suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-engine-build.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-prefilter.h"
38 #include "detect-engine-content-inspection.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "app-layer.h"
45 #include "app-layer-parser.h"
46 #include "queue.h"
47 #include "stream-tcp-reassemble.h"
48 
49 #include "detect-dce-stub-data.h"
50 #include "detect-dce-iface.h"
51 
52 #include "util-debug.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 #include "stream-tcp.h"
58 
59 #include "rust.h"
60 
61 #define BUFFER_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void DetectDceStubDataRegisterTests(void);
66 #endif
67 static int g_dce_stub_data_buffer_id = 0;
68 
69 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
70  const DetectEngineTransforms *transforms,
71  Flow *_f, const uint8_t flow_flags,
72  void *txv, const int list_id)
73 {
74  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
75  if (!buffer->initialized) {
76  uint32_t data_len = 0;
77  const uint8_t *data = NULL;
78  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
79  if (SCSmbTxGetStubData(txv, dir, &data, &data_len) != 1)
80  return NULL;
81  SCLogDebug("have data!");
82 
83  InspectionBufferSetupAndApplyTransforms(
84  det_ctx, list_id, buffer, data, data_len, transforms);
85  }
86  return buffer;
87 }
88 
89 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
90  const DetectEngineTransforms *transforms,
91  Flow *_f, const uint8_t flow_flags,
92  void *txv, const int list_id)
93 {
94  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
95  if (!buffer->initialized) {
96  uint32_t data_len = 0;
97  const uint8_t *data = NULL;
98  uint8_t endianness;
99 
100  SCDcerpcGetStubData(txv, &data, &data_len, &endianness, flow_flags);
101  if (data == NULL || data_len == 0)
102  return NULL;
103 
104  if (endianness > 0) {
105  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
106  } else {
107  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
108  }
109  InspectionBufferSetupAndApplyTransforms(
110  det_ctx, list_id, buffer, data, data_len, transforms);
111  }
112  return buffer;
113 }
114 
115 /**
116  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
117  */
118 void DetectDceStubDataRegister(void)
119 {
120  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
122  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
123  sigmatch_table[DETECT_DCE_STUB_DATA].desc = "match on the stub data in a DCERPC packet";
124  sigmatch_table[DETECT_DCE_STUB_DATA].url = "/rules/dcerpc-keywords.html#dcerpc-stub-data";
125 #ifdef UNITTESTS
126  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
127 #endif
128  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
129 
130  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
131  DetectEngineInspectBufferGeneric, GetSMBData);
132  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
133  GetSMBData, ALPROTO_SMB, 0);
134  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
135  DetectEngineInspectBufferGeneric, GetSMBData);
136  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
137  GetSMBData, ALPROTO_SMB, 0);
138 
139  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
140  DetectEngineInspectBufferGeneric, GetDCEData);
141  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
142  GetDCEData, ALPROTO_DCERPC, 0);
143  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
144  DetectEngineInspectBufferGeneric, GetDCEData);
145  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
146  GetDCEData, ALPROTO_DCERPC, 0);
147 
148  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
149 }
150 
151 /**
152  * \brief setups the dce_stub_data list
153  *
154  * \param de_ctx Pointer to the detection engine context
155  * \param s Pointer to signature for the current Signature being parsed
156  * from the rules
157  * \param arg Pointer to the string holding the keyword value
158  *
159  * \retval 0 on success, -1 on failure
160  */
161 
162 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
163 {
164  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
165  return -1;
166  if (SCDetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
167  return -1;
168  return 0;
169 }
170 
171 /************************************Unittests*********************************/
172 
173 #ifdef UNITTESTS
174 #include "detect-engine-alert.h"
175 
176 /**
177  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
178  */
179 static int DetectDceStubDataTestParse02(void)
180 {
181  int result = 0;
182  Signature *s = NULL;
183  ThreadVars th_v;
184  Packet *p = NULL;
185  Flow f;
186  TcpSession ssn;
187  DetectEngineThreadCtx *det_ctx = NULL;
188  DetectEngineCtx *de_ctx = NULL;
189  DCERPCState *dcerpc_state = NULL;
190  int r = 0;
191 
192  uint8_t dcerpc_bind[] = {
193  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
194  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
195  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
196  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
197  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
198  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
199  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
200  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
201  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
202  };
203 
204  uint8_t dcerpc_bindack[] = {
205  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
206  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
207  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
208  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
209  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
210  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
212  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
213  0x02, 0x00, 0x00, 0x00
214  };
215 
216  /* todo chop the request frag length and change the
217  * length related parameters in the frag */
218  uint8_t dcerpc_request[] = {
219  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
220  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
221  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
222  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
223  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
224  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
225  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
226  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
227  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
228  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
229  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
230  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
231  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
232  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
233  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
234  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
235  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
236  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
237  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
238  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
239  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
240  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
241  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
242  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
243  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
244  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
245  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
246  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
247  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
248  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
249  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
250  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
251  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
252  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
253  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
254  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
255  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
256  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
257  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
258  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
259  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
260  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
261  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
262  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
263  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
264  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
265  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
266  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
267  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
268  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
269  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
270  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
271  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
272  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
273  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
274  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
275  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
276  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
277  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
278  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
279  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
280  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
281  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
282  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
283  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
284  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
285  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
286  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
287  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
288  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
289  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
290  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
291  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
292  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
293  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
294  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
295  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
296  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
297  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
298  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
299  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
300  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
301  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
302  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
466  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
467  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
468  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
469  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
470  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
471  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
472  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
473  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
474  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
475  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
476  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
477  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
478  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
479  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
480  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
481  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
482  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
483  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
484  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
485  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
486  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
487  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
488  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
489  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
490  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
491  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
492  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
493  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
494  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
495  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
496  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
497  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
499  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
500  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x01, 0x02, 0x03, 0x04
633  };
634 
635  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
636  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
637  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
638  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
639 
640  memset(&th_v, 0, sizeof(th_v));
641  StatsThreadInit(&th_v.stats);
642  memset(&f, 0, sizeof(f));
643  memset(&ssn, 0, sizeof(ssn));
644 
645  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
646 
647  FLOW_INITIALIZE(&f);
648  f.protoctx = (void *)&ssn;
649  f.proto = IPPROTO_TCP;
650  p->flow = &f;
651  p->flowflags |= FLOW_PKT_TOSERVER;
652  p->flowflags |= FLOW_PKT_ESTABLISHED;
653  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
654  f.alproto = ALPROTO_DCERPC;
655 
656  StreamTcpInitConfig(true);
657 
658  de_ctx = DetectEngineCtxInit();
659  if (de_ctx == NULL)
660  goto end;
661 
662  de_ctx->flags |= DE_QUIET;
663 
664  s = de_ctx->sig_list = SigInit(de_ctx,
665  "alert tcp any any -> any any "
666  "(msg:\"DCERPC\"; "
667  "dce_stub_data; content:\"|42 42 42 42|\";"
668  "sid:1;)");
669  if (s == NULL)
670  goto end;
671 
672  SigGroupBuild(de_ctx);
673  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
674 
675  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
676  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
677  dcerpc_bind_len);
678  if (r != 0) {
679  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
680  goto end;
681  }
682 
683  dcerpc_state = f.alstate;
684  if (dcerpc_state == NULL) {
685  SCLogDebug("no dcerpc state: ");
686  goto end;
687  }
688 
689  p->flowflags &=~ FLOW_PKT_TOCLIENT;
690  p->flowflags |= FLOW_PKT_TOSERVER;
691  /* do detect */
692  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
693 
694  /* we shouldn't have any stub data */
695  if (PacketAlertCheck(p, 1))
696  goto end;
697 
698  /* do detect */
699  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
700  STREAM_TOCLIENT, dcerpc_bindack,
701  dcerpc_bindack_len);
702  if (r != 0) {
703  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
704  goto end;
705  }
706 
707  p->flowflags &=~ FLOW_PKT_TOSERVER;
708  p->flowflags |= FLOW_PKT_TOCLIENT;
709  /* do detect */
710  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
711 
712  /* we shouldn't have any stub data */
713  if (PacketAlertCheck(p, 1))
714  goto end;
715 
716  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
717  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
718  dcerpc_request_len);
719  if (r != 0) {
720  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
721  goto end;
722  }
723 
724  p->flowflags &=~ FLOW_PKT_TOCLIENT;
725  p->flowflags |= FLOW_PKT_TOSERVER;
726  /* do detect */
727  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
728 
729  /* we should have the stub data since we previously parsed a request frag */
730  if (!PacketAlertCheck(p, 1))
731  goto end;
732 
733  result = 1;
734 
735  end:
736  if (alp_tctx != NULL)
737  AppLayerParserThreadCtxFree(alp_tctx);
738  SigGroupCleanup(de_ctx);
739  SigCleanSignatures(de_ctx);
740 
741  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
742  DetectEngineCtxFree(de_ctx);
743 
744  StreamTcpFreeConfig(true);
745  FLOW_DESTROY(&f);
746 
747  UTHFreePackets(&p, 1);
748  StatsThreadCleanup(&th_v.stats);
749  return result;
750 }
751 
752 /**
753  * \test Test a valid dce_stub_data with just a request frag.
754  */
755 static int DetectDceStubDataTestParse03(void)
756 {
757  Signature *s = NULL;
758  ThreadVars th_v;
759  Packet *p = NULL;
760  Flow f;
761  TcpSession ssn;
762  DetectEngineThreadCtx *det_ctx = NULL;
763  DetectEngineCtx *de_ctx = NULL;
764  DCERPCState *dcerpc_state = NULL;
765  int r = 0;
766 
767  /* todo chop the request frag length and change the
768  * length related parameters in the frag */
769  uint8_t dcerpc_request[] = {
770  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
771  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
772  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
773  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
774  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
775  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
776  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
777  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
778  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
779  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
780  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
781  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
782  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
783  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
784  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
785  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
786  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
787  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
788  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
789  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
790  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
791  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
792  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
793  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
794  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
795  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
796  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
797  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
798  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
799  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
800  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
801  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
802  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
803  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
804  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
805  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
806  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
807  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
808  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
809  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
810  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
811  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
812  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
813  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
814  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
815  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
816  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
817  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
818  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
819  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
820  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
821  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
822  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
823  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
824  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
825  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
826  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
827  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
828  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
829  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
830  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
831  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
832  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
833  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
834  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
835  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
836  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
837  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
838  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
839  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
840  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
841  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
842  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
843  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
844  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
845  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
846  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
847  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
848  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
849  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
850  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
851  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
852  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
853  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1017  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1018  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1019  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1020  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1021  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1022  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1023  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1024  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1025  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1026  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1027  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1028  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1029  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1030  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1031  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1032  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1033  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1034  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1035  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1036  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1037  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1038  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1039  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1040  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1041  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1042  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1043  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1044  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1045  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1046  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1047  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1048  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1049  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1050  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1051  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x01, 0x02, 0x03, 0x04
1184  };
1185 
1186  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1187 
1188  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1189 
1190  memset(&th_v, 0, sizeof(th_v));
1191  StatsThreadInit(&th_v.stats);
1192  memset(&f, 0, sizeof(f));
1193  memset(&ssn, 0, sizeof(ssn));
1194 
1195  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1196 
1197  FLOW_INITIALIZE(&f);
1198  f.protoctx = (void *)&ssn;
1199  f.proto = IPPROTO_TCP;
1200  p->flow = &f;
1201  p->flowflags |= FLOW_PKT_TOSERVER;
1202  p->flowflags |= FLOW_PKT_ESTABLISHED;
1203  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1204  f.alproto = ALPROTO_DCERPC;
1205 
1206  StreamTcpInitConfig(true);
1207 
1208  de_ctx = DetectEngineCtxInit();
1209  FAIL_IF(de_ctx == NULL);
1210 
1211  de_ctx->flags |= DE_QUIET;
1212 
1213  s = de_ctx->sig_list = SigInit(de_ctx,
1214  "alert tcp any any -> any any "
1215  "(msg:\"DCERPC\"; "
1216  "dce_stub_data; content:\"|42 42 42 42|\";"
1217  "sid:1;)");
1218  FAIL_IF(s == NULL);
1219 
1220  SigGroupBuild(de_ctx);
1221  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1222 
1223  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1224  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1225  dcerpc_request_len);
1226  FAIL_IF(r != 0);
1227 
1228  dcerpc_state = f.alstate;
1229  FAIL_IF (dcerpc_state == NULL);
1230 
1231  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1232  p->flowflags |= FLOW_PKT_TOSERVER;
1233  /* do detect */
1234  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1235  FAIL_IF(!PacketAlertCheck(p, 1));
1236 
1237  if (alp_tctx != NULL)
1238  AppLayerParserThreadCtxFree(alp_tctx);
1239  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1240  DetectEngineCtxFree(de_ctx);
1241  StreamTcpFreeConfig(true);
1242  FLOW_DESTROY(&f);
1243 
1244  UTHFreePackets(&p, 1);
1245  StatsThreadCleanup(&th_v.stats);
1246  PASS;
1247 }
1248 
1249 static int DetectDceStubDataTestParse04(void)
1250 {
1251  int result = 0;
1252  Signature *s = NULL;
1253  ThreadVars th_v;
1254  Packet *p = NULL;
1255  Flow f;
1256  TcpSession ssn;
1257  DetectEngineThreadCtx *det_ctx = NULL;
1258  DetectEngineCtx *de_ctx = NULL;
1259  DCERPCState *dcerpc_state = NULL;
1260  int r = 0;
1261 
1262  uint8_t dcerpc_bind[] = {
1263  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1264  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1265  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1266  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1267  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1268  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1269  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1270  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1271  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1272  };
1273 
1274  uint8_t dcerpc_bindack[] = {
1275  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1276  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1277  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1278  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1279  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1280  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1281  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1282  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1283  0x02, 0x00, 0x00, 0x00,
1284  };
1285 
1286  uint8_t dcerpc_request1[] = {
1287  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1288  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1289  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1290  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1291  0x00, 0x00, 0x00, 0x02,
1292  };
1293 
1294  uint8_t dcerpc_response1[] = {
1295  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1296  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1297  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1298  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1299  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1300  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1301  };
1302 
1303  uint8_t dcerpc_request2[] = {
1304  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1305  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1306  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1307  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1308  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1309  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1310  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1311  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1312  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1313  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1314  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1315  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1316  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1317  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1318  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1319  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1320  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1321  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1322  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1323  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1324  0x03, 0x00, 0x00, 0x00,
1325  };
1326 
1327  uint8_t dcerpc_response2[] = {
1328  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1329  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1330  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1332  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1333  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1334  };
1335 
1336  uint8_t dcerpc_request3[] = {
1337  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1338  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1339  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1340  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1341  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1342  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1343  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1344  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1345  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1346  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1347  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1348  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1349  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1350  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1351  };
1352 
1353  uint8_t dcerpc_response3[] = {
1354  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1355  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1356  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1357  0x00, 0x00, 0x00, 0x00,
1358  };
1359 
1360  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1361  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1362 
1363  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1364  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1365 
1366  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1367  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1368 
1369  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1370  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1371 
1372  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1373 
1374  memset(&th_v, 0, sizeof(th_v));
1375  StatsThreadInit(&th_v.stats);
1376  memset(&f, 0, sizeof(f));
1377  memset(&ssn, 0, sizeof(ssn));
1378 
1379  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1380 
1381  FLOW_INITIALIZE(&f);
1382  f.protoctx = (void *)&ssn;
1383  f.proto = IPPROTO_TCP;
1384  p->flow = &f;
1385  p->flowflags |= FLOW_PKT_TOSERVER;
1386  p->flowflags |= FLOW_PKT_ESTABLISHED;
1387  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1388  f.alproto = ALPROTO_DCERPC;
1389 
1390  StreamTcpInitConfig(true);
1391 
1392  de_ctx = DetectEngineCtxInit();
1393  if (de_ctx == NULL)
1394  goto end;
1395 
1396  de_ctx->flags |= DE_QUIET;
1397 
1398  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1399  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1400  if (s == NULL)
1401  goto end;
1402  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1403  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1404  if (s == NULL)
1405  goto end;
1406  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1407  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1408  if (s == NULL)
1409  goto end;
1410 
1411  SigGroupBuild(de_ctx);
1412  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1413 
1414  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1415  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1416  dcerpc_bind_len);
1417  if (r != 0) {
1418  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1419  goto end;
1420  }
1421  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1422  p->flowflags |= FLOW_PKT_TOSERVER;
1423  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1424 
1425  dcerpc_state = f.alstate;
1426  if (dcerpc_state == NULL) {
1427  SCLogDebug("no dcerpc state: ");
1428  goto end;
1429  }
1430 
1431  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1432  STREAM_TOCLIENT, dcerpc_bindack,
1433  dcerpc_bindack_len);
1434  if (r != 0) {
1435  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1436  goto end;
1437  }
1438  p->flowflags &=~ FLOW_PKT_TOSERVER;
1439  p->flowflags |= FLOW_PKT_TOCLIENT;
1440  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1441 
1442  /* request1 */
1443  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1444  STREAM_TOSERVER, dcerpc_request1,
1445  dcerpc_request1_len);
1446  if (r != 0) {
1447  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1448  goto end;
1449  }
1450 
1451  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1452  p->flowflags |= FLOW_PKT_TOSERVER;
1453  /* do detect */
1454  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1455 
1456  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1457  goto end;
1458 
1459  /* response1 */
1460  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1461  STREAM_TOCLIENT, dcerpc_response1,
1462  dcerpc_response1_len);
1463  if (r != 0) {
1464  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1465  goto end;
1466  }
1467 
1468  p->flowflags &=~ FLOW_PKT_TOSERVER;
1469  p->flowflags |= FLOW_PKT_TOCLIENT;
1470  /* do detect */
1471  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1472 
1473  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1474  goto end;
1475 
1476  /* request2 */
1477  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1478  STREAM_TOSERVER, dcerpc_request2,
1479  dcerpc_request2_len);
1480  if (r != 0) {
1481  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1482  goto end;
1483  }
1484 
1485  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1486  p->flowflags |= FLOW_PKT_TOSERVER;
1487  /* do detect */
1488  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1489 
1490  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1491  goto end;
1492 
1493  /* response2 */
1494  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1495  STREAM_TOCLIENT, dcerpc_response2,
1496  dcerpc_response2_len);
1497  if (r != 0) {
1498  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1499  goto end;
1500  }
1501 
1502  p->flowflags &=~ FLOW_PKT_TOSERVER;
1503  p->flowflags |= FLOW_PKT_TOCLIENT;
1504  /* do detect */
1505  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1506 
1507  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1508  goto end;
1509  /* request3 */
1510  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1511  STREAM_TOSERVER, dcerpc_request3,
1512  dcerpc_request3_len);
1513  if (r != 0) {
1514  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1515  goto end;
1516  }
1517 
1518  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1519  p->flowflags |= FLOW_PKT_TOSERVER;
1520  /* do detect */
1521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1522 
1523  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1524  goto end;
1525 
1526  /* response3 */
1527  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1528  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1529  dcerpc_response3_len);
1530  if (r != 0) {
1531  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1532  goto end;
1533  }
1534 
1535  p->flowflags &=~ FLOW_PKT_TOSERVER;
1536  p->flowflags |= FLOW_PKT_TOCLIENT;
1537  /* do detect */
1538  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1539 
1540  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1541  goto end;
1542 
1543  result = 1;
1544 
1545  end:
1546  if (alp_tctx != NULL)
1547  AppLayerParserThreadCtxFree(alp_tctx);
1548  SigGroupCleanup(de_ctx);
1549  SigCleanSignatures(de_ctx);
1550 
1551  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1552  DetectEngineCtxFree(de_ctx);
1553 
1554  StreamTcpFreeConfig(true);
1555  FLOW_DESTROY(&f);
1556 
1557  UTHFreePackets(&p, 1);
1558  StatsThreadCleanup(&th_v.stats);
1559  return result;
1560 }
1561 
1562 static int DetectDceStubDataTestParse05(void)
1563 {
1564  int result = 0;
1565  Signature *s = NULL;
1566  ThreadVars th_v;
1567  Packet *p = NULL;
1568  Flow f;
1569  TcpSession ssn;
1570  DetectEngineThreadCtx *det_ctx = NULL;
1571  DetectEngineCtx *de_ctx = NULL;
1572  DCERPCState *dcerpc_state = NULL;
1573  int r = 0;
1574 
1575  uint8_t dcerpc_request1[] = {
1576  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1577  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1578  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1579  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1580  0x00, 0x00, 0x00, 0x02,
1581  };
1582 
1583  uint8_t dcerpc_response1[] = {
1584  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1585  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1586  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1587  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1588  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1589  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1590  };
1591 
1592  uint8_t dcerpc_request2[] = {
1593  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1594  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1595  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1596  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1597  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1598  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1599  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1600  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1601  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1602  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1603  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1604  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1605  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1606  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1607  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1608  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1609  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1610  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1611  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1612  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613  0x03, 0x00, 0x00, 0x00,
1614  };
1615 
1616  uint8_t dcerpc_response2[] = {
1617  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1618  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1619  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1620  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1621  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1622  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1623  };
1624 
1625  uint8_t dcerpc_request3[] = {
1626  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1627  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1628  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1629  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1630  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1631  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1632  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1633  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1634  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1635  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1636  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1637  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1638  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1639  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1640  };
1641 
1642  uint8_t dcerpc_response3[] = {
1643  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1644  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1645  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1646  0x00, 0x00, 0x00, 0x00,
1647  };
1648 
1649  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1650  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1651 
1652  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1653  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1654 
1655  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1656  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1657 
1658  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1659 
1660  memset(&th_v, 0, sizeof(th_v));
1661  StatsThreadInit(&th_v.stats);
1662  memset(&f, 0, sizeof(f));
1663  memset(&ssn, 0, sizeof(ssn));
1664 
1665  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1666 
1667  FLOW_INITIALIZE(&f);
1668  f.protoctx = (void *)&ssn;
1669  f.proto = IPPROTO_TCP;
1670  p->flow = &f;
1671  p->flowflags |= FLOW_PKT_TOSERVER;
1672  p->flowflags |= FLOW_PKT_ESTABLISHED;
1673  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1674  f.alproto = ALPROTO_DCERPC;
1675 
1676  StreamTcpInitConfig(true);
1677 
1678  de_ctx = DetectEngineCtxInit();
1679  if (de_ctx == NULL)
1680  goto end;
1681 
1682  de_ctx->flags |= DE_QUIET;
1683 
1684  s = de_ctx->sig_list = SigInit(de_ctx,
1685  "alert tcp any any -> any any "
1686  "(msg:\"DCERPC\"; "
1687  "dce_stub_data; content:\"|00 02|\"; "
1688  "sid:1;)");
1689  if (s == NULL)
1690  goto end;
1691  s = de_ctx->sig_list->next = SigInit(de_ctx,
1692  "alert tcp any any -> any any "
1693  "(msg:\"DCERPC\"; "
1694  "dce_stub_data; content:\"|00 75|\"; "
1695  "sid:2;)");
1696  if (s == NULL)
1697  goto end;
1698  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1699  "alert tcp any any -> any any "
1700  "(msg:\"DCERPC\"; "
1701  "dce_stub_data; content:\"|00 18|\"; "
1702  "sid:3;)");
1703  if (s == NULL)
1704  goto end;
1705 
1706  SigGroupBuild(de_ctx);
1707  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1708 
1709  /* request1 */
1710  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1711  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1712  dcerpc_request1_len);
1713  if (r != 0) {
1714  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1715  goto end;
1716  }
1717 
1718  dcerpc_state = f.alstate;
1719  if (dcerpc_state == NULL) {
1720  SCLogDebug("no dcerpc state: ");
1721  goto end;
1722  }
1723 
1724  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1725  p->flowflags |= FLOW_PKT_TOSERVER;
1726  /* do detect */
1727  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1728 
1729  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1730  goto end;
1731 
1732  /* response1 */
1733  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1734  STREAM_TOCLIENT, dcerpc_response1,
1735  dcerpc_response1_len);
1736  if (r != 0) {
1737  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1738  goto end;
1739  }
1740 
1741  p->flowflags &=~ FLOW_PKT_TOSERVER;
1742  p->flowflags |= FLOW_PKT_TOCLIENT;
1743  /* do detect */
1744  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1745 
1746  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1747  goto end;
1748 
1749  /* request2 */
1750  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1751  STREAM_TOSERVER, dcerpc_request2,
1752  dcerpc_request2_len);
1753  if (r != 0) {
1754  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1755  goto end;
1756  }
1757 
1758  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1759  p->flowflags |= FLOW_PKT_TOSERVER;
1760  /* do detect */
1761  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1762 
1763  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1764  goto end;
1765 
1766  /* response2 */
1767  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1768  STREAM_TOCLIENT, dcerpc_response2,
1769  dcerpc_response2_len);
1770  if (r != 0) {
1771  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1772  goto end;
1773  }
1774 
1775  p->flowflags &=~ FLOW_PKT_TOSERVER;
1776  p->flowflags |= FLOW_PKT_TOCLIENT;
1777  /* do detect */
1778  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1779 
1780  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1781  goto end;
1782 
1783  /* request3 */
1784  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1785  STREAM_TOSERVER, dcerpc_request3,
1786  dcerpc_request3_len);
1787  if (r != 0) {
1788  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1789  goto end;
1790  }
1791 
1792  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1793  p->flowflags |= FLOW_PKT_TOSERVER;
1794  /* do detect */
1795  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1796 
1797  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1798  goto end;
1799 
1800  /* response3 */
1801  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1802  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1803  dcerpc_response3_len);
1804  if (r != 0) {
1805  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1806  goto end;
1807  }
1808 
1809  p->flowflags &=~ FLOW_PKT_TOSERVER;
1810  p->flowflags |= FLOW_PKT_TOCLIENT;
1811  /* do detect */
1812  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1813 
1814  if (PacketAlertCheck(p, 1))
1815  goto end;
1816 
1817  result = 1;
1818 
1819  end:
1820  if (alp_tctx != NULL)
1821  AppLayerParserThreadCtxFree(alp_tctx);
1822 
1823  SigGroupCleanup(de_ctx);
1824  SigCleanSignatures(de_ctx);
1825 
1826  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1827  DetectEngineCtxFree(de_ctx);
1828 
1829  StreamTcpFreeConfig(true);
1830  FLOW_DESTROY(&f);
1831 
1832  UTHFreePackets(&p, 1);
1833  StatsThreadCleanup(&th_v.stats);
1834  return result;
1835 }
1836 
1837 // invalid signature because of invalid protocol
1838 static int DetectDceStubDataTestParse06(void)
1839 {
1840  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1841  FAIL_IF_NULL(de_ctx);
1842  de_ctx->flags = DE_QUIET;
1843  Signature *s = DetectEngineAppendSig(
1844  de_ctx, "alert dns any any -> any any dce_stub_data;content:\"0\"; sid:1;");
1845  FAIL_IF_NOT_NULL(s);
1846  DetectEngineCtxFree(de_ctx);
1847  PASS;
1848 }
1849 
1850 static void DetectDceStubDataRegisterTests(void)
1851 {
1852  UtRegisterTest("DetectDceStubDataTestParse02",
1853  DetectDceStubDataTestParse02);
1854  UtRegisterTest("DetectDceStubDataTestParse03",
1855  DetectDceStubDataTestParse03);
1856  UtRegisterTest("DetectDceStubDataTestParse04",
1857  DetectDceStubDataTestParse04);
1858  UtRegisterTest("DetectDceStubDataTestParse05",
1859  DetectDceStubDataTestParse05);
1860  UtRegisterTest("DetectDceStubDataTestParse06",
1861  DetectDceStubDataTestParse06);
1862 }
1863 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:118
SigTableElmt_::url
const char * url
Definition: detect.h:1461
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1675
SigTableElmt_::desc
const char * desc
Definition: detect.h:1460
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1270
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2049
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1458
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:391
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1449
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Flow_::proto
uint8_t proto
Definition: flow.h:369
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:224
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2236
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
Flow_::protoctx
void * protoctx
Definition: flow.h:432
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1440
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:45
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:750
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:271
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1577
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3105
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2265
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:219
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:225
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1249
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
SigTableElmt_::alias
const char * alias
Definition: detect.h:1459
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:942
Flow_::alstate
void * alstate
Definition: flow.h:470
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:61
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:226
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1650
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:273
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:441
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1345
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:44
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1266
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1447
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456