From 1173429a9593d43880a6287b37ab3ddf41bd8f9b Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 15 Jan 2010 10:23:32 -0600
Subject: [PATCH] endianness handling update

---
 src/app-layer-dcerpc.c | 387 +++++++++++++++++++++++++++++++++++++++++++++++-
 src/app-layer-dcerpc.h | 2 +-
 src/util-byte.h | 18 +++
 3 files changed, 400 insertions(+), 7 deletions(-)

diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 2f815ca..f367a86 100644
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -735,7 +735,7 @@ static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state,
 case 25:
 sstate->secondaryaddrlen |= *(p++) << 8;
 if (sstate->dcerpc.packed_drep[0] == 0x01) {
- bswap_16(sstate->secondaryaddrlen);
+ SCByteSwap16(sstate->secondaryaddrlen);
 }
 sstate->secondaryaddrlenleft = sstate->secondaryaddrlen;
 SCLogDebug("secondaryaddrlen %u 0x%04x\n", sstate->secondaryaddrlen,
@@ -805,7 +805,7 @@ static uint32_t DCERPCParseREQUEST(Flow *f, void *dcerpc_state,
 case 23:
 sstate->opnum |= *(p++) << 8;
 if (sstate->dcerpc.packed_drep[0] == 0x01) {
- bswap_16(sstate->opnum);
+ SCByteSwap16(sstate->opnum);
 }
 --input_len;
 break;
@@ -943,9 +943,9 @@ static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state,
 case 15:
 sstate->dcerpc.call_id |= *(p++);
 if (sstate->dcerpc.packed_drep[0] == 0x01) {
- bswap_16(sstate->dcerpc.frag_length);
- bswap_16(sstate->dcerpc.auth_length);
- bswap_32(sstate->dcerpc.call_id);
+ SCByteSwap16(sstate->dcerpc.frag_length);
+ SCByteSwap16(sstate->dcerpc.auth_length);
+ SCByteSwap32(sstate->dcerpc.call_id);
 }
 --input_len;
 break;
@@ -1155,6 +1155,9 @@ void RegisterDCERPCParsers(void) {
 /* UNITTESTS */
 #ifdef UNITTESTS
+/** \test DCERPC Header Parsing and BIND / BIND_ACK multiple UUID handling
+ */
+
 /* set this to 1 to see problem */
 #define KNOWNFAILURE 0
 int DCERPCParserTest01(void) {
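Review bot: `SCByteSwap16(sstate->secondaryaddrlen);` discards its result, so the big-endian branch in DCERPCParseBINDACK still leaves `secondaryaddrlen` in the byte order case 25 assembled it in: every backend the new macro wraps (`bswap16`, `OSSwapInt16`, `bswap_16`) returns the swapped value rather than rewriting its argument. The old `bswap_16(...)` statement had the same no-effect shape, so the rename carries the defect forward; the line should be `sstate->secondaryaddrlen = SCByteSwap16(sstate->secondaryaddrlen);`. Since `secondaryaddrlenleft` is copied from this field on the very next line, an unswapped value presumably also misdirects how many following bytes are treated as the secondary address. The enclosing switch starts and ends outside the hunk.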
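Review bot: `SCByteSwap16(sstate->opnum);` has no effect for the same reason as the other swap sites: the wrapped platform functions return the swapped value and do not modify `opnum` in place, so on drep 0x01 traffic the parser keeps the opnum with its bytes reversed. It should be `sstate->opnum = SCByteSwap16(sstate->opnum);`. With the bytes `0x00, 0x09` that the new DCERPCParserTest03 feeds under drep 0x01, case 23 assembles 0x0900, so that test's `opnum != 9` check should fail until the assignment is in place — if it passes as-is, something other than this swap is producing the value. The enclosing switch in DCERPCParseREQUEST starts and ends outside the hunk.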
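Review bot: All three swaps in DCERPCParseHeader drop their result — `SCByteSwap16(sstate->dcerpc.frag_length);`, `SCByteSwap16(sstate->dcerpc.auth_length);` and `SCByteSwap32(sstate->dcerpc.call_id);` need to be assignments, e.g. `sstate->dcerpc.frag_length = SCByteSwap16(sstate->dcerpc.frag_length);`, because the functions behind the macro return the converted value instead of modifying the lvalue. frag_length and auth_length are presumably the fields the parser later uses to bound the fragment and its auth trailer, so a byte-reversed length on big-endian traffic is exactly the kind of value that drives an out-of-range read or desynchronises the stream, and this should be fixed before the parser is trusted on such input. Separately, the trigger `packed_drep[0] == 0x01` matches only one byte value; as I read the DCE RPC data-representation label the integer byte order lives in the high nibble of drep[0] (0x10 = little-endian), so `!(sstate->dcerpc.packed_drep[0] & 0x10)` would also cover drep 0x00 and not depend on the character-format nibble — worth confirming against the spec before changing. The enclosing switch starts and ends outside the hunk.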
@@ -1576,7 +1579,8 @@ int DCERPCParserTest01(void) {
 printUUID("BIND_ACK", uuid_entry);
 }
 #if KNOWNFAILURE
- r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpcrequest, requestlen, FALSE);
+ printf("Sending dcerpcrequest (%u)", requestlen);
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER|STREAM_EOF, dcerpcrequest, requestlen, FALSE);
 if (r != 0) {
 printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
 result = 0;
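Review bot: The added `printf("Sending dcerpcrequest (%u)", requestlen);` is debugging output left in the test path, with no trailing newline and a `%u` for a `uint32_t` where the next printf already uses the `<inttypes.h>` form (`PRId32`); if it is meant to stay, make it `printf("Sending dcerpcrequest (%" PRIu32 ")\n", requestlen);`, otherwise drop it. Note also that both new lines sit under `#if KNOWNFAILURE`, which this same patch defines as 0, so the switch to `STREAM_TOSERVER|STREAM_EOF` is neither compiled nor exercised by the test suite. DCERPCParserTest01 starts and ends outside the hunk.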
@@ -1592,9 +1596,380 @@ end:
 return result;
 }
+/** \test DCERPC Request decoding and opnum parsing.
+ */
+int DCERPCParserTest02(void) {
+ int result = 1;
+ Flow f;
+ uint8_t dcerpcrequest[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x10,
+ 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b,
+ 0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00, 0x4d,
+ 0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
+ 0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
+ 0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
+ 0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
+ 0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
+ 0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
+ 0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
+ 0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
+ 0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
+ 0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
+ 0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
+ 0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
+ 0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
+ 0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
+ 0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
+ 0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
+ 0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
+ 0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
+ 0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
+ 0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
+ 0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
+ 0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
+ 0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
+ 0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
+ 0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
+ 0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
+ 0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
+ 0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
+ 0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
+ 0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
+ 0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
+ 0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
+ 0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
+ 0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
+ 0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
+ 0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
+ 0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
+ 0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
+ 0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
+ 0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
+ 0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
+ 0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
+ 0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
+ 0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
+ 0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
+ 0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
+ 0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
+ 0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
+ 0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
+ 0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
+ 0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
+ 0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
+ 0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
+ 0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
+ 0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
+ 0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
+ 0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
+ 0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
+ 0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
+ 0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
+ 0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
+ 0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
+ 0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
+ 0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
+ 0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
+ 0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
+ 0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
+ 0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
+ 0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
+ 0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
+ 0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
+ 0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
+ 0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
+ 0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
+ 0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
+ 0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
+ 0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
+ 0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
+ 0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
+ 0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
+ 0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
+ 0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
+ 0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
+ 0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
+ 0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
+ 0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
+ 0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
+ 0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
+ 0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
+ 0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
+ 0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
+ 0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
+ 0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
+ 0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
+ 0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
+ 0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
+ 0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
+ 0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
+ 0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
+ 0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
+ 0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
+ 0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
+ 0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
+ 0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
+ 0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
+ 0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
+ 0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
+ 0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
+ 0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
+ 0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
+ 0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
+ 0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
+ 0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
+ 0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
+ 0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
+ 0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
+ 0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
+ 0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
+ 0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
+ 0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
+ 0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
+ 0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
+ 0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
+ 0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
+ 0x00, 0x69, 0x00};
+ uint32_t requestlen = sizeof(dcerpcrequest);
+
+ TcpSession ssn;
+ struct uuid_entry *uuid_entry;
+
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+ StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+
+ int r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER|STREAM_START, dcerpcrequest, requestlen, FALSE);
+ if (r != 0) {
+ printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+
+ DCERPCState *dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ printf("no dcerpc state: ");
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->dcerpc.rpc_vers != 5) {
+ printf("expected dcerpc version 0x05, got 0x%02x : ",
+ dcerpc_state->dcerpc.rpc_vers);
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->dcerpc.type != REQUEST) {
+ printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.type);
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->dcerpc.frag_length != 1024) {
+ printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.frag_length);
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->opnum != 9) {
+ printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->opnum);
+ result = 0;
+ goto end;
+ }
+
+end:
+ return result;
+}
+
+/** \test Test endianness handling
+ */
+int DCERPCParserTest03(void) {
+ int result = 1;
+ Flow f;
+ uint8_t dcerpcrequest[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x00,
+ 0x0b, 0x00, 0x09, 0x45, 0x00, 0x2c, 0x00, 0x4d,
+ 0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
+ 0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
+ 0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
+ 0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
+ 0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
+ 0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
+ 0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
+ 0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
+ 0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
+ 0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
+ 0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
+ 0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
+ 0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
+ 0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
+ 0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
+ 0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
+ 0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
+ 0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
+ 0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
+ 0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
+ 0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
+ 0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
+ 0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
+ 0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
+ 0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
+ 0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
+ 0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
+ 0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
+ 0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
+ 0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
+ 0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
+ 0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
+ 0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
+ 0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
+ 0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
+ 0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
+ 0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
+ 0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
+ 0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
+ 0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
+ 0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
+ 0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
+ 0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
+ 0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
+ 0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
+ 0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
+ 0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
+ 0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
+ 0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
+ 0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
+ 0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
+ 0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
+ 0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
+ 0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
+ 0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
+ 0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
+ 0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
+ 0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
+ 0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
+ 0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
+ 0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
+ 0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
+ 0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
+ 0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
+ 0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
+ 0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
+ 0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
+ 0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
+ 0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
+ 0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
+ 0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
+ 0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
+ 0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
+ 0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
+ 0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
+ 0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
+ 0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
+ 0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
+ 0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
+ 0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
+ 0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
+ 0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
+ 0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
+ 0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
+ 0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
+ 0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
+ 0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
+ 0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
+ 0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
+ 0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
+ 0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
+ 0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
+ 0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
+ 0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
+ 0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
+ 0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
+ 0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
+ 0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
+ 0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
+ 0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
+ 0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
+ 0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
+ 0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
+ 0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
+ 0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
+ 0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
+ 0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
+ 0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
+ 0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
+ 0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
+ 0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
+ 0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
+ 0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
+ 0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
+ 0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
+ 0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
+ 0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
+ 0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
+ 0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
+ 0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
+ 0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
+ 0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
+ 0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
+ 0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
+ 0x00, 0x69, 0x00};
+ uint32_t requestlen = sizeof(dcerpcrequest);
+
+ TcpSession ssn;
+ struct uuid_entry *uuid_entry;
+
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+ StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize());
+ f.protoctx = (void *)&ssn;
+
+ int r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER|STREAM_START, dcerpcrequest, requestlen, FALSE);
+ if (r != 0) {
+ printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+
+ DCERPCState *dcerpc_state = ssn.aldata[AlpGetStateIdx(ALPROTO_DCERPC)];
+ if (dcerpc_state == NULL) {
+ printf("no dcerpc state: ");
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->dcerpc.packed_drep[0] != 0x01) {
+ printf("expected dcerpc data representation 0x01, got 0x%02x : ",
+ dcerpc_state->dcerpc.packed_drep[0]);
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->dcerpc.frag_length != 1024) {
+ printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.frag_length);
+ result = 0;
+ goto end;
+ }
+
+ if (dcerpc_state->opnum != 9) {
+ printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->opnum);
+ result = 0;
+ goto end;
+ }
+end:
+ return result;
+}
+
 void DCERPCParserRegisterTests(void) {
 printf("DCERPCParserRegisterTests\n");
 UtRegisterTest("DCERPCParserTest01", DCERPCParserTest01, 1);
+ UtRegisterTest("DCERPCParserTest02", DCERPCParserTest02, 1);
+ UtRegisterTest("DCERPCParserTest03", DCERPCParserTest03, 1);
 }
 #endif
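Review bot: `struct uuid_entry *uuid_entry;` is declared in both DCERPCParserTest02 and DCERPCParserTest03 but never referenced, which is an unused-variable warning in each under `-Wall`; drop both declarations. The two tests also duplicate roughly a kilobyte of identical stub payload and differ only in the first 24 header bytes and one assertion, so a single `static const uint8_t` body with two short header prefixes would keep the same coverage and make the endianness difference visible at a glance. DCERPCParserTest03 is the only coverage of the byte-swap path — it feeds frag_length as `0x04, 0x00` and opnum as `0x00, 0x09` under drep 0x01 and expects 1024 and 9 — so it is worth confirming it actually passes, since the parser hunks above call `SCByteSwap16(...)` as bare statements and never store the result; if it fails, that is where to look. Test03 also omits the `rpc_vers` and `type` checks Test02 makes on the same header layout, presumably an oversight.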
diff --git a/src/app-layer-dcerpc.h b/src/app-layer-dcerpc.h
index e38a7eb..e65269c 100644
--- a/src/app-layer-dcerpc.h
+++ b/src/app-layer-dcerpc.h
@@ -11,7 +11,7 @@
 #include "app-layer-parser.h"
 #include "flow.h"
 #include "queue.h"
-#include
+#include "util-byte.h"
 void RegisterDCERPCParsers(void);
 void DCERPCParserTests(void);
diff --git a/src/util-byte.h b/src/util-byte.h
index bf6945b..8bd92c5 100644
--- a/src/util-byte.h
+++ b/src/util-byte.h
@@ -11,6 +11,24 @@
 #define BYTE_BIG_ENDIAN 0
 #define BYTE_LITTLE_ENDIAN 1
+/** Wrappers for OS dependent byte swapping functions */
+#ifdef OS_FREEBSD
+#include
+#define SCByteSwap16(x) bswap16(x)
+#define SCByteSwap32(x) bswap32(x)
+#define SCByteSwap64(x) bswap64(x)
+#elif OS_DARWIN
+#include
+#define SCByteSwap16(x) OSSwapInt16(x)
+#define SCByteSwap32(x) OSSwapInt32(x)
+#define SCByteSwap64(x) OSSwapInt64(x)
+#else
+#include
+#define SCByteSwap16(x) bswap_16(x)
+#define SCByteSwap32(x) bswap_32(x)
+#define SCByteSwap64(x) bswap_64(x)
+#endif /* OS_FREEBSD */
+
 /**
 * Extract bytes from a byte string and convert to a unint64_t.
 *
--
1.6.5.2
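Review bot: `#elif OS_DARWIN` evaluates the macro's value while the branch above tests `#ifdef OS_FREEBSD`; if the build defines OS_DARWIN with no value (`#define OS_DARWIN`), the `#elif` expands to an empty expression and the header fails to preprocess, so write `#elif defined(OS_DARWIN)` and relabel the close as `#endif /* OS_FREEBSD / OS_DARWIN / default */`. The three `#include` lines carry no header name in this rendering — presumably the angle-bracketed names were stripped when the patch was captured (the glibc branch would need `<byteswap.h>` for `bswap_16`) — so it is worth checking the committed file still names them. Because every backend wrapped here returns the swapped value and leaves its argument untouched, the wrapper comment should say so explicitly, e.g. `/** Wrappers for OS dependent byte swapping functions. Each returns the converted value; the argument is not modified in place. */`, since the call sites in app-layer-dcerpc.c invoke them as bare statements. The `#else` branch also silently assumes a glibc-style `<byteswap.h>` for every platform other than FreeBSD and Darwin; other BSDs and Solaris may spell these differently, so an `#error` on an unrecognised platform, or a portable fallback built from shifts and masks, would fail at preprocessing instead of at link time.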