suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "app-layer-dcerpc.h"
44 #include "queue.h"
45 #include "stream-tcp-reassemble.h"
46 
47 #include "detect-dce-stub-data.h"
48 #include "detect-dce-iface.h"
49 
50 #include "util-debug.h"
51 
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 
55 #include "stream-tcp.h"
56 
57 #include "rust.h"
58 
59 #define BUFFER_NAME "dce_stub_data"
60 #define KEYWORD_NAME "dce_stub_data"
61 
62 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
63 #ifdef UNITTESTS
64 static void DetectDceStubDataRegisterTests(void);
65 #endif
66 static int g_dce_stub_data_buffer_id = 0;
67 
68 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
69  const DetectEngineTransforms *transforms,
70  Flow *_f, const uint8_t flow_flags,
71  void *txv, const int list_id)
72 {
73  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
74  if (buffer->inspect == NULL) {
75  uint32_t data_len = 0;
76  const uint8_t *data = NULL;
77  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
78  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
79  return NULL;
80  SCLogDebug("have data!");
81 
82  InspectionBufferSetup(buffer, data, data_len);
83  InspectionBufferApplyTransforms(buffer, transforms);
84  }
85  return buffer;
86 }
87 
88 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
89  const DetectEngineTransforms *transforms,
90  Flow *_f, const uint8_t flow_flags,
91  void *txv, const int list_id)
92 {
93  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
94  if (buffer->inspect == NULL) {
95  uint32_t data_len = 0;
96  const uint8_t *data = NULL;
97  uint8_t endianness;
98 
99  rs_dcerpc_get_stub_data(txv, &data, &data_len, &endianness, flow_flags);
100  if (data == NULL || data_len == 0)
101  return NULL;
102 
103  if (endianness > 0) {
104  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
105  } else {
106  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
107  }
108  InspectionBufferSetup(buffer, data, data_len);
109  InspectionBufferApplyTransforms(buffer, transforms);
110  }
111  return buffer;
112 }
113 
114 /**
115  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
116  */
117 void DetectDceStubDataRegister(void)
118 {
119  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
120  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
122 #ifdef UNITTESTS
123  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
124 #endif
125  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
126 
127  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
128  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
129  DetectEngineInspectBufferGeneric,
130  GetSMBData);
131  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
132  PrefilterGenericMpmRegister, GetSMBData,
133  ALPROTO_SMB, 0);
134  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
135  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
136  DetectEngineInspectBufferGeneric,
137  GetSMBData);
138  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
139  PrefilterGenericMpmRegister, GetSMBData,
140  ALPROTO_SMB, 0);
141 
142  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
143  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
144  DetectEngineInspectBufferGeneric,
145  GetDCEData);
146  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
147  PrefilterGenericMpmRegister, GetDCEData,
148  ALPROTO_DCERPC, 0);
149  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
150  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
151  DetectEngineInspectBufferGeneric,
152  GetDCEData);
153  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
154  PrefilterGenericMpmRegister, GetDCEData,
155  ALPROTO_DCERPC, 0);
156 
157  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
158 }
159 
160 /**
161  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
162  * and appends it to the Signature(s).
163  *
164  * \param de_ctx Pointer to the detection engine context
165  * \param s Pointer to signature for the current Signature being parsed
166  * from the rules
167  * \param arg Pointer to the string holding the keyword value
168  *
169  * \retval 0 on success, -1 on failure
170  */
171 
172 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
173 {
174  if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
175  s->alproto != ALPROTO_SMB) {
176  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
177  return -1;
178  }
179  if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
180  return -1;
181 
182  s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
183  return 0;
184 }
185 
186 /************************************Unittests*********************************/
187 
188 #ifdef UNITTESTS
189 
190 static int DetectDceStubDataTestParse01(void)
191 {
192  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
193  FAIL_IF_NULL(de_ctx);
194  de_ctx->flags = DE_QUIET;
195  Signature *s = DetectEngineAppendSig(de_ctx,
196  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
197  FAIL_IF_NULL(s);
198  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
199  DetectEngineCtxFree(de_ctx);
200  PASS;
201 }
202 
203 /**
204  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
205  */
206 static int DetectDceStubDataTestParse02(void)
207 {
208  int result = 0;
209  Signature *s = NULL;
210  ThreadVars th_v;
211  Packet *p = NULL;
212  Flow f;
213  TcpSession ssn;
214  DetectEngineThreadCtx *det_ctx = NULL;
215  DetectEngineCtx *de_ctx = NULL;
216  DCERPCState *dcerpc_state = NULL;
217  int r = 0;
218 
219  uint8_t dcerpc_bind[] = {
220  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
221  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
222  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
223  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
224  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
225  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
226  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
227  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
228  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
229  };
230 
231  uint8_t dcerpc_bindack[] = {
232  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
233  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
234  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
235  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
236  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
237  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
239  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
240  0x02, 0x00, 0x00, 0x00
241  };
242 
243  /* todo chop the request frag length and change the
244  * length related parameters in the frag */
245  uint8_t dcerpc_request[] = {
246  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
247  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
248  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
249  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
250  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
251  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
252  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
253  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
254  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
255  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
256  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
257  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
258  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
259  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
260  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
261  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
262  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
263  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
264  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
265  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
266  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
267  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
268  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
269  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
270  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
271  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
272  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
273  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
274  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
275  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
276  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
277  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
278  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
279  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
280  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
281  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
282  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
283  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
284  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
285  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
286  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
287  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
288  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
289  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
290  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
291  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
292  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
293  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
294  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
295  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
296  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
297  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
298  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
299  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
300  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
301  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
302  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
303  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
304  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
305  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
306  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
307  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
308  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
309  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
310  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
311  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
312  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
313  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
314  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
315  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
316  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
317  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
318  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
319  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
320  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
321  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
322  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
323  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
324  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
325  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
326  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
327  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
328  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
329  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
493  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
494  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
495  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
496  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
497  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
498  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
499  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
500  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
501  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
502  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
503  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
504  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
505  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
506  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
507  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
508  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
509  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
510  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
511  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
512  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
513  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
514  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
515  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
516  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
517  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
518  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
519  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
520  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
521  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
522  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
523  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
524  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
525  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
526  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
527  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
593  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
658  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
659  0x01, 0x02, 0x03, 0x04
660  };
661 
662  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
663  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
664  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
665  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
666 
667  memset(&th_v, 0, sizeof(th_v));
668  memset(&f, 0, sizeof(f));
669  memset(&ssn, 0, sizeof(ssn));
670 
671  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
672 
673  FLOW_INITIALIZE(&f);
674  f.protoctx = (void *)&ssn;
675  f.proto = IPPROTO_TCP;
676  p->flow = &f;
677  p->flowflags |= FLOW_PKT_TOSERVER;
678  p->flowflags |= FLOW_PKT_ESTABLISHED;
679  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
680  f.alproto = ALPROTO_DCERPC;
681 
682  StreamTcpInitConfig(TRUE);
683 
684  de_ctx = DetectEngineCtxInit();
685  if (de_ctx == NULL)
686  goto end;
687 
688  de_ctx->flags |= DE_QUIET;
689 
690  s = de_ctx->sig_list = SigInit(de_ctx,
691  "alert tcp any any -> any any "
692  "(msg:\"DCERPC\"; "
693  "dce_stub_data; content:\"|42 42 42 42|\";"
694  "sid:1;)");
695  if (s == NULL)
696  goto end;
697 
698  SigGroupBuild(de_ctx);
699  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
700 
701  FLOWLOCK_WRLOCK(&f);
702  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
703  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
704  dcerpc_bind_len);
705  if (r != 0) {
706  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
707  FLOWLOCK_UNLOCK(&f);
708  goto end;
709  }
710  FLOWLOCK_UNLOCK(&f);
711 
712  dcerpc_state = f.alstate;
713  if (dcerpc_state == NULL) {
714  SCLogDebug("no dcerpc state: ");
715  goto end;
716  }
717 
718  p->flowflags &=~ FLOW_PKT_TOCLIENT;
719  p->flowflags |= FLOW_PKT_TOSERVER;
720  /* do detect */
721  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
722 
723  /* we shouldn't have any stub data */
724  if (PacketAlertCheck(p, 1))
725  goto end;
726 
727  /* do detect */
728  FLOWLOCK_WRLOCK(&f);
729  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
730  STREAM_TOCLIENT, dcerpc_bindack,
731  dcerpc_bindack_len);
732  if (r != 0) {
733  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
734  FLOWLOCK_UNLOCK(&f);
735  goto end;
736  }
737  FLOWLOCK_UNLOCK(&f);
738 
739  p->flowflags &=~ FLOW_PKT_TOSERVER;
740  p->flowflags |= FLOW_PKT_TOCLIENT;
741  /* do detect */
742  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
743 
744  /* we shouldn't have any stub data */
745  if (PacketAlertCheck(p, 1))
746  goto end;
747 
748  FLOWLOCK_WRLOCK(&f);
749  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
750  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
751  dcerpc_request_len);
752  if (r != 0) {
753  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
754  FLOWLOCK_UNLOCK(&f);
755  goto end;
756  }
757  FLOWLOCK_UNLOCK(&f);
758 
759  p->flowflags &=~ FLOW_PKT_TOCLIENT;
760  p->flowflags |= FLOW_PKT_TOSERVER;
761  /* do detect */
762  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
763 
764  /* we should have the stub data since we previously parsed a request frag */
765  if (!PacketAlertCheck(p, 1))
766  goto end;
767 
768  result = 1;
769 
770  end:
771  if (alp_tctx != NULL)
772  AppLayerParserThreadCtxFree(alp_tctx);
773  SigGroupCleanup(de_ctx);
774  SigCleanSignatures(de_ctx);
775 
776  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
777  DetectEngineCtxFree(de_ctx);
778 
779  StreamTcpFreeConfig(TRUE);
780  FLOW_DESTROY(&f);
781 
782  UTHFreePackets(&p, 1);
783  return result;
784 }
785 
786 /**
787  * \test Test a valid dce_stub_data with just a request frag.
788  */
789 static int DetectDceStubDataTestParse03(void)
790 {
791  Signature *s = NULL;
792  ThreadVars th_v;
793  Packet *p = NULL;
794  Flow f;
795  TcpSession ssn;
796  DetectEngineThreadCtx *det_ctx = NULL;
797  DetectEngineCtx *de_ctx = NULL;
798  DCERPCState *dcerpc_state = NULL;
799  int r = 0;
800 
801  /* todo chop the request frag length and change the
802  * length related parameters in the frag */
803  uint8_t dcerpc_request[] = {
804  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
805  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
806  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
807  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
808  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
809  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
810  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
811  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
812  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
813  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
814  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
815  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
816  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
817  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
818  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
819  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
820  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
821  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
822  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
823  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
824  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
825  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
826  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
827  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
828  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
829  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
830  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
831  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
832  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
833  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
834  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
835  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
836  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
837  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
838  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
839  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
840  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
841  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
842  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
843  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
844  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
845  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
846  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
847  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
848  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
849  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
850  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
851  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
852  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
853  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
854  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
855  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
856  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
857  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
858  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
859  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
860  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
861  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
862  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
863  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
864  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
865  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
866  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
867  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
868  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
869  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
870  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
871  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
872  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
873  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
874  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
875  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
876  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
877  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
878  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
879  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
880  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
881  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
882  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
883  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
884  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
885  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
886  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
887  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1051  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1052  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1053  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1054  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1055  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1056  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1057  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1058  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1059  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1060  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1061  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1062  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1063  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1064  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1065  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1066  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1067  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1068  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1070  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1071  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1072  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1073  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1074  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1075  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1076  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1077  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1078  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1079  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1080  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1081  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1082  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1083  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1084  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1085  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1142  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1143  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1144  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1145  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1146  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1147  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1148  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1149  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1150  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1151  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1184  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1185  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1186  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1187  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1188  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1189  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1190  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1191  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1192  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1193  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1194  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1195  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1196  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1197  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1198  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1199  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1200  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1201  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1202  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1203  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1204  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1205  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1206  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1207  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1208  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1209  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1210  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1211  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1212  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1213  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1214  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1215  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1216  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1217  0x01, 0x02, 0x03, 0x04
1218  };
1219 
1220  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1221 
1222  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1223 
1224  memset(&th_v, 0, sizeof(th_v));
1225  memset(&f, 0, sizeof(f));
1226  memset(&ssn, 0, sizeof(ssn));
1227 
1228  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1229 
1230  FLOW_INITIALIZE(&f);
1231  f.protoctx = (void *)&ssn;
1232  f.proto = IPPROTO_TCP;
1233  p->flow = &f;
1234  p->flowflags |= FLOW_PKT_TOSERVER;
1235  p->flowflags |= FLOW_PKT_ESTABLISHED;
1236  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1237  f.alproto = ALPROTO_DCERPC;
1238 
1239  StreamTcpInitConfig(TRUE);
1240 
1241  de_ctx = DetectEngineCtxInit();
1242  FAIL_IF(de_ctx == NULL);
1243 
1244  de_ctx->flags |= DE_QUIET;
1245 
1246  s = de_ctx->sig_list = SigInit(de_ctx,
1247  "alert tcp any any -> any any "
1248  "(msg:\"DCERPC\"; "
1249  "dce_stub_data; content:\"|42 42 42 42|\";"
1250  "sid:1;)");
1251  FAIL_IF(s == NULL);
1252 
1253  SigGroupBuild(de_ctx);
1254  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1255 
1256  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1257  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1258  dcerpc_request_len);
1259  FAIL_IF(r != 0);
1260 
1261  dcerpc_state = f.alstate;
1262  FAIL_IF (dcerpc_state == NULL);
1263 
1264  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1265  p->flowflags |= FLOW_PKT_TOSERVER;
1266  /* do detect */
1267  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1268  FAIL_IF(!PacketAlertCheck(p, 1));
1269 
1270  if (alp_tctx != NULL)
1271  AppLayerParserThreadCtxFree(alp_tctx);
1272  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1273  DetectEngineCtxFree(de_ctx);
1274  StreamTcpFreeConfig(TRUE);
1275  FLOW_DESTROY(&f);
1276 
1277  UTHFreePackets(&p, 1);
1278  PASS;
1279 }
1280 
1281 static int DetectDceStubDataTestParse04(void)
1282 {
1283  int result = 0;
1284  Signature *s = NULL;
1285  ThreadVars th_v;
1286  Packet *p = NULL;
1287  Flow f;
1288  TcpSession ssn;
1289  DetectEngineThreadCtx *det_ctx = NULL;
1290  DetectEngineCtx *de_ctx = NULL;
1291  DCERPCState *dcerpc_state = NULL;
1292  int r = 0;
1293 
1294  uint8_t dcerpc_bind[] = {
1295  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1296  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1297  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1298  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1299  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1300  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1301  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1302  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1303  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1304  };
1305 
1306  uint8_t dcerpc_bindack[] = {
1307  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1308  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1309  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1310  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1311  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1312  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1314  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1315  0x02, 0x00, 0x00, 0x00,
1316  };
1317 
1318  uint8_t dcerpc_request1[] = {
1319  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1320  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1321  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1322  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1323  0x00, 0x00, 0x00, 0x02,
1324  };
1325 
1326  uint8_t dcerpc_response1[] = {
1327  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1328  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1329  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1330  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1331  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1332  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1333  };
1334 
1335  uint8_t dcerpc_request2[] = {
1336  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1337  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1338  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1339  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1340  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1341  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1342  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1343  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1344  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1345  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1346  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1347  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1348  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1349  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1350  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1351  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1352  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1353  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1354  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1355  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1356  0x03, 0x00, 0x00, 0x00,
1357  };
1358 
1359  uint8_t dcerpc_response2[] = {
1360  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1361  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1362  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1363  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1364  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1365  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1366  };
1367 
1368  uint8_t dcerpc_request3[] = {
1369  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1370  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1371  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1372  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1373  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1374  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1375  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1376  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1377  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1378  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1379  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1380  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1381  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1382  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1383  };
1384 
1385  uint8_t dcerpc_response3[] = {
1386  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1387  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1388  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1389  0x00, 0x00, 0x00, 0x00,
1390  };
1391 
1392  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1393  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1394 
1395  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1396  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1397 
1398  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1399  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1400 
1401  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1402  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1403 
1404  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1405 
1406  memset(&th_v, 0, sizeof(th_v));
1407  memset(&f, 0, sizeof(f));
1408  memset(&ssn, 0, sizeof(ssn));
1409 
1410  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1411 
1412  FLOW_INITIALIZE(&f);
1413  f.protoctx = (void *)&ssn;
1414  f.proto = IPPROTO_TCP;
1415  p->flow = &f;
1416  p->flowflags |= FLOW_PKT_TOSERVER;
1417  p->flowflags |= FLOW_PKT_ESTABLISHED;
1418  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1419  f.alproto = ALPROTO_DCERPC;
1420 
1421  StreamTcpInitConfig(TRUE);
1422 
1423  de_ctx = DetectEngineCtxInit();
1424  if (de_ctx == NULL)
1425  goto end;
1426 
1427  de_ctx->flags |= DE_QUIET;
1428 
1429  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1430  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1431  if (s == NULL)
1432  goto end;
1433  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1434  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1435  if (s == NULL)
1436  goto end;
1437  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1438  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1439  if (s == NULL)
1440  goto end;
1441 
1442  SigGroupBuild(de_ctx);
1443  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1444 
1445  FLOWLOCK_WRLOCK(&f);
1446  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1447  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1448  dcerpc_bind_len);
1449  if (r != 0) {
1450  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1451  FLOWLOCK_UNLOCK(&f);
1452  goto end;
1453  }
1454  FLOWLOCK_UNLOCK(&f);
1455  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1456  p->flowflags |= FLOW_PKT_TOSERVER;
1457  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1458 
1459  dcerpc_state = f.alstate;
1460  if (dcerpc_state == NULL) {
1461  SCLogDebug("no dcerpc state: ");
1462  goto end;
1463  }
1464 
1465  FLOWLOCK_WRLOCK(&f);
1466  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1467  STREAM_TOCLIENT, dcerpc_bindack,
1468  dcerpc_bindack_len);
1469  if (r != 0) {
1470  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1471  FLOWLOCK_UNLOCK(&f);
1472  goto end;
1473  }
1474  FLOWLOCK_UNLOCK(&f);
1475  p->flowflags &=~ FLOW_PKT_TOSERVER;
1476  p->flowflags |= FLOW_PKT_TOCLIENT;
1477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1478 
1479  /* request1 */
1480  FLOWLOCK_WRLOCK(&f);
1481  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1482  STREAM_TOSERVER, dcerpc_request1,
1483  dcerpc_request1_len);
1484  if (r != 0) {
1485  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1486  FLOWLOCK_UNLOCK(&f);
1487  goto end;
1488  }
1489  FLOWLOCK_UNLOCK(&f);
1490 
1491  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1492  p->flowflags |= FLOW_PKT_TOSERVER;
1493  /* do detect */
1494  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1495 
1496  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1497  goto end;
1498 
1499  /* response1 */
1500  FLOWLOCK_WRLOCK(&f);
1501  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1502  STREAM_TOCLIENT, dcerpc_response1,
1503  dcerpc_response1_len);
1504  if (r != 0) {
1505  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1506  FLOWLOCK_UNLOCK(&f);
1507  goto end;
1508  }
1509  FLOWLOCK_UNLOCK(&f);
1510 
1511  p->flowflags &=~ FLOW_PKT_TOSERVER;
1512  p->flowflags |= FLOW_PKT_TOCLIENT;
1513  /* do detect */
1514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1515 
1516  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1517  goto end;
1518 
1519  /* request2 */
1520  FLOWLOCK_WRLOCK(&f);
1521  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1522  STREAM_TOSERVER, dcerpc_request2,
1523  dcerpc_request2_len);
1524  if (r != 0) {
1525  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1526  FLOWLOCK_UNLOCK(&f);
1527  goto end;
1528  }
1529  FLOWLOCK_UNLOCK(&f);
1530 
1531  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1532  p->flowflags |= FLOW_PKT_TOSERVER;
1533  /* do detect */
1534  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1535 
1536  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1537  goto end;
1538 
1539  /* response2 */
1540  FLOWLOCK_WRLOCK(&f);
1541  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1542  STREAM_TOCLIENT, dcerpc_response2,
1543  dcerpc_response2_len);
1544  if (r != 0) {
1545  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1546  FLOWLOCK_UNLOCK(&f);
1547  goto end;
1548  }
1549  FLOWLOCK_UNLOCK(&f);
1550 
1551  p->flowflags &=~ FLOW_PKT_TOSERVER;
1552  p->flowflags |= FLOW_PKT_TOCLIENT;
1553  /* do detect */
1554  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1555 
1556  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1557  goto end;
1558  /* request3 */
1559  FLOWLOCK_WRLOCK(&f);
1560  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1561  STREAM_TOSERVER, dcerpc_request3,
1562  dcerpc_request3_len);
1563  if (r != 0) {
1564  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1565  FLOWLOCK_UNLOCK(&f);
1566  goto end;
1567  }
1568  FLOWLOCK_UNLOCK(&f);
1569 
1570  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1571  p->flowflags |= FLOW_PKT_TOSERVER;
1572  /* do detect */
1573  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1574 
1575  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1576  goto end;
1577 
1578  /* response3 */
1579  FLOWLOCK_WRLOCK(&f);
1580  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1581  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1582  dcerpc_response3_len);
1583  if (r != 0) {
1584  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1585  FLOWLOCK_UNLOCK(&f);
1586  goto end;
1587  }
1588  FLOWLOCK_UNLOCK(&f);
1589 
1590  p->flowflags &=~ FLOW_PKT_TOSERVER;
1591  p->flowflags |= FLOW_PKT_TOCLIENT;
1592  /* do detect */
1593  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1594 
1595  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1596  goto end;
1597 
1598  result = 1;
1599 
1600  end:
1601  if (alp_tctx != NULL)
1602  AppLayerParserThreadCtxFree(alp_tctx);
1603  SigGroupCleanup(de_ctx);
1604  SigCleanSignatures(de_ctx);
1605 
1606  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1607  DetectEngineCtxFree(de_ctx);
1608 
1609  StreamTcpFreeConfig(TRUE);
1610  FLOW_DESTROY(&f);
1611 
1612  UTHFreePackets(&p, 1);
1613  return result;
1614 }
1615 
1616 static int DetectDceStubDataTestParse05(void)
1617 {
1618  int result = 0;
1619  Signature *s = NULL;
1620  ThreadVars th_v;
1621  Packet *p = NULL;
1622  Flow f;
1623  TcpSession ssn;
1624  DetectEngineThreadCtx *det_ctx = NULL;
1625  DetectEngineCtx *de_ctx = NULL;
1626  DCERPCState *dcerpc_state = NULL;
1627  int r = 0;
1628 
1629  uint8_t dcerpc_request1[] = {
1630  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1631  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1632  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1633  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1634  0x00, 0x00, 0x00, 0x02,
1635  };
1636 
1637  uint8_t dcerpc_response1[] = {
1638  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1639  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1640  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1641  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1642  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1643  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1644  };
1645 
1646  uint8_t dcerpc_request2[] = {
1647  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1648  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1649  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1650  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1651  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1652  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1653  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1654  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1655  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1656  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1657  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1658  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1659  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1660  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1661  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1662  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1663  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1664  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1665  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1666  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1667  0x03, 0x00, 0x00, 0x00,
1668  };
1669 
1670  uint8_t dcerpc_response2[] = {
1671  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1672  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1673  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1674  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1675  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1676  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1677  };
1678 
1679  uint8_t dcerpc_request3[] = {
1680  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1681  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1682  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1683  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1684  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1685  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1686  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1687  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1688  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1689  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1690  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1691  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1692  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1693  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1694  };
1695 
1696  uint8_t dcerpc_response3[] = {
1697  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1698  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1699  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1700  0x00, 0x00, 0x00, 0x00,
1701  };
1702 
1703  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1704  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1705 
1706  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1707  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1708 
1709  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1710  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1711 
1712  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1713 
1714  memset(&th_v, 0, sizeof(th_v));
1715  memset(&f, 0, sizeof(f));
1716  memset(&ssn, 0, sizeof(ssn));
1717 
1718  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1719 
1720  FLOW_INITIALIZE(&f);
1721  f.protoctx = (void *)&ssn;
1722  f.proto = IPPROTO_TCP;
1723  p->flow = &f;
1724  p->flowflags |= FLOW_PKT_TOSERVER;
1725  p->flowflags |= FLOW_PKT_ESTABLISHED;
1726  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1727  f.alproto = ALPROTO_DCERPC;
1728 
1729  StreamTcpInitConfig(TRUE);
1730 
1731  de_ctx = DetectEngineCtxInit();
1732  if (de_ctx == NULL)
1733  goto end;
1734 
1735  de_ctx->flags |= DE_QUIET;
1736 
1737  s = de_ctx->sig_list = SigInit(de_ctx,
1738  "alert tcp any any -> any any "
1739  "(msg:\"DCERPC\"; "
1740  "dce_stub_data; content:\"|00 02|\"; "
1741  "sid:1;)");
1742  if (s == NULL)
1743  goto end;
1744  s = de_ctx->sig_list->next = SigInit(de_ctx,
1745  "alert tcp any any -> any any "
1746  "(msg:\"DCERPC\"; "
1747  "dce_stub_data; content:\"|00 75|\"; "
1748  "sid:2;)");
1749  if (s == NULL)
1750  goto end;
1751  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1752  "alert tcp any any -> any any "
1753  "(msg:\"DCERPC\"; "
1754  "dce_stub_data; content:\"|00 18|\"; "
1755  "sid:3;)");
1756  if (s == NULL)
1757  goto end;
1758 
1759  SigGroupBuild(de_ctx);
1760  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1761 
1762  /* request1 */
1763  FLOWLOCK_WRLOCK(&f);
1764  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1765  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1766  dcerpc_request1_len);
1767  if (r != 0) {
1768  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1769  FLOWLOCK_UNLOCK(&f);
1770  goto end;
1771  }
1772  FLOWLOCK_UNLOCK(&f);
1773 
1774  dcerpc_state = f.alstate;
1775  if (dcerpc_state == NULL) {
1776  SCLogDebug("no dcerpc state: ");
1777  goto end;
1778  }
1779 
1780  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1781  p->flowflags |= FLOW_PKT_TOSERVER;
1782  /* do detect */
1783  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1784 
1785  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1786  goto end;
1787 
1788  /* response1 */
1789  FLOWLOCK_WRLOCK(&f);
1790  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1791  STREAM_TOCLIENT, dcerpc_response1,
1792  dcerpc_response1_len);
1793  if (r != 0) {
1794  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1795  FLOWLOCK_UNLOCK(&f);
1796  goto end;
1797  }
1798  FLOWLOCK_UNLOCK(&f);
1799 
1800  p->flowflags &=~ FLOW_PKT_TOSERVER;
1801  p->flowflags |= FLOW_PKT_TOCLIENT;
1802  /* do detect */
1803  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1804 
1805  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1806  goto end;
1807 
1808  /* request2 */
1809  FLOWLOCK_WRLOCK(&f);
1810  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1811  STREAM_TOSERVER, dcerpc_request2,
1812  dcerpc_request2_len);
1813  if (r != 0) {
1814  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1815  FLOWLOCK_UNLOCK(&f);
1816  goto end;
1817  }
1818  FLOWLOCK_UNLOCK(&f);
1819 
1820  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1821  p->flowflags |= FLOW_PKT_TOSERVER;
1822  /* do detect */
1823  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1824 
1825  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1826  goto end;
1827 
1828  /* response2 */
1829  FLOWLOCK_WRLOCK(&f);
1830  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1831  STREAM_TOCLIENT, dcerpc_response2,
1832  dcerpc_response2_len);
1833  if (r != 0) {
1834  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1835  FLOWLOCK_UNLOCK(&f);
1836  goto end;
1837  }
1838  FLOWLOCK_UNLOCK(&f);
1839 
1840  p->flowflags &=~ FLOW_PKT_TOSERVER;
1841  p->flowflags |= FLOW_PKT_TOCLIENT;
1842  /* do detect */
1843  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1844 
1845  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1846  goto end;
1847 
1848  /* request3 */
1849  FLOWLOCK_WRLOCK(&f);
1850  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1851  STREAM_TOSERVER, dcerpc_request3,
1852  dcerpc_request3_len);
1853  if (r != 0) {
1854  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1855  FLOWLOCK_UNLOCK(&f);
1856  goto end;
1857  }
1858  FLOWLOCK_UNLOCK(&f);
1859 
1860  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1861  p->flowflags |= FLOW_PKT_TOSERVER;
1862  /* do detect */
1863  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1864 
1865  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1866  goto end;
1867 
1868  /* response3 */
1869  FLOWLOCK_WRLOCK(&f);
1870  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1871  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1872  dcerpc_response3_len);
1873  if (r != 0) {
1874  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1875  FLOWLOCK_UNLOCK(&f);
1876  goto end;
1877  }
1878  FLOWLOCK_UNLOCK(&f);
1879 
1880  p->flowflags &=~ FLOW_PKT_TOSERVER;
1881  p->flowflags |= FLOW_PKT_TOCLIENT;
1882  /* do detect */
1883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1884 
1885  if (PacketAlertCheck(p, 1))
1886  goto end;
1887 
1888  result = 1;
1889 
1890  end:
1891  if (alp_tctx != NULL)
1892  AppLayerParserThreadCtxFree(alp_tctx);
1893 
1894  SigGroupCleanup(de_ctx);
1895  SigCleanSignatures(de_ctx);
1896 
1897  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1898  DetectEngineCtxFree(de_ctx);
1899 
1900  StreamTcpFreeConfig(TRUE);
1901  FLOW_DESTROY(&f);
1902 
1903  UTHFreePackets(&p, 1);
1904  return result;
1905 }
1906 
1907 // invalid signature because of invalid protocol
1908 static int DetectDceStubDataTestParse06(void)
1909 {
1910  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1911  FAIL_IF_NULL(de_ctx);
1912  de_ctx->flags = DE_QUIET;
1913  Signature *s = DetectEngineAppendSig(de_ctx,
1914  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1915  FAIL_IF_NOT_NULL(s);
1916  DetectEngineCtxFree(de_ctx);
1917  PASS;
1918 }
1919 
1920 static void DetectDceStubDataRegisterTests(void)
1921 {
1922  UtRegisterTest("DetectDceStubDataTestParse01",
1923  DetectDceStubDataTestParse01);
1924  UtRegisterTest("DetectDceStubDataTestParse02",
1925  DetectDceStubDataTestParse02);
1926  UtRegisterTest("DetectDceStubDataTestParse03",
1927  DetectDceStubDataTestParse03);
1928  UtRegisterTest("DetectDceStubDataTestParse04",
1929  DetectDceStubDataTestParse04);
1930  UtRegisterTest("DetectDceStubDataTestParse05",
1931  DetectDceStubDataTestParse05);
1932  UtRegisterTest("DetectDceStubDataTestParse06",
1933  DetectDceStubDataTestParse06);
1934 }
1935 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:117
app-layer-dcerpc.h
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1404
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1109
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:376
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:532
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:365
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
InspectionBuffer
Definition: detect.h:344
Packet_::flags
uint32_t flags
Definition: decode.h:449
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:348
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:493
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:42
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1061
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:264
STREAM_START
#define STREAM_START
Definition: stream.h:29
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:600
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:261
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:186
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1641
Packet_
Definition: decode.h:414
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:232
SIG_FLAG_INIT_DCERPC
#define SIG_FLAG_INIT_DCERPC
Definition: detect.h:266
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:597
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
detect-engine-content-inspection.h
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2361
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
SigTableElmt_::alias
const char * alias
Definition: detect.h:1212
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1203
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1120
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1211
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:345
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:59
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:221
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1380
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:992
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:41
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1107
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468