suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "app-layer-dcerpc.h"
44 #include "queue.h"
45 #include "stream-tcp-reassemble.h"
46 
47 #include "detect-dce-stub-data.h"
48 #include "detect-dce-iface.h"
49 
50 #include "util-debug.h"
51 
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 
55 #include "stream-tcp.h"
56 
57 #include "rust.h"
58 #include "rust-smb-detect-gen.h"
59 
60 #define BUFFER_NAME "dce_stub_data"
61 #define KEYWORD_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectDceStubDataRegisterTests(void);
65 static int g_dce_stub_data_buffer_id = 0;
66 
67 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
68  const DetectEngineTransforms *transforms,
69  Flow *_f, const uint8_t flow_flags,
70  void *txv, const int list_id)
71 {
72  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
73  if (buffer->inspect == NULL) {
74  uint32_t data_len = 0;
75  const uint8_t *data = NULL;
76  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
77  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
78  return NULL;
79  SCLogDebug("have data!");
80 
81  InspectionBufferSetup(buffer, data, data_len);
82  InspectionBufferApplyTransforms(buffer, transforms);
83  }
84  return buffer;
85 }
86 
87 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
88  const DetectEngineTransforms *transforms,
89  Flow *_f, const uint8_t flow_flags,
90  void *txv, const int list_id)
91 {
92  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
93  if (buffer->inspect == NULL) {
94  uint32_t data_len = 0;
95  uint8_t *data = NULL;
96 
97  DCERPCState *dcerpc_state = txv;
98  if (dcerpc_state == NULL)
99  return NULL;
100 
101  if (flow_flags & STREAM_TOSERVER) {
102  data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
103  data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
104  } else if (flow_flags & STREAM_TOCLIENT) {
105  data_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
106  data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
107  }
108  if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) {
109  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
110  } else {
111  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
112  }
113  InspectionBufferSetup(buffer, data, data_len);
114  InspectionBufferApplyTransforms(buffer, transforms);
115  }
116  return buffer;
117 }
118 
119 /**
120  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
121  */
122 void DetectDceStubDataRegister(void)
123 {
124  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
125  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
126  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
127  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
128  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
129 
130  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
131  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
132  DetectEngineInspectBufferGeneric,
133  GetSMBData);
134  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
135  PrefilterGenericMpmRegister, GetSMBData,
136  ALPROTO_SMB, 0);
137  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
138  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
139  DetectEngineInspectBufferGeneric,
140  GetSMBData);
141  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
142  PrefilterGenericMpmRegister, GetSMBData,
143  ALPROTO_SMB, 0);
144 
145  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
146  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
147  DetectEngineInspectBufferGeneric,
148  GetDCEData);
149  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
150  PrefilterGenericMpmRegister, GetDCEData,
151  ALPROTO_DCERPC, 0);
152  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
153  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
154  DetectEngineInspectBufferGeneric,
155  GetDCEData);
156  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
157  PrefilterGenericMpmRegister, GetDCEData,
158  ALPROTO_DCERPC, 0);
159 
160  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
161 }
162 
163 /**
164  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
165  * and appends it to the Signature(s).
166  *
167  * \param de_ctx Pointer to the detection engine context
168  * \param s Pointer to signature for the current Signature being parsed
169  * from the rules
170  * \param arg Pointer to the string holding the keyword value
171  *
172  * \retval 0 on success, -1 on failure
173  */
174 
175 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
176 {
177  if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
178  return -1;
179  return 0;
180 }
181 
182 /************************************Unittests*********************************/
183 
184 #ifdef UNITTESTS
185 
186 static int DetectDceStubDataTestParse01(void)
187 {
188  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
189  FAIL_IF_NULL(de_ctx);
190  de_ctx->flags = DE_QUIET;
191  Signature *s = DetectEngineAppendSig(de_ctx,
192  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
193  FAIL_IF_NULL(s);
194  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
195  DetectEngineCtxFree(de_ctx);
196  PASS;
197 }
198 
199 /**
200  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
201  */
202 static int DetectDceStubDataTestParse02(void)
203 {
204  int result = 0;
205  Signature *s = NULL;
206  ThreadVars th_v;
207  Packet *p = NULL;
208  Flow f;
209  TcpSession ssn;
210  DetectEngineThreadCtx *det_ctx = NULL;
211  DetectEngineCtx *de_ctx = NULL;
212  DCERPCState *dcerpc_state = NULL;
213  int r = 0;
214 
215  uint8_t dcerpc_bind[] = {
216  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
217  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
218  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
219  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
220  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
221  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
222  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
223  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
224  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
225  };
226 
227  uint8_t dcerpc_bindack[] = {
228  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
229  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
230  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
231  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
232  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
233  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
234  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
235  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
236  0x02, 0x00, 0x00, 0x00
237  };
238 
239  /* todo chop the request frag length and change the
240  * length related parameters in the frag */
241  uint8_t dcerpc_request[] = {
242  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
243  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
244  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
245  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
246  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
247  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
248  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
249  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
250  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
251  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
252  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
253  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
254  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
255  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
256  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
257  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
258  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
259  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
260  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
261  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
262  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
263  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
264  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
265  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
266  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
267  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
268  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
269  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
270  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
271  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
272  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
273  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
274  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
275  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
276  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
277  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
278  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
279  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
280  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
281  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
282  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
283  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
284  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
285  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
286  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
287  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
288  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
289  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
290  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
291  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
292  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
293  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
294  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
295  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
296  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
297  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
298  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
299  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
300  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
301  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
302  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
303  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
304  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
305  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
306  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
307  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
308  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
309  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
310  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
311  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
312  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
313  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
314  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
315  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
316  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
317  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
318  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
319  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
320  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
321  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
322  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
323  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
324  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
325  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
489  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
490  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
491  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
492  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
493  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
494  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
495  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
496  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
497  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
498  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
499  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
500  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
501  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
502  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
503  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
504  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
505  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
506  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
507  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
508  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
509  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
510  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
511  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
512  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
513  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
514  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
515  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
516  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
517  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
518  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
519  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
520  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
521  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
522  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
523  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
589  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
655  0x01, 0x02, 0x03, 0x04
656  };
657 
658  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
659  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
660  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
661  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
662 
663  memset(&th_v, 0, sizeof(th_v));
664  memset(&f, 0, sizeof(f));
665  memset(&ssn, 0, sizeof(ssn));
666 
667  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
668 
669  FLOW_INITIALIZE(&f);
670  f.protoctx = (void *)&ssn;
671  f.proto = IPPROTO_TCP;
672  p->flow = &f;
673  p->flowflags |= FLOW_PKT_TOSERVER;
674  p->flowflags |= FLOW_PKT_ESTABLISHED;
675  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
676  f.alproto = ALPROTO_DCERPC;
677 
678  StreamTcpInitConfig(TRUE);
679 
680  de_ctx = DetectEngineCtxInit();
681  if (de_ctx == NULL)
682  goto end;
683 
684  de_ctx->flags |= DE_QUIET;
685 
686  s = de_ctx->sig_list = SigInit(de_ctx,
687  "alert tcp any any -> any any "
688  "(msg:\"DCERPC\"; "
689  "dce_stub_data; content:\"|42 42 42 42|\";"
690  "sid:1;)");
691  if (s == NULL)
692  goto end;
693 
694  SigGroupBuild(de_ctx);
695  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
696 
697  FLOWLOCK_WRLOCK(&f);
698  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
699  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
700  dcerpc_bind_len);
701  if (r != 0) {
702  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
703  FLOWLOCK_UNLOCK(&f);
704  goto end;
705  }
706  FLOWLOCK_UNLOCK(&f);
707 
708  dcerpc_state = f.alstate;
709  if (dcerpc_state == NULL) {
710  SCLogDebug("no dcerpc state: ");
711  goto end;
712  }
713 
714  p->flowflags &=~ FLOW_PKT_TOCLIENT;
715  p->flowflags |= FLOW_PKT_TOSERVER;
716  /* do detect */
717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
718 
719  /* we shouldn't have any stub data */
720  if (PacketAlertCheck(p, 1))
721  goto end;
722 
723  /* do detect */
724  FLOWLOCK_WRLOCK(&f);
725  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
726  STREAM_TOCLIENT, dcerpc_bindack,
727  dcerpc_bindack_len);
728  if (r != 0) {
729  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
730  FLOWLOCK_UNLOCK(&f);
731  goto end;
732  }
733  FLOWLOCK_UNLOCK(&f);
734 
735  p->flowflags &=~ FLOW_PKT_TOSERVER;
736  p->flowflags |= FLOW_PKT_TOCLIENT;
737  /* do detect */
738  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
739 
740  /* we shouldn't have any stub data */
741  if (PacketAlertCheck(p, 1))
742  goto end;
743 
744  FLOWLOCK_WRLOCK(&f);
745  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
746  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
747  dcerpc_request_len);
748  if (r != 0) {
749  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
750  FLOWLOCK_UNLOCK(&f);
751  goto end;
752  }
753  FLOWLOCK_UNLOCK(&f);
754 
755  p->flowflags &=~ FLOW_PKT_TOCLIENT;
756  p->flowflags |= FLOW_PKT_TOSERVER;
757  /* do detect */
758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
759 
760  /* we should have the stub data since we previously parsed a request frag */
761  if (!PacketAlertCheck(p, 1))
762  goto end;
763 
764  result = 1;
765 
766  end:
767  if (alp_tctx != NULL)
768  AppLayerParserThreadCtxFree(alp_tctx);
769  SigGroupCleanup(de_ctx);
770  SigCleanSignatures(de_ctx);
771 
772  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
773  DetectEngineCtxFree(de_ctx);
774 
775  StreamTcpFreeConfig(TRUE);
776  FLOW_DESTROY(&f);
777 
778  UTHFreePackets(&p, 1);
779  return result;
780 }
781 
782 /**
783  * \test Test a valid dce_stub_data with just a request frag.
784  */
785 static int DetectDceStubDataTestParse03(void)
786 {
787  Signature *s = NULL;
788  ThreadVars th_v;
789  Packet *p = NULL;
790  Flow f;
791  TcpSession ssn;
792  DetectEngineThreadCtx *det_ctx = NULL;
793  DetectEngineCtx *de_ctx = NULL;
794  DCERPCState *dcerpc_state = NULL;
795  int r = 0;
796 
797  /* todo chop the request frag length and change the
798  * length related parameters in the frag */
799  uint8_t dcerpc_request[] = {
800  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
801  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
802  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
803  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
804  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
805  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
806  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
807  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
808  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
809  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
810  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
811  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
812  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
813  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
814  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
815  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
816  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
817  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
818  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
819  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
820  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
821  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
822  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
823  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
824  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
825  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
826  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
827  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
828  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
829  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
830  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
831  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
832  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
833  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
834  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
835  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
836  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
837  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
838  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
839  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
840  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
841  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
842  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
843  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
844  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
845  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
846  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
847  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
848  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
849  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
850  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
851  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
852  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
853  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
854  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
855  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
856  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
857  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
858  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
859  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
860  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
861  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
862  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
863  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
864  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
865  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
866  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
867  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
868  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
869  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
870  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
871  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
872  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
873  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
874  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
875  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
876  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
877  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
878  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
879  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
880  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
881  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
882  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
883  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1047  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1048  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1049  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1050  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1051  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1052  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1053  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1054  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1055  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1056  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1057  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1058  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1059  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1060  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1061  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1062  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1063  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1064  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1065  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1066  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1067  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1068  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1069  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1070  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1071  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1072  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1073  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1074  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1075  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1076  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1077  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1078  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1079  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1080  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1081  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1142  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1143  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1144  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1145  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1146  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1147  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1184  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1185  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1186  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1187  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1188  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1189  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1190  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1191  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1192  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1193  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1194  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1195  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1196  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1197  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1198  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1199  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1200  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1201  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1202  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1203  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1204  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1205  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1206  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1207  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1208  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1209  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1210  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1211  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1212  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1213  0x01, 0x02, 0x03, 0x04
1214  };
1215 
1216  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1217 
1218  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1219 
1220  memset(&th_v, 0, sizeof(th_v));
1221  memset(&f, 0, sizeof(f));
1222  memset(&ssn, 0, sizeof(ssn));
1223 
1224  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1225 
1226  FLOW_INITIALIZE(&f);
1227  f.protoctx = (void *)&ssn;
1228  f.proto = IPPROTO_TCP;
1229  p->flow = &f;
1230  p->flowflags |= FLOW_PKT_TOSERVER;
1231  p->flowflags |= FLOW_PKT_ESTABLISHED;
1232  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1233  f.alproto = ALPROTO_DCERPC;
1234 
1235  StreamTcpInitConfig(TRUE);
1236 
1237  de_ctx = DetectEngineCtxInit();
1238  FAIL_IF(de_ctx == NULL);
1239 
1240  de_ctx->flags |= DE_QUIET;
1241 
1242  s = de_ctx->sig_list = SigInit(de_ctx,
1243  "alert tcp any any -> any any "
1244  "(msg:\"DCERPC\"; "
1245  "dce_stub_data; content:\"|42 42 42 42|\";"
1246  "sid:1;)");
1247  FAIL_IF(s == NULL);
1248 
1249  SigGroupBuild(de_ctx);
1250  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1251 
1252  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1253  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1254  dcerpc_request_len);
1255  FAIL_IF(r != 0);
1256 
1257  dcerpc_state = f.alstate;
1258  FAIL_IF (dcerpc_state == NULL);
1259 
1260  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1261  p->flowflags |= FLOW_PKT_TOSERVER;
1262  /* do detect */
1263  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1264  FAIL_IF(!PacketAlertCheck(p, 1));
1265 
1266  if (alp_tctx != NULL)
1267  AppLayerParserThreadCtxFree(alp_tctx);
1268  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1269  DetectEngineCtxFree(de_ctx);
1270  StreamTcpFreeConfig(TRUE);
1271  FLOW_DESTROY(&f);
1272 
1273  UTHFreePackets(&p, 1);
1274  PASS;
1275 }
1276 
1277 static int DetectDceStubDataTestParse04(void)
1278 {
1279  int result = 0;
1280  Signature *s = NULL;
1281  ThreadVars th_v;
1282  Packet *p = NULL;
1283  Flow f;
1284  TcpSession ssn;
1285  DetectEngineThreadCtx *det_ctx = NULL;
1286  DetectEngineCtx *de_ctx = NULL;
1287  DCERPCState *dcerpc_state = NULL;
1288  int r = 0;
1289 
1290  uint8_t dcerpc_bind[] = {
1291  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1292  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1293  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1294  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1295  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1296  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1297  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1298  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1299  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1300  };
1301 
1302  uint8_t dcerpc_bindack[] = {
1303  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1304  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1305  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1306  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1307  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1308  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1310  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1311  0x02, 0x00, 0x00, 0x00,
1312  };
1313 
1314  uint8_t dcerpc_request1[] = {
1315  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1316  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1317  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1318  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1319  0x00, 0x00, 0x00, 0x02,
1320  };
1321 
1322  uint8_t dcerpc_response1[] = {
1323  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1324  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1325  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1327  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1328  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1329  };
1330 
1331  uint8_t dcerpc_request2[] = {
1332  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1333  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1334  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1335  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1336  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1337  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1338  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1339  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1340  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1341  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1342  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1343  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1344  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1345  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1346  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1347  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1348  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1349  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1350  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1351  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1352  0x03, 0x00, 0x00, 0x00,
1353  };
1354 
1355  uint8_t dcerpc_response2[] = {
1356  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1357  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1358  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1360  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1361  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1362  };
1363 
1364  uint8_t dcerpc_request3[] = {
1365  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1366  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1367  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1368  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1369  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1370  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1371  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1372  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1373  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1374  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1375  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1376  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1377  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1378  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1379  };
1380 
1381  uint8_t dcerpc_response3[] = {
1382  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1383  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1384  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1385  0x00, 0x00, 0x00, 0x00,
1386  };
1387 
1388  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1389  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1390 
1391  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1392  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1393 
1394  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1395  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1396 
1397  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1398  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1399 
1400  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1401 
1402  memset(&th_v, 0, sizeof(th_v));
1403  memset(&f, 0, sizeof(f));
1404  memset(&ssn, 0, sizeof(ssn));
1405 
1406  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1407 
1408  FLOW_INITIALIZE(&f);
1409  f.protoctx = (void *)&ssn;
1410  f.proto = IPPROTO_TCP;
1411  p->flow = &f;
1412  p->flowflags |= FLOW_PKT_TOSERVER;
1413  p->flowflags |= FLOW_PKT_ESTABLISHED;
1414  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1415  f.alproto = ALPROTO_DCERPC;
1416 
1417  StreamTcpInitConfig(TRUE);
1418 
1419  de_ctx = DetectEngineCtxInit();
1420  if (de_ctx == NULL)
1421  goto end;
1422 
1423  de_ctx->flags |= DE_QUIET;
1424 
1425  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1426  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1427  if (s == NULL)
1428  goto end;
1429  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1430  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1431  if (s == NULL)
1432  goto end;
1433  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1434  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1435  if (s == NULL)
1436  goto end;
1437 
1438  SigGroupBuild(de_ctx);
1439  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1440 
1441  FLOWLOCK_WRLOCK(&f);
1442  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1443  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1444  dcerpc_bind_len);
1445  if (r != 0) {
1446  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1447  FLOWLOCK_UNLOCK(&f);
1448  goto end;
1449  }
1450  FLOWLOCK_UNLOCK(&f);
1451  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1452  p->flowflags |= FLOW_PKT_TOSERVER;
1453  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1454 
1455  dcerpc_state = f.alstate;
1456  if (dcerpc_state == NULL) {
1457  SCLogDebug("no dcerpc state: ");
1458  goto end;
1459  }
1460 
1461  FLOWLOCK_WRLOCK(&f);
1462  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1463  STREAM_TOCLIENT, dcerpc_bindack,
1464  dcerpc_bindack_len);
1465  if (r != 0) {
1466  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1467  FLOWLOCK_UNLOCK(&f);
1468  goto end;
1469  }
1470  FLOWLOCK_UNLOCK(&f);
1471  p->flowflags &=~ FLOW_PKT_TOSERVER;
1472  p->flowflags |= FLOW_PKT_TOCLIENT;
1473  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1474 
1475  /* request1 */
1476  FLOWLOCK_WRLOCK(&f);
1477  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1478  STREAM_TOSERVER, dcerpc_request1,
1479  dcerpc_request1_len);
1480  if (r != 0) {
1481  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1482  FLOWLOCK_UNLOCK(&f);
1483  goto end;
1484  }
1485  FLOWLOCK_UNLOCK(&f);
1486 
1487  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1488  p->flowflags |= FLOW_PKT_TOSERVER;
1489  /* do detect */
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491 
1492  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1493  goto end;
1494 
1495  /* response1 */
1496  FLOWLOCK_WRLOCK(&f);
1497  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1498  STREAM_TOCLIENT, dcerpc_response1,
1499  dcerpc_response1_len);
1500  if (r != 0) {
1501  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1502  FLOWLOCK_UNLOCK(&f);
1503  goto end;
1504  }
1505  FLOWLOCK_UNLOCK(&f);
1506 
1507  p->flowflags &=~ FLOW_PKT_TOSERVER;
1508  p->flowflags |= FLOW_PKT_TOCLIENT;
1509  /* do detect */
1510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1511 
1512  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1513  goto end;
1514 
1515  /* request2 */
1516  FLOWLOCK_WRLOCK(&f);
1517  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1518  STREAM_TOSERVER, dcerpc_request2,
1519  dcerpc_request2_len);
1520  if (r != 0) {
1521  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1522  FLOWLOCK_UNLOCK(&f);
1523  goto end;
1524  }
1525  FLOWLOCK_UNLOCK(&f);
1526 
1527  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1528  p->flowflags |= FLOW_PKT_TOSERVER;
1529  /* do detect */
1530  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1531 
1532  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1533  goto end;
1534 
1535  /* response2 */
1536  FLOWLOCK_WRLOCK(&f);
1537  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1538  STREAM_TOCLIENT, dcerpc_response2,
1539  dcerpc_response2_len);
1540  if (r != 0) {
1541  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1542  FLOWLOCK_UNLOCK(&f);
1543  goto end;
1544  }
1545  FLOWLOCK_UNLOCK(&f);
1546 
1547  p->flowflags &=~ FLOW_PKT_TOSERVER;
1548  p->flowflags |= FLOW_PKT_TOCLIENT;
1549  /* do detect */
1550  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1551 
1552  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1553  goto end;
1554 
1555  /* request3 */
1556  FLOWLOCK_WRLOCK(&f);
1557  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1558  STREAM_TOSERVER, dcerpc_request3,
1559  dcerpc_request3_len);
1560  if (r != 0) {
1561  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1562  FLOWLOCK_UNLOCK(&f);
1563  goto end;
1564  }
1565  FLOWLOCK_UNLOCK(&f);
1566 
1567  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1568  p->flowflags |= FLOW_PKT_TOSERVER;
1569  /* do detect */
1570  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1571 
1572  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1573  goto end;
1574 
1575  /* response3 */
1576  FLOWLOCK_WRLOCK(&f);
1577  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1578  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1579  dcerpc_response3_len);
1580  if (r != 0) {
1581  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1582  FLOWLOCK_UNLOCK(&f);
1583  goto end;
1584  }
1585  FLOWLOCK_UNLOCK(&f);
1586 
1587  p->flowflags &=~ FLOW_PKT_TOSERVER;
1588  p->flowflags |= FLOW_PKT_TOCLIENT;
1589  /* do detect */
1590  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1591 
1592  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1593  goto end;
1594 
1595  result = 1;
1596 
1597  end:
1598  if (alp_tctx != NULL)
1599  AppLayerParserThreadCtxFree(alp_tctx);
1600  SigGroupCleanup(de_ctx);
1601  SigCleanSignatures(de_ctx);
1602 
1603  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1604  DetectEngineCtxFree(de_ctx);
1605 
1606  StreamTcpFreeConfig(TRUE);
1607  FLOW_DESTROY(&f);
1608 
1609  UTHFreePackets(&p, 1);
1610  return result;
1611 }
1612 
1613 static int DetectDceStubDataTestParse05(void)
1614 {
1615  int result = 0;
1616  Signature *s = NULL;
1617  ThreadVars th_v;
1618  Packet *p = NULL;
1619  Flow f;
1620  TcpSession ssn;
1621  DetectEngineThreadCtx *det_ctx = NULL;
1622  DetectEngineCtx *de_ctx = NULL;
1623  DCERPCState *dcerpc_state = NULL;
1624  int r = 0;
1625 
1626  uint8_t dcerpc_request1[] = {
1627  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1628  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1629  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1630  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1631  0x00, 0x00, 0x00, 0x02,
1632  };
1633 
1634  uint8_t dcerpc_response1[] = {
1635  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1636  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1637  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1639  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1640  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1641  };
1642 
1643  uint8_t dcerpc_request2[] = {
1644  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1645  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1646  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1647  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1648  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1649  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1650  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1651  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1652  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1653  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1654  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1655  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1656  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1657  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1658  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1659  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1660  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1661  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1662  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1663  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1664  0x03, 0x00, 0x00, 0x00,
1665  };
1666 
1667  uint8_t dcerpc_response2[] = {
1668  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1669  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1670  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1672  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1673  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1674  };
1675 
1676  uint8_t dcerpc_request3[] = {
1677  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1678  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1679  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1680  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1681  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1682  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1683  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1684  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1685  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1686  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1687  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1688  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1689  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1690  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1691  };
1692 
1693  uint8_t dcerpc_response3[] = {
1694  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1695  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1696  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1697  0x00, 0x00, 0x00, 0x00,
1698  };
1699 
1700  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1701  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1702 
1703  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1704  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1705 
1706  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1707  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1708 
1709  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1710 
1711  memset(&th_v, 0, sizeof(th_v));
1712  memset(&f, 0, sizeof(f));
1713  memset(&ssn, 0, sizeof(ssn));
1714 
1715  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1716 
1717  FLOW_INITIALIZE(&f);
1718  f.protoctx = (void *)&ssn;
1719  f.proto = IPPROTO_TCP;
1720  p->flow = &f;
1721  p->flowflags |= FLOW_PKT_TOSERVER;
1722  p->flowflags |= FLOW_PKT_ESTABLISHED;
1723  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1724  f.alproto = ALPROTO_DCERPC;
1725 
1726  StreamTcpInitConfig(TRUE);
1727 
1728  de_ctx = DetectEngineCtxInit();
1729  if (de_ctx == NULL)
1730  goto end;
1731 
1732  de_ctx->flags |= DE_QUIET;
1733 
1734  s = de_ctx->sig_list = SigInit(de_ctx,
1735  "alert tcp any any -> any any "
1736  "(msg:\"DCERPC\"; "
1737  "dce_stub_data; content:\"|00 02|\"; "
1738  "sid:1;)");
1739  if (s == NULL)
1740  goto end;
1741  s = de_ctx->sig_list->next = SigInit(de_ctx,
1742  "alert tcp any any -> any any "
1743  "(msg:\"DCERPC\"; "
1744  "dce_stub_data; content:\"|00 75|\"; "
1745  "sid:2;)");
1746  if (s == NULL)
1747  goto end;
1748  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1749  "alert tcp any any -> any any "
1750  "(msg:\"DCERPC\"; "
1751  "dce_stub_data; content:\"|00 18|\"; "
1752  "sid:3;)");
1753  if (s == NULL)
1754  goto end;
1755 
1756  SigGroupBuild(de_ctx);
1757  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1758 
1759  /* request1 */
1760  FLOWLOCK_WRLOCK(&f);
1761  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1762  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1763  dcerpc_request1_len);
1764  if (r != 0) {
1765  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1766  FLOWLOCK_UNLOCK(&f);
1767  goto end;
1768  }
1769  FLOWLOCK_UNLOCK(&f);
1770 
1771  dcerpc_state = f.alstate;
1772  if (dcerpc_state == NULL) {
1773  SCLogDebug("no dcerpc state: ");
1774  goto end;
1775  }
1776 
1777  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1778  p->flowflags |= FLOW_PKT_TOSERVER;
1779  /* do detect */
1780  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1781 
1782  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1783  goto end;
1784 
1785  /* response1 */
1786  FLOWLOCK_WRLOCK(&f);
1787  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1788  STREAM_TOCLIENT, dcerpc_response1,
1789  dcerpc_response1_len);
1790  if (r != 0) {
1791  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1792  FLOWLOCK_UNLOCK(&f);
1793  goto end;
1794  }
1795  FLOWLOCK_UNLOCK(&f);
1796 
1797  p->flowflags &=~ FLOW_PKT_TOSERVER;
1798  p->flowflags |= FLOW_PKT_TOCLIENT;
1799  /* do detect */
1800  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1801 
1802  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1803  goto end;
1804 
1805  /* request2 */
1806  FLOWLOCK_WRLOCK(&f);
1807  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1808  STREAM_TOSERVER, dcerpc_request2,
1809  dcerpc_request2_len);
1810  if (r != 0) {
1811  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1812  FLOWLOCK_UNLOCK(&f);
1813  goto end;
1814  }
1815  FLOWLOCK_UNLOCK(&f);
1816 
1817  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1818  p->flowflags |= FLOW_PKT_TOSERVER;
1819  /* do detect */
1820  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1821 
1822  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1823  goto end;
1824 
1825  /* response2 */
1826  FLOWLOCK_WRLOCK(&f);
1827  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1828  STREAM_TOCLIENT, dcerpc_response2,
1829  dcerpc_response2_len);
1830  if (r != 0) {
1831  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1832  FLOWLOCK_UNLOCK(&f);
1833  goto end;
1834  }
1835  FLOWLOCK_UNLOCK(&f);
1836 
1837  p->flowflags &=~ FLOW_PKT_TOSERVER;
1838  p->flowflags |= FLOW_PKT_TOCLIENT;
1839  /* do detect */
1840  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1841 
1842  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1843  goto end;
1844 
1845  /* request3 */
1846  FLOWLOCK_WRLOCK(&f);
1847  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1848  STREAM_TOSERVER, dcerpc_request3,
1849  dcerpc_request3_len);
1850  if (r != 0) {
1851  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1852  FLOWLOCK_UNLOCK(&f);
1853  goto end;
1854  }
1855  FLOWLOCK_UNLOCK(&f);
1856 
1857  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1858  p->flowflags |= FLOW_PKT_TOSERVER;
1859  /* do detect */
1860  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1861 
1862  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1863  goto end;
1864 
1865  /* response3 */
1866  FLOWLOCK_WRLOCK(&f);
1867  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1868  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1869  dcerpc_response3_len);
1870  if (r != 0) {
1871  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1872  FLOWLOCK_UNLOCK(&f);
1873  goto end;
1874  }
1875  FLOWLOCK_UNLOCK(&f);
1876 
1877  p->flowflags &=~ FLOW_PKT_TOSERVER;
1878  p->flowflags |= FLOW_PKT_TOCLIENT;
1879  /* do detect */
1880  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1881 
1882  if (PacketAlertCheck(p, 1))
1883  goto end;
1884 
1885  result = 1;
1886 
1887  end:
1888  if (alp_tctx != NULL)
1889  AppLayerParserThreadCtxFree(alp_tctx);
1890 
1891  SigGroupCleanup(de_ctx);
1892  SigCleanSignatures(de_ctx);
1893 
1894  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1895  DetectEngineCtxFree(de_ctx);
1896 
1897  StreamTcpFreeConfig(TRUE);
1898  FLOW_DESTROY(&f);
1899 
1900  UTHFreePackets(&p, 1);
1901  return result;
1902 }
1903 
1904 
1905 #endif
1906 
1907 static void DetectDceStubDataRegisterTests(void)
1908 {
1909 #ifdef UNITTESTS
1910  UtRegisterTest("DetectDceStubDataTestParse01",
1911  DetectDceStubDataTestParse01);
1912  UtRegisterTest("DetectDceStubDataTestParse02",
1913  DetectDceStubDataTestParse02);
1914  UtRegisterTest("DetectDceStubDataTestParse03",
1915  DetectDceStubDataTestParse03);
1916  UtRegisterTest("DetectDceStubDataTestParse04",
1917  DetectDceStubDataTestParse04);
1918  UtRegisterTest("DetectDceStubDataTestParse05",
1919  DetectDceStubDataTestParse05);
1920 #endif
1921 
1922  return;
1923 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2225
DCERPCState_
Definition: app-layer-dcerpc.h:34
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1431
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:191
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1170
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DCERPCResponse_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:184
Packet_::flow
struct Flow_ * flow
Definition: decode.h:443
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:42
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DCERPC_::dcerpcresponse
DCERPCResponse dcerpcresponse
Definition: app-layer-dcerpc-common.h:192
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1945
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:749
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:274
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:122
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2533
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:869
SigTableElmt_::name
const char * name
Definition: detect.h:1184
Signature_
Signature container.
Definition: detect.h:514
TRUE
#define TRUE
Definition: suricata-common.h:33
DCERPCHdr_::packed_drep
uint8_t packed_drep[4]
Definition: app-layer-dcerpc-common.h:102
Flow_::protoctx
void * protoctx
Definition: flow.h:400
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:743
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2741
Flow_::alstate
void * alstate
Definition: flow.h:438
DE_QUIET
#define DE_QUIET
Definition: detect.h:297
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:696
DCERPC_::dcerpchdr
DCERPCHdr dcerpchdr
Definition: app-layer-dcerpc-common.h:189
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:243
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1378
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:351
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:744
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1887
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:242
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:181
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:43
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:437
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:248
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1959
Signature_::next
struct Signature_ * next
Definition: detect.h:586
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1391
Packet_
Definition: decode.h:405
SigTableElmt_::alias
const char * alias
Definition: detect.h:1185
DCERPCRequest_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:173
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:928
detect-engine-content-inspection.h
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:976
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1354
STREAM_START
#define STREAM_START
Definition: stream.h:29
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1092
DCERPCResponse_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:182
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:808
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:348
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:986
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
Packet_::flags
uint32_t flags
Definition: decode.h:441
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1178
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1835
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:325
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1090
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1176
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1155
DCERPCRequest_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:175
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1790
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:90