suricata
detect-dce-stub-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements dce_stub_data keyword
25  */
26 
27 #include "suricata-common.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-buffer.h"
34 #include "detect-engine-build.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-prefilter.h"
38 #include "detect-engine-content-inspection.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "app-layer.h"
45 #include "app-layer-parser.h"
46 #include "queue.h"
47 #include "stream-tcp-reassemble.h"
48 
49 #include "detect-dce-stub-data.h"
50 #include "detect-dce-iface.h"
51 
52 #include "util-debug.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 
57 #include "stream-tcp.h"
58 
59 #include "rust.h"
60 
61 #define BUFFER_NAME "dce_stub_data"
62 
63 static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void DetectDceStubDataRegisterTests(void);
66 #endif
67 static int g_dce_stub_data_buffer_id = 0;
68 
69 static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
70  const DetectEngineTransforms *transforms,
71  Flow *_f, const uint8_t flow_flags,
72  void *txv, const int list_id)
73 {
74  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
75  if (!buffer->initialized) {
76  uint32_t data_len = 0;
77  const uint8_t *data = NULL;
78  uint8_t dir = flow_flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
79  if (SCSmbTxGetStubData(txv, dir, &data, &data_len) != 1)
80  return NULL;
81  SCLogDebug("have data!");
82 
83  InspectionBufferSetupAndApplyTransforms(
84  det_ctx, list_id, buffer, data, data_len, transforms);
85  }
86  return buffer;
87 }
88 
89 static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
90  const DetectEngineTransforms *transforms,
91  Flow *_f, const uint8_t flow_flags,
92  void *txv, const int list_id)
93 {
94  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
95  if (!buffer->initialized) {
96  uint32_t data_len = 0;
97  const uint8_t *data = NULL;
98  uint8_t endianness;
99 
100  SCDcerpcGetStubData(txv, &data, &data_len, &endianness, flow_flags);
101  if (data == NULL || data_len == 0)
102  return NULL;
103 
104  if (endianness > 0) {
105  buffer->flags = DETECT_CI_FLAGS_DCE_LE;
106  } else {
107  buffer->flags |= DETECT_CI_FLAGS_DCE_BE;
108  }
109  InspectionBufferSetupAndApplyTransforms(
110  det_ctx, list_id, buffer, data, data_len, transforms);
111  }
112  return buffer;
113 }
114 
115 /**
116  * \brief Registers the keyword handlers for the "dce_stub_data" keyword.
117  */
118 void DetectDceStubDataRegister(void)
119 {
120  sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
121  sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
122  sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
123  sigmatch_table[DETECT_DCE_STUB_DATA].desc = "match on the stub data in a DCERPC packet";
124  sigmatch_table[DETECT_DCE_STUB_DATA].url = "/rules/dcerpc-keywords.html#dcerpc-stub-data";
125 #ifdef UNITTESTS
126  sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
127 #endif
128  sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
129 
130  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
131  DetectEngineInspectBufferGeneric, GetSMBData);
132  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
133  GetSMBData, ALPROTO_SMB, 0);
134  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0,
135  DetectEngineInspectBufferGeneric, GetSMBData);
136  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
137  GetSMBData, ALPROTO_SMB, 0);
138 
139  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0,
140  DetectEngineInspectBufferGeneric, GetDCEData);
141  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
142  GetDCEData, ALPROTO_DCERPC, 0);
143  DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0,
144  DetectEngineInspectBufferGeneric, GetDCEData);
145  DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
146  GetDCEData, ALPROTO_DCERPC, 0);
147 
148  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
149 }
150 
151 /**
152  * \brief setups the dce_stub_data list
153  *
154  * \param de_ctx Pointer to the detection engine context
155  * \param s Pointer to signature for the current Signature being parsed
156  * from the rules
157  * \param arg Pointer to the string holding the keyword value
158  *
159  * \retval 0 on success, -1 on failure
160  */
161 
162 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
163 {
164  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
165  return -1;
166  if (SCDetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) < 0)
167  return -1;
168  return 0;
169 }
170 
171 /************************************Unittests*********************************/
172 
173 #ifdef UNITTESTS
174 #include "detect-engine-alert.h"
175 
176 /**
177  * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags.
178  */
179 static int DetectDceStubDataTestParse02(void)
180 {
181  int result = 0;
182  Signature *s = NULL;
183  ThreadVars th_v;
184  Packet *p = NULL;
185  Flow f;
186  TcpSession ssn;
187  DetectEngineThreadCtx *det_ctx = NULL;
188  DetectEngineCtx *de_ctx = NULL;
189  DCERPCState *dcerpc_state = NULL;
190  int r = 0;
191 
192  uint8_t dcerpc_bind[] = {
193  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
194  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
195  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
196  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
197  0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
198  0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
199  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
200  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
201  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
202  };
203 
204  uint8_t dcerpc_bindack[] = {
205  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
206  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
207  0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
208  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
209  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
210  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
212  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
213  0x02, 0x00, 0x00, 0x00
214  };
215 
216  /* todo chop the request frag length and change the
217  * length related parameters in the frag */
218  uint8_t dcerpc_request[] = {
219  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
220  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
221  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
222  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
223  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
224  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
225  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
226  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
227  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
228  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
229  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
230  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
231  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
232  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
233  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
234  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
235  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
236  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
237  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
238  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
239  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
240  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
241  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
242  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
243  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
244  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
245  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
246  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
247  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
248  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
249  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
250  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
251  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
252  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
253  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
254  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
255  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
256  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
257  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
258  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
259  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
260  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
261  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
262  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
263  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
264  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
265  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
266  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
267  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
268  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
269  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
270  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
271  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
272  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
273  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
274  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
275  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
276  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
277  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
278  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
279  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
280  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
281  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
282  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
283  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
284  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
285  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
286  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
287  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
288  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
289  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
290  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
291  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
292  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
293  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
294  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
295  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
296  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
297  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
298  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
299  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
300  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
301  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
302  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
303  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
304  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
305  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
306  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
307  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
308  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
309  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
310  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
311  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
312  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
313  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
314  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
315  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
316  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
317  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
318  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
319  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
320  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
321  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
322  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
323  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
324  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
325  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
326  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
327  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
328  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
329  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
330  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
331  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
332  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
333  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
334  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
335  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
336  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
337  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
338  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
339  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
340  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
341  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
342  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
343  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
344  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
345  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
346  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
347  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
348  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
349  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
350  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
351  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
352  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
353  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
354  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
355  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
356  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
357  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
358  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
359  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
360  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
361  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
362  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
363  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
364  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
365  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
366  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
367  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
368  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
369  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
370  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
371  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
372  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
373  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
374  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
375  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
376  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
377  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
378  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
379  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
380  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
381  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
382  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
383  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
384  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
385  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
386  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
387  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
388  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
389  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
390  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
391  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
392  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
393  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
394  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
395  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
396  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
397  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
398  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
399  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
400  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
401  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
402  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
403  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
404  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
405  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
406  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
407  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
408  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
409  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
410  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
411  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
412  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
413  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
414  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
415  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
416  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
417  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
418  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
419  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
420  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
421  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
422  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
423  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
424  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
425  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
426  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
427  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
428  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
429  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
430  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
431  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
432  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
433  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
434  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
435  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
436  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
437  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
438  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
439  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
440  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
441  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
442  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
443  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
444  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
445  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
446  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
447  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
448  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
449  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
450  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
451  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
452  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
453  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
454  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
455  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
456  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
457  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
458  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
459  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
460  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
461  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
462  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
463  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
464  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
465  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
466  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
467  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
468  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
469  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
470  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
471  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
472  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
473  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
474  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
475  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
476  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
477  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
478  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
479  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
480  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
481  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
482  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
483  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
484  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
485  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
486  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
487  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
488  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
489  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
490  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
491  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
492  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
493  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
494  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
495  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
496  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
497  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
499  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
500  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
501  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
502  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
503  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
504  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
505  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
506  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
507  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
508  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
509  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
510  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
511  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
512  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
513  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
514  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
515  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
516  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
517  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
518  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
519  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
520  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
521  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
522  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
523  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
524  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
525  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
526  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
527  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
528  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
529  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
530  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
531  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
532  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
533  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
534  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
535  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
536  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
537  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
538  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
539  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
540  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
541  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
542  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
543  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
544  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
545  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
546  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
547  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
548  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
549  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
550  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
551  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
552  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
553  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
554  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
555  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
556  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
557  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
558  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
559  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
560  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
561  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
562  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
563  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
564  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
565  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
566  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
567  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
568  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
569  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
570  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
571  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
572  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
573  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
574  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
575  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
576  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
577  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
578  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
579  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
580  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
581  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
582  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
583  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
584  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
585  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
586  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
587  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
588  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
589  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
590  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
591  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
592  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
593  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
594  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
595  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
596  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
597  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
598  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
599  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
600  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
601  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
602  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
603  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
604  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
605  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
606  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
607  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
608  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
609  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
610  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
611  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
612  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
613  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
614  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
615  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
616  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
617  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
618  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
619  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
620  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
621  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
622  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
623  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
624  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
625  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
626  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
627  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
628  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
629  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
630  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
631  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
632  0x01, 0x02, 0x03, 0x04
633  };
634 
635  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
636  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
637  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
638  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
639 
640  memset(&th_v, 0, sizeof(th_v));
641  memset(&f, 0, sizeof(f));
642  memset(&ssn, 0, sizeof(ssn));
643 
644  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
645 
646  FLOW_INITIALIZE(&f);
647  f.protoctx = (void *)&ssn;
648  f.proto = IPPROTO_TCP;
649  p->flow = &f;
650  p->flowflags |= FLOW_PKT_TOSERVER;
651  p->flowflags |= FLOW_PKT_ESTABLISHED;
652  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
653  f.alproto = ALPROTO_DCERPC;
654 
655  StreamTcpInitConfig(true);
656 
657  de_ctx = DetectEngineCtxInit();
658  if (de_ctx == NULL)
659  goto end;
660 
661  de_ctx->flags |= DE_QUIET;
662 
663  s = de_ctx->sig_list = SigInit(de_ctx,
664  "alert tcp any any -> any any "
665  "(msg:\"DCERPC\"; "
666  "dce_stub_data; content:\"|42 42 42 42|\";"
667  "sid:1;)");
668  if (s == NULL)
669  goto end;
670 
671  SigGroupBuild(de_ctx);
672  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
673 
674  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
675  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
676  dcerpc_bind_len);
677  if (r != 0) {
678  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
679  goto end;
680  }
681 
682  dcerpc_state = f.alstate;
683  if (dcerpc_state == NULL) {
684  SCLogDebug("no dcerpc state: ");
685  goto end;
686  }
687 
688  p->flowflags &=~ FLOW_PKT_TOCLIENT;
689  p->flowflags |= FLOW_PKT_TOSERVER;
690  /* do detect */
691  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
692 
693  /* we shouldn't have any stub data */
694  if (PacketAlertCheck(p, 1))
695  goto end;
696 
697  /* do detect */
698  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
699  STREAM_TOCLIENT, dcerpc_bindack,
700  dcerpc_bindack_len);
701  if (r != 0) {
702  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
703  goto end;
704  }
705 
706  p->flowflags &=~ FLOW_PKT_TOSERVER;
707  p->flowflags |= FLOW_PKT_TOCLIENT;
708  /* do detect */
709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
710 
711  /* we shouldn't have any stub data */
712  if (PacketAlertCheck(p, 1))
713  goto end;
714 
715  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
716  STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
717  dcerpc_request_len);
718  if (r != 0) {
719  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
720  goto end;
721  }
722 
723  p->flowflags &=~ FLOW_PKT_TOCLIENT;
724  p->flowflags |= FLOW_PKT_TOSERVER;
725  /* do detect */
726  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
727 
728  /* we should have the stub data since we previously parsed a request frag */
729  if (!PacketAlertCheck(p, 1))
730  goto end;
731 
732  result = 1;
733 
734  end:
735  if (alp_tctx != NULL)
736  AppLayerParserThreadCtxFree(alp_tctx);
737  SigGroupCleanup(de_ctx);
738  SigCleanSignatures(de_ctx);
739 
740  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
741  DetectEngineCtxFree(de_ctx);
742 
743  StreamTcpFreeConfig(true);
744  FLOW_DESTROY(&f);
745 
746  UTHFreePackets(&p, 1);
747  return result;
748 }
749 
750 /**
751  * \test Test a valid dce_stub_data with just a request frag.
752  */
753 static int DetectDceStubDataTestParse03(void)
754 {
755  Signature *s = NULL;
756  ThreadVars th_v;
757  Packet *p = NULL;
758  Flow f;
759  TcpSession ssn;
760  DetectEngineThreadCtx *det_ctx = NULL;
761  DetectEngineCtx *de_ctx = NULL;
762  DCERPCState *dcerpc_state = NULL;
763  int r = 0;
764 
765  /* todo chop the request frag length and change the
766  * length related parameters in the frag */
767  uint8_t dcerpc_request[] = {
768  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
769  0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
770  0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
771  0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
772  0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
773  0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
774  0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
775  0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
776  0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
777  0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
778  0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
779  0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
780  0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
781  0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
782  0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
783  0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
784  0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
785  0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
786  0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
787  0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
788  0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
789  0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
790  0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
791  0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
792  0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
793  0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
794  0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
795  0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
796  0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
797  0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
798  0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
799  0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
800  0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
801  0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
802  0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
803  0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
804  0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
805  0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
806  0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
807  0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
808  0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
809  0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
810  0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
811  0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
812  0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
813  0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
814  0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
815  0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
816  0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
817  0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
818  0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
819  0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
820  0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
821  0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
822  0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
823  0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
824  0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
825  0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
826  0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
827  0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
828  0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
829  0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
830  0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
831  0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
832  0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
833  0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
834  0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
835  0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
836  0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
837  0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
838  0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
839  0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
840  0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
841  0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
842  0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
843  0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
844  0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
845  0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
846  0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
847  0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
848  0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
849  0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
850  0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
851  0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
852  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
853  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
854  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
855  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
856  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
857  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
858  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
859  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
860  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
861  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
862  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
863  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
864  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
865  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
866  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
867  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
868  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
869  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
870  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
871  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
872  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
873  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
874  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
875  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
876  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
877  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
878  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
879  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
880  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
881  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
882  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
883  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
884  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
885  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
886  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
887  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
888  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
889  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
890  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
891  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
892  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
893  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
894  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
895  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
896  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
897  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
898  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
899  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
900  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
901  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
902  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
903  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
904  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
905  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
906  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
907  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
908  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
909  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
910  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
911  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
912  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
913  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
914  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
915  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
916  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
917  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
918  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
919  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
920  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
921  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
922  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
923  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
924  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
925  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
926  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
927  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
928  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
929  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
930  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
931  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
932  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
933  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
934  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
935  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
936  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
937  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
938  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
939  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
940  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
941  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
942  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
943  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
944  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
945  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
946  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
947  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
948  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
949  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
950  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
951  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
952  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
953  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
954  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
955  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
956  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
957  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
958  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
959  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
960  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
961  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
962  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
963  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
964  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
965  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
966  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
967  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
968  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
969  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
970  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
971  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
972  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
973  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
974  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
975  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
976  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
977  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
978  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
979  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
980  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
981  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
982  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
983  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
984  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
985  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
986  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
987  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
988  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
989  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
990  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
991  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
992  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
993  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
994  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
995  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
996  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
997  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
998  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
999  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1000  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1001  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1002  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1003  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1004  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1005  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1006  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1007  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1008  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1009  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1010  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1011  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1012  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1013  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1014  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
1015  0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
1016  0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
1017  0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
1018  0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
1019  0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
1020  0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1021  0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1022  0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
1023  0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
1024  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1025  0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
1026  0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
1027  0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
1028  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1029  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
1030  0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
1031  0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1032  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1033  0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
1034  0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
1035  0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
1036  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1037  0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1038  0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1039  0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
1040  0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
1041  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1042  0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1043  0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
1044  0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
1045  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
1046  0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1047  0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
1048  0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
1049  0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
1050  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1051  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1052  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1053  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1054  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1055  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1056  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1057  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1058  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1059  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1060  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1061  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1062  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1063  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1064  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1065  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1066  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1067  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1068  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1069  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1070  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1071  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1072  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1073  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1074  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1075  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1076  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1077  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1078  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1079  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1080  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1081  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1082  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1083  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1084  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1085  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1086  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1087  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1088  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1089  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1090  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1091  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1092  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1093  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1094  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1095  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1096  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1097  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1098  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1099  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1100  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1101  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1102  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1103  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1104  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1105  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1106  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1107  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1108  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1109  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1110  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1111  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1112  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1113  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1114  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
1115  0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
1116  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1117  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1118  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1119  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1120  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1121  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1122  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1123  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1124  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1125  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1126  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1127  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1128  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1129  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1130  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1131  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1132  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1133  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1134  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1135  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1136  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1137  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1138  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1139  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1140  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1141  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1142  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1143  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1144  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1145  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1146  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1147  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1148  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1149  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1150  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1151  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1152  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1153  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1154  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1155  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1156  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1157  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1158  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1159  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1160  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1161  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1162  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1163  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1164  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1165  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1166  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1167  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1168  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1169  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1170  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1171  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1172  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1173  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1174  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1175  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1176  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1177  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1178  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1179  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1180  0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
1181  0x01, 0x02, 0x03, 0x04
1182  };
1183 
1184  uint32_t dcerpc_request_len = sizeof(dcerpc_request);
1185 
1186  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1187 
1188  memset(&th_v, 0, sizeof(th_v));
1189  memset(&f, 0, sizeof(f));
1190  memset(&ssn, 0, sizeof(ssn));
1191 
1192  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1193 
1194  FLOW_INITIALIZE(&f);
1195  f.protoctx = (void *)&ssn;
1196  f.proto = IPPROTO_TCP;
1197  p->flow = &f;
1198  p->flowflags |= FLOW_PKT_TOSERVER;
1199  p->flowflags |= FLOW_PKT_ESTABLISHED;
1200  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1201  f.alproto = ALPROTO_DCERPC;
1202 
1203  StreamTcpInitConfig(true);
1204 
1205  de_ctx = DetectEngineCtxInit();
1206  FAIL_IF(de_ctx == NULL);
1207 
1208  de_ctx->flags |= DE_QUIET;
1209 
1210  s = de_ctx->sig_list = SigInit(de_ctx,
1211  "alert tcp any any -> any any "
1212  "(msg:\"DCERPC\"; "
1213  "dce_stub_data; content:\"|42 42 42 42|\";"
1214  "sid:1;)");
1215  FAIL_IF(s == NULL);
1216 
1217  SigGroupBuild(de_ctx);
1218  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1219 
1220  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1221  STREAM_TOSERVER | STREAM_START, dcerpc_request,
1222  dcerpc_request_len);
1223  FAIL_IF(r != 0);
1224 
1225  dcerpc_state = f.alstate;
1226  FAIL_IF (dcerpc_state == NULL);
1227 
1228  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1229  p->flowflags |= FLOW_PKT_TOSERVER;
1230  /* do detect */
1231  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1232  FAIL_IF(!PacketAlertCheck(p, 1));
1233 
1234  if (alp_tctx != NULL)
1235  AppLayerParserThreadCtxFree(alp_tctx);
1236  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1237  DetectEngineCtxFree(de_ctx);
1238  StreamTcpFreeConfig(true);
1239  FLOW_DESTROY(&f);
1240 
1241  UTHFreePackets(&p, 1);
1242  PASS;
1243 }
1244 
1245 static int DetectDceStubDataTestParse04(void)
1246 {
1247  int result = 0;
1248  Signature *s = NULL;
1249  ThreadVars th_v;
1250  Packet *p = NULL;
1251  Flow f;
1252  TcpSession ssn;
1253  DetectEngineThreadCtx *det_ctx = NULL;
1254  DetectEngineCtx *de_ctx = NULL;
1255  DCERPCState *dcerpc_state = NULL;
1256  int r = 0;
1257 
1258  uint8_t dcerpc_bind[] = {
1259  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
1260  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1261  0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
1262  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1263  0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
1264  0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
1265  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1266  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1267  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1268  };
1269 
1270  uint8_t dcerpc_bindack[] = {
1271  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
1272  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1273  0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
1274  0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
1275  0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
1276  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1277  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1278  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1279  0x02, 0x00, 0x00, 0x00,
1280  };
1281 
1282  uint8_t dcerpc_request1[] = {
1283  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1284  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1285  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1286  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1287  0x00, 0x00, 0x00, 0x02,
1288  };
1289 
1290  uint8_t dcerpc_response1[] = {
1291  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1292  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1293  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1294  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1295  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1296  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1297  };
1298 
1299  uint8_t dcerpc_request2[] = {
1300  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1301  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1302  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1303  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1304  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1305  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1306  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1307  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1308  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1309  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1310  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1311  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1312  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1313  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1314  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1315  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1316  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1317  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1318  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1319  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1320  0x03, 0x00, 0x00, 0x00,
1321  };
1322 
1323  uint8_t dcerpc_response2[] = {
1324  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1325  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1326  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1327  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1328  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1329  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1330  };
1331 
1332  uint8_t dcerpc_request3[] = {
1333  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1334  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1335  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1336  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1337  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1338  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1339  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1340  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1341  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1342  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1343  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1344  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1345  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1346  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1347  };
1348 
1349  uint8_t dcerpc_response3[] = {
1350  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1351  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1352  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1353  0x00, 0x00, 0x00, 0x00,
1354  };
1355 
1356  uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
1357  uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
1358 
1359  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1360  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1361 
1362  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1363  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1364 
1365  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1366  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1367 
1368  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1369 
1370  memset(&th_v, 0, sizeof(th_v));
1371  memset(&f, 0, sizeof(f));
1372  memset(&ssn, 0, sizeof(ssn));
1373 
1374  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1375 
1376  FLOW_INITIALIZE(&f);
1377  f.protoctx = (void *)&ssn;
1378  f.proto = IPPROTO_TCP;
1379  p->flow = &f;
1380  p->flowflags |= FLOW_PKT_TOSERVER;
1381  p->flowflags |= FLOW_PKT_ESTABLISHED;
1382  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1383  f.alproto = ALPROTO_DCERPC;
1384 
1385  StreamTcpInitConfig(true);
1386 
1387  de_ctx = DetectEngineCtxInit();
1388  if (de_ctx == NULL)
1389  goto end;
1390 
1391  de_ctx->flags |= DE_QUIET;
1392 
1393  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1394  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)");
1395  if (s == NULL)
1396  goto end;
1397  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1398  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)");
1399  if (s == NULL)
1400  goto end;
1401  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
1402  "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)");
1403  if (s == NULL)
1404  goto end;
1405 
1406  SigGroupBuild(de_ctx);
1407  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1408 
1409  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1410  STREAM_TOSERVER | STREAM_START, dcerpc_bind,
1411  dcerpc_bind_len);
1412  if (r != 0) {
1413  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1414  goto end;
1415  }
1416  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1417  p->flowflags |= FLOW_PKT_TOSERVER;
1418  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1419 
1420  dcerpc_state = f.alstate;
1421  if (dcerpc_state == NULL) {
1422  SCLogDebug("no dcerpc state: ");
1423  goto end;
1424  }
1425 
1426  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1427  STREAM_TOCLIENT, dcerpc_bindack,
1428  dcerpc_bindack_len);
1429  if (r != 0) {
1430  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1431  goto end;
1432  }
1433  p->flowflags &=~ FLOW_PKT_TOSERVER;
1434  p->flowflags |= FLOW_PKT_TOCLIENT;
1435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1436 
1437  /* request1 */
1438  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1439  STREAM_TOSERVER, dcerpc_request1,
1440  dcerpc_request1_len);
1441  if (r != 0) {
1442  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1443  goto end;
1444  }
1445 
1446  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1447  p->flowflags |= FLOW_PKT_TOSERVER;
1448  /* do detect */
1449  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1450 
1451  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1452  goto end;
1453 
1454  /* response1 */
1455  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1456  STREAM_TOCLIENT, dcerpc_response1,
1457  dcerpc_response1_len);
1458  if (r != 0) {
1459  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1460  goto end;
1461  }
1462 
1463  p->flowflags &=~ FLOW_PKT_TOSERVER;
1464  p->flowflags |= FLOW_PKT_TOCLIENT;
1465  /* do detect */
1466  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1467 
1468  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1469  goto end;
1470 
1471  /* request2 */
1472  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1473  STREAM_TOSERVER, dcerpc_request2,
1474  dcerpc_request2_len);
1475  if (r != 0) {
1476  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1477  goto end;
1478  }
1479 
1480  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1481  p->flowflags |= FLOW_PKT_TOSERVER;
1482  /* do detect */
1483  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1484 
1485  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1486  goto end;
1487 
1488  /* response2 */
1489  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1490  STREAM_TOCLIENT, dcerpc_response2,
1491  dcerpc_response2_len);
1492  if (r != 0) {
1493  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1494  goto end;
1495  }
1496 
1497  p->flowflags &=~ FLOW_PKT_TOSERVER;
1498  p->flowflags |= FLOW_PKT_TOCLIENT;
1499  /* do detect */
1500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1501 
1502  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1503  goto end;
1504  /* request3 */
1505  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1506  STREAM_TOSERVER, dcerpc_request3,
1507  dcerpc_request3_len);
1508  if (r != 0) {
1509  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1510  goto end;
1511  }
1512 
1513  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1514  p->flowflags |= FLOW_PKT_TOSERVER;
1515  /* do detect */
1516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1517 
1518  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1519  goto end;
1520 
1521  /* response3 */
1522  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1523  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1524  dcerpc_response3_len);
1525  if (r != 0) {
1526  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1527  goto end;
1528  }
1529 
1530  p->flowflags &=~ FLOW_PKT_TOSERVER;
1531  p->flowflags |= FLOW_PKT_TOCLIENT;
1532  /* do detect */
1533  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1534 
1535  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1536  goto end;
1537 
1538  result = 1;
1539 
1540  end:
1541  if (alp_tctx != NULL)
1542  AppLayerParserThreadCtxFree(alp_tctx);
1543  SigGroupCleanup(de_ctx);
1544  SigCleanSignatures(de_ctx);
1545 
1546  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1547  DetectEngineCtxFree(de_ctx);
1548 
1549  StreamTcpFreeConfig(true);
1550  FLOW_DESTROY(&f);
1551 
1552  UTHFreePackets(&p, 1);
1553  return result;
1554 }
1555 
1556 static int DetectDceStubDataTestParse05(void)
1557 {
1558  int result = 0;
1559  Signature *s = NULL;
1560  ThreadVars th_v;
1561  Packet *p = NULL;
1562  Flow f;
1563  TcpSession ssn;
1564  DetectEngineThreadCtx *det_ctx = NULL;
1565  DetectEngineCtx *de_ctx = NULL;
1566  DCERPCState *dcerpc_state = NULL;
1567  int r = 0;
1568 
1569  uint8_t dcerpc_request1[] = {
1570  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1571  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1572  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1573  0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
1574  0x00, 0x00, 0x00, 0x02,
1575  };
1576 
1577  uint8_t dcerpc_response1[] = {
1578  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1579  0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1580  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1581  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1582  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1583  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1584  };
1585 
1586  uint8_t dcerpc_request2[] = {
1587  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1588  0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1589  0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
1590  0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
1591  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1592  0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
1593  0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
1594  0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
1595  0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
1596  0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
1597  0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
1598  0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
1599  0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
1600  0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
1601  0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
1602  0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
1603  0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
1604  0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
1605  0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
1606  0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1607  0x03, 0x00, 0x00, 0x00,
1608  };
1609 
1610  uint8_t dcerpc_response2[] = {
1611  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1612  0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
1613  0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1614  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1615  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1616  0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
1617  };
1618 
1619  uint8_t dcerpc_request3[] = {
1620  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
1621  0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1622  0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
1623  0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
1624  0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
1625  0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
1626  0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
1627  0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
1628  0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
1629  0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1630  0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
1631  0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
1632  0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
1633  0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1634  };
1635 
1636  uint8_t dcerpc_response3[] = {
1637  0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
1638  0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
1639  0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1640  0x00, 0x00, 0x00, 0x00,
1641  };
1642 
1643  uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
1644  uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
1645 
1646  uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
1647  uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
1648 
1649  uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
1650  uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
1651 
1652  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1653 
1654  memset(&th_v, 0, sizeof(th_v));
1655  memset(&f, 0, sizeof(f));
1656  memset(&ssn, 0, sizeof(ssn));
1657 
1658  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1659 
1660  FLOW_INITIALIZE(&f);
1661  f.protoctx = (void *)&ssn;
1662  f.proto = IPPROTO_TCP;
1663  p->flow = &f;
1664  p->flowflags |= FLOW_PKT_TOSERVER;
1665  p->flowflags |= FLOW_PKT_ESTABLISHED;
1666  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1667  f.alproto = ALPROTO_DCERPC;
1668 
1669  StreamTcpInitConfig(true);
1670 
1671  de_ctx = DetectEngineCtxInit();
1672  if (de_ctx == NULL)
1673  goto end;
1674 
1675  de_ctx->flags |= DE_QUIET;
1676 
1677  s = de_ctx->sig_list = SigInit(de_ctx,
1678  "alert tcp any any -> any any "
1679  "(msg:\"DCERPC\"; "
1680  "dce_stub_data; content:\"|00 02|\"; "
1681  "sid:1;)");
1682  if (s == NULL)
1683  goto end;
1684  s = de_ctx->sig_list->next = SigInit(de_ctx,
1685  "alert tcp any any -> any any "
1686  "(msg:\"DCERPC\"; "
1687  "dce_stub_data; content:\"|00 75|\"; "
1688  "sid:2;)");
1689  if (s == NULL)
1690  goto end;
1691  s = de_ctx->sig_list->next->next = SigInit(de_ctx,
1692  "alert tcp any any -> any any "
1693  "(msg:\"DCERPC\"; "
1694  "dce_stub_data; content:\"|00 18|\"; "
1695  "sid:3;)");
1696  if (s == NULL)
1697  goto end;
1698 
1699  SigGroupBuild(de_ctx);
1700  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1701 
1702  /* request1 */
1703  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1704  STREAM_TOSERVER | STREAM_START, dcerpc_request1,
1705  dcerpc_request1_len);
1706  if (r != 0) {
1707  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1708  goto end;
1709  }
1710 
1711  dcerpc_state = f.alstate;
1712  if (dcerpc_state == NULL) {
1713  SCLogDebug("no dcerpc state: ");
1714  goto end;
1715  }
1716 
1717  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1718  p->flowflags |= FLOW_PKT_TOSERVER;
1719  /* do detect */
1720  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1721 
1722  if (!PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1723  goto end;
1724 
1725  /* response1 */
1726  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1727  STREAM_TOCLIENT, dcerpc_response1,
1728  dcerpc_response1_len);
1729  if (r != 0) {
1730  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1731  goto end;
1732  }
1733 
1734  p->flowflags &=~ FLOW_PKT_TOSERVER;
1735  p->flowflags |= FLOW_PKT_TOCLIENT;
1736  /* do detect */
1737  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1738 
1739  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1740  goto end;
1741 
1742  /* request2 */
1743  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1744  STREAM_TOSERVER, dcerpc_request2,
1745  dcerpc_request2_len);
1746  if (r != 0) {
1747  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1748  goto end;
1749  }
1750 
1751  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1752  p->flowflags |= FLOW_PKT_TOSERVER;
1753  /* do detect */
1754  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1755 
1756  if (PacketAlertCheck(p, 1) || !PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1757  goto end;
1758 
1759  /* response2 */
1760  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1761  STREAM_TOCLIENT, dcerpc_response2,
1762  dcerpc_response2_len);
1763  if (r != 0) {
1764  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1765  goto end;
1766  }
1767 
1768  p->flowflags &=~ FLOW_PKT_TOSERVER;
1769  p->flowflags |= FLOW_PKT_TOCLIENT;
1770  /* do detect */
1771  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1772 
1773  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || PacketAlertCheck(p, 3))
1774  goto end;
1775 
1776  /* request3 */
1777  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1778  STREAM_TOSERVER, dcerpc_request3,
1779  dcerpc_request3_len);
1780  if (r != 0) {
1781  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1782  goto end;
1783  }
1784 
1785  p->flowflags &=~ FLOW_PKT_TOCLIENT;
1786  p->flowflags |= FLOW_PKT_TOSERVER;
1787  /* do detect */
1788  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1789 
1790  if (PacketAlertCheck(p, 1) || PacketAlertCheck(p, 2) || !PacketAlertCheck(p, 3))
1791  goto end;
1792 
1793  /* response3 */
1794  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1795  STREAM_TOCLIENT | STREAM_EOF, dcerpc_response3,
1796  dcerpc_response3_len);
1797  if (r != 0) {
1798  SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
1799  goto end;
1800  }
1801 
1802  p->flowflags &=~ FLOW_PKT_TOSERVER;
1803  p->flowflags |= FLOW_PKT_TOCLIENT;
1804  /* do detect */
1805  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1806 
1807  if (PacketAlertCheck(p, 1))
1808  goto end;
1809 
1810  result = 1;
1811 
1812  end:
1813  if (alp_tctx != NULL)
1814  AppLayerParserThreadCtxFree(alp_tctx);
1815 
1816  SigGroupCleanup(de_ctx);
1817  SigCleanSignatures(de_ctx);
1818 
1819  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1820  DetectEngineCtxFree(de_ctx);
1821 
1822  StreamTcpFreeConfig(true);
1823  FLOW_DESTROY(&f);
1824 
1825  UTHFreePackets(&p, 1);
1826  return result;
1827 }
1828 
1829 // invalid signature because of invalid protocol
1830 static int DetectDceStubDataTestParse06(void)
1831 {
1832  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1833  FAIL_IF_NULL(de_ctx);
1834  de_ctx->flags = DE_QUIET;
1835  Signature *s = DetectEngineAppendSig(de_ctx,
1836  "alert dns any any -> any any dce_stub_data;content:\"0\";");
1837  FAIL_IF_NOT_NULL(s);
1838  DetectEngineCtxFree(de_ctx);
1839  PASS;
1840 }
1841 
1842 static void DetectDceStubDataRegisterTests(void)
1843 {
1844  UtRegisterTest("DetectDceStubDataTestParse02",
1845  DetectDceStubDataTestParse02);
1846  UtRegisterTest("DetectDceStubDataTestParse03",
1847  DetectDceStubDataTestParse03);
1848  UtRegisterTest("DetectDceStubDataTestParse04",
1849  DetectDceStubDataTestParse04);
1850  UtRegisterTest("DetectDceStubDataTestParse05",
1851  DetectDceStubDataTestParse05);
1852  UtRegisterTest("DetectDceStubDataTestParse06",
1853  DetectDceStubDataTestParse06);
1854 }
1855 #endif
DetectDceStubDataRegister
void DetectDceStubDataRegister(void)
Registers the keyword handlers for the "dce_stub_data" keyword.
Definition: detect-dce-stub-data.c:118
SigTableElmt_::url
const char * url
Definition: detect.h:1462
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1676
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1266
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2057
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1459
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:391
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
Packet_::flags
uint32_t flags
Definition: decode.h:544
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1450
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2229
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
Flow_::protoctx
void * protoctx
Definition: flow.h:441
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:45
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1277
detect-dce-stub-data.h
Signature_::next
struct Signature_ * next
Definition: detect.h:750
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:271
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1584
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3095
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2275
DETECT_DCE_STUB_DATA
@ DETECT_DCE_STUB_DATA
Definition: detect-engine-register.h:219
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
queue.h
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:234
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
SigTableElmt_::alias
const char * alias
Definition: detect.h:1460
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
Flow_::alstate
void * alstate
Definition: flow.h:479
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-dce-stub-data.c:61
InspectionBufferSetupAndApplyTransforms
void InspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:235
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1651
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:272
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:44
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1262
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456