suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-build.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-prefilter.h"
37 #include "detect-engine-content-inspection.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "app-layer.h"
44 #include "app-layer-parser.h"
45 #include "queue.h"
46 #include "stream-tcp-reassemble.h"
47 
48 #include "detect-dce-stub-data.h"
49 #include "detect-dce-iface.h"
50 
51 #include "util-debug.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 
56 #include "stream-tcp.h"
57 
58 #include "rust.h"
59 
60 #define BUFFER_NAME "dce_stub_data"
61 
62 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
63 #ifdef UNITTESTS
64 static void DetectDceStubDataRegisterTests(void);
65 #endif
66 static int g_dce_stub_data_buffer_id = 0;
67 
68 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
69  const DetectEngineTransforms *transforms,
70  Flow *_f, const uint8_t flow_flags,
71  void *txv, const int list_id)
72 {
73  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
74  if (!buffer->initialized) {
75  uint32_t data_len = 0;
76  const uint8_t *data = NULL;
77  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
78  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
79  return NULL;
80  SCLogDebug("have data!");
81 
82  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
83  InspectionBufferApplyTransforms(buffer, transforms);
84  }
85  return buffer;
86 }
87 
88 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
89  const DetectEngineTransforms *transforms,
90  Flow *_f, const uint8_t flow_flags,
91  void *txv, const int list_id)
92 {
93  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
94  if (!buffer->initialized) {
95  uint32_t data_len = 0;
96  const uint8_t *data = NULL;
97  uint8_t endianness;
98 
99  rs_dcerpc_get_stub_data(txv, &data, &data_len, &endianness, flow_flags);
100  if (data == NULL || data_len == 0)
101  return NULL;
102 
103  if (endianness > 0) {
104  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
105  } else {
106  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
107  }
108  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
109  InspectionBufferApplyTransforms(buffer, transforms);
110  }
111  return buffer;
112 }
113 
114 /**
115  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
116  */
117 void DetectDceStubDataRegister(void)
118 {
119  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
120  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
122 #ifdef UNITTESTS
123  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
124 #endif
125  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
126 
127  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
128  DetectEngineInspectBufferGeneric, GetSMBData);
129  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
130  GetSMBData, ALPROTO_SMB, 0);
131  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
132  DetectEngineInspectBufferGeneric, GetSMBData);
133  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
134  GetSMBData, ALPROTO_SMB, 0);
135 
136  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
137  DetectEngineInspectBufferGeneric, GetDCEData);
138  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
139  GetDCEData, ALPROTO_DCERPC, 0);
140  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
141  DetectEngineInspectBufferGeneric, GetDCEData);
142  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
143  GetDCEData, ALPROTO_DCERPC, 0);
144 
145  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
146 }
147 
148 /**
149  * \brief setups the dce_stub_data list
150  *
151  * \param de_ctx Pointer to the detection engine context
152  * \param s Pointer to signature for the current Signature being parsed
153  * from the rules
154  * \param arg Pointer to the string holding the keyword value
155  *
156  * \retval 0 on success, -1 on failure
157  */
158 
159 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
160 {
161  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
162  return -1;
163  if (DetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
164  return -1;
165  return 0;
166 }
167 
168 /************************************Unittests*********************************/
169 
170 #ifdef UNITTESTS
171 #include "detect-engine-alert.h"
172 
173 /**
174  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
175  */
176 static int DetectDceStubDataTestParse02(void)
177 {
178  int result = 0;
179  Signature *s = NULL;
180  ThreadVars th_v;
181  Packet *p = NULL;
182  Flow f;
183  TcpSession ssn;
184  DetectEngineThreadCtx *det_ctx = NULL;
185  DetectEngineCtx *de_ctx = NULL;
186  DCERPCState *dcerpc_state = NULL;
187  int r = 0;
188 
189  uint8_t dcerpc_bind[] = {
190  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
191  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
192  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
193  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
194  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
195  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
196  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
197  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
198  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
199  };
200 
201  uint8_t dcerpc_bindack[] = {
202  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
203  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
204  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
205  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
206  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
207  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
208  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
209  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
210  0x02, 0x00, 0x00, 0x00
211  };
212 
213  /* todo chop the request frag length and change the
214  * length related parameters in the frag */
215  uint8_t dcerpc_request[] = {
216  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
217  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
218  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
219  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
220  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
221  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
222  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
223  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
224  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
225  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
226  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
227  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
228  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
229  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
230  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
231  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
232  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
233  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
234  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
235  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
236  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
237  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
238  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
239  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
240  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
241  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
242  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
243  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
244  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
245  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
246  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
247  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
248  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
249  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
250  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
251  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
252  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
253  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
254  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
255  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
256  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
257  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
258  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
259  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
260  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
261  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
262  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
263  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
264  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
265  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
266  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
267  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
268  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
269  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
270  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
271  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
272  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
273  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
274  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
275  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
276  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
277  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
278  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
279  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
280  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
281  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
282  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
283  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
284  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
285  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
286  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
287  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
288  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
289  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
290  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
291  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
292  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
293  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
294  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
295  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
296  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
297  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
298  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
299  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
300  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
301  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
302  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
463  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
464  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
465  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
466  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
467  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
468  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
469  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
470  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
471  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
472  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
473  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
474  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
475  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
476  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
477  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
478  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
479  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
480  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
481  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
482  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
483  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
484  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
485  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
486  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
487  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
488  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
489  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
490  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
491  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
492  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
493  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
494  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
495  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
496  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
497  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
564  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
565  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
566  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x01, 0x02, 0x03, 0x04
630  };
631 
632  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
633  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
634  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
635  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
636 
637  memset(&th_v, 0, sizeof(th_v));
638  memset(&f, 0, sizeof(f));
639  memset(&ssn, 0, sizeof(ssn));
640 
641  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
642 
643  FLOW_INITIALIZE(&f);
644  f.protoctx = (void *)&ssn;
645  f.proto = IPPROTO_TCP;
646  p->flow = &f;
647  p->flowflags |= FLOW_PKT_TOSERVER;
648  p->flowflags |= FLOW_PKT_ESTABLISHED;
649  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
650  f.alproto = ALPROTO_DCERPC;
651 
652  StreamTcpInitConfig(true);
653 
654  de_ctx = DetectEngineCtxInit();
655  if (de_ctx == NULL)
656  goto end;
657 
658  de_ctx->flags |= DE_QUIET;
659 
660  s = de_ctx->sig_list = SigInit(de_ctx,
661  "alert tcp any any -> any any "
662  "(msg:\"DCERPC\"; "
663  "dce_stub_data; content:\"|42 42 42 42|\";"
664  "sid:1;)");
665  if (s == NULL)
666  goto end;
667 
668  SigGroupBuild(de_ctx);
669  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
670 
671  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
672  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
673  dcerpc_bind_len);
674  if (r != 0) {
675  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
676  goto end;
677  }
678 
679  dcerpc_state = f.alstate;
680  if (dcerpc_state == NULL) {
681  SCLogDebug("no dcerpc state: ");
682  goto end;
683  }
684 
685  p->flowflags &=~ FLOW_PKT_TOCLIENT;
686  p->flowflags |= FLOW_PKT_TOSERVER;
687  /* do detect */
688  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
689 
690  /* we shouldn't have any stub data */
691  if (PacketAlertCheck(p, 1))
692  goto end;
693 
694  /* do detect */
695  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
696  STREAM_TOCLIENT, dcerpc_bindack,
697  dcerpc_bindack_len);
698  if (r != 0) {
699  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
700  goto end;
701  }
702 
703  p->flowflags &=~ FLOW_PKT_TOSERVER;
704  p->flowflags |= FLOW_PKT_TOCLIENT;
705  /* do detect */
706  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
707 
708  /* we shouldn't have any stub data */
709  if (PacketAlertCheck(p, 1))
710  goto end;
711 
712  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
713  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
714  dcerpc_request_len);
715  if (r != 0) {
716  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
717  goto end;
718  }
719 
720  p->flowflags &=~ FLOW_PKT_TOCLIENT;
721  p->flowflags |= FLOW_PKT_TOSERVER;
722  /* do detect */
723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
724 
725  /* we should have the stub data since we previously parsed a request frag */
726  if (!PacketAlertCheck(p, 1))
727  goto end;
728 
729  result = 1;
730 
731  end:
732  if (alp_tctx != NULL)
733  AppLayerParserThreadCtxFree(alp_tctx);
734  SigGroupCleanup(de_ctx);
735  SigCleanSignatures(de_ctx);
736 
737  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
738  DetectEngineCtxFree(de_ctx);
739 
740  StreamTcpFreeConfig(true);
741  FLOW_DESTROY(&f);
742 
743  UTHFreePackets(&p, 1);
744  return result;
745 }
746 
747 /**
748  * \test Test a valid dce_stub_data with just a request frag.
749  */
750 static int DetectDceStubDataTestParse03(void)
751 {
752  Signature *s = NULL;
753  ThreadVars th_v;
754  Packet *p = NULL;
755  Flow f;
756  TcpSession ssn;
757  DetectEngineThreadCtx *det_ctx = NULL;
758  DetectEngineCtx *de_ctx = NULL;
759  DCERPCState *dcerpc_state = NULL;
760  int r = 0;
761 
762  /* todo chop the request frag length and change the
763  * length related parameters in the frag */
764  uint8_t dcerpc_request[] = {
765  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
766  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
767  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
768  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
769  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
770  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
771  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
772  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
773  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
774  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
775  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
776  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
777  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
778  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
779  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
780  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
781  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
782  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
783  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
784  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
785  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
786  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
787  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
788  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
789  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
790  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
791  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
792  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
793  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
794  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
795  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
796  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
797  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
798  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
799  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
800  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
801  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
802  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
803  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
804  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
805  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
806  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
807  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
808  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
809  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
810  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
811  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
812  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
813  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
814  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
815  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
816  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
817  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
818  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
819  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
820  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
821  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
822  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
823  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
824  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
825  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
826  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
827  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
828  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
829  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
830  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
831  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
832  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
833  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
834  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
835  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
836  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
837  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
838  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
839  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
840  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
841  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
842  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
843  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
844  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
845  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
846  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
847  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
848  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
849  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
850  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
851  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1012  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1013  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1014  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1015  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1016  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1017  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1018  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1019  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1020  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1021  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1022  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1023  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1024  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1025  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1026  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1027  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1028  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1029  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1031  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1032  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1033  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1034  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1035  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1036  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1037  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1038  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1039  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1040  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1041  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1042  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1043  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1044  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1045  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1046  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1113  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1114  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1115  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x01, 0x02, 0x03, 0x04
1179  };
1180 
1181  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1182 
1183  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1184 
1185  memset(&th_v, 0, sizeof(th_v));
1186  memset(&f, 0, sizeof(f));
1187  memset(&ssn, 0, sizeof(ssn));
1188 
1189  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1190 
1191  FLOW_INITIALIZE(&f);
1192  f.protoctx = (void *)&ssn;
1193  f.proto = IPPROTO_TCP;
1194  p->flow = &f;
1195  p->flowflags |= FLOW_PKT_TOSERVER;
1196  p->flowflags |= FLOW_PKT_ESTABLISHED;
1197  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1198  f.alproto = ALPROTO_DCERPC;
1199 
1200  StreamTcpInitConfig(true);
1201 
1202  de_ctx = DetectEngineCtxInit();
1203  FAIL_IF(de_ctx == NULL);
1204 
1205  de_ctx->flags |= DE_QUIET;
1206 
1207  s = de_ctx->sig_list = SigInit(de_ctx,
1208  "alert tcp any any -> any any "
1209  "(msg:\"DCERPC\"; "
1210  "dce_stub_data; content:\"|42 42 42 42|\";"
1211  "sid:1;)");
1212  FAIL_IF(s == NULL);
1213 
1214  SigGroupBuild(de_ctx);
1215  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1216 
1217  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1218  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1219  dcerpc_request_len);
1220  FAIL_IF(r != 0);
1221 
1222  dcerpc_state = f.alstate;
1223  FAIL_IF (dcerpc_state == NULL);
1224 
1225  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1226  p->flowflags |= FLOW_PKT_TOSERVER;
1227  /* do detect */
1228  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1229  FAIL_IF(!PacketAlertCheck(p, 1));
1230 
1231  if (alp_tctx != NULL)
1232  AppLayerParserThreadCtxFree(alp_tctx);
1233  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1234  DetectEngineCtxFree(de_ctx);
1235  StreamTcpFreeConfig(true);
1236  FLOW_DESTROY(&f);
1237 
1238  UTHFreePackets(&p, 1);
1239  PASS;
1240 }
1241 
1242 static int DetectDceStubDataTestParse04(void)
1243 {
1244  int result = 0;
1245  Signature *s = NULL;
1246  ThreadVars th_v;
1247  Packet *p = NULL;
1248  Flow f;
1249  TcpSession ssn;
1250  DetectEngineThreadCtx *det_ctx = NULL;
1251  DetectEngineCtx *de_ctx = NULL;
1252  DCERPCState *dcerpc_state = NULL;
1253  int r = 0;
1254 
1255  uint8_t dcerpc_bind[] = {
1256  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1257  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1258  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1259  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1260  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1261  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1262  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1263  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1264  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1265  };
1266 
1267  uint8_t dcerpc_bindack[] = {
1268  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1269  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1270  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1271  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1272  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1273  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1274  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1275  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1276  0x02, 0x00, 0x00, 0x00,
1277  };
1278 
1279  uint8_t dcerpc_request1[] = {
1280  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1281  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1282  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1283  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1284  0x00, 0x00, 0x00, 0x02,
1285  };
1286 
1287  uint8_t dcerpc_response1[] = {
1288  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1289  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1290  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1292  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1293  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1294  };
1295 
1296  uint8_t dcerpc_request2[] = {
1297  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1298  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1299  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1300  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1301  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1302  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1303  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1304  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1305  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1306  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1307  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1308  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1309  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1310  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1311  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1312  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1313  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1314  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1315  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1316  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1317  0x03, 0x00, 0x00, 0x00,
1318  };
1319 
1320  uint8_t dcerpc_response2[] = {
1321  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1322  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1323  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1324  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1325  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1326  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1327  };
1328 
1329  uint8_t dcerpc_request3[] = {
1330  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1331  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1332  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1333  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1334  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1335  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1336  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1337  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1338  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1339  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1340  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1341  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1342  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1343  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1344  };
1345 
1346  uint8_t dcerpc_response3[] = {
1347  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1348  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1349  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1350  0x00, 0x00, 0x00, 0x00,
1351  };
1352 
1353  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1354  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1355 
1356  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1357  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1358 
1359  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1360  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1361 
1362  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1363  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1364 
1365  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1366 
1367  memset(&th_v, 0, sizeof(th_v));
1368  memset(&f, 0, sizeof(f));
1369  memset(&ssn, 0, sizeof(ssn));
1370 
1371  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1372 
1373  FLOW_INITIALIZE(&f);
1374  f.protoctx = (void *)&ssn;
1375  f.proto = IPPROTO_TCP;
1376  p->flow = &f;
1377  p->flowflags |= FLOW_PKT_TOSERVER;
1378  p->flowflags |= FLOW_PKT_ESTABLISHED;
1379  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1380  f.alproto = ALPROTO_DCERPC;
1381 
1382  StreamTcpInitConfig(true);
1383 
1384  de_ctx = DetectEngineCtxInit();
1385  if (de_ctx == NULL)
1386  goto end;
1387 
1388  de_ctx->flags |= DE_QUIET;
1389 
1390  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1391  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1392  if (s == NULL)
1393  goto end;
1394  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1395  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1396  if (s == NULL)
1397  goto end;
1398  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1399  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1400  if (s == NULL)
1401  goto end;
1402 
1403  SigGroupBuild(de_ctx);
1404  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1405 
1406  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1407  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1408  dcerpc_bind_len);
1409  if (r != 0) {
1410  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1411  goto end;
1412  }
1413  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1414  p->flowflags |= FLOW_PKT_TOSERVER;
1415  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1416 
1417  dcerpc_state = f.alstate;
1418  if (dcerpc_state == NULL) {
1419  SCLogDebug("no dcerpc state: ");
1420  goto end;
1421  }
1422 
1423  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1424  STREAM_TOCLIENT, dcerpc_bindack,
1425  dcerpc_bindack_len);
1426  if (r != 0) {
1427  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1428  goto end;
1429  }
1430  p->flowflags &=~ FLOW_PKT_TOSERVER;
1431  p->flowflags |= FLOW_PKT_TOCLIENT;
1432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1433 
1434  /* request1 */
1435  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1436  STREAM_TOSERVER, dcerpc_request1,
1437  dcerpc_request1_len);
1438  if (r != 0) {
1439  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1440  goto end;
1441  }
1442 
1443  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1444  p->flowflags |= FLOW_PKT_TOSERVER;
1445  /* do detect */
1446  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1447 
1448  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1449  goto end;
1450 
1451  /* response1 */
1452  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1453  STREAM_TOCLIENT, dcerpc_response1,
1454  dcerpc_response1_len);
1455  if (r != 0) {
1456  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1457  goto end;
1458  }
1459 
1460  p->flowflags &=~ FLOW_PKT_TOSERVER;
1461  p->flowflags |= FLOW_PKT_TOCLIENT;
1462  /* do detect */
1463  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1464 
1465  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1466  goto end;
1467 
1468  /* request2 */
1469  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1470  STREAM_TOSERVER, dcerpc_request2,
1471  dcerpc_request2_len);
1472  if (r != 0) {
1473  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1474  goto end;
1475  }
1476 
1477  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1478  p->flowflags |= FLOW_PKT_TOSERVER;
1479  /* do detect */
1480  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1481 
1482  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1483  goto end;
1484 
1485  /* response2 */
1486  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1487  STREAM_TOCLIENT, dcerpc_response2,
1488  dcerpc_response2_len);
1489  if (r != 0) {
1490  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1491  goto end;
1492  }
1493 
1494  p->flowflags &=~ FLOW_PKT_TOSERVER;
1495  p->flowflags |= FLOW_PKT_TOCLIENT;
1496  /* do detect */
1497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1498 
1499  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1500  goto end;
1501  /* request3 */
1502  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1503  STREAM_TOSERVER, dcerpc_request3,
1504  dcerpc_request3_len);
1505  if (r != 0) {
1506  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1507  goto end;
1508  }
1509 
1510  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1511  p->flowflags |= FLOW_PKT_TOSERVER;
1512  /* do detect */
1513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1514 
1515  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1516  goto end;
1517 
1518  /* response3 */
1519  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1520  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1521  dcerpc_response3_len);
1522  if (r != 0) {
1523  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1524  goto end;
1525  }
1526 
1527  p->flowflags &=~ FLOW_PKT_TOSERVER;
1528  p->flowflags |= FLOW_PKT_TOCLIENT;
1529  /* do detect */
1530  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1531 
1532  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1533  goto end;
1534 
1535  result = 1;
1536 
1537  end:
1538  if (alp_tctx != NULL)
1539  AppLayerParserThreadCtxFree(alp_tctx);
1540  SigGroupCleanup(de_ctx);
1541  SigCleanSignatures(de_ctx);
1542 
1543  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1544  DetectEngineCtxFree(de_ctx);
1545 
1546  StreamTcpFreeConfig(true);
1547  FLOW_DESTROY(&f);
1548 
1549  UTHFreePackets(&p, 1);
1550  return result;
1551 }
1552 
1553 static int DetectDceStubDataTestParse05(void)
1554 {
1555  int result = 0;
1556  Signature *s = NULL;
1557  ThreadVars th_v;
1558  Packet *p = NULL;
1559  Flow f;
1560  TcpSession ssn;
1561  DetectEngineThreadCtx *det_ctx = NULL;
1562  DetectEngineCtx *de_ctx = NULL;
1563  DCERPCState *dcerpc_state = NULL;
1564  int r = 0;
1565 
1566  uint8_t dcerpc_request1[] = {
1567  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1568  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1569  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1570  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1571  0x00, 0x00, 0x00, 0x02,
1572  };
1573 
1574  uint8_t dcerpc_response1[] = {
1575  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1576  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1577  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1578  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1579  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1580  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1581  };
1582 
1583  uint8_t dcerpc_request2[] = {
1584  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1585  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1586  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1587  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1588  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1589  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1590  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1591  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1592  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1593  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1594  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1595  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1596  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1597  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1598  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1599  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1600  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1601  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1602  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1603  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1604  0x03, 0x00, 0x00, 0x00,
1605  };
1606 
1607  uint8_t dcerpc_response2[] = {
1608  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1609  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1610  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1611  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1612  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1613  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1614  };
1615 
1616  uint8_t dcerpc_request3[] = {
1617  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1618  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1619  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1620  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1621  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1622  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1623  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1624  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1625  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1626  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1627  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1628  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1629  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1630  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1631  };
1632 
1633  uint8_t dcerpc_response3[] = {
1634  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1635  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1636  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637  0x00, 0x00, 0x00, 0x00,
1638  };
1639 
1640  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1641  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1642 
1643  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1644  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1645 
1646  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1647  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1648 
1649  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1650 
1651  memset(&th_v, 0, sizeof(th_v));
1652  memset(&f, 0, sizeof(f));
1653  memset(&ssn, 0, sizeof(ssn));
1654 
1655  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1656 
1657  FLOW_INITIALIZE(&f);
1658  f.protoctx = (void *)&ssn;
1659  f.proto = IPPROTO_TCP;
1660  p->flow = &f;
1661  p->flowflags |= FLOW_PKT_TOSERVER;
1662  p->flowflags |= FLOW_PKT_ESTABLISHED;
1663  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1664  f.alproto = ALPROTO_DCERPC;
1665 
1666  StreamTcpInitConfig(true);
1667 
1668  de_ctx = DetectEngineCtxInit();
1669  if (de_ctx == NULL)
1670  goto end;
1671 
1672  de_ctx->flags |= DE_QUIET;
1673 
1674  s = de_ctx->sig_list = SigInit(de_ctx,
1675  "alert tcp any any -> any any "
1676  "(msg:\"DCERPC\"; "
1677  "dce_stub_data; content:\"|00 02|\"; "
1678  "sid:1;)");
1679  if (s == NULL)
1680  goto end;
1681  s = de_ctx->sig_list->next = SigInit(de_ctx,
1682  "alert tcp any any -> any any "
1683  "(msg:\"DCERPC\"; "
1684  "dce_stub_data; content:\"|00 75|\"; "
1685  "sid:2;)");
1686  if (s == NULL)
1687  goto end;
1688  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1689  "alert tcp any any -> any any "
1690  "(msg:\"DCERPC\"; "
1691  "dce_stub_data; content:\"|00 18|\"; "
1692  "sid:3;)");
1693  if (s == NULL)
1694  goto end;
1695 
1696  SigGroupBuild(de_ctx);
1697  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1698 
1699  /* request1 */
1700  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1701  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1702  dcerpc_request1_len);
1703  if (r != 0) {
1704  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1705  goto end;
1706  }
1707 
1708  dcerpc_state = f.alstate;
1709  if (dcerpc_state == NULL) {
1710  SCLogDebug("no dcerpc state: ");
1711  goto end;
1712  }
1713 
1714  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1715  p->flowflags |= FLOW_PKT_TOSERVER;
1716  /* do detect */
1717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1718 
1719  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1720  goto end;
1721 
1722  /* response1 */
1723  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1724  STREAM_TOCLIENT, dcerpc_response1,
1725  dcerpc_response1_len);
1726  if (r != 0) {
1727  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1728  goto end;
1729  }
1730 
1731  p->flowflags &=~ FLOW_PKT_TOSERVER;
1732  p->flowflags |= FLOW_PKT_TOCLIENT;
1733  /* do detect */
1734  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1735 
1736  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1737  goto end;
1738 
1739  /* request2 */
1740  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1741  STREAM_TOSERVER, dcerpc_request2,
1742  dcerpc_request2_len);
1743  if (r != 0) {
1744  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1745  goto end;
1746  }
1747 
1748  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1749  p->flowflags |= FLOW_PKT_TOSERVER;
1750  /* do detect */
1751  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1752 
1753  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1754  goto end;
1755 
1756  /* response2 */
1757  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1758  STREAM_TOCLIENT, dcerpc_response2,
1759  dcerpc_response2_len);
1760  if (r != 0) {
1761  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1762  goto end;
1763  }
1764 
1765  p->flowflags &=~ FLOW_PKT_TOSERVER;
1766  p->flowflags |= FLOW_PKT_TOCLIENT;
1767  /* do detect */
1768  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1769 
1770  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1771  goto end;
1772 
1773  /* request3 */
1774  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1775  STREAM_TOSERVER, dcerpc_request3,
1776  dcerpc_request3_len);
1777  if (r != 0) {
1778  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1779  goto end;
1780  }
1781 
1782  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1783  p->flowflags |= FLOW_PKT_TOSERVER;
1784  /* do detect */
1785  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1786 
1787  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1788  goto end;
1789 
1790  /* response3 */
1791  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1792  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1793  dcerpc_response3_len);
1794  if (r != 0) {
1795  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1796  goto end;
1797  }
1798 
1799  p->flowflags &=~ FLOW_PKT_TOSERVER;
1800  p->flowflags |= FLOW_PKT_TOCLIENT;
1801  /* do detect */
1802  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1803 
1804  if (PacketAlertCheck(p, 1))
1805  goto end;
1806 
1807  result = 1;
1808 
1809  end:
1810  if (alp_tctx != NULL)
1811  AppLayerParserThreadCtxFree(alp_tctx);
1812 
1813  SigGroupCleanup(de_ctx);
1814  SigCleanSignatures(de_ctx);
1815 
1816  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1817  DetectEngineCtxFree(de_ctx);
1818 
1819  StreamTcpFreeConfig(true);
1820  FLOW_DESTROY(&f);
1821 
1822  UTHFreePackets(&p, 1);
1823  return result;
1824 }
1825 
1826 // invalid signature because of invalid protocol
1827 static int DetectDceStubDataTestParse06(void)
1828 {
1829  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1830  FAIL_IF_NULL(de_ctx);
1831  de_ctx->flags = DE_QUIET;
1832  Signature *s = DetectEngineAppendSig(de_ctx,
1833  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1834  FAIL_IF_NOT_NULL(s);
1835  DetectEngineCtxFree(de_ctx);
1836  PASS;
1837 }
1838 
1839 static void DetectDceStubDataRegisterTests(void)
1840 {
1841  UtRegisterTest("DetectDceStubDataTestParse02",
1842  DetectDceStubDataTestParse02);
1843  UtRegisterTest("DetectDceStubDataTestParse03",
1844  DetectDceStubDataTestParse03);
1845  UtRegisterTest("DetectDceStubDataTestParse04",
1846  DetectDceStubDataTestParse04);
1847  UtRegisterTest("DetectDceStubDataTestParse05",
1848  DetectDceStubDataTestParse05);
1849  UtRegisterTest("DetectDceStubDataTestParse06",
1850  DetectDceStubDataTestParse06);
1851 }
1852 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:117
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1737
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1512
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1264
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2154
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1304
InspectionBuffer::initialized
bool initialized
Definition: detect.h:377
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:408
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:378
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1356
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:373
Packet_::flags
uint32_t flags
Definition: decode.h:510
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1298
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:378
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:504
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:268
Flow_::protoctx
void * protoctx
Definition: flow.h:446
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1289
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:45
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1500
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1093
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:673
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:267
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:750
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:151
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2211
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:214
Packet_
Definition: decode.h:473
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:512
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
SigTableElmt_::alias
const char * alias
Definition: detect.h:1305
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
suricata-common.h
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1711
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3574
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1595
Flow_::alstate
void * alstate
Definition: flow.h:481
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1488
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:240
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:44
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1261
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1296
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450