suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-engine-build.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-prefilter.h"
38 #include "detect-engine-content-inspection.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "app-layer.h"
45 #include "app-layer-parser.h"
46 #include "queue.h"
47 #include "stream-tcp-reassemble.h"
48 
49 #include "detect-dce-stub-data.h"
50 #include "detect-dce-iface.h"
51 
52 #include "util-debug.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 #include "stream-tcp.h"
58 
59 #include "rust.h"
60 
61 #define BUFFER_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void DetectDceStubDataRegisterTests(void);
66 #endif
67 static int g_dce_stub_data_buffer_id = 0;
68 
69 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
70  const DetectEngineTransforms *transforms,
71  Flow *_f, const uint8_t flow_flags,
72  void *txv, const int list_id)
73 {
74  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
75  if (!buffer->initialized) {
76  uint32_t data_len = 0;
77  const uint8_t *data = NULL;
78  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
79  if (SCSmbTxGetStubData(txv, dir, &data, &data_len) != 1)
80  return NULL;
81  SCLogDebug("have data!");
82 
83  InspectionBufferSetupAndApplyTransforms(
84  det_ctx, list_id, buffer, data, data_len, transforms);
85  }
86  return buffer;
87 }
88 
89 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
90  const DetectEngineTransforms *transforms,
91  Flow *_f, const uint8_t flow_flags,
92  void *txv, const int list_id)
93 {
94  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
95  if (!buffer->initialized) {
96  uint32_t data_len = 0;
97  const uint8_t *data = NULL;
98  uint8_t endianness;
99 
100  SCDcerpcGetStubData(txv, &data, &data_len, &endianness, flow_flags);
101  if (data == NULL || data_len == 0)
102  return NULL;
103 
104  if (endianness > 0) {
105  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
106  } else {
107  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
108  }
109  InspectionBufferSetupAndApplyTransforms(
110  det_ctx, list_id, buffer, data, data_len, transforms);
111  }
112  return buffer;
113 }
114 
115 /**
116  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
117  */
118 void DetectDceStubDataRegister(void)
119 {
120  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
122  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
123  sigmatch_table[DETECT_DCE_STUB_DATA].desc = "match on the stub data in a DCERPC packet";
124  sigmatch_table[DETECT_DCE_STUB_DATA].url = "/rules/dcerpc-keywords.html#dcerpc-stub-data";
125 #ifdef UNITTESTS
126  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
127 #endif
128  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
129 
130  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
131  DetectEngineInspectBufferGeneric, GetSMBData);
132  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
133  GetSMBData, ALPROTO_SMB, 0);
134  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
135  DetectEngineInspectBufferGeneric, GetSMBData);
136  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
137  GetSMBData, ALPROTO_SMB, 0);
138 
139  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
140  DetectEngineInspectBufferGeneric, GetDCEData);
141  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
142  GetDCEData, ALPROTO_DCERPC, 0);
143  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
144  DetectEngineInspectBufferGeneric, GetDCEData);
145  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
146  GetDCEData, ALPROTO_DCERPC, 0);
147 
148  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
149 }
150 
151 /**
152  * \brief setups the dce_stub_data list
153  *
154  * \param de_ctx Pointer to the detection engine context
155  * \param s Pointer to signature for the current Signature being parsed
156  * from the rules
157  * \param arg Pointer to the string holding the keyword value
158  *
159  * \retval 0 on success, -1 on failure
160  */
161 
162 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
163 {
164  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
165  return -1;
166  if (SCDetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
167  return -1;
168  return 0;
169 }
170 
171 /************************************Unittests*********************************/
172 
173 #ifdef UNITTESTS
174 #include "detect-engine-alert.h"
175 
176 /**
177  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
178  */
179 static int DetectDceStubDataTestParse02(void)
180 {
181  int result = 0;
182  Signature *s = NULL;
183  ThreadVars th_v;
184  Packet *p = NULL;
185  Flow f;
186  TcpSession ssn;
187  DetectEngineThreadCtx *det_ctx = NULL;
188  DetectEngineCtx *de_ctx = NULL;
189  DCERPCState *dcerpc_state = NULL;
190  int r = 0;
191 
192  uint8_t dcerpc_bind[] = {
193  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
194  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
195  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
196  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
197  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
198  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
199  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
200  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
201  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
202  };
203 
204  uint8_t dcerpc_bindack[] = {
205  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
206  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
207  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
208  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
209  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
210  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
212  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
213  0x02, 0x00, 0x00, 0x00
214  };
215 
216  /* todo chop the request frag length and change the
217  * length related parameters in the frag */
218  uint8_t dcerpc_request[] = {
219  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
220  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
221  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
222  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
223  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
224  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
225  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
226  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
227  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
228  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
229  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
230  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
231  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
232  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
233  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
234  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
235  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
236  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
237  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
238  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
239  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
240  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
241  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
242  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
243  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
244  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
245  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
246  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
247  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
248  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
249  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
250  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
251  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
252  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
253  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
254  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
255  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
256  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
257  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
258  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
259  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
260  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
261  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
262  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
263  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
264  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
265  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
266  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
267  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
268  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
269  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
270  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
271  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
272  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
273  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
274  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
275  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
276  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
277  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
278  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
279  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
280  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
281  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
282  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
283  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
284  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
285  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
286  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
287  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
288  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
289  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
290  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
291  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
292  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
293  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
294  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
295  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
296  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
297  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
298  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
299  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
300  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
301  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
302  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
466  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
467  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
468  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
469  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
470  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
471  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
472  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
473  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
474  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
475  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
476  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
477  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
478  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
479  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
480  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
481  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
482  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
483  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
484  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
485  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
486  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
487  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
488  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
489  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
490  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
491  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
492  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
493  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
494  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
495  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
496  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
497  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
499  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
500  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x01, 0x02, 0x03, 0x04
633  };
634 
635  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
636  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
637  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
638  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
639 
640  memset(&th_v, 0, sizeof(th_v));
641  memset(&f, 0, sizeof(f));
642  memset(&ssn, 0, sizeof(ssn));
643 
644  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
645 
646  FLOW_INITIALIZE(&f);
647  f.protoctx = (void *)&ssn;
648  f.proto = IPPROTO_TCP;
649  p->flow = &f;
650  p->flowflags |= FLOW_PKT_TOSERVER;
651  p->flowflags |= FLOW_PKT_ESTABLISHED;
652  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
653  f.alproto = ALPROTO_DCERPC;
654 
655  StreamTcpInitConfig(true);
656 
657  de_ctx = DetectEngineCtxInit();
658  if (de_ctx == NULL)
659  goto end;
660 
661  de_ctx->flags |= DE_QUIET;
662 
663  s = de_ctx->sig_list = SigInit(de_ctx,
664  "alert tcp any any -> any any "
665  "(msg:\"DCERPC\"; "
666  "dce_stub_data; content:\"|42 42 42 42|\";"
667  "sid:1;)");
668  if (s == NULL)
669  goto end;
670 
671  SigGroupBuild(de_ctx);
672  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
673 
674  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
675  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
676  dcerpc_bind_len);
677  if (r != 0) {
678  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
679  goto end;
680  }
681 
682  dcerpc_state = f.alstate;
683  if (dcerpc_state == NULL) {
684  SCLogDebug("no dcerpc state: ");
685  goto end;
686  }
687 
688  p->flowflags &=~ FLOW_PKT_TOCLIENT;
689  p->flowflags |= FLOW_PKT_TOSERVER;
690  /* do detect */
691  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
692 
693  /* we shouldn't have any stub data */
694  if (PacketAlertCheck(p, 1))
695  goto end;
696 
697  /* do detect */
698  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
699  STREAM_TOCLIENT, dcerpc_bindack,
700  dcerpc_bindack_len);
701  if (r != 0) {
702  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
703  goto end;
704  }
705 
706  p->flowflags &=~ FLOW_PKT_TOSERVER;
707  p->flowflags |= FLOW_PKT_TOCLIENT;
708  /* do detect */
709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
710 
711  /* we shouldn't have any stub data */
712  if (PacketAlertCheck(p, 1))
713  goto end;
714 
715  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
716  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
717  dcerpc_request_len);
718  if (r != 0) {
719  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
720  goto end;
721  }
722 
723  p->flowflags &=~ FLOW_PKT_TOCLIENT;
724  p->flowflags |= FLOW_PKT_TOSERVER;
725  /* do detect */
726  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
727 
728  /* we should have the stub data since we previously parsed a request frag */
729  if (!PacketAlertCheck(p, 1))
730  goto end;
731 
732  result = 1;
733 
734  end:
735  if (alp_tctx != NULL)
736  AppLayerParserThreadCtxFree(alp_tctx);
737  SigGroupCleanup(de_ctx);
738  SigCleanSignatures(de_ctx);
739 
740  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
741  DetectEngineCtxFree(de_ctx);
742 
743  StreamTcpFreeConfig(true);
744  FLOW_DESTROY(&f);
745 
746  UTHFreePackets(&p, 1);
747  StatsThreadCleanup(&th_v);
748  return result;
749 }
750 
751 /**
752  * \test Test a valid dce_stub_data with just a request frag.
753  */
754 static int DetectDceStubDataTestParse03(void)
755 {
756  Signature *s = NULL;
757  ThreadVars th_v;
758  Packet *p = NULL;
759  Flow f;
760  TcpSession ssn;
761  DetectEngineThreadCtx *det_ctx = NULL;
762  DetectEngineCtx *de_ctx = NULL;
763  DCERPCState *dcerpc_state = NULL;
764  int r = 0;
765 
766  /* todo chop the request frag length and change the
767  * length related parameters in the frag */
768  uint8_t dcerpc_request[] = {
769  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
770  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
771  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
772  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
773  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
774  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
775  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
776  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
777  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
778  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
779  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
780  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
781  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
782  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
783  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
784  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
785  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
786  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
787  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
788  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
789  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
790  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
791  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
792  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
793  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
794  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
795  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
796  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
797  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
798  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
799  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
800  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
801  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
802  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
803  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
804  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
805  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
806  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
807  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
808  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
809  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
810  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
811  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
812  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
813  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
814  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
815  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
816  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
817  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
818  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
819  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
820  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
821  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
822  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
823  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
824  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
825  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
826  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
827  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
828  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
829  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
830  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
831  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
832  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
833  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
834  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
835  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
836  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
837  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
838  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
839  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
840  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
841  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
842  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
843  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
844  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
845  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
846  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
847  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
848  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
849  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
850  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
851  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
852  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1015  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1016  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1017  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1018  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1019  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1020  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1021  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1022  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1023  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1024  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1025  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1026  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1027  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1028  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1029  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1030  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1031  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1032  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1033  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1034  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1035  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1036  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1037  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1038  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1040  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1041  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1042  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1043  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1044  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1045  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1046  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1047  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1048  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1049  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1050  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1116  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1182  0x01, 0x02, 0x03, 0x04
1183  };
1184 
1185  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1186 
1187  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1188 
1189  memset(&th_v, 0, sizeof(th_v));
1190  memset(&f, 0, sizeof(f));
1191  memset(&ssn, 0, sizeof(ssn));
1192 
1193  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1194 
1195  FLOW_INITIALIZE(&f);
1196  f.protoctx = (void *)&ssn;
1197  f.proto = IPPROTO_TCP;
1198  p->flow = &f;
1199  p->flowflags |= FLOW_PKT_TOSERVER;
1200  p->flowflags |= FLOW_PKT_ESTABLISHED;
1201  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1202  f.alproto = ALPROTO_DCERPC;
1203 
1204  StreamTcpInitConfig(true);
1205 
1206  de_ctx = DetectEngineCtxInit();
1207  FAIL_IF(de_ctx == NULL);
1208 
1209  de_ctx->flags |= DE_QUIET;
1210 
1211  s = de_ctx->sig_list = SigInit(de_ctx,
1212  "alert tcp any any -> any any "
1213  "(msg:\"DCERPC\"; "
1214  "dce_stub_data; content:\"|42 42 42 42|\";"
1215  "sid:1;)");
1216  FAIL_IF(s == NULL);
1217 
1218  SigGroupBuild(de_ctx);
1219  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1220 
1221  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1222  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1223  dcerpc_request_len);
1224  FAIL_IF(r != 0);
1225 
1226  dcerpc_state = f.alstate;
1227  FAIL_IF (dcerpc_state == NULL);
1228 
1229  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1230  p->flowflags |= FLOW_PKT_TOSERVER;
1231  /* do detect */
1232  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1233  FAIL_IF(!PacketAlertCheck(p, 1));
1234 
1235  if (alp_tctx != NULL)
1236  AppLayerParserThreadCtxFree(alp_tctx);
1237  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1238  DetectEngineCtxFree(de_ctx);
1239  StreamTcpFreeConfig(true);
1240  FLOW_DESTROY(&f);
1241 
1242  UTHFreePackets(&p, 1);
1243  StatsThreadCleanup(&th_v);
1244  PASS;
1245 }
1246 
1247 static int DetectDceStubDataTestParse04(void)
1248 {
1249  int result = 0;
1250  Signature *s = NULL;
1251  ThreadVars th_v;
1252  Packet *p = NULL;
1253  Flow f;
1254  TcpSession ssn;
1255  DetectEngineThreadCtx *det_ctx = NULL;
1256  DetectEngineCtx *de_ctx = NULL;
1257  DCERPCState *dcerpc_state = NULL;
1258  int r = 0;
1259 
1260  uint8_t dcerpc_bind[] = {
1261  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1262  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1263  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1264  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1265  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1266  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1267  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1268  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1269  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1270  };
1271 
1272  uint8_t dcerpc_bindack[] = {
1273  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1274  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1275  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1276  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1277  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1278  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1279  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1280  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1281  0x02, 0x00, 0x00, 0x00,
1282  };
1283 
1284  uint8_t dcerpc_request1[] = {
1285  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1286  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1287  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1288  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1289  0x00, 0x00, 0x00, 0x02,
1290  };
1291 
1292  uint8_t dcerpc_response1[] = {
1293  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1294  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1295  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1297  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1298  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1299  };
1300 
1301  uint8_t dcerpc_request2[] = {
1302  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1303  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1304  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1305  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1306  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1307  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1308  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1309  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1310  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1311  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1312  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1313  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1314  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1315  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1316  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1317  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1318  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1319  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1320  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1321  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1322  0x03, 0x00, 0x00, 0x00,
1323  };
1324 
1325  uint8_t dcerpc_response2[] = {
1326  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1327  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1328  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1329  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1330  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1331  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1332  };
1333 
1334  uint8_t dcerpc_request3[] = {
1335  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1336  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1337  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1338  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1339  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1340  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1341  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1342  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1343  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1344  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1345  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1346  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1347  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1348  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1349  };
1350 
1351  uint8_t dcerpc_response3[] = {
1352  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1353  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1354  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1355  0x00, 0x00, 0x00, 0x00,
1356  };
1357 
1358  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1359  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1360 
1361  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1362  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1363 
1364  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1365  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1366 
1367  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1368  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1369 
1370  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1371 
1372  memset(&th_v, 0, sizeof(th_v));
1373  memset(&f, 0, sizeof(f));
1374  memset(&ssn, 0, sizeof(ssn));
1375 
1376  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1377 
1378  FLOW_INITIALIZE(&f);
1379  f.protoctx = (void *)&ssn;
1380  f.proto = IPPROTO_TCP;
1381  p->flow = &f;
1382  p->flowflags |= FLOW_PKT_TOSERVER;
1383  p->flowflags |= FLOW_PKT_ESTABLISHED;
1384  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1385  f.alproto = ALPROTO_DCERPC;
1386 
1387  StreamTcpInitConfig(true);
1388 
1389  de_ctx = DetectEngineCtxInit();
1390  if (de_ctx == NULL)
1391  goto end;
1392 
1393  de_ctx->flags |= DE_QUIET;
1394 
1395  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1396  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1397  if (s == NULL)
1398  goto end;
1399  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1400  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1401  if (s == NULL)
1402  goto end;
1403  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1404  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1405  if (s == NULL)
1406  goto end;
1407 
1408  SigGroupBuild(de_ctx);
1409  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1410 
1411  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1412  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1413  dcerpc_bind_len);
1414  if (r != 0) {
1415  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1416  goto end;
1417  }
1418  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1419  p->flowflags |= FLOW_PKT_TOSERVER;
1420  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1421 
1422  dcerpc_state = f.alstate;
1423  if (dcerpc_state == NULL) {
1424  SCLogDebug("no dcerpc state: ");
1425  goto end;
1426  }
1427 
1428  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1429  STREAM_TOCLIENT, dcerpc_bindack,
1430  dcerpc_bindack_len);
1431  if (r != 0) {
1432  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1433  goto end;
1434  }
1435  p->flowflags &=~ FLOW_PKT_TOSERVER;
1436  p->flowflags |= FLOW_PKT_TOCLIENT;
1437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1438 
1439  /* request1 */
1440  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1441  STREAM_TOSERVER, dcerpc_request1,
1442  dcerpc_request1_len);
1443  if (r != 0) {
1444  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1445  goto end;
1446  }
1447 
1448  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1449  p->flowflags |= FLOW_PKT_TOSERVER;
1450  /* do detect */
1451  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1452 
1453  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1454  goto end;
1455 
1456  /* response1 */
1457  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1458  STREAM_TOCLIENT, dcerpc_response1,
1459  dcerpc_response1_len);
1460  if (r != 0) {
1461  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1462  goto end;
1463  }
1464 
1465  p->flowflags &=~ FLOW_PKT_TOSERVER;
1466  p->flowflags |= FLOW_PKT_TOCLIENT;
1467  /* do detect */
1468  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1469 
1470  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1471  goto end;
1472 
1473  /* request2 */
1474  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1475  STREAM_TOSERVER, dcerpc_request2,
1476  dcerpc_request2_len);
1477  if (r != 0) {
1478  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1479  goto end;
1480  }
1481 
1482  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1483  p->flowflags |= FLOW_PKT_TOSERVER;
1484  /* do detect */
1485  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1486 
1487  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1488  goto end;
1489 
1490  /* response2 */
1491  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1492  STREAM_TOCLIENT, dcerpc_response2,
1493  dcerpc_response2_len);
1494  if (r != 0) {
1495  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1496  goto end;
1497  }
1498 
1499  p->flowflags &=~ FLOW_PKT_TOSERVER;
1500  p->flowflags |= FLOW_PKT_TOCLIENT;
1501  /* do detect */
1502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1503 
1504  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1505  goto end;
1506  /* request3 */
1507  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1508  STREAM_TOSERVER, dcerpc_request3,
1509  dcerpc_request3_len);
1510  if (r != 0) {
1511  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1512  goto end;
1513  }
1514 
1515  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1516  p->flowflags |= FLOW_PKT_TOSERVER;
1517  /* do detect */
1518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1519 
1520  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1521  goto end;
1522 
1523  /* response3 */
1524  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1525  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1526  dcerpc_response3_len);
1527  if (r != 0) {
1528  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1529  goto end;
1530  }
1531 
1532  p->flowflags &=~ FLOW_PKT_TOSERVER;
1533  p->flowflags |= FLOW_PKT_TOCLIENT;
1534  /* do detect */
1535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1536 
1537  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1538  goto end;
1539 
1540  result = 1;
1541 
1542  end:
1543  if (alp_tctx != NULL)
1544  AppLayerParserThreadCtxFree(alp_tctx);
1545  SigGroupCleanup(de_ctx);
1546  SigCleanSignatures(de_ctx);
1547 
1548  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1549  DetectEngineCtxFree(de_ctx);
1550 
1551  StreamTcpFreeConfig(true);
1552  FLOW_DESTROY(&f);
1553 
1554  UTHFreePackets(&p, 1);
1555  StatsThreadCleanup(&th_v);
1556  return result;
1557 }
1558 
1559 static int DetectDceStubDataTestParse05(void)
1560 {
1561  int result = 0;
1562  Signature *s = NULL;
1563  ThreadVars th_v;
1564  Packet *p = NULL;
1565  Flow f;
1566  TcpSession ssn;
1567  DetectEngineThreadCtx *det_ctx = NULL;
1568  DetectEngineCtx *de_ctx = NULL;
1569  DCERPCState *dcerpc_state = NULL;
1570  int r = 0;
1571 
1572  uint8_t dcerpc_request1[] = {
1573  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1574  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1575  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1576  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1577  0x00, 0x00, 0x00, 0x02,
1578  };
1579 
1580  uint8_t dcerpc_response1[] = {
1581  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1582  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1583  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1584  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1585  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1586  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1587  };
1588 
1589  uint8_t dcerpc_request2[] = {
1590  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1591  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1592  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1593  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1594  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1595  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1596  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1597  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1598  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1599  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1600  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1601  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1602  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1603  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1604  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1605  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1606  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1607  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1608  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1609  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1610  0x03, 0x00, 0x00, 0x00,
1611  };
1612 
1613  uint8_t dcerpc_response2[] = {
1614  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1615  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1616  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1617  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1618  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1619  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1620  };
1621 
1622  uint8_t dcerpc_request3[] = {
1623  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1624  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1625  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1626  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1627  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1628  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1629  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1630  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1631  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1632  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1633  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1634  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1635  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1636  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1637  };
1638 
1639  uint8_t dcerpc_response3[] = {
1640  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1641  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1642  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643  0x00, 0x00, 0x00, 0x00,
1644  };
1645 
1646  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1647  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1648 
1649  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1650  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1651 
1652  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1653  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1654 
1655  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1656 
1657  memset(&th_v, 0, sizeof(th_v));
1658  memset(&f, 0, sizeof(f));
1659  memset(&ssn, 0, sizeof(ssn));
1660 
1661  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1662 
1663  FLOW_INITIALIZE(&f);
1664  f.protoctx = (void *)&ssn;
1665  f.proto = IPPROTO_TCP;
1666  p->flow = &f;
1667  p->flowflags |= FLOW_PKT_TOSERVER;
1668  p->flowflags |= FLOW_PKT_ESTABLISHED;
1669  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1670  f.alproto = ALPROTO_DCERPC;
1671 
1672  StreamTcpInitConfig(true);
1673 
1674  de_ctx = DetectEngineCtxInit();
1675  if (de_ctx == NULL)
1676  goto end;
1677 
1678  de_ctx->flags |= DE_QUIET;
1679 
1680  s = de_ctx->sig_list = SigInit(de_ctx,
1681  "alert tcp any any -> any any "
1682  "(msg:\"DCERPC\"; "
1683  "dce_stub_data; content:\"|00 02|\"; "
1684  "sid:1;)");
1685  if (s == NULL)
1686  goto end;
1687  s = de_ctx->sig_list->next = SigInit(de_ctx,
1688  "alert tcp any any -> any any "
1689  "(msg:\"DCERPC\"; "
1690  "dce_stub_data; content:\"|00 75|\"; "
1691  "sid:2;)");
1692  if (s == NULL)
1693  goto end;
1694  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1695  "alert tcp any any -> any any "
1696  "(msg:\"DCERPC\"; "
1697  "dce_stub_data; content:\"|00 18|\"; "
1698  "sid:3;)");
1699  if (s == NULL)
1700  goto end;
1701 
1702  SigGroupBuild(de_ctx);
1703  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1704 
1705  /* request1 */
1706  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1707  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1708  dcerpc_request1_len);
1709  if (r != 0) {
1710  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1711  goto end;
1712  }
1713 
1714  dcerpc_state = f.alstate;
1715  if (dcerpc_state == NULL) {
1716  SCLogDebug("no dcerpc state: ");
1717  goto end;
1718  }
1719 
1720  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1721  p->flowflags |= FLOW_PKT_TOSERVER;
1722  /* do detect */
1723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1724 
1725  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1726  goto end;
1727 
1728  /* response1 */
1729  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1730  STREAM_TOCLIENT, dcerpc_response1,
1731  dcerpc_response1_len);
1732  if (r != 0) {
1733  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1734  goto end;
1735  }
1736 
1737  p->flowflags &=~ FLOW_PKT_TOSERVER;
1738  p->flowflags |= FLOW_PKT_TOCLIENT;
1739  /* do detect */
1740  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1741 
1742  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1743  goto end;
1744 
1745  /* request2 */
1746  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1747  STREAM_TOSERVER, dcerpc_request2,
1748  dcerpc_request2_len);
1749  if (r != 0) {
1750  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1751  goto end;
1752  }
1753 
1754  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1755  p->flowflags |= FLOW_PKT_TOSERVER;
1756  /* do detect */
1757  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1758 
1759  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1760  goto end;
1761 
1762  /* response2 */
1763  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1764  STREAM_TOCLIENT, dcerpc_response2,
1765  dcerpc_response2_len);
1766  if (r != 0) {
1767  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1768  goto end;
1769  }
1770 
1771  p->flowflags &=~ FLOW_PKT_TOSERVER;
1772  p->flowflags |= FLOW_PKT_TOCLIENT;
1773  /* do detect */
1774  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1775 
1776  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1777  goto end;
1778 
1779  /* request3 */
1780  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1781  STREAM_TOSERVER, dcerpc_request3,
1782  dcerpc_request3_len);
1783  if (r != 0) {
1784  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1785  goto end;
1786  }
1787 
1788  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1789  p->flowflags |= FLOW_PKT_TOSERVER;
1790  /* do detect */
1791  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1792 
1793  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1794  goto end;
1795 
1796  /* response3 */
1797  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1798  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1799  dcerpc_response3_len);
1800  if (r != 0) {
1801  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1802  goto end;
1803  }
1804 
1805  p->flowflags &=~ FLOW_PKT_TOSERVER;
1806  p->flowflags |= FLOW_PKT_TOCLIENT;
1807  /* do detect */
1808  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1809 
1810  if (PacketAlertCheck(p, 1))
1811  goto end;
1812 
1813  result = 1;
1814 
1815  end:
1816  if (alp_tctx != NULL)
1817  AppLayerParserThreadCtxFree(alp_tctx);
1818 
1819  SigGroupCleanup(de_ctx);
1820  SigCleanSignatures(de_ctx);
1821 
1822  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1823  DetectEngineCtxFree(de_ctx);
1824 
1825  StreamTcpFreeConfig(true);
1826  FLOW_DESTROY(&f);
1827 
1828  UTHFreePackets(&p, 1);
1829  StatsThreadCleanup(&th_v);
1830  return result;
1831 }
1832 
1833 // invalid signature because of invalid protocol
1834 static int DetectDceStubDataTestParse06(void)
1835 {
1836  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1837  FAIL_IF_NULL(de_ctx);
1838  de_ctx->flags = DE_QUIET;
1839  Signature *s = DetectEngineAppendSig(
1840  de_ctx, "alert dns any any -> any any dce_stub_data;content:\"0\"; sid:1;");
1841  FAIL_IF_NOT_NULL(s);
1842  DetectEngineCtxFree(de_ctx);
1843  PASS;
1844 }
1845 
1846 static void DetectDceStubDataRegisterTests(void)
1847 {
1848  UtRegisterTest("DetectDceStubDataTestParse02",
1849  DetectDceStubDataTestParse02);
1850  UtRegisterTest("DetectDceStubDataTestParse03",
1851  DetectDceStubDataTestParse03);
1852  UtRegisterTest("DetectDceStubDataTestParse04",
1853  DetectDceStubDataTestParse04);
1854  UtRegisterTest("DetectDceStubDataTestParse05",
1855  DetectDceStubDataTestParse05);
1856  UtRegisterTest("DetectDceStubDataTestParse06",
1857  DetectDceStubDataTestParse06);
1858 }
1859 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:118
SigTableElmt_::url
const char * url
Definition: detect.h:1460
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1674
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2049
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1457
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:391
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1448
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2229
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
Flow_::protoctx
void * protoctx
Definition: flow.h:433
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:45
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:750
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:271
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1577
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2265
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:218
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
SigTableElmt_::alias
const char * alias
Definition: detect.h:1458
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
Flow_::alstate
void * alstate
Definition: flow.h:471
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:61
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1649
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:273
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:44
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456