suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "queue.h"
44 #include "stream-tcp-reassemble.h"
45 
46 #include "detect-dce-stub-data.h"
47 #include "detect-dce-iface.h"
48 
49 #include "util-debug.h"
50 
51 #include "util-unittest.h"
52 #include "util-unittest-helper.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "rust.h"
57 
58 #define BUFFER_NAME "dce_stub_data"
59 #define KEYWORD_NAME "dce_stub_data"
60 
61 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
62 #ifdef UNITTESTS
63 static void DetectDceStubDataRegisterTests(void);
64 #endif
65 static int g_dce_stub_data_buffer_id = 0;
66 
67 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
68  const DetectEngineTransforms *transforms,
69  Flow *_f, const uint8_t flow_flags,
70  void *txv, const int list_id)
71 {
72  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
73  if (buffer->inspect == NULL) {
74  uint32_t data_len = 0;
75  const uint8_t *data = NULL;
76  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
77  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
78  return NULL;
79  SCLogDebug("have data!");
80 
81  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
82  InspectionBufferApplyTransforms(buffer, transforms);
83  }
84  return buffer;
85 }
86 
87 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
88  const DetectEngineTransforms *transforms,
89  Flow *_f, const uint8_t flow_flags,
90  void *txv, const int list_id)
91 {
92  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
93  if (buffer->inspect == NULL) {
94  uint32_t data_len = 0;
95  const uint8_t *data = NULL;
96  uint8_t endianness;
97 
98  rs_dcerpc_get_stub_data(txv, &data, &data_len, &endianness, flow_flags);
99  if (data == NULL || data_len == 0)
100  return NULL;
101 
102  if (endianness > 0) {
103  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
104  } else {
105  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
106  }
107  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
108  InspectionBufferApplyTransforms(buffer, transforms);
109  }
110  return buffer;
111 }
112 
113 /**
114  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
115  */
116 void DetectDceStubDataRegister(void)
117 {
118  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
119  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
120  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
121 #ifdef UNITTESTS
122  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
123 #endif
124  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
125 
126  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
127  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
128  DetectEngineInspectBufferGeneric,
129  GetSMBData);
130  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
131  PrefilterGenericMpmRegister, GetSMBData,
132  ALPROTO_SMB, 0);
133  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
134  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
135  DetectEngineInspectBufferGeneric,
136  GetSMBData);
137  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
138  PrefilterGenericMpmRegister, GetSMBData,
139  ALPROTO_SMB, 0);
140 
141  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
142  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
143  DetectEngineInspectBufferGeneric,
144  GetDCEData);
145  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
146  PrefilterGenericMpmRegister, GetDCEData,
147  ALPROTO_DCERPC, 0);
148  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
149  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
150  DetectEngineInspectBufferGeneric,
151  GetDCEData);
152  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
153  PrefilterGenericMpmRegister, GetDCEData,
154  ALPROTO_DCERPC, 0);
155 
156  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
157 }
158 
159 /**
160  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
161  * and appends it to the Signature(s).
162  *
163  * \param de_ctx Pointer to the detection engine context
164  * \param s Pointer to signature for the current Signature being parsed
165  * from the rules
166  * \param arg Pointer to the string holding the keyword value
167  *
168  * \retval 0 on success, -1 on failure
169  */
170 
171 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
172 {
173  if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
174  s->alproto != ALPROTO_SMB) {
175  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
176  return -1;
177  }
178  if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
179  return -1;
180 
181  s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
182  return 0;
183 }
184 
185 /************************************Unittests*********************************/
186 
187 #ifdef UNITTESTS
188 
189 static int DetectDceStubDataTestParse01(void)
190 {
191  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
192  FAIL_IF_NULL(de_ctx);
193  de_ctx->flags = DE_QUIET;
194  Signature *s = DetectEngineAppendSig(de_ctx,
195  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
196  FAIL_IF_NULL(s);
197  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
198  DetectEngineCtxFree(de_ctx);
199  PASS;
200 }
201 
202 /**
203  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
204  */
205 static int DetectDceStubDataTestParse02(void)
206 {
207  int result = 0;
208  Signature *s = NULL;
209  ThreadVars th_v;
210  Packet *p = NULL;
211  Flow f;
212  TcpSession ssn;
213  DetectEngineThreadCtx *det_ctx = NULL;
214  DetectEngineCtx *de_ctx = NULL;
215  DCERPCState *dcerpc_state = NULL;
216  int r = 0;
217 
218  uint8_t dcerpc_bind[] = {
219  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
220  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
221  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
222  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
223  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
224  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
225  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
226  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
227  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
228  };
229 
230  uint8_t dcerpc_bindack[] = {
231  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
232  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
233  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
234  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
235  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
236  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
238  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
239  0x02, 0x00, 0x00, 0x00
240  };
241 
242  /* todo chop the request frag length and change the
243  * length related parameters in the frag */
244  uint8_t dcerpc_request[] = {
245  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
246  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
247  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
248  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
249  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
250  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
251  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
252  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
253  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
254  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
255  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
256  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
257  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
258  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
259  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
260  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
261  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
262  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
263  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
264  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
265  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
266  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
267  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
268  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
269  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
270  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
271  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
272  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
273  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
274  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
275  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
276  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
277  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
278  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
279  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
280  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
281  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
282  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
283  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
284  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
285  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
286  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
287  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
288  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
289  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
290  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
291  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
292  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
293  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
294  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
295  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
296  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
297  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
298  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
299  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
300  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
301  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
302  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
303  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
304  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
305  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
306  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
307  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
308  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
309  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
310  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
311  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
312  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
313  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
314  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
315  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
316  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
317  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
318  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
319  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
320  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
321  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
322  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
323  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
324  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
325  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
326  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
327  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
328  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
492  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
493  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
494  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
495  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
496  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
497  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
499  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
500  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
501  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
502  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
503  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
504  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
505  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
506  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
507  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
508  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
509  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
510  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
511  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
512  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
513  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
514  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
515  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
516  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
517  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
518  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
519  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
520  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
521  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
522  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
523  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
524  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
525  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
526  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
592  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
657  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
658  0x01, 0x02, 0x03, 0x04
659  };
660 
661  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
662  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
663  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
664  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
665 
666  memset(&th_v, 0, sizeof(th_v));
667  memset(&f, 0, sizeof(f));
668  memset(&ssn, 0, sizeof(ssn));
669 
670  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
671 
672  FLOW_INITIALIZE(&f);
673  f.protoctx = (void *)&ssn;
674  f.proto = IPPROTO_TCP;
675  p->flow = &f;
676  p->flowflags |= FLOW_PKT_TOSERVER;
677  p->flowflags |= FLOW_PKT_ESTABLISHED;
678  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
679  f.alproto = ALPROTO_DCERPC;
680 
681  StreamTcpInitConfig(true);
682 
683  de_ctx = DetectEngineCtxInit();
684  if (de_ctx == NULL)
685  goto end;
686 
687  de_ctx->flags |= DE_QUIET;
688 
689  s = de_ctx->sig_list = SigInit(de_ctx,
690  "alert tcp any any -> any any "
691  "(msg:\"DCERPC\"; "
692  "dce_stub_data; content:\"|42 42 42 42|\";"
693  "sid:1;)");
694  if (s == NULL)
695  goto end;
696 
697  SigGroupBuild(de_ctx);
698  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
699 
700  FLOWLOCK_WRLOCK(&f);
701  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
702  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
703  dcerpc_bind_len);
704  if (r != 0) {
705  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
706  FLOWLOCK_UNLOCK(&f);
707  goto end;
708  }
709  FLOWLOCK_UNLOCK(&f);
710 
711  dcerpc_state = f.alstate;
712  if (dcerpc_state == NULL) {
713  SCLogDebug("no dcerpc state: ");
714  goto end;
715  }
716 
717  p->flowflags &=~ FLOW_PKT_TOCLIENT;
718  p->flowflags |= FLOW_PKT_TOSERVER;
719  /* do detect */
720  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
721 
722  /* we shouldn't have any stub data */
723  if (PacketAlertCheck(p, 1))
724  goto end;
725 
726  /* do detect */
727  FLOWLOCK_WRLOCK(&f);
728  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
729  STREAM_TOCLIENT, dcerpc_bindack,
730  dcerpc_bindack_len);
731  if (r != 0) {
732  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
733  FLOWLOCK_UNLOCK(&f);
734  goto end;
735  }
736  FLOWLOCK_UNLOCK(&f);
737 
738  p->flowflags &=~ FLOW_PKT_TOSERVER;
739  p->flowflags |= FLOW_PKT_TOCLIENT;
740  /* do detect */
741  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
742 
743  /* we shouldn't have any stub data */
744  if (PacketAlertCheck(p, 1))
745  goto end;
746 
747  FLOWLOCK_WRLOCK(&f);
748  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
749  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
750  dcerpc_request_len);
751  if (r != 0) {
752  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
753  FLOWLOCK_UNLOCK(&f);
754  goto end;
755  }
756  FLOWLOCK_UNLOCK(&f);
757 
758  p->flowflags &=~ FLOW_PKT_TOCLIENT;
759  p->flowflags |= FLOW_PKT_TOSERVER;
760  /* do detect */
761  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
762 
763  /* we should have the stub data since we previously parsed a request frag */
764  if (!PacketAlertCheck(p, 1))
765  goto end;
766 
767  result = 1;
768 
769  end:
770  if (alp_tctx != NULL)
771  AppLayerParserThreadCtxFree(alp_tctx);
772  SigGroupCleanup(de_ctx);
773  SigCleanSignatures(de_ctx);
774 
775  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
776  DetectEngineCtxFree(de_ctx);
777 
778  StreamTcpFreeConfig(true);
779  FLOW_DESTROY(&f);
780 
781  UTHFreePackets(&p, 1);
782  return result;
783 }
784 
785 /**
786  * \test Test a valid dce_stub_data with just a request frag.
787  */
788 static int DetectDceStubDataTestParse03(void)
789 {
790  Signature *s = NULL;
791  ThreadVars th_v;
792  Packet *p = NULL;
793  Flow f;
794  TcpSession ssn;
795  DetectEngineThreadCtx *det_ctx = NULL;
796  DetectEngineCtx *de_ctx = NULL;
797  DCERPCState *dcerpc_state = NULL;
798  int r = 0;
799 
800  /* todo chop the request frag length and change the
801  * length related parameters in the frag */
802  uint8_t dcerpc_request[] = {
803  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
804  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
805  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
806  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
807  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
808  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
809  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
810  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
811  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
812  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
813  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
814  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
815  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
816  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
817  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
818  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
819  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
820  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
821  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
822  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
823  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
824  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
825  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
826  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
827  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
828  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
829  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
830  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
831  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
832  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
833  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
834  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
835  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
836  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
837  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
838  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
839  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
840  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
841  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
842  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
843  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
844  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
845  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
846  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
847  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
848  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
849  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
850  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
851  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
852  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
853  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
854  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
855  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
856  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
857  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
858  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
859  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
860  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
861  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
862  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
863  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
864  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
865  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
866  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
867  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
868  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
869  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
870  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
871  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
872  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
873  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
874  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
875  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
876  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
877  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
878  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
879  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
880  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
881  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
882  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
883  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
884  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
885  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
886  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1050  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1051  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1052  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1053  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1054  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1055  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1056  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1057  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1058  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1059  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1060  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1061  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1062  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1063  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1064  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1065  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1066  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1067  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1068  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1069  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1070  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1071  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1072  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1073  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1074  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1075  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1076  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1077  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1078  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1079  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1080  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1081  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1082  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1083  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1084  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1142  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1143  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1144  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1145  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1146  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1147  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1148  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1149  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1150  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1184  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1185  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1186  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1187  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1188  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1189  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1190  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1191  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1192  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1193  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1194  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1195  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1196  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1197  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1198  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1199  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1200  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1201  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1202  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1203  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1204  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1205  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1206  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1207  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1208  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1209  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1210  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1211  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1212  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1213  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1214  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1215  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1216  0x01, 0x02, 0x03, 0x04
1217  };
1218 
1219  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1220 
1221  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1222 
1223  memset(&th_v, 0, sizeof(th_v));
1224  memset(&f, 0, sizeof(f));
1225  memset(&ssn, 0, sizeof(ssn));
1226 
1227  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1228 
1229  FLOW_INITIALIZE(&f);
1230  f.protoctx = (void *)&ssn;
1231  f.proto = IPPROTO_TCP;
1232  p->flow = &f;
1233  p->flowflags |= FLOW_PKT_TOSERVER;
1234  p->flowflags |= FLOW_PKT_ESTABLISHED;
1235  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1236  f.alproto = ALPROTO_DCERPC;
1237 
1238  StreamTcpInitConfig(true);
1239 
1240  de_ctx = DetectEngineCtxInit();
1241  FAIL_IF(de_ctx == NULL);
1242 
1243  de_ctx->flags |= DE_QUIET;
1244 
1245  s = de_ctx->sig_list = SigInit(de_ctx,
1246  "alert tcp any any -> any any "
1247  "(msg:\"DCERPC\"; "
1248  "dce_stub_data; content:\"|42 42 42 42|\";"
1249  "sid:1;)");
1250  FAIL_IF(s == NULL);
1251 
1252  SigGroupBuild(de_ctx);
1253  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1254 
1255  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1256  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1257  dcerpc_request_len);
1258  FAIL_IF(r != 0);
1259 
1260  dcerpc_state = f.alstate;
1261  FAIL_IF (dcerpc_state == NULL);
1262 
1263  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1264  p->flowflags |= FLOW_PKT_TOSERVER;
1265  /* do detect */
1266  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1267  FAIL_IF(!PacketAlertCheck(p, 1));
1268 
1269  if (alp_tctx != NULL)
1270  AppLayerParserThreadCtxFree(alp_tctx);
1271  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1272  DetectEngineCtxFree(de_ctx);
1273  StreamTcpFreeConfig(true);
1274  FLOW_DESTROY(&f);
1275 
1276  UTHFreePackets(&p, 1);
1277  PASS;
1278 }
1279 
1280 static int DetectDceStubDataTestParse04(void)
1281 {
1282  int result = 0;
1283  Signature *s = NULL;
1284  ThreadVars th_v;
1285  Packet *p = NULL;
1286  Flow f;
1287  TcpSession ssn;
1288  DetectEngineThreadCtx *det_ctx = NULL;
1289  DetectEngineCtx *de_ctx = NULL;
1290  DCERPCState *dcerpc_state = NULL;
1291  int r = 0;
1292 
1293  uint8_t dcerpc_bind[] = {
1294  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1295  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1296  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1297  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1298  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1299  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1300  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1301  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1302  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1303  };
1304 
1305  uint8_t dcerpc_bindack[] = {
1306  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1307  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1308  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1309  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1310  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1311  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1312  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1313  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1314  0x02, 0x00, 0x00, 0x00,
1315  };
1316 
1317  uint8_t dcerpc_request1[] = {
1318  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1319  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1320  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1321  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1322  0x00, 0x00, 0x00, 0x02,
1323  };
1324 
1325  uint8_t dcerpc_response1[] = {
1326  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1327  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1328  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1329  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1330  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1331  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1332  };
1333 
1334  uint8_t dcerpc_request2[] = {
1335  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1336  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1337  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1338  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1339  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1340  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1341  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1342  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1343  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1344  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1345  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1346  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1347  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1348  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1349  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1350  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1351  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1352  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1353  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1354  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1355  0x03, 0x00, 0x00, 0x00,
1356  };
1357 
1358  uint8_t dcerpc_response2[] = {
1359  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1360  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1361  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1362  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1363  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1364  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1365  };
1366 
1367  uint8_t dcerpc_request3[] = {
1368  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1369  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1370  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1371  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1372  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1373  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1374  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1375  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1376  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1377  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1378  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1379  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1380  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1381  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1382  };
1383 
1384  uint8_t dcerpc_response3[] = {
1385  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1386  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1387  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1388  0x00, 0x00, 0x00, 0x00,
1389  };
1390 
1391  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1392  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1393 
1394  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1395  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1396 
1397  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1398  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1399 
1400  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1401  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1402 
1403  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1404 
1405  memset(&th_v, 0, sizeof(th_v));
1406  memset(&f, 0, sizeof(f));
1407  memset(&ssn, 0, sizeof(ssn));
1408 
1409  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1410 
1411  FLOW_INITIALIZE(&f);
1412  f.protoctx = (void *)&ssn;
1413  f.proto = IPPROTO_TCP;
1414  p->flow = &f;
1415  p->flowflags |= FLOW_PKT_TOSERVER;
1416  p->flowflags |= FLOW_PKT_ESTABLISHED;
1417  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1418  f.alproto = ALPROTO_DCERPC;
1419 
1420  StreamTcpInitConfig(true);
1421 
1422  de_ctx = DetectEngineCtxInit();
1423  if (de_ctx == NULL)
1424  goto end;
1425 
1426  de_ctx->flags |= DE_QUIET;
1427 
1428  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1429  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1430  if (s == NULL)
1431  goto end;
1432  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1433  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1434  if (s == NULL)
1435  goto end;
1436  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1437  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1438  if (s == NULL)
1439  goto end;
1440 
1441  SigGroupBuild(de_ctx);
1442  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1443 
1444  FLOWLOCK_WRLOCK(&f);
1445  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1446  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1447  dcerpc_bind_len);
1448  if (r != 0) {
1449  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1450  FLOWLOCK_UNLOCK(&f);
1451  goto end;
1452  }
1453  FLOWLOCK_UNLOCK(&f);
1454  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1455  p->flowflags |= FLOW_PKT_TOSERVER;
1456  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1457 
1458  dcerpc_state = f.alstate;
1459  if (dcerpc_state == NULL) {
1460  SCLogDebug("no dcerpc state: ");
1461  goto end;
1462  }
1463 
1464  FLOWLOCK_WRLOCK(&f);
1465  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1466  STREAM_TOCLIENT, dcerpc_bindack,
1467  dcerpc_bindack_len);
1468  if (r != 0) {
1469  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1470  FLOWLOCK_UNLOCK(&f);
1471  goto end;
1472  }
1473  FLOWLOCK_UNLOCK(&f);
1474  p->flowflags &=~ FLOW_PKT_TOSERVER;
1475  p->flowflags |= FLOW_PKT_TOCLIENT;
1476  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1477 
1478  /* request1 */
1479  FLOWLOCK_WRLOCK(&f);
1480  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1481  STREAM_TOSERVER, dcerpc_request1,
1482  dcerpc_request1_len);
1483  if (r != 0) {
1484  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1485  FLOWLOCK_UNLOCK(&f);
1486  goto end;
1487  }
1488  FLOWLOCK_UNLOCK(&f);
1489 
1490  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1491  p->flowflags |= FLOW_PKT_TOSERVER;
1492  /* do detect */
1493  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1494 
1495  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1496  goto end;
1497 
1498  /* response1 */
1499  FLOWLOCK_WRLOCK(&f);
1500  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1501  STREAM_TOCLIENT, dcerpc_response1,
1502  dcerpc_response1_len);
1503  if (r != 0) {
1504  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1505  FLOWLOCK_UNLOCK(&f);
1506  goto end;
1507  }
1508  FLOWLOCK_UNLOCK(&f);
1509 
1510  p->flowflags &=~ FLOW_PKT_TOSERVER;
1511  p->flowflags |= FLOW_PKT_TOCLIENT;
1512  /* do detect */
1513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1514 
1515  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1516  goto end;
1517 
1518  /* request2 */
1519  FLOWLOCK_WRLOCK(&f);
1520  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1521  STREAM_TOSERVER, dcerpc_request2,
1522  dcerpc_request2_len);
1523  if (r != 0) {
1524  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1525  FLOWLOCK_UNLOCK(&f);
1526  goto end;
1527  }
1528  FLOWLOCK_UNLOCK(&f);
1529 
1530  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1531  p->flowflags |= FLOW_PKT_TOSERVER;
1532  /* do detect */
1533  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1534 
1535  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1536  goto end;
1537 
1538  /* response2 */
1539  FLOWLOCK_WRLOCK(&f);
1540  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1541  STREAM_TOCLIENT, dcerpc_response2,
1542  dcerpc_response2_len);
1543  if (r != 0) {
1544  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1545  FLOWLOCK_UNLOCK(&f);
1546  goto end;
1547  }
1548  FLOWLOCK_UNLOCK(&f);
1549 
1550  p->flowflags &=~ FLOW_PKT_TOSERVER;
1551  p->flowflags |= FLOW_PKT_TOCLIENT;
1552  /* do detect */
1553  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1554 
1555  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1556  goto end;
1557  /* request3 */
1558  FLOWLOCK_WRLOCK(&f);
1559  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1560  STREAM_TOSERVER, dcerpc_request3,
1561  dcerpc_request3_len);
1562  if (r != 0) {
1563  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1564  FLOWLOCK_UNLOCK(&f);
1565  goto end;
1566  }
1567  FLOWLOCK_UNLOCK(&f);
1568 
1569  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1570  p->flowflags |= FLOW_PKT_TOSERVER;
1571  /* do detect */
1572  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1573 
1574  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1575  goto end;
1576 
1577  /* response3 */
1578  FLOWLOCK_WRLOCK(&f);
1579  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1580  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1581  dcerpc_response3_len);
1582  if (r != 0) {
1583  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1584  FLOWLOCK_UNLOCK(&f);
1585  goto end;
1586  }
1587  FLOWLOCK_UNLOCK(&f);
1588 
1589  p->flowflags &=~ FLOW_PKT_TOSERVER;
1590  p->flowflags |= FLOW_PKT_TOCLIENT;
1591  /* do detect */
1592  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1593 
1594  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1595  goto end;
1596 
1597  result = 1;
1598 
1599  end:
1600  if (alp_tctx != NULL)
1601  AppLayerParserThreadCtxFree(alp_tctx);
1602  SigGroupCleanup(de_ctx);
1603  SigCleanSignatures(de_ctx);
1604 
1605  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1606  DetectEngineCtxFree(de_ctx);
1607 
1608  StreamTcpFreeConfig(true);
1609  FLOW_DESTROY(&f);
1610 
1611  UTHFreePackets(&p, 1);
1612  return result;
1613 }
1614 
1615 static int DetectDceStubDataTestParse05(void)
1616 {
1617  int result = 0;
1618  Signature *s = NULL;
1619  ThreadVars th_v;
1620  Packet *p = NULL;
1621  Flow f;
1622  TcpSession ssn;
1623  DetectEngineThreadCtx *det_ctx = NULL;
1624  DetectEngineCtx *de_ctx = NULL;
1625  DCERPCState *dcerpc_state = NULL;
1626  int r = 0;
1627 
1628  uint8_t dcerpc_request1[] = {
1629  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1630  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1631  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1632  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1633  0x00, 0x00, 0x00, 0x02,
1634  };
1635 
1636  uint8_t dcerpc_response1[] = {
1637  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1638  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1639  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1640  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1641  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1642  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1643  };
1644 
1645  uint8_t dcerpc_request2[] = {
1646  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1647  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1648  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1649  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1650  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1651  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1652  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1653  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1654  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1655  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1656  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1657  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1658  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1659  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1660  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1661  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1662  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1663  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1664  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1665  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1666  0x03, 0x00, 0x00, 0x00,
1667  };
1668 
1669  uint8_t dcerpc_response2[] = {
1670  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1671  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1672  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1673  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1674  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1675  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1676  };
1677 
1678  uint8_t dcerpc_request3[] = {
1679  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1680  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1681  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1682  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1683  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1684  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1685  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1686  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1687  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1688  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1689  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1690  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1691  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1692  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1693  };
1694 
1695  uint8_t dcerpc_response3[] = {
1696  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1697  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1698  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1699  0x00, 0x00, 0x00, 0x00,
1700  };
1701 
1702  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1703  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1704 
1705  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1706  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1707 
1708  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1709  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1710 
1711  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1712 
1713  memset(&th_v, 0, sizeof(th_v));
1714  memset(&f, 0, sizeof(f));
1715  memset(&ssn, 0, sizeof(ssn));
1716 
1717  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1718 
1719  FLOW_INITIALIZE(&f);
1720  f.protoctx = (void *)&ssn;
1721  f.proto = IPPROTO_TCP;
1722  p->flow = &f;
1723  p->flowflags |= FLOW_PKT_TOSERVER;
1724  p->flowflags |= FLOW_PKT_ESTABLISHED;
1725  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1726  f.alproto = ALPROTO_DCERPC;
1727 
1728  StreamTcpInitConfig(true);
1729 
1730  de_ctx = DetectEngineCtxInit();
1731  if (de_ctx == NULL)
1732  goto end;
1733 
1734  de_ctx->flags |= DE_QUIET;
1735 
1736  s = de_ctx->sig_list = SigInit(de_ctx,
1737  "alert tcp any any -> any any "
1738  "(msg:\"DCERPC\"; "
1739  "dce_stub_data; content:\"|00 02|\"; "
1740  "sid:1;)");
1741  if (s == NULL)
1742  goto end;
1743  s = de_ctx->sig_list->next = SigInit(de_ctx,
1744  "alert tcp any any -> any any "
1745  "(msg:\"DCERPC\"; "
1746  "dce_stub_data; content:\"|00 75|\"; "
1747  "sid:2;)");
1748  if (s == NULL)
1749  goto end;
1750  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1751  "alert tcp any any -> any any "
1752  "(msg:\"DCERPC\"; "
1753  "dce_stub_data; content:\"|00 18|\"; "
1754  "sid:3;)");
1755  if (s == NULL)
1756  goto end;
1757 
1758  SigGroupBuild(de_ctx);
1759  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1760 
1761  /* request1 */
1762  FLOWLOCK_WRLOCK(&f);
1763  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1764  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1765  dcerpc_request1_len);
1766  if (r != 0) {
1767  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1768  FLOWLOCK_UNLOCK(&f);
1769  goto end;
1770  }
1771  FLOWLOCK_UNLOCK(&f);
1772 
1773  dcerpc_state = f.alstate;
1774  if (dcerpc_state == NULL) {
1775  SCLogDebug("no dcerpc state: ");
1776  goto end;
1777  }
1778 
1779  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1780  p->flowflags |= FLOW_PKT_TOSERVER;
1781  /* do detect */
1782  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1783 
1784  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1785  goto end;
1786 
1787  /* response1 */
1788  FLOWLOCK_WRLOCK(&f);
1789  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1790  STREAM_TOCLIENT, dcerpc_response1,
1791  dcerpc_response1_len);
1792  if (r != 0) {
1793  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1794  FLOWLOCK_UNLOCK(&f);
1795  goto end;
1796  }
1797  FLOWLOCK_UNLOCK(&f);
1798 
1799  p->flowflags &=~ FLOW_PKT_TOSERVER;
1800  p->flowflags |= FLOW_PKT_TOCLIENT;
1801  /* do detect */
1802  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1803 
1804  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1805  goto end;
1806 
1807  /* request2 */
1808  FLOWLOCK_WRLOCK(&f);
1809  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1810  STREAM_TOSERVER, dcerpc_request2,
1811  dcerpc_request2_len);
1812  if (r != 0) {
1813  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1814  FLOWLOCK_UNLOCK(&f);
1815  goto end;
1816  }
1817  FLOWLOCK_UNLOCK(&f);
1818 
1819  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1820  p->flowflags |= FLOW_PKT_TOSERVER;
1821  /* do detect */
1822  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1823 
1824  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1825  goto end;
1826 
1827  /* response2 */
1828  FLOWLOCK_WRLOCK(&f);
1829  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1830  STREAM_TOCLIENT, dcerpc_response2,
1831  dcerpc_response2_len);
1832  if (r != 0) {
1833  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1834  FLOWLOCK_UNLOCK(&f);
1835  goto end;
1836  }
1837  FLOWLOCK_UNLOCK(&f);
1838 
1839  p->flowflags &=~ FLOW_PKT_TOSERVER;
1840  p->flowflags |= FLOW_PKT_TOCLIENT;
1841  /* do detect */
1842  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1843 
1844  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1845  goto end;
1846 
1847  /* request3 */
1848  FLOWLOCK_WRLOCK(&f);
1849  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1850  STREAM_TOSERVER, dcerpc_request3,
1851  dcerpc_request3_len);
1852  if (r != 0) {
1853  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1854  FLOWLOCK_UNLOCK(&f);
1855  goto end;
1856  }
1857  FLOWLOCK_UNLOCK(&f);
1858 
1859  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1860  p->flowflags |= FLOW_PKT_TOSERVER;
1861  /* do detect */
1862  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1863 
1864  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1865  goto end;
1866 
1867  /* response3 */
1868  FLOWLOCK_WRLOCK(&f);
1869  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1870  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1871  dcerpc_response3_len);
1872  if (r != 0) {
1873  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1874  FLOWLOCK_UNLOCK(&f);
1875  goto end;
1876  }
1877  FLOWLOCK_UNLOCK(&f);
1878 
1879  p->flowflags &=~ FLOW_PKT_TOSERVER;
1880  p->flowflags |= FLOW_PKT_TOCLIENT;
1881  /* do detect */
1882  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1883 
1884  if (PacketAlertCheck(p, 1))
1885  goto end;
1886 
1887  result = 1;
1888 
1889  end:
1890  if (alp_tctx != NULL)
1891  AppLayerParserThreadCtxFree(alp_tctx);
1892 
1893  SigGroupCleanup(de_ctx);
1894  SigCleanSignatures(de_ctx);
1895 
1896  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1897  DetectEngineCtxFree(de_ctx);
1898 
1899  StreamTcpFreeConfig(true);
1900  FLOW_DESTROY(&f);
1901 
1902  UTHFreePackets(&p, 1);
1903  return result;
1904 }
1905 
1906 // invalid signature because of invalid protocol
1907 static int DetectDceStubDataTestParse06(void)
1908 {
1909  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1910  FAIL_IF_NULL(de_ctx);
1911  de_ctx->flags = DE_QUIET;
1912  Signature *s = DetectEngineAppendSig(de_ctx,
1913  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1914  FAIL_IF_NOT_NULL(s);
1915  DetectEngineCtxFree(de_ctx);
1916  PASS;
1917 }
1918 
1919 static void DetectDceStubDataRegisterTests(void)
1920 {
1921  UtRegisterTest("DetectDceStubDataTestParse01",
1922  DetectDceStubDataTestParse01);
1923  UtRegisterTest("DetectDceStubDataTestParse02",
1924  DetectDceStubDataTestParse02);
1925  UtRegisterTest("DetectDceStubDataTestParse03",
1926  DetectDceStubDataTestParse03);
1927  UtRegisterTest("DetectDceStubDataTestParse04",
1928  DetectDceStubDataTestParse04);
1929  UtRegisterTest("DetectDceStubDataTestParse05",
1930  DetectDceStubDataTestParse05);
1931  UtRegisterTest("DetectDceStubDataTestParse06",
1932  DetectDceStubDataTestParse06);
1933 }
1934 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:116
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1477
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1175
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:379
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:552
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:375
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
InspectionBuffer
Definition: detect.h:345
Packet_::flags
uint32_t flags
Definition: decode.h:462
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:753
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:349
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:511
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:451
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:43
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1360
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:270
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1077
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:622
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:357
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:267
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:189
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1983
Packet_
Definition: decode.h:427
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
SIG_FLAG_INIT_DCERPC
#define SIG_FLAG_INIT_DCERPC
Definition: detect.h:266
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
detect-engine-content-inspection.h
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2420
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:662
SigTableElmt_::alias
const char * alias
Definition: detect.h:1268
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1543
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:346
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1441
Flow_::alstate
void * alstate
Definition: flow.h:486
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:58
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1453
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1291
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:42
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1172
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468