_ctx = NULL;
759  DetectEngineCtx *de_ctx = NULL;
760  DCERPCState *dcerpc_state = NULL;
761  int r = 0;
762 
763  /* todo chop the request frag length and change the
764  * length related parameters in the frag */
765  uint8_t dcerpc_request[] = {
766  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
767  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
768  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
769  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
770  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
771  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
772  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
773  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
774  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
775  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
776  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
777  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
778  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
779  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
780  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
781  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
782  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
783  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
784  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
785  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
786  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
787  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
788  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
789  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
790  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
791  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
792  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
793  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
794  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
795  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
796  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
797  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
798  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
799  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
800  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
801  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
802  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
803  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
804  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
805  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
806  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
807  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
808  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
809  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
810  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
811  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
812  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
813  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
814  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
815  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
816  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
817  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
818  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
819  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
820  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
821  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
822  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
823  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
824  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
825  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
826  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
827  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
828  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
829  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
830  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
831  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
832  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
833  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
834  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
835  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
836  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
837  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
838  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
839  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
840  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
841  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
842  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
843  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
844  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
845  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
846  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
847  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
848  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
849  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1013  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1014  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1015  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1016  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1017  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1018  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1019  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1020  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1021  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1022  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1023  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1024  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1025  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1026  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1027  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1028  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1029  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1031  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1032  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1033  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1034  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1035  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1036  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1037  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1038  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1039  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1040  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1041  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1042  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1043  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1044  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1045  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1046  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1047  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x01, 0x02, 0x03, 0x04
1180  };
1181 
1182  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1183 
1184  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1185 
1186  memset(&th_v, 0, sizeof(th_v));
1187  memset(&f, 0, sizeof(f));
1188  memset(&ssn, 0, sizeof(ssn));
1189 
1190  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1191 
1192  FLOW_INITIALIZE(&f);
1193  f.protoctx = (void *)&ssn;
1194  f.proto = IPPROTO_TCP;
1195  p->flow = &f;
1196  p->flowflags |= FLOW_PKT_TOSERVER;
1197  p->flowflags |= FLOW_PKT_ESTABLISHED;
1198  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1199  f.alproto = ALPROTO_DCERPC;
1200 
1201  StreamTcpInitConfig(true);
1202 
1203  de_ctx = DetectEngineCtxInit();
1204  FAIL_IF(de_ctx == NULL);
1205 
1206  de_ctx->flags |= DE_QUIET;
1207 
1208  s = de_ctx->sig_list = SigInit(de_ctx,
1209  "alert tcp any any -> any any "
1210  "(msg:\"DCERPC\"; "
1211  "dce_stub_data; content:\"|42 42 42 42|\";"
1212  "sid:1;)");
1213  FAIL_IF(s == NULL);
1214 
1215  SigGroupBuild(de_ctx);
1216  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1217 
1218  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1219  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1220  dcerpc_request_len);
1221  FAIL_IF(r != 0);
1222 
1223  dcerpc_state = f.alstate;
1224  FAIL_IF (dcerpc_state == NULL);
1225 
1226  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1227  p->flowflags |= FLOW_PKT_TOSERVER;
1228  /* do detect */
1229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1230  FAIL_IF(!PacketAlertCheck(p, 1));
1231 
1232  if (alp_tctx != NULL)
1233  AppLayerParserThreadCtxFree(alp_tctx);
1234  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1235  DetectEngineCtxFree(de_ctx);
1236  StreamTcpFreeConfig(true);
1237  FLOW_DESTROY(&f);
1238 
1239  UTHFreePackets(&p, 1);
1240  PASS;
1241 }
1242 
1243 static int DetectDceStubDataTestParse04(void)
1244 {
1245  int result = 0;
1246  Signature *s = NULL;
1247  ThreadVars th_v;
1248  Packet *p = NULL;
1249  Flow f;
1250  TcpSession ssn;
1251  DetectEngineThreadCtx *det_ctx = NULL;
1252  DetectEngineCtx *de_ctx = NULL;
1253  DCERPCState *dcerpc_state = NULL;
1254  int r = 0;
1255 
1256  uint8_t dcerpc_bind[] = {
1257  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1258  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1259  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1260  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1261  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1262  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1263  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1264  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1265  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1266  };
1267 
1268  uint8_t dcerpc_bindack[] = {
1269  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1270  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1271  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1272  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1273  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1274  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1275  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1276  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1277  0x02, 0x00, 0x00, 0x00,
1278  };
1279 
1280  uint8_t dcerpc_request1[] = {
1281  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1282  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1283  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1284  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1285  0x00, 0x00, 0x00, 0x02,
1286  };
1287 
1288  uint8_t dcerpc_response1[] = {
1289  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1290  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1291  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1292  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1293  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1294  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1295  };
1296 
1297  uint8_t dcerpc_request2[] = {
1298  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1299  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1300  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1301  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1302  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1303  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1304  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1305  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1306  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1307  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1308  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1309  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1310  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1311  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1312  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1313  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1314  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1315  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1316  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1317  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1318  0x03, 0x00, 0x00, 0x00,
1319  };
1320 
1321  uint8_t dcerpc_response2[] = {
1322  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1323  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1324  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1325  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1326  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1327  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1328  };
1329 
1330  uint8_t dcerpc_request3[] = {
1331  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1332  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1333  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1334  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1335  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1336  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1337  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1338  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1339  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1340  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1341  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1342  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1343  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1344  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1345  };
1346 
1347  uint8_t dcerpc_response3[] = {
1348  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1349  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1350  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1351  0x00, 0x00, 0x00, 0x00,
1352  };
1353 
1354  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1355  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1356 
1357  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1358  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1359 
1360  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1361  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1362 
1363  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1364  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1365 
1366  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1367 
1368  memset(&th_v, 0, sizeof(th_v));
1369  memset(&f, 0, sizeof(f));
1370  memset(&ssn, 0, sizeof(ssn));
1371 
1372  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1373 
1374  FLOW_INITIALIZE(&f);
1375  f.protoctx = (void *)&ssn;
1376  f.proto = IPPROTO_TCP;
1377  p->flow = &f;
1378  p->flowflags |= FLOW_PKT_TOSERVER;
1379  p->flowflags |= FLOW_PKT_ESTABLISHED;
1380  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1381  f.alproto = ALPROTO_DCERPC;
1382 
1383  StreamTcpInitConfig(true);
1384 
1385  de_ctx = DetectEngineCtxInit();
1386  if (de_ctx == NULL)
1387  goto end;
1388 
1389  de_ctx->flags |= DE_QUIET;
1390 
1391  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1392  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1393  if (s == NULL)
1394  goto end;
1395  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1396  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1397  if (s == NULL)
1398  goto end;
1399  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1400  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1401  if (s == NULL)
1402  goto end;
1403 
1404  SigGroupBuild(de_ctx);
1405  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1406 
1407  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1408  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1409  dcerpc_bind_len);
1410  if (r != 0) {
1411  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1412  goto end;
1413  }
1414  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1415  p->flowflags |= FLOW_PKT_TOSERVER;
1416  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1417 
1418  dcerpc_state = f.alstate;
1419  if (dcerpc_state == NULL) {
1420  SCLogDebug("no dcerpc state: ");
1421  goto end;
1422  }
1423 
1424  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1425  STREAM_TOCLIENT, dcerpc_bindack,
1426  dcerpc_bindack_len);
1427  if (r != 0) {
1428  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1429  goto end;
1430  }
1431  p->flowflags &=~ FLOW_PKT_TOSERVER;
1432  p->flowflags |= FLOW_PKT_TOCLIENT;
1433  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1434 
1435  /* request1 */
1436  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1437  STREAM_TOSERVER, dcerpc_request1,
1438  dcerpc_request1_len);
1439  if (r != 0) {
1440  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1441  goto end;
1442  }
1443 
1444  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1445  p->flowflags |= FLOW_PKT_TOSERVER;
1446  /* do detect */
1447  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1448 
1449  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1450  goto end;
1451 
1452  /* response1 */
1453  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1454  STREAM_TOCLIENT, dcerpc_response1,
1455  dcerpc_response1_len);
1456  if (r != 0) {
1457  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1458  goto end;
1459  }
1460 
1461  p->flowflags &=~ FLOW_PKT_TOSERVER;
1462  p->flowflags |= FLOW_PKT_TOCLIENT;
1463  /* do detect */
1464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1465 
1466  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1467  goto end;
1468 
1469  /* request2 */
1470  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1471  STREAM_TOSERVER, dcerpc_request2,
1472  dcerpc_request2_len);
1473  if (r != 0) {
1474  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1475  goto end;
1476  }
1477 
1478  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1479  p->flowflags |= FLOW_PKT_TOSERVER;
1480  /* do detect */
1481  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1482 
1483  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1484  goto end;
1485 
1486  /* response2 */
1487  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1488  STREAM_TOCLIENT, dcerpc_response2,
1489  dcerpc_response2_len);
1490  if (r != 0) {
1491  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1492  goto end;
1493  }
1494 
1495  p->flowflags &=~ FLOW_PKT_TOSERVER;
1496  p->flowflags |= FLOW_PKT_TOCLIENT;
1497  /* do detect */
1498  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1499 
1500  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1501  goto end;
1502  /* request3 */
1503  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1504  STREAM_TOSERVER, dcerpc_request3,
1505  dcerpc_request3_len);
1506  if (r != 0) {
1507  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1508  goto end;
1509  }
1510 
1511  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1512  p->flowflags |= FLOW_PKT_TOSERVER;
1513  /* do detect */
1514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1515 
1516  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1517  goto end;
1518 
1519  /* response3 */
1520  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1521  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1522  dcerpc_response3_len);
1523  if (r != 0) {
1524  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1525  goto end;
1526  }
1527 
1528  p->flowflags &=~ FLOW_PKT_TOSERVER;
1529  p->flowflags |= FLOW_PKT_TOCLIENT;
1530  /* do detect */
1531  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1532 
1533  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1534  goto end;
1535 
1536  result = 1;
1537 
1538  end:
1539  if (alp_tctx != NULL)
1540  AppLayerParserThreadCtxFree(alp_tctx);
1541  SigGroupCleanup(de_ctx);
1542  SigCleanSignatures(de_ctx);
1543 
1544  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1545  DetectEngineCtxFree(de_ctx);
1546 
1547  StreamTcpFreeConfig(true);
1548  FLOW_DESTROY(&f);
1549 
1550  UTHFreePackets(&p, 1);
1551  return result;
1552 }
1553 
1554 static int DetectDceStubDataTestParse05(void)
1555 {
1556  int result = 0;
1557  Signature *s = NULL;
1558  ThreadVars th_v;
1559  Packet *p = NULL;
1560  Flow f;
1561  TcpSession ssn;
1562  DetectEngineThreadCtx *det_ctx = NULL;
1563  DetectEngineCtx *de_ctx = NULL;
1564  DCERPCState *dcerpc_state = NULL;
1565  int r = 0;
1566 
1567  uint8_t dcerpc_request1[] = {
1568  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1569  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1570  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1571  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1572  0x00, 0x00, 0x00, 0x02,
1573  };
1574 
1575  uint8_t dcerpc_response1[] = {
1576  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1577  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1578  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1580  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1581  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1582  };
1583 
1584  uint8_t dcerpc_request2[] = {
1585  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1586  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1587  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1588  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1589  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1590  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1591  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1592  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1593  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1594  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1595  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1596  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1597  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1598  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1599  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1600  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1601  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1602  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1603  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1604  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1605  0x03, 0x00, 0x00, 0x00,
1606  };
1607 
1608  uint8_t dcerpc_response2[] = {
1609  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1610  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1611  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1613  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1614  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1615  };
1616 
1617  uint8_t dcerpc_request3[] = {
1618  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1619  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1620  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1621  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1622  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1623  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1624  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1625  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1626  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1627  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1628  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1629  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1630  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1631  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1632  };
1633 
1634  uint8_t dcerpc_response3[] = {
1635  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1636  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1637  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638  0x00, 0x00, 0x00, 0x00,
1639  };
1640 
1641  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1642  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1643 
1644  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1645  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1646 
1647  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1648  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1649 
1650  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1651 
1652  memset(&th_v, 0, sizeof(th_v));
1653  memset(&f, 0, sizeof(f));
1654  memset(&ssn, 0, sizeof(ssn));
1655 
1656  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1657 
1658  FLOW_INITIALIZE(&f);
1659  f.protoctx = (void *)&ssn;
1660  f.proto = IPPROTO_TCP;
1661  p->flow = &f;
1662  p->flowflags |= FLOW_PKT_TOSERVER;
1663  p->flowflags |= FLOW_PKT_ESTABLISHED;
1664  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1665  f.alproto = ALPROTO_DCERPC;
1666 
1667  StreamTcpInitConfig(true);
1668 
1669  de_ctx = DetectEngineCtxInit();
1670  if (de_ctx == NULL)
1671  goto end;
1672 
1673  de_ctx->flags |= DE_QUIET;
1674 
1675  s = de_ctx->sig_list = SigInit(de_ctx,
1676  "alert tcp any any -> any any "
1677  "(msg:\"DCERPC\"; "
1678  "dce_stub_data; content:\"|00 02|\"; "
1679  "sid:1;)");
1680  if (s == NULL)
1681  goto end;
1682  s = de_ctx->sig_list->next = SigInit(de_ctx,
1683  "alert tcp any any -> any any "
1684  "(msg:\"DCERPC\"; "
1685  "dce_stub_data; content:\"|00 75|\"; "
1686  "sid:2;)");
1687  if (s == NULL)
1688  goto end;
1689  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1690  "alert tcp any any -> any any "
1691  "(msg:\"DCERPC\"; "
1692  "dce_stub_data; content:\"|00 18|\"; "
1693  "sid:3;)");
1694  if (s == NULL)
1695  goto end;
1696 
1697  SigGroupBuild(de_ctx);
1698  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1699 
1700  /* request1 */
1701  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1702  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1703  dcerpc_request1_len);
1704  if (r != 0) {
1705  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1706  goto end;
1707  }
1708 
1709  dcerpc_state = f.alstate;
1710  if (dcerpc_state == NULL) {
1711  SCLogDebug("no dcerpc state: ");
1712  goto end;
1713  }
1714 
1715  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1716  p->flowflags |= FLOW_PKT_TOSERVER;
1717  /* do detect */
1718  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1719 
1720  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1721  goto end;
1722 
1723  /* response1 */
1724  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1725  STREAM_TOCLIENT, dcerpc_response1,
1726  dcerpc_response1_len);
1727  if (r != 0) {
1728  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1729  goto end;
1730  }
1731 
1732  p->flowflags &=~ FLOW_PKT_TOSERVER;
1733  p->flowflags |= FLOW_PKT_TOCLIENT;
1734  /* do detect */
1735  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1736 
1737  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1738  goto end;
1739 
1740  /* request2 */
1741  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1742  STREAM_TOSERVER, dcerpc_request2,
1743  dcerpc_request2_len);
1744  if (r != 0) {
1745  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1746  goto end;
1747  }
1748 
1749  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1750  p->flowflags |= FLOW_PKT_TOSERVER;
1751  /* do detect */
1752  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1753 
1754  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1755  goto end;
1756 
1757  /* response2 */
1758  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1759  STREAM_TOCLIENT, dcerpc_response2,
1760  dcerpc_response2_len);
1761  if (r != 0) {
1762  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1763  goto end;
1764  }
1765 
1766  p->flowflags &=~ FLOW_PKT_TOSERVER;
1767  p->flowflags |= FLOW_PKT_TOCLIENT;
1768  /* do detect */
1769  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1770 
1771  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1772  goto end;
1773 
1774  /* request3 */
1775  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1776  STREAM_TOSERVER, dcerpc_request3,
1777  dcerpc_request3_len);
1778  if (r != 0) {
1779  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1780  goto end;
1781  }
1782 
1783  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1784  p->flowflags |= FLOW_PKT_TOSERVER;
1785  /* do detect */
1786  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1787 
1788  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1789  goto end;
1790 
1791  /* response3 */
1792  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1793  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1794  dcerpc_response3_len);
1795  if (r != 0) {
1796  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1797  goto end;
1798  }
1799 
1800  p->flowflags &=~ FLOW_PKT_TOSERVER;
1801  p->flowflags |= FLOW_PKT_TOCLIENT;
1802  /* do detect */
1803  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1804 
1805  if (PacketAlertCheck(p, 1))
1806  goto end;
1807 
1808  result = 1;
1809 
1810  end:
1811  if (alp_tctx != NULL)
1812  AppLayerParserThreadCtxFree(alp_tctx);
1813 
1814  SigGroupCleanup(de_ctx);
1815  SigCleanSignatures(de_ctx);
1816 
1817  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1818  DetectEngineCtxFree(de_ctx);
1819 
1820  StreamTcpFreeConfig(true);
1821  FLOW_DESTROY(&f);
1822 
1823  UTHFreePackets(&p, 1);
1824  return result;
1825 }
1826 
1827 // invalid signature because of invalid protocol
1828 static int DetectDceStubDataTestParse06(void)
1829 {
1830  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1831  FAIL_IF_NULL(de_ctx);
1832  de_ctx->flags = DE_QUIET;
1833  Signature *s = DetectEngineAppendSig(de_ctx,
1834  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1835  FAIL_IF_NOT_NULL(s);
1836  DetectEngineCtxFree(de_ctx);
1837  PASS;
1838 }
1839 
1840 static void DetectDceStubDataRegisterTests(void)
1841 {
1842  UtRegisterTest("DetectDceStubDataTestParse02",
1843  DetectDceStubDataTestParse02);
1844  UtRegisterTest("DetectDceStubDataTestParse03",
1845  DetectDceStubDataTestParse03);
1846  UtRegisterTest("DetectDceStubDataTestParse04",
1847  DetectDceStubDataTestParse04);
1848  UtRegisterTest("DetectDceStubDataTestParse05",
1849  DetectDceStubDataTestParse05);
1850  UtRegisterTest("DetectDceStubDataTestParse06",
1851  DetectDceStubDataTestParse06);
1852 }
1853 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:118
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2313
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1645
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1250
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2103
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1428
InspectionBuffer::initialized
bool initialized
Definition: detect.h:384
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine.c:1570
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:415
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:380
Packet_::flags
uint32_t flags
Definition: decode.h:535
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1422
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:931
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2674
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:322
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:385
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2347
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:523
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1413
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:45
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1429
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1157
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:752
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1223
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3400
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1547
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:151
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2200
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:219
Packet_
Definition: decode.h:492
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:234
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2129
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:295
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:537
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
SigTableElmt_::alias
const char * alias
Definition: detect.h:1429
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1290
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3626
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:940
Flow_::alstate
void * alstate
Definition: flow.h:479
detect-parse.h
Signature_
Signature container.
Definition: detect.h:670
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:61
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:235
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2635
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1620
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:245
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:933
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:44
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1247
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1420
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456