suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "app-layer-dcerpc.h"
44 #include "queue.h"
45 #include "stream-tcp-reassemble.h"
46 
47 #include "detect-dce-stub-data.h"
48 #include "detect-dce-iface.h"
49 
50 #include "util-debug.h"
51 
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 
55 #include "stream-tcp.h"
56 
57 #include "rust.h"
58 
59 #define BUFFER_NAME "dce_stub_data"
60 #define KEYWORD_NAME "dce_stub_data"
61 
62 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
63 #ifdef UNITTESTS
64 static void DetectDceStubDataRegisterTests(void);
65 #endif
66 static int g_dce_stub_data_buffer_id = 0;
67 
68 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
69  const DetectEngineTransforms *transforms,
70  Flow *_f, const uint8_t flow_flags,
71  void *txv, const int list_id)
72 {
73  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
74  if (buffer->inspect == NULL) {
75  uint32_t data_len = 0;
76  const uint8_t *data = NULL;
77  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
78  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
79  return NULL;
80  SCLogDebug("have data!");
81 
82  InspectionBufferSetup(buffer, data, data_len);
83  InspectionBufferApplyTransforms(buffer, transforms);
84  }
85  return buffer;
86 }
87 
88 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
89  const DetectEngineTransforms *transforms,
90  Flow *_f, const uint8_t flow_flags,
91  void *txv, const int list_id)
92 {
93  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
94  if (buffer->inspect == NULL) {
95  uint32_t data_len = 0;
96  const uint8_t *data = NULL;
97  uint8_t endianness;
98 
99  rs_dcerpc_get_stub_data(txv, &data, &data_len, &endianness, flow_flags);
100  if (data == NULL || data_len == 0)
101  return NULL;
102 
103  if (endianness > 0) {
104  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
105  } else {
106  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
107  }
108  InspectionBufferSetup(buffer, data, data_len);
109  InspectionBufferApplyTransforms(buffer, transforms);
110  }
111  return buffer;
112 }
113 
114 /**
115  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
116  */
117 void DetectDceStubDataRegister(void)
118 {
119  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
120  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
122 #ifdef UNITTESTS
123  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
124 #endif
125  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
126 
127  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
128  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
129  DetectEngineInspectBufferGeneric,
130  GetSMBData);
131  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
132  PrefilterGenericMpmRegister, GetSMBData,
133  ALPROTO_SMB, 0);
134  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
135  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
136  DetectEngineInspectBufferGeneric,
137  GetSMBData);
138  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
139  PrefilterGenericMpmRegister, GetSMBData,
140  ALPROTO_SMB, 0);
141 
142  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
143  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
144  DetectEngineInspectBufferGeneric,
145  GetDCEData);
146  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
147  PrefilterGenericMpmRegister, GetDCEData,
148  ALPROTO_DCERPC, 0);
149  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
150  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
151  DetectEngineInspectBufferGeneric,
152  GetDCEData);
153  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
154  PrefilterGenericMpmRegister, GetDCEData,
155  ALPROTO_DCERPC, 0);
156 
157  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
158 }
159 
160 /**
161  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
162  * and appends it to the Signature(s).
163  *
164  * \param de_ctx Pointer to the detection engine context
165  * \param s Pointer to signature for the current Signature being parsed
166  * from the rules
167  * \param arg Pointer to the string holding the keyword value
168  *
169  * \retval 0 on success, -1 on failure
170  */
171 
172 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
173 {
174  if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
175  s->alproto != ALPROTO_SMB) {
176  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
177  return -1;
178  }
179  if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
180  return -1;
181  return 0;
182 }
183 
184 /************************************Unittests*********************************/
185 
186 #ifdef UNITTESTS
187 
188 static int DetectDceStubDataTestParse01(void)
189 {
190  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
191  FAIL_IF_NULL(de_ctx);
192  de_ctx->flags = DE_QUIET;
193  Signature *s = DetectEngineAppendSig(de_ctx,
194  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
195  FAIL_IF_NULL(s);
196  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
197  DetectEngineCtxFree(de_ctx);
198  PASS;
199 }
200 
201 /**
202  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
203  */
204 static int DetectDceStubDataTestParse02(void)
205 {
206  int result = 0;
207  Signature *s = NULL;
208  ThreadVars th_v;
209  Packet *p = NULL;
210  Flow f;
211  TcpSession ssn;
212  DetectEngineThreadCtx *det_ctx = NULL;
213  DetectEngineCtx *de_ctx = NULL;
214  DCERPCState *dcerpc_state = NULL;
215  int r = 0;
216 
217  uint8_t dcerpc_bind[] = {
218  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
219  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
220  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
221  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
222  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
223  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
224  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
225  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
226  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
227  };
228 
229  uint8_t dcerpc_bindack[] = {
230  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
231  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
232  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
233  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
234  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
235  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
237  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
238  0x02, 0x00, 0x00, 0x00
239  };
240 
241  /* todo chop the request frag length and change the
242  * length related parameters in the frag */
243  uint8_t dcerpc_request[] = {
244  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
245  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
246  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
247  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
248  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
249  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
250  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
251  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
252  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
253  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
254  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
255  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
256  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
257  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
258  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
259  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
260  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
261  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
262  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
263  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
264  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
265  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
266  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
267  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
268  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
269  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
270  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
271  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
272  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
273  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
274  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
275  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
276  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
277  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
278  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
279  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
280  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
281  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
282  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
283  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
284  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
285  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
286  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
287  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
288  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
289  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
290  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
291  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
292  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
293  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
294  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
295  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
296  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
297  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
298  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
299  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
300  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
301  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
302  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
303  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
304  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
305  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
306  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
307  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
308  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
309  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
310  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
311  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
312  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
313  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
314  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
315  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
316  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
317  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
318  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
319  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
320  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
321  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
322  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
323  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
324  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
325  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
326  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
327  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
488  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
489  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
490  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
491  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
492  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
493  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
494  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
495  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
496  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
497  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
498  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
499  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
500  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
501  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
502  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
503  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
504  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
505  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
506  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
507  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
508  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
509  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
510  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
511  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
512  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
513  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
514  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
515  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
516  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
517  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
518  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
519  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
520  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
521  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
522  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
523  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
524  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
525  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
589  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
590  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
591  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
654  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
655  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
656  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
657  0x01, 0x02, 0x03, 0x04
658  };
659 
660  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
661  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
662  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
663  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
664 
665  memset(&th_v, 0, sizeof(th_v));
666  memset(&f, 0, sizeof(f));
667  memset(&ssn, 0, sizeof(ssn));
668 
669  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
670 
671  FLOW_INITIALIZE(&f);
672  f.protoctx = (void *)&ssn;
673  f.proto = IPPROTO_TCP;
674  p->flow = &f;
675  p->flowflags |= FLOW_PKT_TOSERVER;
676  p->flowflags |= FLOW_PKT_ESTABLISHED;
677  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
678  f.alproto = ALPROTO_DCERPC;
679 
680  StreamTcpInitConfig(TRUE);
681 
682  de_ctx = DetectEngineCtxInit();
683  if (de_ctx == NULL)
684  goto end;
685 
686  de_ctx->flags |= DE_QUIET;
687 
688  s = de_ctx->sig_list = SigInit(de_ctx,
689  "alert tcp any any -> any any "
690  "(msg:\"DCERPC\"; "
691  "dce_stub_data; content:\"|42 42 42 42|\";"
692  "sid:1;)");
693  if (s == NULL)
694  goto end;
695 
696  SigGroupBuild(de_ctx);
697  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
698 
699  FLOWLOCK_WRLOCK(&f);
700  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
701  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
702  dcerpc_bind_len);
703  if (r != 0) {
704  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
705  FLOWLOCK_UNLOCK(&f);
706  goto end;
707  }
708  FLOWLOCK_UNLOCK(&f);
709 
710  dcerpc_state = f.alstate;
711  if (dcerpc_state == NULL) {
712  SCLogDebug("no dcerpc state: ");
713  goto end;
714  }
715 
716  p->flowflags &=~ FLOW_PKT_TOCLIENT;
717  p->flowflags |= FLOW_PKT_TOSERVER;
718  /* do detect */
719  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
720 
721  /* we shouldn't have any stub data */
722  if (PacketAlertCheck(p, 1))
723  goto end;
724 
725  /* do detect */
726  FLOWLOCK_WRLOCK(&f);
727  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
728  STREAM_TOCLIENT, dcerpc_bindack,
729  dcerpc_bindack_len);
730  if (r != 0) {
731  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
732  FLOWLOCK_UNLOCK(&f);
733  goto end;
734  }
735  FLOWLOCK_UNLOCK(&f);
736 
737  p->flowflags &=~ FLOW_PKT_TOSERVER;
738  p->flowflags |= FLOW_PKT_TOCLIENT;
739  /* do detect */
740  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
741 
742  /* we shouldn't have any stub data */
743  if (PacketAlertCheck(p, 1))
744  goto end;
745 
746  FLOWLOCK_WRLOCK(&f);
747  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
748  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
749  dcerpc_request_len);
750  if (r != 0) {
751  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
752  FLOWLOCK_UNLOCK(&f);
753  goto end;
754  }
755  FLOWLOCK_UNLOCK(&f);
756 
757  p->flowflags &=~ FLOW_PKT_TOCLIENT;
758  p->flowflags |= FLOW_PKT_TOSERVER;
759  /* do detect */
760  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
761 
762  /* we should have the stub data since we previously parsed a request frag */
763  if (!PacketAlertCheck(p, 1))
764  goto end;
765 
766  result = 1;
767 
768  end:
769  if (alp_tctx != NULL)
770  AppLayerParserThreadCtxFree(alp_tctx);
771  SigGroupCleanup(de_ctx);
772  SigCleanSignatures(de_ctx);
773 
774  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
775  DetectEngineCtxFree(de_ctx);
776 
777  StreamTcpFreeConfig(TRUE);
778  FLOW_DESTROY(&f);
779 
780  UTHFreePackets(&p, 1);
781  return result;
782 }
783 
784 /**
785  * \test Test a valid dce_stub_data with just a request frag.
786  */
787 static int DetectDceStubDataTestParse03(void)
788 {
789  Signature *s = NULL;
790  ThreadVars th_v;
791  Packet *p = NULL;
792  Flow f;
793  TcpSession ssn;
794  DetectEngineThreadCtx *det_ctx = NULL;
795  DetectEngineCtx *de_ctx = NULL;
796  DCERPCState *dcerpc_state = NULL;
797  int r = 0;
798 
799  /* todo chop the request frag length and change the
800  * length related parameters in the frag */
801  uint8_t dcerpc_request[] = {
802  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
803  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
804  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
805  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
806  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
807  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
808  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
809  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
810  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
811  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
812  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
813  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
814  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
815  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
816  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
817  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
818  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
819  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
820  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
821  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
822  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
823  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
824  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
825  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
826  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
827  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
828  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
829  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
830  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
831  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
832  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
833  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
834  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
835  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
836  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
837  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
838  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
839  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
840  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
841  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
842  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
843  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
844  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
845  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
846  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
847  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
848  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
849  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
850  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
851  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
852  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
853  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
854  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
855  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
856  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
857  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
858  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
859  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
860  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
861  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
862  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
863  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
864  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
865  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
866  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
867  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
868  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
869  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
870  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
871  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
872  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
873  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
874  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
875  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
876  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
877  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
878  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
879  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
880  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
881  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
882  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
883  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
884  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
885  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1046  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1047  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1048  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1049  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1050  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1051  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1052  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1053  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1054  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1055  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1056  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1057  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1058  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1059  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1060  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1061  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1062  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1063  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1064  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1065  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1066  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1067  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1068  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1069  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1070  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1071  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1072  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1073  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1074  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1075  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1076  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1077  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1078  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1079  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1080  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1081  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1082  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1083  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1142  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1143  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1144  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1145  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1146  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1147  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1148  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1149  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1184  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1185  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1186  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1187  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1188  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1189  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1190  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1191  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1192  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1193  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1194  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1195  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1196  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1197  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1198  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1199  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1200  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1201  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1202  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1203  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1204  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1205  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1206  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1207  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1208  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1209  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1210  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1211  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1212  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1213  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1214  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1215  0x01, 0x02, 0x03, 0x04
1216  };
1217 
1218  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1219 
1220  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1221 
1222  memset(&th_v, 0, sizeof(th_v));
1223  memset(&f, 0, sizeof(f));
1224  memset(&ssn, 0, sizeof(ssn));
1225 
1226  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1227 
1228  FLOW_INITIALIZE(&f);
1229  f.protoctx = (void *)&ssn;
1230  f.proto = IPPROTO_TCP;
1231  p->flow = &f;
1232  p->flowflags |= FLOW_PKT_TOSERVER;
1233  p->flowflags |= FLOW_PKT_ESTABLISHED;
1234  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1235  f.alproto = ALPROTO_DCERPC;
1236 
1237  StreamTcpInitConfig(TRUE);
1238 
1239  de_ctx = DetectEngineCtxInit();
1240  FAIL_IF(de_ctx == NULL);
1241 
1242  de_ctx->flags |= DE_QUIET;
1243 
1244  s = de_ctx->sig_list = SigInit(de_ctx,
1245  "alert tcp any any -> any any "
1246  "(msg:\"DCERPC\"; "
1247  "dce_stub_data; content:\"|42 42 42 42|\";"
1248  "sid:1;)");
1249  FAIL_IF(s == NULL);
1250 
1251  SigGroupBuild(de_ctx);
1252  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1253 
1254  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1255  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1256  dcerpc_request_len);
1257  FAIL_IF(r != 0);
1258 
1259  dcerpc_state = f.alstate;
1260  FAIL_IF (dcerpc_state == NULL);
1261 
1262  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1263  p->flowflags |= FLOW_PKT_TOSERVER;
1264  /* do detect */
1265  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1266  FAIL_IF(!PacketAlertCheck(p, 1));
1267 
1268  if (alp_tctx != NULL)
1269  AppLayerParserThreadCtxFree(alp_tctx);
1270  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1271  DetectEngineCtxFree(de_ctx);
1272  StreamTcpFreeConfig(TRUE);
1273  FLOW_DESTROY(&f);
1274 
1275  UTHFreePackets(&p, 1);
1276  PASS;
1277 }
1278 
1279 static int DetectDceStubDataTestParse04(void)
1280 {
1281  int result = 0;
1282  Signature *s = NULL;
1283  ThreadVars th_v;
1284  Packet *p = NULL;
1285  Flow f;
1286  TcpSession ssn;
1287  DetectEngineThreadCtx *det_ctx = NULL;
1288  DetectEngineCtx *de_ctx = NULL;
1289  DCERPCState *dcerpc_state = NULL;
1290  int r = 0;
1291 
1292  uint8_t dcerpc_bind[] = {
1293  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1294  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1295  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1296  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1297  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1298  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1299  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1300  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1301  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1302  };
1303 
1304  uint8_t dcerpc_bindack[] = {
1305  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1306  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1307  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1308  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1309  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1310  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1312  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1313  0x02, 0x00, 0x00, 0x00,
1314  };
1315 
1316  uint8_t dcerpc_request1[] = {
1317  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1318  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1319  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1320  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1321  0x00, 0x00, 0x00, 0x02,
1322  };
1323 
1324  uint8_t dcerpc_response1[] = {
1325  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1326  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1327  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1329  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1330  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1331  };
1332 
1333  uint8_t dcerpc_request2[] = {
1334  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1335  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1336  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1337  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1338  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1339  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1340  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1341  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1342  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1343  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1344  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1345  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1346  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1347  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1348  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1349  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1350  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1351  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1352  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1353  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1354  0x03, 0x00, 0x00, 0x00,
1355  };
1356 
1357  uint8_t dcerpc_response2[] = {
1358  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1359  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1360  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1362  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1363  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1364  };
1365 
1366  uint8_t dcerpc_request3[] = {
1367  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1368  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1369  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1370  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1371  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1372  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1373  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1374  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1375  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1376  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1377  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1378  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1379  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1380  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1381  };
1382 
1383  uint8_t dcerpc_response3[] = {
1384  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1385  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1386  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1387  0x00, 0x00, 0x00, 0x00,
1388  };
1389 
1390  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1391  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1392 
1393  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1394  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1395 
1396  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1397  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1398 
1399  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1400  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1401 
1402  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1403 
1404  memset(&th_v, 0, sizeof(th_v));
1405  memset(&f, 0, sizeof(f));
1406  memset(&ssn, 0, sizeof(ssn));
1407 
1408  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1409 
1410  FLOW_INITIALIZE(&f);
1411  f.protoctx = (void *)&ssn;
1412  f.proto = IPPROTO_TCP;
1413  p->flow = &f;
1414  p->flowflags |= FLOW_PKT_TOSERVER;
1415  p->flowflags |= FLOW_PKT_ESTABLISHED;
1416  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1417  f.alproto = ALPROTO_DCERPC;
1418 
1419  StreamTcpInitConfig(TRUE);
1420 
1421  de_ctx = DetectEngineCtxInit();
1422  if (de_ctx == NULL)
1423  goto end;
1424 
1425  de_ctx->flags |= DE_QUIET;
1426 
1427  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1428  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1429  if (s == NULL)
1430  goto end;
1431  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1432  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1433  if (s == NULL)
1434  goto end;
1435  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1436  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1437  if (s == NULL)
1438  goto end;
1439 
1440  SigGroupBuild(de_ctx);
1441  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1442 
1443  FLOWLOCK_WRLOCK(&f);
1444  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1445  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1446  dcerpc_bind_len);
1447  if (r != 0) {
1448  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1449  FLOWLOCK_UNLOCK(&f);
1450  goto end;
1451  }
1452  FLOWLOCK_UNLOCK(&f);
1453  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1454  p->flowflags |= FLOW_PKT_TOSERVER;
1455  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1456 
1457  dcerpc_state = f.alstate;
1458  if (dcerpc_state == NULL) {
1459  SCLogDebug("no dcerpc state: ");
1460  goto end;
1461  }
1462 
1463  FLOWLOCK_WRLOCK(&f);
1464  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1465  STREAM_TOCLIENT, dcerpc_bindack,
1466  dcerpc_bindack_len);
1467  if (r != 0) {
1468  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1469  FLOWLOCK_UNLOCK(&f);
1470  goto end;
1471  }
1472  FLOWLOCK_UNLOCK(&f);
1473  p->flowflags &=~ FLOW_PKT_TOSERVER;
1474  p->flowflags |= FLOW_PKT_TOCLIENT;
1475  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1476 
1477  /* request1 */
1478  FLOWLOCK_WRLOCK(&f);
1479  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1480  STREAM_TOSERVER, dcerpc_request1,
1481  dcerpc_request1_len);
1482  if (r != 0) {
1483  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1484  FLOWLOCK_UNLOCK(&f);
1485  goto end;
1486  }
1487  FLOWLOCK_UNLOCK(&f);
1488 
1489  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1490  p->flowflags |= FLOW_PKT_TOSERVER;
1491  /* do detect */
1492  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1493 
1494  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1495  goto end;
1496 
1497  /* response1 */
1498  FLOWLOCK_WRLOCK(&f);
1499  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1500  STREAM_TOCLIENT, dcerpc_response1,
1501  dcerpc_response1_len);
1502  if (r != 0) {
1503  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1504  FLOWLOCK_UNLOCK(&f);
1505  goto end;
1506  }
1507  FLOWLOCK_UNLOCK(&f);
1508 
1509  p->flowflags &=~ FLOW_PKT_TOSERVER;
1510  p->flowflags |= FLOW_PKT_TOCLIENT;
1511  /* do detect */
1512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1513 
1514  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1515  goto end;
1516 
1517  /* request2 */
1518  FLOWLOCK_WRLOCK(&f);
1519  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1520  STREAM_TOSERVER, dcerpc_request2,
1521  dcerpc_request2_len);
1522  if (r != 0) {
1523  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1524  FLOWLOCK_UNLOCK(&f);
1525  goto end;
1526  }
1527  FLOWLOCK_UNLOCK(&f);
1528 
1529  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1530  p->flowflags |= FLOW_PKT_TOSERVER;
1531  /* do detect */
1532  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1533 
1534  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1535  goto end;
1536 
1537  /* response2 */
1538  FLOWLOCK_WRLOCK(&f);
1539  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1540  STREAM_TOCLIENT, dcerpc_response2,
1541  dcerpc_response2_len);
1542  if (r != 0) {
1543  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1544  FLOWLOCK_UNLOCK(&f);
1545  goto end;
1546  }
1547  FLOWLOCK_UNLOCK(&f);
1548 
1549  p->flowflags &=~ FLOW_PKT_TOSERVER;
1550  p->flowflags |= FLOW_PKT_TOCLIENT;
1551  /* do detect */
1552  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1553 
1554  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1555  goto end;
1556  /* request3 */
1557  FLOWLOCK_WRLOCK(&f);
1558  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1559  STREAM_TOSERVER, dcerpc_request3,
1560  dcerpc_request3_len);
1561  if (r != 0) {
1562  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1563  FLOWLOCK_UNLOCK(&f);
1564  goto end;
1565  }
1566  FLOWLOCK_UNLOCK(&f);
1567 
1568  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1569  p->flowflags |= FLOW_PKT_TOSERVER;
1570  /* do detect */
1571  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1572 
1573  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1574  goto end;
1575 
1576  /* response3 */
1577  FLOWLOCK_WRLOCK(&f);
1578  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1579  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1580  dcerpc_response3_len);
1581  if (r != 0) {
1582  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1583  FLOWLOCK_UNLOCK(&f);
1584  goto end;
1585  }
1586  FLOWLOCK_UNLOCK(&f);
1587 
1588  p->flowflags &=~ FLOW_PKT_TOSERVER;
1589  p->flowflags |= FLOW_PKT_TOCLIENT;
1590  /* do detect */
1591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1592 
1593  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1594  goto end;
1595 
1596  result = 1;
1597 
1598  end:
1599  if (alp_tctx != NULL)
1600  AppLayerParserThreadCtxFree(alp_tctx);
1601  SigGroupCleanup(de_ctx);
1602  SigCleanSignatures(de_ctx);
1603 
1604  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1605  DetectEngineCtxFree(de_ctx);
1606 
1607  StreamTcpFreeConfig(TRUE);
1608  FLOW_DESTROY(&f);
1609 
1610  UTHFreePackets(&p, 1);
1611  return result;
1612 }
1613 
1614 static int DetectDceStubDataTestParse05(void)
1615 {
1616  int result = 0;
1617  Signature *s = NULL;
1618  ThreadVars th_v;
1619  Packet *p = NULL;
1620  Flow f;
1621  TcpSession ssn;
1622  DetectEngineThreadCtx *det_ctx = NULL;
1623  DetectEngineCtx *de_ctx = NULL;
1624  DCERPCState *dcerpc_state = NULL;
1625  int r = 0;
1626 
1627  uint8_t dcerpc_request1[] = {
1628  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1629  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1630  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1631  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1632  0x00, 0x00, 0x00, 0x02,
1633  };
1634 
1635  uint8_t dcerpc_response1[] = {
1636  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1637  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1638  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1640  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1641  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1642  };
1643 
1644  uint8_t dcerpc_request2[] = {
1645  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1646  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1647  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1648  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1649  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1650  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1651  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1652  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1653  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1654  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1655  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1656  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1657  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1658  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1659  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1660  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1661  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1662  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1663  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1664  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1665  0x03, 0x00, 0x00, 0x00,
1666  };
1667 
1668  uint8_t dcerpc_response2[] = {
1669  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1670  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1671  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1672  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1673  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1674  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1675  };
1676 
1677  uint8_t dcerpc_request3[] = {
1678  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1679  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1680  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1681  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1682  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1683  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1684  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1685  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1686  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1687  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1688  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1689  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1690  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1691  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1692  };
1693 
1694  uint8_t dcerpc_response3[] = {
1695  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1696  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1697  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1698  0x00, 0x00, 0x00, 0x00,
1699  };
1700 
1701  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1702  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1703 
1704  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1705  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1706 
1707  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1708  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1709 
1710  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1711 
1712  memset(&th_v, 0, sizeof(th_v));
1713  memset(&f, 0, sizeof(f));
1714  memset(&ssn, 0, sizeof(ssn));
1715 
1716  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1717 
1718  FLOW_INITIALIZE(&f);
1719  f.protoctx = (void *)&ssn;
1720  f.proto = IPPROTO_TCP;
1721  p->flow = &f;
1722  p->flowflags |= FLOW_PKT_TOSERVER;
1723  p->flowflags |= FLOW_PKT_ESTABLISHED;
1724  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1725  f.alproto = ALPROTO_DCERPC;
1726 
1727  StreamTcpInitConfig(TRUE);
1728 
1729  de_ctx = DetectEngineCtxInit();
1730  if (de_ctx == NULL)
1731  goto end;
1732 
1733  de_ctx->flags |= DE_QUIET;
1734 
1735  s = de_ctx->sig_list = SigInit(de_ctx,
1736  "alert tcp any any -> any any "
1737  "(msg:\"DCERPC\"; "
1738  "dce_stub_data; content:\"|00 02|\"; "
1739  "sid:1;)");
1740  if (s == NULL)
1741  goto end;
1742  s = de_ctx->sig_list->next = SigInit(de_ctx,
1743  "alert tcp any any -> any any "
1744  "(msg:\"DCERPC\"; "
1745  "dce_stub_data; content:\"|00 75|\"; "
1746  "sid:2;)");
1747  if (s == NULL)
1748  goto end;
1749  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1750  "alert tcp any any -> any any "
1751  "(msg:\"DCERPC\"; "
1752  "dce_stub_data; content:\"|00 18|\"; "
1753  "sid:3;)");
1754  if (s == NULL)
1755  goto end;
1756 
1757  SigGroupBuild(de_ctx);
1758  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1759 
1760  /* request1 */
1761  FLOWLOCK_WRLOCK(&f);
1762  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1763  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1764  dcerpc_request1_len);
1765  if (r != 0) {
1766  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1767  FLOWLOCK_UNLOCK(&f);
1768  goto end;
1769  }
1770  FLOWLOCK_UNLOCK(&f);
1771 
1772  dcerpc_state = f.alstate;
1773  if (dcerpc_state == NULL) {
1774  SCLogDebug("no dcerpc state: ");
1775  goto end;
1776  }
1777 
1778  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1779  p->flowflags |= FLOW_PKT_TOSERVER;
1780  /* do detect */
1781  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1782 
1783  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1784  goto end;
1785 
1786  /* response1 */
1787  FLOWLOCK_WRLOCK(&f);
1788  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1789  STREAM_TOCLIENT, dcerpc_response1,
1790  dcerpc_response1_len);
1791  if (r != 0) {
1792  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1793  FLOWLOCK_UNLOCK(&f);
1794  goto end;
1795  }
1796  FLOWLOCK_UNLOCK(&f);
1797 
1798  p->flowflags &=~ FLOW_PKT_TOSERVER;
1799  p->flowflags |= FLOW_PKT_TOCLIENT;
1800  /* do detect */
1801  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1802 
1803  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1804  goto end;
1805 
1806  /* request2 */
1807  FLOWLOCK_WRLOCK(&f);
1808  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1809  STREAM_TOSERVER, dcerpc_request2,
1810  dcerpc_request2_len);
1811  if (r != 0) {
1812  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1813  FLOWLOCK_UNLOCK(&f);
1814  goto end;
1815  }
1816  FLOWLOCK_UNLOCK(&f);
1817 
1818  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1819  p->flowflags |= FLOW_PKT_TOSERVER;
1820  /* do detect */
1821  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1822 
1823  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1824  goto end;
1825 
1826  /* response2 */
1827  FLOWLOCK_WRLOCK(&f);
1828  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1829  STREAM_TOCLIENT, dcerpc_response2,
1830  dcerpc_response2_len);
1831  if (r != 0) {
1832  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1833  FLOWLOCK_UNLOCK(&f);
1834  goto end;
1835  }
1836  FLOWLOCK_UNLOCK(&f);
1837 
1838  p->flowflags &=~ FLOW_PKT_TOSERVER;
1839  p->flowflags |= FLOW_PKT_TOCLIENT;
1840  /* do detect */
1841  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1842 
1843  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1844  goto end;
1845 
1846  /* request3 */
1847  FLOWLOCK_WRLOCK(&f);
1848  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1849  STREAM_TOSERVER, dcerpc_request3,
1850  dcerpc_request3_len);
1851  if (r != 0) {
1852  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1853  FLOWLOCK_UNLOCK(&f);
1854  goto end;
1855  }
1856  FLOWLOCK_UNLOCK(&f);
1857 
1858  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1859  p->flowflags |= FLOW_PKT_TOSERVER;
1860  /* do detect */
1861  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1862 
1863  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1864  goto end;
1865 
1866  /* response3 */
1867  FLOWLOCK_WRLOCK(&f);
1868  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1869  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1870  dcerpc_response3_len);
1871  if (r != 0) {
1872  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1873  FLOWLOCK_UNLOCK(&f);
1874  goto end;
1875  }
1876  FLOWLOCK_UNLOCK(&f);
1877 
1878  p->flowflags &=~ FLOW_PKT_TOSERVER;
1879  p->flowflags |= FLOW_PKT_TOCLIENT;
1880  /* do detect */
1881  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1882 
1883  if (PacketAlertCheck(p, 1))
1884  goto end;
1885 
1886  result = 1;
1887 
1888  end:
1889  if (alp_tctx != NULL)
1890  AppLayerParserThreadCtxFree(alp_tctx);
1891 
1892  SigGroupCleanup(de_ctx);
1893  SigCleanSignatures(de_ctx);
1894 
1895  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1896  DetectEngineCtxFree(de_ctx);
1897 
1898  StreamTcpFreeConfig(TRUE);
1899  FLOW_DESTROY(&f);
1900 
1901  UTHFreePackets(&p, 1);
1902  return result;
1903 }
1904 
1905 // invalid signature because of invalid protocol
1906 static int DetectDceStubDataTestParse06(void)
1907 {
1908  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1909  FAIL_IF_NULL(de_ctx);
1910  de_ctx->flags = DE_QUIET;
1911  Signature *s = DetectEngineAppendSig(de_ctx,
1912  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1913  FAIL_IF_NOT_NULL(s);
1914  DetectEngineCtxFree(de_ctx);
1915  PASS;
1916 }
1917 
1918 static void DetectDceStubDataRegisterTests(void)
1919 {
1920  UtRegisterTest("DetectDceStubDataTestParse01",
1921  DetectDceStubDataTestParse01);
1922  UtRegisterTest("DetectDceStubDataTestParse02",
1923  DetectDceStubDataTestParse02);
1924  UtRegisterTest("DetectDceStubDataTestParse03",
1925  DetectDceStubDataTestParse03);
1926  UtRegisterTest("DetectDceStubDataTestParse04",
1927  DetectDceStubDataTestParse04);
1928  UtRegisterTest("DetectDceStubDataTestParse05",
1929  DetectDceStubDataTestParse05);
1930  UtRegisterTest("DetectDceStubDataTestParse06",
1931  DetectDceStubDataTestParse06);
1932 }
1933 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:117
app-layer-dcerpc.h
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1403
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1104
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1210
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:375
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Signature_::alproto
AppProto alproto
Definition: detect.h:531
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:365
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
InspectionBuffer
Definition: detect.h:343
Packet_::flags
uint32_t flags
Definition: decode.h:447
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2039
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1204
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:347
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:443
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:42
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1061
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:264
STREAM_START
#define STREAM_START
Definition: stream.h:29
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:599
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:261
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:186
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1641
Packet_
Definition: decode.h:412
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:232
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
detect-engine-content-inspection.h
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2344
Packet_::flow
struct Flow_ * flow
Definition: decode.h:449
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
SigTableElmt_::alias
const char * alias
Definition: detect.h:1211
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1179
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1120
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1211
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:344
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:59
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:221
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1379
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:992
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
TcpSession_
Definition: stream-tcp-private.h:261
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:41
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1102
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202
app-layer.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468