/src/suricata7/src/detect-dce-iface.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (C) 2007-2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Anoop Saldanha <anoopsaldanha@gmail.com> |
22 | | * |
23 | | * Implements dce_iface keyword. |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | |
28 | | #include "detect.h" |
29 | | #include "detect-parse.h" |
30 | | |
31 | | #include "detect-engine.h" |
32 | | #include "detect-engine-mpm.h" |
33 | | #include "detect-engine-state.h" |
34 | | #include "detect-engine-build.h" |
35 | | #include "detect-dce-iface.h" |
36 | | |
37 | | #include "flow.h" |
38 | | #include "flow-var.h" |
39 | | #include "flow-util.h" |
40 | | |
41 | | #include "app-layer.h" |
42 | | #include "queue.h" |
43 | | #include "stream-tcp-reassemble.h" |
44 | | |
45 | | #include "util-debug.h" |
46 | | #include "util-unittest.h" |
47 | | #include "util-unittest-helper.h" |
48 | | #include "stream-tcp.h" |
49 | | |
50 | | #include "rust.h" |
51 | | |
52 | 73 | #define PARSE_REGEX "^\\s*([0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12})(?:\\s*,\\s*(<|>|=|!)([0-9]{1,5}))?(?:\\s*,\\s*(any_frag))?\\s*$" |
53 | | |
54 | | static DetectParseRegex parse_regex; |
55 | | |
56 | | static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx, |
57 | | Flow *f, uint8_t flags, void *state, void *txv, |
58 | | const Signature *s, const SigMatchCtx *m); |
59 | | static int DetectDceIfaceSetup(DetectEngineCtx *, Signature *, const char *); |
60 | | static void DetectDceIfaceFree(DetectEngineCtx *, void *); |
61 | | #ifdef UNITTESTS |
62 | | static void DetectDceIfaceRegisterTests(void); |
63 | | #endif |
64 | | static int g_dce_generic_list_id = 0; |
65 | | |
66 | | /** |
67 | | * \brief Registers the keyword handlers for the "dce_iface" keyword. |
68 | | */ |
69 | | void DetectDceIfaceRegister(void) |
70 | 73 | { |
71 | 73 | sigmatch_table[DETECT_DCE_IFACE].name = "dcerpc.iface"; |
72 | 73 | sigmatch_table[DETECT_DCE_IFACE].alias = "dce_iface"; |
73 | 73 | sigmatch_table[DETECT_DCE_IFACE].AppLayerTxMatch = DetectDceIfaceMatchRust; |
74 | 73 | sigmatch_table[DETECT_DCE_IFACE].Setup = DetectDceIfaceSetup; |
75 | 73 | sigmatch_table[DETECT_DCE_IFACE].Free = DetectDceIfaceFree; |
76 | | #ifdef UNITTESTS |
77 | | sigmatch_table[DETECT_DCE_IFACE].RegisterTests = DetectDceIfaceRegisterTests; |
78 | | #endif |
79 | 73 | DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); |
80 | | |
81 | 73 | g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic"); |
82 | | |
83 | 73 | DetectAppLayerInspectEngineRegister2("dce_generic", ALPROTO_DCERPC, SIG_FLAG_TOSERVER, 0, |
84 | 73 | DetectEngineInspectGenericList, NULL); |
85 | 73 | DetectAppLayerInspectEngineRegister2( |
86 | 73 | "dce_generic", ALPROTO_SMB, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); |
87 | | |
88 | 73 | DetectAppLayerInspectEngineRegister2("dce_generic", ALPROTO_DCERPC, SIG_FLAG_TOCLIENT, 0, |
89 | 73 | DetectEngineInspectGenericList, NULL); |
90 | 73 | DetectAppLayerInspectEngineRegister2( |
91 | 73 | "dce_generic", ALPROTO_SMB, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectGenericList, NULL); |
92 | 73 | } |
93 | | |
94 | | /** |
95 | | * \brief App layer match function for the "dce_iface" keyword. |
96 | | * |
97 | | * \param t Pointer to the ThreadVars instance. |
98 | | * \param det_ctx Pointer to the DetectEngineThreadCtx. |
99 | | * \param f Pointer to the flow. |
100 | | * \param flags Pointer to the flags indicating the flow direction. |
101 | | * \param state Pointer to the app layer state data. |
102 | | * \param s Pointer to the Signature instance. |
103 | | * \param m Pointer to the SigMatch. |
104 | | * |
105 | | * \retval 1 On Match. |
106 | | * \retval 0 On no match. |
107 | | */ |
108 | | static int DetectDceIfaceMatchRust(DetectEngineThreadCtx *det_ctx, |
109 | | Flow *f, uint8_t flags, void *state, void *txv, |
110 | | const Signature *s, const SigMatchCtx *m) |
111 | 9.63k | { |
112 | 9.63k | SCEnter(); |
113 | | |
114 | 9.63k | if (f->alproto == ALPROTO_DCERPC) { |
115 | | // TODO check if state is NULL |
116 | 5.76k | return rs_dcerpc_iface_match(txv, state, (void *)m); |
117 | 5.76k | } |
118 | | |
119 | 3.87k | int ret = 0; |
120 | | |
121 | 3.87k | if (rs_smb_tx_get_dce_iface(f->alstate, txv, (void *)m) != 1) { |
122 | 3.19k | SCLogDebug("rs_smb_tx_get_dce_iface: didn't match"); |
123 | 3.19k | } else { |
124 | 681 | SCLogDebug("rs_smb_tx_get_dce_iface: matched!"); |
125 | 681 | ret = 1; |
126 | | // TODO validate frag |
127 | 681 | } |
128 | 3.87k | SCReturnInt(ret); |
129 | 9.63k | } |
130 | | |
131 | | /** |
132 | | * \brief Creates a SigMatch for the "dce_iface" keyword being sent as argument, |
133 | | * and appends it to the Signature(s). |
134 | | * |
135 | | * \param de_ctx Pointer to the detection engine context. |
136 | | * \param s Pointer to signature for the current Signature being parsed |
137 | | * from the rules. |
138 | | * \param arg Pointer to the string holding the keyword value. |
139 | | * |
140 | | * \retval 0 on success, -1 on failure. |
141 | | */ |
142 | | |
143 | | static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) |
144 | 8.21k | { |
145 | 8.21k | SCEnter(); |
146 | | |
147 | 8.21k | if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0) |
148 | 453 | return -1; |
149 | | |
150 | 7.76k | void *did = rs_dcerpc_iface_parse(arg); |
151 | 7.76k | if (did == NULL) { |
152 | 2.38k | SCLogError("Error parsing dce_iface option in " |
153 | 2.38k | "signature"); |
154 | 2.38k | return -1; |
155 | 2.38k | } |
156 | | |
157 | 5.37k | SigMatch *sm = SigMatchAlloc(); |
158 | 5.37k | if (sm == NULL) { |
159 | 0 | return -1; |
160 | 0 | } |
161 | | |
162 | 5.37k | sm->type = DETECT_DCE_IFACE; |
163 | 5.37k | sm->ctx = did; |
164 | | |
165 | 5.37k | SigMatchAppendSMToList(s, sm, g_dce_generic_list_id); |
166 | 5.37k | return 0; |
167 | 5.37k | } |
168 | | |
169 | | static void DetectDceIfaceFree(DetectEngineCtx *de_ctx, void *ptr) |
170 | 5.37k | { |
171 | 5.37k | SCEnter(); |
172 | 5.37k | if (ptr != NULL) { |
173 | 5.37k | rs_dcerpc_iface_free(ptr); |
174 | 5.37k | } |
175 | 5.37k | SCReturn; |
176 | 5.37k | } |
177 | | |
178 | | /************************************Unittests*********************************/ |
179 | | |
180 | | #ifdef UNITTESTS |
181 | | |
182 | | /* Disabled because of bug_753. Would be enabled, once we rewrite |
183 | | * dce parser */ |
184 | | #if 0 |
185 | | |
186 | | /** |
187 | | * \test Test a valid dce_iface entry with a bind, bind_ack and 3 request/responses. |
188 | | */ |
189 | | static int DetectDceIfaceTestParse13(void) |
190 | | { |
191 | | int result = 0; |
192 | | Signature *s = NULL; |
193 | | ThreadVars th_v; |
194 | | Packet *p = NULL; |
195 | | Flow f; |
196 | | TcpSession ssn; |
197 | | DetectEngineThreadCtx *det_ctx = NULL; |
198 | | DetectEngineCtx *de_ctx = NULL; |
199 | | DCERPCState *dcerpc_state = NULL; |
200 | | int r = 0; |
201 | | |
202 | | uint8_t dcerpc_bind[] = { |
203 | | 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, |
204 | | 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
205 | | 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, |
206 | | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, |
207 | | 0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, |
208 | | 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03, |
209 | | 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, |
210 | | 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, |
211 | | 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, |
212 | | }; |
213 | | |
214 | | uint8_t dcerpc_bindack[] = { |
215 | | 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, |
216 | | 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
217 | | 0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00, |
218 | | 0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, |
219 | | 0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d, |
220 | | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
221 | | 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, |
222 | | 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, |
223 | | 0x02, 0x00, 0x00, 0x00, |
224 | | }; |
225 | | |
226 | | uint8_t dcerpc_request1[] = { |
227 | | 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, |
228 | | 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
229 | | 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, |
230 | | 0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00, |
231 | | 0x00, 0x00, 0x00, 0x02, |
232 | | }; |
233 | | |
234 | | uint8_t dcerpc_response1[] = { |
235 | | 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, |
236 | | 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
237 | | 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
238 | | 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, |
239 | | 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, |
240 | | 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, |
241 | | }; |
242 | | |
243 | | uint8_t dcerpc_request2[] = { |
244 | | 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, |
245 | | 0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, |
246 | | 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, |
247 | | 0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c, |
248 | | 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, |
249 | | 0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00, |
250 | | 0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00, |
251 | | 0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, |
252 | | 0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00, |
253 | | 0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00, |
254 | | 0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00, |
255 | | 0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00, |
256 | | 0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00, |
257 | | 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, |
258 | | 0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00, |
259 | | 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, |
260 | | 0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00, |
261 | | 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, |
262 | | 0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00, |
263 | | 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
264 | | 0x03, 0x00, 0x00, 0x00, |
265 | | }; |
266 | | |
267 | | uint8_t dcerpc_response2[] = { |
268 | | 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, |
269 | | 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, |
270 | | 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
271 | | 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, |
272 | | 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, |
273 | | 0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00, |
274 | | }; |
275 | | |
276 | | uint8_t dcerpc_request3[] = { |
277 | | 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, |
278 | | 0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, |
279 | | 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, |
280 | | 0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c, |
281 | | 0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c, |
282 | | 0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00, |
283 | | 0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00, |
284 | | 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, |
285 | | 0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00, |
286 | | 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
287 | | 0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00, |
288 | | 0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00, |
289 | | 0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00, |
290 | | 0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, |
291 | | }; |
292 | | |
293 | | uint8_t dcerpc_response3[] = { |
294 | | 0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, |
295 | | 0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, |
296 | | 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
297 | | 0x00, 0x00, 0x00, 0x00, |
298 | | }; |
299 | | |
300 | | uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); |
301 | | uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack); |
302 | | |
303 | | uint32_t dcerpc_request1_len = sizeof(dcerpc_request1); |
304 | | uint32_t dcerpc_response1_len = sizeof(dcerpc_response1); |
305 | | |
306 | | uint32_t dcerpc_request2_len = sizeof(dcerpc_request2); |
307 | | uint32_t dcerpc_response2_len = sizeof(dcerpc_response2); |
308 | | |
309 | | uint32_t dcerpc_request3_len = sizeof(dcerpc_request3); |
310 | | uint32_t dcerpc_response3_len = sizeof(dcerpc_response3); |
311 | | |
312 | | AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); |
313 | | |
314 | | memset(&th_v, 0, sizeof(th_v)); |
315 | | memset(&p, 0, sizeof(p)); |
316 | | memset(&f, 0, sizeof(f)); |
317 | | memset(&ssn, 0, sizeof(ssn)); |
318 | | |
319 | | p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); |
320 | | |
321 | | FLOW_INITIALIZE(&f); |
322 | | f.protoctx = (void *)&ssn; |
323 | | f.proto = IPPROTO_TCP; |
324 | | p->flow = &f; |
325 | | p->flowflags |= FLOW_PKT_TOSERVER; |
326 | | p->flowflags |= FLOW_PKT_ESTABLISHED; |
327 | | p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; |
328 | | f.alproto = ALPROTO_DCERPC; |
329 | | |
330 | | StreamTcpInitConfig(true); |
331 | | |
332 | | de_ctx = DetectEngineCtxInit(); |
333 | | if (de_ctx == NULL) |
334 | | goto end; |
335 | | |
336 | | de_ctx->flags |= DE_QUIET; |
337 | | |
338 | | s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any " |
339 | | "(msg:\"DCERPC\"; dce_iface:338cd001-2244-31f1-aaaa-900038001003,=1,any_frag; sid:1;)"); |
340 | | if (s == NULL) |
341 | | goto end; |
342 | | |
343 | | SigGroupBuild(de_ctx); |
344 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
345 | | |
346 | | SCLogDebug("chunk 1, bind"); |
347 | | |
348 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START, |
349 | | dcerpc_bind, dcerpc_bind_len); |
350 | | if (r != 0) { |
351 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
352 | | goto end; |
353 | | } |
354 | | |
355 | | dcerpc_state = f.alstate; |
356 | | if (dcerpc_state == NULL) { |
357 | | SCLogDebug("no dcerpc state: "); |
358 | | goto end; |
359 | | } |
360 | | |
361 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
362 | | p->flowflags |= FLOW_PKT_TOSERVER; |
363 | | /* do detect */ |
364 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
365 | | |
366 | | if (PacketAlertCheck(p, 1)) { |
367 | | SCLogDebug("sig 1 didn't match after bind request: "); |
368 | | goto end; |
369 | | } |
370 | | |
371 | | SCLogDebug("chunk 2, bind_ack"); |
372 | | |
373 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack, |
374 | | dcerpc_bindack_len); |
375 | | if (r != 0) { |
376 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
377 | | goto end; |
378 | | } |
379 | | |
380 | | p->flowflags &=~ FLOW_PKT_TOSERVER; |
381 | | p->flowflags |= FLOW_PKT_TOCLIENT; |
382 | | /* do detect */ |
383 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
384 | | |
385 | | if (PacketAlertCheck(p, 1)) { |
386 | | SCLogDebug("sig 1 matched again after bind ack: "); |
387 | | goto end; |
388 | | } |
389 | | |
390 | | SCLogDebug("chunk 3, request 1"); |
391 | | |
392 | | /* request1 */ |
393 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1, |
394 | | dcerpc_request1_len); |
395 | | if (r != 0) { |
396 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
397 | | goto end; |
398 | | } |
399 | | |
400 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
401 | | p->flowflags |= FLOW_PKT_TOSERVER; |
402 | | /* do detect */ |
403 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
404 | | |
405 | | if (!(PacketAlertCheck(p, 1))) { |
406 | | SCLogDebug("sig 1 didn't match after request1: "); |
407 | | goto end; |
408 | | } |
409 | | |
410 | | SCLogDebug("sending response1"); |
411 | | |
412 | | /* response1 */ |
413 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1, |
414 | | dcerpc_response1_len); |
415 | | if (r != 0) { |
416 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
417 | | goto end; |
418 | | } |
419 | | |
420 | | p->flowflags &=~ FLOW_PKT_TOSERVER; |
421 | | p->flowflags |= FLOW_PKT_TOCLIENT; |
422 | | /* do detect */ |
423 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
424 | | |
425 | | if (PacketAlertCheck(p, 1)) { |
426 | | SCLogDebug("sig 1 matched after response1, but shouldn't: "); |
427 | | goto end; |
428 | | } |
429 | | |
430 | | SCLogDebug("sending request2"); |
431 | | |
432 | | /* request2 */ |
433 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2, |
434 | | dcerpc_request2_len); |
435 | | if (r != 0) { |
436 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
437 | | goto end; |
438 | | } |
439 | | |
440 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
441 | | p->flowflags |= FLOW_PKT_TOSERVER; |
442 | | /* do detect */ |
443 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
444 | | |
445 | | if (!(PacketAlertCheck(p, 1))) { |
446 | | SCLogDebug("sig 1 didn't match after request2: "); |
447 | | goto end; |
448 | | } |
449 | | |
450 | | /* response2 */ |
451 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response2, |
452 | | dcerpc_response2_len); |
453 | | if (r != 0) { |
454 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
455 | | goto end; |
456 | | } |
457 | | |
458 | | p->flowflags &=~ FLOW_PKT_TOSERVER; |
459 | | p->flowflags |= FLOW_PKT_TOCLIENT; |
460 | | /* do detect */ |
461 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
462 | | |
463 | | if (PacketAlertCheck(p, 1)) { |
464 | | SCLogDebug("sig 1 matched after response2, but shouldn't have: "); |
465 | | goto end; |
466 | | } |
467 | | |
468 | | /* request3 */ |
469 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request3, |
470 | | dcerpc_request3_len); |
471 | | if (r != 0) { |
472 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
473 | | goto end; |
474 | | } |
475 | | |
476 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
477 | | p->flowflags |= FLOW_PKT_TOSERVER; |
478 | | /* do detect */ |
479 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
480 | | |
481 | | if (!(PacketAlertCheck(p, 1))) { |
482 | | SCLogDebug("sig 1 didn't match after request3: "); |
483 | | goto end; |
484 | | } |
485 | | |
486 | | /* response3 */ |
487 | | r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, |
488 | | dcerpc_response3, dcerpc_response3_len); |
489 | | if (r != 0) { |
490 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
491 | | goto end; |
492 | | } |
493 | | |
494 | | p->flowflags &=~ FLOW_PKT_TOSERVER; |
495 | | p->flowflags |= FLOW_PKT_TOCLIENT; |
496 | | /* do detect */ |
497 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
498 | | |
499 | | if (PacketAlertCheck(p, 1)) { |
500 | | SCLogDebug("sig 1 matched after response3, but shouldn't have: "); |
501 | | goto end; |
502 | | } |
503 | | |
504 | | result = 1; |
505 | | |
506 | | end: |
507 | | if (alp_tctx != NULL) |
508 | | AppLayerParserThreadCtxFree(alp_tctx); |
509 | | SigGroupCleanup(de_ctx); |
510 | | SigCleanSignatures(de_ctx); |
511 | | |
512 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
513 | | DetectEngineCtxFree(de_ctx); |
514 | | |
515 | | StreamTcpFreeConfig(true); |
516 | | UTHFreePackets(&p, 1); |
517 | | return result; |
518 | | } |
519 | | |
520 | | #endif |
521 | | |
522 | | static void DetectDceIfaceRegisterTests(void) |
523 | | { |
524 | | /* Disabled because of bug_753. Would be enabled, once we rewrite |
525 | | * dce parser */ |
526 | | #if 0 |
527 | | UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1); |
528 | | #endif |
529 | | } |
530 | | #endif /* UNITTESTS */ |