suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "app-layer-dcerpc.h"
44 #include "queue.h"
45 #include "stream-tcp-reassemble.h"
46 
47 #include "detect-dce-stub-data.h"
48 #include "detect-dce-iface.h"
49 
50 #include "util-debug.h"
51 
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 
55 #include "stream-tcp.h"
56 
57 #include "rust.h"
58 #include "rust-smb-detect-gen.h"
59 
60 #define BUFFER_NAME "dce_stub_data"
61 #define KEYWORD_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectDceStubDataRegisterTests(void);
65 static int g_dce_stub_data_buffer_id = 0;
66 
67 /** \brief DCERPC Stub Data Mpm prefilter callback
68  *
69  * \param det_ctx detection engine thread ctx
70  * \param p packet to inspect
71  * \param f flow to inspect
72  * \param txv tx to inspect
73  * \param pectx inspection context
74  */
75 static void PrefilterTxDceStubDataRequest(DetectEngineThreadCtx *det_ctx,
76  const void *pectx,
77  Packet *p, Flow *f, void *txv,
78  const uint64_t idx, const uint8_t flags)
79 {
80  SCEnter();
81 
82  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
83  uint8_t *buffer;
84  uint32_t buffer_len;
85 
86  if (f->alproto == ALPROTO_SMB) {
87  if (rs_smb_tx_get_stub_data(txv, STREAM_TOSERVER, &buffer, &buffer_len) != 1) {
88  SCLogDebug("have no data!");
89  return;
90  }
91  SCLogDebug("have data!");
92  } else {
93  DCERPCState *dcerpc_state = f->alstate;
94  if (dcerpc_state == NULL)
95  return;
96 
97  buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
98  buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
99  }
100  if (buffer_len >= mpm_ctx->minlen) {
101  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
102  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
103  }
104 }
105 
106 static int PrefilterTxDceStubDataRequestRegister(DetectEngineCtx *de_ctx,
107  SigGroupHead *sgh, MpmCtx *mpm_ctx)
108 {
109  SCEnter();
110 
111  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataRequest,
112  ALPROTO_DCERPC, 0,
113  mpm_ctx, NULL, KEYWORD_NAME " (request)");
114  if (r == 0) {
115  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataRequest,
116  ALPROTO_SMB, 0,
117  mpm_ctx, NULL, KEYWORD_NAME " (request)");
118  }
119  return r;
120 }
121 
122 /** \brief DCERPC Stub Data Mpm prefilter callback
123  *
124  * \param det_ctx detection engine thread ctx
125  * \param p packet to inspect
126  * \param f flow to inspect
127  * \param txv tx to inspect
128  * \param pectx inspection context
129  */
130 static void PrefilterTxDceStubDataResponse(DetectEngineThreadCtx *det_ctx,
131  const void *pectx,
132  Packet *p, Flow *f, void *txv,
133  const uint64_t idx, const uint8_t flags)
134 {
135  SCEnter();
136 
137  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
138  uint8_t *buffer;
139  uint32_t buffer_len;
140 
141  if (f->alproto == ALPROTO_SMB) {
142  if (rs_smb_tx_get_stub_data(txv, STREAM_TOCLIENT, &buffer, &buffer_len) != 1) {
143  SCLogDebug("have no data!");
144  return;
145  }
146  SCLogDebug("have data!");
147  } else {
148  DCERPCState *dcerpc_state = f->alstate;
149  if (dcerpc_state == NULL)
150  return;
151 
152  buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
153  buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
154  }
155 
156  if (buffer_len >= mpm_ctx->minlen) {
157  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
158  &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len);
159  }
160 }
161 
162 static int PrefilterTxDceStubDataResponseRegister(DetectEngineCtx *de_ctx,
163  SigGroupHead *sgh, MpmCtx *mpm_ctx)
164 {
165  SCEnter();
166 
167  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataResponse,
168  ALPROTO_DCERPC, 0,
169  mpm_ctx, NULL, KEYWORD_NAME " (response)");
170  if (r == 0) {
171  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDceStubDataResponse,
172  ALPROTO_SMB, 0,
173  mpm_ctx, NULL, KEYWORD_NAME " (response)");
174  }
175  return r;
176 }
177 
178 static int InspectEngineDceStubData(ThreadVars *tv,
179  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
180  const Signature *s, const SigMatchData *smd,
181  Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
182 {
183  uint32_t buffer_len = 0;
184  uint8_t *buffer = NULL;
185  DCERPCState *dcerpc_state = NULL;
186 
187  if (f->alproto == ALPROTO_SMB) {
188  uint8_t dir = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
189  if (rs_smb_tx_get_stub_data(tx, dir, &buffer, &buffer_len) != 1)
190  goto end;
191  SCLogDebug("have data!");
192  } else
193  {
194  dcerpc_state = alstate;
195  if (dcerpc_state == NULL)
196  goto end;
197 
198  if (flags & STREAM_TOSERVER) {
199  buffer_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
200  buffer = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
201  } else if (flags & STREAM_TOCLIENT) {
202  buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
203  buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
204  }
205  }
206  if (buffer == NULL ||buffer_len == 0)
207  goto end;
208 
209  det_ctx->buffer_offset = 0;
210  det_ctx->discontinue_matching = 0;
211  det_ctx->inspection_recursion_counter = 0;
212  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
213  f,
214  buffer, buffer_len,
215  0, DETECT_CI_FLAGS_SINGLE,
216  DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
217  dcerpc_state);
218  if (r == 1)
219  return DETECT_ENGINE_INSPECT_SIG_MATCH;
220 
221 end:
222  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
223 }
224 /**
225  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
226  */
227 void DetectDceStubDataRegister(void)
228 {
229  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dce_stub_data";
230  sigmatch_table[DETECT_DCE_STUB_DATA].Match = NULL;
231  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
232  sigmatch_table[DETECT_DCE_STUB_DATA].Free = NULL;
233  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
234 
235  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT;
236 
237  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
238  PrefilterTxDceStubDataRequestRegister);
239  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
240  PrefilterTxDceStubDataResponseRegister);
241 
242  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
243  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
244  InspectEngineDceStubData);
245  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
246  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
247  InspectEngineDceStubData);
248 
249  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
250  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
251  InspectEngineDceStubData);
252  DetectAppLayerInspectEngineRegister(BUFFER_NAME,
253  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
254  InspectEngineDceStubData);
255 
256  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
257 }
258 
259 /**
260  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
261  * and appends it to the Signature(s).
262  *
263  * \param de_ctx Pointer to the detection engine context
264  * \param s Pointer to signature for the current Signature being parsed
265  * from the rules
266  * \param arg Pointer to the string holding the keyword value
267  *
268  * \retval 0 on success, -1 on failure
269  */
270 
271 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
272 {
273  s->init_data->list = g_dce_stub_data_buffer_id;
274  return 0;
275 }
276 
277 /************************************Unittests*********************************/
278 
279 #ifdef UNITTESTS
280 
281 static int DetectDceStubDataTestParse01(void)
282 {
283  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
284  FAIL_IF_NULL(de_ctx);
285  de_ctx->flags = DE_QUIET;
286  Signature *s = DetectEngineAppendSig(de_ctx,
287  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
288  FAIL_IF_NULL(s);
289  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
290  DetectEngineCtxFree(de_ctx);
291  PASS;
292 }
293 
294 /**
295  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
296  */
297 static int DetectDceStubDataTestParse02(void)
298 {
299  int result = 0;
300  Signature *s = NULL;
301  ThreadVars th_v;
302  Packet *p = NULL;
303  Flow f;
304  TcpSession ssn;
305  DetectEngineThreadCtx *det_ctx = NULL;
306  DetectEngineCtx *de_ctx = NULL;
307  DCERPCState *dcerpc_state = NULL;
308  int r = 0;
309 
310  uint8_t dcerpc_bind[] = {
311  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
312  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
313  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
314  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
315  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
316  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
317  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
318  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
319  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
320  };
321 
322  uint8_t dcerpc_bindack[] = {
323  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
324  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
325  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
326  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
327  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
328  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
329  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
330  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
331  0x02, 0x00, 0x00, 0x00
332  };
333 
334  /* todo chop the request frag length and change the
335  * length related parameters in the frag */
336  uint8_t dcerpc_request[] = {
337  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
338  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
339  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
340  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
341  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
342  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
343  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
344  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
345  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
346  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
347  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
348  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
349  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
350  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
351  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
352  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
353  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
354  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
355  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
356  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
357  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
358  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
359  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
360  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
361  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
362  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
363  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
364  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
365  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
366  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
367  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
368  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
369  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
370  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
371  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
372  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
373  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
374  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
375  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
376  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
377  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
378  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
379  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
380  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
381  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
382  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
383  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
384  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
385  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
386  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
387  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
388  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
389  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
390  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
391  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
392  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
393  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
394  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
395  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
396  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
397  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
398  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
399  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
400  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
401  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
402  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
403  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
404  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
405  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
406  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
407  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
408  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
409  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
410  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
411  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
412  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
413  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
414  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
415  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
416  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
417  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
418  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
419  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
420  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
491  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
492  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
493  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
494  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
495  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
496  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
497  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
498  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
499  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
584  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
585  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
586  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
587  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
588  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
589  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
591  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
592  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
593  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
594  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
595  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
596  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
597  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
598  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
599  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
600  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
601  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
602  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
603  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
604  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
605  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
606  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
607  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
608  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
609  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
610  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
611  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
612  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
613  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
614  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
615  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
616  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
617  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
618  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
619  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
620  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
621  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
622  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
623  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
624  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
625  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
626  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
627  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
628  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
629  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
630  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
631  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
632  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
633  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
634  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
635  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
636  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
637  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
638  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
639  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
640  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
641  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
642  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
643  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
644  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
645  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
646  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
647  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
648  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
649  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
650  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
651  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
652  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
653  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
654  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
655  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
656  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
657  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
658  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
659  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
660  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
661  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
662  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
663  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
664  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
665  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
666  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
667  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
668  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
669  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
670  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
671  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
672  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
673  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
674  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
675  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
676  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
677  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
678  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
679  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
680  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
681  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
682  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
683  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
684  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
685  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
686  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
687  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
688  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
689  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
690  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
691  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
692  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
693  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
694  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
695  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
696  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
697  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
698  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
699  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
700  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
701  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
702  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
703  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
704  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
705  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
706  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
707  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
708  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
709  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
710  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
711  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
712  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
713  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
714  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
715  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
716  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
717  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
718  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
719  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
720  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
721  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
722  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
723  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
724  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
725  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
726  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
727  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
728  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
729  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
730  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
731  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
732  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
733  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
734  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
735  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
736  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
737  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
738  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
739  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
740  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
741  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
742  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
743  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
744  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
745  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
746  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
747  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
748  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
749  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
750  0x01, 0x02, 0x03, 0x04
751  };
752 
753  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
754  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
755  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
756  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
757 
758  memset(&th_v, 0, sizeof(th_v));
759  memset(&f, 0, sizeof(f));
760  memset(&ssn, 0, sizeof(ssn));
761 
762  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
763 
764  FLOW_INITIALIZE(&f);
765  f.protoctx = (void *)&ssn;
766  f.proto = IPPROTO_TCP;
767  p->flow = &f;
768  p->flowflags |= FLOW_PKT_TOSERVER;
769  p->flowflags |= FLOW_PKT_ESTABLISHED;
770  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
771  f.alproto = ALPROTO_DCERPC;
772 
773  StreamTcpInitConfig(TRUE);
774 
775  de_ctx = DetectEngineCtxInit();
776  if (de_ctx == NULL)
777  goto end;
778 
779  de_ctx->flags |= DE_QUIET;
780 
781  s = de_ctx->sig_list = SigInit(de_ctx,
782  "alert tcp any any -> any any "
783  "(msg:\"DCERPC\"; "
784  "dce_stub_data; content:\"|42 42 42 42|\";"
785  "sid:1;)");
786  if (s == NULL)
787  goto end;
788 
789  SigGroupBuild(de_ctx);
790  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
791 
792  FLOWLOCK_WRLOCK(&f);
793  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
794  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
795  dcerpc_bind_len);
796  if (r != 0) {
797  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
798  FLOWLOCK_UNLOCK(&f);
799  goto end;
800  }
801  FLOWLOCK_UNLOCK(&f);
802 
803  dcerpc_state = f.alstate;
804  if (dcerpc_state == NULL) {
805  SCLogDebug("no dcerpc state: ");
806  goto end;
807  }
808 
809  p->flowflags &=~ FLOW_PKT_TOCLIENT;
810  p->flowflags |= FLOW_PKT_TOSERVER;
811  /* do detect */
812  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
813 
814  /* we shouldn't have any stub data */
815  if (PacketAlertCheck(p, 1))
816  goto end;
817 
818  /* do detect */
819  FLOWLOCK_WRLOCK(&f);
820  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
821  STREAM_TOCLIENT, dcerpc_bindack,
822  dcerpc_bindack_len);
823  if (r != 0) {
824  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
825  FLOWLOCK_UNLOCK(&f);
826  goto end;
827  }
828  FLOWLOCK_UNLOCK(&f);
829 
830  p->flowflags &=~ FLOW_PKT_TOSERVER;
831  p->flowflags |= FLOW_PKT_TOCLIENT;
832  /* do detect */
833  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
834 
835  /* we shouldn't have any stub data */
836  if (PacketAlertCheck(p, 1))
837  goto end;
838 
839  FLOWLOCK_WRLOCK(&f);
840  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
841  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
842  dcerpc_request_len);
843  if (r != 0) {
844  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
845  FLOWLOCK_UNLOCK(&f);
846  goto end;
847  }
848  FLOWLOCK_UNLOCK(&f);
849 
850  p->flowflags &=~ FLOW_PKT_TOCLIENT;
851  p->flowflags |= FLOW_PKT_TOSERVER;
852  /* do detect */
853  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
854 
855  /* we should have the stub data since we previously parsed a request frag */
856  if (!PacketAlertCheck(p, 1))
857  goto end;
858 
859  result = 1;
860 
861  end:
862  if (alp_tctx != NULL)
863  AppLayerParserThreadCtxFree(alp_tctx);
864  SigGroupCleanup(de_ctx);
865  SigCleanSignatures(de_ctx);
866 
867  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
868  DetectEngineCtxFree(de_ctx);
869 
870  StreamTcpFreeConfig(TRUE);
871  FLOW_DESTROY(&f);
872 
873  UTHFreePackets(&p, 1);
874  return result;
875 }
876 
877 /**
878  * \test Test a valid dce_stub_data with just a request frag.
879  */
880 static int DetectDceStubDataTestParse03(void)
881 {
882  Signature *s = NULL;
883  ThreadVars th_v;
884  Packet *p = NULL;
885  Flow f;
886  TcpSession ssn;
887  DetectEngineThreadCtx *det_ctx = NULL;
888  DetectEngineCtx *de_ctx = NULL;
889  DCERPCState *dcerpc_state = NULL;
890  int r = 0;
891 
892  /* todo chop the request frag length and change the
893  * length related parameters in the frag */
894  uint8_t dcerpc_request[] = {
895  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
896  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
897  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
898  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
899  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
900  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
901  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
902  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
903  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
904  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
905  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
906  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
907  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
908  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
909  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
910  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
911  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
912  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
913  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
914  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
915  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
916  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
917  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
918  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
919  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
920  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
921  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
922  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
923  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
924  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
925  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
926  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
927  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
928  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
929  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
930  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
931  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
932  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
933  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
934  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
935  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
936  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
937  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
938  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
939  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
940  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
941  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
942  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
943  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
944  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
945  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
946  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
947  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
948  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
949  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
950  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
951  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
952  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
953  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
954  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
955  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
956  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
957  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
958  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
959  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
960  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
961  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
962  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
963  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
964  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
965  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
966  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
967  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
968  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
969  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
970  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
971  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
972  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
973  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
974  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
975  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
976  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
977  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
978  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1049  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1142  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1143  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1144  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1145  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1146  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1147  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1148  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1149  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1150  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1151  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1152  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1153  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1154  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1155  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1156  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1157  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1158  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1159  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1160  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1161  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1162  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1163  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1164  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1165  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1166  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1167  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1168  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1169  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1170  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1171  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1172  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1173  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1174  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1175  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1176  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1177  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1178  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1179  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1180  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1181  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1182  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1183  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1184  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1185  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1186  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1187  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1188  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1189  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1190  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1191  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1192  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1193  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1194  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1195  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1196  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1197  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1198  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1199  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1200  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1201  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1202  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1203  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1204  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1205  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1206  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1207  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1208  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1209  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1210  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1211  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1212  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1213  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1214  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1215  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1216  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1217  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1218  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1219  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1220  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1221  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1222  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1223  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1224  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1225  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1226  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1227  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1228  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1229  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1230  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1231  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1232  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1233  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1234  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1235  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1236  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1237  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1238  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1239  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1240  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1241  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1242  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1243  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1244  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1245  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1246  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1247  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1248  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1249  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1250  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1251  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1252  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1253  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1254  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1255  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1256  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1257  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1258  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1259  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1260  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1261  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1262  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1263  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1264  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1265  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1266  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1267  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1268  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1269  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1270  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1271  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1272  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1273  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1274  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1275  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1276  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1277  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1278  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1279  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1280  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1281  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1282  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1283  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1284  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1285  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1286  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1287  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1288  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1289  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1290  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1291  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1292  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1293  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1294  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1295  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1296  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1297  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1298  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1299  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1300  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1301  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1302  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1303  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1304  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1305  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1306  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1307  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1308  0x01, 0x02, 0x03, 0x04
1309  };
1310 
1311  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1312 
1313  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1314 
1315  memset(&th_v, 0, sizeof(th_v));
1316  memset(&f, 0, sizeof(f));
1317  memset(&ssn, 0, sizeof(ssn));
1318 
1319  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1320 
1321  FLOW_INITIALIZE(&f);
1322  f.protoctx = (void *)&ssn;
1323  f.proto = IPPROTO_TCP;
1324  p->flow = &f;
1325  p->flowflags |= FLOW_PKT_TOSERVER;
1326  p->flowflags |= FLOW_PKT_ESTABLISHED;
1327  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1328  f.alproto = ALPROTO_DCERPC;
1329 
1330  StreamTcpInitConfig(TRUE);
1331 
1332  de_ctx = DetectEngineCtxInit();
1333  FAIL_IF(de_ctx == NULL);
1334 
1335  de_ctx->flags |= DE_QUIET;
1336 
1337  s = de_ctx->sig_list = SigInit(de_ctx,
1338  "alert tcp any any -> any any "
1339  "(msg:\"DCERPC\"; "
1340  "dce_stub_data; content:\"|42 42 42 42|\";"
1341  "sid:1;)");
1342  FAIL_IF(s == NULL);
1343 
1344  SigGroupBuild(de_ctx);
1345  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1346 
1347  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1348  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1349  dcerpc_request_len);
1350  FAIL_IF(r != 0);
1351 
1352  dcerpc_state = f.alstate;
1353  FAIL_IF (dcerpc_state == NULL);
1354 
1355  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1356  p->flowflags |= FLOW_PKT_TOSERVER;
1357  /* do detect */
1358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1359  FAIL_IF(!PacketAlertCheck(p, 1));
1360 
1361  if (alp_tctx != NULL)
1362  AppLayerParserThreadCtxFree(alp_tctx);
1363  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1364  DetectEngineCtxFree(de_ctx);
1365  StreamTcpFreeConfig(TRUE);
1366  FLOW_DESTROY(&f);
1367 
1368  UTHFreePackets(&p, 1);
1369  PASS;
1370 }
1371 
1372 static int DetectDceStubDataTestParse04(void)
1373 {
1374  int result = 0;
1375  Signature *s = NULL;
1376  ThreadVars th_v;
1377  Packet *p = NULL;
1378  Flow f;
1379  TcpSession ssn;
1380  DetectEngineThreadCtx *det_ctx = NULL;
1381  DetectEngineCtx *de_ctx = NULL;
1382  DCERPCState *dcerpc_state = NULL;
1383  int r = 0;
1384 
1385  uint8_t dcerpc_bind[] = {
1386  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1387  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1388  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1389  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1390  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1391  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1392  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1393  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1394  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1395  };
1396 
1397  uint8_t dcerpc_bindack[] = {
1398  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1399  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1400  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1401  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1402  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1403  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1405  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1406  0x02, 0x00, 0x00, 0x00,
1407  };
1408 
1409  uint8_t dcerpc_request1[] = {
1410  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1411  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1412  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1413  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1414  0x00, 0x00, 0x00, 0x02,
1415  };
1416 
1417  uint8_t dcerpc_response1[] = {
1418  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1419  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1420  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1421  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1422  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1423  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1424  };
1425 
1426  uint8_t dcerpc_request2[] = {
1427  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1428  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1429  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1430  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1431  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1432  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1433  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1434  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1435  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1436  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1437  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1438  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1439  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1440  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1441  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1442  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1443  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1444  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1445  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1446  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1447  0x03, 0x00, 0x00, 0x00,
1448  };
1449 
1450  uint8_t dcerpc_response2[] = {
1451  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1452  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1453  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1455  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1456  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1457  };
1458 
1459  uint8_t dcerpc_request3[] = {
1460  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1461  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1462  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1463  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1464  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1465  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1466  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1467  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1468  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1469  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1470  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1471  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1472  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1473  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1474  };
1475 
1476  uint8_t dcerpc_response3[] = {
1477  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1478  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1479  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1480  0x00, 0x00, 0x00, 0x00,
1481  };
1482 
1483  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1484  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1485 
1486  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1487  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1488 
1489  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1490  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1491 
1492  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1493  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1494 
1495  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1496 
1497  memset(&th_v, 0, sizeof(th_v));
1498  memset(&f, 0, sizeof(f));
1499  memset(&ssn, 0, sizeof(ssn));
1500 
1501  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1502 
1503  FLOW_INITIALIZE(&f);
1504  f.protoctx = (void *)&ssn;
1505  f.proto = IPPROTO_TCP;
1506  p->flow = &f;
1507  p->flowflags |= FLOW_PKT_TOSERVER;
1508  p->flowflags |= FLOW_PKT_ESTABLISHED;
1509  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1510  f.alproto = ALPROTO_DCERPC;
1511 
1512  StreamTcpInitConfig(TRUE);
1513 
1514  de_ctx = DetectEngineCtxInit();
1515  if (de_ctx == NULL)
1516  goto end;
1517 
1518  de_ctx->flags |= DE_QUIET;
1519 
1520  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1521  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1522  if (s == NULL)
1523  goto end;
1524  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1525  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1526  if (s == NULL)
1527  goto end;
1528  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1529  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1530  if (s == NULL)
1531  goto end;
1532 
1533  SigGroupBuild(de_ctx);
1534  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1535 
1536  FLOWLOCK_WRLOCK(&f);
1537  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1538  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1539  dcerpc_bind_len);
1540  if (r != 0) {
1541  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1542  FLOWLOCK_UNLOCK(&f);
1543  goto end;
1544  }
1545  FLOWLOCK_UNLOCK(&f);
1546  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1547  p->flowflags |= FLOW_PKT_TOSERVER;
1548  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1549 
1550  dcerpc_state = f.alstate;
1551  if (dcerpc_state == NULL) {
1552  SCLogDebug("no dcerpc state: ");
1553  goto end;
1554  }
1555 
1556  FLOWLOCK_WRLOCK(&f);
1557  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1558  STREAM_TOCLIENT, dcerpc_bindack,
1559  dcerpc_bindack_len);
1560  if (r != 0) {
1561  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1562  FLOWLOCK_UNLOCK(&f);
1563  goto end;
1564  }
1565  FLOWLOCK_UNLOCK(&f);
1566  p->flowflags &=~ FLOW_PKT_TOSERVER;
1567  p->flowflags |= FLOW_PKT_TOCLIENT;
1568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1569 
1570  /* request1 */
1571  FLOWLOCK_WRLOCK(&f);
1572  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1573  STREAM_TOSERVER, dcerpc_request1,
1574  dcerpc_request1_len);
1575  if (r != 0) {
1576  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1577  FLOWLOCK_UNLOCK(&f);
1578  goto end;
1579  }
1580  FLOWLOCK_UNLOCK(&f);
1581 
1582  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1583  p->flowflags |= FLOW_PKT_TOSERVER;
1584  /* do detect */
1585  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1586 
1587  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1588  goto end;
1589 
1590  /* response1 */
1591  FLOWLOCK_WRLOCK(&f);
1592  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1593  STREAM_TOCLIENT, dcerpc_response1,
1594  dcerpc_response1_len);
1595  if (r != 0) {
1596  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1597  FLOWLOCK_UNLOCK(&f);
1598  goto end;
1599  }
1600  FLOWLOCK_UNLOCK(&f);
1601 
1602  p->flowflags &=~ FLOW_PKT_TOSERVER;
1603  p->flowflags |= FLOW_PKT_TOCLIENT;
1604  /* do detect */
1605  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1606 
1607  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1608  goto end;
1609 
1610  /* request2 */
1611  FLOWLOCK_WRLOCK(&f);
1612  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1613  STREAM_TOSERVER, dcerpc_request2,
1614  dcerpc_request2_len);
1615  if (r != 0) {
1616  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1617  FLOWLOCK_UNLOCK(&f);
1618  goto end;
1619  }
1620  FLOWLOCK_UNLOCK(&f);
1621 
1622  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1623  p->flowflags |= FLOW_PKT_TOSERVER;
1624  /* do detect */
1625  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1626 
1627  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1628  goto end;
1629 
1630  /* response2 */
1631  FLOWLOCK_WRLOCK(&f);
1632  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1633  STREAM_TOCLIENT, dcerpc_response2,
1634  dcerpc_response2_len);
1635  if (r != 0) {
1636  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1637  FLOWLOCK_UNLOCK(&f);
1638  goto end;
1639  }
1640  FLOWLOCK_UNLOCK(&f);
1641 
1642  p->flowflags &=~ FLOW_PKT_TOSERVER;
1643  p->flowflags |= FLOW_PKT_TOCLIENT;
1644  /* do detect */
1645  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1646 
1647  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1648  goto end;
1649 
1650  /* request3 */
1651  FLOWLOCK_WRLOCK(&f);
1652  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1653  STREAM_TOSERVER, dcerpc_request3,
1654  dcerpc_request3_len);
1655  if (r != 0) {
1656  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1657  FLOWLOCK_UNLOCK(&f);
1658  goto end;
1659  }
1660  FLOWLOCK_UNLOCK(&f);
1661 
1662  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1663  p->flowflags |= FLOW_PKT_TOSERVER;
1664  /* do detect */
1665  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1666 
1667  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1668  goto end;
1669 
1670  /* response3 */
1671  FLOWLOCK_WRLOCK(&f);
1672  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1673  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1674  dcerpc_response3_len);
1675  if (r != 0) {
1676  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1677  FLOWLOCK_UNLOCK(&f);
1678  goto end;
1679  }
1680  FLOWLOCK_UNLOCK(&f);
1681 
1682  p->flowflags &=~ FLOW_PKT_TOSERVER;
1683  p->flowflags |= FLOW_PKT_TOCLIENT;
1684  /* do detect */
1685  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1686 
1687  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1688  goto end;
1689 
1690  result = 1;
1691 
1692  end:
1693  if (alp_tctx != NULL)
1694  AppLayerParserThreadCtxFree(alp_tctx);
1695  SigGroupCleanup(de_ctx);
1696  SigCleanSignatures(de_ctx);
1697 
1698  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1699  DetectEngineCtxFree(de_ctx);
1700 
1701  StreamTcpFreeConfig(TRUE);
1702  FLOW_DESTROY(&f);
1703 
1704  UTHFreePackets(&p, 1);
1705  return result;
1706 }
1707 
1708 static int DetectDceStubDataTestParse05(void)
1709 {
1710  int result = 0;
1711  Signature *s = NULL;
1712  ThreadVars th_v;
1713  Packet *p = NULL;
1714  Flow f;
1715  TcpSession ssn;
1716  DetectEngineThreadCtx *det_ctx = NULL;
1717  DetectEngineCtx *de_ctx = NULL;
1718  DCERPCState *dcerpc_state = NULL;
1719  int r = 0;
1720 
1721  uint8_t dcerpc_request1[] = {
1722  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1723  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1724  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1725  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1726  0x00, 0x00, 0x00, 0x02,
1727  };
1728 
1729  uint8_t dcerpc_response1[] = {
1730  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1731  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1732  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1733  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1734  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1735  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1736  };
1737 
1738  uint8_t dcerpc_request2[] = {
1739  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1740  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1741  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1742  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1743  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1744  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1745  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1746  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1747  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1748  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1749  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1750  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1751  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1752  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1753  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1754  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1755  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1756  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1757  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1758  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1759  0x03, 0x00, 0x00, 0x00,
1760  };
1761 
1762  uint8_t dcerpc_response2[] = {
1763  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1764  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1765  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1767  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1768  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1769  };
1770 
1771  uint8_t dcerpc_request3[] = {
1772  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1773  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1774  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1775  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1776  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1777  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1778  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1779  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1780  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1781  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1782  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1783  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1784  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1785  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1786  };
1787 
1788  uint8_t dcerpc_response3[] = {
1789  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1790  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1791  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792  0x00, 0x00, 0x00, 0x00,
1793  };
1794 
1795  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1796  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1797 
1798  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1799  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1800 
1801  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1802  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1803 
1804  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1805 
1806  memset(&th_v, 0, sizeof(th_v));
1807  memset(&f, 0, sizeof(f));
1808  memset(&ssn, 0, sizeof(ssn));
1809 
1810  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1811 
1812  FLOW_INITIALIZE(&f);
1813  f.protoctx = (void *)&ssn;
1814  f.proto = IPPROTO_TCP;
1815  p->flow = &f;
1816  p->flowflags |= FLOW_PKT_TOSERVER;
1817  p->flowflags |= FLOW_PKT_ESTABLISHED;
1818  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1819  f.alproto = ALPROTO_DCERPC;
1820 
1821  StreamTcpInitConfig(TRUE);
1822 
1823  de_ctx = DetectEngineCtxInit();
1824  if (de_ctx == NULL)
1825  goto end;
1826 
1827  de_ctx->flags |= DE_QUIET;
1828 
1829  s = de_ctx->sig_list = SigInit(de_ctx,
1830  "alert tcp any any -> any any "
1831  "(msg:\"DCERPC\"; "
1832  "dce_stub_data; content:\"|00 02|\"; "
1833  "sid:1;)");
1834  if (s == NULL)
1835  goto end;
1836  s = de_ctx->sig_list->next = SigInit(de_ctx,
1837  "alert tcp any any -> any any "
1838  "(msg:\"DCERPC\"; "
1839  "dce_stub_data; content:\"|00 75|\"; "
1840  "sid:2;)");
1841  if (s == NULL)
1842  goto end;
1843  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1844  "alert tcp any any -> any any "
1845  "(msg:\"DCERPC\"; "
1846  "dce_stub_data; content:\"|00 18|\"; "
1847  "sid:3;)");
1848  if (s == NULL)
1849  goto end;
1850 
1851  SigGroupBuild(de_ctx);
1852  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1853 
1854  /* request1 */
1855  FLOWLOCK_WRLOCK(&f);
1856  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1857  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1858  dcerpc_request1_len);
1859  if (r != 0) {
1860  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1861  FLOWLOCK_UNLOCK(&f);
1862  goto end;
1863  }
1864  FLOWLOCK_UNLOCK(&f);
1865 
1866  dcerpc_state = f.alstate;
1867  if (dcerpc_state == NULL) {
1868  SCLogDebug("no dcerpc state: ");
1869  goto end;
1870  }
1871 
1872  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1873  p->flowflags |= FLOW_PKT_TOSERVER;
1874  /* do detect */
1875  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1876 
1877  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1878  goto end;
1879 
1880  /* response1 */
1881  FLOWLOCK_WRLOCK(&f);
1882  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1883  STREAM_TOCLIENT, dcerpc_response1,
1884  dcerpc_response1_len);
1885  if (r != 0) {
1886  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1887  FLOWLOCK_UNLOCK(&f);
1888  goto end;
1889  }
1890  FLOWLOCK_UNLOCK(&f);
1891 
1892  p->flowflags &=~ FLOW_PKT_TOSERVER;
1893  p->flowflags |= FLOW_PKT_TOCLIENT;
1894  /* do detect */
1895  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1896 
1897  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1898  goto end;
1899 
1900  /* request2 */
1901  FLOWLOCK_WRLOCK(&f);
1902  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1903  STREAM_TOSERVER, dcerpc_request2,
1904  dcerpc_request2_len);
1905  if (r != 0) {
1906  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1907  FLOWLOCK_UNLOCK(&f);
1908  goto end;
1909  }
1910  FLOWLOCK_UNLOCK(&f);
1911 
1912  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1913  p->flowflags |= FLOW_PKT_TOSERVER;
1914  /* do detect */
1915  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1916 
1917  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1918  goto end;
1919 
1920  /* response2 */
1921  FLOWLOCK_WRLOCK(&f);
1922  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1923  STREAM_TOCLIENT, dcerpc_response2,
1924  dcerpc_response2_len);
1925  if (r != 0) {
1926  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1927  FLOWLOCK_UNLOCK(&f);
1928  goto end;
1929  }
1930  FLOWLOCK_UNLOCK(&f);
1931 
1932  p->flowflags &=~ FLOW_PKT_TOSERVER;
1933  p->flowflags |= FLOW_PKT_TOCLIENT;
1934  /* do detect */
1935  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1936 
1937  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1938  goto end;
1939 
1940  /* request3 */
1941  FLOWLOCK_WRLOCK(&f);
1942  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1943  STREAM_TOSERVER, dcerpc_request3,
1944  dcerpc_request3_len);
1945  if (r != 0) {
1946  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1947  FLOWLOCK_UNLOCK(&f);
1948  goto end;
1949  }
1950  FLOWLOCK_UNLOCK(&f);
1951 
1952  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1953  p->flowflags |= FLOW_PKT_TOSERVER;
1954  /* do detect */
1955  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1956 
1957  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1958  goto end;
1959 
1960  /* response3 */
1961  FLOWLOCK_WRLOCK(&f);
1962  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1963  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1964  dcerpc_response3_len);
1965  if (r != 0) {
1966  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1967  FLOWLOCK_UNLOCK(&f);
1968  goto end;
1969  }
1970  FLOWLOCK_UNLOCK(&f);
1971 
1972  p->flowflags &=~ FLOW_PKT_TOSERVER;
1973  p->flowflags |= FLOW_PKT_TOCLIENT;
1974  /* do detect */
1975  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1976 
1977  if (PacketAlertCheck(p, 1))
1978  goto end;
1979 
1980  result = 1;
1981 
1982  end:
1983  if (alp_tctx != NULL)
1984  AppLayerParserThreadCtxFree(alp_tctx);
1985 
1986  SigGroupCleanup(de_ctx);
1987  SigCleanSignatures(de_ctx);
1988 
1989  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1990  DetectEngineCtxFree(de_ctx);
1991 
1992  StreamTcpFreeConfig(TRUE);
1993  FLOW_DESTROY(&f);
1994 
1995  UTHFreePackets(&p, 1);
1996  return result;
1997 }
1998 
1999 
2000 #endif
2001 
2002 static void DetectDceStubDataRegisterTests(void)
2003 {
2004 #ifdef UNITTESTS
2005  UtRegisterTest("DetectDceStubDataTestParse01",
2006  DetectDceStubDataTestParse01);
2007  UtRegisterTest("DetectDceStubDataTestParse02",
2008  DetectDceStubDataTestParse02);
2009  UtRegisterTest("DetectDceStubDataTestParse03",
2010  DetectDceStubDataTestParse03);
2011  UtRegisterTest("DetectDceStubDataTestParse04",
2012  DetectDceStubDataTestParse04);
2013  UtRegisterTest("DetectDceStubDataTestParse05",
2014  DetectDceStubDataTestParse05);
2015 #endif
2016 
2017  return;
2018 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2200
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:563
flags
uint16_t flags
Definition: app-layer-dns-common.h:246
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DCERPCResponse_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:184
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1029
Flow_::proto
uint8_t proto
Definition: flow.h:343
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx))
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:138
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:242
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DCERPC_::dcerpcresponse
DCERPCResponse dcerpcresponse
Definition: app-layer-dcerpc-common.h:192
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1920
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:729
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:271
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:227
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202
SigMatchData_
Data needed for Match()
Definition: detect.h:331
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1298
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:82
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:239
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:994
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1163
Signature_
Signature container.
Definition: detect.h:495
TRUE
#define TRUE
Definition: suricata-common.h:33
Flow_::protoctx
void * protoctx
Definition: flow.h:395
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
Flow_::alstate
void * alstate
Definition: flow.h:433
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:698
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:242
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1154
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-dce-stub-data.c:61
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1064
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:245
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
Signature_::next
struct Signature_ * next
Definition: detect.h:566
Packet_
Definition: decode.h:405
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
DCERPCRequest_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:173
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:245
SignatureInitData_::list
int list
Definition: detect.h:471
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1062
detect-engine-content-inspection.h
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1331
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:102
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1041
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:44
DCERPCResponse_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:182
MpmCtx_
Definition: util-mpm.h:88
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:257
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:965
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:201
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:404
Packet_::flags
uint32_t flags
Definition: decode.h:441
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1157
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:324
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:129
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1130
DCERPCRequest_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:175
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640