suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-prefilter.h"
36 #include "detect-engine-content-inspection.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "app-layer.h"
43 #include "app-layer-dcerpc.h"
44 #include "queue.h"
45 #include "stream-tcp-reassemble.h"
46 
47 #include "detect-dce-stub-data.h"
48 #include "detect-dce-iface.h"
49 
50 #include "util-debug.h"
51 
52 #include "util-unittest.h"
53 #include "util-unittest-helper.h"
54 
55 #include "stream-tcp.h"
56 
57 #include "rust.h"
58 
59 #define BUFFER_NAME "dce_stub_data"
60 #define KEYWORD_NAME "dce_stub_data"
61 
62 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
63 static void DetectDceStubDataRegisterTests(void);
64 static int g_dce_stub_data_buffer_id = 0;
65 
66 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
67  const DetectEngineTransforms *transforms,
68  Flow *_f, const uint8_t flow_flags,
69  void *txv, const int list_id)
70 {
71  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
72  if (buffer->inspect == NULL) {
73  uint32_t data_len = 0;
74  const uint8_t *data = NULL;
75  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
76  if (rs_smb_tx_get_stub_data(txv, dir, &data, &data_len) != 1)
77  return NULL;
78  SCLogDebug("have data!");
79 
80  InspectionBufferSetup(buffer, data, data_len);
81  InspectionBufferApplyTransforms(buffer, transforms);
82  }
83  return buffer;
84 }
85 
86 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
87  const DetectEngineTransforms *transforms,
88  Flow *_f, const uint8_t flow_flags,
89  void *txv, const int list_id)
90 {
91  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
92  if (buffer->inspect == NULL) {
93  uint32_t data_len = 0;
94  uint8_t *data = NULL;
95 
96  DCERPCState *dcerpc_state = txv;
97  if (dcerpc_state == NULL)
98  return NULL;
99 
100  if (flow_flags & STREAM_TOSERVER) {
101  data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len;
102  data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer;
103  } else if (flow_flags & STREAM_TOCLIENT) {
104  data_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
105  data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
106  }
107  if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) {
108  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
109  } else {
110  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
111  }
112  InspectionBufferSetup(buffer, data, data_len);
113  InspectionBufferApplyTransforms(buffer, transforms);
114  }
115  return buffer;
116 }
117 
118 /**
119  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
120  */
121 void DetectDceStubDataRegister(void)
122 {
123  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
124  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
125  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
126  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
127  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
128 
129  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
130  ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
131  DetectEngineInspectBufferGeneric,
132  GetSMBData);
133  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
134  PrefilterGenericMpmRegister, GetSMBData,
135  ALPROTO_SMB, 0);
136  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
137  ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
138  DetectEngineInspectBufferGeneric,
139  GetSMBData);
140  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
141  PrefilterGenericMpmRegister, GetSMBData,
142  ALPROTO_SMB, 0);
143 
144  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
145  ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
146  DetectEngineInspectBufferGeneric,
147  GetDCEData);
148  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
149  PrefilterGenericMpmRegister, GetDCEData,
150  ALPROTO_DCERPC, 0);
151  DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
152  ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
153  DetectEngineInspectBufferGeneric,
154  GetDCEData);
155  DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
156  PrefilterGenericMpmRegister, GetDCEData,
157  ALPROTO_DCERPC, 0);
158 
159  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
160 }
161 
162 /**
163  * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
164  * and appends it to the Signature(s).
165  *
166  * \param de_ctx Pointer to the detection engine context
167  * \param s Pointer to signature for the current Signature being parsed
168  * from the rules
169  * \param arg Pointer to the string holding the keyword value
170  *
171  * \retval 0 on success, -1 on failure
172  */
173 
174 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
175 {
176  if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
177  return -1;
178  return 0;
179 }
180 
181 /************************************Unittests*********************************/
182 
183 #ifdef UNITTESTS
184 
185 static int DetectDceStubDataTestParse01(void)
186 {
187  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
188  FAIL_IF_NULL(de_ctx);
189  de_ctx->flags = DE_QUIET;
190  Signature *s = DetectEngineAppendSig(de_ctx,
191  "alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
192  FAIL_IF_NULL(s);
193  FAIL_IF_NULL(s->sm_lists[g_dce_stub_data_buffer_id]);
194  DetectEngineCtxFree(de_ctx);
195  PASS;
196 }
197 
198 /**
199  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
200  */
201 static int DetectDceStubDataTestParse02(void)
202 {
203  int result = 0;
204  Signature *s = NULL;
205  ThreadVars th_v;
206  Packet *p = NULL;
207  Flow f;
208  TcpSession ssn;
209  DetectEngineThreadCtx *det_ctx = NULL;
210  DetectEngineCtx *de_ctx = NULL;
211  DCERPCState *dcerpc_state = NULL;
212  int r = 0;
213 
214  uint8_t dcerpc_bind[] = {
215  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
216  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
217  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
218  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
219  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
220  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
221  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
222  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
223  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
224  };
225 
226  uint8_t dcerpc_bindack[] = {
227  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
228  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
229  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
230  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
231  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
232  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
234  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
235  0x02, 0x00, 0x00, 0x00
236  };
237 
238  /* todo chop the request frag length and change the
239  * length related parameters in the frag */
240  uint8_t dcerpc_request[] = {
241  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
242  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
243  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
244  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
245  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
246  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
247  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
248  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
249  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
250  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
251  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
252  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
253  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
254  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
255  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
256  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
257  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
258  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
259  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
260  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
261  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
262  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
263  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
264  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
265  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
266  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
267  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
268  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
269  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
270  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
271  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
272  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
273  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
274  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
275  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
276  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
277  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
278  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
279  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
280  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
281  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
282  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
283  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
284  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
285  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
286  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
287  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
288  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
289  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
290  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
291  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
292  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
293  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
294  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
295  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
296  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
297  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
298  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
299  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
300  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
301  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
302  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
303  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
304  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
305  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
306  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
307  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
308  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
309  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
310  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
311  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
312  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
313  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
314  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
315  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
316  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
317  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
318  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
319  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
320  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
321  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
322  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
323  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
324  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
466  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
467  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
468  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
469  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
470  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
471  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
472  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
473  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
474  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
475  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
476  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
477  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
478  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
479  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
480  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
481  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
482  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
483  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
484  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
485  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
486  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
487  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
488  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
489  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
490  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
491  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
492  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
493  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
494  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
495  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
496  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
497  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
498  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
499  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
500  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
501  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
502  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
503  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
504  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
505  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
506  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
507  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
508  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
509  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
510  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
511  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
512  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
513  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
514  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
515  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
516  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
517  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
518  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
519  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
520  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
521  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
522  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
567  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
568  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
569  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
570  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
571  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
572  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
573  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
574  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
575  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
576  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
577  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
578  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
579  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
580  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
581  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
582  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
583  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
584  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
585  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
586  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
587  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
588  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
633  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
634  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
635  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
636  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
637  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
638  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
639  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
640  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
641  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
642  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
643  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
644  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
645  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
646  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
647  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
648  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
649  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
650  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
651  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
652  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
653  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
654  0x01, 0x02, 0x03, 0x04
655  };
656 
657  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
658  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
659  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
660  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
661 
662  memset(&th_v, 0, sizeof(th_v));
663  memset(&f, 0, sizeof(f));
664  memset(&ssn, 0, sizeof(ssn));
665 
666  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
667 
668  FLOW_INITIALIZE(&f);
669  f.protoctx = (void *)&ssn;
670  f.proto = IPPROTO_TCP;
671  p->flow = &f;
672  p->flowflags |= FLOW_PKT_TOSERVER;
673  p->flowflags |= FLOW_PKT_ESTABLISHED;
674  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
675  f.alproto = ALPROTO_DCERPC;
676 
677  StreamTcpInitConfig(TRUE);
678 
679  de_ctx = DetectEngineCtxInit();
680  if (de_ctx == NULL)
681  goto end;
682 
683  de_ctx->flags |= DE_QUIET;
684 
685  s = de_ctx->sig_list = SigInit(de_ctx,
686  "alert tcp any any -> any any "
687  "(msg:\"DCERPC\"; "
688  "dce_stub_data; content:\"|42 42 42 42|\";"
689  "sid:1;)");
690  if (s == NULL)
691  goto end;
692 
693  SigGroupBuild(de_ctx);
694  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
695 
696  FLOWLOCK_WRLOCK(&f);
697  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
698  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
699  dcerpc_bind_len);
700  if (r != 0) {
701  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
702  FLOWLOCK_UNLOCK(&f);
703  goto end;
704  }
705  FLOWLOCK_UNLOCK(&f);
706 
707  dcerpc_state = f.alstate;
708  if (dcerpc_state == NULL) {
709  SCLogDebug("no dcerpc state: ");
710  goto end;
711  }
712 
713  p->flowflags &=~ FLOW_PKT_TOCLIENT;
714  p->flowflags |= FLOW_PKT_TOSERVER;
715  /* do detect */
716  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
717 
718  /* we shouldn't have any stub data */
719  if (PacketAlertCheck(p, 1))
720  goto end;
721 
722  /* do detect */
723  FLOWLOCK_WRLOCK(&f);
724  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
725  STREAM_TOCLIENT, dcerpc_bindack,
726  dcerpc_bindack_len);
727  if (r != 0) {
728  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
729  FLOWLOCK_UNLOCK(&f);
730  goto end;
731  }
732  FLOWLOCK_UNLOCK(&f);
733 
734  p->flowflags &=~ FLOW_PKT_TOSERVER;
735  p->flowflags |= FLOW_PKT_TOCLIENT;
736  /* do detect */
737  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
738 
739  /* we shouldn't have any stub data */
740  if (PacketAlertCheck(p, 1))
741  goto end;
742 
743  FLOWLOCK_WRLOCK(&f);
744  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
745  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
746  dcerpc_request_len);
747  if (r != 0) {
748  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
749  FLOWLOCK_UNLOCK(&f);
750  goto end;
751  }
752  FLOWLOCK_UNLOCK(&f);
753 
754  p->flowflags &=~ FLOW_PKT_TOCLIENT;
755  p->flowflags |= FLOW_PKT_TOSERVER;
756  /* do detect */
757  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
758 
759  /* we should have the stub data since we previously parsed a request frag */
760  if (!PacketAlertCheck(p, 1))
761  goto end;
762 
763  result = 1;
764 
765  end:
766  if (alp_tctx != NULL)
767  AppLayerParserThreadCtxFree(alp_tctx);
768  SigGroupCleanup(de_ctx);
769  SigCleanSignatures(de_ctx);
770 
771  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
772  DetectEngineCtxFree(de_ctx);
773 
774  StreamTcpFreeConfig(TRUE);
775  FLOW_DESTROY(&f);
776 
777  UTHFreePackets(&p, 1);
778  return result;
779 }
780 
781 /**
782  * \test Test a valid dce_stub_data with just a request frag.
783  */
784 static int DetectDceStubDataTestParse03(void)
785 {
786  Signature *s = NULL;
787  ThreadVars th_v;
788  Packet *p = NULL;
789  Flow f;
790  TcpSession ssn;
791  DetectEngineThreadCtx *det_ctx = NULL;
792  DetectEngineCtx *de_ctx = NULL;
793  DCERPCState *dcerpc_state = NULL;
794  int r = 0;
795 
796  /* todo chop the request frag length and change the
797  * length related parameters in the frag */
798  uint8_t dcerpc_request[] = {
799  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
800  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
801  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
802  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
803  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
804  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
805  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
806  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
807  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
808  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
809  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
810  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
811  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
812  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
813  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
814  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
815  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
816  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
817  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
818  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
819  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
820  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
821  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
822  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
823  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
824  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
825  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
826  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
827  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
828  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
829  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
830  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
831  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
832  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
833  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
834  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
835  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
836  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
837  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
838  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
839  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
840  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
841  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
842  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
843  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
844  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
845  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
846  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
847  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
848  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
849  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
850  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
851  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
852  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
853  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
854  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
855  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
856  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
857  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
858  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
859  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
860  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
861  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
862  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
863  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
864  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
865  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
866  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
867  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
868  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
869  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
870  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
871  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
872  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
873  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
874  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
875  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
876  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
877  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
878  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
879  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
880  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
881  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
882  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1016  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1017  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1018  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1019  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1020  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1021  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1022  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1023  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1024  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1025  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1026  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1027  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1028  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1029  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1030  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1031  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1032  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1033  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1034  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1035  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1036  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1037  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1038  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1039  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1040  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1041  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1042  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1043  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1044  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1045  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1046  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1047  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1048  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1049  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1050  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1051  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1052  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1053  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1054  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1055  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1056  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1057  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1058  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1059  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1060  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1061  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1062  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1063  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1064  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1065  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1066  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1067  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1068  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1070  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1071  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1072  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1073  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1074  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1075  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1076  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1077  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1078  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1079  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1080  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1117  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1118  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1119  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1120  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1121  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1122  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1123  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1124  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1125  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1126  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1127  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1128  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1129  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1130  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1131  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1132  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1133  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1134  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1135  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1136  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1137  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1138  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1139  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1140  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1141  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1142  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1143  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1144  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1145  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1146  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1183  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1184  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1185  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1186  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1187  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1188  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1189  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1190  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1191  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1192  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1193  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1194  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1195  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1196  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1197  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1198  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1199  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1200  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1201  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1202  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1203  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1204  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1205  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1206  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1207  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1208  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1209  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1210  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1211  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1212  0x01, 0x02, 0x03, 0x04
1213  };
1214 
1215  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1216 
1217  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1218 
1219  memset(&th_v, 0, sizeof(th_v));
1220  memset(&f, 0, sizeof(f));
1221  memset(&ssn, 0, sizeof(ssn));
1222 
1223  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1224 
1225  FLOW_INITIALIZE(&f);
1226  f.protoctx = (void *)&ssn;
1227  f.proto = IPPROTO_TCP;
1228  p->flow = &f;
1229  p->flowflags |= FLOW_PKT_TOSERVER;
1230  p->flowflags |= FLOW_PKT_ESTABLISHED;
1231  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1232  f.alproto = ALPROTO_DCERPC;
1233 
1234  StreamTcpInitConfig(TRUE);
1235 
1236  de_ctx = DetectEngineCtxInit();
1237  FAIL_IF(de_ctx == NULL);
1238 
1239  de_ctx->flags |= DE_QUIET;
1240 
1241  s = de_ctx->sig_list = SigInit(de_ctx,
1242  "alert tcp any any -> any any "
1243  "(msg:\"DCERPC\"; "
1244  "dce_stub_data; content:\"|42 42 42 42|\";"
1245  "sid:1;)");
1246  FAIL_IF(s == NULL);
1247 
1248  SigGroupBuild(de_ctx);
1249  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1250 
1251  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1252  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1253  dcerpc_request_len);
1254  FAIL_IF(r != 0);
1255 
1256  dcerpc_state = f.alstate;
1257  FAIL_IF (dcerpc_state == NULL);
1258 
1259  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1260  p->flowflags |= FLOW_PKT_TOSERVER;
1261  /* do detect */
1262  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1263  FAIL_IF(!PacketAlertCheck(p, 1));
1264 
1265  if (alp_tctx != NULL)
1266  AppLayerParserThreadCtxFree(alp_tctx);
1267  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1268  DetectEngineCtxFree(de_ctx);
1269  StreamTcpFreeConfig(TRUE);
1270  FLOW_DESTROY(&f);
1271 
1272  UTHFreePackets(&p, 1);
1273  PASS;
1274 }
1275 
1276 static int DetectDceStubDataTestParse04(void)
1277 {
1278  int result = 0;
1279  Signature *s = NULL;
1280  ThreadVars th_v;
1281  Packet *p = NULL;
1282  Flow f;
1283  TcpSession ssn;
1284  DetectEngineThreadCtx *det_ctx = NULL;
1285  DetectEngineCtx *de_ctx = NULL;
1286  DCERPCState *dcerpc_state = NULL;
1287  int r = 0;
1288 
1289  uint8_t dcerpc_bind[] = {
1290  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1291  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1292  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1293  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1294  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1295  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1296  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1297  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1298  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1299  };
1300 
1301  uint8_t dcerpc_bindack[] = {
1302  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1303  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1304  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1305  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1306  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1307  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1308  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1309  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1310  0x02, 0x00, 0x00, 0x00,
1311  };
1312 
1313  uint8_t dcerpc_request1[] = {
1314  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1315  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1316  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1317  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1318  0x00, 0x00, 0x00, 0x02,
1319  };
1320 
1321  uint8_t dcerpc_response1[] = {
1322  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1323  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1324  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1325  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1326  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1327  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1328  };
1329 
1330  uint8_t dcerpc_request2[] = {
1331  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1332  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1333  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1334  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1335  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1336  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1337  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1338  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1339  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1340  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1341  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1342  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1343  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1344  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1345  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1346  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1347  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1348  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1349  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1350  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1351  0x03, 0x00, 0x00, 0x00,
1352  };
1353 
1354  uint8_t dcerpc_response2[] = {
1355  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1356  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1357  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1358  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1359  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1360  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1361  };
1362 
1363  uint8_t dcerpc_request3[] = {
1364  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1365  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1366  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1367  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1368  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1369  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1370  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1371  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1372  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1373  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1374  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1375  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1376  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1377  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1378  };
1379 
1380  uint8_t dcerpc_response3[] = {
1381  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1382  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1383  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384  0x00, 0x00, 0x00, 0x00,
1385  };
1386 
1387  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1388  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1389 
1390  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1391  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1392 
1393  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1394  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1395 
1396  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1397  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1398 
1399  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1400 
1401  memset(&th_v, 0, sizeof(th_v));
1402  memset(&f, 0, sizeof(f));
1403  memset(&ssn, 0, sizeof(ssn));
1404 
1405  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1406 
1407  FLOW_INITIALIZE(&f);
1408  f.protoctx = (void *)&ssn;
1409  f.proto = IPPROTO_TCP;
1410  p->flow = &f;
1411  p->flowflags |= FLOW_PKT_TOSERVER;
1412  p->flowflags |= FLOW_PKT_ESTABLISHED;
1413  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1414  f.alproto = ALPROTO_DCERPC;
1415 
1416  StreamTcpInitConfig(TRUE);
1417 
1418  de_ctx = DetectEngineCtxInit();
1419  if (de_ctx == NULL)
1420  goto end;
1421 
1422  de_ctx->flags |= DE_QUIET;
1423 
1424  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1425  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1426  if (s == NULL)
1427  goto end;
1428  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1429  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1430  if (s == NULL)
1431  goto end;
1432  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1433  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1434  if (s == NULL)
1435  goto end;
1436 
1437  SigGroupBuild(de_ctx);
1438  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1439 
1440  FLOWLOCK_WRLOCK(&f);
1441  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1442  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1443  dcerpc_bind_len);
1444  if (r != 0) {
1445  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1446  FLOWLOCK_UNLOCK(&f);
1447  goto end;
1448  }
1449  FLOWLOCK_UNLOCK(&f);
1450  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1451  p->flowflags |= FLOW_PKT_TOSERVER;
1452  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1453 
1454  dcerpc_state = f.alstate;
1455  if (dcerpc_state == NULL) {
1456  SCLogDebug("no dcerpc state: ");
1457  goto end;
1458  }
1459 
1460  FLOWLOCK_WRLOCK(&f);
1461  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1462  STREAM_TOCLIENT, dcerpc_bindack,
1463  dcerpc_bindack_len);
1464  if (r != 0) {
1465  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1466  FLOWLOCK_UNLOCK(&f);
1467  goto end;
1468  }
1469  FLOWLOCK_UNLOCK(&f);
1470  p->flowflags &=~ FLOW_PKT_TOSERVER;
1471  p->flowflags |= FLOW_PKT_TOCLIENT;
1472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1473 
1474  /* request1 */
1475  FLOWLOCK_WRLOCK(&f);
1476  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1477  STREAM_TOSERVER, dcerpc_request1,
1478  dcerpc_request1_len);
1479  if (r != 0) {
1480  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1481  FLOWLOCK_UNLOCK(&f);
1482  goto end;
1483  }
1484  FLOWLOCK_UNLOCK(&f);
1485 
1486  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1487  p->flowflags |= FLOW_PKT_TOSERVER;
1488  /* do detect */
1489  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1490 
1491  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1492  goto end;
1493 
1494  /* response1 */
1495  FLOWLOCK_WRLOCK(&f);
1496  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1497  STREAM_TOCLIENT, dcerpc_response1,
1498  dcerpc_response1_len);
1499  if (r != 0) {
1500  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1501  FLOWLOCK_UNLOCK(&f);
1502  goto end;
1503  }
1504  FLOWLOCK_UNLOCK(&f);
1505 
1506  p->flowflags &=~ FLOW_PKT_TOSERVER;
1507  p->flowflags |= FLOW_PKT_TOCLIENT;
1508  /* do detect */
1509  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1510 
1511  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1512  goto end;
1513 
1514  /* request2 */
1515  FLOWLOCK_WRLOCK(&f);
1516  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1517  STREAM_TOSERVER, dcerpc_request2,
1518  dcerpc_request2_len);
1519  if (r != 0) {
1520  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1521  FLOWLOCK_UNLOCK(&f);
1522  goto end;
1523  }
1524  FLOWLOCK_UNLOCK(&f);
1525 
1526  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1527  p->flowflags |= FLOW_PKT_TOSERVER;
1528  /* do detect */
1529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1530 
1531  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1532  goto end;
1533 
1534  /* response2 */
1535  FLOWLOCK_WRLOCK(&f);
1536  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1537  STREAM_TOCLIENT, dcerpc_response2,
1538  dcerpc_response2_len);
1539  if (r != 0) {
1540  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1541  FLOWLOCK_UNLOCK(&f);
1542  goto end;
1543  }
1544  FLOWLOCK_UNLOCK(&f);
1545 
1546  p->flowflags &=~ FLOW_PKT_TOSERVER;
1547  p->flowflags |= FLOW_PKT_TOCLIENT;
1548  /* do detect */
1549  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1550 
1551  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1552  goto end;
1553 
1554  /* request3 */
1555  FLOWLOCK_WRLOCK(&f);
1556  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1557  STREAM_TOSERVER, dcerpc_request3,
1558  dcerpc_request3_len);
1559  if (r != 0) {
1560  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1561  FLOWLOCK_UNLOCK(&f);
1562  goto end;
1563  }
1564  FLOWLOCK_UNLOCK(&f);
1565 
1566  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1567  p->flowflags |= FLOW_PKT_TOSERVER;
1568  /* do detect */
1569  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1570 
1571  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1572  goto end;
1573 
1574  /* response3 */
1575  FLOWLOCK_WRLOCK(&f);
1576  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1577  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1578  dcerpc_response3_len);
1579  if (r != 0) {
1580  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1581  FLOWLOCK_UNLOCK(&f);
1582  goto end;
1583  }
1584  FLOWLOCK_UNLOCK(&f);
1585 
1586  p->flowflags &=~ FLOW_PKT_TOSERVER;
1587  p->flowflags |= FLOW_PKT_TOCLIENT;
1588  /* do detect */
1589  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1590 
1591  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1592  goto end;
1593 
1594  result = 1;
1595 
1596  end:
1597  if (alp_tctx != NULL)
1598  AppLayerParserThreadCtxFree(alp_tctx);
1599  SigGroupCleanup(de_ctx);
1600  SigCleanSignatures(de_ctx);
1601 
1602  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1603  DetectEngineCtxFree(de_ctx);
1604 
1605  StreamTcpFreeConfig(TRUE);
1606  FLOW_DESTROY(&f);
1607 
1608  UTHFreePackets(&p, 1);
1609  return result;
1610 }
1611 
1612 static int DetectDceStubDataTestParse05(void)
1613 {
1614  int result = 0;
1615  Signature *s = NULL;
1616  ThreadVars th_v;
1617  Packet *p = NULL;
1618  Flow f;
1619  TcpSession ssn;
1620  DetectEngineThreadCtx *det_ctx = NULL;
1621  DetectEngineCtx *de_ctx = NULL;
1622  DCERPCState *dcerpc_state = NULL;
1623  int r = 0;
1624 
1625  uint8_t dcerpc_request1[] = {
1626  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1627  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1628  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1629  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1630  0x00, 0x00, 0x00, 0x02,
1631  };
1632 
1633  uint8_t dcerpc_response1[] = {
1634  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1635  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1636  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1638  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1639  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1640  };
1641 
1642  uint8_t dcerpc_request2[] = {
1643  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1644  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1645  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1646  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1647  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1648  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1649  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1650  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1651  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1652  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1653  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1654  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1655  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1656  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1657  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1658  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1659  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1660  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1661  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1662  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1663  0x03, 0x00, 0x00, 0x00,
1664  };
1665 
1666  uint8_t dcerpc_response2[] = {
1667  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1668  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1669  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1670  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1671  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1672  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1673  };
1674 
1675  uint8_t dcerpc_request3[] = {
1676  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1677  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1678  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1679  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1680  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1681  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1682  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1683  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1684  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1685  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1686  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1687  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1688  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1689  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1690  };
1691 
1692  uint8_t dcerpc_response3[] = {
1693  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1694  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1695  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1696  0x00, 0x00, 0x00, 0x00,
1697  };
1698 
1699  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1700  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1701 
1702  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1703  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1704 
1705  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1706  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1707 
1708  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1709 
1710  memset(&th_v, 0, sizeof(th_v));
1711  memset(&f, 0, sizeof(f));
1712  memset(&ssn, 0, sizeof(ssn));
1713 
1714  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1715 
1716  FLOW_INITIALIZE(&f);
1717  f.protoctx = (void *)&ssn;
1718  f.proto = IPPROTO_TCP;
1719  p->flow = &f;
1720  p->flowflags |= FLOW_PKT_TOSERVER;
1721  p->flowflags |= FLOW_PKT_ESTABLISHED;
1722  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1723  f.alproto = ALPROTO_DCERPC;
1724 
1725  StreamTcpInitConfig(TRUE);
1726 
1727  de_ctx = DetectEngineCtxInit();
1728  if (de_ctx == NULL)
1729  goto end;
1730 
1731  de_ctx->flags |= DE_QUIET;
1732 
1733  s = de_ctx->sig_list = SigInit(de_ctx,
1734  "alert tcp any any -> any any "
1735  "(msg:\"DCERPC\"; "
1736  "dce_stub_data; content:\"|00 02|\"; "
1737  "sid:1;)");
1738  if (s == NULL)
1739  goto end;
1740  s = de_ctx->sig_list->next = SigInit(de_ctx,
1741  "alert tcp any any -> any any "
1742  "(msg:\"DCERPC\"; "
1743  "dce_stub_data; content:\"|00 75|\"; "
1744  "sid:2;)");
1745  if (s == NULL)
1746  goto end;
1747  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1748  "alert tcp any any -> any any "
1749  "(msg:\"DCERPC\"; "
1750  "dce_stub_data; content:\"|00 18|\"; "
1751  "sid:3;)");
1752  if (s == NULL)
1753  goto end;
1754 
1755  SigGroupBuild(de_ctx);
1756  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1757 
1758  /* request1 */
1759  FLOWLOCK_WRLOCK(&f);
1760  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1761  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1762  dcerpc_request1_len);
1763  if (r != 0) {
1764  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1765  FLOWLOCK_UNLOCK(&f);
1766  goto end;
1767  }
1768  FLOWLOCK_UNLOCK(&f);
1769 
1770  dcerpc_state = f.alstate;
1771  if (dcerpc_state == NULL) {
1772  SCLogDebug("no dcerpc state: ");
1773  goto end;
1774  }
1775 
1776  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1777  p->flowflags |= FLOW_PKT_TOSERVER;
1778  /* do detect */
1779  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1780 
1781  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1782  goto end;
1783 
1784  /* response1 */
1785  FLOWLOCK_WRLOCK(&f);
1786  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1787  STREAM_TOCLIENT, dcerpc_response1,
1788  dcerpc_response1_len);
1789  if (r != 0) {
1790  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1791  FLOWLOCK_UNLOCK(&f);
1792  goto end;
1793  }
1794  FLOWLOCK_UNLOCK(&f);
1795 
1796  p->flowflags &=~ FLOW_PKT_TOSERVER;
1797  p->flowflags |= FLOW_PKT_TOCLIENT;
1798  /* do detect */
1799  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1800 
1801  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1802  goto end;
1803 
1804  /* request2 */
1805  FLOWLOCK_WRLOCK(&f);
1806  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1807  STREAM_TOSERVER, dcerpc_request2,
1808  dcerpc_request2_len);
1809  if (r != 0) {
1810  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1811  FLOWLOCK_UNLOCK(&f);
1812  goto end;
1813  }
1814  FLOWLOCK_UNLOCK(&f);
1815 
1816  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1817  p->flowflags |= FLOW_PKT_TOSERVER;
1818  /* do detect */
1819  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1820 
1821  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1822  goto end;
1823 
1824  /* response2 */
1825  FLOWLOCK_WRLOCK(&f);
1826  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1827  STREAM_TOCLIENT, dcerpc_response2,
1828  dcerpc_response2_len);
1829  if (r != 0) {
1830  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1831  FLOWLOCK_UNLOCK(&f);
1832  goto end;
1833  }
1834  FLOWLOCK_UNLOCK(&f);
1835 
1836  p->flowflags &=~ FLOW_PKT_TOSERVER;
1837  p->flowflags |= FLOW_PKT_TOCLIENT;
1838  /* do detect */
1839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1840 
1841  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1842  goto end;
1843 
1844  /* request3 */
1845  FLOWLOCK_WRLOCK(&f);
1846  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1847  STREAM_TOSERVER, dcerpc_request3,
1848  dcerpc_request3_len);
1849  if (r != 0) {
1850  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1851  FLOWLOCK_UNLOCK(&f);
1852  goto end;
1853  }
1854  FLOWLOCK_UNLOCK(&f);
1855 
1856  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1857  p->flowflags |= FLOW_PKT_TOSERVER;
1858  /* do detect */
1859  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1860 
1861  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1862  goto end;
1863 
1864  /* response3 */
1865  FLOWLOCK_WRLOCK(&f);
1866  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1867  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1868  dcerpc_response3_len);
1869  if (r != 0) {
1870  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1871  FLOWLOCK_UNLOCK(&f);
1872  goto end;
1873  }
1874  FLOWLOCK_UNLOCK(&f);
1875 
1876  p->flowflags &=~ FLOW_PKT_TOSERVER;
1877  p->flowflags |= FLOW_PKT_TOCLIENT;
1878  /* do detect */
1879  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1880 
1881  if (PacketAlertCheck(p, 1))
1882  goto end;
1883 
1884  result = 1;
1885 
1886  end:
1887  if (alp_tctx != NULL)
1888  AppLayerParserThreadCtxFree(alp_tctx);
1889 
1890  SigGroupCleanup(de_ctx);
1891  SigCleanSignatures(de_ctx);
1892 
1893  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1894  DetectEngineCtxFree(de_ctx);
1895 
1896  StreamTcpFreeConfig(TRUE);
1897  FLOW_DESTROY(&f);
1898 
1899  UTHFreePackets(&p, 1);
1900  return result;
1901 }
1902 
1903 
1904 #endif
1905 
1906 static void DetectDceStubDataRegisterTests(void)
1907 {
1908 #ifdef UNITTESTS
1909  UtRegisterTest("DetectDceStubDataTestParse01",
1910  DetectDceStubDataTestParse01);
1911  UtRegisterTest("DetectDceStubDataTestParse02",
1912  DetectDceStubDataTestParse02);
1913  UtRegisterTest("DetectDceStubDataTestParse03",
1914  DetectDceStubDataTestParse03);
1915  UtRegisterTest("DetectDceStubDataTestParse04",
1916  DetectDceStubDataTestParse04);
1917  UtRegisterTest("DetectDceStubDataTestParse05",
1918  DetectDceStubDataTestParse05);
1919 #endif
1920 
1921  return;
1922 }
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:121
app-layer-dcerpc.h
DCERPC_::dcerpchdr
DCERPCHdr dcerpchdr
Definition: app-layer-dcerpc-common.h:188
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1394
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1077
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
stream-tcp.h
DCERPCResponse_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:183
DetectEngineTransforms
Definition: detect.h:369
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
Flow_::proto
uint8_t proto
Definition: flow.h:361
DCERPCRequest_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:172
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
InspectionBuffer
Definition: detect.h:342
Packet_::flags
uint32_t flags
Definition: decode.h:444
Flow_
Flow data structure.
Definition: flow.h:342
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:611
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DCERPC_::dcerpcrequest
DCERPCRequest dcerpcrequest
Definition: app-layer-dcerpc-common.h:190
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:346
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:416
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:42
detect-engine-prefilter.h
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1041
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:260
STREAM_START
#define STREAM_START
Definition: stream.h:29
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:860
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:594
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectEngineThreadCtx_
Definition: detect.h:1004
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:257
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:172
DetectEngineInspectBufferGeneric
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1578
DCERPCRequest_::stub_data_buffer_len
uint32_t stub_data_buffer_len
Definition: app-layer-dcerpc-common.h:174
Packet_
Definition: decode.h:408
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:231
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
detect-engine-content-inspection.h
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2316
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
SigTableElmt_::alias
const char * alias
Definition: detect.h:1202
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1181
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1100
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1148
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
DCERPCState_::dcerpc
DCERPC dcerpc
Definition: app-layer-dcerpc.h:35
DCERPCHdr_::packed_drep
uint8_t packed_drep[4]
Definition: app-layer-dcerpc-common.h:102
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:343
DCERPC_::dcerpcresponse
DCERPCResponse dcerpcresponse
Definition: app-layer-dcerpc-common.h:191
Flow_::alstate
void * alstate
Definition: flow.h:454
DCERPCResponse_::stub_data_buffer
uint8_t * stub_data_buffer
Definition: app-layer-dcerpc-common.h:181
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:59
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
STREAM_EOF
#define STREAM_EOF
Definition: stream.h:30
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1370
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:972
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
DCERPCState_
Definition: app-layer-dcerpc.h:34
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:41
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1075
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393