suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "app-layer-dcerpc.h"
44 #include "queue.h"
45 #include "stream-tcp-reassemble.h"
46 
47 #include "detect-dce-stub-data.h"
48 #include "detect-dce-iface.h"
49 
50 #include "util-debug.h"
51 
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 
55 #include "stream-tcp.h"
56 
57 #ifdef HAVE_RUST
58 #include "rust.h"
59 #include "rust-smb-detect-gen.h"
60 #endif
61 
62 #define BUFFER_NAME "dce_stub_data"
63 #define KEYWORD_NAME "dce_stub_data"
64 
65 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
66 static void DetectDceStubDataRegisterTests(void);
67 static int g_dce_stub_data_buffer_id = 0;
68 
69 /** \brief DCERPC Stub Data Mpm prefilter callback
70  *
71  * \param det_ctx detection engine thread ctx
72  * \param p packet to inspect
73  * \param f flow to inspect
74  * \param txv tx to inspect
75  * \param pectx inspection context
76  */
77 static void PrefilterTxDceStubDataRequest(DetectEngineThreadCtx *det_ctx,
78  const void *pectx,
79  Packet *p, Flow *f, void *txv,
80  const uint64_t idx, const uint8_t flags)
81 {
82  SCEnter();
83 
84  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
85  uint8_t *buffer;
86  uint32_t buffer_len;
87 
88 #ifdef HAVE_RUST
89  if (f->alproto == ALPROTO_SMB) {
90  if (rs_smb_tx_get_stub_data(txv, STREAM_TOSERVER, &buffer, &buffer_len) != 1) {
91  SCLogDebug("have no data!");
92  return;
93  }
94  SCLogDebug("have data!");
95  } else
96 #endif
97  {
98  DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
99  if (dcerpc_state == NULL)
100  return;
101 
102  buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
103  buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
104  }
105  if (buffer_len >= mpm_ctx->minlen) {
106  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
107  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
108  }
109 }
110 
111 static int PrefilterTxDceStubDataRequestRegister(DetectEngineCtx *de_ctx,
112  SigGroupHead *sgh, MpmCtx *mpm_ctx)
113 {
114  SCEnter();
115 
116  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataRequest,
117  ALPROTO_DCERPC, 0,
118  mpm_ctx, NULL, KEYWORD_NAME " (request)");
119  if (r == 0) {
120  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataRequest,
121  ALPROTO_SMB, 0,
122  mpm_ctx, NULL, KEYWORD_NAME " (request)");
123  }
124  return r;
125 }
126 
127 /** \brief DCERPC Stub Data Mpm prefilter callback
128  *
129  * \param det_ctx detection engine thread ctx
130  * \param p packet to inspect
131  * \param f flow to inspect
132  * \param txv tx to inspect
133  * \param pectx inspection context
134  */
135 static void PrefilterTxDceStubDataResponse(DetectEngineThreadCtx *det_ctx,
136  const void *pectx,
137  Packet *p, Flow *f, void *txv,
138  const uint64_t idx, const uint8_t flags)
139 {
140  SCEnter();
141 
142  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
143  uint8_t *buffer;
144  uint32_t buffer_len;
145 
146 #ifdef HAVE_RUST
147  if (f->alproto == ALPROTO_SMB) {
148  if (rs_smb_tx_get_stub_data(txv, STREAM_TOCLIENT, &buffer, &buffer_len) != 1) {
149  SCLogDebug("have no data!");
150  return;
151  }
152  SCLogDebug("have data!");
153  } else
154 #endif
155  {
156  DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
157  if (dcerpc_state == NULL)
158  return;
159 
160  buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
161  buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
162  }
163 
164  if (buffer_len >= mpm_ctx->minlen) {
165  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
166  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
167  }
168 }
169 
170 static int PrefilterTxDceStubDataResponseRegister(DetectEngineCtx *de_ctx,
171  SigGroupHead *sgh, MpmCtx *mpm_ctx)
172 {
173  SCEnter();
174 
175  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataResponse,
176  ALPROTO_DCERPC, 0,
177  mpm_ctx, NULL, KEYWORD_NAME " (response)");
178  if (r == 0) {
179  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataResponse,
180  ALPROTO_SMB, 0,
181  mpm_ctx, NULL, KEYWORD_NAME " (response)");
182  }
183  return r;
184 }
185 
186 static int InspectEngineDceStubData(ThreadVars *tv,
187  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
188  const Signature *s, const SigMatchData *smd,
189  Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
190 {
191  uint32_t buffer_len = 0;
192  uint8_t *buffer = NULL;
193  DCERPCState *dcerpc_state = NULL;
194 
195 #ifdef HAVE_RUST
196  if (f->alproto == ALPROTO_SMB) {
197  uint8_t dir = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
198  if (rs_smb_tx_get_stub_data(tx, dir, &buffer, &buffer_len) != 1)
199  goto end;
200  SCLogDebug("have data!");
201  } else
202 #endif
203  {
204  dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
205  if (dcerpc_state == NULL)
206  goto end;
207 
208  if (flags & STREAM_TOSERVER) {
209  buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
210  buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
211  } else if (flags & STREAM_TOCLIENT) {
212  buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
213  buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
214  }
215  }
216  if (buffer == NULL ||buffer_len == 0)
217  goto end;
218 
219  det_ctx->buffer_offset = 0;
220  det_ctx->discontinue_matching = 0;
221  det_ctx->inspection_recursion_counter = 0;
222  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
223  f,
224  buffer, buffer_len,
225  0, DETECT_CI_FLAGS_SINGLE,
226  DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
227  dcerpc_state);
228  if (r == 1)
229  return DETECT_ENGINE_INSPECT_SIG_MATCH;
230 
231 end:
232  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
233 }
234 /**
235  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
236  */
237 void DetectDceStubDataRegister(void)
238 {
239  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dce_stub_data";
240  sigmatch_table[DETECT_DCE_STUB_DATA].Match = NULL;
241  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
242  sigmatch_table[DETECT_DCE_STUB_DATA].Free = NULL;
243  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
244 
245  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT;
246 
247  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
248  PrefilterTxDceStubDataRequestRegister);
249  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
250  PrefilterTxDceStubDataResponseRegister);
251 
252  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
253  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
254  InspectEngineDceStubData);
255  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
256  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
257  InspectEngineDceStubData);
258 
259  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
260  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
261  InspectEngineDceStubData);
262  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
263  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
264  InspectEngineDceStubData);
265 
266  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
267 }
268 
269 /**
270  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
271  * and appends it to the Signature(s).
272  *
273  * \param de_ctx Pointer to the detection engine context
274  * \param s Pointer to signature for the current Signature being parsed
275  * from the rules
276  * \param arg Pointer to the string holding the keyword value
277  *
278  * \retval 0 on success, -1 on failure
279  */
280 
281 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
282 {
283  s->init_data->list = g_dce_stub_data_buffer_id;
284  return 0;
285 }
286 
287 /************************************Unittests*********************************/
288 
289 #ifdef UNITTESTS
290 
291 static int DetectDceStubDataTestParse01(void)
292 {
293  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
294  FAIL_IF_NULL(de_ctx);
295  de_ctx->flags = DE_QUIET;
296  Signature *s = DetectEngineAppendSig(de_ctx,
297  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
298  FAIL_IF_NULL(s);
299  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
300  DetectEngineCtxFree(de_ctx);
301  PASS;
302 }
303 
304 /**
305  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
306  */
307 static int DetectDceStubDataTestParse02(void)
308 {
309  int result = 0;
310  Signature *s = NULL;
311  ThreadVars th_v;
312  Packet *p = NULL;
313  Flow f;
314  TcpSession ssn;
315  DetectEngineThreadCtx *det_ctx = NULL;
316  DetectEngineCtx *de_ctx = NULL;
317  DCERPCState *dcerpc_state = NULL;
318  int r = 0;
319 
320  uint8_t dcerpc_bind[] = {
321  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
322  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
323  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
324  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
325  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
326  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
327  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
328  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
329  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
330  };
331 
332  uint8_t dcerpc_bindack[] = {
333  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
334  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
335  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
336  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
337  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
338  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
339  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
340  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
341  0x02, 0x00, 0x00, 0x00
342  };
343 
344  /* todo chop the request frag length and change the
345  * length related parameters in the frag */
346  uint8_t dcerpc_request[] = {
347  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
348  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
349  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
350  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
351  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
352  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
353  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
354  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
355  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
356  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
357  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
358  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
359  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
360  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
361  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
362  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
363  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
364  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
365  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
366  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
367  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
368  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
369  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
370  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
371  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
372  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
373  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
374  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
375  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
376  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
377  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
378  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
379  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
380  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
381  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
382  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
383  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
384  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
385  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
386  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
387  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
388  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
389  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
390  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
391  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
392  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
393  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
394  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
395  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
396  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
397  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
398  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
399  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
400  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
401  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
402  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
403  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
404  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
405  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
406  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
407  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
408  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
409  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
410  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
411  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
412  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
413  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
414  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
415  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
416  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
417  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
418  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
419  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
420  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
421  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
422  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
423  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
424  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
425  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
426  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
427  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
428  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
429  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
430  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
591  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
592  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
593  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
594  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
595  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
596  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
597  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
598  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
599  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
600  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
601  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
602  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
603  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
604  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
605  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
606  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
607  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
608  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
609  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
610  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
611  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
612  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
613  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
614  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
615  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
616  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
617  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
618  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
619  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
620  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
621  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
622  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
623  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
624  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
625  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
626  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
627  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
628  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
629  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
630  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
631  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
632  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
633  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
634  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
635  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
636  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
637  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
638  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
639  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
640  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
641  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
642  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
643  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
644  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
645  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
646  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
647  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
648  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
649  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
650  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
651  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
652  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
653  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
654  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
655  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
656  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
657  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
658  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
659  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
660  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
661  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
662  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
663  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
664  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
665  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
666  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
667  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
668  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
669  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
670  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
671  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
672  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
673  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
674  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
675  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
676  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
677  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
678  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
679  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
680  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
681  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
682  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
683  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
684  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
685  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
686  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
687  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
688  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
689  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
690  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
691  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
692  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
693  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
694  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
695  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
696  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
697  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
698  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
699  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
700  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
701  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
702  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
703  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
704  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
705  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
706  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
707  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
708  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
709  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
710  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
711  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
712  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
713  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
714  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
715  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
716  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
717  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
718  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
719  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
720  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
721  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
722  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
723  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
724  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
725  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
726  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
727  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
728  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
729  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
730  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
731  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
732  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
733  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
734  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
735  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
736  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
737  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
738  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
739  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
740  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
741  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
742  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
743  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
744  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
745  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
746  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
747  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
748  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
749  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
750  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
751  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
752  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
753  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
754  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
755  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
756  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
757  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
758  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
759  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
760  0x01, 0x02, 0x03, 0x04
761  };
762 
763  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
764  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
765  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
766  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
767 
768  memset(&th_v, 0, sizeof(th_v));
769  memset(&f, 0, sizeof(f));
770  memset(&ssn, 0, sizeof(ssn));
771 
772  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
773 
774  FLOW_INITIALIZE(&f);
775  f.protoctx = (void *)&ssn;
776  f.proto = IPPROTO_TCP;
777  p->flow = &f;
778  p->flowflags |= FLOW_PKT_TOSERVER;
779  p->flowflags |= FLOW_PKT_ESTABLISHED;
780  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
781  f.alproto = ALPROTO_DCERPC;
782 
783  StreamTcpInitConfig(TRUE);
784 
785  de_ctx = DetectEngineCtxInit();
786  if (de_ctx == NULL)
787  goto end;
788 
789  de_ctx->flags |= DE_QUIET;
790 
791  s = de_ctx->sig_list = SigInit(de_ctx,
792  "alert tcp any any -> any any "
793  "(msg:\"DCERPC\"; "
794  "dce_stub_data; content:\"|42 42 42 42|\";"
795  "sid:1;)");
796  if (s == NULL)
797  goto end;
798 
799  SigGroupBuild(de_ctx);
800  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
801 
802  FLOWLOCK_WRLOCK(&f);
803  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
804  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
805  dcerpc_bind_len);
806  if (r != 0) {
807  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
808  FLOWLOCK_UNLOCK(&f);
809  goto end;
810  }
811  FLOWLOCK_UNLOCK(&f);
812 
813  dcerpc_state = f.alstate;
814  if (dcerpc_state == NULL) {
815  SCLogDebug("no dcerpc state: ");
816  goto end;
817  }
818 
819  p->flowflags &=~ FLOW_PKT_TOCLIENT;
820  p->flowflags |= FLOW_PKT_TOSERVER;
821  /* do detect */
822  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
823 
824  /* we shouldn't have any stub data */
825  if (PacketAlertCheck(p, 1))
826  goto end;
827 
828  /* do detect */
829  FLOWLOCK_WRLOCK(&f);
830  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
831  STREAM_TOCLIENT, dcerpc_bindack,
832  dcerpc_bindack_len);
833  if (r != 0) {
834  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
835  FLOWLOCK_UNLOCK(&f);
836  goto end;
837  }
838  FLOWLOCK_UNLOCK(&f);
839 
840  p->flowflags &=~ FLOW_PKT_TOSERVER;
841  p->flowflags |= FLOW_PKT_TOCLIENT;
842  /* do detect */
843  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
844 
845  /* we shouldn't have any stub data */
846  if (PacketAlertCheck(p, 1))
847  goto end;
848 
849  FLOWLOCK_WRLOCK(&f);
850  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
851  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
852  dcerpc_request_len);
853  if (r != 0) {
854  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
855  FLOWLOCK_UNLOCK(&f);
856  goto end;
857  }
858  FLOWLOCK_UNLOCK(&f);
859 
860  p->flowflags &=~ FLOW_PKT_TOCLIENT;
861  p->flowflags |= FLOW_PKT_TOSERVER;
862  /* do detect */
863  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
864 
865  /* we should have the stub data since we previously parsed a request frag */
866  if (!PacketAlertCheck(p, 1))
867  goto end;
868 
869  result = 1;
870 
871  end:
872  if (alp_tctx != NULL)
873  AppLayerParserThreadCtxFree(alp_tctx);
874  SigGroupCleanup(de_ctx);
875  SigCleanSignatures(de_ctx);
876 
877  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
878  DetectEngineCtxFree(de_ctx);
879 
880  StreamTcpFreeConfig(TRUE);
881  FLOW_DESTROY(&f);
882 
883  UTHFreePackets(&p, 1);
884  return result;
885 }
886 
887 /**
888  * \test Test a valid dce_stub_data with just a request frag.
889  */
890 static int DetectDceStubDataTestParse03(void)
891 {
892  Signature *s = NULL;
893  ThreadVars th_v;
894  Packet *p = NULL;
895  Flow f;
896  TcpSession ssn;
897  DetectEngineThreadCtx *det_ctx = NULL;
898  DetectEngineCtx *de_ctx = NULL;
899  DCERPCState *dcerpc_state = NULL;
900  int r = 0;
901 
902  /* todo chop the request frag length and change the
903  * length related parameters in the frag */
904  uint8_t dcerpc_request[] = {
905  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
906  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
907  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
908  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
909  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
910  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
911  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
912  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
913  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
914  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
915  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
916  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
917  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
918  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
919  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
920  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
921  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
922  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
923  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
924  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
925  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
926  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
927  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
928  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
929  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
930  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
931  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
932  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
933  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
934  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
935  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
936  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
937  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
938  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
939  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
940  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
941  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
942  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
943  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
944  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
945  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
946  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
947  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
948  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
949  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
950  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
951  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
952  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
953  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
954  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
955  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
956  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
957  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
958  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
959  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
960  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
961  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
962  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
963  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
964  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
965  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
966  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
967  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
968  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
969  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
970  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
971  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
972  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
973  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
974  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
975  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
976  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
977  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
978  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
979  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
980  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
981  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
982  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
983  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
984  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
985  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
986  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
987  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
988  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1142  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1143  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1144  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1145  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1146  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1147  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1148  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1149  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1150  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1151  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1152  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1153  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1154  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1155  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1156  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1157  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1159  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1160  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1161  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1162  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1163  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1164  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1165  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1166  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1167  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1168  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1170  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1171  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1172  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1173  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1174  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1175  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1176  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1177  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1178  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1179  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1181  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1182  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1183  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1184  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1185  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1186  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1187  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1188  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1189  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1190  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1191  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1192  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1193  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1194  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1195  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1196  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1197  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1198  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1199  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1200  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1201  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1202  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1203  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1204  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1205  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1206  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1207  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1208  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1209  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1210  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1211  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1212  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1213  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1214  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1215  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1216  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1217  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1218  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1219  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1220  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1221  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1222  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1223  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1224  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1225  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1226  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1227  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1228  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1229  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1230  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1231  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1232  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1233  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1234  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1235  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1236  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1237  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1238  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1239  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1240  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1241  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1242  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1243  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1244  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1245  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1246  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1247  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1248  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1249  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1250  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1251  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1252  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1253  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1254  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1255  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1256  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1257  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1258  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1259  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1260  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1261  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1262  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1263  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1264  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1265  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1266  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1267  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1268  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1269  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1270  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1271  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1272  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1273  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1274  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1275  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1276  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1277  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1278  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1279  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1280  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1281  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1282  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1283  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1284  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1285  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1286  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1287  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1288  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1289  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1290  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1291  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1292  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1293  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1294  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1295  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1296  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1297  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1298  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1299  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1300  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1301  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1302  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1303  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1304  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1305  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1306  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1307  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1308  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1309  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1310  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1311  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1312  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1313  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1314  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1315  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1316  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1317  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1318  0x01, 0x02, 0x03, 0x04
1319  };
1320 
1321  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1322 
1323  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1324 
1325  memset(&th_v, 0, sizeof(th_v));
1326  memset(&f, 0, sizeof(f));
1327  memset(&ssn, 0, sizeof(ssn));
1328 
1329  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1330 
1331  FLOW_INITIALIZE(&f);
1332  f.protoctx = (void *)&ssn;
1333  f.proto = IPPROTO_TCP;
1334  p->flow = &f;
1335  p->flowflags |= FLOW_PKT_TOSERVER;
1336  p->flowflags |= FLOW_PKT_ESTABLISHED;
1337  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1338  f.alproto = ALPROTO_DCERPC;
1339 
1340  StreamTcpInitConfig(TRUE);
1341 
1342  de_ctx = DetectEngineCtxInit();
1343  FAIL_IF(de_ctx == NULL);
1344 
1345  de_ctx->flags |= DE_QUIET;
1346 
1347  s = de_ctx->sig_list = SigInit(de_ctx,
1348  "alert tcp any any -> any any "
1349  "(msg:\"DCERPC\"; "
1350  "dce_stub_data; content:\"|42 42 42 42|\";"
1351  "sid:1;)");
1352  FAIL_IF(s == NULL);
1353 
1354  SigGroupBuild(de_ctx);
1355  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1356 
1357  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1358  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1359  dcerpc_request_len);
1360  FAIL_IF(r != 0);
1361 
1362  dcerpc_state = f.alstate;
1363  FAIL_IF (dcerpc_state == NULL);
1364 
1365  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1366  p->flowflags |= FLOW_PKT_TOSERVER;
1367  /* do detect */
1368  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1369  FAIL_IF(!PacketAlertCheck(p, 1));
1370 
1371  if (alp_tctx != NULL)
1372  AppLayerParserThreadCtxFree(alp_tctx);
1373  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1374  DetectEngineCtxFree(de_ctx);
1375  StreamTcpFreeConfig(TRUE);
1376  FLOW_DESTROY(&f);
1377 
1378  UTHFreePackets(&p, 1);
1379  PASS;
1380 }
1381 
1382 static int DetectDceStubDataTestParse04(void)
1383 {
1384  int result = 0;
1385  Signature *s = NULL;
1386  ThreadVars th_v;
1387  Packet *p = NULL;
1388  Flow f;
1389  TcpSession ssn;
1390  DetectEngineThreadCtx *det_ctx = NULL;
1391  DetectEngineCtx *de_ctx = NULL;
1392  DCERPCState *dcerpc_state = NULL;
1393  int r = 0;
1394 
1395  uint8_t dcerpc_bind[] = {
1396  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1397  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1398  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1399  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1400  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1401  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1402  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1403  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1404  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1405  };
1406 
1407  uint8_t dcerpc_bindack[] = {
1408  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1409  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1410  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1411  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1412  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1413  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1415  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1416  0x02, 0x00, 0x00, 0x00,
1417  };
1418 
1419  uint8_t dcerpc_request1[] = {
1420  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1421  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1422  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1423  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1424  0x00, 0x00, 0x00, 0x02,
1425  };
1426 
1427  uint8_t dcerpc_response1[] = {
1428  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1429  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1430  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1431  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1432  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1433  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1434  };
1435 
1436  uint8_t dcerpc_request2[] = {
1437  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1438  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1439  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1440  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1441  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1442  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1443  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1444  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1445  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1446  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1447  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1448  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1449  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1450  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1451  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1452  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1453  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1454  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1455  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1456  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457  0x03, 0x00, 0x00, 0x00,
1458  };
1459 
1460  uint8_t dcerpc_response2[] = {
1461  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1462  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1463  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1465  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1466  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1467  };
1468 
1469  uint8_t dcerpc_request3[] = {
1470  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1471  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1472  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1473  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1474  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1475  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1476  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1477  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1478  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1479  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1480  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1481  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1482  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1483  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1484  };
1485 
1486  uint8_t dcerpc_response3[] = {
1487  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1488  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1489  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1490  0x00, 0x00, 0x00, 0x00,
1491  };
1492 
1493  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1494  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1495 
1496  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1497  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1498 
1499  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1500  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1501 
1502  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1503  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1504 
1505  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1506 
1507  memset(&th_v, 0, sizeof(th_v));
1508  memset(&f, 0, sizeof(f));
1509  memset(&ssn, 0, sizeof(ssn));
1510 
1511  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1512 
1513  FLOW_INITIALIZE(&f);
1514  f.protoctx = (void *)&ssn;
1515  f.proto = IPPROTO_TCP;
1516  p->flow = &f;
1517  p->flowflags |= FLOW_PKT_TOSERVER;
1518  p->flowflags |= FLOW_PKT_ESTABLISHED;
1519  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1520  f.alproto = ALPROTO_DCERPC;
1521 
1522  StreamTcpInitConfig(TRUE);
1523 
1524  de_ctx = DetectEngineCtxInit();
1525  if (de_ctx == NULL)
1526  goto end;
1527 
1528  de_ctx->flags |= DE_QUIET;
1529 
1530  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1531  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1532  if (s == NULL)
1533  goto end;
1534  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1535  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1536  if (s == NULL)
1537  goto end;
1538  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1539  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1540  if (s == NULL)
1541  goto end;
1542 
1543  SigGroupBuild(de_ctx);
1544  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1545 
1546  FLOWLOCK_WRLOCK(&f);
1547  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1548  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1549  dcerpc_bind_len);
1550  if (r != 0) {
1551  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1552  FLOWLOCK_UNLOCK(&f);
1553  goto end;
1554  }
1555  FLOWLOCK_UNLOCK(&f);
1556  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1557  p->flowflags |= FLOW_PKT_TOSERVER;
1558  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1559 
1560  dcerpc_state = f.alstate;
1561  if (dcerpc_state == NULL) {
1562  SCLogDebug("no dcerpc state: ");
1563  goto end;
1564  }
1565 
1566  FLOWLOCK_WRLOCK(&f);
1567  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1568  STREAM_TOCLIENT, dcerpc_bindack,
1569  dcerpc_bindack_len);
1570  if (r != 0) {
1571  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1572  FLOWLOCK_UNLOCK(&f);
1573  goto end;
1574  }
1575  FLOWLOCK_UNLOCK(&f);
1576  p->flowflags &=~ FLOW_PKT_TOSERVER;
1577  p->flowflags |= FLOW_PKT_TOCLIENT;
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1579 
1580  /* request1 */
1581  FLOWLOCK_WRLOCK(&f);
1582  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1583  STREAM_TOSERVER, dcerpc_request1,
1584  dcerpc_request1_len);
1585  if (r != 0) {
1586  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1587  FLOWLOCK_UNLOCK(&f);
1588  goto end;
1589  }
1590  FLOWLOCK_UNLOCK(&f);
1591 
1592  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1593  p->flowflags |= FLOW_PKT_TOSERVER;
1594  /* do detect */
1595  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1596 
1597  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1598  goto end;
1599 
1600  /* response1 */
1601  FLOWLOCK_WRLOCK(&f);
1602  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1603  STREAM_TOCLIENT, dcerpc_response1,
1604  dcerpc_response1_len);
1605  if (r != 0) {
1606  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1607  FLOWLOCK_UNLOCK(&f);
1608  goto end;
1609  }
1610  FLOWLOCK_UNLOCK(&f);
1611 
1612  p->flowflags &=~ FLOW_PKT_TOSERVER;
1613  p->flowflags |= FLOW_PKT_TOCLIENT;
1614  /* do detect */
1615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1616 
1617  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1618  goto end;
1619 
1620  /* request2 */
1621  FLOWLOCK_WRLOCK(&f);
1622  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1623  STREAM_TOSERVER, dcerpc_request2,
1624  dcerpc_request2_len);
1625  if (r != 0) {
1626  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1627  FLOWLOCK_UNLOCK(&f);
1628  goto end;
1629  }
1630  FLOWLOCK_UNLOCK(&f);
1631 
1632  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1633  p->flowflags |= FLOW_PKT_TOSERVER;
1634  /* do detect */
1635  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1636 
1637  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1638  goto end;
1639 
1640  /* response2 */
1641  FLOWLOCK_WRLOCK(&f);
1642  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1643  STREAM_TOCLIENT, dcerpc_response2,
1644  dcerpc_response2_len);
1645  if (r != 0) {
1646  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1647  FLOWLOCK_UNLOCK(&f);
1648  goto end;
1649  }
1650  FLOWLOCK_UNLOCK(&f);
1651 
1652  p->flowflags &=~ FLOW_PKT_TOSERVER;
1653  p->flowflags |= FLOW_PKT_TOCLIENT;
1654  /* do detect */
1655  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1656 
1657  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1658  goto end;
1659 
1660  /* request3 */
1661  FLOWLOCK_WRLOCK(&f);
1662  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1663  STREAM_TOSERVER, dcerpc_request3,
1664  dcerpc_request3_len);
1665  if (r != 0) {
1666  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1667  FLOWLOCK_UNLOCK(&f);
1668  goto end;
1669  }
1670  FLOWLOCK_UNLOCK(&f);
1671 
1672  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1673  p->flowflags |= FLOW_PKT_TOSERVER;
1674  /* do detect */
1675  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1676 
1677  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1678  goto end;
1679 
1680  /* response3 */
1681  FLOWLOCK_WRLOCK(&f);
1682  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1683  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1684  dcerpc_response3_len);
1685  if (r != 0) {
1686  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1687  FLOWLOCK_UNLOCK(&f);
1688  goto end;
1689  }
1690  FLOWLOCK_UNLOCK(&f);
1691 
1692  p->flowflags &=~ FLOW_PKT_TOSERVER;
1693  p->flowflags |= FLOW_PKT_TOCLIENT;
1694  /* do detect */
1695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1696 
1697  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1698  goto end;
1699 
1700  result = 1;
1701 
1702  end:
1703  if (alp_tctx != NULL)
1704  AppLayerParserThreadCtxFree(alp_tctx);
1705  SigGroupCleanup(de_ctx);
1706  SigCleanSignatures(de_ctx);
1707 
1708  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1709  DetectEngineCtxFree(de_ctx);
1710 
1711  StreamTcpFreeConfig(TRUE);
1712  FLOW_DESTROY(&f);
1713 
1714  UTHFreePackets(&p, 1);
1715  return result;
1716 }
1717 
1718 static int DetectDceStubDataTestParse05(void)
1719 {
1720  int result = 0;
1721  Signature *s = NULL;
1722  ThreadVars th_v;
1723  Packet *p = NULL;
1724  Flow f;
1725  TcpSession ssn;
1726  DetectEngineThreadCtx *det_ctx = NULL;
1727  DetectEngineCtx *de_ctx = NULL;
1728  DCERPCState *dcerpc_state = NULL;
1729  int r = 0;
1730 
1731  uint8_t dcerpc_request1[] = {
1732  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1733  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1734  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1735  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1736  0x00, 0x00, 0x00, 0x02,
1737  };
1738 
1739  uint8_t dcerpc_response1[] = {
1740  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1741  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1742  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1743  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1744  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1745  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1746  };
1747 
1748  uint8_t dcerpc_request2[] = {
1749  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1750  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1751  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1752  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1753  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1754  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1755  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1756  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1757  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1758  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1759  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1760  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1761  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1762  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1763  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1764  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1765  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1766  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1767  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1768  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1769  0x03, 0x00, 0x00, 0x00,
1770  };
1771 
1772  uint8_t dcerpc_response2[] = {
1773  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1774  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1775  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1777  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1778  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1779  };
1780 
1781  uint8_t dcerpc_request3[] = {
1782  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1783  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1784  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1785  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1786  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1787  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1788  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1789  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1790  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1791  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1792  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1793  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1794  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1795  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1796  };
1797 
1798  uint8_t dcerpc_response3[] = {
1799  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1800  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1801  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1802  0x00, 0x00, 0x00, 0x00,
1803  };
1804 
1805  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1806  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1807 
1808  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1809  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1810 
1811  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1812  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1813 
1814  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1815 
1816  memset(&th_v, 0, sizeof(th_v));
1817  memset(&f, 0, sizeof(f));
1818  memset(&ssn, 0, sizeof(ssn));
1819 
1820  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1821 
1822  FLOW_INITIALIZE(&f);
1823  f.protoctx = (void *)&ssn;
1824  f.proto = IPPROTO_TCP;
1825  p->flow = &f;
1826  p->flowflags |= FLOW_PKT_TOSERVER;
1827  p->flowflags |= FLOW_PKT_ESTABLISHED;
1828  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1829  f.alproto = ALPROTO_DCERPC;
1830 
1831  StreamTcpInitConfig(TRUE);
1832 
1833  de_ctx = DetectEngineCtxInit();
1834  if (de_ctx == NULL)
1835  goto end;
1836 
1837  de_ctx->flags |= DE_QUIET;
1838 
1839  s = de_ctx->sig_list = SigInit(de_ctx,
1840  "alert tcp any any -> any any "
1841  "(msg:\"DCERPC\"; "
1842  "dce_stub_data; content:\"|00 02|\"; "
1843  "sid:1;)");
1844  if (s == NULL)
1845  goto end;
1846  s = de_ctx->sig_list->next = SigInit(de_ctx,
1847  "alert tcp any any -> any any "
1848  "(msg:\"DCERPC\"; "
1849  "dce_stub_data; content:\"|00 75|\"; "
1850  "sid:2;)");
1851  if (s == NULL)
1852  goto end;
1853  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1854  "alert tcp any any -> any any "
1855  "(msg:\"DCERPC\"; "
1856  "dce_stub_data; content:\"|00 18|\"; "
1857  "sid:3;)");
1858  if (s == NULL)
1859  goto end;
1860 
1861  SigGroupBuild(de_ctx);
1862  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1863 
1864  /* request1 */
1865  FLOWLOCK_WRLOCK(&f);
1866  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1867  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1868  dcerpc_request1_len);
1869  if (r != 0) {
1870  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1871  FLOWLOCK_UNLOCK(&f);
1872  goto end;
1873  }
1874  FLOWLOCK_UNLOCK(&f);
1875 
1876  dcerpc_state = f.alstate;
1877  if (dcerpc_state == NULL) {
1878  SCLogDebug("no dcerpc state: ");
1879  goto end;
1880  }
1881 
1882  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1883  p->flowflags |= FLOW_PKT_TOSERVER;
1884  /* do detect */
1885  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1886 
1887  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1888  goto end;
1889 
1890  /* response1 */
1891  FLOWLOCK_WRLOCK(&f);
1892  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1893  STREAM_TOCLIENT, dcerpc_response1,
1894  dcerpc_response1_len);
1895  if (r != 0) {
1896  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1897  FLOWLOCK_UNLOCK(&f);
1898  goto end;
1899  }
1900  FLOWLOCK_UNLOCK(&f);
1901 
1902  p->flowflags &=~ FLOW_PKT_TOSERVER;
1903  p->flowflags |= FLOW_PKT_TOCLIENT;
1904  /* do detect */
1905  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1906 
1907  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1908  goto end;
1909 
1910  /* request2 */
1911  FLOWLOCK_WRLOCK(&f);
1912  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1913  STREAM_TOSERVER, dcerpc_request2,
1914  dcerpc_request2_len);
1915  if (r != 0) {
1916  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1917  FLOWLOCK_UNLOCK(&f);
1918  goto end;
1919  }
1920  FLOWLOCK_UNLOCK(&f);
1921 
1922  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1923  p->flowflags |= FLOW_PKT_TOSERVER;
1924  /* do detect */
1925  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1926 
1927  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1928  goto end;
1929 
1930  /* response2 */
1931  FLOWLOCK_WRLOCK(&f);
1932  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1933  STREAM_TOCLIENT, dcerpc_response2,
1934  dcerpc_response2_len);
1935  if (r != 0) {
1936  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1937  FLOWLOCK_UNLOCK(&f);
1938  goto end;
1939  }
1940  FLOWLOCK_UNLOCK(&f);
1941 
1942  p->flowflags &=~ FLOW_PKT_TOSERVER;
1943  p->flowflags |= FLOW_PKT_TOCLIENT;
1944  /* do detect */
1945  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1946 
1947  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1948  goto end;
1949 
1950  /* request3 */
1951  FLOWLOCK_WRLOCK(&f);
1952  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1953  STREAM_TOSERVER, dcerpc_request3,
1954  dcerpc_request3_len);
1955  if (r != 0) {
1956  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1957  FLOWLOCK_UNLOCK(&f);
1958  goto end;
1959  }
1960  FLOWLOCK_UNLOCK(&f);
1961 
1962  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1963  p->flowflags |= FLOW_PKT_TOSERVER;
1964  /* do detect */
1965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1966 
1967  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1968  goto end;
1969 
1970  /* response3 */
1971  FLOWLOCK_WRLOCK(&f);
1972  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1973  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1974  dcerpc_response3_len);
1975  if (r != 0) {
1976  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1977  FLOWLOCK_UNLOCK(&f);
1978  goto end;
1979  }
1980  FLOWLOCK_UNLOCK(&f);
1981 
1982  p->flowflags &=~ FLOW_PKT_TOSERVER;
1983  p->flowflags |= FLOW_PKT_TOCLIENT;
1984  /* do detect */
1985  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1986 
1987  if (PacketAlertCheck(p, 1))
1988  goto end;
1989 
1990  result = 1;
1991 
1992  end:
1993  if (alp_tctx != NULL)
1994  AppLayerParserThreadCtxFree(alp_tctx);
1995 
1996  SigGroupCleanup(de_ctx);
1997  SigCleanSignatures(de_ctx);
1998 
1999  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2000  DetectEngineCtxFree(de_ctx);
2001 
2002  StreamTcpFreeConfig(TRUE);
2003  FLOW_DESTROY(&f);
2004 
2005  UTHFreePackets(&p, 1);
2006  return result;
2007 }
2008 
2009 
2010 #endif
2011 
2012 static void DetectDceStubDataRegisterTests(void)
2013 {
2014 #ifdef UNITTESTS
2015  UtRegisterTest("DetectDceStubDataTestParse01",
2016  DetectDceStubDataTestParse01);
2017  UtRegisterTest("DetectDceStubDataTestParse02",
2018  DetectDceStubDataTestParse02);
2019  UtRegisterTest("DetectDceStubDataTestParse03",
2020  DetectDceStubDataTestParse03);
2021  UtRegisterTest("DetectDceStubDataTestParse04",
2022  DetectDceStubDataTestParse04);
2023  UtRegisterTest("DetectDceStubDataTestParse05",
2024  DetectDceStubDataTestParse05);
2025 #endif
2026 
2027  return;
2028 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2190
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:560
flags
uint16_t flags
Definition: app-layer-dns-common.h:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DCERPCResponse_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:184
Packet_::flow
struct Flow_ * flow
Definition: decode.h:444
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:95
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1026
Flow_::proto
uint8_t proto
Definition: flow.h:346
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx))
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:138
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:235
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DCERPC_::dcerpcresponse
DCERPCResponse dcerpcresponse
Definition: app-layer-dcerpc-common.h:192
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1910
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:726
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:237
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
SigMatchData_
Data needed for Match()
Definition: detect.h:333
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1295
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:232
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:991
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1160
Signature_
Signature container.
Definition: detect.h:492
TRUE
#define TRUE
Definition: suricata-common.h:33
Flow_::protoctx
void * protoctx
Definition: flow.h:398
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:720
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
Flow_::alstate
void * alstate
Definition: flow.h:436
DE_QUIET
#define DE_QUIET
Definition: detect.h:298
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:698
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:244
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:721
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
MpmCtx_::mpm_type
uint16_t mpm_type
Definition: util-mpm.h:84
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1151
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1893
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-dce-stub-data.c:63
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:243
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1061
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:438
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1965
Signature_::next
struct Signature_ * next
Definition: detect.h:563
Packet_
Definition: decode.h:406
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:34
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:165
DCERPCRequest_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:173
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:38
SignatureInitData_::list
int list
Definition: detect.h:468
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1059
detect-engine-content-inspection.h
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1328
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:102
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1038
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1101
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:44
DCERPCResponse_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:182
MpmCtx_
Definition: util-mpm.h:82
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:158
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:257
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectDceGetState
DCERPCState * DetectDceGetState(AppProto alproto, void *alstate)
Definition: detect-dce-iface.c:250
DetectEngineThreadCtx_
Definition: detect.h:962
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:194
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:407
Packet_::flags
uint32_t flags
Definition: decode.h:442
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1154
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:327
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1099
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:129
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1152
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:62
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131
DCERPCRequest_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:175
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640