suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-engine-build.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-prefilter.h"
38 #include "detect-engine-content-inspection.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "app-layer.h"
45 #include "app-layer-parser.h"
46 #include "queue.h"
47 #include "stream-tcp-reassemble.h"
48 
49 #include "detect-dce-stub-data.h"
50 
51 #include "util-debug.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 
56 #include "stream-tcp.h"
57 
58 #include "rust.h"
59 
60 #define BUFFER_NAME "dce_stub_data"
61 
62 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
63 #ifdef UNITTESTS
64 static void DetectDceStubDataRegisterTests(void);
65 #endif
66 static int g_dce_stub_data_buffer_id = 0;
67 
68 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
69  const DetectEngineTransforms *transforms,
70  Flow *_f, const uint8_t flow_flags,
71  void *txv, const int list_id)
72 {
73  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
74  if (!buffer->initialized) {
75  uint32_t data_len = 0;
76  const uint8_t *data = NULL;
77  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
78  if (SCSmbTxGetStubData(txv, dir, &data, &data_len) != 1)
79  return NULL;
80  SCLogDebug("have data!");
81 
82  InspectionBufferSetupAndApplyTransforms(
83  det_ctx, list_id, buffer, data, data_len, transforms);
84  }
85  return buffer;
86 }
87 
88 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
89  const DetectEngineTransforms *transforms,
90  Flow *_f, const uint8_t flow_flags,
91  void *txv, const int list_id)
92 {
93  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
94  if (!buffer->initialized) {
95  uint32_t data_len = 0;
96  const uint8_t *data = NULL;
97  uint8_t endianness;
98 
99  SCDcerpcGetStubData(txv, &data, &data_len, &endianness, flow_flags);
100  if (data == NULL || data_len == 0)
101  return NULL;
102 
103  if (endianness > 0) {
104  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
105  } else {
106  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
107  }
108  InspectionBufferSetupAndApplyTransforms(
109  det_ctx, list_id, buffer, data, data_len, transforms);
110  }
111  return buffer;
112 }
113 
114 /**
115  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
116  */
117 void DetectDceStubDataRegister(void)
118 {
119  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
120  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
122  sigmatch_table[DETECT_DCE_STUB_DATA].desc = "match on the stub data in a DCERPC packet";
123  sigmatch_table[DETECT_DCE_STUB_DATA].url = "/rules/dcerpc-keywords.html#dcerpc-stub-data";
124 #ifdef UNITTESTS
125  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
126 #endif
127  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
128 
129  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
130  DetectEngineInspectBufferGeneric, GetSMBData);
131  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
132  GetSMBData, ALPROTO_SMB, 0);
133  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
134  DetectEngineInspectBufferGeneric, GetSMBData);
135  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
136  GetSMBData, ALPROTO_SMB, 0);
137 
138  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
139  DetectEngineInspectBufferGeneric, GetDCEData);
140  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
141  GetDCEData, ALPROTO_DCERPC, 0);
142  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
143  DetectEngineInspectBufferGeneric, GetDCEData);
144  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
145  GetDCEData, ALPROTO_DCERPC, 0);
146 
147  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
148 }
149 
150 /**
151  * \brief setups the dce_stub_data list
152  *
153  * \param de_ctx Pointer to the detection engine context
154  * \param s Pointer to signature for the current Signature being parsed
155  * from the rules
156  * \param arg Pointer to the string holding the keyword value
157  *
158  * \retval 0 on success, -1 on failure
159  */
160 
161 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
162 {
163  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
164  return -1;
165  if (SCDetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
166  return -1;
167  return 0;
168 }
169 
170 /************************************Unittests*********************************/
171 
172 #ifdef UNITTESTS
173 #include "detect-engine-alert.h"
174 
175 /**
176  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
177  */
178 static int DetectDceStubDataTestParse02(void)
179 {
180  int result = 0;
181  Signature *s = NULL;
182  ThreadVars th_v;
183  Packet *p = NULL;
184  Flow f;
185  TcpSession ssn;
186  DetectEngineThreadCtx *det_ctx = NULL;
187  DetectEngineCtx *de_ctx = NULL;
188  DCERPCState *dcerpc_state = NULL;
189  int r = 0;
190 
191  uint8_t dcerpc_bind[] = {
192  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
193  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
194  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
195  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
196  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
197  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
198  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
199  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
200  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
201  };
202 
203  uint8_t dcerpc_bindack[] = {
204  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
205  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
206  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
207  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
208  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
209  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
210  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
211  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
212  0x02, 0x00, 0x00, 0x00
213  };
214 
215  /* todo chop the request frag length and change the
216  * length related parameters in the frag */
217  uint8_t dcerpc_request[] = {
218  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
219  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
220  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
221  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
222  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
223  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
224  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
225  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
226  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
227  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
228  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
229  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
230  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
231  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
232  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
233  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
234  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
235  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
236  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
237  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
238  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
239  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
240  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
241  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
242  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
243  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
244  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
245  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
246  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
247  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
248  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
249  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
250  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
251  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
252  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
253  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
254  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
255  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
256  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
257  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
258  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
259  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
260  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
261  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
262  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
263  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
264  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
265  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
266  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
267  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
268  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
269  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
270  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
271  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
272  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
273  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
274  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
275  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
276  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
277  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
278  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
279  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
280  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
281  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
282  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
283  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
284  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
285  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
286  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
287  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
288  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
289  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
290  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
291  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
292  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
293  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
294  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
295  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
296  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
297  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
298  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
299  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
300  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
301  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
302  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
465  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
466  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
467  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
468  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
469  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
470  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
471  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
472  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
473  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
474  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
475  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
476  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
477  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
478  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
479  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
480  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
481  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
482  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
483  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
484  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
485  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
486  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
487  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
488  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
489  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
490  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
491  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
492  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
493  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
494  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
495  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
496  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
497  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
498  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
499  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
500  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
566  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x01, 0x02, 0x03, 0x04
632  };
633 
634  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
635  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
636  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
637  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
638 
639  memset(&th_v, 0, sizeof(th_v));
640  StatsThreadInit(&th_v.stats);
641  memset(&f, 0, sizeof(f));
642  memset(&ssn, 0, sizeof(ssn));
643 
644  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
645 
646  FLOW_INITIALIZE(&f);
647  f.protoctx = (void *)&ssn;
648  f.proto = IPPROTO_TCP;
649  p->flow = &f;
650  p->flowflags |= FLOW_PKT_TOSERVER;
651  p->flowflags |= FLOW_PKT_ESTABLISHED;
652  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
653  f.alproto = ALPROTO_DCERPC;
654 
655  StreamTcpInitConfig(true);
656 
657  de_ctx = DetectEngineCtxInit();
658  if (de_ctx == NULL)
659  goto end;
660 
661  de_ctx->flags |= DE_QUIET;
662 
663  s = de_ctx->sig_list = SigInit(de_ctx,
664  "alert tcp any any -> any any "
665  "(msg:\"DCERPC\"; "
666  "dce_stub_data; content:\"|42 42 42 42|\";"
667  "sid:1;)");
668  if (s == NULL)
669  goto end;
670 
671  SigGroupBuild(de_ctx);
672  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
673 
674  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
675  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
676  dcerpc_bind_len);
677  if (r != 0) {
678  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
679  goto end;
680  }
681 
682  dcerpc_state = f.alstate;
683  if (dcerpc_state == NULL) {
684  SCLogDebug("no dcerpc state: ");
685  goto end;
686  }
687 
688  p->flowflags &=~ FLOW_PKT_TOCLIENT;
689  p->flowflags |= FLOW_PKT_TOSERVER;
690  /* do detect */
691  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
692 
693  /* we shouldn't have any stub data */
694  if (PacketAlertCheck(p, 1))
695  goto end;
696 
697  /* do detect */
698  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
699  STREAM_TOCLIENT, dcerpc_bindack,
700  dcerpc_bindack_len);
701  if (r != 0) {
702  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
703  goto end;
704  }
705 
706  p->flowflags &=~ FLOW_PKT_TOSERVER;
707  p->flowflags |= FLOW_PKT_TOCLIENT;
708  /* do detect */
709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
710 
711  /* we shouldn't have any stub data */
712  if (PacketAlertCheck(p, 1))
713  goto end;
714 
715  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
716  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
717  dcerpc_request_len);
718  if (r != 0) {
719  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
720  goto end;
721  }
722 
723  p->flowflags &=~ FLOW_PKT_TOCLIENT;
724  p->flowflags |= FLOW_PKT_TOSERVER;
725  /* do detect */
726  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
727 
728  /* we should have the stub data since we previously parsed a request frag */
729  if (!PacketAlertCheck(p, 1))
730  goto end;
731 
732  result = 1;
733 
734  end:
735  if (alp_tctx != NULL)
736  AppLayerParserThreadCtxFree(alp_tctx);
737  SigGroupCleanup(de_ctx);
738  SigCleanSignatures(de_ctx);
739 
740  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
741  DetectEngineCtxFree(de_ctx);
742 
743  StreamTcpFreeConfig(true);
744  FLOW_DESTROY(&f);
745 
746  UTHFreePackets(&p, 1);
747  StatsThreadCleanup(&th_v.stats);
748  return result;
749 }
750 
751 /**
752  * \test Test a valid dce_stub_data with just a request frag.
753  */
754 static int DetectDceStubDataTestParse03(void)
755 {
756  Signature *s = NULL;
757  ThreadVars th_v;
758  Packet *p = NULL;
759  Flow f;
760  TcpSession ssn;
761  DetectEngineThreadCtx *det_ctx = NULL;
762  DetectEngineCtx *de_ctx = NULL;
763  DCERPCState *dcerpc_state = NULL;
764  int r = 0;
765 
766  /* todo chop the request frag length and change the
767  * length related parameters in the frag */
768  uint8_t dcerpc_request[] = {
769  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
770  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
771  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
772  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
773  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
774  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
775  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
776  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
777  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
778  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
779  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
780  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
781  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
782  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
783  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
784  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
785  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
786  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
787  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
788  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
789  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
790  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
791  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
792  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
793  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
794  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
795  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
796  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
797  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
798  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
799  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
800  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
801  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
802  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
803  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
804  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
805  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
806  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
807  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
808  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
809  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
810  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
811  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
812  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
813  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
814  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
815  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
816  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
817  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
818  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
819  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
820  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
821  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
822  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
823  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
824  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
825  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
826  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
827  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
828  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
829  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
830  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
831  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
832  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
833  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
834  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
835  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
836  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
837  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
838  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
839  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
840  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
841  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
842  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
843  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
844  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
845  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
846  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
847  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
848  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
849  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
850  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
851  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
852  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1016  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1017  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1018  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1019  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1020  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1021  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1022  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1023  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1024  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1025  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1026  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1027  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1028  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1029  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1030  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1031  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1032  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1033  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1034  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1035  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1036  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1037  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1038  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1040  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1041  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1042  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1043  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1044  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1045  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1046  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1047  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1048  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1049  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1050  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x01, 0x02, 0x03, 0x04
1183  };
1184 
1185  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1186 
1187  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1188 
1189  memset(&th_v, 0, sizeof(th_v));
1190  StatsThreadInit(&th_v.stats);
1191  memset(&f, 0, sizeof(f));
1192  memset(&ssn, 0, sizeof(ssn));
1193 
1194  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1195 
1196  FLOW_INITIALIZE(&f);
1197  f.protoctx = (void *)&ssn;
1198  f.proto = IPPROTO_TCP;
1199  p->flow = &f;
1200  p->flowflags |= FLOW_PKT_TOSERVER;
1201  p->flowflags |= FLOW_PKT_ESTABLISHED;
1202  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1203  f.alproto = ALPROTO_DCERPC;
1204 
1205  StreamTcpInitConfig(true);
1206 
1207  de_ctx = DetectEngineCtxInit();
1208  FAIL_IF(de_ctx == NULL);
1209 
1210  de_ctx->flags |= DE_QUIET;
1211 
1212  s = de_ctx->sig_list = SigInit(de_ctx,
1213  "alert tcp any any -> any any "
1214  "(msg:\"DCERPC\"; "
1215  "dce_stub_data; content:\"|42 42 42 42|\";"
1216  "sid:1;)");
1217  FAIL_IF(s == NULL);
1218 
1219  SigGroupBuild(de_ctx);
1220  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1221 
1222  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1223  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1224  dcerpc_request_len);
1225  FAIL_IF(r != 0);
1226 
1227  dcerpc_state = f.alstate;
1228  FAIL_IF (dcerpc_state == NULL);
1229 
1230  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1231  p->flowflags |= FLOW_PKT_TOSERVER;
1232  /* do detect */
1233  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1234  FAIL_IF(!PacketAlertCheck(p, 1));
1235 
1236  if (alp_tctx != NULL)
1237  AppLayerParserThreadCtxFree(alp_tctx);
1238  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1239  DetectEngineCtxFree(de_ctx);
1240  StreamTcpFreeConfig(true);
1241  FLOW_DESTROY(&f);
1242 
1243  UTHFreePackets(&p, 1);
1244  StatsThreadCleanup(&th_v.stats);
1245  PASS;
1246 }
1247 
1248 static int DetectDceStubDataTestParse04(void)
1249 {
1250  int result = 0;
1251  Signature *s = NULL;
1252  ThreadVars th_v;
1253  Packet *p = NULL;
1254  Flow f;
1255  TcpSession ssn;
1256  DetectEngineThreadCtx *det_ctx = NULL;
1257  DetectEngineCtx *de_ctx = NULL;
1258  DCERPCState *dcerpc_state = NULL;
1259  int r = 0;
1260 
1261  uint8_t dcerpc_bind[] = {
1262  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1263  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1264  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1265  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1266  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1267  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1268  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1269  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1270  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1271  };
1272 
1273  uint8_t dcerpc_bindack[] = {
1274  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1275  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1276  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1277  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1278  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1279  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1280  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1281  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1282  0x02, 0x00, 0x00, 0x00,
1283  };
1284 
1285  uint8_t dcerpc_request1[] = {
1286  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1287  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1288  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1289  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1290  0x00, 0x00, 0x00, 0x02,
1291  };
1292 
1293  uint8_t dcerpc_response1[] = {
1294  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1295  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1296  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1298  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1299  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1300  };
1301 
1302  uint8_t dcerpc_request2[] = {
1303  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1304  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1305  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1306  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1307  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1308  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1309  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1310  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1311  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1312  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1313  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1314  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1315  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1316  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1317  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1318  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1319  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1320  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1321  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1322  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1323  0x03, 0x00, 0x00, 0x00,
1324  };
1325 
1326  uint8_t dcerpc_response2[] = {
1327  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1328  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1329  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1330  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1331  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1332  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1333  };
1334 
1335  uint8_t dcerpc_request3[] = {
1336  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1337  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1338  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1339  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1340  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1341  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1342  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1343  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1344  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1345  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1346  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1347  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1348  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1349  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1350  };
1351 
1352  uint8_t dcerpc_response3[] = {
1353  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1354  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1355  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1356  0x00, 0x00, 0x00, 0x00,
1357  };
1358 
1359  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1360  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1361 
1362  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1363  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1364 
1365  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1366  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1367 
1368  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1369  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1370 
1371  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1372 
1373  memset(&th_v, 0, sizeof(th_v));
1374  StatsThreadInit(&th_v.stats);
1375  memset(&f, 0, sizeof(f));
1376  memset(&ssn, 0, sizeof(ssn));
1377 
1378  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1379 
1380  FLOW_INITIALIZE(&f);
1381  f.protoctx = (void *)&ssn;
1382  f.proto = IPPROTO_TCP;
1383  p->flow = &f;
1384  p->flowflags |= FLOW_PKT_TOSERVER;
1385  p->flowflags |= FLOW_PKT_ESTABLISHED;
1386  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1387  f.alproto = ALPROTO_DCERPC;
1388 
1389  StreamTcpInitConfig(true);
1390 
1391  de_ctx = DetectEngineCtxInit();
1392  if (de_ctx == NULL)
1393  goto end;
1394 
1395  de_ctx->flags |= DE_QUIET;
1396 
1397  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1398  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1399  if (s == NULL)
1400  goto end;
1401  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1402  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1403  if (s == NULL)
1404  goto end;
1405  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1406  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1407  if (s == NULL)
1408  goto end;
1409 
1410  SigGroupBuild(de_ctx);
1411  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1412 
1413  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1414  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1415  dcerpc_bind_len);
1416  if (r != 0) {
1417  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1418  goto end;
1419  }
1420  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1421  p->flowflags |= FLOW_PKT_TOSERVER;
1422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1423 
1424  dcerpc_state = f.alstate;
1425  if (dcerpc_state == NULL) {
1426  SCLogDebug("no dcerpc state: ");
1427  goto end;
1428  }
1429 
1430  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1431  STREAM_TOCLIENT, dcerpc_bindack,
1432  dcerpc_bindack_len);
1433  if (r != 0) {
1434  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1435  goto end;
1436  }
1437  p->flowflags &=~ FLOW_PKT_TOSERVER;
1438  p->flowflags |= FLOW_PKT_TOCLIENT;
1439  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1440 
1441  /* request1 */
1442  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1443  STREAM_TOSERVER, dcerpc_request1,
1444  dcerpc_request1_len);
1445  if (r != 0) {
1446  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1447  goto end;
1448  }
1449 
1450  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1451  p->flowflags |= FLOW_PKT_TOSERVER;
1452  /* do detect */
1453  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1454 
1455  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1456  goto end;
1457 
1458  /* response1 */
1459  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1460  STREAM_TOCLIENT, dcerpc_response1,
1461  dcerpc_response1_len);
1462  if (r != 0) {
1463  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1464  goto end;
1465  }
1466 
1467  p->flowflags &=~ FLOW_PKT_TOSERVER;
1468  p->flowflags |= FLOW_PKT_TOCLIENT;
1469  /* do detect */
1470  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1471 
1472  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1473  goto end;
1474 
1475  /* request2 */
1476  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1477  STREAM_TOSERVER, dcerpc_request2,
1478  dcerpc_request2_len);
1479  if (r != 0) {
1480  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1481  goto end;
1482  }
1483 
1484  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1485  p->flowflags |= FLOW_PKT_TOSERVER;
1486  /* do detect */
1487  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1488 
1489  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1490  goto end;
1491 
1492  /* response2 */
1493  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1494  STREAM_TOCLIENT, dcerpc_response2,
1495  dcerpc_response2_len);
1496  if (r != 0) {
1497  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1498  goto end;
1499  }
1500 
1501  p->flowflags &=~ FLOW_PKT_TOSERVER;
1502  p->flowflags |= FLOW_PKT_TOCLIENT;
1503  /* do detect */
1504  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1505 
1506  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1507  goto end;
1508  /* request3 */
1509  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1510  STREAM_TOSERVER, dcerpc_request3,
1511  dcerpc_request3_len);
1512  if (r != 0) {
1513  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1514  goto end;
1515  }
1516 
1517  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1518  p->flowflags |= FLOW_PKT_TOSERVER;
1519  /* do detect */
1520  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1521 
1522  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1523  goto end;
1524 
1525  /* response3 */
1526  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1527  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1528  dcerpc_response3_len);
1529  if (r != 0) {
1530  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1531  goto end;
1532  }
1533 
1534  p->flowflags &=~ FLOW_PKT_TOSERVER;
1535  p->flowflags |= FLOW_PKT_TOCLIENT;
1536  /* do detect */
1537  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1538 
1539  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1540  goto end;
1541 
1542  result = 1;
1543 
1544  end:
1545  if (alp_tctx != NULL)
1546  AppLayerParserThreadCtxFree(alp_tctx);
1547  SigGroupCleanup(de_ctx);
1548  SigCleanSignatures(de_ctx);
1549 
1550  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1551  DetectEngineCtxFree(de_ctx);
1552 
1553  StreamTcpFreeConfig(true);
1554  FLOW_DESTROY(&f);
1555 
1556  UTHFreePackets(&p, 1);
1557  StatsThreadCleanup(&th_v.stats);
1558  return result;
1559 }
1560 
1561 static int DetectDceStubDataTestParse05(void)
1562 {
1563  int result = 0;
1564  Signature *s = NULL;
1565  ThreadVars th_v;
1566  Packet *p = NULL;
1567  Flow f;
1568  TcpSession ssn;
1569  DetectEngineThreadCtx *det_ctx = NULL;
1570  DetectEngineCtx *de_ctx = NULL;
1571  DCERPCState *dcerpc_state = NULL;
1572  int r = 0;
1573 
1574  uint8_t dcerpc_request1[] = {
1575  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1576  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1577  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1578  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1579  0x00, 0x00, 0x00, 0x02,
1580  };
1581 
1582  uint8_t dcerpc_response1[] = {
1583  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1584  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1585  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1586  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1587  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1588  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1589  };
1590 
1591  uint8_t dcerpc_request2[] = {
1592  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1593  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1594  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1595  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1596  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1597  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1598  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1599  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1600  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1601  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1602  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1603  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1604  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1605  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1606  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1607  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1608  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1609  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1610  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1611  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612  0x03, 0x00, 0x00, 0x00,
1613  };
1614 
1615  uint8_t dcerpc_response2[] = {
1616  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1617  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1618  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1619  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1620  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1621  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1622  };
1623 
1624  uint8_t dcerpc_request3[] = {
1625  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1626  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1627  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1628  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1629  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1630  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1631  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1632  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1633  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1634  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1635  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1636  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1637  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1638  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1639  };
1640 
1641  uint8_t dcerpc_response3[] = {
1642  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1643  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1644  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1645  0x00, 0x00, 0x00, 0x00,
1646  };
1647 
1648  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1649  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1650 
1651  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1652  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1653 
1654  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1655  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1656 
1657  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1658 
1659  memset(&th_v, 0, sizeof(th_v));
1660  StatsThreadInit(&th_v.stats);
1661  memset(&f, 0, sizeof(f));
1662  memset(&ssn, 0, sizeof(ssn));
1663 
1664  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1665 
1666  FLOW_INITIALIZE(&f);
1667  f.protoctx = (void *)&ssn;
1668  f.proto = IPPROTO_TCP;
1669  p->flow = &f;
1670  p->flowflags |= FLOW_PKT_TOSERVER;
1671  p->flowflags |= FLOW_PKT_ESTABLISHED;
1672  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1673  f.alproto = ALPROTO_DCERPC;
1674 
1675  StreamTcpInitConfig(true);
1676 
1677  de_ctx = DetectEngineCtxInit();
1678  if (de_ctx == NULL)
1679  goto end;
1680 
1681  de_ctx->flags |= DE_QUIET;
1682 
1683  s = de_ctx->sig_list = SigInit(de_ctx,
1684  "alert tcp any any -> any any "
1685  "(msg:\"DCERPC\"; "
1686  "dce_stub_data; content:\"|00 02|\"; "
1687  "sid:1;)");
1688  if (s == NULL)
1689  goto end;
1690  s = de_ctx->sig_list->next = SigInit(de_ctx,
1691  "alert tcp any any -> any any "
1692  "(msg:\"DCERPC\"; "
1693  "dce_stub_data; content:\"|00 75|\"; "
1694  "sid:2;)");
1695  if (s == NULL)
1696  goto end;
1697  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1698  "alert tcp any any -> any any "
1699  "(msg:\"DCERPC\"; "
1700  "dce_stub_data; content:\"|00 18|\"; "
1701  "sid:3;)");
1702  if (s == NULL)
1703  goto end;
1704 
1705  SigGroupBuild(de_ctx);
1706  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1707 
1708  /* request1 */
1709  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1710  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1711  dcerpc_request1_len);
1712  if (r != 0) {
1713  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1714  goto end;
1715  }
1716 
1717  dcerpc_state = f.alstate;
1718  if (dcerpc_state == NULL) {
1719  SCLogDebug("no dcerpc state: ");
1720  goto end;
1721  }
1722 
1723  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1724  p->flowflags |= FLOW_PKT_TOSERVER;
1725  /* do detect */
1726  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1727 
1728  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1729  goto end;
1730 
1731  /* response1 */
1732  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1733  STREAM_TOCLIENT, dcerpc_response1,
1734  dcerpc_response1_len);
1735  if (r != 0) {
1736  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1737  goto end;
1738  }
1739 
1740  p->flowflags &=~ FLOW_PKT_TOSERVER;
1741  p->flowflags |= FLOW_PKT_TOCLIENT;
1742  /* do detect */
1743  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1744 
1745  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1746  goto end;
1747 
1748  /* request2 */
1749  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1750  STREAM_TOSERVER, dcerpc_request2,
1751  dcerpc_request2_len);
1752  if (r != 0) {
1753  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1754  goto end;
1755  }
1756 
1757  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1758  p->flowflags |= FLOW_PKT_TOSERVER;
1759  /* do detect */
1760  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1761 
1762  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1763  goto end;
1764 
1765  /* response2 */
1766  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1767  STREAM_TOCLIENT, dcerpc_response2,
1768  dcerpc_response2_len);
1769  if (r != 0) {
1770  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1771  goto end;
1772  }
1773 
1774  p->flowflags &=~ FLOW_PKT_TOSERVER;
1775  p->flowflags |= FLOW_PKT_TOCLIENT;
1776  /* do detect */
1777  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1778 
1779  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1780  goto end;
1781 
1782  /* request3 */
1783  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1784  STREAM_TOSERVER, dcerpc_request3,
1785  dcerpc_request3_len);
1786  if (r != 0) {
1787  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1788  goto end;
1789  }
1790 
1791  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1792  p->flowflags |= FLOW_PKT_TOSERVER;
1793  /* do detect */
1794  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1795 
1796  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1797  goto end;
1798 
1799  /* response3 */
1800  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1801  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1802  dcerpc_response3_len);
1803  if (r != 0) {
1804  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1805  goto end;
1806  }
1807 
1808  p->flowflags &=~ FLOW_PKT_TOSERVER;
1809  p->flowflags |= FLOW_PKT_TOCLIENT;
1810  /* do detect */
1811  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1812 
1813  if (PacketAlertCheck(p, 1))
1814  goto end;
1815 
1816  result = 1;
1817 
1818  end:
1819  if (alp_tctx != NULL)
1820  AppLayerParserThreadCtxFree(alp_tctx);
1821 
1822  SigGroupCleanup(de_ctx);
1823  SigCleanSignatures(de_ctx);
1824 
1825  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1826  DetectEngineCtxFree(de_ctx);
1827 
1828  StreamTcpFreeConfig(true);
1829  FLOW_DESTROY(&f);
1830 
1831  UTHFreePackets(&p, 1);
1832  StatsThreadCleanup(&th_v.stats);
1833  return result;
1834 }
1835 
1836 // invalid signature because of invalid protocol
1837 static int DetectDceStubDataTestParse06(void)
1838 {
1839  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1840  FAIL_IF_NULL(de_ctx);
1841  de_ctx->flags = DE_QUIET;
1842  Signature *s = DetectEngineAppendSig(
1843  de_ctx, "alert dns any any -> any any dce_stub_data;content:\"0\"; sid:1;");
1844  FAIL_IF_NOT_NULL(s);
1845  DetectEngineCtxFree(de_ctx);
1846  PASS;
1847 }
1848 
1849 static void DetectDceStubDataRegisterTests(void)
1850 {
1851  UtRegisterTest("DetectDceStubDataTestParse02",
1852  DetectDceStubDataTestParse02);
1853  UtRegisterTest("DetectDceStubDataTestParse03",
1854  DetectDceStubDataTestParse03);
1855  UtRegisterTest("DetectDceStubDataTestParse04",
1856  DetectDceStubDataTestParse04);
1857  UtRegisterTest("DetectDceStubDataTestParse05",
1858  DetectDceStubDataTestParse05);
1859  UtRegisterTest("DetectDceStubDataTestParse06",
1860  DetectDceStubDataTestParse06);
1861 }
1862 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:117
SigTableElmt_::url
const char * url
Definition: detect.h:1471
detect-engine.h
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect-engine-register.h:308
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1470
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1293
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2049
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1468
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:391
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1459
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Flow_::proto
uint8_t proto
Definition: flow.h:369
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:143
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
Packet_::flags
uint32_t flags
Definition: decode.h:551
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:937
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2652
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:224
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2435
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2234
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3478
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:536
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
Flow_::protoctx
void * protoctx
Definition: flow.h:426
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1450
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:45
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:754
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1252
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3386
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1580
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3136
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2345
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:212
Packet_
Definition: decode.h:505
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:225
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2274
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1331
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:553
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:869
SigTableElmt_::alias
const char * alias
Definition: detect.h:1469
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1315
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3625
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:946
Flow_::alstate
void * alstate
Definition: flow.h:472
detect-parse.h
Signature_
Signature container.
Definition: detect.h:672
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:60
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect-engine-register.h:330
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:226
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2613
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:273
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:939
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:443
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1427
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:44
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1289
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1457
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456