/src/suricata7/src/detect-dce-stub-data.c
1 | | /* Copyright (C) 2007-2018 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Anoop Saldanha <anoopsaldanha@gmail.com> |
22 | | * \author Victor Julien <victor@inliniac.net> |
23 | | * |
24 | | * Implements dce_stub_data keyword |
25 | | */ |
26 | | |
27 | | #include "suricata-common.h" |
28 | | |
29 | | #include "detect.h" |
30 | | #include "detect-parse.h" |
31 | | |
32 | | #include "detect-engine.h" |
33 | | #include "detect-engine-build.h" |
34 | | #include "detect-engine-mpm.h" |
35 | | #include "detect-engine-state.h" |
36 | | #include "detect-engine-prefilter.h" |
37 | | #include "detect-engine-content-inspection.h" |
38 | | |
39 | | #include "flow.h" |
40 | | #include "flow-var.h" |
41 | | #include "flow-util.h" |
42 | | |
43 | | #include "app-layer.h" |
44 | | #include "app-layer-parser.h" |
45 | | #include "queue.h" |
46 | | #include "stream-tcp-reassemble.h" |
47 | | |
48 | | #include "detect-dce-stub-data.h" |
49 | | #include "detect-dce-iface.h" |
50 | | |
51 | | #include "util-debug.h" |
52 | | |
53 | | #include "util-unittest.h" |
54 | | #include "util-unittest-helper.h" |
55 | | |
56 | | #include "stream-tcp.h" |
57 | | |
58 | | #include "rust.h" |
59 | | |
60 | 657 | #define BUFFER_NAME "dce_stub_data" |
61 | | #define KEYWORD_NAME "dce_stub_data" |
62 | | |
static int DetectDceStubDataSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectDceStubDataRegisterTests(void);
#endif
/* Buffer/list id for BUFFER_NAME, looked up once in DetectDceStubDataRegister()
 * after the inspect engines are registered; used by the keyword Setup to make
 * this the active sticky buffer for the rule. */
static int g_dce_stub_data_buffer_id = 0;
68 | | |
/**
 * \brief Inspection-buffer getter for DCERPC stub data carried over SMB.
 *
 * Fetches the stub data of the SMB transaction \a txv for the direction
 * encoded in \a flow_flags from the Rust SMB parser and exposes it as the
 * dce_stub_data inspection buffer (with any rule transforms applied).
 *
 * \param det_ctx    detection engine thread context owning the buffers
 * \param transforms transforms attached to the rule's buffer, may be NULL
 * \param _f         flow, unused here
 * \param flow_flags STREAM_* flags; only the direction bits are forwarded
 * \param txv        SMB transaction
 * \param list_id    buffer/list id to fetch
 *
 * \retval buffer  the (possibly already initialised) inspection buffer
 * \retval NULL    the parser reported no stub data for this direction
 *
 * NOTE(review): a successful lookup with a zero-length payload is still set up
 * as an (empty) buffer here, whereas GetDCEData() returns NULL for that case.
 * Whether that asymmetry is intended is not visible from this file.
 */
static InspectionBuffer *GetSMBData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t flow_flags,
        void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->initialized)
        return buffer;

    /* the Rust side only wants to know which direction we are looking at */
    const uint8_t dir = flow_flags & (STREAM_TOSERVER | STREAM_TOCLIENT);
    const uint8_t *stub = NULL;
    uint32_t stub_len = 0;
    if (rs_smb_tx_get_stub_data(txv, dir, &stub, &stub_len) != 1)
        return NULL;

    SCLogDebug("have data!");
    InspectionBufferSetup(det_ctx, list_id, buffer, stub, stub_len);
    InspectionBufferApplyTransforms(buffer, transforms);
    return buffer;
}
88 | | |
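/**
 * \brief Inspection-buffer getter for stub data of a native DCERPC transaction.
 *
 * Fetches the stub data and the PDU's integer byte order from the Rust DCERPC
 * parser, records the byte order in the buffer flags for the content
 * inspection engine, and exposes the data as the dce_stub_data inspection
 * buffer (with any rule transforms applied).
 *
 * \param det_ctx    detection engine thread context owning the buffers
 * \param transforms transforms attached to the rule's buffer, may be NULL
 * \param _f         flow, unused here
 * \param flow_flags STREAM_* flags, passed through to the parser unmasked
 *                   (unlike GetSMBData(), which forwards only direction bits)
 * \param txv        DCERPC transaction
 * \param list_id    buffer/list id to fetch
 *
 * \retval buffer  the (possibly already initialised) inspection buffer
 * \retval NULL    the parser returned no data or a zero-length payload
 */
static InspectionBuffer *GetDCEData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *_f, const uint8_t flow_flags,
        void *txv, const int list_id)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->initialized)
        return buffer;

    const uint8_t *data = NULL;
    uint32_t data_len = 0;
    /* initialised so we never read an indeterminate value should the parser
     * leave it untouched on some path; it is only consumed after the
     * data/length check below */
    uint8_t endianness = 0;
    rs_dcerpc_get_stub_data(txv, &data, &data_len, &endianness, flow_flags);
    if (data == NULL || data_len == 0)
        return NULL;

    /* Record the PDU byte order for the content inspection engine. Both cases
     * now assign rather than OR into the flags, so the buffer carries exactly
     * this PDU's endianness and nothing left over from earlier use; the
     * previous code assigned for LE but OR-ed for BE, which was inconsistent
     * (the BE branch was also never exercised by the test suite). */
    buffer->flags = (endianness > 0) ? DETECT_CI_FLAGS_DCE_LE : DETECT_CI_FLAGS_DCE_BE;

    InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
    InspectionBufferApplyTransforms(buffer, transforms);
    return buffer;
}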
114 | | |
115 | | /** |
116 | | * \brief Registers the keyword handlers for the "dce_stub_data" keyword. |
117 | | */ |
/** Signature of a stub-data getter as handed to the inspect/MPM registration. */
typedef InspectionBuffer *(*DceStubDataGetFunc)(DetectEngineThreadCtx *,
        const DetectEngineTransforms *, Flow *, const uint8_t, void *, const int);

/**
 * \brief Register the dce_stub_data inspect engine and MPM prefilter for one
 *        app-layer protocol in both traffic directions.
 *
 * For each direction the inspect engine is registered before the MPM engine,
 * and to-server before to-client, i.e. the same order as the former explicit
 * call sequence.
 *
 * \param alproto  ALPROTO_SMB or ALPROTO_DCERPC
 * \param GetData  getter producing the stub-data buffer for that protocol
 */
static void DetectDceStubDataRegisterEngines(AppProto alproto, DceStubDataGetFunc GetData)
{
    static const int directions[] = { SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT };
    for (size_t i = 0; i < sizeof(directions) / sizeof(directions[0]); i++) {
        DetectAppLayerInspectEngineRegister2(BUFFER_NAME, alproto, directions[i], 0,
                DetectEngineInspectBufferGeneric, GetData);
        /* MPM priority 2, no minimum tx progress */
        DetectAppLayerMpmRegister2(BUFFER_NAME, directions[i], 2,
                PrefilterGenericMpmRegister, GetData, alproto, 0);
    }
}

/**
 * \brief Registers the "dcerpc.stub_data" sticky buffer keyword (alias
 *        "dce_stub_data") and its inspect/MPM engines for SMB and DCERPC.
 *
 * The keyword takes no option (SIGMATCH_NOOPT) and is a sticky buffer
 * (SIGMATCH_INFO_STICKY_BUFFER). The buffer id is resolved once at the end
 * and cached in g_dce_stub_data_buffer_id for the Setup callback.
 */
void DetectDceStubDataRegister(void)
{
    sigmatch_table[DETECT_DCE_STUB_DATA].name = "dcerpc.stub_data";
    sigmatch_table[DETECT_DCE_STUB_DATA].alias = "dce_stub_data";
    sigmatch_table[DETECT_DCE_STUB_DATA].Setup = DetectDceStubDataSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_DCE_STUB_DATA].RegisterTests = DetectDceStubDataRegisterTests;
#endif
    sigmatch_table[DETECT_DCE_STUB_DATA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;

    /* stub data reached over SMB (named pipes) and over native DCERPC */
    DetectDceStubDataRegisterEngines(ALPROTO_SMB, GetSMBData);
    DetectDceStubDataRegisterEngines(ALPROTO_DCERPC, GetDCEData);

    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
}
160 | | |
161 | | /** |
162 | | * \brief setups the dce_stub_data list |
163 | | * |
164 | | * \param de_ctx Pointer to the detection engine context |
165 | | * \param s Pointer to signature for the current Signature being parsed |
166 | | * from the rules |
167 | | * \param arg Pointer to the string holding the keyword value |
168 | | * |
169 | | * \retval 0 on success, -1 on failure |
170 | | */ |
171 | | |
/**
 * \brief Setup callback for the dce_stub_data sticky buffer keyword.
 *
 * Pins the signature to ALPROTO_DCERPC and makes the dce_stub_data buffer the
 * active list, so that following content keywords inspect the stub data.
 * The SMB engines registered for this buffer are expected to be reached via
 * the engine's handling of DCERPC rules on SMB — not verifiable from this
 * file.
 *
 * \param de_ctx detection engine context
 * \param s      signature currently being parsed
 * \param arg    keyword option; always empty, the keyword is SIGMATCH_NOOPT
 *
 * \retval 0  on success
 * \retval -1 if the app-layer protocol conflicts with one already set on the
 *            rule, or the buffer could not be made the active list
 */
static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
    (void)arg; /* no option for this keyword */

    const bool proto_ok = DetectSignatureSetAppProto(s, ALPROTO_DCERPC) >= 0;
    if (!proto_ok)
        return -1;

    const bool list_ok = DetectBufferSetActiveList(de_ctx, s, g_dce_stub_data_buffer_id) >= 0;
    return list_ok ? 0 : -1;
}
180 | | |
181 | | /************************************Unittests*********************************/ |
182 | | |
183 | | #ifdef UNITTESTS |
184 | | #include "detect-engine-alert.h" |
185 | | |
186 | | /** |
187 | | * \test Test a valid dce_stub_data entry with bind, bind_ack, request frags. |
188 | | */ |
189 | | static int DetectDceStubDataTestParse02(void) |
190 | | { |
191 | | int result = 0; |
192 | | Signature *s = NULL; |
193 | | ThreadVars th_v; |
194 | | Packet *p = NULL; |
195 | | Flow f; |
196 | | TcpSession ssn; |
197 | | DetectEngineThreadCtx *det_ctx = NULL; |
198 | | DetectEngineCtx *de_ctx = NULL; |
199 | | DCERPCState *dcerpc_state = NULL; |
200 | | int r = 0; |
201 | | |
202 | | uint8_t dcerpc_bind[] = { |
203 | | 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, |
204 | | 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
205 | | 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, |
206 | | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, |
207 | | 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, |
208 | | 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, |
209 | | 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, |
210 | | 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, |
211 | | 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, |
212 | | }; |
213 | | |
214 | | uint8_t dcerpc_bindack[] = { |
215 | | 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, |
216 | | 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
217 | | 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00, |
218 | | 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, |
219 | | 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, |
220 | | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
221 | | 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, |
222 | | 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, |
223 | | 0x02, 0x00, 0x00, 0x00 |
224 | | }; |
225 | | |
226 | | /* todo chop the request frag length and change the |
227 | | * length related parameters in the frag */ |
228 | | uint8_t dcerpc_request[] = { |
229 | | 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, |
230 | | 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
231 | | 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, |
232 | | 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
233 | | 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47, |
234 | | 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b, |
235 | | 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd, |
236 | | 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f, |
237 | | 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5, |
238 | | 0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22, |
239 | | 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1, |
240 | | 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50, |
241 | | 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22, |
242 | | 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2, |
243 | | 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56, |
244 | | 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1, |
245 | | 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76, |
246 | | 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89, |
247 | | 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a, |
248 | | 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e, |
249 | | 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e, |
250 | | 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9, |
251 | | 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a, |
252 | | 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41, |
253 | | 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6, |
254 | | 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22, |
255 | | 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43, |
256 | | 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50, |
257 | | 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99, |
258 | | 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22, |
259 | | 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e, |
260 | | 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46, |
261 | | 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76, |
262 | | 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c, |
263 | | 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74, |
264 | | 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1, |
265 | | 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c, |
266 | | 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09, |
267 | | 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15, |
268 | | 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57, |
269 | | 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56, |
270 | | 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56, |
271 | | 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48, |
272 | | 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47, |
273 | | 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56, |
274 | | 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41, |
275 | | 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1, |
276 | | 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73, |
277 | | 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a, |
278 | | 0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd, |
279 | | 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21, |
280 | | 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab, |
281 | | 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3, |
282 | | 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23, |
283 | | 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23, |
284 | | 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22, |
285 | | 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76, |
286 | | 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22, |
287 | | 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71, |
288 | | 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71, |
289 | | 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06, |
290 | | 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd, |
291 | | 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78, |
292 | | 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51, |
293 | | 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50, |
294 | | 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72, |
295 | | 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1, |
296 | | 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72, |
297 | | 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72, |
298 | | 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48, |
299 | | 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57, |
300 | | 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56, |
301 | | 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78, |
302 | | 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22, |
303 | | 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06, |
304 | | 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22, |
305 | | 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92, |
306 | | 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1, |
307 | | 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22, |
308 | | 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2, |
309 | | 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70, |
310 | | 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26, |
311 | | 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2, |
312 | | 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41, |
313 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
314 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
315 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
316 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
317 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
318 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
319 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
320 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
321 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
322 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
323 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
324 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
325 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
326 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
327 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
328 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
329 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
330 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
331 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
332 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
333 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
334 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
335 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
336 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
337 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
338 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
339 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
340 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
341 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
342 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
343 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
344 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
345 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
346 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
347 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
348 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
349 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
350 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
351 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
352 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
353 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
354 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
355 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
356 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
357 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
358 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
359 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
360 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
361 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
362 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
363 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
364 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
365 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
366 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
367 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
368 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
369 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
370 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
371 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
372 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
373 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
374 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
375 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
376 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
377 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
378 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
379 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
380 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
381 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
382 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
383 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
384 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
385 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
386 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
387 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
388 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
389 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
390 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
391 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
392 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
393 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
394 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
395 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
396 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
397 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
398 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
399 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
400 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
401 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
402 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
403 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
404 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
405 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
406 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
407 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
408 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
409 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
410 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
411 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
412 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
413 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
414 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
415 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
416 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
417 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
418 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
419 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
420 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
421 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
422 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
423 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
424 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
425 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
426 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
427 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
428 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
429 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
430 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
431 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
432 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
433 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
434 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
435 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
436 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
437 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
438 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
439 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
440 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
441 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
442 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
443 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
444 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
445 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
446 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
447 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
448 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
449 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
450 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
451 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
452 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
453 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
454 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
455 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
456 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
457 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
458 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
459 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
460 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
461 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
462 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
463 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
464 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
465 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
466 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
467 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
468 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
469 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
470 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
471 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
472 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
473 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
474 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
475 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58, |
476 | | 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41, |
477 | | 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, |
478 | | 0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3, |
479 | | 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78, |
480 | | 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, |
481 | | 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
482 | | 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, |
483 | | 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, |
484 | | 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, |
485 | | 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, |
486 | | 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, |
487 | | 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, |
488 | | 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, |
489 | | 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, |
490 | | 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, |
491 | | 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74, |
492 | | 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
493 | | 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
494 | | 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74, |
495 | | 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, |
496 | | 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68, |
497 | | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, |
498 | | 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
499 | | 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, |
500 | | 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d, |
501 | | 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00, |
502 | | 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, |
503 | | 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
504 | | 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, |
505 | | 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, |
506 | | 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, |
507 | | 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
508 | | 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f, |
509 | | 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, |
510 | | 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41, |
511 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
512 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
513 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
514 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
515 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
516 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
517 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
518 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
519 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
520 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
521 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
522 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
523 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
524 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
525 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
526 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
527 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
528 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
529 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
530 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
531 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
532 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
533 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
534 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
535 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
536 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
537 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
538 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
539 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
540 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
541 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
542 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
543 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
544 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
545 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
546 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
547 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
548 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
549 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
550 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
551 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
552 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
553 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
554 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
555 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
556 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
557 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
558 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
559 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
560 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
561 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
562 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
563 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
564 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
565 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
566 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
567 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
568 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
569 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
570 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
571 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
572 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
573 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
574 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
575 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
576 | | 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42, |
577 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
578 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
579 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
580 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
581 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
582 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
583 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
584 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
585 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
586 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
587 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
588 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
589 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
590 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
591 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
592 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
593 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
594 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
595 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
596 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
597 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
598 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
599 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
600 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
601 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
602 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
603 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
604 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
605 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
606 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
607 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
608 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
609 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
610 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
611 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
612 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
613 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
614 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
615 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
616 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
617 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
618 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
619 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
620 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
621 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
622 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
623 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
624 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
625 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
626 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
627 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
628 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
629 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
630 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
631 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
632 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
633 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
634 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
635 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
636 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
637 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
638 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
639 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
640 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
641 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
642 | | 0x01, 0x02, 0x03, 0x04 |
643 | | }; |
644 | | |
645 | | uint32_t dcerpc_bind_len = sizeof(dcerpc_bind); |
646 | | uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack); |
647 | | uint32_t dcerpc_request_len = sizeof(dcerpc_request); |
648 | | AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); |
649 | | |
650 | | memset(&th_v, 0, sizeof(th_v)); |
651 | | memset(&f, 0, sizeof(f)); |
652 | | memset(&ssn, 0, sizeof(ssn)); |
653 | | |
654 | | p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); |
655 | | |
656 | | FLOW_INITIALIZE(&f); |
657 | | f.protoctx = (void *)&ssn; |
658 | | f.proto = IPPROTO_TCP; |
659 | | p->flow = &f; |
660 | | p->flowflags |= FLOW_PKT_TOSERVER; |
661 | | p->flowflags |= FLOW_PKT_ESTABLISHED; |
662 | | p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; |
663 | | f.alproto = ALPROTO_DCERPC; |
664 | | |
665 | | StreamTcpInitConfig(true); |
666 | | |
667 | | de_ctx = DetectEngineCtxInit(); |
668 | | if (de_ctx == NULL) |
669 | | goto end; |
670 | | |
671 | | de_ctx->flags |= DE_QUIET; |
672 | | |
673 | | s = de_ctx->sig_list = SigInit(de_ctx, |
674 | | "alert tcp any any -> any any " |
675 | | "(msg:\"DCERPC\"; " |
676 | | "dce_stub_data; content:\"|42 42 42 42|\";" |
677 | | "sid:1;)"); |
678 | | if (s == NULL) |
679 | | goto end; |
680 | | |
681 | | SigGroupBuild(de_ctx); |
682 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
683 | | |
684 | | r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC, |
685 | | STREAM_TOSERVER | STREAM_START, dcerpc_bind, |
686 | | dcerpc_bind_len); |
687 | | if (r != 0) { |
688 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
689 | | goto end; |
690 | | } |
691 | | |
692 | | dcerpc_state = f.alstate; |
693 | | if (dcerpc_state == NULL) { |
694 | | SCLogDebug("no dcerpc state: "); |
695 | | goto end; |
696 | | } |
697 | | |
698 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
699 | | p->flowflags |= FLOW_PKT_TOSERVER; |
700 | | /* do detect */ |
701 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
702 | | |
703 | | /* we shouldn't have any stub data */ |
704 | | if (PacketAlertCheck(p, 1)) |
705 | | goto end; |
706 | | |
707 | | /* do detect */ |
708 | | r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC, |
709 | | STREAM_TOCLIENT, dcerpc_bindack, |
710 | | dcerpc_bindack_len); |
711 | | if (r != 0) { |
712 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
713 | | goto end; |
714 | | } |
715 | | |
716 | | p->flowflags &=~ FLOW_PKT_TOSERVER; |
717 | | p->flowflags |= FLOW_PKT_TOCLIENT; |
718 | | /* do detect */ |
719 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
720 | | |
721 | | /* we shouldn't have any stub data */ |
722 | | if (PacketAlertCheck(p, 1)) |
723 | | goto end; |
724 | | |
725 | | r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC, |
726 | | STREAM_TOSERVER | STREAM_EOF, dcerpc_request, |
727 | | dcerpc_request_len); |
728 | | if (r != 0) { |
729 | | SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r); |
730 | | goto end; |
731 | | } |
732 | | |
733 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
734 | | p->flowflags |= FLOW_PKT_TOSERVER; |
735 | | /* do detect */ |
736 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
737 | | |
738 | | /* we should have the stub data since we previously parsed a request frag */ |
739 | | if (!PacketAlertCheck(p, 1)) |
740 | | goto end; |
741 | | |
742 | | result = 1; |
743 | | |
744 | | end: |
745 | | if (alp_tctx != NULL) |
746 | | AppLayerParserThreadCtxFree(alp_tctx); |
747 | | SigGroupCleanup(de_ctx); |
748 | | SigCleanSignatures(de_ctx); |
749 | | |
750 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
751 | | DetectEngineCtxFree(de_ctx); |
752 | | |
753 | | StreamTcpFreeConfig(true); |
754 | | FLOW_DESTROY(&f); |
755 | | |
756 | | UTHFreePackets(&p, 1); |
757 | | return result; |
758 | | } |
759 | | |
760 | | /** |
761 | | * \test Test a valid dce_stub_data with just a request frag. |
762 | | */ |
763 | | static int DetectDceStubDataTestParse03(void) |
764 | | { |
765 | | Signature *s = NULL; |
766 | | ThreadVars th_v; |
767 | | Packet *p = NULL; |
768 | | Flow f; |
769 | | TcpSession ssn; |
770 | | DetectEngineThreadCtx *det_ctx = NULL; |
771 | | DetectEngineCtx *de_ctx = NULL; |
772 | | DCERPCState *dcerpc_state = NULL; |
773 | | int r = 0; |
774 | | |
775 | | /* todo chop the request frag length and change the |
776 | | * length related parameters in the frag */ |
777 | | uint8_t dcerpc_request[] = { |
778 | | 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, |
779 | | 0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, |
780 | | 0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, |
781 | | 0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
782 | | 0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47, |
783 | | 0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b, |
784 | | 0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd, |
785 | | 0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f, |
786 | | 0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5, |
787 | | 0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22, |
788 | | 0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1, |
789 | | 0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50, |
790 | | 0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22, |
791 | | 0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2, |
792 | | 0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56, |
793 | | 0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1, |
794 | | 0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76, |
795 | | 0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89, |
796 | | 0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a, |
797 | | 0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e, |
798 | | 0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e, |
799 | | 0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9, |
800 | | 0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a, |
801 | | 0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41, |
802 | | 0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6, |
803 | | 0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22, |
804 | | 0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43, |
805 | | 0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50, |
806 | | 0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99, |
807 | | 0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22, |
808 | | 0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e, |
809 | | 0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46, |
810 | | 0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76, |
811 | | 0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c, |
812 | | 0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74, |
813 | | 0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1, |
814 | | 0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c, |
815 | | 0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09, |
816 | | 0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15, |
817 | | 0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57, |
818 | | 0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56, |
819 | | 0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56, |
820 | | 0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48, |
821 | | 0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47, |
822 | | 0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56, |
823 | | 0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41, |
824 | | 0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1, |
825 | | 0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73, |
826 | | 0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a, |
827 | | 0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd, |
828 | | 0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21, |
829 | | 0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab, |
830 | | 0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3, |
831 | | 0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23, |
832 | | 0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23, |
833 | | 0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22, |
834 | | 0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76, |
835 | | 0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22, |
836 | | 0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71, |
837 | | 0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71, |
838 | | 0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06, |
839 | | 0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd, |
840 | | 0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78, |
841 | | 0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51, |
842 | | 0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50, |
843 | | 0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72, |
844 | | 0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1, |
845 | | 0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72, |
846 | | 0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72, |
847 | | 0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48, |
848 | | 0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57, |
849 | | 0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56, |
850 | | 0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78, |
851 | | 0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22, |
852 | | 0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06, |
853 | | 0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22, |
854 | | 0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92, |
855 | | 0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1, |
856 | | 0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22, |
857 | | 0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2, |
858 | | 0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70, |
859 | | 0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26, |
860 | | 0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2, |
861 | | 0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41, |
862 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
863 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
864 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
865 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
866 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
867 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
868 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
869 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
870 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
871 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
872 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
873 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
874 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
875 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
876 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
877 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
878 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
879 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
880 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
881 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
882 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
883 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
884 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
885 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
886 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
887 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
888 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
889 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
890 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
891 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
892 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
893 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
894 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
895 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
896 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
897 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
898 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
899 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
900 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
901 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
902 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
903 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
904 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
905 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
906 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
907 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
908 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
909 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
910 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
911 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
912 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
913 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
914 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
915 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
916 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
917 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
918 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
919 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
920 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
921 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
922 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
923 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
924 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
925 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
926 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
927 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
928 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
929 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
930 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
931 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
932 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
933 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
934 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
935 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
936 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
937 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
938 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
939 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
940 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
941 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
942 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
943 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
944 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
945 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
946 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
947 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
948 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
949 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
950 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
951 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
952 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
953 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
954 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
955 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
956 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
957 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
958 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
959 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
960 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
961 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
962 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
963 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
964 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
965 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
966 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
967 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
968 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
969 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
970 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
971 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
972 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
973 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
974 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
975 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
976 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
977 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
978 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
979 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
980 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
981 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
982 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
983 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
984 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
985 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
986 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
987 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
988 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
989 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
990 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
991 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
992 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
993 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
994 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
995 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
996 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
997 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
998 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
999 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1000 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1001 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1002 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1003 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1004 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1005 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1006 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1007 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1008 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1009 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1010 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1011 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1012 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1013 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1014 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1015 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1016 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1017 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1018 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1019 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1020 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1021 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1022 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1023 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1024 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58, |
1025 | | 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41, |
1026 | | 0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, |
1027 | | 0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3, |
1028 | | 0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78, |
1029 | | 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, |
1030 | | 0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1031 | | 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, |
1032 | | 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, |
1033 | | 0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, |
1034 | | 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, |
1035 | | 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, |
1036 | | 0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, |
1037 | | 0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, |
1038 | | 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, |
1039 | | 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, |
1040 | | 0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74, |
1041 | | 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1042 | | 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1043 | | 0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74, |
1044 | | 0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, |
1045 | | 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68, |
1046 | | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, |
1047 | | 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1048 | | 0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, |
1049 | | 0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d, |
1050 | | 0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00, |
1051 | | 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, |
1052 | | 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1053 | | 0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65, |
1054 | | 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, |
1055 | | 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, |
1056 | | 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1057 | | 0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f, |
1058 | | 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, |
1059 | | 0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41, |
1060 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1061 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1062 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1063 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1064 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1065 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1066 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1067 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1068 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1069 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1070 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1071 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1072 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1073 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1074 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1075 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1076 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1077 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1078 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1079 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1080 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1081 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1082 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1083 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1084 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1085 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1086 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1087 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1088 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1089 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1090 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1091 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1092 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1093 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1094 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1095 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1096 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1097 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1098 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1099 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1100 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1101 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1102 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1103 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1104 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1105 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1106 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1107 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1108 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1109 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1110 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1111 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1112 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1113 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1114 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1115 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1116 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1117 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1118 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1119 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1120 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1121 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1122 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1123 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1124 | | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, |
1125 | | 0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42, |
1126 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1127 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1128 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1129 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1130 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1131 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1132 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1133 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1134 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1135 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1136 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1137 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1138 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1139 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1140 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1141 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1142 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1143 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1144 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1145 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1146 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1147 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1148 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1149 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1150 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1151 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1152 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1153 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1154 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1155 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1156 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1157 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1158 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1159 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1160 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1161 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1162 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1163 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1164 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1165 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1166 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1167 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1168 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1169 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1170 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1171 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1172 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1173 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1174 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1175 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1176 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1177 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1178 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1179 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1180 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1181 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1182 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1183 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1184 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1185 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1186 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1187 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1188 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1189 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1190 | | 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, |
1191 | | 0x01, 0x02, 0x03, 0x04 |
1192 | | }; |
1193 | | |
1194 | | uint32_t dcerpc_request_len = sizeof(dcerpc_request); |
1195 | | |
1196 | | AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); |
1197 | | |
1198 | | memset(&th_v, 0, sizeof(th_v)); |
1199 | | memset(&f, 0, sizeof(f)); |
1200 | | memset(&ssn, 0, sizeof(ssn)); |
1201 | | |
1202 | | p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); |
1203 | | |
1204 | | FLOW_INITIALIZE(&f); |
1205 | | f.protoctx = (void *)&ssn; |
1206 | | f.proto = IPPROTO_TCP; |
1207 | | p->flow = &f; |
1208 | | p->flowflags |= FLOW_PKT_TOSERVER; |
1209 | | p->flowflags |= FLOW_PKT_ESTABLISHED; |
1210 | | p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; |
1211 | | f.alproto = ALPROTO_DCERPC; |
1212 | | |
1213 | | StreamTcpInitConfig(true); |
1214 | | |
1215 | | de_ctx = DetectEngineCtxInit(); |
1216 | | FAIL_IF(de_ctx == NULL); |
1217 | | |
1218 | | de_ctx->flags |= DE_QUIET; |
1219 | | |
1220 | | s = de_ctx->sig_list = SigInit(de_ctx, |
1221 | | "alert tcp any any -> any any " |
1222 | | "(msg:\"DCERPC\"; " |
1223 | | "dce_stub_data; content:\"|42 42 42 42|\";" |
1224 | | "sid:1;)"); |
1225 | | FAIL_IF(s == NULL); |
1226 | | |
1227 | | SigGroupBuild(de_ctx); |
1228 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
1229 | | |
1230 | | r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC, |
1231 | | STREAM_TOSERVER | STREAM_START, dcerpc_request, |
1232 | | dcerpc_request_len); |
1233 | | FAIL_IF(r != 0); |
1234 | | |
1235 | | dcerpc_state = f.alstate; |
1236 | | FAIL_IF (dcerpc_state == NULL); |
1237 | | |
1238 | | p->flowflags &=~ FLOW_PKT_TOCLIENT; |
1239 | | p->flowflags |= FLOW_PKT_TOSERVER; |
1240 | | /* do detect */ |
1241 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
1242 | | FAIL_IF(!PacketAlertCheck(p, 1)); |
1243 | | |
1244 | | if (alp_tctx != NULL) |
1245 | | AppLayerParserThreadCtxFree(alp_tctx); |
1246 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
1247 | | DetectEngineCtxFree(de_ctx); |
1248 | | StreamTcpFreeConfig(true); |
1249 | | FLOW_DESTROY(&f); |
1250 | | |
1251 | | UTHFreePackets(&p, 1); |
1252 | | PASS; |
1253 | | } |
1254 | | |
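/* Rules shared by DetectDceStubDataTestParse04 and DetectDceStubDataTestParse05.
 * Each content pattern occurs in the stub data of exactly one of the three
 * request PDUs below, so every request must trigger its own sid and nothing
 * else, and no response may trigger any of them. */
static const char *stubdata_test_rules[] = {
    "alert tcp any any -> any any "
    "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 02|\"; sid:1;)",
    "alert tcp any any -> any any "
    "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 75|\"; sid:2;)",
    "alert tcp any any -> any any "
    "(msg:\"DCERPC\"; dce_stub_data; content:\"|00 18|\"; sid:3;)",
};

/* DCERPC bind (packet type 0x0b) */
static const uint8_t stubdata_pdu_bind[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
    0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
    0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
};

/* DCERPC bind_ack (packet type 0x0c), carries the string "\PIPE\winreg" */
static const uint8_t stubdata_pdu_bindack[] = {
    0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
    0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
    0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00,
};

/* request 1: its stub data ends in |00 02| (sid 1) */
static const uint8_t stubdata_pdu_request1[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
    0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
    0x00, 0x00, 0x00, 0x02,
};

static const uint8_t stubdata_pdu_response1[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
    0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
    0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
};

/* request 2: stub data holds the UTF-16 string
 * "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", which contains |00 75| (sid 2) */
static const uint8_t stubdata_pdu_request2[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
    0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
    0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
    0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
    0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
    0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
    0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
    0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
    0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
    0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
    0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
    0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
    0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
    0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
    0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
    0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,
};

static const uint8_t stubdata_pdu_response2[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
    0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
    0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
};

/* request 3: stub data holds the UTF-16 strings "Osa32" and "NTOSA32.EXE"
 * and contains |00 18| (sid 3) */
static const uint8_t stubdata_pdu_request3[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
    0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
    0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
    0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
    0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
    0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
    0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
    0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
    0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
};

static const uint8_t stubdata_pdu_response3[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
};

/** One PDU handed to the DCERPC parser, followed by a detection run. */
typedef struct DceStubDataTestStep_ {
    const uint8_t *pdu;     /**< raw PDU bytes */
    uint32_t pdu_len;       /**< length of pdu */
    uint8_t parser_flags;   /**< STREAM_* flags for AppLayerParserParse */
    uint8_t pkt_dir;        /**< FLOW_PKT_TOSERVER or FLOW_PKT_TOCLIENT */
    bool check_alerts;      /**< compare sids 1..3 against expect_sid afterwards */
    uint32_t expect_sid;    /**< the only sid allowed to alert; 0 means none */
} DceStubDataTestStep;

/**
 * \brief Replays a sequence of DCERPC PDUs through the app-layer parser and
 *        the detect engine, loaded with stubdata_test_rules, and verifies the
 *        alert set after every step that asks for it.
 *
 * Every resource is acquired with a NULL check and released on the single
 * cleanup path, so a failed allocation cannot be dereferenced or leaked.
 *
 * \param steps  PDUs to replay, in wire order
 * \param nsteps number of entries in \a steps
 *
 * \retval 1 setup succeeded, every PDU parsed and every checked step produced
 *           exactly the expected alerts
 * \retval 0 otherwise
 */
static int DceStubDataRunSteps(const DceStubDataTestStep *steps, size_t nsteps)
{
    int result = 0;
    ThreadVars th_v;
    Packet *p = NULL;
    Flow f;
    TcpSession ssn;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    AppLayerParserThreadCtx *alp_tctx = NULL;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* flow and stream config are set up before anything that can fail, so
     * the cleanup at 'end' is valid from the first goto onwards */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.alproto = ALPROTO_DCERPC;
    StreamTcpInitConfig(true);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL)
        goto end;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;

    alp_tctx = AppLayerParserThreadCtxAlloc();
    if (alp_tctx == NULL)
        goto end;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    for (size_t i = 0; i < sizeof(stubdata_test_rules) / sizeof(stubdata_test_rules[0]); i++) {
        if (DetectEngineAppendSig(de_ctx, stubdata_test_rules[i]) == NULL)
            goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL)
        goto end;

    for (size_t i = 0; i < nsteps; i++) {
        const DceStubDataTestStep *step = &steps[i];

        int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
                step->parser_flags, step->pdu, step->pdu_len);
        if (r != 0) {
            SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
            goto end;
        }
        /* the parser creates the app-layer state on the first PDU and it
         * stays attached to the flow afterwards */
        if (f.alstate == NULL) {
            SCLogDebug("no dcerpc state: ");
            goto end;
        }

        /* point the packet in the PDU's direction, then run detection */
        p->flowflags &= ~(FLOW_PKT_TOSERVER | FLOW_PKT_TOCLIENT);
        p->flowflags |= step->pkt_dir;
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

        if (!step->check_alerts)
            continue;
        for (uint32_t sid = 1; sid <= 3; sid++) {
            bool alerted = (PacketAlertCheck(p, sid) != 0);
            if (alerted != (sid == step->expect_sid))
                goto end;
        }
    }

    result = 1;

end:
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);

    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}

/**
 * \brief Full exchange: bind and bind_ack, then three request/response pairs.
 *        Alerts are not checked on the bind exchange; after each request only
 *        its own sid may fire and after each response nothing may fire.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectDceStubDataTestParse04(void)
{
    const DceStubDataTestStep steps[] = {
        { .pdu = stubdata_pdu_bind, .pdu_len = sizeof(stubdata_pdu_bind),
          .parser_flags = STREAM_TOSERVER | STREAM_START, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = false, .expect_sid = 0 },
        { .pdu = stubdata_pdu_bindack, .pdu_len = sizeof(stubdata_pdu_bindack),
          .parser_flags = STREAM_TOCLIENT, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = false, .expect_sid = 0 },
        { .pdu = stubdata_pdu_request1, .pdu_len = sizeof(stubdata_pdu_request1),
          .parser_flags = STREAM_TOSERVER, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = true, .expect_sid = 1 },
        { .pdu = stubdata_pdu_response1, .pdu_len = sizeof(stubdata_pdu_response1),
          .parser_flags = STREAM_TOCLIENT, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = true, .expect_sid = 0 },
        { .pdu = stubdata_pdu_request2, .pdu_len = sizeof(stubdata_pdu_request2),
          .parser_flags = STREAM_TOSERVER, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = true, .expect_sid = 2 },
        { .pdu = stubdata_pdu_response2, .pdu_len = sizeof(stubdata_pdu_response2),
          .parser_flags = STREAM_TOCLIENT, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = true, .expect_sid = 0 },
        { .pdu = stubdata_pdu_request3, .pdu_len = sizeof(stubdata_pdu_request3),
          .parser_flags = STREAM_TOSERVER, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = true, .expect_sid = 3 },
        { .pdu = stubdata_pdu_response3, .pdu_len = sizeof(stubdata_pdu_response3),
          .parser_flags = STREAM_TOCLIENT | STREAM_EOF, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = true, .expect_sid = 0 },
    };
    return DceStubDataRunSteps(steps, sizeof(steps) / sizeof(steps[0]));
}

/**
 * \brief Same three request/response pairs as DetectDceStubDataTestParse04,
 *        but fed without the preceding bind/bind_ack exchange, so the first
 *        request opens the stream. The alert expectations are identical,
 *        including that no sid fires on the final response.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectDceStubDataTestParse05(void)
{
    const DceStubDataTestStep steps[] = {
        { .pdu = stubdata_pdu_request1, .pdu_len = sizeof(stubdata_pdu_request1),
          .parser_flags = STREAM_TOSERVER | STREAM_START, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = true, .expect_sid = 1 },
        { .pdu = stubdata_pdu_response1, .pdu_len = sizeof(stubdata_pdu_response1),
          .parser_flags = STREAM_TOCLIENT, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = true, .expect_sid = 0 },
        { .pdu = stubdata_pdu_request2, .pdu_len = sizeof(stubdata_pdu_request2),
          .parser_flags = STREAM_TOSERVER, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = true, .expect_sid = 2 },
        { .pdu = stubdata_pdu_response2, .pdu_len = sizeof(stubdata_pdu_response2),
          .parser_flags = STREAM_TOCLIENT, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = true, .expect_sid = 0 },
        { .pdu = stubdata_pdu_request3, .pdu_len = sizeof(stubdata_pdu_request3),
          .parser_flags = STREAM_TOSERVER, .pkt_dir = FLOW_PKT_TOSERVER,
          .check_alerts = true, .expect_sid = 3 },
        { .pdu = stubdata_pdu_response3, .pdu_len = sizeof(stubdata_pdu_response3),
          .parser_flags = STREAM_TOCLIENT | STREAM_EOF, .pkt_dir = FLOW_PKT_TOCLIENT,
          .check_alerts = true, .expect_sid = 0 },
    };
    return DceStubDataRunSteps(steps, sizeof(steps) / sizeof(steps[0]));
}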
1838 | | |
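/**
 * \brief dce_stub_data must be rejected on a protocol it does not apply to.
 *
 * The rule is otherwise well-formed (parenthesised options, a sid), so the
 * only reason left for DetectEngineAppendSig to fail is the "dns" protocol.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectDceStubDataTestParse06(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    Signature *s = DetectEngineAppendSig(de_ctx,
            "alert dns any any -> any any (dce_stub_data; content:\"0\"; sid:1;)");
    FAIL_IF_NOT_NULL(s);

    DetectEngineCtxFree(de_ctx);
    PASS;
}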
1851 | | |
/**
 * \brief Registers the dce_stub_data unittests with the unittest runner,
 *        in the same order as they are listed in the table.
 */
static void DetectDceStubDataRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectDceStubDataTestParse02", DetectDceStubDataTestParse02 },
        { "DetectDceStubDataTestParse03", DetectDceStubDataTestParse03 },
        { "DetectDceStubDataTestParse04", DetectDceStubDataTestParse04 },
        { "DetectDceStubDataTestParse05", DetectDceStubDataTestParse05 },
        { "DetectDceStubDataTestParse06", DetectDceStubDataTestParse06 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
1865 | | #endif |