From 0504f8f48f386afc01086e3cf13d808cbb9282af Mon Sep 17 00:00:00 2001 From: Kirby Kuehl Date: Tue, 16 Feb 2010 11:25:07 -0600 Subject: [PATCH] dcerpc udp support --- src/Makefile.am | 1 + src/app-layer-dcerpc-common.h | 39 ++- src/app-layer-dcerpc-udp.c | 888 +++++++++++++++++++++++++++++++++++++++++ src/app-layer-dcerpc-udp.h | 31 ++ src/app-layer-dcerpc.c | 2 - src/app-layer-protos.h | 1 + src/app-layer-smb.c | 2 - src/suricata.c | 3 + 8 files changed, 948 insertions(+), 19 deletions(-) create mode 100644 src/app-layer-dcerpc-udp.c create mode 100644 src/app-layer-dcerpc-udp.h diff --git a/src/Makefile.am b/src/Makefile.am index b078c99..e08e749 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -174,6 +174,7 @@ app-layer-tls.c app-layer-tls.h \ app-layer-smb.c app-layer-smb.h \ app-layer-smb2.c app-layer-smb2.h \ app-layer-dcerpc.c app-layer-dcerpc.h \ +app-layer-dcerpc-udp.c app-layer-dcerpc-udp.h \ app-layer-ftp.c app-layer-ftp.h \ defrag.c defrag.h \ output.c output.h diff --git a/src/app-layer-dcerpc-common.h b/src/app-layer-dcerpc-common.h index e32697f..8207b11 100644 --- a/src/app-layer-dcerpc-common.h +++ b/src/app-layer-dcerpc-common.h 
@@ -90,6 +90,30 @@ typedef struct dcerpc_hdr_ { #define DCERPC_HDR_LEN 16 +typedef struct dcerpc_hdr_udp_ { + uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/ + uint8_t ptype; /* Packet type (5 LSB only) */ + uint8_t flags1; /* Packet flags */ + uint8_t flags2; /* Packet flags */ + uint8_t drep[3]; /* Data representation format label */ + uint8_t serial_hi; /* High byte of serial number */ + uint8_t objectuuid[16]; + uint8_t interfaceuuid[16]; + uint8_t activityuuid[16]; + uint32_t server_boot;/* Server boot time */ + uint32_t if_vers; /* Interface version */ + uint32_t seqnum; /* Sequence number */ + uint16_t opnum; /* Operation number */ + uint16_t ihint; /* Interface hint */ + uint16_t ahint; /* Activity hint */ + uint16_t fraglen; /* Length of packet body */ + uint16_t fragnum; /* Fragment number */ + uint8_t auth_proto; /* Authentication protocol identifier*/ + uint8_t serial_lo; /* Low byte of serial number */ +}DCERPCHdrUdp; + +#define DCERPC_UDP_HDR_LEN 80 + struct uuid_entry { uint16_t ctxid; uint16_t result; @@ -153,21 +177,6 @@ typedef struct DCERPC_ { #define DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */ #define USER_DATA_NOT_READABLE 6 /* not used */ #define NO_PSAP_AVAILABLE 7 /* not used */ -/* - typedef uint16_t p_context_id_t; - typedef struct { - uuid_t if_uuid; - uint32_t if_version; - } p_syntax_id_t; - - typedef struct { - p_context_id_t p_cont_id; - uint8_t n_transfer_syn; // number of items - uint8_t reserved; // alignment pad, m.b.z. - p_syntax_id_t abstract_syntax; // transfer syntax list - p_syntax_id_t [size_is(n_transfer_syn)] transfer_syntaxes[]; - } p_cont_elem_t; - */ int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len); void hexdump(const void *buf, size_t len); diff --git a/src/app-layer-dcerpc-udp.c b/src/app-layer-dcerpc-udp.c new file mode 100644 index 0000000..a0ff464 --- /dev/null +++ b/src/app-layer-dcerpc-udp.c 
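Review bot: `fraglen`'s comment should make explicit that the value excludes the 80-byte header, e.g. `uint16_t fraglen; /* Length of packet body; header (DCERPC_UDP_HDR_LEN) not included */`, because the consumer in app-layer-dcerpc-udp.c compares it against a byte counter that already starts at `DCERPC_UDP_HDR_LEN`. The three UUID arrays also deserve a note that they are stored after the parser's fixed byte swap of the first three UUID fields (`/* stored after a fixed little-endian swap of fields 1-3; not wire order */`), since a reader comparing them to on-wire bytes would otherwise be surprised. The struct mirrors the wire layout only in its comments — the parser fills it field by field and never overlays it on the packet — so it need not be packed; saying so (`/* parsed field-by-field; never overlaid on the datagram */`) would stop someone adding a `memcpy` later.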
@@ -0,0 +1,888 @@ +/* + * Copyright (c) 2009, 2010 Open Information Security Foundation + * app-layer-dcerpc.c + * + * \author Kirby Kuehl + */ +#include "suricata-common.h" +#include "suricata.h" + +#include "debug.h" +#include "decode.h" +#include "threads.h" + +#include "util-print.h" +#include "util-pool.h" +#include "util-debug.h" + +#include "stream-tcp-private.h" +#include "stream-tcp-reassemble.h" +#include "stream-tcp.h" +#include "stream.h" + +#include "app-layer-protos.h" +#include "app-layer-parser.h" + +#include "util-spm.h" +#include "util-unittest.h" + +#include "app-layer-dcerpc-udp.h" + +enum { + DCERPC_FIELD_NONE = 0, + DCERPC_PARSE_DCERPC_HEADER, + DCERPC_PARSE_DCERPC_BIND, + DCERPC_PARSE_DCERPC_BIND_ACK, + DCERPC_PARSE_DCERPC_REQUEST, + /* must be last */ + DCERPC_FIELD_MAX, +}; + +static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + uint8_t *p = input; + DCERPCUDPState *sstate = (DCERPCUDPState *) dcerpcudp_state; + sstate->frag_data = input; + while (sstate->fraglenleft-- && input_len--) { + SCLogDebug("0x%02x ", *p); + p++; + } + sstate->bytesprocessed += (p - input); + SCReturnUInt((uint32_t)(p - input)); +} + +/** + * \brief DCERPCParseHeader parses the 16 byte DCERPC header + * A fast path for normal decoding is used when there is enough bytes + * present to parse the entire header. A slow path is used to parse + * fragmented packets. 
+ */ +static uint32_t DCERPCUDPParseHeader(Flow *f, void *dcerpcudp_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + uint8_t *p = input; + DCERPCUDPState *sstate = (DCERPCUDPState *) dcerpcudp_state; + if (input_len) { + switch (sstate->bytesprocessed) { + case 0: + if (input_len >= DCERPC_UDP_HDR_LEN) { + sstate->dcerpchdrudp.rpc_vers = *p; + sstate->dcerpchdrudp.ptype = *(p + 1); + sstate->dcerpchdrudp.flags1 = *(p + 2); + sstate->dcerpchdrudp.flags2 = *(p + 3); + sstate->dcerpchdrudp.drep[0] = *(p + 4); + sstate->dcerpchdrudp.drep[1] = *(p + 5); + sstate->dcerpchdrudp.drep[2] = *(p + 6); + sstate->dcerpchdrudp.serial_hi = *(p + 7); + sstate->dcerpchdrudp.objectuuid[3] = *(p + 8); + sstate->dcerpchdrudp.objectuuid[2] = *(p + 9); + sstate->dcerpchdrudp.objectuuid[1] = *(p + 10); + sstate->dcerpchdrudp.objectuuid[0] = *(p + 11); + sstate->dcerpchdrudp.objectuuid[5] = *(p + 12); + sstate->dcerpchdrudp.objectuuid[4] = *(p + 13); + sstate->dcerpchdrudp.objectuuid[7] = *(p + 14); + sstate->dcerpchdrudp.objectuuid[6] = *(p + 15); + sstate->dcerpchdrudp.objectuuid[8] = *(p + 16); + sstate->dcerpchdrudp.objectuuid[9] = *(p + 17); + sstate->dcerpchdrudp.objectuuid[10] = *(p + 18); + sstate->dcerpchdrudp.objectuuid[11] = *(p + 19); + sstate->dcerpchdrudp.objectuuid[12] = *(p + 20); + sstate->dcerpchdrudp.objectuuid[13] = *(p + 21); + sstate->dcerpchdrudp.objectuuid[14] = *(p + 22); + sstate->dcerpchdrudp.objectuuid[15] = *(p + 23); + sstate->dcerpchdrudp.interfaceuuid[3] = *(p + 24); + sstate->dcerpchdrudp.interfaceuuid[2] = *(p + 25); + sstate->dcerpchdrudp.interfaceuuid[1] = *(p + 26); + sstate->dcerpchdrudp.interfaceuuid[0] = *(p + 27); + sstate->dcerpchdrudp.interfaceuuid[5] = *(p + 28); + sstate->dcerpchdrudp.interfaceuuid[4] = *(p + 29); + sstate->dcerpchdrudp.interfaceuuid[7] = *(p + 30); + sstate->dcerpchdrudp.interfaceuuid[6] = *(p + 31); + sstate->dcerpchdrudp.interfaceuuid[8] = *(p + 32); + 
sstate->dcerpchdrudp.interfaceuuid[9] = *(p + 33); + sstate->dcerpchdrudp.interfaceuuid[10] = *(p + 34); + sstate->dcerpchdrudp.interfaceuuid[11] = *(p + 35); + sstate->dcerpchdrudp.interfaceuuid[12] = *(p + 36); + sstate->dcerpchdrudp.interfaceuuid[13] = *(p + 37); + sstate->dcerpchdrudp.interfaceuuid[14] = *(p + 38); + sstate->dcerpchdrudp.interfaceuuid[15] = *(p + 39); + sstate->dcerpchdrudp.activityuuid[3] = *(p + 40); + sstate->dcerpchdrudp.activityuuid[2] = *(p + 41); + sstate->dcerpchdrudp.activityuuid[1] = *(p + 42); + sstate->dcerpchdrudp.activityuuid[0] = *(p + 43); + sstate->dcerpchdrudp.activityuuid[5] = *(p + 44); + sstate->dcerpchdrudp.activityuuid[4] = *(p + 45); + sstate->dcerpchdrudp.activityuuid[7] = *(p + 46); + sstate->dcerpchdrudp.activityuuid[6] = *(p + 47); + sstate->dcerpchdrudp.activityuuid[8] = *(p + 48); + sstate->dcerpchdrudp.activityuuid[9] = *(p + 49); + sstate->dcerpchdrudp.activityuuid[10] = *(p + 50); + sstate->dcerpchdrudp.activityuuid[11] = *(p + 51); + sstate->dcerpchdrudp.activityuuid[12] = *(p + 52); + sstate->dcerpchdrudp.activityuuid[13] = *(p + 53); + sstate->dcerpchdrudp.activityuuid[14] = *(p + 54); + sstate->dcerpchdrudp.activityuuid[15] = *(p + 55); + if (sstate->dcerpchdrudp.drep[0] == 0x10) { + sstate->dcerpchdrudp.server_boot = *(p + 56); + sstate->dcerpchdrudp.server_boot |= *(p + 57) << 8; + sstate->dcerpchdrudp.server_boot |= *(p + 58) << 16; + sstate->dcerpchdrudp.server_boot |= *(p + 59) << 24; + sstate->dcerpchdrudp.if_vers = *(p + 60); + sstate->dcerpchdrudp.if_vers |= *(p + 61) << 8; + sstate->dcerpchdrudp.if_vers |= *(p + 62) << 16; + sstate->dcerpchdrudp.if_vers |= *(p + 63) >> 24; + sstate->dcerpchdrudp.seqnum = *(p + 64); + sstate->dcerpchdrudp.seqnum |= *(p + 65) << 8; + sstate->dcerpchdrudp.seqnum |= *(p + 66) << 16; + sstate->dcerpchdrudp.seqnum |= *(p + 67) << 24; + sstate->dcerpchdrudp.opnum = *(p + 68); + sstate->dcerpchdrudp.opnum |= *(p + 69) << 8; + sstate->dcerpchdrudp.ihint = *(p + 70); + 
sstate->dcerpchdrudp.ihint |= *(p + 71) << 8; + sstate->dcerpchdrudp.ahint = *(p + 72); + sstate->dcerpchdrudp.ahint |= *(p + 73) << 8; + sstate->dcerpchdrudp.fraglen = *(p + 74); + sstate->dcerpchdrudp.fraglen |= *(p + 75) << 8; + sstate->dcerpchdrudp.fragnum = *(p + 76); + sstate->dcerpchdrudp.fragnum |= *(p + 77) << 8; + } else { + sstate->dcerpchdrudp.server_boot = *(p + 56) << 24; + sstate->dcerpchdrudp.server_boot |= *(p + 57) << 16; + sstate->dcerpchdrudp.server_boot |= *(p + 58) << 8; + sstate->dcerpchdrudp.server_boot |= *(p + 59); + sstate->dcerpchdrudp.if_vers = *(p + 60) << 24; + sstate->dcerpchdrudp.if_vers |= *(p + 61) << 16; + sstate->dcerpchdrudp.if_vers |= *(p + 62) << 8; + sstate->dcerpchdrudp.if_vers |= *(p + 63); + sstate->dcerpchdrudp.seqnum = *(p + 64) << 24; + sstate->dcerpchdrudp.seqnum |= *(p + 65) << 16; + sstate->dcerpchdrudp.seqnum |= *(p + 66) << 8; + sstate->dcerpchdrudp.seqnum |= *(p + 67); + sstate->dcerpchdrudp.opnum = *(p + 68) << 24; + sstate->dcerpchdrudp.opnum |= *(p + 69) << 16; + sstate->dcerpchdrudp.ihint = *(p + 70) << 8; + sstate->dcerpchdrudp.ihint |= *(p + 71); + sstate->dcerpchdrudp.ahint = *(p + 72) << 8; + sstate->dcerpchdrudp.ahint |= *(p + 73); + sstate->dcerpchdrudp.fraglen = *(p + 74) << 8; + sstate->dcerpchdrudp.fraglen |= *(p + 75); + sstate->dcerpchdrudp.fragnum = *(p + 76) << 8; + sstate->dcerpchdrudp.fragnum |= *(p + 77); + } + sstate->fraglenleft = sstate->dcerpchdrudp.fraglen; + sstate->dcerpchdrudp.auth_proto = *(p + 78); + sstate->dcerpchdrudp.serial_lo = *(p + 79); + sstate->bytesprocessed = DCERPC_UDP_HDR_LEN; + sstate->uuid_entry = (struct uuid_entry *) calloc(1, + sizeof(struct uuid_entry)); + if (sstate->uuid_entry == NULL) { + SCReturnUInt(0); + } else { + memcpy(sstate->uuid_entry->uuid, + sstate->dcerpchdrudp.activityuuid, + sizeof(sstate->dcerpchdrudp.activityuuid)); + } + SCReturnUInt(80U); + break; + } else { + sstate->dcerpchdrudp.rpc_vers = *(p++); + if (!(--input_len)) + break; + } + case 1: 
+ sstate->dcerpchdrudp.ptype = *(p++); + if (!(--input_len)) + break; + case 2: + sstate->dcerpchdrudp.flags1 = *(p++); + if (!(--input_len)) + break; + case 3: + sstate->dcerpchdrudp.flags2 = *(p++); + if (!(--input_len)) + break; + case 4: + sstate->dcerpchdrudp.drep[0] = *(p++); + if (!(--input_len)) + break; + case 5: + sstate->dcerpchdrudp.drep[1] = *(p++); + if (!(--input_len)) + break; + case 6: + sstate->dcerpchdrudp.drep[2] = *(p++); + if (!(--input_len)) + break; + case 7: + sstate->dcerpchdrudp.serial_hi = *(p++); + if (!(--input_len)) + break; + case 8: + sstate->dcerpchdrudp.objectuuid[3] = *(p++); + if (!(--input_len)) + break; + case 9: + sstate->dcerpchdrudp.objectuuid[2] = *(p++); + if (!(--input_len)) + break; + case 10: + sstate->dcerpchdrudp.objectuuid[1] = *(p++); + if (!(--input_len)) + break; + case 11: + sstate->dcerpchdrudp.objectuuid[0] = *(p++); + if (!(--input_len)) + break; + case 12: + sstate->dcerpchdrudp.objectuuid[5] = *(p++); + if (!(--input_len)) + break; + case 13: + sstate->dcerpchdrudp.objectuuid[4] = *(p++); + if (!(--input_len)) + break; + case 14: + sstate->dcerpchdrudp.objectuuid[7] = *(p++); + if (!(--input_len)) + break; + case 15: + sstate->dcerpchdrudp.objectuuid[6] = *(p++); + if (!(--input_len)) + break; + case 16: + sstate->dcerpchdrudp.objectuuid[8] = *(p++); + if (!(--input_len)) + break; + case 17: + sstate->dcerpchdrudp.objectuuid[9] = *(p++); + if (!(--input_len)) + break; + case 18: + sstate->dcerpchdrudp.objectuuid[10] = *(p++); + if (!(--input_len)) + break; + case 19: + sstate->dcerpchdrudp.objectuuid[11] = *(p++); + if (!(--input_len)) + break; + case 20: + sstate->dcerpchdrudp.objectuuid[12] = *(p++); + if (!(--input_len)) + break; + case 21: + sstate->dcerpchdrudp.objectuuid[13] = *(p++); + if (!(--input_len)) + break; + case 22: + sstate->dcerpchdrudp.objectuuid[14] = *(p++); + if (!(--input_len)) + break; + case 23: + sstate->dcerpchdrudp.objectuuid[15] = *(p++); + if (!(--input_len)) + break; + case 
24: + sstate->dcerpchdrudp.interfaceuuid[3] = *(p++); + if (!(--input_len)) + break; + case 25: + sstate->dcerpchdrudp.interfaceuuid[2] = *(p++); + if (!(--input_len)) + break; + case 26: + sstate->dcerpchdrudp.interfaceuuid[1] = *(p++); + if (!(--input_len)) + break; + case 27: + sstate->dcerpchdrudp.interfaceuuid[0] = *(p++); + if (!(--input_len)) + break; + case 28: + sstate->dcerpchdrudp.interfaceuuid[5] = *(p++); + if (!(--input_len)) + break; + case 29: + sstate->dcerpchdrudp.interfaceuuid[4] = *(p++); + if (!(--input_len)) + break; + case 30: + sstate->dcerpchdrudp.interfaceuuid[7] = *(p++); + if (!(--input_len)) + break; + case 31: + sstate->dcerpchdrudp.interfaceuuid[6] = *(p++); + if (!(--input_len)) + break; + case 32: + sstate->dcerpchdrudp.interfaceuuid[8] = *(p++); + if (!(--input_len)) + break; + case 33: + sstate->dcerpchdrudp.interfaceuuid[9] = *(p++); + if (!(--input_len)) + break; + case 34: + sstate->dcerpchdrudp.interfaceuuid[10] = *(p++); + if (!(--input_len)) + break; + case 35: + sstate->dcerpchdrudp.interfaceuuid[11] = *(p++); + if (!(--input_len)) + break; + case 36: + sstate->dcerpchdrudp.interfaceuuid[12] = *(p++); + if (!(--input_len)) + break; + case 37: + sstate->dcerpchdrudp.interfaceuuid[13] = *(p++); + if (!(--input_len)) + break; + case 38: + sstate->dcerpchdrudp.interfaceuuid[14] = *(p++); + if (!(--input_len)) + break; + case 39: + sstate->dcerpchdrudp.interfaceuuid[15] = *(p++); + if (!(--input_len)) + break; + case 40: + sstate->dcerpchdrudp.activityuuid[3] = *(p++); + if (!(--input_len)) + break; + case 41: + sstate->dcerpchdrudp.activityuuid[2] = *(p++); + if (!(--input_len)) + break; + case 42: + sstate->dcerpchdrudp.activityuuid[1] = *(p++); + if (!(--input_len)) + break; + case 43: + sstate->dcerpchdrudp.activityuuid[0] = *(p++); + if (!(--input_len)) + break; + case 44: + sstate->dcerpchdrudp.activityuuid[5] = *(p++); + if (!(--input_len)) + break; + case 45: + sstate->dcerpchdrudp.activityuuid[4] = *(p++); + if 
(!(--input_len)) + break; + case 46: + sstate->dcerpchdrudp.activityuuid[7] = *(p++); + if (!(--input_len)) + break; + case 47: + sstate->dcerpchdrudp.activityuuid[6] = *(p++); + if (!(--input_len)) + break; + case 48: + sstate->dcerpchdrudp.activityuuid[8] = *(p++); + if (!(--input_len)) + break; + case 49: + sstate->dcerpchdrudp.activityuuid[9] = *(p++); + if (!(--input_len)) + break; + case 50: + sstate->dcerpchdrudp.activityuuid[10] = *(p++); + if (!(--input_len)) + break; + case 51: + sstate->dcerpchdrudp.activityuuid[11] = *(p++); + if (!(--input_len)) + break; + case 52: + sstate->dcerpchdrudp.activityuuid[12] = *(p++); + if (!(--input_len)) + break; + case 53: + sstate->dcerpchdrudp.activityuuid[13] = *(p++); + if (!(--input_len)) + break; + case 54: + sstate->dcerpchdrudp.activityuuid[14] = *(p++); + if (!(--input_len)) + break; + case 55: + sstate->dcerpchdrudp.activityuuid[15] = *(p++); + if (!(--input_len)) + break; + case 56: + sstate->dcerpchdrudp.server_boot = *(p++); + if (!(--input_len)) + break; + case 57: + sstate->dcerpchdrudp.server_boot |= *(p++) << 8; + if (!(--input_len)) + break; + case 58: + sstate->dcerpchdrudp.server_boot |= *(p++) << 16; + if (!(--input_len)) + break; + case 59: + sstate->dcerpchdrudp.server_boot |= *(p++) << 24; + if (!(--input_len)) + break; + case 60: + sstate->dcerpchdrudp.if_vers = *(p++); + if (!(--input_len)) + break; + case 61: + sstate->dcerpchdrudp.if_vers |= *(p++) << 8; + if (!(--input_len)) + break; + case 62: + sstate->dcerpchdrudp.if_vers |= *(p++) << 16; + if (!(--input_len)) + break; + case 63: + sstate->dcerpchdrudp.if_vers |= *(p++) << 24; + if (!(--input_len)) + break; + case 64: + sstate->dcerpchdrudp.seqnum = *(p++); + if (!(--input_len)) + break; + case 65: + sstate->dcerpchdrudp.seqnum |= *(p++) << 8; + if (!(--input_len)) + break; + case 66: + sstate->dcerpchdrudp.seqnum |= *(p++) << 16; + if (!(--input_len)) + break; + case 67: + sstate->dcerpchdrudp.seqnum |= *(p++) << 24; + if 
(!(--input_len)) + break; + case 68: + sstate->dcerpchdrudp.opnum = *(p++); + if (!(--input_len)) + break; + case 69: + sstate->dcerpchdrudp.opnum |= *(p++) << 8; + if (!(--input_len)) + break; + case 70: + sstate->dcerpchdrudp.ihint = *(p++); + if (!(--input_len)) + break; + case 71: + sstate->dcerpchdrudp.ihint |= *(p++) << 8; + if (!(--input_len)) + break; + case 72: + sstate->dcerpchdrudp.ahint = *(p++); + if (!(--input_len)) + break; + case 73: + sstate->dcerpchdrudp.ahint |= *(p++) << 8; + if (!(--input_len)) + break; + case 74: + sstate->dcerpchdrudp.fraglen = *(p++); + if (!(--input_len)) + break; + case 75: + sstate->dcerpchdrudp.fraglen |= *(p++) << 8; + if (!(--input_len)) + break; + case 76: + sstate->dcerpchdrudp.fragnum = *(p++); + if (!(--input_len)) + break; + case 77: + sstate->dcerpchdrudp.fragnum |= *(p++); + if (!(--input_len)) + break; + case 78: + sstate->dcerpchdrudp.auth_proto = *(p++); + if (!(--input_len)) + break; + case 79: + sstate->dcerpchdrudp.serial_lo = *(p++); + if (sstate->dcerpchdrudp.drep[0] != 0x10) { + SCByteSwap32(sstate->dcerpchdrudp.server_boot); + SCByteSwap32(sstate->dcerpchdrudp.if_vers); + SCByteSwap32(sstate->dcerpchdrudp.seqnum); + SCByteSwap16(sstate->dcerpchdrudp.opnum); + SCByteSwap16(sstate->dcerpchdrudp.ihint); + SCByteSwap16(sstate->dcerpchdrudp.ahint); + SCByteSwap16(sstate->dcerpchdrudp.fraglen); + SCByteSwap16(sstate->dcerpchdrudp.fragnum); + } + sstate->fraglenleft = sstate->dcerpchdrudp.fraglen; + sstate->uuid_entry = (struct uuid_entry *) calloc(1, + sizeof(struct uuid_entry)); + if (sstate->uuid_entry == NULL) { + SCReturnUInt(0); + } else { + memcpy(sstate->uuid_entry->uuid, + sstate->dcerpchdrudp.activityuuid, + sizeof(sstate->dcerpchdrudp.activityuuid)); + } + --input_len; + break; + } + } + sstate->bytesprocessed += (p - input); + SCReturnUInt((uint32_t)(p - input)); +} + +static int DCERPCUDPParse(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + 
AppLayerParserResult *output) { + uint32_t retval = 0; + uint32_t parsed = 0; + SCEnter(); + + DCERPCUDPState *sstate = (DCERPCUDPState *) dcerpc_state; + while (sstate->bytesprocessed < DCERPC_UDP_HDR_LEN && input_len) { + retval = DCERPCUDPParseHeader(f, dcerpc_state, pstate, input, + input_len, output); + parsed += retval; + input_len -= retval; + } +#if 0 + printf("Done with DCERPCUDPParseHeader bytesprocessed %u/%u left %u\n", + sstate->bytesprocessed, sstate->dcerpchdrudp.fraglen, input_len); + printf("\nDCERPC Version:\t%u\n", sstate->dcerpchdrudp.rpc_vers); + printf("DCERPC Type:\t%u\n", sstate->dcerpchdrudp.ptype); + printf("DCERPC Flags1:\t0x%02x\n", sstate->dcerpchdrudp.flags1); + printf("DCERPC Flags2:\t0x%02x\n", sstate->dcerpchdrudp.flags2); + printf("DCERPC Packed Drep:\t%02x %02x %02x\n", + sstate->dcerpchdrudp.drep[0], sstate->dcerpchdrudp.drep[1], + sstate->dcerpchdrudp.drep[2]); + printf("DCERPC Frag Length:\t0x%04x %u\n", sstate->dcerpchdrudp.fraglen, + sstate->dcerpchdrudp.fraglen); + printf("DCERPC Frag Number:\t0x%04x\n", sstate->dcerpchdrudp.fragnum); + printf("DCERPC OpNum:\t0x%04x\n", sstate->dcerpchdrudp.opnum); +#endif + + while (sstate->bytesprocessed >= DCERPC_UDP_HDR_LEN + && sstate->bytesprocessed < sstate->dcerpchdrudp.fraglen + && input_len) { + retval = FragmentDataParser(f, dcerpc_state, pstate, input + parsed, + input_len, output); + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing DCERPC UDP Fragment Data"); + parsed -= input_len; + input_len = 0; + sstate->bytesprocessed = 0; + } + } + + if (sstate->bytesprocessed == sstate->dcerpchdrudp.fraglen) { + sstate->bytesprocessed = 0; + } + if (pstate == NULL) + SCReturnInt(-1); + + pstate->parse_field = 0; + + SCReturnInt(1); +} + +static void *DCERPCUDPStateAlloc(void) { + void *s = malloc(sizeof(DCERPCUDPState)); + if (s == NULL) + return NULL; + + memset(s, 0, sizeof(DCERPCUDPState)); + return s; +} + +static void 
DCERPCUDPStateFree(void *s) { + DCERPCUDPState *sstate = (DCERPCUDPState *) s; + + struct uuid_entry *item; + + while ((item = TAILQ_FIRST(&sstate->uuid_list))) { + //printUUID("Free", item); + TAILQ_REMOVE(&sstate->uuid_list, item, next); + free(item); + } + + if (s) { + free(s); + s = NULL; + } +} + +void RegisterDCERPCUDPParsers(void) { + AppLayerRegisterProto("dcerpcudp", ALPROTO_DCERPC_UDP, STREAM_TOSERVER, + DCERPCUDPParse); + AppLayerRegisterProto("dcerpcudp", ALPROTO_DCERPC_UDP, STREAM_TOCLIENT, + DCERPCUDPParse); + AppLayerRegisterStateFuncs(ALPROTO_DCERPC_UDP, DCERPCUDPStateAlloc, + DCERPCUDPStateFree); +} + +/* UNITTESTS */ +#ifdef UNITTESTS +/** \test DCERPC UDP Header Parsing and UUID handling + */ + +int DCERPCUDPParserTest01(void) { + int result = 1; + Flow f; + uint8_t dcerpcrequest[] = { + 0x04, 0x00, 0x2c, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, + 0x3f, 0x98, 0xf0, 0x5c, 0xd9, 0x63, 0xcc, 0x46, + 0xc2, 0x74, 0x51, 0x6c, 0x8a, 0x53, 0x7d, 0x6f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0xff, 0xff, + 0xff, 0xff, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, + 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, + 0xcc, 0x45, 0x64, 0x49, 0xb0, 0x70, 0xdd, 0xae, + 0x74, 0x2c, 0x96, 0xd2, 0x60, 0x5e, 0x0d, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x7c, 0x5e, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x80, 0x96, 0xf1, 0xf1, + 0x2a, 0x4d, 0xce, 0x11, 0xa6, 0x6a, 0x00, 0x20, + 0xaf, 0x6e, 0x72, 0xf4, 0x0c, 0x00, 0x00, 0x00, + 0x4d, 0x41, 0x52, 0x42, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, + 0x00, 0x00, 0x00, 0x00, 0xa8, 0xf4, 0x0b, 0x00, + 0x10, 0x09, 0x00, 0x00, 0x10, 
0x09, 0x00, 0x00, + 0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, + 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, + 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, + 0x00, 0x00, 0x00, 0x00, 0xe0, 0x08, 0x00, 0x00, + 0xd8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0xc8, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, + 0xd8, 0x08, 0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, + 0x64, 0x29, 0xcd, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xa6, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xad, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, + 0x60, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, + 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x28, 0x06, 0x00, 0x00, + 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x50, 0x00, 0x00, 0x00, 0x4f, 0xb6, 0x88, 0x20, + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x48, 0x00, 0x00, 0x00, 0x07, 0x00, 0x66, 0x00, + 0x06, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, + 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x78, 0x19, 0x0c, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x70, 0xd8, 0x98, 0x93, + 0x98, 0x4f, 0xd2, 0x11, 0xa9, 0x3d, 0xbe, 0x57, + 0xb2, 0x00, 0x00, 0x00, 0x32, 0x00, 0x31, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x80, 0x00, 0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x43, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, + 0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, + 0xc0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, + 0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, + 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, + 0x80, 0x0e, 0xe9, 0x4a, 0x99, 0x99, 0xf1, 0x8a, + 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x30, 0x00, 0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xd8, 0xda, 0x0d, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x20, 0x2f, 0x0c, 0x00, 0x00, 
0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x46, 0x00, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x10, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2e, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x68, 0x00, 0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, + 0x68, 0x8b, 0x0b, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xfe, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xfe, 0x02, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, + 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, + 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, + 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, + 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, + 0x31, 0x00, 0x31, 0x00, 0x9d, 0x13, 0x00, 0x01, + 0xcc, 0xe0, 0xfd, 0x7f, 0xcc, 0xe0, 0xfd, 0x7f, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90}; + uint32_t requestlen = sizeof(dcerpcrequest); + + TcpSession ssn; + struct uuid_entry *uuid_entry; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + StreamL7DataPtrInit(&ssn); + + int r = AppLayerParse(&f, ALPROTO_DCERPC_UDP, STREAM_TOSERVER|STREAM_START, dcerpcrequest, requestlen); + if (r != 0) { + printf("dcerpc header check returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + DCERPCUDPState *dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC_UDP)]; + if (dcerpc_state == NULL) { + printf("no dcerpc state: "); + result = 0; + goto end; + } + + if (dcerpc_state->dcerpchdrudp.rpc_vers != 4) { + printf("expected dcerpc version 0x04, got 0x%02x : ", + dcerpc_state->dcerpchdrudp.rpc_vers); + result = 0; + goto end; + } + + if (dcerpc_state->dcerpchdrudp.ptype != REQUEST) { + printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpchdrudp.ptype); + result = 0; + goto end; + } + + if (dcerpc_state->dcerpchdrudp.fraglen != 1392) { + printf("expected dcerpc fraglen 0x%02x , got 0x%02x : ", 1392, dcerpc_state->dcerpchdrudp.fraglen); + result = 0; + goto end; + } + + if (dcerpc_state->dcerpchdrudp.opnum != 4) { + printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 4, dcerpc_state->dcerpchdrudp.opnum); + result = 0; + goto end; + } + + TAILQ_FOREACH(uuid_entry, &dcerpc_state->uuid_list, next) { + printUUID("REQUEST", uuid_entry); + } + + end: + StreamL7DataPtrFree(&ssn); + StreamTcpFreeConfig(TRUE); + return result; +} + +void DCERPCUDPParserRegisterTests(void) { + printf("DCERPCUDPParserRegisterTests\n"); + UtRegisterTest("DCERPCUDPParserTest01", DCERPCUDPParserTest01, 1); +} +#endif + diff --git a/src/app-layer-dcerpc-udp.h b/src/app-layer-dcerpc-udp.h new file mode 100644 index 0000000..b654ffd --- /dev/null +++ b/src/app-layer-dcerpc-udp.h 
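Review bot: The `struct uuid_entry` calloc'd at the end of both header paths (`sstate->uuid_entry = calloc(...)`) is never linked into `uuid_list` and never freed — `DCERPCUDPStateFree` only walks the list — so each datagram on a flow leaks one entry and overwrites the previous pointer, letting remote traffic grow memory without bound; either `TAILQ_INSERT_TAIL(&sstate->uuid_list, sstate->uuid_entry, next)` it (after a `TAILQ_INIT(&s->uuid_list)` in `DCERPCUDPStateAlloc`, since `memset` alone leaves `tqh_last` NULL) or `free()` the old one before reallocating and again in StateFree. When that calloc fails in slow-path case 79 the function returns 0 without adding `p - input` to `bytesprocessed`, so `DCERPCUDPParse`'s header loop (`while (bytesprocessed < DCERPC_UDP_HDR_LEN && input_len)`) spins forever because `input_len -= 0`; return the consumed count there instead. The fragment loop compares `bytesprocessed`, which already counts the 80-byte header, against `fraglen`, which is the body length only, so a datagram with `fraglen < 80` (an ack or ping) leaves the state wedged at `bytesprocessed == 80` and every later datagram on the flow is skipped, while a normal request leaves its last 80 bytes unconsumed — the rewritten loop below uses `fraglen + DCERPC_UDP_HDR_LEN`. `sstate->frag_data = input` stores a pointer to the caller's transient buffer in persistent flow state, which becomes a use-after-scope for whatever reads it next. There are also byte-assembly slips: `if_vers |= *(p + 63) >> 24` should be `<< 24`, the big-endian branch shifts `opnum` by 24/16 into a 16-bit field, slow-path case 77 is missing `<< 8`, and `while (sstate->fraglenleft-- && input_len--)` decrements `fraglenleft` one extra time (wrapping to 0xffff when it was already 0).
```c
    /* … unchanged: header loop and #if 0 debug dump … */
    /* fraglen counts the body only; the 80-byte header precedes it. */
    uint32_t pdu_len = (uint32_t)sstate->dcerpchdrudp.fraglen + DCERPC_UDP_HDR_LEN;
    while (sstate->bytesprocessed >= DCERPC_UDP_HDR_LEN
            && sstate->bytesprocessed < pdu_len && input_len) {
        /* … unchanged: FragmentDataParser call and error branch … */
    }

    if (sstate->bytesprocessed >= pdu_len) {
        sstate->bytesprocessed = 0;
    }
```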
@@ -0,0 +1,31 @@ +/* + * Copyright (c) 2009,2010 Open Information Security Foundation + * app-layer-dcerpc.h + * + * \author Kirby Kuehl + */ + +#ifndef APPLAYERDCERPCUDP_H_ +#define APPLAYERDCERPCUDP_H_ +#include "app-layer-protos.h" +#include "app-layer-parser.h" +#include "app-layer-dcerpc-common.h" +#include "flow.h" +#include "queue.h" +#include "util-byte.h" + +typedef struct DCERPCUDPState_ { + DCERPCHdrUdp dcerpchdrudp; + uint16_t bytesprocessed; + uint16_t fraglenleft; + uint8_t *frag_data; + struct uuid_entry *uuid_entry; + TAILQ_HEAD(, uuid_entry) uuid_list; +}DCERPCUDPState; + +void RegisterDCERPCUDPParsers(void); +void DCERPCUDPParserTests(void); +void DCERPCUDPParserRegisterTests(void); + +#endif /* APPLAYERDCERPCUDP_H_ */ + diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c index ad125e3..cc7d374 100644 --- a/src/app-layer-dcerpc.c +++ b/src/app-layer-dcerpc.c @@ -1277,8 +1277,6 @@ void RegisterDCERPCParsers(void) { /** \test DCERPC Header Parsing and BIND / BIND_ACK multiple UUID handling */ -/* set this to 1 to see problem */ - int DCERPCParserTest01(void) { int result = 1; Flow f; diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h index ef4e493..238a072 100644 --- a/src/app-layer-protos.h +++ b/src/app-layer-protos.h @@ -15,6 +15,7 @@ enum { ALPROTO_SMB, ALPROTO_SMB2, ALPROTO_DCERPC, + ALPROTO_DCERPC_UDP, #ifdef UNITTESTS ALPROTO_TEST, #endif /* UNITESTS */ diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c index 5c32f9c..ad00846 100644 --- a/src/app-layer-smb.c +++ b/src/app-layer-smb.c @@ -1675,12 +1675,10 @@ end: #endif void SMBParserRegisterTests(void) { -#ifdef UNITTESTS printf("SMBParserRegisterTests\n"); UtRegisterTest("SMBParserTest01", SMBParserTest01, 1); UtRegisterTest("SMBParserTest02", SMBParserTest02, 1); UtRegisterTest("SMBParserTest03", SMBParserTest03, 1); UtRegisterTest("SMBParserTest04", SMBParserTest04, 1); -#endif } diff --git a/src/suricata.c b/src/suricata.c index 86799d7..71980c9 100644 
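Review bot: `frag_data` is a bare `uint8_t *` kept in per-flow state, yet the parser assigns it the `input` buffer of the current `DCERPCUDPParse` call, which does not outlive that call; either document it as `uint8_t *frag_data; /* points into the current datagram; valid only during the parse call */` or drop the field until something consumes it. `void DCERPCUDPParserTests(void);` is declared here but has no definition in the new .c file, and the header comment names `app-layer-dcerpc.h` rather than this file. `bytesprocessed` and `fraglenleft` are `uint16_t`, which wraps if `fraglen` approaches its maximum once the 80-byte header is added, so a comment stating the intended bound (`/* header + body; must fit one UDP datagram */`) would help the next reader.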
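Review bot: Removing the `#ifdef UNITTESTS` guard leaves `SMBParserRegisterTests` calling `UtRegisterTest` with `SMBParserTest01`–`04` unconditionally, while the `#endif` immediately above the function appears to close the section in which those tests are defined, so a build configured without UNITTESTS would likely fail on undefined names. The matching function in the new app-layer-dcerpc-udp.c keeps its whole body inside `#ifdef UNITTESTS`, so keep the guard here (`#ifdef UNITTESTS` … `#endif` around the body) or move the function into the guarded region. The function's opening brace is in the hunk but the guarded test definitions are outside it.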
--- a/src/suricata.c +++ b/src/suricata.c @@ -71,6 +71,7 @@ #include "app-layer-tls.h" #include "app-layer-smb.h" #include "app-layer-dcerpc.h" +#include "app-layer-dcerpc-udp.h" #include "app-layer-htp.h" #include "app-layer-ftp.h" @@ -625,6 +626,7 @@ int main(int argc, char **argv) RegisterTLSParsers(); RegisterSMBParsers(); RegisterDCERPCParsers(); + RegisterDCERPCUDPParsers(); RegisterFTPParsers(); AppLayerParsersInitPostProcess(); @@ -687,6 +689,7 @@ int main(int argc, char **argv) TLSParserRegisterTests(); SMBParserRegisterTests(); DCERPCParserRegisterTests(); + DCERPCUDPParserRegisterTests(); FTPParserRegisterTests(); DecodeRawRegisterTests(); DecodePPPOERegisterTests(); -- 1.6.6
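Review bot: `DCERPCUDPParserRegisterTests` is defined only inside `#ifdef UNITTESTS` in app-layer-dcerpc-udp.c, so this call site compiles only if the surrounding block in `main` is guarded the same way as the neighbouring `DCERPCParserRegisterTests` call; that guard is outside the hunk, so please confirm it covers the new line. `main` starts and ends outside the hunk.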