From 128bdef2cbcb0af6e6cba4eab513dea02e2aa8de Mon Sep 17 00:00:00 2001
From: Kirby Kuehl
Date: Sun, 31 Jan 2010 10:59:29 -0600
Subject: [PATCH] refactor dcerpc in prep for dcerpc over smb
---
 src/app-layer-dcerpc-common.h | 175 +++++
 src/app-layer-dcerpc.c | 766 ++++++++++----------
 src/app-layer-dcerpc.h | 149 +---
 src/detect-dce-iface.c | 677 +++++++++++++++++-
 src/detect-dce-iface.h | 3 +-
 src/detect-dce-opnum.c | 1634 ++++++++++++++++++++++++++++++++++++++++-
 src/detect-dce-opnum.h | 6 +-
 src/detect-dce-stub-data.c | 1611 ++++++++++++++++++++++++++++++++++++++++-
 8 files changed, 4465 insertions(+), 556 deletions(-)
 create mode 100644 src/app-layer-dcerpc-common.h
diff --git a/src/app-layer-dcerpc-common.h b/src/app-layer-dcerpc-common.h
new file mode 100644
index 0000000..a1e3f0b
--- /dev/null
+++ b/src/app-layer-dcerpc-common.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 2009,2010 Open Information Security Foundation
+ * app-layer-dcerpc.h
+ *
+ * \author Kirby Kuehl
+ */
+
+#ifndef APPLAYERDCERPCCOMMON_H_
+#define APPLAYERDCERPCCOMMON_H_
+#include "app-layer-protos.h"
+#include "app-layer-parser.h"
+#include "flow.h"
+#include "queue.h"
+#include "util-byte.h"
+
+void RegisterDCERPCParsers(void);
+void DCERPCParserTests(void);
+void DCERPCParserRegisterTests(void);
+
+// http://www.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06
+#define REQUEST 0
+#define PING 1
+#define RESPONSE 2
+#define FAULT 3
+#define WORKING 4
+#define NOCALL 5
+#define REJECT 6
+#define ACK 7
+#define CL_CANCEL 8
+#define FACK 9
+#define CANCEL_ACK 10
+#define BIND 11
+#define BIND_ACK 12
+#define BIND_NAK 13
+#define ALTER_CONTEXT 14
+#define ALTER_CONTEXT_RESP 15
+#define SHUTDOWN 17
+#define CO_CANCEL 18
+#define ORPHANED 19
+#if 0
+typedef struct {
+ uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/
+ uint8_t ptype; /* Packet type (5 LSB only) */
+ uint8_t flags1; /* Packet flags */
+ uint8_t flags2; /* Packet flags */
+ uint8_t drep[3]; /* Data representation format label */
+ uint8_t serial_hi; /* High byte of serial number */
+ uuid_t object; /* Object identifier */
+ uuid_t if_id; /* Interface identifier */
+ uuid_t act_id; /* Activity identifier */
+ unsigned long server_boot;/* Server boot time */
+ unsigned long if_vers; /* Interface version */
+ unsigned long seqnum; /* Sequence number */
+ unsigned short opnum; /* Operation number */
+ unsigned short ihint; /* Interface hint */
+ unsigned short ahint; /* Activity hint */
+ unsigned short len; /* Length of packet body */
+ unsigned short fragnum; /* Fragment number */
+ unsigned small auth_proto; /* Authentication protocol identifier*/
+ unsigned small serial_lo; /* Low byte of serial number */
+} dc_rpc_cl_pkt_hdr_t;
+#endif
+
+#define RESERVED_01 0x01
+#define LASTFRAG 0x02
+#define FRAG 0x04
+#define NOFACK 0x08
+#define MAYBE 0x10
+#define IDEMPOTENT 0x20
+#define BROADCAST 0x40
+#define RESERVED_80 0x80
+
+#define CANCEL_PENDING 0x02
+#define RESERVED_04 0x04
+#define RESERVED_10 0x10
+#define RESERVED_20 0x20
+#define RESERVED_40 0x40
+#define RESERVED_80 0x80
+
+typedef struct dcerpc_hdr_ {
+ uint8_t rpc_vers; /* 00:01 RPC version should be 5 */
+ uint8_t rpc_vers_minor; /* 01:01 minor version */
+ uint8_t type; /* 02:01 packet type */
+ uint8_t pfc_flags; /* 03:01 flags (see PFC_... ) */
+ uint8_t packed_drep[4]; /* 04:04 NDR data representation format label */
+ uint16_t frag_length; /* 08:02 total length of fragment */
+ uint16_t auth_length; /* 10:02 length of auth_value */
+ uint32_t call_id; /* 12:04 call identifier */
+}DCERPCHdr;
+
+#define DCERPC_HDR_LEN 16
+
+struct uuid_entry {
+ uint16_t ctxid;
+ uint16_t result;
+ uint8_t uuid[16];
+ uint16_t version;
+ uint16_t versionminor;
+ TAILQ_ENTRY(uuid_entry) next;
+};
+
+typedef struct dcerpc_bind_bind_ack_ {
+ uint8_t numctxitems;
+ uint8_t numctxitemsleft;
+ uint8_t ctxbytesprocessed;
+ uint16_t ctxid;
+ uint8_t uuid[16];
+ uint16_t version;
+ uint16_t versionminor;
+ struct uuid_entry *uuid_entry;
+ TAILQ_HEAD(, uuid_entry) uuid_list;
+ uint16_t secondaryaddrlen;
+ uint16_t secondaryaddrlenleft;
+ uint16_t result;
+}DCERPCBindBindAck;
+
+typedef struct dcerpc_request_ {
+ uint16_t opnum;
+ uint8_t *stub_data;
+}DCERPCRequest;
+
+
+typedef struct DCERPC_ {
+ DCERPCHdr dcerpchdr;
+ DCERPCBindBindAck dcerpcbindbindack;
+ DCERPCRequest dcerpcrequest;
+ uint16_t bytesprocessed;
+ uint8_t pad;
+ uint8_t padleft;
+}DCERPC;
+
+
+#define PFC_FIRST_FRAG 0x01/* First fragment */
+#define PFC_LAST_FRAG 0x02/* Last fragment */
+#define PFC_PENDING_CANCEL 0x04/* Cancel was pending at sender */
+#define PFC_RESERVED_1 0x08
+#define PFC_CONC_MPX 0x10/* supports concurrent multiplexing
+ * of a single connection. */
+#define PFC_DID_NOT_EXECUTE 0x20/* only meaningful on `fault' packet;
+ * if true, guaranteed call did not
+ * execute. */
+#define PFC_MAYBE 0x40/* `maybe' call semantics requested */
+#define PFC_OBJECT_UUID 0x80/* if true, a non-nil object UUID
+ * was specified in the handle, and
+ * is present in the optional object
+ * field. If false, the object field
+ * is omitted. */
+#define REASON_NOT_SPECIFIED 0
+#define TEMPORARY_CONGESTION 1
+#define LOCAL_LIMIT_EXCEEDED 2
+#define CALLED_PADDR_UNKNOWN 3 /* not used */
+#define PROTOCOL_VERSION_NOT_SUPPORTED 4
+#define DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */
+#define USER_DATA_NOT_READABLE 6 /* not used */
+#define NO_PSAP_AVAILABLE 7 /* not used */
+/*
+ typedef uint16_t p_context_id_t;
+ typedef struct {
+ uuid_t if_uuid;
+ uint32_t if_version;
+ } p_syntax_id_t;
+
+ typedef struct {
+ p_context_id_t p_cont_id;
+ uint8_t n_transfer_syn; // number of items
+ uint8_t reserved; // alignment pad, m.b.z.
+ p_syntax_id_t abstract_syntax; // transfer syntax list
+ p_syntax_id_t [size_is(n_transfer_syn)] transfer_syntaxes[];
+ } p_cont_elem_t;
+ */
+
+int DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len);
+
+#endif /* APPLAYERDCERPCCOMMON_H_ */
+
diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index a9d6c57..7c1bf85 100644
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -36,7 +36,7 @@ enum {
 DCERPC_FIELD_MAX,
 };
 
-#if 0
+#ifdef UNITTESTS
 /* \brief hexdump function from libdnet, used for debugging only */
 void hexdump(const void *buf, size_t len) {
 /* dumps len bytes of *buf to stdout. Looks like:
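Review bot: `RESERVED_80` is defined twice in the new header, once in the flags1 group after `BROADCAST` and again in the flags2 group; the second definition is identical so it compiles silently, but it hides which flag byte each belongs to, so give the two groups distinct prefixes the way the `PFC_` group already has. The packet-type and reject-reason macros (`REQUEST`, `RESPONSE`, `FAULT`, `ACK`, `BIND`, `SHUTDOWN`, ...) are likewise unprefixed in a header that the detect modules now include, and any other `ACK` or `FAULT` macro in those translation units would be a silent redefinition. `DCERPCRequest.stub_data` is a bare pointer with no length beside it, and StubDataParser in this same commit assigns it straight from the parser's `input` argument; add at least `/* points into the input buffer of the DCERPCParser() call that set it; length is not recorded */` or, better, a length field. The file comment still names `app-layer-dcerpc.h`.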
@@ -116,52 +116,43 @@ void printUUID(char *type, struct uuid_entry *uuid) { * \brief DCERPCParseSecondaryAddr reads secondaryaddrlen bytes from the BIND_ACK * DCERPC call. */ -static uint32_t DCERPCParseSecondaryAddr(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseSecondaryAddr(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; - while (sstate->secondaryaddrlenleft-- && input_len--) { + while (dcerpc->dcerpcbindbindack.secondaryaddrlenleft-- && input_len--) { SCLogDebug("0x%02x ", *p); p++; } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static uint32_t PaddingParser(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t PaddingParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; - while (sstate->padleft-- && input_len--) { + while (dcerpc->padleft-- && input_len--) { SCLogDebug("0x%02x ", *p); p++; } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCGetCTXItems(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { - switch (sstate->ctxbytesprocessed) { + switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) { case 0: if (input_len >= 4) { - sstate->numctxitems = *p; - sstate->numctxitemsleft = sstate->numctxitems; - sstate->ctxbytesprocessed += 4; - 
sstate->bytesprocessed += 4; + dcerpc->dcerpcbindbindack.numctxitems = *p; + dcerpc->dcerpcbindbindack.numctxitemsleft = dcerpc->dcerpcbindbindack.numctxitems; + dcerpc->dcerpcbindbindack.ctxbytesprocessed += 4; + dcerpc->bytesprocessed += 4; SCReturnUInt(4U); } else { - sstate->numctxitems = *(p++); - sstate->numctxitemsleft = sstate->numctxitems; + dcerpc->dcerpcbindbindack.numctxitems = *(p++); + dcerpc->dcerpcbindbindack.numctxitemsleft = dcerpc->dcerpcbindbindack.numctxitems; if (!(--input_len)) break; } @@ -179,8 +170,8 @@ static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, break; } } - sstate->ctxbytesprocessed += (p - input); - sstate->bytesprocessed += (p - input); + dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } 
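Review bot: The loop condition `while (dcerpc->dcerpcbindbindack.secondaryaddrlenleft-- && input_len--)` in DCERPCParseSecondaryAddr decrements the counter on the iteration that terminates the loop as well, so `secondaryaddrlenleft` (a uint16_t) wraps to 0xFFFF once it reaches zero, and when the input runs out first the persisted counter ends one lower than the bytes actually consumed; PaddingParser's `padleft--` just below has the same shape, as does StubDataParser in the hunk at -821. Test first and decrement inside: `while (dcerpc->dcerpcbindbindack.secondaryaddrlenleft != 0 && input_len != 0) {` with `dcerpc->dcerpcbindbindack.secondaryaddrlenleft--;` and `input_len--;` as the first two statements of the body. The returned byte count is unaffected; only the state that survives into the next call is.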
@@ -189,71 +180,68 @@ static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, * each UUID is added to a TAILQ. */ -static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { - switch (sstate->ctxbytesprocessed) { + switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) { case 0: if (input_len >= 44) { - sstate->ctxid = *(p); - sstate->ctxid |= *(p + 1) << 8; - sstate->uuid[3] = *(p + 4); - sstate->uuid[2] = *(p + 5); - sstate->uuid[1] = *(p + 6); - sstate->uuid[0] = *(p + 7); - sstate->uuid[5] = *(p + 8); - sstate->uuid[4] = *(p + 9); - sstate->uuid[7] = *(p + 10); - sstate->uuid[6] = *(p + 11); - sstate->uuid[8] = *(p + 12); - sstate->uuid[9] = *(p + 13); - sstate->uuid[10] = *(p + 14); - sstate->uuid[11] = *(p + 15); - sstate->uuid[12] = *(p + 16); - sstate->uuid[13] = *(p + 17); - sstate->uuid[14] = *(p + 18); - sstate->uuid[15] = *(p + 19); - sstate->version = *(p + 20); - sstate->version |= *(p + 21) << 8; - sstate->versionminor = *(p + 22); - sstate->versionminor |= *(p + 23) << 8; - if (sstate->ctxid == sstate->numctxitems - - sstate->numctxitemsleft) { - sstate->uuid_entry = (struct uuid_entry *) calloc(1, + dcerpc->dcerpcbindbindack.ctxid = *(p); + dcerpc->dcerpcbindbindack.ctxid |= *(p + 1) << 8; + dcerpc->dcerpcbindbindack.uuid[3] = *(p + 4); + dcerpc->dcerpcbindbindack.uuid[2] = *(p + 5); + dcerpc->dcerpcbindbindack.uuid[1] = *(p + 6); + dcerpc->dcerpcbindbindack.uuid[0] = *(p + 7); + dcerpc->dcerpcbindbindack.uuid[5] = *(p + 8); + dcerpc->dcerpcbindbindack.uuid[4] = *(p + 9); + dcerpc->dcerpcbindbindack.uuid[7] = *(p + 10); + dcerpc->dcerpcbindbindack.uuid[6] = *(p + 11); + dcerpc->dcerpcbindbindack.uuid[8] = *(p + 12); + 
dcerpc->dcerpcbindbindack.uuid[9] = *(p + 13); + dcerpc->dcerpcbindbindack.uuid[10] = *(p + 14); + dcerpc->dcerpcbindbindack.uuid[11] = *(p + 15); + dcerpc->dcerpcbindbindack.uuid[12] = *(p + 16); + dcerpc->dcerpcbindbindack.uuid[13] = *(p + 17); + dcerpc->dcerpcbindbindack.uuid[14] = *(p + 18); + dcerpc->dcerpcbindbindack.uuid[15] = *(p + 19); + dcerpc->dcerpcbindbindack.version = *(p + 20); + dcerpc->dcerpcbindbindack.version |= *(p + 21) << 8; + dcerpc->dcerpcbindbindack.versionminor = *(p + 22); + dcerpc->dcerpcbindbindack.versionminor |= *(p + 23) << 8; + if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems + - dcerpc->dcerpcbindbindack.numctxitemsleft) { + dcerpc->dcerpcbindbindack.uuid_entry = (struct uuid_entry *) calloc(1, sizeof(struct uuid_entry)); - if (sstate->uuid_entry == NULL) { + if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) { SCReturnUInt(0); } else { - memcpy(sstate->uuid_entry->uuid, sstate->uuid, - sizeof(sstate->uuid)); - sstate->uuid_entry->ctxid = sstate->ctxid; - sstate->uuid_entry->version = sstate->version; - sstate->uuid_entry->versionminor = sstate->versionminor; - TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry, + memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid, dcerpc->dcerpcbindbindack.uuid, + sizeof(dcerpc->dcerpcbindbindack.uuid)); + dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid; + dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version; + dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor; + TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list, dcerpc->dcerpcbindbindack.uuid_entry, next); - //printUUID("BIND", sstate->uuid_entry); - sstate->numctxitemsleft--; - sstate->bytesprocessed += (44); - sstate->ctxbytesprocessed += (44); + //printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry); + dcerpc->dcerpcbindbindack.numctxitemsleft--; + dcerpc->bytesprocessed += (44); + 
dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44); SCReturnUInt(44U); } } else { - SCLogDebug("ctxitem %u, expected %u\n", sstate->ctxid, - sstate->numctxitems - sstate->numctxitemsleft); + SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid, + dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft); SCReturnUInt(0); } } else { - sstate->ctxid = *(p++); + dcerpc->dcerpcbindbindack.ctxid = *(p++); if (!(--input_len)) break; } case 1: - sstate->ctxid |= *(p++) << 8; + dcerpc->dcerpcbindbindack.ctxid |= *(p++) << 8; if (!(--input_len)) break; case 2: 
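Review bot: The block that callocs a `uuid_entry`, copies `uuid`, `ctxid`, `version` and `versionminor` into it and inserts it at the list head appears verbatim twice in DCERPCParseBINDCTXItem, here in the case 0 fast path and again in case 43 (hunk at -425), so any later fix has to be applied in both places. Factor it into one `static` helper taking `DCERPC *` that returns 0 on allocation failure and 1 otherwise, drop the cast on calloc while at it and use `sizeof *entry`. DCERPCParseBINDCTXItem continues past this hunk.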
@@ -267,83 +255,83 @@ static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, if (!(--input_len)) break; case 4: - sstate->uuid[3] = *(p++); + dcerpc->dcerpcbindbindack.uuid[3] = *(p++); if (!(--input_len)) break; case 5: - sstate->uuid[2] = *(p++); + dcerpc->dcerpcbindbindack.uuid[2] = *(p++); if (!(--input_len)) break; case 6: - sstate->uuid[1] = *(p++); + dcerpc->dcerpcbindbindack.uuid[1] = *(p++); if (!(--input_len)) break; case 7: - sstate->uuid[0] = *(p++); + dcerpc->dcerpcbindbindack.uuid[0] = *(p++); if (!(--input_len)) break; case 8: - sstate->uuid[5] = *(p++); + dcerpc->dcerpcbindbindack.uuid[5] = *(p++); if (!(--input_len)) break; case 9: - sstate->uuid[4] = *(p++); + dcerpc->dcerpcbindbindack.uuid[4] = *(p++); if (!(--input_len)) break; case 10: - sstate->uuid[7] = *(p++); + dcerpc->dcerpcbindbindack.uuid[7] = *(p++); if (!(--input_len)) break; case 11: - sstate->uuid[6] = *(p++); + dcerpc->dcerpcbindbindack.uuid[6] = *(p++); if (!(--input_len)) break; case 12: - sstate->uuid[8] = *(p++); + dcerpc->dcerpcbindbindack.uuid[8] = *(p++); if (!(--input_len)) break; case 13: - sstate->uuid[9] = *(p++); + dcerpc->dcerpcbindbindack.uuid[9] = *(p++); if (!(--input_len)) break; case 14: - sstate->uuid[10] = *(p++); + dcerpc->dcerpcbindbindack.uuid[10] = *(p++); if (!(--input_len)) break; case 15: - sstate->uuid[11] = *(p++); + dcerpc->dcerpcbindbindack.uuid[11] = *(p++); if (!(--input_len)) break; case 16: - sstate->uuid[12] = *(p++); + dcerpc->dcerpcbindbindack.uuid[12] = *(p++); if (!(--input_len)) break; case 17: - sstate->uuid[13] = *(p++); + dcerpc->dcerpcbindbindack.uuid[13] = *(p++); if (!(--input_len)) break; case 18: - sstate->uuid[14] = *(p++); + dcerpc->dcerpcbindbindack.uuid[14] = *(p++); if (!(--input_len)) break; case 19: - sstate->uuid[15] = *(p++); + dcerpc->dcerpcbindbindack.uuid[15] = *(p++); if (!(--input_len)) break; case 20: - sstate->version = *(p++); + dcerpc->dcerpcbindbindack.version = *(p++); if (!(--input_len)) break; case 
21: - sstate->version |= *(p++); + dcerpc->dcerpcbindbindack.version |= *(p++); if (!(--input_len)) break; case 22: - sstate->versionminor = *(p++); + dcerpc->dcerpcbindbindack.versionminor = *(p++); if (!(--input_len)) break; case 23: - sstate->versionminor |= *(p++); + dcerpc->dcerpcbindbindack.versionminor |= *(p++); if (!(--input_len)) break; case 24: 
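Review bot: In the byte-at-a-time path, case 21 `dcerpc->dcerpcbindbindack.version |= *(p++);` and case 23 `dcerpc->dcerpcbindbindack.versionminor |= *(p++);` OR the high byte in without shifting it, while the 44-byte fast path in the hunk at -189 uses `*(p + 21) << 8` and `*(p + 23) << 8`; a context item split across two input chunks therefore records a different `version` than the same item delivered whole, and `uuid_entry->version` is presumably what the interface matching keys on. Change them to `dcerpc->dcerpcbindbindack.version |= *(p++) << 8;` and `dcerpc->dcerpcbindbindack.versionminor |= *(p++) << 8;`. The commit only renames the state here, so the defect predates it; DCERPCParseBINDCTXItem starts and ends outside this hunk.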
@@ -425,35 +413,35 @@ static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, case 43: p++; --input_len; - if (sstate->ctxid == sstate->numctxitems - sstate->numctxitemsleft) { - sstate->uuid_entry = (struct uuid_entry *) calloc(1, + if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft) { + dcerpc->dcerpcbindbindack.uuid_entry = (struct uuid_entry *) calloc(1, sizeof(struct uuid_entry)); - if (sstate->uuid_entry == NULL) { + if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) { SCReturnUInt(0); } else { - memcpy(sstate->uuid_entry->uuid, sstate->uuid, - sizeof(sstate->uuid)); - sstate->uuid_entry->ctxid = sstate->ctxid; - sstate->uuid_entry->version = sstate->version; - sstate->uuid_entry->versionminor = sstate->versionminor; - TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry, + memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid, dcerpc->dcerpcbindbindack.uuid, + sizeof(dcerpc->dcerpcbindbindack.uuid)); + dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid; + dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version; + dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor; + TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list, dcerpc->dcerpcbindbindack.uuid_entry, next); - //printUUID("BIND", sstate->uuid_entry); - sstate->numctxitemsleft--; - sstate->bytesprocessed += (44); - sstate->ctxbytesprocessed += (44); + //printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry); + dcerpc->dcerpcbindbindack.numctxitemsleft--; + dcerpc->bytesprocessed += (44); + dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44); SCReturnUInt(44U); } } else { - SCLogDebug("ctxitem %u, expected %u\n", sstate->ctxid, - sstate->numctxitems - sstate->numctxitemsleft); + SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid, + dcerpc->dcerpcbindbindack.numctxitems - 
dcerpc->dcerpcbindbindack.numctxitemsleft); SCReturnUInt(0); } break; } } - sstate->ctxbytesprocessed += (p - input); - sstate->bytesprocessed += (p - input); + dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } 
@@ -462,39 +450,36 @@ static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, * the BIND_ACK call. The result (Accepted or Rejected) is added to the * correct UUID from the BIND call. */ -static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseBINDACKCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; struct uuid_entry *uuid_entry; if (input_len) { - switch (sstate->ctxbytesprocessed) { + switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) { case 0: if (input_len >= 24) { - sstate->result = *p; - sstate->result |= *(p + 1) << 8; - TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) { - if (uuid_entry->ctxid == sstate->numctxitems - - sstate->numctxitemsleft) { - uuid_entry->result = sstate->result; + dcerpc->dcerpcbindbindack.result = *p; + dcerpc->dcerpcbindbindack.result |= *(p + 1) << 8; + TAILQ_FOREACH(uuid_entry, &dcerpc->dcerpcbindbindack.uuid_list, next) { + if (uuid_entry->ctxid == dcerpc->dcerpcbindbindack.numctxitems + - dcerpc->dcerpcbindbindack.numctxitemsleft) { + uuid_entry->result = dcerpc->dcerpcbindbindack.result; //printUUID("BIND_ACK", uuid_entry); break; } } - sstate->numctxitemsleft--; - sstate->bytesprocessed += (24); - sstate->ctxbytesprocessed += (24); + dcerpc->dcerpcbindbindack.numctxitemsleft--; + dcerpc->bytesprocessed += (24); + dcerpc->dcerpcbindbindack.ctxbytesprocessed += (24); SCReturnUInt(24U); } else { - sstate->result = *(p++); + dcerpc->dcerpcbindbindack.result = *(p++); if (!(--input_len)) break; } case 1: - sstate->result |= *(p++) << 8; + dcerpc->dcerpcbindbindack.result |= *(p++) << 8; if (!(--input_len)) break; case 2: 
@@ -584,41 +569,38 @@ static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, if (!(--input_len)) break; case 23: - TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) { - if (uuid_entry->ctxid == sstate->numctxitems - - sstate->numctxitemsleft) { - uuid_entry->result = sstate->result; + TAILQ_FOREACH(uuid_entry, &dcerpc->dcerpcbindbindack.uuid_list, next) { + if (uuid_entry->ctxid == dcerpc->dcerpcbindbindack.numctxitems + - dcerpc->dcerpcbindbindack.numctxitemsleft) { + uuid_entry->result = dcerpc->dcerpcbindbindack.result; //printUUID("BIND_ACK", uuid_entry); break; } } - sstate->numctxitemsleft--; + dcerpc->dcerpcbindbindack.numctxitemsleft--; p++; --input_len; break; } } - sstate->ctxbytesprocessed += (p - input); - sstate->bytesprocessed += (p - input); + dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseBIND(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { - switch (sstate->bytesprocessed) { + switch (dcerpc->bytesprocessed) { case 16: - sstate->numctxitems = 0; + dcerpc->dcerpcbindbindack.numctxitems = 0; if (input_len >= 12) { - TAILQ_INIT(&sstate->uuid_list); - sstate->numctxitems = *(p + 8); - sstate->numctxitemsleft = sstate->numctxitems; - sstate->bytesprocessed += 12; + TAILQ_INIT(&dcerpc->dcerpcbindbindack.uuid_list); + dcerpc->dcerpcbindbindack.numctxitems = *(p + 8); + dcerpc->dcerpcbindbindack.numctxitemsleft = dcerpc->dcerpcbindbindack.numctxitems; + dcerpc->bytesprocessed += 12; SCReturnUInt(12U); } else { /* max_xmit_frag */ 
@@ -662,9 +644,9 @@ static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, if (!(--input_len)) break; case 24: - sstate->numctxitems = *(p++); - sstate->numctxitemsleft = sstate->numctxitems; - TAILQ_INIT(&sstate->uuid_list); + dcerpc->dcerpcbindbindack.numctxitems = *(p++); + dcerpc->dcerpcbindbindack.numctxitemsleft = dcerpc->dcerpcbindbindack.numctxitems; + TAILQ_INIT(&dcerpc->dcerpcbindbindack.uuid_list); if (!(--input_len)) break; case 25: @@ -684,30 +666,27 @@ static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, break; } } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseBINDACK(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; - switch (sstate->bytesprocessed) { + switch (dcerpc->bytesprocessed) { case 16: - sstate->numctxitems = 0; + dcerpc->dcerpcbindbindack.numctxitems = 0; if (input_len >= 10) { - if (sstate->dcerpc.packed_drep[0] == 0x10) { - sstate->secondaryaddrlen = *(p + 8); - sstate->secondaryaddrlen |= *(p + 9) << 8; + if (dcerpc->dcerpchdr.packed_drep[0] == 0x10) { + dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p + 8); + dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p + 9) << 8; } else { - sstate->secondaryaddrlen = *(p + 8) << 8; - sstate->secondaryaddrlen |= *(p + 9); + dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p + 8) << 8; + dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p + 9); } - sstate->secondaryaddrlenleft = sstate->secondaryaddrlen; - sstate->bytesprocessed += 10; + dcerpc->dcerpcbindbindack.secondaryaddrlenleft = dcerpc->dcerpcbindbindack.secondaryaddrlen; + dcerpc->bytesprocessed += 10; SCReturnUInt(10U); } else { /* max_xmit_frag */ 
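Review bot: `TAILQ_INIT(&dcerpc->dcerpcbindbindack.uuid_list)` in DCERPCParseBIND case 16 (and again in case 24 in the next hunk) re-initialises the list head on every BIND/ALTER_CONTEXT PDU without releasing the `uuid_entry` nodes that DCERPCParseBINDCTXItem callocs for the previous one; unless a free routine outside this diff walks the list first, each additional BIND on a flow leaks up to 255 entries, and the number of BINDs is chosen by the peer. Before re-initialising, walk the list and free each entry (a small static helper that `TAILQ_REMOVE`s and `free`s in a loop, called at both sites), or initialise the head once in the state allocator and only reset it there. DCERPCParseBIND continues past this hunk.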
@@ -751,43 +730,42 @@ static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state, if (!(--input_len)) break; case 24: - sstate->secondaryaddrlen = *(p++); + dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p++); if (!(--input_len)) break; case 25: - sstate->secondaryaddrlen |= *(p++) << 8; - if (sstate->dcerpc.packed_drep[0] == 0x01) { - SCByteSwap16(sstate->secondaryaddrlen); + dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p++) << 8; + if (dcerpc->dcerpchdr.packed_drep[0] == 0x01) { + SCByteSwap16(dcerpc->dcerpcbindbindack.secondaryaddrlen); } - sstate->secondaryaddrlenleft = sstate->secondaryaddrlen; - SCLogDebug("secondaryaddrlen %u 0x%04x\n", sstate->secondaryaddrlen, - sstate->secondaryaddrlen); + dcerpc->dcerpcbindbindack.secondaryaddrlenleft = dcerpc->dcerpcbindbindack.secondaryaddrlen; + SCLogDebug("secondaryaddrlen %u 0x%04x\n", dcerpc->dcerpcbindbindack.secondaryaddrlen, + dcerpc->dcerpcbindbindack.secondaryaddrlen); --input_len; break; } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseREQUEST(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseREQUEST(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; - switch (sstate->bytesprocessed) { + switch (dcerpc->bytesprocessed) { case 16: - sstate->numctxitems = 0; + dcerpc->dcerpcbindbindack.numctxitems = 0; if (input_len >= 8) { - if (sstate->dcerpc.packed_drep[0] == 0x10) { - sstate->opnum = *(p + 6); - sstate->opnum |= *(p + 7) << 8; - } else { - sstate->opnum = *(p + 6) << 8; - sstate->opnum |= *(p + 7); + if (dcerpc->dcerpchdr.type == REQUEST) { + if (dcerpc->dcerpchdr.packed_drep[0] == 0x10) { + dcerpc->dcerpcrequest.opnum = *(p + 6); + dcerpc->dcerpcrequest.opnum |= *(p + 7) << 8; + } else { + 
dcerpc->dcerpcrequest.opnum = *(p + 6) << 8; + dcerpc->dcerpcrequest.opnum |= *(p + 7); + } } - sstate->bytesprocessed += 8; + dcerpc->bytesprocessed += 8; SCReturnUInt(8U); } else { /* alloc hint 1 */ @@ -821,33 +799,38 @@ static uint32_t DCERPCParseREQUEST(Flow *f, void *dcerpc_state, if (!(--input_len)) break; case 22: - sstate->opnum = *(p++); + if (dcerpc->dcerpchdr.type == REQUEST) { + dcerpc->dcerpcrequest.opnum = *(p++); + } else { + p++; + } if (!(--input_len)) break; case 23: - sstate->opnum |= *(p++) << 8; - if (sstate->dcerpc.packed_drep[0] == 0x01) { - SCByteSwap16(sstate->opnum); + if (dcerpc->dcerpchdr.type == REQUEST) { + dcerpc->dcerpcrequest.opnum |= *(p++) << 8; + if (dcerpc->dcerpchdr.packed_drep[0] == 0x01) { + SCByteSwap16(dcerpc->dcerpcrequest.opnum); + } + } else { + p++; } --input_len; break; } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static uint32_t StubDataParser(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; - sstate->stub_data = input; - while (sstate->padleft-- && input_len--) { + dcerpc->dcerpcrequest.stub_data = input; + while (dcerpc->padleft-- && input_len--) { SCLogDebug("0x%02x ", *p); p++; } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } 
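Review bot: The slow path of DCERPCParseBINDACK assembles `secondaryaddrlen` little-endian in cases 24 and 25 and byte-swaps it only when `packed_drep[0] == 0x01`, whereas the fast path in case 16 reads little-endian only for `0x10` and big-endian for every other label; for a fragmented BIND_ACK with a big-endian label the two paths therefore disagree. DCERPCParseREQUEST cases 22 and 23 (next hunk) have the same mismatch for `opnum`, and DCERPCParseHeader cases 8 to 15 (hunk at -857) assemble big-endian first and swap on `0x01`, so there the disagreement hits the common `0x10` label. Unless SCByteSwap16 does something other than its name suggests, keying every slow-path swap on the same test as the fast path fixes all three: `if (dcerpc->dcerpchdr.packed_drep[0] != 0x10) {` for the little-endian-assembled fields and `== 0x10` for the header's big-endian-assembled ones. DCERPCParseBINDACK begins in the previous hunk.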
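Review bot: StubDataParser stores `dcerpc->dcerpcrequest.stub_data = input`, a pointer into the caller's buffer, in state that outlives the call, and nothing records how many bytes behind it are valid; a consumer that reads it in a later call, after the input chunk is gone, reads freed or reused memory, and a consumer in the same call has no bound to check against. Record the length next to it (set from the bytes this call consumed) and document on the struct that the pointer is valid only for the duration of the DCERPCParser call that set it. The loop also reuses `padleft` as the stub-data counter with the same post-decrement wrap noted on PaddingParser.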
@@ -857,155 +840,158 @@ static uint32_t StubDataParser(Flow *f, void *dcerpc_state, * present to parse the entire header. A slow path is used to parse * fragmented packets. */ -static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t DCERPCParseHeader(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { - switch (sstate->bytesprocessed) { + switch (dcerpc->bytesprocessed) { case 0: if (input_len >= DCERPC_HDR_LEN) { //if (*p != 5) SCReturnUInt(); //if (!(*(p + 1 ) == 0 || (*(p + 1) == 1))) SCReturnInt(0); - sstate->dcerpc.rpc_vers = *p; - sstate->dcerpc.rpc_vers_minor = *(p + 1); - sstate->dcerpc.type = *(p + 2); - sstate->dcerpc.pfc_flags = *(p + 3); - sstate->dcerpc.packed_drep[0] = *(p + 4); - sstate->dcerpc.packed_drep[1] = *(p + 5); - sstate->dcerpc.packed_drep[2] = *(p + 6); - sstate->dcerpc.packed_drep[3] = *(p + 7); - if (sstate->dcerpc.packed_drep[0] == 0x10) { - sstate->dcerpc.frag_length = *(p + 8); - sstate->dcerpc.frag_length |= *(p + 9) << 8; - sstate->dcerpc.auth_length = *(p + 10); - sstate->dcerpc.auth_length |= *(p + 11) << 8; - sstate->dcerpc.call_id = *(p + 12) << 24; - sstate->dcerpc.call_id |= *(p + 13) << 16; - sstate->dcerpc.call_id |= *(p + 14) << 8; - sstate->dcerpc.call_id |= *(p + 15); + dcerpc->dcerpchdr.rpc_vers = *p; + dcerpc->dcerpchdr.rpc_vers_minor = *(p + 1); + dcerpc->dcerpchdr.type = *(p + 2); + dcerpc->dcerpchdr.pfc_flags = *(p + 3); + dcerpc->dcerpchdr.packed_drep[0] = *(p + 4); + dcerpc->dcerpchdr.packed_drep[1] = *(p + 5); + dcerpc->dcerpchdr.packed_drep[2] = *(p + 6); + dcerpc->dcerpchdr.packed_drep[3] = *(p + 7); + if (dcerpc->dcerpchdr.packed_drep[0] == 0x10) { + dcerpc->dcerpchdr.frag_length = *(p + 8); + dcerpc->dcerpchdr.frag_length |= *(p + 9) << 8; + dcerpc->dcerpchdr.auth_length = *(p + 10); + 
dcerpc->dcerpchdr.auth_length |= *(p + 11) << 8; + dcerpc->dcerpchdr.call_id = *(p + 12) << 24; + dcerpc->dcerpchdr.call_id |= *(p + 13) << 16; + dcerpc->dcerpchdr.call_id |= *(p + 14) << 8; + dcerpc->dcerpchdr.call_id |= *(p + 15); } else { - sstate->dcerpc.frag_length = *(p + 8) << 8; - sstate->dcerpc.frag_length |= *(p + 9); - sstate->dcerpc.auth_length = *(p + 10) << 8; - sstate->dcerpc.auth_length |= *(p + 11); - sstate->dcerpc.call_id = *(p + 12); - sstate->dcerpc.call_id |= *(p + 13) << 8; - sstate->dcerpc.call_id |= *(p + 14) << 16; - sstate->dcerpc.call_id |= *(p + 15) << 24; + dcerpc->dcerpchdr.frag_length = *(p + 8) << 8; + dcerpc->dcerpchdr.frag_length |= *(p + 9); + dcerpc->dcerpchdr.auth_length = *(p + 10) << 8; + dcerpc->dcerpchdr.auth_length |= *(p + 11); + dcerpc->dcerpchdr.call_id = *(p + 12); + dcerpc->dcerpchdr.call_id |= *(p + 13) << 8; + dcerpc->dcerpchdr.call_id |= *(p + 14) << 16; + dcerpc->dcerpchdr.call_id |= *(p + 15) << 24; } - sstate->bytesprocessed = DCERPC_HDR_LEN; + dcerpc->bytesprocessed = DCERPC_HDR_LEN; SCReturnUInt(16U); break; } else { - sstate->dcerpc.rpc_vers = *(p++); - // if (sstate->dcerpc.rpc_vers != 5) SCReturnInt(2); + dcerpc->dcerpchdr.rpc_vers = *(p++); + // if dcerpc->dcerpchdr.rpc_vers != 5) SCReturnInt(2); if (!(--input_len)) break; } case 1: - sstate->dcerpc.rpc_vers_minor = *(p++); - // if ((sstate->dcerpc.rpc_vers_minor != 0) || - // (sstate->dcerpc.rpc_vers_minor != 1)) SCReturnInt(3); + dcerpc->dcerpchdr.rpc_vers_minor = *(p++); + // if ((sdcerpc->dcerpchdr.rpc_vers_minor != 0) || + // (dcerpc->dcerpchdr.rpc_vers_minor != 1)) SCReturnInt(3); if (!(--input_len)) break; case 2: - sstate->dcerpc.type = *(p++); + dcerpc->dcerpchdr.type = *(p++); if (!(--input_len)) break; case 3: - sstate->dcerpc.pfc_flags = *(p++); + dcerpc->dcerpchdr.pfc_flags = *(p++); if (!(--input_len)) break; case 4: - sstate->dcerpc.packed_drep[0] = *(p++); + dcerpc->dcerpchdr.packed_drep[0] = *(p++); if (!(--input_len)) break; case 5: - 
sstate->dcerpc.packed_drep[1] = *(p++); + dcerpc->dcerpchdr.packed_drep[1] = *(p++); if (!(--input_len)) break; case 6: - sstate->dcerpc.packed_drep[2] = *(p++); + dcerpc->dcerpchdr.packed_drep[2] = *(p++); if (!(--input_len)) break; case 7: - sstate->dcerpc.packed_drep[3] = *(p++); + dcerpc->dcerpchdr.packed_drep[3] = *(p++); if (!(--input_len)) break; case 8: - sstate->dcerpc.frag_length = *(p++) << 8; + dcerpc->dcerpchdr.frag_length = *(p++) << 8; if (!(--input_len)) break; case 9: - sstate->dcerpc.frag_length |= *(p++); + dcerpc->dcerpchdr.frag_length |= *(p++); if (!(--input_len)) break; case 10: - sstate->dcerpc.auth_length = *(p++) << 8; + dcerpc->dcerpchdr.auth_length = *(p++) << 8; if (!(--input_len)) break; case 11: - sstate->dcerpc.auth_length |= *(p++); + dcerpc->dcerpchdr.auth_length |= *(p++); if (!(--input_len)) break; case 12: - sstate->dcerpc.call_id = *(p++) << 24; + dcerpc->dcerpchdr.call_id = *(p++) << 24; if (!(--input_len)) break; case 13: - sstate->dcerpc.call_id |= *(p++) << 16; + dcerpc->dcerpchdr.call_id |= *(p++) << 16; if (!(--input_len)) break; case 14: - sstate->dcerpc.call_id |= *(p++) << 8; - if (!(--input_len)) - break; + dcerpc->dcerpchdr.call_id |= *(p++) << 8; + if (!(--input_len)) + break; case 15: - sstate->dcerpc.call_id |= *(p++); - if (sstate->dcerpc.packed_drep[0] == 0x01) { - SCByteSwap16(sstate->dcerpc.frag_length); - SCByteSwap16(sstate->dcerpc.auth_length); - SCByteSwap32(sstate->dcerpc.call_id); - } - --input_len; - break; + dcerpc->dcerpchdr.call_id |= *(p++); + if (dcerpc->dcerpchdr.packed_drep[0] == 0x01) { + SCByteSwap16(dcerpc->dcerpchdr.frag_length); + SCByteSwap16(dcerpc->dcerpchdr.auth_length); + SCByteSwap32(dcerpc->dcerpchdr.call_id); + } + --input_len; + break; } } - sstate->bytesprocessed += (p - input); + dcerpc->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } -static int DCERPCParse(Flow *f, void *dcerpc_state, - AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, - 
AppLayerParserResult *output) { +int DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) { SCEnter(); - - DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint32_t retval = 0; uint32_t parsed = 0; - - if (pstate == NULL) - SCReturnInt(-1); - while (sstate->bytesprocessed < DCERPC_HDR_LEN && input_len) { - retval = DCERPCParseHeader(f, dcerpc_state, pstate, input, input_len, - output); + while (dcerpc->bytesprocessed < DCERPC_HDR_LEN && input_len) { + retval = DCERPCParseHeader(dcerpc, input, input_len); parsed += retval; input_len -= retval; } SCLogDebug("Done with DCERPCParseHeader bytesprocessed %u/%u left %u\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len); + dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len); +#if 0 + printf("Done with DCERPCParseHeader bytesprocessed %u/%u left %u\n", + dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len); + printf("\nDCERPC Version:\t%u\n", dcerpc->dcerpchdr.rpc_vers); + printf("DCERPC Version Minor:\t%u\n", dcerpc->dcerpchdr.rpc_vers_minor); + printf("DCERPC Type:\t%u\n", dcerpc->dcerpchdr.type); + printf("DCERPC Flags:\t0x%02x\n", dcerpc->dcerpchdr.pfc_flags); + printf("DCERPC Packed Drep:\t%02x %02x %02x %02x\n", + dcerpc->dcerpchdr.packed_drep[0], dcerpc->dcerpchdr.packed_drep[1], + dcerpc->dcerpchdr.packed_drep[2], dcerpc->dcerpchdr.packed_drep[3]); + printf("DCERPC Frag Length:\t0x%04x %u\n", + dcerpc->dcerpchdr.frag_length, dcerpc->dcerpchdr.frag_length); + printf("DCERPC Auth Length:\t0x%04x\n", dcerpc->dcerpchdr.auth_length); + printf("DCERPC Call Id:\t0x%08x\n", dcerpc->dcerpchdr.call_id); +#endif - switch (sstate->dcerpc.type) { + switch (dcerpc->dcerpchdr.type) { case BIND: case ALTER_CONTEXT: - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 12 - && sstate->bytesprocessed < sstate->dcerpc.frag_length + while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 12 + && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) { - retval = 
DCERPCParseBIND(f, dcerpc_state, pstate, input + parsed, - input_len, output); + retval = DCERPCParseBIND(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; 
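Review bot: `dcerpc->dcerpchdr.frag_length` is never checked against DCERPC_HDR_LEN once the header loop completes, yet every per-type loop below and the `bytesprocessed == frag_length` reset in the next hunk assume it is at least 16; a PDU advertising a smaller value leaves `bytesprocessed` permanently above `frag_length`, the reset never fires, and everything that follows on the flow is parsed through stale state. Right after the header loop add `if (dcerpc->bytesprocessed >= DCERPC_HDR_LEN && dcerpc->dcerpchdr.frag_length < DCERPC_HDR_LEN) { dcerpc->bytesprocessed = 0; SCReturnInt(-1); }` (the error convention must match the callers, which are outside this diff), and consider re-enabling the commented-out `rpc_vers` checks in DCERPCParseHeader at the same time. The fast path also assembles `call_id` with `<< 24` first under the `0x10` label and `<< 24` last otherwise, the opposite of how `frag_length` is built in the same two branches; call_id is only printed on this page, but the inversion looks accidental. The header loop passes `input` where the other loops pass `input + parsed`; that is only safe because one call either finishes the header or exhausts the input, which deserves a comment.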
@@ -1016,45 +1002,45 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, } } SCLogDebug( - "Done with DCERPCParseBIND bytesprocessed %u/%u -- Should be 12\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length); - - while (sstate->numctxitemsleft && sstate->bytesprocessed - < sstate->dcerpc.frag_length && input_len) { - retval = DCERPCParseBINDCTXItem(f, dcerpc_state, pstate, input - + parsed, input_len, output); + "Done with DCERPCParseBIND bytesprocessed %u/%u numctxitems %u\n", + dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, + dcerpc->dcerpcbindbindack.numctxitems); + while (dcerpc->dcerpcbindbindack.numctxitemsleft && dcerpc->bytesprocessed + < dcerpc->dcerpchdr.frag_length && input_len) { + retval = DCERPCParseBINDCTXItem(dcerpc, input + parsed, input_len); if (retval) { - if (sstate->ctxbytesprocessed == 44) { - sstate->ctxbytesprocessed = 0; + if (dcerpc->dcerpcbindbindack.ctxbytesprocessed == 44) { + dcerpc->dcerpcbindbindack.ctxbytesprocessed = 0; } parsed += retval; input_len -= retval; - SCLogDebug("BIND processed %u/%u\n", sstate->bytesprocessed, - sstate->dcerpc.frag_length); + SCLogDebug("BIND processed %u/%u ctxitems %u/%u\n", + dcerpc->bytesprocessed, + dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcbindbindack.numctxitemsleft, + dcerpc->dcerpcbindbindack.numctxitems); } else if (input_len) { SCLogDebug("Error Parsing CTX Item"); parsed -= input_len; input_len = 0; - sstate->numctxitemsleft = 0; + dcerpc->dcerpcbindbindack.numctxitemsleft = 0; } } - if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { - sstate->bytesprocessed = 0; - sstate->ctxbytesprocessed = 0; + if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) { + dcerpc->bytesprocessed = 0; + dcerpc->dcerpcbindbindack.ctxbytesprocessed = 0; } break; case BIND_ACK: case ALTER_CONTEXT_RESP: - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 9 - && sstate->bytesprocessed < sstate->dcerpc.frag_length + while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 9 + && 
dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) { - retval = DCERPCParseBINDACK(f, dcerpc_state, pstate, - input + parsed, input_len, output); + retval = DCERPCParseBINDACK(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; SCLogDebug("DCERPCParseBINDACK processed %u/%u left %u\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len); + dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len); } else if (input_len) { SCLogDebug("Error parsing BIND_ACK"); parsed -= input_len; @@ -1062,18 +1048,17 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, } } - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 - + sstate->secondaryaddrlen && input_len - && sstate->bytesprocessed < sstate->dcerpc.frag_length) { - retval = DCERPCParseSecondaryAddr(f, dcerpc_state, pstate, input - + parsed, input_len, output); + while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 10 + + dcerpc->dcerpcbindbindack.secondaryaddrlen && input_len + && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length) { + retval = DCERPCParseSecondaryAddr(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; SCLogDebug( "DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, - sstate->secondaryaddrlen); + dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len, + dcerpc->dcerpcbindbindack.secondaryaddrlen); } else if (input_len) { SCLogDebug("Error parsing Secondary Address"); parsed -= input_len; 
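Review bot: The CTX-item error branch (`parsed -= input_len; input_len = 0; dcerpc->dcerpcbindbindack.numctxitemsleft = 0;`) leaves `bytesprocessed` short of `frag_length`, so the reset at the end of the BIND case never fires and every later call on this flow skips all three loops — unless DCERPCParseBINDCTXItem itself advances `bytesprocessed` on failure (not visible here), one malformed context item wedges DCERPC parsing for the rest of the connection, which is a cheap evasion against the dce_* keywords. On error I would either consume the remainder of the fragment or record a parse-failure flag in the state so detection can key on it. The literal `44` in `ctxbytesprocessed == 44` also deserves a named constant such as `DCERPC_BIND_CTX_ITEM_LEN`. The enclosing DCERPCParser function starts before this hunk.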
@@ -1081,23 +1066,24 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, } } - if (sstate->bytesprocessed == DCERPC_HDR_LEN + 10 - + sstate->secondaryaddrlen) { - sstate->pad = sstate->bytesprocessed % 4; - sstate->padleft = sstate->pad; + if (dcerpc->bytesprocessed == DCERPC_HDR_LEN + 10 + + dcerpc->dcerpcbindbindack.secondaryaddrlen) { + if (dcerpc->bytesprocessed % 4) { + dcerpc->pad = (4 - dcerpc->bytesprocessed % 4); + dcerpc->padleft = dcerpc->pad; + } } - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 - + sstate->secondaryaddrlen + sstate->pad && input_len - && sstate->bytesprocessed < sstate->dcerpc.frag_length) { - retval = PaddingParser(f, dcerpc_state, pstate, input + parsed, - input_len, output); + while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 10 + + dcerpc->dcerpcbindbindack.secondaryaddrlen + dcerpc->pad && input_len + && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length) { + retval = PaddingParser(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; SCLogDebug("PaddingParser %u/%u left %u pad(%u)\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, - sstate->pad); + dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len, + dcerpc->pad); } else if (input_len) { SCLogDebug("Error parsing DCERPC Padding"); parsed -= input_len; 
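Review bot: `dcerpc->pad` is now written only when `bytesprocessed % 4` is non-zero, so a BIND_ACK whose secondary address ends on a 4-byte boundary inherits whatever `pad` the previous BIND_ACK/ALTER_CONTEXT_RESP on this flow left behind; the old code assigned it unconditionally, and the end-of-fragment reset in this case clears only `bytesprocessed` and `ctxbytesprocessed`. Because the padding and CTX-item loops below use `pad` to locate the context results, a stale value shifts every offset. Make the assignment unconditional: `dcerpc->pad = (4 - dcerpc->bytesprocessed % 4) % 4; dcerpc->padleft = dcerpc->pad;`. The enclosing function starts before this hunk.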
@@ -1105,17 +1091,16 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, } } - while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 10 + sstate->pad - + sstate->secondaryaddrlen && sstate->bytesprocessed - < DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen - && sstate->bytesprocessed < sstate->dcerpc.frag_length) { - retval = DCERPCGetCTXItems(f, dcerpc_state, pstate, input + parsed, - input_len, output); + while (dcerpc->bytesprocessed >= DCERPC_HDR_LEN + 10 + dcerpc->pad + + dcerpc->dcerpcbindbindack.secondaryaddrlen && dcerpc->bytesprocessed + < DCERPC_HDR_LEN + 14 + dcerpc->pad + dcerpc->dcerpcbindbindack.secondaryaddrlen + && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length) { + retval = DCERPCGetCTXItems(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; - SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", sstate->bytesprocessed, - sstate->dcerpc.frag_length, sstate->numctxitems); + SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", dcerpc->bytesprocessed, + dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcbindbindack.numctxitems); } else if (input_len) { SCLogDebug("Error parsing CTX Items"); parsed -= input_len; 
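Review bot: The DCERPCGetCTXItems loop is the only sub-parser loop in this function whose condition lacks `&& input_len`; if DCERPCGetCTXItems returns 0 without advancing `bytesprocessed` when handed no data (which the `else if (input_len)` guard implies can happen), the condition stays true and the parser spins forever on attacker-controlled input. Add the guard to the condition: `&& input_len && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length) {`. The enclosing function starts before this hunk.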
@@ -1123,18 +1108,17 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, } } - if (sstate->bytesprocessed == DCERPC_HDR_LEN + 14 + sstate->pad - + sstate->secondaryaddrlen) { - sstate->ctxbytesprocessed = 0; + if (dcerpc->bytesprocessed == DCERPC_HDR_LEN + 14 + dcerpc->pad + + dcerpc->dcerpcbindbindack.secondaryaddrlen) { + dcerpc->dcerpcbindbindack.ctxbytesprocessed = 0; } - while (sstate->numctxitemsleft && input_len && sstate->bytesprocessed - < sstate->dcerpc.frag_length) { - retval = DCERPCParseBINDACKCTXItem(f, dcerpc_state, pstate, input - + parsed, input_len, output); + while (dcerpc->dcerpcbindbindack.numctxitemsleft && input_len && dcerpc->bytesprocessed + < dcerpc->dcerpchdr.frag_length) { + retval = DCERPCParseBINDACKCTXItem(dcerpc, input + parsed, input_len); if (retval) { - if (sstate->ctxbytesprocessed == 24) { - sstate->ctxbytesprocessed = 0; + if (dcerpc->dcerpcbindbindack.ctxbytesprocessed == 24) { + dcerpc->dcerpcbindbindack.ctxbytesprocessed = 0; } parsed += retval; input_len -= retval; 
@@ -1142,38 +1126,38 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, SCLogDebug("Error parsing CTX Items"); parsed -= input_len; input_len = 0; - sstate->numctxitemsleft = 0; + dcerpc->dcerpcbindbindack.numctxitemsleft = 0; } } - SCLogDebug("BINDACK processed %u/%u\n", sstate->bytesprocessed, - sstate->dcerpc.frag_length); - - if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { - sstate->bytesprocessed = 0; - sstate->ctxbytesprocessed = 0; + SCLogDebug("BINDACK processed %u/%u\n", dcerpc->bytesprocessed, + dcerpc->dcerpchdr.frag_length); + if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) { + dcerpc->bytesprocessed = 0; + dcerpc->dcerpcbindbindack.ctxbytesprocessed = 0; } break; case REQUEST: - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 8 - && sstate->bytesprocessed < sstate->dcerpc.frag_length + case RESPONSE: + hexdump(input + parsed, input_len); + while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 8 + && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) { - retval = DCERPCParseREQUEST(f, dcerpc_state, pstate, - input + parsed, input_len, output); + retval = DCERPCParseREQUEST(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; + dcerpc->padleft = dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed; } else if (input_len) { SCLogDebug("Error parsing DCERPC Request"); parsed -= input_len; input_len = 0; } } - while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 8 - && sstate->bytesprocessed < sstate->dcerpc.frag_length + while (dcerpc->bytesprocessed >= DCERPC_HDR_LEN + 8 + && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) { - retval = StubDataParser(f, dcerpc_state, pstate, input + parsed, - input_len, output); + retval = StubDataParser(dcerpc, input + parsed, input_len); if (retval) { parsed += retval; input_len -= retval; 
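Review bot: `hexdump(input + parsed, input_len);` is left in the REQUEST/RESPONSE path, so every request and response body on every flow is written to stdout by the production parser — remove it or fence it like the `#if 0` header dump earlier in this function. Folding `case RESPONSE:` into the request path also means DCERPCParseREQUEST reads an opnum from a response PDU, whose 8-byte body is alloc_hint, context id, cancel_count and a reserved byte rather than an opnum, so `dcerpcrequest.opnum` can be overwritten with server-controlled bytes after the request was parsed; if the response only needs its stub data, skip those 8 bytes without storing an opnum. The new `dcerpc->padleft = frag_length - bytesprocessed` is an unsigned subtraction that is only safe if the sub-parser never overshoots `frag_length`, and reusing the padding counter for stub length is worth a comment. The enclosing function starts before this hunk.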
@@ -1184,18 +1168,35 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, } } - SCLogDebug("REQUEST processed %u/%u\n", sstate->bytesprocessed, - sstate->dcerpc.frag_length); - if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { - sstate->bytesprocessed = 0; + SCLogDebug("REQUEST processed %u frag length %u opnum %u input_len %u\n", dcerpc->bytesprocessed, + dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcrequest.opnum, input_len); + + if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) { + dcerpc->bytesprocessed = 0; } break; default: - SCLogDebug("DCERPC Type 0x%02x not implemented yet\n", sstate->dcerpc.type); + SCLogDebug("DCERPC Type 0x%02x not implemented yet\n", dcerpc->dcerpchdr.type); + dcerpc->bytesprocessed = 0; break; } + + SCReturnInt(1); +} + +static int DCERPCParse(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + + DCERPCState *sstate = (DCERPCState *) dcerpc_state; + + DCERPCParser(&sstate->dcerpc, input, input_len); + + if (pstate == NULL) + SCReturnInt(-1); + pstate->parse_field = 0; - pstate->flags |= APP_LAYER_PARSER_DONE; SCReturnInt(1); } @@ -1214,9 +1215,9 @@ static void DCERPCStateFree(void *s) { struct uuid_entry *item; - while ((item = TAILQ_FIRST(&sstate->uuid_list))) { + while ((item = TAILQ_FIRST(&sstate->dcerpc.dcerpcbindbindack.uuid_list))) { //printUUID("Free", item); - TAILQ_REMOVE(&sstate->uuid_list, item, next); + TAILQ_REMOVE(&sstate->dcerpc.dcerpcbindbindack.uuid_list, item, next); free(item); } @@ -1238,10 +1239,10 @@ void RegisterDCERPCParsers(void) { /* UNITTESTS */ #ifdef UNITTESTS /** \test DCERPC Header Parsing and BIND / BIND_ACK multiple UUID handling - */ +*/ /* set this to 1 to see problem */ -#define KNOWNFAILURE 0 + int DCERPCParserTest01(void) { int result = 1; Flow f; 
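Review bot: The new `default:` arm resets `bytesprocessed` to 0 without consuming the remaining `frag_length - DCERPC_HDR_LEN` bytes of the fragment, so the body of any PDU type without a case is re-parsed as a fresh header on the next call and the parser desynchronises from the stream — one unhandled PDU sent before the real request is an easy way to hide it from the dce_* keywords. Track the bytes still owed and skip them (as the padding and stub parsers do) before resetting. In the DCERPCParse wrapper, DCERPCParser's return value is discarded and `pstate == NULL` is checked only after the parse has already run; check `pstate` first and propagate a failure. Dropping `pstate->flags |= APP_LAYER_PARSER_DONE` also changes when the parser-state machinery considers the parse complete — confirm that is intended.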
@@ -1463,7 +1464,7 @@ int DCERPCParserTest01(void) { 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; -#if KNOWNFAILURE + uint8_t dcerpcrequest[] = { 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, @@ -1595,7 +1596,6 @@ int DCERPCParserTest01(void) { 0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70, 0x00, 0x69, 0x00}; uint32_t requestlen = sizeof(dcerpcrequest); -#endif uint32_t bindlen = sizeof(dcerpcbind); uint32_t bindacklen = sizeof(dcerpcbindack); @@ -1621,21 +1621,21 @@ int DCERPCParserTest01(void) { goto end; } - if (dcerpc_state->dcerpc.rpc_vers != 5) { + if (dcerpc_state->dcerpc.dcerpchdr.rpc_vers != 5) { printf("expected dcerpc version 0x05, got 0x%02x : ", - dcerpc_state->dcerpc.rpc_vers); + dcerpc_state->dcerpc.dcerpchdr.rpc_vers); result = 0; goto end; } - if (dcerpc_state->dcerpc.type != BIND) { - printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND, dcerpc_state->dcerpc.type); + if (dcerpc_state->dcerpc.dcerpchdr.type != BIND) { + printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND, dcerpc_state->dcerpc.dcerpchdr.type); result = 0; goto end; } - if (dcerpc_state->dcerpc.frag_length != 1084) { - printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1084, dcerpc_state->dcerpc.frag_length); + if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1084) { + printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1084, dcerpc_state->dcerpc.dcerpchdr.frag_length); result = 0; goto end; } 
@@ -1646,41 +1646,39 @@ int DCERPCParserTest01(void) { result = 0; goto end; } - if (dcerpc_state->dcerpc.type != BIND_ACK) { - printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND_ACK, dcerpc_state->dcerpc.type); + if (dcerpc_state->dcerpc.dcerpchdr.type != BIND_ACK) { + printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND_ACK, dcerpc_state->dcerpc.dcerpchdr.type); result = 0; goto end; } - if (dcerpc_state->dcerpc.frag_length != 620) { - printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 620, dcerpc_state->dcerpc.frag_length); + if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 620) { + printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 620, dcerpc_state->dcerpc.dcerpchdr.frag_length); result = 0; goto end; } - TAILQ_FOREACH(uuid_entry, &dcerpc_state->uuid_list, next) { + TAILQ_FOREACH(uuid_entry, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) { printUUID("BIND_ACK", uuid_entry); } -#if KNOWNFAILURE - printf("Sending dcerpcrequest (%u)", requestlen); - hexdump(dcerpcrequest, requestlen); - r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER|STREAM_EOF, dcerpcrequest, requestlen, FALSE); + + //hexdump(dcerpcrequest, requestlen); + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER|STREAM_EOF, dcerpcrequest, requestlen); if (r != 0) { printf("dcerpc header check returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } - if (dcerpc_state->dcerpc.type != REQUEST) { - printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.type); + if (dcerpc_state->dcerpc.dcerpchdr.type != REQUEST) { + printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.dcerpchdr.type); result = 0; goto end; } -#endif end: return result; } /** \test DCERPC Request decoding and opnum parsing. - */ +*/ int DCERPCParserTest02(void) { int result = 1; Flow f; 
@@ -1838,27 +1836,27 @@ int DCERPCParserTest02(void) { goto end; } - if (dcerpc_state->dcerpc.rpc_vers != 5) { + if (dcerpc_state->dcerpc.dcerpchdr.rpc_vers != 5) { printf("expected dcerpc version 0x05, got 0x%02x : ", - dcerpc_state->dcerpc.rpc_vers); + dcerpc_state->dcerpc.dcerpchdr.rpc_vers); result = 0; goto end; } - if (dcerpc_state->dcerpc.type != REQUEST) { - printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.type); + if (dcerpc_state->dcerpc.dcerpchdr.type != REQUEST) { + printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.dcerpchdr.type); result = 0; goto end; } - if (dcerpc_state->dcerpc.frag_length != 1024) { - printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.frag_length); + if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1024) { + printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.dcerpchdr.frag_length); result = 0; goto end; } - if (dcerpc_state->opnum != 9) { - printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->opnum); + if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 9) { + printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->dcerpc.dcerpcrequest.opnum); result = 0; goto end; } @@ -1868,7 +1866,7 @@ end: } /** \test Test endianness handling - */ +*/ int DCERPCParserTest03(void) { int result = 1; Flow f; 
@@ -2026,21 +2024,21 @@ int DCERPCParserTest03(void) { goto end; } - if (dcerpc_state->dcerpc.packed_drep[0] != 0x01) { + if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] != 0x01) { printf("expected dcerpc data representation 0x01, got 0x%02x : ", - dcerpc_state->dcerpc.packed_drep[0]); + dcerpc_state->dcerpc.dcerpchdr.packed_drep[0]); result = 0; goto end; } - if (dcerpc_state->dcerpc.frag_length != 1024) { - printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.frag_length); + if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1024) { + printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.dcerpchdr.frag_length); result = 0; goto end; } - if (dcerpc_state->opnum != 9) { - printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->opnum); + if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 9) { + printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->dcerpc.dcerpcrequest.opnum); result = 0; goto end; } diff --git a/src/app-layer-dcerpc.h b/src/app-layer-dcerpc.h index a4e07a8..d63cab8 100644 --- a/src/app-layer-dcerpc.h +++ b/src/app-layer-dcerpc.h 
@@ -9,157 +9,18 @@ #define APPLAYERDCERPC_H_ #include "app-layer-protos.h" #include "app-layer-parser.h" +#include "app-layer-dcerpc-common.h" #include "flow.h" #include "queue.h" #include "util-byte.h" -void RegisterDCERPCParsers(void); -void DCERPCParserTests(void); -void DCERPCParserRegisterTests(void); - -// http://www.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06 -#define REQUEST 0 -#define PING 1 -#define RESPONSE 2 -#define FAULT 3 -#define WORKING 4 -#define NOCALL 5 -#define REJECT 6 -#define ACK 7 -#define CL_CANCEL 8 -#define FACK 9 -#define CANCEL_ACK 10 -#define BIND 11 -#define BIND_ACK 12 -#define BIND_NAK 13 -#define ALTER_CONTEXT 14 -#define ALTER_CONTEXT_RESP 15 -#define SHUTDOWN 17 -#define CO_CANCEL 18 -#define ORPHANED 19 -#if 0 -typedef struct { - uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/ - uint8_t ptype; /* Packet type (5 LSB only) */ - uint8_t flags1; /* Packet flags */ - uint8_t flags2; /* Packet flags */ - uint8_t drep[3]; /* Data representation format label */ - uint8_t serial_hi; /* High byte of serial number */ - uuid_t object; /* Object identifier */ - uuid_t if_id; /* Interface identifier */ - uuid_t act_id; /* Activity identifier */ - unsigned long server_boot;/* Server boot time */ - unsigned long if_vers; /* Interface version */ - unsigned long seqnum; /* Sequence number */ - unsigned short opnum; /* Operation number */ - unsigned short ihint; /* Interface hint */ - unsigned short ahint; /* Activity hint */ - unsigned short len; /* Length of packet body */ - unsigned short fragnum; /* Fragment number */ - unsigned small auth_proto; /* Authentication protocol identifier*/ - unsigned small serial_lo; /* Low byte of serial number */ -} dc_rpc_cl_pkt_hdr_t; -#endif - -#define RESERVED_01 0x01 -#define LASTFRAG 0x02 -#define FRAG 0x04 -#define NOFACK 0x08 -#define MAYBE 0x10 -#define IDEMPOTENT 0x20 -#define BROADCAST 0x40 -#define RESERVED_80 0x80 - -#define CANCEL_PENDING 0x02 -#define RESERVED_04 
0x04 -#define RESERVED_10 0x10 -#define RESERVED_20 0x20 -#define RESERVED_40 0x40 -#define RESERVED_80 0x80 - -typedef struct dcerpc_hdr_ { - uint8_t rpc_vers; /* 00:01 RPC version should be 5 */ - uint8_t rpc_vers_minor; /* 01:01 minor version */ - uint8_t type; /* 02:01 packet type */ - uint8_t pfc_flags; /* 03:01 flags (see PFC_... ) */ - uint8_t packed_drep[4]; /* 04:04 NDR data representation format label */ - uint16_t frag_length; /* 08:02 total length of fragment */ - uint16_t auth_length; /* 10:02 length of auth_value */ - uint32_t call_id; /* 12:04 call identifier */ -}DCERPCHdr; - -#define DCERPC_HDR_LEN 16 - -struct uuid_entry { - uint16_t ctxid; - uint16_t result; - uint8_t uuid[16]; - uint16_t version; - uint16_t versionminor; - TAILQ_ENTRY(uuid_entry) next; -}; - typedef struct DCERPCState_ { - DCERPCHdr dcerpc; - uint16_t bytesprocessed; - uint8_t numctxitems; - uint8_t numctxitemsleft; - uint8_t ctxbytesprocessed; - uint16_t ctxid; - uint16_t result; - uint8_t uuid[16]; - uint16_t version; - uint16_t versionminor; - uint8_t pad; - uint8_t padleft; - struct uuid_entry *uuid_entry; - TAILQ_HEAD(, uuid_entry) uuid_list; - uint16_t secondaryaddrlen; - uint16_t secondaryaddrlenleft; - uint16_t opnum; - uint8_t *stub_data; + DCERPC dcerpc; }DCERPCState; - -#define PFC_FIRST_FRAG 0x01/* First fragment */ -#define PFC_LAST_FRAG 0x02/* Last fragment */ -#define PFC_PENDING_CANCEL 0x04/* Cancel was pending at sender */ -#define PFC_RESERVED_1 0x08 -#define PFC_CONC_MPX 0x10/* supports concurrent multiplexing - * of a single connection. */ -#define PFC_DID_NOT_EXECUTE 0x20/* only meaningful on `fault' packet; - * if true, guaranteed call did not - * execute. */ -#define PFC_MAYBE 0x40/* `maybe' call semantics requested */ -#define PFC_OBJECT_UUID 0x80/* if true, a non-nil object UUID - * was specified in the handle, and - * is present in the optional object - * field. If false, the object field - * is omitted. 
*/ -#define REASON_NOT_SPECIFIED 0 -#define TEMPORARY_CONGESTION 1 -#define LOCAL_LIMIT_EXCEEDED 2 -#define CALLED_PADDR_UNKNOWN 3 /* not used */ -#define PROTOCOL_VERSION_NOT_SUPPORTED 4 -#define DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */ -#define USER_DATA_NOT_READABLE 6 /* not used */ -#define NO_PSAP_AVAILABLE 7 /* not used */ -/* - typedef uint16_t p_context_id_t; - typedef struct { - uuid_t if_uuid; - uint32_t if_version; - } p_syntax_id_t; - - typedef struct { - p_context_id_t p_cont_id; - uint8_t n_transfer_syn; // number of items - uint8_t reserved; // alignment pad, m.b.z. - p_syntax_id_t abstract_syntax; // transfer syntax list - p_syntax_id_t [size_is(n_transfer_syn)] transfer_syntaxes[]; - } p_cont_elem_t; - */ - +void RegisterDCERPCParsers(void); +void DCERPCParserTests(void); +void DCERPCParserRegisterTests(void); #endif /* APPLAYERDCERPC_H_ */ diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c index 883c8cb..f43aad6 100644 --- a/src/detect-dce-iface.c +++ b/src/detect-dce-iface.c @@ -5,9 +5,17 @@ #include "suricata-common.h" #include "detect.h" #include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" #include "detect-dce-iface.h" + +#include "flow.h" +#include "flow-var.h" + +#include "app-layer.h" #include "app-layer-dcerpc.h" #include "queue.h" +#include "stream-tcp-reassemble.h" #include "util-debug.h" #include "util-unittest.h" @@ -32,6 +40,7 @@ void DetectDceIfaceRegister(void) int opts = 0; sigmatch_table[DETECT_DCE_IFACE].name = "dce_iface"; + sigmatch_table[DETECT_DCE_IFACE].alproto = ALPROTO_DCERPC; sigmatch_table[DETECT_DCE_IFACE].Match = NULL; sigmatch_table[DETECT_DCE_IFACE].AppLayerMatch = DetectDceIfaceMatch; sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup; 
@@ -94,12 +103,14 @@ static inline DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg) } memset(did, 0, sizeof(DetectDceIfaceData)); + /* retrieve the iface uuid string. iface uuid is a compulsion in the keyword */ res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 1, &pcre_sub_str); if (res < 0) { SCLogError(SC_PCRE_GET_SUBSTRING_FAILED, "pcre_get_substring failed"); goto error; } + /* parse the iface uuid string */ len = strlen(pcre_sub_str); j = 0; temp_str[2] = '\0'; @@ -118,10 +129,32 @@ static inline DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg) j++; } + /* if the regex has 3 or 5, any_frag option is present in the signature */ if (ret == 3 || ret == 5) did->any_frag = 1; + /* if the regex has 4 or 5, version/operator is present in the signature */ if (ret == 4 || ret == 5) { + /* first handle the version number, so that we can do some additional + * validations of the version number, wrt. the operator */ + res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 3, &pcre_sub_str); + if (res < 0) { + SCLogError(SC_PCRE_GET_SUBSTRING_FAILED, "pcre_get_substring failed"); + goto error; + } + + version = atoi(pcre_sub_str); + if (version > UINT16_MAX) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface version " + "invalid: %d\n", version); + goto error; + } + did->version = version; + + /* free the substring */ + pcre_free_substring(pcre_sub_str); + + /* now let us handle the operator supplied with the version number */ res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 2, &pcre_sub_str); if (res < 0) { SCLogError(SC_PCRE_GET_SUBSTRING_FAILED, "pcre_get_substring failed"); 
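Review bot: `version = atoi(pcre_sub_str);` gives no way to detect overflow or trailing junk, `int` overflow inside atoi is undefined behaviour, and the `> UINT16_MAX` test lets a negative value through if the regex ever admits a sign. Parse with strtoul and require full consumption: `errno = 0; char *end = NULL; unsigned long v = strtoul(pcre_sub_str, &end, 10); if (end == pcre_sub_str || *end != '\0' || errno == ERANGE || v > UINT16_MAX) goto error;`. The `goto error` after a successful pcre_get_substring also leaks the substring unless the error label frees it (not visible here). This input comes from rule files, so it is a robustness rather than an exploit concern. The enclosing DetectDceIfaceArgParse starts before this hunk.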
@@ -130,9 +163,24 @@ static inline DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg) switch (pcre_sub_str[0]) { case '<': + if (version == 0) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface " + "version invalid: %d. Version can't be less" + "than 0, with \"<\" operator", version); + goto error; + } + did->op = DETECT_DCE_IFACE_OP_LT; break; case '>': + if (version == UINT16_MAX) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface " + "version invalid: %d. Version can't be greater" + "than %d, with \">\" operator", version, + UINT16_MAX); + goto error; + } + did->op = DETECT_DCE_IFACE_OP_GT; break; case '=': @@ -143,19 +191,8 @@ static inline DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg) break; } - res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 3, &pcre_sub_str); - if (res < 0) { - SCLogError(SC_PCRE_GET_SUBSTRING_FAILED, "pcre_get_substring failed"); - goto error; - } - - version = atoi(pcre_sub_str); - if (version > 65535) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "DCE_IFACE interface version " - "invalid: %d\n", version); - goto error; - } - did->version = version; + /* free the substring */ + pcre_free_substring(pcre_sub_str); } return did; 
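Review bot: The two new error messages concatenate `"less" "than 0"` and `"greater" "than %d"` without a space, so they log as "lessthan" and "greaterthan"; write `"version invalid: %d. Version can't be less "` and the matching `"greater "`. The rejections themselves are right — `<0` and `>65535` can never match a uint16_t version. The enclosing function starts before this hunk.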
@@ -166,11 +203,53 @@ static inline DetectDceIfaceData *DetectDceIfaceArgParse(const char *arg) return NULL; } +/** + * \internal + * \brief Internal function that compares the dce interface version for this + * flow, to the signature's interface version specified using the + * dce_iface keyword. + * + * \param version The dce interface version for this flow. + * \param dce_data Pointer to the Signature's dce_iface keyword + * state(DetectDceIfaceData *). + */ +static inline int DetectDceIfaceMatchIfaceVersion(uint16_t version, + DetectDceIfaceData *dce_data) +{ + switch (dce_data->op) { + case DETECT_DCE_IFACE_OP_LT: + return (version < dce_data->version); + case DETECT_DCE_IFACE_OP_GT: + return (version > dce_data->version); + case DETECT_DCE_IFACE_OP_EQ: + return (version == dce_data->version); + case DETECT_DCE_IFACE_OP_NE: + return (version != dce_data->version); + default: + return 1; + } +} + +/** + * \brief App layer match function for the "dce_iface" keyword. + * + * \param t Pointer to the ThreadVars instance. + * \param det_ctx Pointer to the DetectEngineThreadCtx. + * \param f Pointer to the flow. + * \param flags Pointer to the flags indicating the flow direction. + * \param state Pointer to the app layer state data. + * \param s Pointer to the Signature instance. + * \param m Pointer to the SigMatch. + * + * \retval 1 On Match. + * \retval 0 On no match. + */ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m) { int ret = 1; struct uuid_entry *item = NULL; + int i = 0; DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx; DCERPCState *dcerpc_state = (DCERPCState *)state; if (dcerpc_state == NULL) { 
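Review bot: DetectDceIfaceMatchIfaceVersion returns 1 from its `default:` arm, so any operator value it does not recognise matches every version; for a detection predicate a silent match is the wrong failure mode — return 0 there and document it with `\retval 1 version satisfies the operator, 0 otherwise (including an unknown op)`. The caller already filters DETECT_DCE_IFACE_OP_NONE, so nothing visible relies on the permissive default. DetectDceIfaceMatch's signature is the last thing in this hunk; its body continues outside it.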
@@ -179,18 +258,46 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, } SCMutexLock(&f->m); - int i = 0; - TAILQ_FOREACH(item, &dcerpc_state->uuid_list, next) { + /* if any_frag is not enabled, we need to match only against the first + * fragment */ + if (!dce_data->any_frag && + !(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) { + /* any_frag has not been set, and apparently it's not the first fragment */ + ret = 0; + goto end; + } + + TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) { + ret = 1; + + /* if the uuid has been rejected(item->result == 1), we skip to the + * next uuid */ + if (item->result == 1) + continue; + + /* check the interface uuid */ for (i = 0; i < 16; i++) { if (dce_data->uuid[i] != item->uuid[i]) { ret = 0; break; } } + + /* check the interface version */ + if (dce_data->op != DETECT_DCE_IFACE_OP_NONE && + !DetectDceIfaceMatchIfaceVersion(item->version, dce_data)) { + ret &= 0; + } + + /* we have a match. Time to leave with a match */ + if (ret == 1) + goto end; } - return 1; + end: + SCMutexUnlock(&f->m); + return ret; } /** 
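Review bot: The rejection test `if (item->result == 1) continue;` only skips user_rejection; a BIND_ACK that refuses an interface normally carries provider_rejection (2), so contexts the server refused still satisfy dce_iface. The test further down expects a match right after the BIND, before any result is known, so accepted-or-pending is presumably `result == 0` and the check should be `if (item->result != 0) continue;`. The any_frag check reads `dcerpchdr.pfc_flags` of whatever PDU was parsed last on the flow, in either direction, not of the PDU that carried this interface — probably acceptable, but worth a comment. `ret &= 0;` is just `ret = 0;`. The enclosing function starts before this hunk.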
@@ -581,18 +688,549 @@ static int DetectDceIfaceTestParse11(void) result &= (DetectDceIfaceSetup(NULL, s, NULL, "1234568-1234-1234-1234-123456789ABC,>1,any_frag") == -1); result &= (DetectDceIfaceSetup(NULL, s, NULL, "12345678-1234-1234-1234-123456789ABC,>65536,any_frag") == -1); result &= (DetectDceIfaceSetup(NULL, s, NULL, "12345678-1234-1234-1234-123456789ABC,>=1,any_frag") == -1); + result &= (DetectDceIfaceSetup(NULL, s, NULL, "12345678-1234-1234-1234-123456789ABC,<0,any_frag") == -1); + result &= (DetectDceIfaceSetup(NULL, s, NULL, "12345678-1234-1234-1234-123456789ABC,>65535,any_frag") == -1); SigFree(s); return result; } +/** + * \test Test a valid dce_iface entry for a bind and bind_ack + */ +static int DetectDceIfaceTestParse12(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, + 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00, + 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00 + }; + + uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); + uint32_t 
dcerpc_bindack_len = sizeof(dcerpc_bindack); + + memset(&th_v, 0, sizeof(th_v)); + memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + + StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize()); + f.protoctx = (void *)&ssn; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + ssn.alproto = ALPROTO_DCERPC; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx, + "alert tcp any any -> any any " + "(msg:\"DCERPC\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; " + "sid:1;)"); + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START, + dcerpc_bind, dcerpc_bind_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)]; + if (dcerpc_state == NULL) { + SCLogDebug("no dcerpc state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack, + dcerpc_bindack_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + result = 1; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses. 
+ */ +static int DetectDceIfaceTestParse13(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, + 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03, + 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00, + 0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, + 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x02, + }; + + uint8_t dcerpc_response1[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request2[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x8c, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x0f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00, + 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00, + 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00, + 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00, + 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00, + 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00, + 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, + 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00, + 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, + 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00, + 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, + 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00, + 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response2[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request3[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00, + 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00, + 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00, + 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + }; + + uint8_t 
dcerpc_response3[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + }; + + uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); + uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack); + + uint32_t dcerpc_request1_len = sizeof(dcerpc_request1_len); + uint32_t dcerpc_response1_len = sizeof(dcerpc_response1_len); + + uint32_t dcerpc_request2_len = sizeof(dcerpc_request2_len); + uint32_t dcerpc_response2_len = sizeof(dcerpc_response2_len); + + uint32_t dcerpc_request3_len = sizeof(dcerpc_request3_len); + uint32_t dcerpc_response3_len = sizeof(dcerpc_response3_len); + + memset(&th_v, 0, sizeof(th_v)); + memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + + StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize()); + f.protoctx = (void *)&ssn; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + ssn.alproto = ALPROTO_DCERPC; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx, + "alert tcp any any -> any any " + "(msg:\"DCERPC\"; " + "dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; " + "sid:1;)"); + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START, + dcerpc_bind, dcerpc_bind_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r); + goto end; + } + + dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)]; + if (dcerpc_state == NULL) { + SCLogDebug("no dcerpc state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack, + dcerpc_bindack_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + /* request1 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1, + dcerpc_request1_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + /* response1 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1, + dcerpc_response1_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + /* request2 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2, + dcerpc_request2_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + /* response2 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2, + dcerpc_response2_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + /* request3 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3, + dcerpc_request3_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + /* response3 */ + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, + dcerpc_response3, dcerpc_response3_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + result = 1; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test a valid dce_iface entry for a bind and bind_ack + */ +static int DetectDceIfaceTestParse14(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, + 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
+ 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00, + 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00 + }; + + uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); + uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack); + + memset(&th_v, 0, sizeof(th_v)); + memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + + StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize()); + f.protoctx = (void *)&ssn; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + ssn.alproto = ALPROTO_DCERPC; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx, + "alert tcp any any -> any any " + "(msg:\"DCERPC\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0; " + "sid:1;)"); + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START, + dcerpc_bind, dcerpc_bind_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); + goto end; + } + + dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)]; + if (dcerpc_state == NULL) { + SCLogDebug("no dcerpc state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack, + dcerpc_bindack_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + result = 1; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + #endif void DetectDceIfaceRegisterTests(void) { #ifdef UNITTESTS - UtRegisterTest("DetectDceIfaceTestParse01", DetectDceIfaceTestParse01, 1); UtRegisterTest("DetectDceIfaceTestParse02", DetectDceIfaceTestParse02, 1); UtRegisterTest("DetectDceIfaceTestParse03", DetectDceIfaceTestParse03, 1); @@ -604,7 +1242,10 @@ void DetectDceIfaceRegisterTests(void) UtRegisterTest("DetectDceIfaceTestParse09", DetectDceIfaceTestParse09, 1); UtRegisterTest("DetectDceIfaceTestParse10", DetectDceIfaceTestParse10, 1); UtRegisterTest("DetectDceIfaceTestParse11", DetectDceIfaceTestParse11, 1); - + UtRegisterTest("DetectDceIfaceTestParse12", DetectDceIfaceTestParse12, 1); + UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1); + UtRegisterTest("DetectDceIfaceTestParse14", DetectDceIfaceTestParse14, 1); #endif + return; } diff --git a/src/detect-dce-iface.h b/src/detect-dce-iface.h index 104c9ac..91f8836 100644 --- a/src/detect-dce-iface.h +++ b/src/detect-dce-iface.h @@ -6,7 +6,8 @@ #define __DETECT_DCE_IFACE_H__ typedef enum DetectDceIfaceOperators_ { - DETECT_DCE_IFACE_OP_LT = 1, + DETECT_DCE_IFACE_OP_NONE = 0, + DETECT_DCE_IFACE_OP_LT, DETECT_DCE_IFACE_OP_GT, DETECT_DCE_IFACE_OP_EQ, DETECT_DCE_IFACE_OP_NE, diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c index 06ed81a..77cb2b1 100644 --- a/src/detect-dce-opnum.c +++ b/src/detect-dce-opnum.c 
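Review bot: In DetectDceIfaceTestParse13 the six request/response lengths take the size of the length variable instead of the buffer: `uint32_t dcerpc_request1_len = sizeof(dcerpc_request1_len);` evaluates to 4, and the same pattern is repeated for response1, request2, response2, request3 and response3, so AppLayerParse is handed only the first four bytes of each PDU and the test does not exercise the three request/response exchanges its comment describes; the bind/bindack lengths in the same function show the intended form, `sizeof(dcerpc_request1)` and so on. In all three new tests the `end:` block calls SigGroupCleanup, SigCleanSignatures, DetectEngineThreadCtxDeinit and DetectEngineCtxFree even on the early exits where `de_ctx` or `det_ctx` is still NULL; whether those functions tolerate a NULL argument is not visible here, so either guard the calls or confirm it. A test that parses only 4 bytes per PDU still passing would also be worth a second look at what the parser accepts for truncated input.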
@@ -5,6 +5,16 @@
 #include "suricata-common.h"
 #include "detect.h"
 #include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+
+#include "flow.h"
+#include "flow-var.h"
+
+#include "app-layer.h"
+#include "app-layer-dcerpc.h"
+#include "queue.h"
+#include "stream-tcp-reassemble.h"
 #include "detect-dce-opnum.h"
 #include "util-debug.h"
@@ -30,6 +40,7 @@ void DetectDceOpnumRegister(void)
 int opts = 0;
 sigmatch_table[DETECT_DCE_OPNUM].name = "dce_opnum";
+ sigmatch_table[DETECT_DCE_OPNUM].alproto = ALPROTO_DCERPC;
 sigmatch_table[DETECT_DCE_OPNUM].Match = NULL;
 sigmatch_table[DETECT_DCE_OPNUM].AppLayerMatch = DetectDceOpnumMatch;
 sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
@@ -203,10 +214,44 @@ static inline DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
 return NULL;
 }
+/**
+ * \brief App layer match function for the "dce_opnum" keyword.
+ *
+ * \param t Pointer to the ThreadVars instance.
+ * \param det_ctx Pointer to the DetectEngineThreadCtx.
+ * \param f Pointer to the flow.
+ * \param flags Pointer to the flags indicating the flow direction.
+ * \param state Pointer to the app layer state data.
+ * \param s Pointer to the Signature instance.
+ * \param m Pointer to the SigMatch.
+ *
+ * \retval 1 On Match.
+ * \retval 0 On no match.
+ */
 int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
 uint8_t flags, void *state, Signature *s, SigMatch *m)
 {
- return 1;
+ DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m->ctx;
+ DetectDceOpnumRange *dor = dce_data->range;
+ DCERPCState *dcerpc_state = (DCERPCState *)state;
+ if (dcerpc_state == NULL) {
+ SCLogDebug("No DCERPCState for the flow");
+ return 0;
+ }
+
+ for ( ; dor != NULL; dor = dor->next) {
+ if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
+ if (dor->range1 == dcerpc_state->dcerpc.dcerpcrequest.opnum)
+ return 1;
+ } else {
+ if (dor->range1 <= dcerpc_state->dcerpc.dcerpcrequest.opnum &&
+ dor->range2 >= dcerpc_state->dcerpc.dcerpcrequest.opnum) {
+ return 1;
+ }
+ }
+ }
+
+ return 0;
 }
 /**
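Review bot: DetectDceOpnumMatch reads `dcerpc_state->dcerpc.dcerpcrequest.opnum` without holding `f->m`, whereas DetectDceIfaceMatch in the same commit takes `SCMutexLock(&f->m)` before touching the same DCERPCState; if that lock is what serialises the match against parser updates, this read should be covered as well, most simply by copying the opnum into a local under `SCMutexLock(&f->m)` / `SCMutexUnlock(&f->m)` and comparing the ranges against the local. The comparison also uses whatever the last parsed request left in `dcerpcrequest.opnum` regardless of the PDU currently being matched, so unless the parser clears it, a bind or response PDU following a request would still satisfy the keyword; that cannot be confirmed from this hunk and deserves either a guard on the current PDU type or a comment stating the intended semantics. Since `dcerpcrequest.opnum` is read three times in the loop, the local copy would also make the range check easier to read.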
@@ -581,13 +626,1592 @@ static int DetectDceOpnumTestParse07(void) return result; } +/** + * \test Test a valid dce_opnum entry with a bind, bind_ack and a request. + */ +static int DetectDceOpnumTestParse08(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, + 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00, + 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00 + }; + + /* todo chop the request frag length and change the + * length related parameters in the frag */ + uint8_t dcerpc_request[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47, + 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b, + 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd, + 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f, + 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5, + 0xc4, 0xff, 0xc1, 0x3f, 
0xbd, 0x9b, 0x4a, 0x22, + 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1, + 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50, + 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22, + 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2, + 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56, + 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1, + 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76, + 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89, + 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a, + 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e, + 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e, + 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9, + 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a, + 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41, + 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6, + 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22, + 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43, + 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50, + 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99, + 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22, + 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e, + 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46, + 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76, + 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c, + 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74, + 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1, + 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c, + 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09, + 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15, + 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57, + 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56, + 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56, + 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48, + 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47, + 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56, + 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41, + 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1, + 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73, + 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a, + 0xf6, 0xca, 0xb5, 0xf5, 
0x2c, 0xd8, 0x42, 0xdd, + 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21, + 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab, + 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3, + 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23, + 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23, + 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22, + 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76, + 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22, + 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71, + 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71, + 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06, + 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd, + 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78, + 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51, + 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50, + 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72, + 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1, + 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72, + 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72, + 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48, + 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57, + 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56, + 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78, + 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22, + 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06, + 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22, + 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92, + 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1, + 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22, + 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2, + 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70, + 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26, + 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2, + 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58, + 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41, + 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, + 0x6f, 0x43, 0x42, 0x42, 
0x50, 0x5f, 0x57, 0xc3, + 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78, + 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, + 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, + 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74, + 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74, + 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, + 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d, + 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 
0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 
0x42, 0x42, 0x42, 0x42,
+ 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x01, 0x02, 0x03, 0x04
+ };
+
+ uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
+ uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
+ uint32_t dcerpc_request_len = sizeof(dcerpc_request);
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = NULL;
+ p.payload_len = 0;
+ p.proto = IPPROTO_TCP;
+
+ StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_opnum:9; "
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_bind, dcerpc_bind_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_bindack, dcerpc_bindack_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_EOF,
+ dcerpc_request, dcerpc_request_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+/**
+ * \test Test a valid dce_opnum entry with only a request frag.
+ */
+static int DetectDceOpnumTestParse09(void)
+{
+ int result = 0;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ Packet p;
+ Flow f;
+ TcpSession ssn;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ DetectEngineCtx *de_ctx = NULL;
+ DCERPCState *dcerpc_state = NULL;
+ int r = 0;
+
+ /* todo chop the request frag length and change the
+ * length related parameters in the frag */
+ uint8_t dcerpc_request[] = {
+ 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
+ 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
+ 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
+ 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
+ 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
+ 0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
+ 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
+ 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
+ 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
+ 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
+ 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
+ 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
+ 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
+ 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
+ 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
+ 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
+ 0x2e, 0xc3, 0x32, 0x21, 
0x7f, 0x10, 0x31, 0x3e, + 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9, + 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a, + 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41, + 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6, + 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22, + 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43, + 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50, + 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99, + 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22, + 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e, + 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46, + 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76, + 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c, + 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74, + 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1, + 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c, + 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09, + 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15, + 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57, + 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56, + 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56, + 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48, + 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47, + 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56, + 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41, + 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1, + 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73, + 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a, + 0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd, + 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21, + 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab, + 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3, + 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23, + 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23, + 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22, + 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76, + 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22, + 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71, + 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71, + 0xf5, 0x64, 0x1e, 0x06, 
0x9d, 0x64, 0x1e, 0x06, + 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd, + 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78, + 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51, + 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50, + 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72, + 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1, + 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72, + 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72, + 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48, + 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57, + 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56, + 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78, + 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22, + 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06, + 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22, + 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92, + 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1, + 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22, + 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2, + 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70, + 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26, + 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2, + 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58, + 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41, + 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, + 0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3, + 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78, + 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, + 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, + 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 
0x07, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74, + 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74, + 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, + 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d, + 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 
0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x01, 0x02, 0x03, 0x04 + }; + + uint32_t dcerpc_request_len = sizeof(dcerpc_request); + + memset(&th_v, 0, sizeof(th_v)); + memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + + StreamL7DataPtrInit(&ssn, 
StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_opnum:9; "
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_request, dcerpc_request_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+/**
+ * \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
+ * and multiple request/responses with a match test after each frag parsing. 
+ */ +static int DetectDceOpnumTestParse10(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, + 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03, + 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00, + 0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, + 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x02, + }; + + uint8_t dcerpc_response1[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request2[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x8c, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x0f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00, + 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00, + 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00, + 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00, + 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00, + 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00, + 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, + 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00, + 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, + 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00, + 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, + 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00, + 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response2[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request3[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00, + 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00, + 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00, + 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + }; + + uint8_t 
dcerpc_response3[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + }; + + uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); + uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack); + + uint32_t dcerpc_request1_len = sizeof(dcerpc_request1); + uint32_t dcerpc_response1_len = sizeof(dcerpc_response1); + + uint32_t dcerpc_request2_len = sizeof(dcerpc_request2); + uint32_t dcerpc_response2_len = sizeof(dcerpc_response2); + + uint32_t dcerpc_request3_len = sizeof(dcerpc_request3); + uint32_t dcerpc_response3_len = sizeof(dcerpc_response3); + + memset(&th_v, 0, sizeof(th_v)); + memset(&p, 0, sizeof(p)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p.src.family = AF_INET; + p.dst.family = AF_INET; + p.payload = NULL; + p.payload_len = 0; + p.proto = IPPROTO_TCP; + + StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize()); + f.protoctx = (void *)&ssn; + p.flow = &f; + p.flowflags |= FLOW_PKT_TOSERVER; + ssn.alproto = ALPROTO_DCERPC; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx, + "alert tcp any any -> any any " + "(msg:\"DCERPC\"; " + "dce_opnum:2,15,22; " + "sid:1;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START, + dcerpc_bind, dcerpc_bind_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r); + goto end; + } + + dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)]; + if (dcerpc_state == NULL) { + SCLogDebug("no dcerpc state: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, + dcerpc_bindack, dcerpc_bindack_len); + if (r != 0) { + SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* request1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request1, dcerpc_request1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1)) {
+ printf("PacketAlertCheck 3\n");
+ goto end;
+ }
+
+ /* response1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_response1, dcerpc_response1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1)) {
+ goto end;
+ }
+
+ /* request2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request2, dcerpc_request2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1)) {
+ goto end;
+ }
+
+ /* response2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_response2, dcerpc_response2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1)) {
+ goto end;
+ }
+
+ /* request3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request3, dcerpc_request3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1)) {
+ goto end;
+ }
+
+ /* response3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
+ dcerpc_response3, dcerpc_response3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed.
Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) { + goto end; + } + + result = 1; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test a valid dce_opnum entry(with multiple values) with multiple + * request/responses. + */ +static int DetectDceOpnumTestParse11(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, + 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x02, + }; + + uint8_t dcerpc_response1[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request2[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00, + 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00, + 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00, + 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00, + 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00, + 0x66, 0x00, 0x74, 0x00, 
0x5c, 0x00, 0x57, 0x00, + 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, + 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00, + 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, + 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00, + 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, + 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00, + 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response2[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request3[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00, + 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00, + 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00, + 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response3[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + }; + + uint32_t dcerpc_request1_len = sizeof(dcerpc_request1); + uint32_t dcerpc_response1_len = sizeof(dcerpc_response1); + + uint32_t dcerpc_request2_len = sizeof(dcerpc_request2); + uint32_t dcerpc_response2_len = sizeof(dcerpc_response2); + + uint32_t dcerpc_request3_len = sizeof(dcerpc_request3); 
+ uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = NULL;
+ p.payload_len = 0;
+ p.proto = IPPROTO_TCP;
+
+ StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_opnum:2-22; "
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ /* request1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_request1, dcerpc_request1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ printf("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_response1, dcerpc_response1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ printf("AppLayerParse for dcerpcresponse1 failed.
Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* request2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request2, dcerpc_request2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_response2, dcerpc_response2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* request3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request3, dcerpc_request3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
+ dcerpc_response3, dcerpc_response3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ printf("AppLayerParse for dcerpc response3 failed.
Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
 #endif
 void DetectDceOpnumRegisterTests(void)
 {
 #ifdef UNITTESTS
- UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01, 1);
 UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02, 1);
 UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03, 1);
@@ -595,7 +2219,11 @@ void DetectDceOpnumRegisterTests(void)
 UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05, 1);
 UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06, 1);
 UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07, 1);
-
+ UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08, 1);
+ UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09, 1);
+ UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
+ UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
 #endif
+ return;
 }
diff --git a/src/detect-dce-opnum.h b/src/detect-dce-opnum.h
index 7bf1b8e..4ae1e73 100644
--- a/src/detect-dce-opnum.h
+++ b/src/detect-dce-opnum.h
@@ -5,15 +5,15 @@
 #ifndef __DETECT_DCE_OPNUM_H__
 #define __DETECT_DCE_OPNUM_H__
+#define DCE_OPNUM_RANGE_MAX 65535
+#define DCE_OPNUM_RANGE_UNINITIALIZED 100000
+
 typedef struct DetectDceOpnumRange_ {
 uint32_t range1;
 uint32_t range2;
 struct DetectDceOpnumRange_ *next;
 } DetectDceOpnumRange;
-#define DCE_OPNUM_RANGE_MAX 65535
-#define DCE_OPNUM_RANGE_UNINITIALIZED 100000
-
 typedef struct DetectDceOpnumData_ {
 DetectDceOpnumRange *range;
 } DetectDceOpnumData;
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index 22a2f82..bd7d8b2 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -5,6 +5,16 @@
 #include "suricata-common.h"
 #include "detect.h"
 #include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+
+#include "flow.h"
+#include "flow-var.h"
+
+#include "app-layer.h"
+#include "app-layer-dcerpc.h"
+#include "queue.h"
+#include "stream-tcp-reassemble.h"
 #include "detect-dce-stub-data.h"
 #include "util-debug.h"
@@ -20,6 +30,7 @@ int DetectDceStubDataSetup(DetectEngineCtx *, Signature *s, SigMatch *m, char *a
 void DetectDceStubDataRegister(void)
 {
 sigmatch_table[DETECT_DCE_STUB_DATA].name = "dce_stub_data";
+ sigmatch_table[DETECT_DCE_STUB_DATA].alproto = ALPROTO_DCERPC;
 sigmatch_table[DETECT_DCE_STUB_DATA].Match = NULL;
 sigmatch_table[DETECT_DCE_STUB_DATA].AppLayerMatch = DetectDceStubDataMatch;
 sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
@@ -29,14 +40,39 @@ void DetectDceStubDataRegister(void)
 return;
 }
+/**
+ * \brief App layer match function for the "dce_stub_data" keyword.
+ *
+ * \todo Check the need for passing a pointer to hold the address of the stub_data.
+ *
+ * \param t Pointer to the ThreadVars instance.
+ * \param det_ctx Pointer to the DetectEngineThreadCtx.
+ * \param f Pointer to the flow.
+ * \param flags Pointer to the flags indicating the flow direction.
+ * \param state Pointer to the app layer state data.
+ * \param s Pointer to the Signature instance.
+ * \param m Pointer to the SigMatch.
+ *
+ * \retval 1 On Match.
+ * \retval 0 On no match.
+ */
 int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
 {
+ DCERPCState *dcerpc_state = (DCERPCState *)state;
+ if (dcerpc_state == NULL) {
+ SCLogDebug("No DCERPCState for the flow");
+ return 0;
+ }
+
+ if (dcerpc_state->dcerpc.dcerpcrequest.stub_data == NULL)
+ return 0;
+
 return 1;
 }
 /**
- * \brief Creates a SigMatch for the "dce_stub_data" keyword being sent as argument,
+ * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
 * and appends it to the Signature(s).
 *
 * \param de_ctx Pointer to the detection engine context
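Review bot: DetectDceStubDataMatch in this hunk returns 1 whenever `dcerpc_state->dcerpc.dcerpcrequest.stub_data` is non-NULL and never reads `flags`, so once a request has populated the request-side stub data, a dce_stub_data signature also matches on every later to-client chunk of that flow. Assuming `flags` carries the STREAM_TOSERVER/STREAM_TOCLIENT bits the parser is fed and the state keeps a response-side stub pointer as well, the check should be selected by direction, e.g. `if (flags & STREAM_TOSERVER) return dcerpc_state->dcerpc.dcerpcrequest.stub_data != NULL;` with the response-side field tested in the other branch. The new Doxygen block also describes `flags` as `Pointer to the flags indicating the flow direction` while the parameter is a `uint8_t` passed by value; suggest `\param flags Flags indicating the direction of the data (STREAM_TOSERVER/STREAM_TOCLIENT).`. Finally, the change of `"dce_stub_data"` to `\"dce_stub_data\"` in the \brief of the Setup function is inside a comment, not a string literal, so the backslashes will appear verbatim in the generated docs; that line should keep the plain quotes.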
@@ -91,15 +127,1584 @@ static int DetectDceStubDataTestParse01(void) return result; } +/** + * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags. + */ +static int DetectDceStubDataTestParse02(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, + 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00, + 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00 + }; + + /* todo chop the request frag length and change the + * length related parameters in the frag */ + uint8_t dcerpc_request[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47, + 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b, + 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd, + 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f, + 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5, + 0xc4, 0xff, 0xc1, 
0x3f, 0xbd, 0x9b, 0x4a, 0x22, + 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1, + 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50, + 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22, + 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2, + 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56, + 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1, + 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76, + 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89, + 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a, + 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e, + 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e, + 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9, + 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a, + 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41, + 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6, + 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22, + 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43, + 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50, + 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99, + 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22, + 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e, + 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46, + 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76, + 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c, + 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74, + 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1, + 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c, + 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09, + 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15, + 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57, + 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56, + 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56, + 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48, + 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47, + 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56, + 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41, + 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1, + 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73, + 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a, + 0xf6, 0xca, 0xb5, 
0xf5, 0x2c, 0xd8, 0x42, 0xdd, + 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21, + 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab, + 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3, + 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23, + 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23, + 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22, + 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76, + 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22, + 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71, + 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71, + 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06, + 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd, + 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78, + 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51, + 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50, + 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72, + 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1, + 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72, + 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72, + 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48, + 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57, + 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56, + 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78, + 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22, + 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06, + 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22, + 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92, + 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1, + 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22, + 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2, + 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70, + 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26, + 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2, + 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58, + 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41, + 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, + 0x6f, 0x43, 0x42, 
0x42, 0x50, 0x5f, 0x57, 0xc3, + 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78, + 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, + 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, + 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74, + 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74, + 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, + 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d, + 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 
0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 
0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
+ 0x01, 0x02, 0x03, 0x04
+ };
+
+ uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
+ uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
+ uint32_t dcerpc_request_len = sizeof(dcerpc_request);
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = NULL;
+ p.payload_len = 0;
+ p.proto = IPPROTO_TCP;
+
+ StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_stub_data; "
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_bind, dcerpc_bind_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ /* we shouldn't have any stub data */
+ if (PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* do detect */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
+ dcerpc_bindack_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ /* we shouldn't have any stub data */
+ if (PacketAlertCheck(&p, 1))
+ goto end;
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_EOF,
+ dcerpc_request, dcerpc_request_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ /* we should have the stub data since we previously parsed a request frag */
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+/**
+ * \test Test a valid dce_stub_data with just a request frag.
+ */
+static int DetectDceStubDataTestParse03(void)
+{
+ int result = 0;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ Packet p;
+ Flow f;
+ TcpSession ssn;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ DetectEngineCtx *de_ctx = NULL;
+ DCERPCState *dcerpc_state = NULL;
+ int r = 0;
+
+ /* todo chop the request frag length and change the
+ * length related parameters in the frag */
+ uint8_t dcerpc_request[] = {
+ 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
+ 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
+ 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
+ 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
+ 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
+ 0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
+ 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
+ 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
+ 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
+ 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
+ 0x64, 0x98, 0xc1, 
0x62, 0xa1, 0xa0, 0x89, 0x56, + 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1, + 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76, + 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89, + 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a, + 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e, + 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e, + 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9, + 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a, + 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41, + 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6, + 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22, + 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43, + 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50, + 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99, + 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22, + 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e, + 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46, + 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76, + 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c, + 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74, + 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1, + 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c, + 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09, + 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15, + 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57, + 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56, + 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56, + 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48, + 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47, + 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56, + 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41, + 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1, + 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73, + 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a, + 0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd, + 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21, + 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab, + 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3, + 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23, + 0xa4, 0x9b, 0x4a, 
0xdd, 0x31, 0xbf, 0xe2, 0x23, + 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22, + 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76, + 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22, + 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71, + 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71, + 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06, + 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd, + 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78, + 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51, + 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50, + 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72, + 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1, + 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72, + 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72, + 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48, + 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57, + 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56, + 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78, + 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22, + 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06, + 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22, + 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92, + 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1, + 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22, + 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2, + 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70, + 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26, + 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2, + 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58, + 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41, + 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, + 0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3, + 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78, + 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, + 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x00, 0x05, 0x00, 0x00, 0x00, + 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, + 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74, + 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74, + 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, + 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d, + 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, + 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 
0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, + 0x01, 0x02, 0x03, 0x04 + }; + + uint32_t dcerpc_request_len = 
sizeof(dcerpc_request);
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = NULL;
+ p.payload_len = 0;
+ p.proto = IPPROTO_TCP;
+
+ StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_stub_data; "
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_request, dcerpc_request_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+static int DetectDceStubDataTestParse04(void)
+{
+ int result = 0;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ Packet p;
+ Flow f;
+ TcpSession ssn;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ DetectEngineCtx *de_ctx = NULL;
+ DCERPCState *dcerpc_state = NULL;
+ int r = 0;
+
+ uint8_t dcerpc_bind[] = {
+ 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+ 0x01, 0xd0, 0x8c, 0x33, 
0x44, 0x22, 0xf1, 0x31, + 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03, + 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_bindack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00, + 0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, + 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x02, + }; + + uint8_t dcerpc_response1[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request2[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00, + 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00, + 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00, + 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00, + 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00, + 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00, + 0x69, 0x00, 
0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, + 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00, + 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, + 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00, + 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, + 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00, + 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response2[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request3[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00, + 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00, + 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00, + 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response3[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + }; + + uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); + uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack); + + uint32_t dcerpc_request1_len = sizeof(dcerpc_request1); + uint32_t dcerpc_response1_len = sizeof(dcerpc_response1); + + uint32_t dcerpc_request2_len = sizeof(dcerpc_request2); + uint32_t dcerpc_response2_len = 
sizeof(dcerpc_response2);
+
+ uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
+ uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = NULL;
+ p.payload_len = 0;
+ p.proto = IPPROTO_TCP;
+
+ StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_stub_data; "
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_bind, dcerpc_bind_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
+ dcerpc_bindack_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* request1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
+ dcerpc_request1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
+ dcerpc_response1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* request2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
+ dcerpc_request2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2,
+ dcerpc_response2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* request3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3,
+ dcerpc_request3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
+ dcerpc_response3, dcerpc_response3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + if (!PacketAlertCheck(&p, 1)) + goto end; + + result = 1; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +static int DetectDceStubDataTestParse05(void) +{ + int result = 0; + Signature *s = NULL; + ThreadVars th_v; + Packet p; + Flow f; + TcpSession ssn; + DetectEngineThreadCtx *det_ctx = NULL; + DetectEngineCtx *de_ctx = NULL; + DCERPCState *dcerpc_state = NULL; + int r = 0; + + uint8_t dcerpc_request1[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, + 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x02, + }; + + uint8_t dcerpc_response1[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request2[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00, + 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00, + 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00, + 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00, + 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00, + 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00, + 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, + 0x77, 0x00, 0x73, 0x00, 0x5c, 
0x00, 0x43, 0x00, + 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, + 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00, + 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, + 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00, + 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response2[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_request3[] = { + 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, + 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, + 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00, + 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00, + 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00, + 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00, + 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, + }; + + uint8_t dcerpc_response3[] = { + 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + }; + + uint32_t dcerpc_request1_len = sizeof(dcerpc_request1); + uint32_t dcerpc_response1_len = sizeof(dcerpc_response1); + + uint32_t dcerpc_request2_len = sizeof(dcerpc_request2); + uint32_t dcerpc_response2_len = sizeof(dcerpc_response2); + + uint32_t dcerpc_request3_len = sizeof(dcerpc_request3); + uint32_t dcerpc_response3_len = sizeof(dcerpc_response3); + + memset(&th_v, 0, sizeof(th_v)); + 
memset(&p, 0, sizeof(p));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = NULL;
+ p.payload_len = 0;
+ p.proto = IPPROTO_TCP;
+
+ StreamL7DataPtrInit(&ssn, StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+ p.flow = &f;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ ssn.alproto = ALPROTO_DCERPC;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,
+ "alert tcp any any -> any any "
+ "(msg:\"DCERPC\"; "
+ "dce_stub_data;"
+ "sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ /* request1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
+ dcerpc_request1, dcerpc_request1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ SCLogDebug("no dcerpc state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response1 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_response1, dcerpc_response1_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* request2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request2, dcerpc_request2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. 
Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response2 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT,
+ dcerpc_response2, dcerpc_response2_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* request3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER,
+ dcerpc_request3, dcerpc_request3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ /* response3 */
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
+ dcerpc_response3, dcerpc_response3_len);
+ if (r != 0) {
+ SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ if (!PacketAlertCheck(&p, 1))
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+
 #endif
 void DetectDceStubDataRegisterTests(void) {
 #ifdef UNITTESTS
- UtRegisterTest("DetectDceStubDataTestParse01", DetectDceStubDataTestParse01, 1);
-
+ UtRegisterTest("DetectDceStubDataTestParse02", DetectDceStubDataTestParse02, 1);
+ UtRegisterTest("DetectDceStubDataTestParse03", DetectDceStubDataTestParse03, 1);
+ UtRegisterTest("DetectDceStubDataTestParse04", DetectDceStubDataTestParse04, 1);
+ UtRegisterTest("DetectDceStubDataTestParse05", DetectDceStubDataTestParse05, 1);
 #endif
+ return;
 }
-- 1.6.6