suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-build.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
36 #include "detect-engine-prefilter.h"
37 #include "detect-engine-content-inspection.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "app-layer.h"
44 #include "app-layer-parser.h"
45 #include "queue.h"
46 #include "stream-tcp-reassemble.h"
47 
48 #include "detect-dce-stub-data.h"
49 #include "detect-dce-iface.h"
50 
51 #include "util-debug.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 
56 #include "stream-tcp.h"
57 
58 #include "rust.h"
59 
60 #define BUFFER_NAME "dce_stub_data"
61 #define KEYWORD_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void DetectDceStubDataRegisterTests(void);
66 #endif
67 static int g_dce_stub_data_buffer_id = 0;
68 
69 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
70  const DetectEngineTransforms *transforms,
71  Flow *_f, const uint8_t flow_flags,
72  void *txv, const int list_id)
73 {
74  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
75  if (buffer->inspect == NULL) {
76  uint32_t data_len = 0;
77  const uint8_t *data = NULL;
78  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
79  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
80  return NULL;
81  SCLogDebug("have data!");
82 
83  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
84  InspectionBufferApplyTransforms(buffer, transforms);
85  }
86  return buffer;
87 }
88 
89 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
90  const DetectEngineTransforms *transforms,
91  Flow *_f, const uint8_t flow_flags,
92  void *txv, const int list_id)
93 {
94  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
95  if (buffer->inspect == NULL) {
96  uint32_t data_len = 0;
97  const uint8_t *data = NULL;
98  uint8_t endianness;
99 
100  rs_dcerpc_get_stub_data(txv, &data, &data_len, &endianness, flow_flags);
101  if (data == NULL || data_len == 0)
102  return NULL;
103 
104  if (endianness > 0) {
105  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
106  } else {
107  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
108  }
109  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
110  InspectionBufferApplyTransforms(buffer, transforms);
111  }
112  return buffer;
113 }
114 
115 /**
116  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
117  */
118 void DetectDceStubDataRegister(void)
119 {
120  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
122  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
123 #ifdef UNITTESTS
124  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
125 #endif
126  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
127 
128  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
129  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
130  DetectEngineInspectBufferGeneric,
131  GetSMBData);
132  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
133  PrefilterGenericMpmRegister, GetSMBData,
134  ALPROTO_SMB, 0);
135  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
136  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
137  DetectEngineInspectBufferGeneric,
138  GetSMBData);
139  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
140  PrefilterGenericMpmRegister, GetSMBData,
141  ALPROTO_SMB, 0);
142 
143  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
144  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
145  DetectEngineInspectBufferGeneric,
146  GetDCEData);
147  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
148  PrefilterGenericMpmRegister, GetDCEData,
149  ALPROTO_DCERPC, 0);
150  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
151  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
152  DetectEngineInspectBufferGeneric,
153  GetDCEData);
154  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
155  PrefilterGenericMpmRegister, GetDCEData,
156  ALPROTO_DCERPC, 0);
157 
158  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
159 }
160 
161 /**
162  * \brief setups the dce_stub_data list
163  *
164  * \param de_ctx Pointer to the detection engine context
165  * \param s Pointer to signature for the current Signature being parsed
166  * from the rules
167  * \param arg Pointer to the string holding the keyword value
168  *
169  * \retval 0 on success, -1 on failure
170  */
171 
172 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
173 {
174  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
175  return -1;
176  if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
177  return -1;
178  return 0;
179 }
180 
181 /************************************Unittests*********************************/
182 
183 #ifdef UNITTESTS
184 #include "detect-engine-alert.h"
185 
186 static int DetectDceStubDataTestParse01(void)
187 {
188  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
189  FAIL_IF_NULL(de_ctx);
190  de_ctx->flags = DE_QUIET;
191  Signature *s = DetectEngineAppendSig(de_ctx,
192  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
193  FAIL_IF_NULL(s);
194  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
195  DetectEngineCtxFree(de_ctx);
196  PASS;
197 }
198 
199 /**
200  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
201  */
202 static int DetectDceStubDataTestParse02(void)
203 {
204  int result = 0;
205  Signature *s = NULL;
206  ThreadVars th_v;
207  Packet *p = NULL;
208  Flow f;
209  TcpSession ssn;
210  DetectEngineThreadCtx *det_ctx = NULL;
211  DetectEngineCtx *de_ctx = NULL;
212  DCERPCState *dcerpc_state = NULL;
213  int r = 0;
214 
215  uint8_t dcerpc_bind[] = {
216  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
217  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
218  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
219  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
220  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
221  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
222  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
223  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
224  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
225  };
226 
227  uint8_t dcerpc_bindack[] = {
228  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
229  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
230  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
231  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
232  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
233  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
234  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
235  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
236  0x02, 0x00, 0x00, 0x00
237  };
238 
239  /* todo chop the request frag length and change the
240  * length related parameters in the frag */
241  uint8_t dcerpc_request[] = {
242  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
243  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
244  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
245  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
246  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
247  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
248  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
249  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
250  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
251  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
252  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
253  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
254  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
255  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
256  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
257  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
258  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
259  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
260  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
261  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
262  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
263  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
264  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
265  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
266  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
267  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
268  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
269  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
270  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
271  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
272  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
273  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
274  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
275  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
276  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
277  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
278  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
279  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
280  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
281  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
282  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
283  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
284  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
285  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
286  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
287  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
288  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
289  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
290  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
291  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
292  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
293  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
294  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
295  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
296  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
297  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
298  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
299  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
300  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
301  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
302  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
303  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
304  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
305  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
306  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
307  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
308  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
309  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
310  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
311  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
312  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
313  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
314  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
315  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
316  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
317  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
318  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
319  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
320  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
321  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
322  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
323  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
324  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
325  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
489  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
490  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
491  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
492  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
493  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
494  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
495  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
496  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
497  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
498  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
499  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
500  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
501  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
502  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
503  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
504  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
505  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
506  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
507  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
508  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
509  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
510  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
511  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
512  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
513  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
514  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
515  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
516  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
517  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
518  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
519  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
520  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
521  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
522  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
523  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
589  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
655  0x01, 0x02, 0x03, 0x04
656  };
657 
658  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
659  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
660  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
661  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
662 
663  memset(&th_v, 0, sizeof(th_v));
664  memset(&f, 0, sizeof(f));
665  memset(&ssn, 0, sizeof(ssn));
666 
667  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
668 
669  FLOW_INITIALIZE(&f);
670  f.protoctx = (void *)&ssn;
671  f.proto = IPPROTO_TCP;
672  p->flow = &f;
673  p->flowflags |= FLOW_PKT_TOSERVER;
674  p->flowflags |= FLOW_PKT_ESTABLISHED;
675  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
676  f.alproto = ALPROTO_DCERPC;
677 
678  StreamTcpInitConfig(true);
679 
680  de_ctx = DetectEngineCtxInit();
681  if (de_ctx == NULL)
682  goto end;
683 
684  de_ctx->flags |= DE_QUIET;
685 
686  s = de_ctx->sig_list = SigInit(de_ctx,
687  "alert tcp any any -> any any "
688  "(msg:\"DCERPC\"; "
689  "dce_stub_data; content:\"|42 42 42 42|\";"
690  "sid:1;)");
691  if (s == NULL)
692  goto end;
693 
694  SigGroupBuild(de_ctx);
695  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
696 
697  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
698  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
699  dcerpc_bind_len);
700  if (r != 0) {
701  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
702  goto end;
703  }
704 
705  dcerpc_state = f.alstate;
706  if (dcerpc_state == NULL) {
707  SCLogDebug("no dcerpc state: ");
708  goto end;
709  }
710 
711  p->flowflags &=~ FLOW_PKT_TOCLIENT;
712  p->flowflags |= FLOW_PKT_TOSERVER;
713  /* do detect */
714  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
715 
716  /* we shouldn't have any stub data */
717  if (PacketAlertCheck(p, 1))
718  goto end;
719 
720  /* do detect */
721  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
722  STREAM_TOCLIENT, dcerpc_bindack,
723  dcerpc_bindack_len);
724  if (r != 0) {
725  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
726  goto end;
727  }
728 
729  p->flowflags &=~ FLOW_PKT_TOSERVER;
730  p->flowflags |= FLOW_PKT_TOCLIENT;
731  /* do detect */
732  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
733 
734  /* we shouldn't have any stub data */
735  if (PacketAlertCheck(p, 1))
736  goto end;
737 
738  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
739  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
740  dcerpc_request_len);
741  if (r != 0) {
742  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
743  goto end;
744  }
745 
746  p->flowflags &=~ FLOW_PKT_TOCLIENT;
747  p->flowflags |= FLOW_PKT_TOSERVER;
748  /* do detect */
749  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
750 
751  /* we should have the stub data since we previously parsed a request frag */
752  if (!PacketAlertCheck(p, 1))
753  goto end;
754 
755  result = 1;
756 
757  end:
758  if (alp_tctx != NULL)
759  AppLayerParserThreadCtxFree(alp_tctx);
760  SigGroupCleanup(de_ctx);
761  SigCleanSignatures(de_ctx);
762 
763  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
764  DetectEngineCtxFree(de_ctx);
765 
766  StreamTcpFreeConfig(true);
767  FLOW_DESTROY(&f);
768 
769  UTHFreePackets(&p, 1);
770  return result;
771 }
772 
773 /**
774  * \test Test a valid dce_stub_data with just a request frag.
775  */
776 static int DetectDceStubDataTestParse03(void)
777 {
778  Signature *s = NULL;
779  ThreadVars th_v;
780  Packet *p = NULL;
781  Flow f;
782  TcpSession ssn;
783  DetectEngineThreadCtx *det_ctx = NULL;
784  DetectEngineCtx *de_ctx = NULL;
785  DCERPCState *dcerpc_state = NULL;
786  int r = 0;
787 
788  /* todo chop the request frag length and change the
789  * length related parameters in the frag */
790  uint8_t dcerpc_request[] = {
791  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
792  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
793  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
794  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
795  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
796  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
797  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
798  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
799  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
800  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
801  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
802  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
803  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
804  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
805  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
806  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
807  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
808  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
809  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
810  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
811  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
812  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
813  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
814  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
815  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
816  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
817  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
818  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
819  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
820  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
821  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
822  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
823  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
824  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
825  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
826  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
827  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
828  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
829  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
830  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
831  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
832  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
833  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
834  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
835  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
836  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
837  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
838  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
839  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
840  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
841  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
842  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
843  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
844  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
845  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
846  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
847  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
848  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
849  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
850  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
851  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
852  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
853  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
854  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
855  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
856  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
857  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
858  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
859  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
860  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
861  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
862  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
863  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
864  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
865  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
866  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
867  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
868  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
869  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
870  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
871  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
872  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
873  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
874  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1038  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1039  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1040  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1041  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1042  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1043  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1044  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1045  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1046  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1047  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1048  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1049  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1050  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1051  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1052  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1053  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1054  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1055  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1056  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1057  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1058  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1059  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1060  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1061  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1062  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1063  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1064  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1065  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1066  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1067  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1068  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1069  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1070  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1071  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1072  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1184  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1185  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1186  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1187  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1188  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1189  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1190  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1191  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1192  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1193  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1194  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1195  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1196  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1197  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1198  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1199  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1200  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1201  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1202  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1203  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1204  0x01, 0x02, 0x03, 0x04
1205  };
1206 
1207  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1208 
1209  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1210 
1211  memset(&th_v, 0, sizeof(th_v));
1212  memset(&f, 0, sizeof(f));
1213  memset(&ssn, 0, sizeof(ssn));
1214 
1215  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1216 
1217  FLOW_INITIALIZE(&f);
1218  f.protoctx = (void *)&ssn;
1219  f.proto = IPPROTO_TCP;
1220  p->flow = &f;
1221  p->flowflags |= FLOW_PKT_TOSERVER;
1222  p->flowflags |= FLOW_PKT_ESTABLISHED;
1223  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1224  f.alproto = ALPROTO_DCERPC;
1225 
1226  StreamTcpInitConfig(true);
1227 
1228  de_ctx = DetectEngineCtxInit();
1229  FAIL_IF(de_ctx == NULL);
1230 
1231  de_ctx->flags |= DE_QUIET;
1232 
1233  s = de_ctx->sig_list = SigInit(de_ctx,
1234  "alert tcp any any -> any any "
1235  "(msg:\"DCERPC\"; "
1236  "dce_stub_data; content:\"|42 42 42 42|\";"
1237  "sid:1;)");
1238  FAIL_IF(s == NULL);
1239 
1240  SigGroupBuild(de_ctx);
1241  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1242 
1243  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1244  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1245  dcerpc_request_len);
1246  FAIL_IF(r != 0);
1247 
1248  dcerpc_state = f.alstate;
1249  FAIL_IF (dcerpc_state == NULL);
1250 
1251  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1252  p->flowflags |= FLOW_PKT_TOSERVER;
1253  /* do detect */
1254  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1255  FAIL_IF(!PacketAlertCheck(p, 1));
1256 
1257  if (alp_tctx != NULL)
1258  AppLayerParserThreadCtxFree(alp_tctx);
1259  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1260  DetectEngineCtxFree(de_ctx);
1261  StreamTcpFreeConfig(true);
1262  FLOW_DESTROY(&f);
1263 
1264  UTHFreePackets(&p, 1);
1265  PASS;
1266 }
1267 
1268 static int DetectDceStubDataTestParse04(void)
1269 {
1270  int result = 0;
1271  Signature *s = NULL;
1272  ThreadVars th_v;
1273  Packet *p = NULL;
1274  Flow f;
1275  TcpSession ssn;
1276  DetectEngineThreadCtx *det_ctx = NULL;
1277  DetectEngineCtx *de_ctx = NULL;
1278  DCERPCState *dcerpc_state = NULL;
1279  int r = 0;
1280 
1281  uint8_t dcerpc_bind[] = {
1282  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1283  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1284  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1285  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1286  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1287  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1288  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1289  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1290  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1291  };
1292 
1293  uint8_t dcerpc_bindack[] = {
1294  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1295  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1296  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1297  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1298  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1299  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1300  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1301  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1302  0x02, 0x00, 0x00, 0x00,
1303  };
1304 
1305  uint8_t dcerpc_request1[] = {
1306  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1307  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1308  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1309  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1310  0x00, 0x00, 0x00, 0x02,
1311  };
1312 
1313  uint8_t dcerpc_response1[] = {
1314  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1315  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1316  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1317  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1318  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1319  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1320  };
1321 
1322  uint8_t dcerpc_request2[] = {
1323  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1324  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1325  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1326  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1327  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1328  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1329  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1330  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1331  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1332  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1333  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1334  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1335  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1336  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1337  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1338  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1339  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1340  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1341  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1342  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1343  0x03, 0x00, 0x00, 0x00,
1344  };
1345 
1346  uint8_t dcerpc_response2[] = {
1347  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1348  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1349  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1350  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1351  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1352  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1353  };
1354 
1355  uint8_t dcerpc_request3[] = {
1356  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1357  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1358  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1359  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1360  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1361  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1362  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1363  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1364  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1365  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1366  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1367  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1368  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1369  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1370  };
1371 
1372  uint8_t dcerpc_response3[] = {
1373  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1374  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1375  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1376  0x00, 0x00, 0x00, 0x00,
1377  };
1378 
1379  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1380  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1381 
1382  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1383  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1384 
1385  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1386  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1387 
1388  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1389  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1390 
1391  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1392 
1393  memset(&th_v, 0, sizeof(th_v));
1394  memset(&f, 0, sizeof(f));
1395  memset(&ssn, 0, sizeof(ssn));
1396 
1397  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1398 
1399  FLOW_INITIALIZE(&f);
1400  f.protoctx = (void *)&ssn;
1401  f.proto = IPPROTO_TCP;
1402  p->flow = &f;
1403  p->flowflags |= FLOW_PKT_TOSERVER;
1404  p->flowflags |= FLOW_PKT_ESTABLISHED;
1405  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1406  f.alproto = ALPROTO_DCERPC;
1407 
1408  StreamTcpInitConfig(true);
1409 
1410  de_ctx = DetectEngineCtxInit();
1411  if (de_ctx == NULL)
1412  goto end;
1413 
1414  de_ctx->flags |= DE_QUIET;
1415 
1416  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1417  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1418  if (s == NULL)
1419  goto end;
1420  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1421  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1422  if (s == NULL)
1423  goto end;
1424  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1425  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1426  if (s == NULL)
1427  goto end;
1428 
1429  SigGroupBuild(de_ctx);
1430  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1431 
1432  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1433  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1434  dcerpc_bind_len);
1435  if (r != 0) {
1436  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1437  goto end;
1438  }
1439  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1440  p->flowflags |= FLOW_PKT_TOSERVER;
1441  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1442 
1443  dcerpc_state = f.alstate;
1444  if (dcerpc_state == NULL) {
1445  SCLogDebug("no dcerpc state: ");
1446  goto end;
1447  }
1448 
1449  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1450  STREAM_TOCLIENT, dcerpc_bindack,
1451  dcerpc_bindack_len);
1452  if (r != 0) {
1453  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1454  goto end;
1455  }
1456  p->flowflags &=~ FLOW_PKT_TOSERVER;
1457  p->flowflags |= FLOW_PKT_TOCLIENT;
1458  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1459 
1460  /* request1 */
1461  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1462  STREAM_TOSERVER, dcerpc_request1,
1463  dcerpc_request1_len);
1464  if (r != 0) {
1465  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1466  goto end;
1467  }
1468 
1469  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1470  p->flowflags |= FLOW_PKT_TOSERVER;
1471  /* do detect */
1472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1473 
1474  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1475  goto end;
1476 
1477  /* response1 */
1478  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1479  STREAM_TOCLIENT, dcerpc_response1,
1480  dcerpc_response1_len);
1481  if (r != 0) {
1482  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1483  goto end;
1484  }
1485 
1486  p->flowflags &=~ FLOW_PKT_TOSERVER;
1487  p->flowflags |= FLOW_PKT_TOCLIENT;
1488  /* do detect */
1489  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1490 
1491  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1492  goto end;
1493 
1494  /* request2 */
1495  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1496  STREAM_TOSERVER, dcerpc_request2,
1497  dcerpc_request2_len);
1498  if (r != 0) {
1499  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1500  goto end;
1501  }
1502 
1503  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1504  p->flowflags |= FLOW_PKT_TOSERVER;
1505  /* do detect */
1506  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1507 
1508  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1509  goto end;
1510 
1511  /* response2 */
1512  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1513  STREAM_TOCLIENT, dcerpc_response2,
1514  dcerpc_response2_len);
1515  if (r != 0) {
1516  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1517  goto end;
1518  }
1519 
1520  p->flowflags &=~ FLOW_PKT_TOSERVER;
1521  p->flowflags |= FLOW_PKT_TOCLIENT;
1522  /* do detect */
1523  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1524 
1525  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1526  goto end;
1527  /* request3 */
1528  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1529  STREAM_TOSERVER, dcerpc_request3,
1530  dcerpc_request3_len);
1531  if (r != 0) {
1532  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1533  goto end;
1534  }
1535 
1536  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1537  p->flowflags |= FLOW_PKT_TOSERVER;
1538  /* do detect */
1539  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1540 
1541  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1542  goto end;
1543 
1544  /* response3 */
1545  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1546  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1547  dcerpc_response3_len);
1548  if (r != 0) {
1549  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1550  goto end;
1551  }
1552 
1553  p->flowflags &=~ FLOW_PKT_TOSERVER;
1554  p->flowflags |= FLOW_PKT_TOCLIENT;
1555  /* do detect */
1556  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1557 
1558  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1559  goto end;
1560 
1561  result = 1;
1562 
1563  end:
1564  if (alp_tctx != NULL)
1565  AppLayerParserThreadCtxFree(alp_tctx);
1566  SigGroupCleanup(de_ctx);
1567  SigCleanSignatures(de_ctx);
1568 
1569  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1570  DetectEngineCtxFree(de_ctx);
1571 
1572  StreamTcpFreeConfig(true);
1573  FLOW_DESTROY(&f);
1574 
1575  UTHFreePackets(&p, 1);
1576  return result;
1577 }
1578 
1579 static int DetectDceStubDataTestParse05(void)
1580 {
1581  int result = 0;
1582  Signature *s = NULL;
1583  ThreadVars th_v;
1584  Packet *p = NULL;
1585  Flow f;
1586  TcpSession ssn;
1587  DetectEngineThreadCtx *det_ctx = NULL;
1588  DetectEngineCtx *de_ctx = NULL;
1589  DCERPCState *dcerpc_state = NULL;
1590  int r = 0;
1591 
1592  uint8_t dcerpc_request1[] = {
1593  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1594  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1595  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1596  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1597  0x00, 0x00, 0x00, 0x02,
1598  };
1599 
1600  uint8_t dcerpc_response1[] = {
1601  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1602  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1603  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1604  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1605  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1606  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1607  };
1608 
1609  uint8_t dcerpc_request2[] = {
1610  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1611  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1612  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1613  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1614  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1615  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1616  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1617  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1618  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1619  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1620  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1621  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1622  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1623  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1624  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1625  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1626  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1627  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1628  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1629  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1630  0x03, 0x00, 0x00, 0x00,
1631  };
1632 
1633  uint8_t dcerpc_response2[] = {
1634  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1635  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1636  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1638  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1639  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1640  };
1641 
1642  uint8_t dcerpc_request3[] = {
1643  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1644  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1645  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1646  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1647  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1648  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1649  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1650  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1651  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1652  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1653  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1654  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1655  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1656  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1657  };
1658 
1659  uint8_t dcerpc_response3[] = {
1660  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1661  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1662  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1663  0x00, 0x00, 0x00, 0x00,
1664  };
1665 
1666  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1667  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1668 
1669  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1670  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1671 
1672  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1673  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1674 
1675  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1676 
1677  memset(&th_v, 0, sizeof(th_v));
1678  memset(&f, 0, sizeof(f));
1679  memset(&ssn, 0, sizeof(ssn));
1680 
1681  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1682 
1683  FLOW_INITIALIZE(&f);
1684  f.protoctx = (void *)&ssn;
1685  f.proto = IPPROTO_TCP;
1686  p->flow = &f;
1687  p->flowflags |= FLOW_PKT_TOSERVER;
1688  p->flowflags |= FLOW_PKT_ESTABLISHED;
1689  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1690  f.alproto = ALPROTO_DCERPC;
1691 
1692  StreamTcpInitConfig(true);
1693 
1694  de_ctx = DetectEngineCtxInit();
1695  if (de_ctx == NULL)
1696  goto end;
1697 
1698  de_ctx->flags |= DE_QUIET;
1699 
1700  s = de_ctx->sig_list = SigInit(de_ctx,
1701  "alert tcp any any -> any any "
1702  "(msg:\"DCERPC\"; "
1703  "dce_stub_data; content:\"|00 02|\"; "
1704  "sid:1;)");
1705  if (s == NULL)
1706  goto end;
1707  s = de_ctx->sig_list->next = SigInit(de_ctx,
1708  "alert tcp any any -> any any "
1709  "(msg:\"DCERPC\"; "
1710  "dce_stub_data; content:\"|00 75|\"; "
1711  "sid:2;)");
1712  if (s == NULL)
1713  goto end;
1714  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1715  "alert tcp any any -> any any "
1716  "(msg:\"DCERPC\"; "
1717  "dce_stub_data; content:\"|00 18|\"; "
1718  "sid:3;)");
1719  if (s == NULL)
1720  goto end;
1721 
1722  SigGroupBuild(de_ctx);
1723  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1724 
1725  /* request1 */
1726  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1727  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1728  dcerpc_request1_len);
1729  if (r != 0) {
1730  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1731  goto end;
1732  }
1733 
1734  dcerpc_state = f.alstate;
1735  if (dcerpc_state == NULL) {
1736  SCLogDebug("no dcerpc state: ");
1737  goto end;
1738  }
1739 
1740  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1741  p->flowflags |= FLOW_PKT_TOSERVER;
1742  /* do detect */
1743  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1744 
1745  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1746  goto end;
1747 
1748  /* response1 */
1749  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1750  STREAM_TOCLIENT, dcerpc_response1,
1751  dcerpc_response1_len);
1752  if (r != 0) {
1753  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1754  goto end;
1755  }
1756 
1757  p->flowflags &=~ FLOW_PKT_TOSERVER;
1758  p->flowflags |= FLOW_PKT_TOCLIENT;
1759  /* do detect */
1760  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1761 
1762  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1763  goto end;
1764 
1765  /* request2 */
1766  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1767  STREAM_TOSERVER, dcerpc_request2,
1768  dcerpc_request2_len);
1769  if (r != 0) {
1770  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1771  goto end;
1772  }
1773 
1774  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1775  p->flowflags |= FLOW_PKT_TOSERVER;
1776  /* do detect */
1777  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1778 
1779  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1780  goto end;
1781 
1782  /* response2 */
1783  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1784  STREAM_TOCLIENT, dcerpc_response2,
1785  dcerpc_response2_len);
1786  if (r != 0) {
1787  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1788  goto end;
1789  }
1790 
1791  p->flowflags &=~ FLOW_PKT_TOSERVER;
1792  p->flowflags |= FLOW_PKT_TOCLIENT;
1793  /* do detect */
1794  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1795 
1796  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1797  goto end;
1798 
1799  /* request3 */
1800  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1801  STREAM_TOSERVER, dcerpc_request3,
1802  dcerpc_request3_len);
1803  if (r != 0) {
1804  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1805  goto end;
1806  }
1807 
1808  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1809  p->flowflags |= FLOW_PKT_TOSERVER;
1810  /* do detect */
1811  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1812 
1813  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1814  goto end;
1815 
1816  /* response3 */
1817  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1818  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1819  dcerpc_response3_len);
1820  if (r != 0) {
1821  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1822  goto end;
1823  }
1824 
1825  p->flowflags &=~ FLOW_PKT_TOSERVER;
1826  p->flowflags |= FLOW_PKT_TOCLIENT;
1827  /* do detect */
1828  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1829 
1830  if (PacketAlertCheck(p, 1))
1831  goto end;
1832 
1833  result = 1;
1834 
1835  end:
1836  if (alp_tctx != NULL)
1837  AppLayerParserThreadCtxFree(alp_tctx);
1838 
1839  SigGroupCleanup(de_ctx);
1840  SigCleanSignatures(de_ctx);
1841 
1842  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1843  DetectEngineCtxFree(de_ctx);
1844 
1845  StreamTcpFreeConfig(true);
1846  FLOW_DESTROY(&f);
1847 
1848  UTHFreePackets(&p, 1);
1849  return result;
1850 }
1851 
1852 // invalid signature because of invalid protocol
1853 static int DetectDceStubDataTestParse06(void)
1854 {
1855  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1856  FAIL_IF_NULL(de_ctx);
1857  de_ctx->flags = DE_QUIET;
1858  Signature *s = DetectEngineAppendSig(de_ctx,
1859  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1860  FAIL_IF_NOT_NULL(s);
1861  DetectEngineCtxFree(de_ctx);
1862  PASS;
1863 }
1864 
1865 static void DetectDceStubDataRegisterTests(void)
1866 {
1867  UtRegisterTest("DetectDceStubDataTestParse01",
1868  DetectDceStubDataTestParse01);
1869  UtRegisterTest("DetectDceStubDataTestParse02",
1870  DetectDceStubDataTestParse02);
1871  UtRegisterTest("DetectDceStubDataTestParse03",
1872  DetectDceStubDataTestParse03);
1873  UtRegisterTest("DetectDceStubDataTestParse04",
1874  DetectDceStubDataTestParse04);
1875  UtRegisterTest("DetectDceStubDataTestParse05",
1876  DetectDceStubDataTestParse05);
1877  UtRegisterTest("DetectDceStubDataTestParse06",
1878  DetectDceStubDataTestParse06);
1879 }
1880 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:118
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1493
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1445
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:996
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1994
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1235
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:371
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:337
Packet_::flags
uint32_t flags
Definition: decode.h:460
Flow_
Flow data structure.
Definition: flow.h:356
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:749
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:316
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:226
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:339
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:341
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:456
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
Flow_::protoctx
void * protoctx
Definition: flow.h:454
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:43
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1369
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1086
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:613
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:361
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2022
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:194
Packet_
Definition: decode.h:425
detect-engine-build.h
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:228
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:227
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:295
detect-engine-content-inspection.h
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flow
struct Flow_ * flow
Definition: decode.h:462
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:669
SigTableElmt_::alias
const char * alias
Definition: detect.h:1236
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1280
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3368
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1552
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1450
Flow_::alstate
void * alstate
Definition: flow.h:489
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:228
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1421
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1300
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:68
TcpSession_
Definition: stream-tcp-private.h:272
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:42
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:993
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:470