From 45ea0d914ec3a677b7d469a74afcc9c405e58ff9 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Mon, 14 Jun 2010 17:10:27 +0530 Subject: [PATCH] dce stub content keywords support using dcepayload.c support for all dce related content keywords --- src/Makefile.am | 1 + src/detect-bytejump.c | 289 +- src/detect-bytejump.h | 10 +- src/detect-bytetest.c | 356 +- src/detect-bytetest.h | 8 +- src/detect-content.c | 307 +- src/detect-dce-stub-data.c | 9 +- src/detect-depth.c | 40 +- src/detect-distance.c | 66 +- src/detect-engine-dcepayload.c | 6060 ++++++++++++++++++++++++++++++++ src/detect-engine-dcepayload.h | 31 + src/detect-isdataat.c | 196 +- src/detect-offset.c | 39 +- src/detect-parse.c | 78 + src/detect-parse.h | 2 + src/detect-pcre.c | 269 +- src/detect-pcre.h | 3 + src/detect-uricontent.c | 8 +- src/detect-within.c | 107 +- src/detect.c | 7 + src/detect.h | 10 + src/stream-tcp-reassemble.h | 1 + src/stream-tcp.c | 12 +- src/stream-tcp.h | 17 + src/suricata-common.h | 1 + src/suricata.c | 2 + 26 files changed, 7798 insertions(+), 131 deletions(-) create mode 100644 src/detect-engine-dcepayload.c create mode 100644 src/detect-engine-dcepayload.h diff --git a/src/Makefile.am b/src/Makefile.am index 487b4301ef..70ea3557b6 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -58,6 +58,7 @@ detect-engine-siggroup.c detect-engine-siggroup.h \ detect-engine-mpm.c detect-engine-mpm.h \ detect-engine-iponly.c detect-engine-iponly.h \ detect-engine-payload.c detect-engine-payload.h \ +detect-engine-dcepayload.c detect-engine-dcepayload.h \ detect-engine-uri.c detect-engine-uri.h \ detect-engine-state.c detect-engine-state.h \ detect-parse.c detect-parse.h \ diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index ecd0378bda..c91ab2d732 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c 
@@ -28,6 +28,8 @@ #include "decode.h" #include "detect.h" #include "detect-parse.h" +#include "detect-engine.h" +#include "app-layer.h" #include "detect-bytejump.h" #include "detect-content.h" @@ -50,6 +52,7 @@ "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ + "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \ "\\s*$" static pcre *parse_regex; @@ -431,6 +434,7 @@ DetectBytejumpData *DetectBytejumpParse(char *optstr) if (data->flags & DETECT_BYTEJUMP_LITTLE) { data->flags ^= DETECT_BYTEJUMP_LITTLE; } + data->flags |= DETECT_BYTEJUMP_BIG; } else if (strcasecmp("little", args[i]) == 0) { data->flags |= DETECT_BYTEJUMP_LITTLE; } else if (strcasecmp("from_beginning", args[i]) == 0) { @@ -453,6 +457,8 @@ DetectBytejumpData *DetectBytejumpParse(char *optstr) SCLogError(SC_ERR_INVALID_VALUE, "Malformed post_offset: %s", optstr); goto error; } + } else if (strcasecmp("dce", args[i]) == 0) { + data->flags |= DETECT_BYTEJUMP_DCE; } else { SCLogError(SC_ERR_INVALID_VALUE, "Unknown option: \"%s\"", args[i]); goto error; 
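Review bot: In the `big` branch of DetectBytejumpParse (hunk `@@ -431,6 +434,7 @@`) the new `data->flags |= DETECT_BYTEJUMP_BIG;` has no counterpart in the `little` branch, so the two endian bits are mutually exclusive in one order only. `little, big` clears LITTLE and sets BIG, but `big, little` leaves both bits set, and the DCE conflict check added in DetectBytejumpSetup then relies on flags that can be inconsistent. The `little` branch should clear the other bit first, e.g. `data->flags &= ~DETECT_BYTEJUMP_BIG;` before `data->flags |= DETECT_BYTEJUMP_LITTLE;`. The same asymmetry is added to DetectBytetestParse in detect-bytetest.c at `@@ -469,8 +472,11 @@`. Both parse functions extend beyond these hunks, so confirm that no later check already rejects the combination.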
@@ -507,16 +513,52 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) { DetectBytejumpData *data = NULL; SigMatch *sm = NULL; + SigMatch *match = NULL; + SigMatch *match_tail = NULL; data = DetectBytejumpParse(optstr); - if (data == NULL) goto error; + if (data == NULL) + goto error; + + /* check bytejump modifiers against the signature alproto. In case they conflict + * chuck out invalid signature */ + if (data->flags & DETECT_BYTEJUMP_DCE) { + if (s->alproto != ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " + "bytetest with dce enabled"); + goto error; + } + if ( (data->flags & DETECT_BYTEJUMP_STRING) || + (data->flags & DETECT_BYTEJUMP_LITTLE) || + (data->flags & DETECT_BYTEJUMP_BIG) || + (data->flags & DETECT_BYTEJUMP_BEGIN) || + (data->base == DETECT_BYTEJUMP_BASE_DEC) || + (data->base == DETECT_BYTEJUMP_BASE_HEX) || + (data->base == DETECT_BYTEJUMP_BASE_OCT) ) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "DCERPC rule holds an invalid modifier for bytejump."); + goto error; + } + } if (data->flags & DETECT_BYTEJUMP_RELATIVE) { - /** Search for the first previous DetectContent - * SigMatch (it can be the same as this one) */ + + switch (s->alproto) { + case ALPROTO_DCERPC: + match = s->dmatch; + match_tail = s->dmatch_tail; + break; + + default: + match = s->pmatch; + match_tail = s->pmatch_tail; + break; + } + + /* Search for the first previous DetectContent SigMatch (it can be the + * same as this one) */ SigMatch *pm = NULL; - pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_CONTENT); - if (pm != NULL) { + if ( (pm = SigMatchGetLastSM(match_tail, DETECT_CONTENT)) != NULL) { DetectContentData *cd = (DetectContentData *)pm->ctx; if (cd == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytejump match " 
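Review bot: The new alproto check in DetectBytejumpSetup logs `"Non dce alproto sig has bytetest with dce enabled"`, which names the wrong keyword and will send a rule author to the wrong option; it should say `bytejump with dce enabled`. In the same hunk the new local `match` is assigned from `s->dmatch` / `s->pmatch`, but only `match_tail` is read in the lines shown. If nothing further down uses it, drop the variable (DetectBytetestSetup adds the same local at `@@ -524,18 +530,53 @@`). The function continues outside this hunk and the `error:` label is not visible, so check there that `data` is released on the new `goto error` paths.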
@@ -524,7 +566,8 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; } cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_PCRE)) != NULL) { + + } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_PCRE)) != NULL) { DetectPcreData *pe = NULL; pe = (DetectPcreData *) pm->ctx; if (pe == NULL) { @@ -532,9 +575,8 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; } pe->flags |= DETECT_PCRE_RELATIVE; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_BYTEJUMP)) != - NULL) - { + + } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_BYTEJUMP)) != NULL) { DetectBytejumpData *data = NULL; data = (DetectBytejumpData *)pm->ctx; if (data == NULL) { @@ -542,6 +584,7 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; } data->flags |= DETECT_BYTEJUMP_RELATIVE; + } else { SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytejump match " "needs a previous content option"); @@ -556,7 +599,18 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) sm->type = DETECT_BYTEJUMP; sm->ctx = (void *)data; - SigMatchAppendPayload(s,sm); + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + SigMatchAppendDcePayload(s, sm); + break; + + default: + SigMatchAppendPayload(s, sm); + break; + } return 0; 
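Review bot: The switch added at `@@ -556,7 +599,18 @@` picks `SigMatchAppendDcePayload` or `SigMatchAppendPayload` from `s->alproto` as it stands when byte_jump is parsed, so the list a match lands on depends on keyword order within the rule. Presumably dce_iface is what sets the DCERPC alproto (every new test places it first). A rule that puts content or byte_jump before it would then split its chain between `pmatch` and `dmatch`, while the relative lookup earlier in this function searches only one tail, which could leave part of a signature uninspected without any load-time error. At minimum state the requirement where the switch is, e.g. `/* NOTE: s->alproto must already be DCERPC here; dce keywords have to precede content keywords */`, or reject a signature whose alproto changes after payload matches were appended. The same switch is added to DetectBytetestSetup (`@@ -575,7 +617,18 @@`) and DetectContentSetup (`@@ -434,7 +435,19 @@`).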
@@ -737,6 +791,218 @@ int DetectBytejumpTestParse08(void) { return result; } +/** + * \test Test dce option. + */ +int DetectBytejumpTestParse09(void) { + Signature *s = SigAlloc(); + int result = 1; + + s->alproto = ALPROTO_DCERPC; + + result &= (DetectBytejumpSetup(NULL, s, "4,0, align, multiplier 2, " + "post_offset -16,dce") == 0); + result &= (DetectBytejumpSetup(NULL, s, "4,0, multiplier 2, " + "post_offset -16,dce") == 0); + result &= (DetectBytejumpSetup(NULL, s, "4,0,post_offset -16,dce") == 0); + result &= (DetectBytejumpSetup(NULL, s, "4,0,dce") == 0); + result &= (DetectBytejumpSetup(NULL, s, "4,0,dce") == 0); + result &= (DetectBytejumpSetup(NULL, s, "4,0, string, dce") == -1); + result &= (DetectBytejumpSetup(NULL, s, "4,0, big, dce") == -1); + result &= (DetectBytejumpSetup(NULL, s, "4,0, little, dce") == -1); + result &= (DetectBytejumpSetup(NULL, s, "4,0, string, dec, dce") == -1); + result &= (DetectBytejumpSetup(NULL, s, "4,0, string, oct, dce") == -1); + result &= (DetectBytejumpSetup(NULL, s, "4,0, string, hex, dce") == -1); + result &= (DetectBytejumpSetup(NULL, s, "4,0, from_beginning, dce") == -1); + + SigFree(s); + return result; +} + +int DetectBytejumpTestParse10(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + DetectBytejumpData *bd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,dce; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + s = de_ctx->sig_list; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_BYTEJUMP); + bd = (DetectBytejumpData *)s->dmatch_tail->ctx; + if (!(bd->flags & DETECT_BYTEJUMP_DCE) && + (bd->flags & 
DETECT_BYTEJUMP_RELATIVE) && + (bd->flags & DETECT_BYTEJUMP_STRING) && + (bd->flags & DETECT_BYTEJUMP_BIG) && + (bd->flags & DETECT_BYTEJUMP_LITTLE) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,relative,dce; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_BYTEJUMP); + bd = (DetectBytejumpData *)s->dmatch_tail->ctx; + if (!(bd->flags & DETECT_BYTEJUMP_DCE) && + !(bd->flags & DETECT_BYTEJUMP_RELATIVE) && + (bd->flags & DETECT_BYTEJUMP_STRING) && + (bd->flags & DETECT_BYTEJUMP_BIG) && + (bd->flags & DETECT_BYTEJUMP_LITTLE) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_BYTEJUMP); + bd = (DetectBytejumpData *)s->dmatch_tail->ctx; + if ((bd->flags & DETECT_BYTEJUMP_DCE) && + (bd->flags & DETECT_BYTEJUMP_RELATIVE) && + (bd->flags & DETECT_BYTEJUMP_STRING) && + (bd->flags & DETECT_BYTEJUMP_BIG) && + (bd->flags & DETECT_BYTEJUMP_LITTLE) ) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +int DetectBytejumpTestParse11(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = SigInit(de_ctx, "alert tcp any 
any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,string,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,big,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,little,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,string,hex,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,string,dec,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,string,oct,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_jump:4,0,align,multiplier 2, " + "post_offset -16,from_beginning,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + 
} + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + /** * \test DetectByteJumpTestPacket01 is a test to check matches of * byte_jump and byte_jump relative works if the previous keyword is pcre @@ -815,6 +1081,9 @@ void DetectBytejumpRegisterTests(void) { UtRegisterTest("DetectBytejumpTestParse06", DetectBytejumpTestParse06, 1); UtRegisterTest("DetectBytejumpTestParse07", DetectBytejumpTestParse07, 1); UtRegisterTest("DetectBytejumpTestParse08", DetectBytejumpTestParse08, 1); + UtRegisterTest("DetectBytejumpTestParse09", DetectBytejumpTestParse09, 1); + UtRegisterTest("DetectBytejumpTestParse10", DetectBytejumpTestParse10, 1); + UtRegisterTest("DetectBytejumpTestParse11", DetectBytejumpTestParse11, 1); UtRegisterTest("DetectByteJumpTestPacket01", DetectByteJumpTestPacket01, 1); UtRegisterTest("DetectByteJumpTestPacket02", DetectByteJumpTestPacket02, 1); #endif /* UNITTESTS */ diff --git a/src/detect-bytejump.h b/src/detect-bytejump.h index 6797cff144..ca0afbf00e 100644 --- a/src/detect-bytejump.h +++ b/src/detect-bytejump.h @@ -32,10 +32,12 @@ /** Bytejump Flags */ #define DETECT_BYTEJUMP_BEGIN 0x01 /**< "from_beginning" jump */ -#define DETECT_BYTEJUMP_LITTLE 0x02 /**< "little" endian value (default "big") */ -#define DETECT_BYTEJUMP_STRING 0x04 /**< "string" value */ -#define DETECT_BYTEJUMP_RELATIVE 0x08 /**< "relative" offset */ -#define DETECT_BYTEJUMP_ALIGN 0x10 /**< "align" offset */ +#define DETECT_BYTEJUMP_LITTLE 0x02 /**< "little" endian value */ +#define DETECT_BYTEJUMP_BIG 0x04 /**< "big" endian value */ +#define DETECT_BYTEJUMP_STRING 0x08 /**< "string" value */ +#define DETECT_BYTEJUMP_RELATIVE 0x10 /**< "relative" offset */ +#define DETECT_BYTEJUMP_ALIGN 0x20 /**< "align" offset */ +#define DETECT_BYTEJUMP_DCE 0x40 /**< "dce" enabled */ typedef struct DetectBytejumpData_ { uint8_t nbytes; /**< Number of bytes to compare */ 
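Review bot: The flag checks in DetectBytejumpTestParse10 cannot detect a regression, because each `if` joins its conditions with `&&`. The first block only fails when DCE is missing and RELATIVE, STRING, BIG and LITTLE are all set at once. The intent looks like "fail if any expectation is violated", which needs `||` between the terms, e.g. `if (!(bd->flags & DETECT_BYTEJUMP_DCE) || (bd->flags & DETECT_BYTEJUMP_RELATIVE) || (bd->flags & DETECT_BYTEJUMP_STRING) || ...)`, with the polarity of each term adjusted per rule. In Parse10 and Parse11 the early `goto end` on a NULL `de_ctx` also leaves `result` at 1, so a failed engine init is reported as a pass and the cleanup calls receive NULL; set `result = 0` before jumping. DetectBytetestTestParse20 and Parse21 in detect-bytetest.c (`@@ -930,6 +983,282 @@`) follow the same pattern.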
diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index 206b366f12..9f815befbd 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -27,11 +27,13 @@ #include "debug.h" #include "decode.h" #include "detect.h" +#include "detect-engine.h" #include "detect-parse.h" #include "detect-content.h" #include "detect-bytetest.h" #include "detect-bytejump.h" +#include "app-layer.h" #include "util-byte.h" #include "util-unittest.h" @@ -52,6 +54,7 @@ "(?:\\s*,\\s*([^\\s,]+))?" \ "(?:\\s*,\\s*([^\\s,]+))?" \ "(?:\\s*,\\s*([^\\s,]+))?" \ + "(?:\\s*,\\s*([^\\s,]+))?" \ "\\s*$" static pcre *parse_regex; @@ -469,8 +472,11 @@ DetectBytetestData *DetectBytetestParse(char *optstr) if (data->flags & DETECT_BYTETEST_LITTLE) { data->flags ^= DETECT_BYTETEST_LITTLE; } + data->flags |= DETECT_BYTETEST_BIG; } else if (strcasecmp("little", args[i]) == 0) { data->flags |= DETECT_BYTETEST_LITTLE; + } else if (strcasecmp("dce", args[i]) == 0) { + data->flags |= DETECT_BYTETEST_DCE; } else { SCLogError(SC_ERR_UNKNOWN_VALUE, "Unknown value: \"%s\"", args[i]); 
@@ -524,18 +530,53 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) { DetectBytetestData *data = NULL; SigMatch *sm = NULL; + SigMatch *match = NULL; + SigMatch *match_tail = NULL; //printf("DetectBytetestSetup: \'%s\'\n", optstr); data = DetectBytetestParse(optstr); - if (data == NULL) goto error; + if (data == NULL) + goto error; + + /* check bytetest modifiers against the signature alproto. In case they conflict + * chuck out invalid signature */ + if (data-> flags & DETECT_BYTETEST_DCE) { + if (s->alproto != ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has " + "bytetest with dce enabled"); + goto error; + } + if ( (data->flags & DETECT_BYTETEST_STRING) || + (data->flags & DETECT_BYTETEST_LITTLE) || + (data->flags & DETECT_BYTETEST_BIG) || + (data->base == DETECT_BYTETEST_BASE_DEC) || + (data->base == DETECT_BYTETEST_BASE_HEX) || + (data->base == DETECT_BYTETEST_BASE_OCT) ) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "a byte_test keyword with dce holds other invalid modifiers."); + goto error; + } + } if (data->flags & DETECT_BYTETEST_RELATIVE) { - /** Search for the first previous DetectContent - * SigMatch (it can be the same as this one) */ + + switch (s->alproto) { + case ALPROTO_DCERPC: + match = s->dmatch; + match_tail = s->dmatch_tail; + break; + + default: + match = s->pmatch; + match_tail = s->pmatch_tail; + break; + } + + /* Search for the first previous DetectContent SigMatch (it can be the + * same as this one) */ SigMatch *pm = NULL; - pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_CONTENT); - if (pm != NULL) { + if ( (pm = SigMatchGetLastSM(match_tail, DETECT_CONTENT)) != NULL) { DetectContentData *cd = (DetectContentData *) pm->ctx; if (cd == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytetest match " 
@@ -543,7 +584,8 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; } cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_PCRE)) != NULL) { + + } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_PCRE)) != NULL) { DetectPcreData *pe = NULL; pe = (DetectPcreData *) pm->ctx; if (pe == NULL) { @@ -551,9 +593,8 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; } pe->flags |= DETECT_PCRE_RELATIVE; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_BYTEJUMP)) != - NULL) - { + + } else if ( (pm = SigMatchGetLastSM(match_tail, DETECT_BYTEJUMP)) != NULL) { DetectBytejumpData *data = NULL; data = (DetectBytejumpData *)pm->ctx; if (data == NULL) { @@ -561,6 +602,7 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) goto error; } data->flags |= DETECT_BYTEJUMP_RELATIVE; + } else { SCLogError(SC_ERR_INVALID_SIGNATURE, "relative bytetest match " "needs a previous content option"); @@ -575,7 +617,18 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) sm->type = DETECT_BYTETEST; sm->ctx = (void *)data; - SigMatchAppendPayload(s,sm); + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + SigMatchAppendDcePayload(s, sm); + break; + + default: + SigMatchAppendPayload(s, sm); + break; + } return 0; @@ -745,7 +798,7 @@ int DetectBytetestTestParse07(void) { && (data->nbytes == 4) && (data->value == 5) && (data->offset == 0) - && (data->flags == 0) + && (data->flags == 4) && (data->base == DETECT_BYTETEST_BASE_UNSET)) { result = 1; 
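Review bot: At `@@ -745,7 +798,7 @@` DetectBytetestTestParse07 now compares against the bare literal `4`, which matches only because this commit renumbers the flags in detect-bytetest.h so that DETECT_BYTETEST_BIG is 0x04. The next change to the flag layout will break the test with nothing to explain why. Use the symbol instead: `&& (data->flags == DETECT_BYTETEST_BIG)`. The test body starts and ends outside the hunk, so this assumes the parsed option string contains `big`.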
@@ -930,6 +983,282 @@ int DetectBytetestTestParse16(void) { return result; } +/** + * \test Test dce option. + */ +int DetectBytetestTestParse17(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, <, 5, 0, dce"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_LT) && + (data->nbytes == 4) && + (data->value == 5) && + (data->offset == 0) && + (data->flags & DETECT_BYTETEST_DCE) ) { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test Test dce option. + */ +int DetectBytetestTestParse18(void) { + int result = 0; + DetectBytetestData *data = NULL; + data = DetectBytetestParse("4, <, 5, 0"); + if (data != NULL) { + if ( (data->op == DETECT_BYTETEST_OP_LT) && + (data->nbytes == 4) && + (data->value == 5) && + (data->offset == 0) && + !(data->flags & DETECT_BYTETEST_DCE) ) { + result = 1; + } + DetectBytetestFree(data); + } + + return result; +} + +/** + * \test Test dce option. + */ +int DetectBytetestTestParse19(void) { + Signature *s = SigAlloc(); + int result = 1; + + s->alproto = ALPROTO_DCERPC; + + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,dce") == 0); + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,string,dce") == -1); + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,big,dce") == -1); + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,little,dce") == -1); + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,hex,dce") == -1); + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,oct,dce") == -1); + result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,dec,dce") == -1); + + SigFree(s); + return result; +} + +int DetectBytetestTestParse20(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + DetectBytetestData *bd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + 
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,dce; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + s = de_ctx->sig_list; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_BYTETEST); + bd = (DetectBytetestData *)s->dmatch_tail->ctx; + if (!(bd->flags & DETECT_BYTETEST_DCE) && + (bd->flags & DETECT_BYTETEST_RELATIVE) && + (bd->flags & DETECT_BYTETEST_STRING) && + (bd->flags & DETECT_BYTETEST_BIG) && + (bd->flags & DETECT_BYTETEST_LITTLE) && + (bd->flags & DETECT_BYTETEST_NEGOP) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,relative,dce; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_BYTETEST); + bd = (DetectBytetestData *)s->dmatch_tail->ctx; + if (!(bd->flags & DETECT_BYTETEST_DCE) && + !(bd->flags & DETECT_BYTETEST_RELATIVE) && + (bd->flags & DETECT_BYTETEST_STRING) && + (bd->flags & DETECT_BYTETEST_BIG) && + (bd->flags & DETECT_BYTETEST_LITTLE) && + (bd->flags & DETECT_BYTETEST_NEGOP) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_BYTETEST); + bd = (DetectBytetestData *)s->dmatch_tail->ctx; + if ((bd->flags & DETECT_BYTETEST_DCE) && + (bd->flags & DETECT_BYTETEST_RELATIVE) && + (bd->flags & DETECT_BYTETEST_STRING) && + (bd->flags & DETECT_BYTETEST_BIG) && + (bd->flags & 
DETECT_BYTETEST_LITTLE) && + (bd->flags & DETECT_BYTETEST_NEGOP) ) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +int DetectBytetestTestParse21(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,string,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,big,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,little,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,hex,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,dec,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,oct,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + 
"(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,string,hex,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + s = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytetest_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)"); + if (s != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + /** * \test DetectByteTestTestPacket01 is a test to check matches of * byte_test and byte_test relative works if the previous keyword is pcre 
@@ -1014,6 +1343,11 @@ void DetectBytetestRegisterTests(void) { UtRegisterTest("DetectBytetestTestParse13", DetectBytetestTestParse13, 1); UtRegisterTest("DetectBytetestTestParse14", DetectBytetestTestParse14, 1); UtRegisterTest("DetectBytetestTestParse15", DetectBytetestTestParse15, 1); + UtRegisterTest("DetectBytetestTestParse17", DetectBytetestTestParse17, 1); + UtRegisterTest("DetectBytetestTestParse18", DetectBytetestTestParse18, 1); + UtRegisterTest("DetectBytetestTestParse19", DetectBytetestTestParse19, 1); + UtRegisterTest("DetectBytetestTestParse20", DetectBytetestTestParse20, 1); + UtRegisterTest("DetectBytetestTestParse21", DetectBytetestTestParse21, 1); UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01, 1); UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02, 1); #endif /* UNITTESTS */ diff --git a/src/detect-bytetest.h b/src/detect-bytetest.h index 9b812c85d6..8cc2e01dcf 100644 --- a/src/detect-bytetest.h +++ b/src/detect-bytetest.h @@ -39,9 +39,11 @@ /** Bytetest Flags */ #define DETECT_BYTETEST_NEGOP 0x01 /**< "!" negated operator */ -#define DETECT_BYTETEST_LITTLE 0x02 /**< "little" endian value (default "big") */ -#define DETECT_BYTETEST_STRING 0x04 /**< "string" value */ -#define DETECT_BYTETEST_RELATIVE 0x08 /**< "relative" offset */ +#define DETECT_BYTETEST_LITTLE 0x02 /**< "little" endian value */ +#define DETECT_BYTETEST_BIG 0x04 /**< "bi" endian value */ +#define DETECT_BYTETEST_STRING 0x08 /**< "string" value */ +#define DETECT_BYTETEST_RELATIVE 0x10 /**< "relative" offset */ +#define DETECT_BYTETEST_DCE 0x20 /**< dce enabled */ typedef struct DetectBytetestData_ { uint8_t nbytes; /**< Number of bytes to compare */ diff --git a/src/detect-content.c b/src/detect-content.c index 4c72a3114c..bb1299e291 100644 --- a/src/detect-content.c +++ b/src/detect-content.c 
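Review bot: The added registrations in DetectBytetestRegisterTests jump from DetectBytetestTestParse15 to DetectBytetestTestParse17, yet DetectBytetestTestParse16 exists, since it is the function context of the `@@ -930,6 +983,282 @@` hunk. Unless it is registered somewhere outside the lines shown, that test never runs. Add `UtRegisterTest("DetectBytetestTestParse16", DetectBytetestTestParse16, 1);` after the Parse15 line.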
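Review bot: In the detect-bytetest.h hunk the doc comment on DETECT_BYTETEST_BIG reads `/**< "bi" endian value */` and should be `/**< "big" endian value */`. The hunk also removes the `(default "big")` remark from DETECT_BYTETEST_LITTLE, the only place in these lines where the default byte order was documented. Now that BIG is an explicit bit, add a short comment above the flag list saying what neither bit set means, so that matcher code and rule writers agree on it. For consistency with detect-bytejump.h, the DCE comment could read `/**< "dce" enabled */`.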
@@ -35,6 +35,7 @@ #include "flow.h" #include "flow-var.h" #include "detect-flow.h" +#include "app-layer.h" #include "util-unittest.h" #include "util-print.h" #include "util-debug.h" @@ -434,7 +435,19 @@ static int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, char *cont DetectContentPrint(cd); - SigMatchAppendPayload(s,sm); + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + SigMatchAppendDcePayload(s, sm); + break; + + default: + SigMatchAppendPayload(s, sm); + break; + } + return 0; error: 
@@ -1060,6 +1073,296 @@ end: return result; } +int DetectContentParseTest18(void) +{ + Signature *s = SigAlloc(); + int result = 1; + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + result = 0; + goto end; + } + + s->alproto = ALPROTO_DCERPC; + + result &= (DetectContentSetup(de_ctx, s, "one") == 0); + result &= (s->dmatch != NULL); + + SigFree(s); + + s = SigAlloc(); + /* failure since we have no preceding content/pcre/bytejump */ + result &= (DetectContentSetup(de_ctx, s, "one") == 0); + result &= (s->dmatch == NULL); + result &= (s->pmatch != NULL); + + end: + SigFree(s); + DetectEngineCtxFree(de_ctx); + + return result; +} + +int DetectContentParseTest19(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + DetectContentData *data = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + s = de_ctx->sig_list; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; content:two; within:10; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + 
goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->within == 10); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; offset:5; depth:9; content:two; within:10; offset:10; depth:13; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->within == 10 && data->offset == 10 && data->depth == 13); + data = (DetectContentData *)s->dmatch->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->offset == 5 && data->depth == 9); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; content:two; distance:2; sid:1;)"); + if (s->next == NULL) { + result = 0; 
+ goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->distance == 2); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; content:two; within:10; distance:2; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->within == 10 && data->distance == 2); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; offset:10; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + 
data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->offset == 10); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; depth:10; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->depth == 10); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; offset:10; depth:2; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_CONTENT); + result &= (s->pmatch == NULL); + data = (DetectContentData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (data->offset == 10 && data->depth == 13); + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "content:one; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if 
(s->dmatch_tail != NULL) { + result = 0; + goto end; + } + result &= (s->pmatch != NULL); + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + static int SigTestPositiveTestContent(char *rule, uint8_t *buf) { uint16_t buflen = strlen((char *)buf); @@ -1502,6 +1805,8 @@ void DetectContentRegisterTests(void) UtRegisterTest("DetectContentParseTest15", DetectContentParseNegTest15, 1); UtRegisterTest("DetectContentParseTest16", DetectContentParseNegTest16, 1); UtRegisterTest("DetectContentParseTest17", DetectContentParseTest17, 1); + UtRegisterTest("DetectContentParseTest18", DetectContentParseTest18, 1); + UtRegisterTest("DetectContentParseTest19", DetectContentParseTest19, 1); /* The reals */ UtRegisterTest("DetectContentLongPatternMatchTest01", DetectContentLongPatternMatchTest01, 1); diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 138b818a3b..699c7cb22a 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -98,16 +98,19 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow * dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 1) { return 0; } - dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed = 1; + //dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed = 1; + det_ctx->dce_stub_data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer; + det_ctx->dce_stub_data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len; } else { if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL || dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 1) { return 0; } - dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed = 1; + //dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed = 1; + det_ctx->dce_stub_data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer; + det_ctx->dce_stub_data_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len; } - return 1; } 
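Review bot: In `DetectContentParseTest19` the rule `content:one; offset:10; depth:2;` is followed by `result &= (data->offset == 10 && data->depth == 13);`, and the expected depth looks copied from the earlier `offset:10; depth:13` case rather than derived from this rule. The case matters because `DoInspectDcePayload` in this patch has `BUG_ON(cd->depth != 0 && cd->depth <= cd->offset)`, so a depth below the offset has to be rejected or normalised at rule load rather than reach the engine; the test should pin whichever of those the parser does. Separately, `DetectContentParseTest18` dereferences `s->alproto` without checking either `SigAlloc()` result (`if (s == NULL) return 0;`), and its comment "failure since we have no preceding content/pcre/bytejump" contradicts the `== 0` success it asserts. In `DetectContentParseTest19` the `de_ctx == NULL` path jumps to `end` with `result` still 1, so an init failure is reported as a pass.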
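Review bot: `det_ctx->dce_stub_data` now stores a pointer into the flow's DCERPC state, but the two `return 0;` paths in `DetectDceStubDataMatch` leave whatever an earlier call stored there, so any later reader on the same detect thread could see a buffer that belongs to another flow or has since been released. Whether anything reads the field is not visible here, and `DetectEngineInspectDcePayload` in this patch says it fetches the stub from the app layer itself. I would reset both fields before the early returns with `det_ctx->dce_stub_data = NULL; det_ctx->dce_stub_data_len = 0;`, or drop the assignments if nothing consumes them. The `//dcerpc_state->...stub_data_processed = 1;` lines should be deleted rather than commented out, with a short comment saying who sets `stub_data_processed` now, since both branches still test it. The function starts outside this hunk.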
diff --git a/src/detect-depth.c b/src/detect-depth.c index 5c36fe0028..39f959e475 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -31,8 +31,10 @@ #include "detect-parse.h" #include "detect-content.h" #include "detect-uricontent.h" +#include "detect-parse.h" #include "flow-var.h" +#include "app-layer.h" #include "util-debug.h" @@ -52,6 +54,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths { char *str = depthstr; char dubbed = 0; + SigMatch *pm = NULL; /* strip "'s */ if (depthstr[0] == '\"' && depthstr[strlen(depthstr)-1] == '\"') { @@ -60,14 +63,35 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths dubbed = 1; } - /** Search for the first previous DetectContent or uricontent - * SigMatch (it can be the same as this one) */ - SigMatch *pm = SigMatchGetLastPattern(s); - if (pm == NULL) { - SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a preceeding " - "content or uricontent option"); - if (dubbed) SCFree(str); - return -1; + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->dmatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "depth needs" + "preceeding content option for dcerpc sig"); + if (dubbed) + SCFree(str); + return -1; + } + + break; + + default: + pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->pmatch_tail, + DETECT_URICONTENT, s->umatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "distance needs" + "preceeding content or uricontent option"); + if (dubbed) + SCFree(str); + return -1; + } + + break; } switch (pm->type) { diff --git a/src/detect-distance.c b/src/detect-distance.c index 2ad6654c04..17c92d370f 100644 --- a/src/detect-distance.c 
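Review bot: Both new error strings in `DetectDepthSetup` lose a space where the literals are joined (`"depth needs" "preceeding content option for dcerpc sig"` logs `depth needspreceeding ...`), and the default branch says `distance needs` although this is the depth keyword. Both branches also log `SC_ERR_WITHIN_MISSING_CONTENT` where the removed code used `SC_ERR_DEPTH_MISSING_CONTENT`, so a rule author debugging a rejected signature is pointed at the wrong keyword. Suggested form: `SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs a " "preceding content option for dcerpc sig");`. The same missing space and `SC_ERR_WITHIN_MISSING_CONTENT` code appear in the `@@ -67,14 +71,35 @@` hunk of detect-distance.c, where the removed code used `SC_ERR_DISTANCE_MISSING_CONTENT`. The include hunk above also adds `#include "detect-parse.h"` a second time.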
+++ b/src/detect-distance.c @@ -30,6 +30,8 @@ #include "detect.h" #include "detect-parse.h" #include "detect-engine.h" +#include "app-layer.h" +#include "detect-parse.h" #include "detect-content.h" #include "detect-uricontent.h" @@ -59,6 +61,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, { char *str = distancestr; char dubbed = 0; + SigMatch *pm = NULL; + SigMatch *match_tail = NULL; /* strip "'s */ if (distancestr[0] == '\"' && distancestr[strlen(distancestr)-1] == '\"') { @@ -67,14 +71,35 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, dubbed = 1; } - /** Search for the first previous DetectContent - * SigMatch (it can be the same as this one) */ - SigMatch *pm = SigMatchGetLastPattern(s); - if (pm == NULL) { - SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two " - "preceeding content or uricontent options"); - if (dubbed) SCFree(str); - return -1; + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->dmatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "distance needs" + "preceeding content option for dcerpc sig"); + if (dubbed) + SCFree(str); + return -1; + } + + break; + + default: + pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->pmatch_tail, + DETECT_URICONTENT, s->umatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "distance needs" + "preceeding content or uricontent option"); + if (dubbed) + SCFree(str); + return -1; + } + + break; } DetectUricontentData *ud = NULL; 
@@ -130,8 +155,17 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 }
 }
- pm = SigMatchGetLastSM(s->pmatch_tail->prev, DETECT_CONTENT);
- if (pm != NULL) {
+ switch (s->alproto) {
+ case ALPROTO_DCERPC:
+ match_tail = s->dmatch_tail;
+ break;
+
+ default:
+ match_tail = s->pmatch_tail;
+ break;
+ }
+
+ if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_CONTENT)) != NULL) {
 /* Set the relative next flag on the prev sigmatch */
 cd = (DetectContentData *)pm->ctx;
 if (cd == NULL) {
@@ -140,9 +174,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 goto error;
 }
 cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
- } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_BYTEJUMP))
- != NULL)
- {
+
+ } else if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_BYTEJUMP)) != NULL) {
 DetectBytejumpData *data = NULL;
 data = (DetectBytejumpData *) pm->ctx;
 if (data == NULL) {
@@ -150,9 +183,10 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 goto error;
 }
 data->flags |= DETECT_BYTEJUMP_RELATIVE;
+
 } else {
- SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two"
- " preceeding content or uricontent options");
+ SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
+ "preceeding content or uricontent options");
 goto error;
 }
@@ -160,7 +194,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 default:
 SCLogError(SC_ERR_DISTANCE_MISSING_CONTENT, "distance needs two "
- "preceeding content or uricontent options");
+ "preceeding content or uricontent options");
 if (dubbed) SCFree(str);
 return -1;
 break;
diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c
new file mode 100644
index 0000000000..da095c778e
--- /dev/null
+++ b/src/detect-engine-dcepayload.c
@@ -0,0 +1,6060 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Anoop Saldanha + */ + +#include "suricata-common.h" +#include "suricata.h" + +#include "decode.h" + +#include "detect.h" +#include "detect-engine.h" +#include "detect-parse.h" +#include "detect-content.h" +#include "detect-pcre.h" +#include "detect-isdataat.h" +#include "detect-bytetest.h" +#include "detect-bytejump.h" + +#include "util-spm.h" +#include "util-spm-bm.h" + +#include "stream-tcp-reassemble.h" +#include "stream-tcp.h" + +#include "app-layer.h" +#include "app-layer-dcerpc.h" +#include "decode-tcp.h" +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" + +/** + * \brief Run the dce stub match functions for the dce stub based keywords. + * + * The following keywords are inspected: + * - content + * - isdaatat + * - pcre + * - bytejump + * - bytetest + * + * All keywords are evaluated against the dce stub data. + * + * For accounting the last match in relative matching, + * det_ctx->payload_offset var is used. + * + * \param de_ctx Detection engine context. + * \param det_ctx Detection engine thread context. + * \param s Signature to inspect. + * \param sm SigMatch to inspect. + * \param p Packet. + * \param payload Pointer to the dce stub to inspect. 
+ * \param payload_len Length of the payload + * + * \retval 0 No match. + * \retval 1 Match. + */ +static int DoInspectDcePayload(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Signature *s, + SigMatch *sm, Packet *p, uint8_t *stub, + uint32_t stub_len) +{ + SCEnter(); + + if (sm == NULL) { + SCReturnInt(0); + } + + switch(sm->type) { + case DETECT_CONTENT: + { + if (stub_len == 0) { + SCReturnInt(0); + } + + DetectContentData *cd = NULL; + cd = (DetectContentData *)sm->ctx; + SCLogDebug("inspecting content %"PRIu32" stub_len %"PRIu32, + cd->id, stub_len); + + /* rule parsers should take care of this */ + BUG_ON(cd->depth != 0 && cd->depth <= cd->offset); + + /* search for our pattern, checking the matches recursively. + * if we match we look for the next SigMatch as well */ + uint8_t *found = NULL; + uint32_t offset = 0; + uint32_t depth = stub_len; + uint32_t prev_offset = 0; /**< used in recursive searching */ + + do { + if (cd->flags & DETECT_CONTENT_DISTANCE || + cd->flags & DETECT_CONTENT_WITHIN) { + SCLogDebug("det_ctx->payload_offset %"PRIu32, + det_ctx->payload_offset); + + offset = det_ctx->payload_offset; + depth = stub_len; + + if (cd->flags & DETECT_CONTENT_DISTANCE) { + if (cd->distance < 0 && (uint32_t)(abs(cd->distance)) > offset) { + offset = 0; + } else { + offset += cd->distance; + } + + SCLogDebug("cd->distance %"PRIi32", offset %"PRIu32", depth %"PRIu32, + cd->distance, offset, depth); + } + + if (cd->flags & DETECT_CONTENT_WITHIN) { + if ((int32_t)depth > (int32_t)(det_ctx->payload_offset + cd->within)) { + depth = det_ctx->payload_offset + cd->within; + } + + SCLogDebug("cd->within %"PRIi32", det_ctx->payload_offset " + "%"PRIu32", depth %"PRIu32, cd->within, + det_ctx->payload_offset, depth); + } + + if (cd->depth != 0) { + if ((cd->depth + det_ctx->payload_offset) < depth) { + depth = det_ctx->payload_offset + cd->depth; + } + + SCLogDebug("cd->depth %"PRIu32", depth %"PRIu32, + cd->depth, depth); + } + + if (cd->offset > 
offset) { + offset = cd->offset; + SCLogDebug("setting offset %"PRIu32, offset); + } + + /* implied no relative matches */ + } else { + /* set depth */ + if (cd->depth != 0) { + depth = cd->depth; + } + + /* set offset */ + offset = cd->offset; + } + + /* update offset with prev_offset if we're searching for + * matches after the first occurence. */ + SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset, + prev_offset); + offset += prev_offset; + + SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth); + + if (depth > stub_len) + depth = stub_len; + + /* if offset is bigger than depth we can never match on a + * pattern. We can however, "match" on a negated pattern. */ + if (offset > depth || depth == 0) { + if (cd->flags & DETECT_CONTENT_NEGATED) { + goto match; + } else { + SCReturnInt(0); + } + } + + uint8_t *sstub = stub + offset; + uint32_t sstub_len = depth - offset; + uint32_t match_offset = 0; + SCLogDebug("sstub_len %"PRIu32, sstub_len); + BUG_ON(sstub_len > stub_len); + + /* do the actual search */ + if (cd->flags & DETECT_CONTENT_NOCASE) { + found = BoyerMooreNocase(cd->content, cd->content_len, sstub, + sstub_len, cd->bm_ctx->bmGs, + cd->bm_ctx->bmBc); + } else { + found = BoyerMoore(cd->content, cd->content_len, sstub, + sstub_len, cd->bm_ctx->bmGs, + cd->bm_ctx->bmBc); + } + + /* next we evaluate the result in combination with the + * negation flag. */ + SCLogDebug("found %p cd negated %s", found, + cd->flags & DETECT_CONTENT_NEGATED ? 
"true" : "false"); + + if (found == NULL && !(cd->flags & DETECT_CONTENT_NEGATED)) { + SCReturnInt(0); + } else if (found == NULL && cd->flags & DETECT_CONTENT_NEGATED) { + goto match; + } else if (found != NULL && cd->flags & DETECT_CONTENT_NEGATED) { + match_offset = (uint32_t)((found - stub) + cd->content_len); + SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but " + "negated so no match", cd->id, match_offset); + SCReturnInt(0); + } else { + match_offset = (uint32_t)((found - stub) + cd->content_len); + SCLogDebug("content %"PRIu32" matched at offset %"PRIu32"", + cd->id, match_offset); + det_ctx->payload_offset = match_offset; + + if (!(cd->flags & DETECT_CONTENT_RELATIVE_NEXT)) { + SCLogDebug("no relative match coming up, so this is a match"); + goto match; + } + + BUG_ON(sm->next == NULL); + SCLogDebug("content %"PRIu32, cd->id); + + /* see if the next payload keywords match. If not, we will + * search for another occurence of this content and see + * if the others match then until we run out of matches */ + int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, p, + stub, stub_len); + if (r == 1) { + SCReturnInt(1); + } + + /* set the previous match offset to the start of this match + 1 */ + prev_offset += (match_offset - (cd->content_len - 1)); + SCLogDebug("trying to see if there is another match after " + "prev_offset %"PRIu32, prev_offset); + } + + } while(1); + } + + case DETECT_ISDATAAT: + { + SCLogDebug("inspecting isdataat"); + + DetectIsdataatData *id = (DetectIsdataatData *)sm->ctx; + if (id->flags & ISDATAAT_RELATIVE) { + if (det_ctx->payload_offset + id->dataat > stub_len) { + SCLogDebug("det_ctx->payload_offset + id->dataat " + "%"PRIu32" > %"PRIu32, + det_ctx->payload_offset + id->dataat, stub_len); + SCReturnInt(0); + } else { + SCLogDebug("relative isdataat match"); + goto match; + } + } else { + if (id->dataat < stub_len) { + SCLogDebug("absolute isdataat match"); + goto match; + } else { + SCLogDebug("absolute isdataat 
mismatch, id->isdataat %"PRIu32", " + "stub_len %"PRIu32"", id->dataat, stub_len); + SCReturnInt(0); + } + } + } + + case DETECT_PCRE: + { + SCLogDebug("inspecting pcre"); + + int r = DetectPcrePayloadDoMatch(det_ctx, s, sm, p, stub, stub_len); + if (r == 1) { + goto match; + } + + SCReturnInt(0); + } + + case DETECT_BYTETEST: + { + if (DetectBytetestDoMatch(det_ctx, s, sm, stub, stub_len) != 1) { + SCReturnInt(0); + } + + goto match; + } + + case DETECT_BYTEJUMP: + { + if (DetectBytejumpDoMatch(det_ctx, s, sm, stub, stub_len) != 1) { + SCReturnInt(0); + } + + goto match; + } + + /* we should never get here, but bail out just in case */ + default: + { + BUG_ON(1); + } + } + + SCReturnInt(0); + +match: + /* this sigmatch matched, inspect the next one. If it was the last, + * the payload portion of the signature matched. */ + if (sm->next != NULL) { + int r = DoInspectDcePayload(de_ctx, det_ctx, s, sm->next, p, stub, + stub_len); + SCReturnInt(r); + } else { + SCReturnInt(1); + } +} + +/** + * \brief Do the content inspection & validation for a signature against dce stub. + * + * \param de_ctx Detection engine context. + * \param det_ctx Detection engine thread context. + * \param s Signature to inspect. + * \param sm SigMatch to inspect. + * \param f Flow. + * \param flags App layer flags. + * \param state App layer state. + * \param p Packet. + * + * \retval 0 No match. + * \retval 1 Match. + */ +int DetectEngineInspectDcePayload(DetectEngineCtx *de_ctx, + DetectEngineThreadCtx *det_ctx, Signature *s, + Flow *f, uint8_t flags, void *alstate, Packet *p) +{ + SCEnter(); + DCERPCState *dcerpc_state = (DCERPCState *)alstate; + uint8_t *dce_stub_data = NULL; + uint16_t dce_stub_data_len; + int r = 0; + + if (s->dmatch == NULL || dcerpc_state == NULL) { + SCReturnInt(0); + } + + /* we are not relying on the stub pointer being set by the dce_stub_data + * match function. Instead we will retrieve it directly from the app layer. 
*/ + if (flags & STREAM_TOSERVER) { + if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL || + dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 1) { + SCReturnInt(0); + } + dce_stub_data = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer; + dce_stub_data_len = dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len; + } else { + if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL || + dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 1) { + SCReturnInt(0); + } + dce_stub_data = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer; + dce_stub_data_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len; + } + + det_ctx->payload_offset = 0; + + r = DoInspectDcePayload(de_ctx, det_ctx, s, s->dmatch, p, + dce_stub_data, dce_stub_data_len); + if (r == 1) { + SCReturnInt(1); + } + + SCReturnInt(0); +} + +/**************************************Unittests*******************************/ + +#ifdef UNITTESTS + +/** + * \test Test the working of detection engien with respect to dce keywords. 
+ */ +int DcePayloadTest01(void) +{ + int result = 0; + uint8_t bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, + 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 + }; + uint32_t bind_len = sizeof(bind); + + uint8_t bind_ack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00, + 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00 + }; + uint32_t bind_ack_len = sizeof(bind_ack); + + uint8_t request1[] = { + 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40, + 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48, + 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37, + 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd, + 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6, + 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93, + 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92, + 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5, + 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93, + 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98, + 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49, + 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92, + 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42, + 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b, + 
0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41, + 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f, + 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97, + 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99, + 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96, + 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49, + 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc, + 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91, + 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48, + 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e, + 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a, + 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98, + 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e, + 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43, + 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92, + 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96, + 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6, + 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37, + 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97, + 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92, + 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e, + 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd, + 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e, + 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f, + 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46, + 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b, + 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27, + 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47, + 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97, + 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e, + 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e, + 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f, + 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40, + 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40, + 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5, + 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd, + 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42, + 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8, + 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91, + 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97, + 
0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97, + 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40, + 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd, + 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96, + 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f, + 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f, + 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b, + 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6, + 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46, + 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48, + 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b, + 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99, + 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46, + 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6, + 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46, + 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48, + 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49, + 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90, + 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93, + 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41, + 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37, + 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37, + 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5, + 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96, + 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f, + 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97, + 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48, + 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37, + 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27, + 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37, + 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52, + 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, + 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83, + 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d, + 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a, + 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6, + 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa, + 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2, + 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09, + 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42, + 
0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 
0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 
0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 
0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 
0x47, 0x46, 0x6d, 0x72, + 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a, + 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d, + 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36, + 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c, + 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67 + }; + uint32_t request2_len = sizeof(request2); + + uint8_t request3[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0x26, 0x65, 0x3c, 0x6e, 0x6d, 0x64, 0x24, 0x39, + 0x56, 0x43, 0x3e, 0x61, 0x5c, 0x54, 0x42, 0x23, + 0x75, 0x6b, 0x71, 0x27, 0x66, 0x2e, 0x6e, 0x3d, + 0x58, 0x23, 0x54, 0x77, 0x3b, 0x52, 0x6b, 0x50, + 0x3b, 0x74, 0x2c, 0x54, 0x25, 0x5c, 0x51, 0x7c, + 0x29, 0x7c, 0x5f, 0x4a, 0x35, 0x5c, 0x3d, 0x3f, + 0x33, 0x55, 0x3b, 0x5a, 0x57, 0x31, 0x59, 0x4f, + 0x6d, 0x6d, 0x7b, 0x3e, 0x38, 0x4d, 0x68, 0x75, + 0x64, 0x21, 0x50, 0x63, 0x47, 0x42, 0x56, 0x39, + 0x6c, 0x6f, 0x61, 0x53, 0x32, 0x56, 0x43, 0x52, + 0x43, 0x67, 0x26, 0x45, 0x28, 0x6b, 0x77, 0x28, + 0x7c, 0x64, 0x61, 0x24, 0x38, 0x6b, 0x59, 0x2a, + 0x4f, 0x6e, 0x5b, 0x57, 0x24, 0x54, 0x33, 0x37, + 0x47, 0x58, 0x4b, 0x58, 0x3d, 0x21, 0x38, 0x7c, + 0x2c, 0x24, 0x5f, 0x67, 0x3a, 0x41, 0x3e, 0x2a, + 0x72, 0x66, 0x2d, 0x6b, 0x66, 0x7b, 0x2b, 0x75, + 0x78, 0x2f, 0x4d, 0x4c, 0x51, 0x70, 0x5d, 0x55, + 0x54, 0x3c, 0x63, 0x46, 0x6b, 0x64, 0x4d, 0x25, + 0x45, 0x21, 0x34, 0x65, 0x48, 0x32, 0x58, 0x4c, + 0x70, 0x4c, 0x4c, 0x75, 0x5c, 0x77, 0x68, 0x78, + 0x34, 0x5c, 0x2d, 0x39, 0x58, 0x3b, 0x40, 0x71, + 0x77, 0x47, 0x32, 0x2e, 0x3c, 0x61, 0x6f, 0x6d, + 0x5f, 0x43, 0x74, 0x36, 0x4f, 0x21, 0x44, 0x66, + 0x36, 0x62, 0x30, 0x29, 0x5a, 0x34, 0x66, 0x4e, + 0x51, 0x23, 0x4e, 0x38, 0x51, 0x78, 0x74, 0x58, + 0x2e, 0x6d, 0x51, 0x49, 0x55, 0x73, 0x2a, 0x71, + 0x3c, 0x74, 0x38, 0x6f, 0x5d, 0x4b, 0x74, 0x68, + 0x65, 0x4a, 0x58, 0x41, 0x55, 0x29, 0x42, 0x69, + 0x55, 0x3b, 0x2b, 0x47, 0x64, 0x3b, 0x77, 0x72, + 0x74, 0x38, 0x53, 0x5c, 0x69, 0x49, 0x49, 0x5b, 
+ 0x31, 0x41, 0x6a, 0x4e, 0x2c, 0x6a, 0x63, 0x3f, + 0x58, 0x4e, 0x25, 0x3e, 0x57, 0x41, 0x61, 0x26, + 0x5e, 0x24, 0x69, 0x7a, 0x38, 0x60, 0x73, 0x70, + 0x7d, 0x63, 0x34, 0x78, 0x4d, 0x50, 0x35, 0x69, + 0x49, 0x22, 0x45, 0x44, 0x3f, 0x6e, 0x75, 0x64, + 0x57, 0x3a, 0x61, 0x60, 0x34, 0x21, 0x61, 0x21, + 0x2a, 0x78, 0x7b, 0x52, 0x43, 0x50, 0x5b, 0x76, + 0x5f, 0x4b, 0x6a, 0x5d, 0x23, 0x5b, 0x57, 0x40, + 0x53, 0x51, 0x33, 0x21, 0x35, 0x7d, 0x31, 0x46, + 0x65, 0x52, 0x28, 0x25, 0x30, 0x5a, 0x37, 0x7c, + 0x2c, 0x3d, 0x2a, 0x48, 0x24, 0x5a, 0x2f, 0x47, + 0x64, 0x73, 0x64, 0x3d, 0x7a, 0x5b, 0x34, 0x5e, + 0x42, 0x22, 0x32, 0x47, 0x6e, 0x58, 0x3b, 0x3e, + 0x25, 0x2f, 0x58, 0x78, 0x42, 0x66, 0x71, 0x56, + 0x2a, 0x66, 0x66, 0x5b, 0x55, 0x35, 0x7a, 0x41, + 0x7c, 0x7c, 0x6a, 0x2d, 0x59, 0x25, 0x22, 0x34, + 0x5a, 0x61, 0x37, 0x48, 0x39, 0x31, 0x4a, 0x55, + 0x6a, 0x68, 0x40, 0x2f, 0x45, 0x69, 0x46, 0x25, + 0x51, 0x7d, 0x4f, 0x71, 0x21, 0x33, 0x55, 0x50, + 0x56, 0x5f, 0x75, 0x27, 0x64, 0x36, 0x7a, 0x39, + 0x40, 0x6a, 0x77, 0x38, 0x5d, 0x39, 0x30, 0x5e, + 0x74, 0x54, 0x24, 0x3f, 0x3d, 0x79, 0x3b, 0x27, + 0x7d, 0x68, 0x7d, 0x40, 0x71, 0x7a, 0x65, 0x54, + 0x50, 0x66, 0x33, 0x3c, 0x42, 0x69, 0x6e, 0x3c, + 0x63, 0x63, 0x69, 0x7a, 0x5e, 0x7b, 0x76, 0x26, + 0x71, 0x6f, 0x4a, 0x6d, 0x70, 0x73, 0x66, 0x3b, + 0x26, 0x70, 0x43, 0x5b, 0x52, 0x4c, 0x6d, 0x51, + 0x2a, 0x66, 0x6c, 0x3e, 0x68, 0x6a, 0x31, 0x41, + 0x79, 0x72, 0x37, 0x47, 0x7d, 0x2b, 0x3c, 0x40, + 0x6b, 0x75, 0x56, 0x70, 0x7b, 0x2d, 0x5f, 0x33, + 0x30, 0x30, 0x21, 0x35, 0x7a, 0x7a, 0x67, 0x48, + 0x5e, 0x3b, 0x73, 0x50, 0x54, 0x47, 0x23, 0x2b, + 0x4c, 0x4e, 0x2f, 0x24, 0x44, 0x34, 0x23, 0x5d, + 0x76, 0x51, 0x5a, 0x73, 0x72, 0x3e, 0x47, 0x77, + 0x40, 0x28, 0x65, 0x2e, 0x2a, 0x75, 0x3c, 0x2a, + 0x27, 0x4a, 0x3f, 0x3c, 0x66, 0x2d, 0x21, 0x79, + 0x2d, 0x2b, 0x78, 0x7c, 0x5a, 0x73, 0x46, 0x6b, + 0x39, 0x65, 0x5e, 0x3d, 0x38, 0x40, 0x32, 0x3e, + 0x21, 0x62, 0x34, 0x41, 0x58, 0x53, 0x67, 0x34, + 0x58, 0x56, 0x61, 0x5b, 0x3e, 0x4e, 0x2c, 0x5b, 
+ 0x73, 0x35, 0x34, 0x35, 0x21, 0x3a, 0x61, 0x5f, + 0x6e, 0x45, 0x78, 0x44, 0x28, 0x23, 0x48, 0x65, + 0x53, 0x47, 0x6e, 0x2c, 0x38, 0x5e, 0x2c, 0x57, + 0x58, 0x30, 0x7a, 0x3b, 0x4b, 0x4a, 0x74, 0x7d, + 0x3e, 0x4d, 0x30, 0x24, 0x76, 0x66, 0x6d, 0x2e, + 0x74, 0x75, 0x28, 0x48, 0x5c, 0x23, 0x6c, 0x46, + 0x27, 0x46, 0x6e, 0x34, 0x63, 0x21, 0x58, 0x54, + 0x50, 0x2f, 0x40, 0x47, 0x40, 0x32, 0x36, 0x48, + 0x5f, 0x7d, 0x4a, 0x41, 0x6e, 0x60, 0x2c, 0x4a, + 0x6a, 0x67, 0x6c, 0x41, 0x27, 0x23, 0x30, 0x48, + 0x6a, 0x49, 0x73, 0x26, 0x77, 0x75, 0x4d, 0x65, + 0x5b, 0x34, 0x79, 0x67, 0x61, 0x5b, 0x5c, 0x2b, + 0x71, 0x3f, 0x62, 0x51, 0x3a, 0x53, 0x42, 0x26, + 0x6f, 0x36, 0x57, 0x3f, 0x2b, 0x34, 0x24, 0x30, + 0x60, 0x55, 0x70, 0x65, 0x70, 0x57, 0x5d, 0x68, + 0x36, 0x52, 0x5d, 0x3f, 0x6a, 0x3a, 0x33, 0x31, + 0x6c, 0x4e, 0x57, 0x79, 0x49, 0x79, 0x69, 0x71, + 0x6f, 0x70, 0x6a, 0x76, 0x4b, 0x2f, 0x33, 0x51, + 0x68, 0x30, 0x2e, 0x77, 0x78, 0x55, 0x2f, 0x53, + 0x52, 0x5e, 0x57, 0x60, 0x3b, 0x6f, 0x69, 0x61, + 0x6c, 0x60, 0x5a, 0x34, 0x5a, 0x35, 0x4b, 0x28, + 0x54, 0x32, 0x6a, 0x35, 0x36, 0x6d, 0x68, 0x47, + 0x5c, 0x74, 0x2e, 0x5f, 0x6c, 0x6d, 0x55, 0x42, + 0x77, 0x64, 0x7d, 0x53, 0x4d, 0x39, 0x2c, 0x41, + 0x42, 0x23, 0x3a, 0x73, 0x40, 0x60, 0x5d, 0x38, + 0x6d, 0x36, 0x56, 0x57, 0x2a, 0x28, 0x3d, 0x3b, + 0x5c, 0x75, 0x35, 0x2d, 0x69, 0x2d, 0x44, 0x51, + 0x27, 0x63, 0x66, 0x33, 0x46, 0x42, 0x2e, 0x36, + 0x6b, 0x7b, 0x2c, 0x23, 0x3b, 0x5a, 0x50, 0x2a, + 0x65, 0x28, 0x3b, 0x3c, 0x51, 0x3f, 0x4d, 0x63, + 0x38, 0x25, 0x74, 0x2e, 0x51, 0x22, 0x31, 0x74, + 0x35, 0x33, 0x23, 0x2d, 0x3f, 0x77, 0x26, 0x2c, + 0x55, 0x6d, 0x27, 0x39, 0x79, 0x76, 0x63, 0x4b, + 0x43, 0x4a, 0x3a, 0x6b, 0x59, 0x55, 0x65, 0x26, + 0x2f, 0x3f, 0x56, 0x67, 0x5a, 0x77, 0x71, 0x22, + 0x51, 0x2b, 0x6d, 0x4c, 0x2c, 0x57, 0x66, 0x76, + 0x37, 0x70, 0x5f, 0x52, 0x29, 0x44, 0x52, 0x22, + 0x57, 0x37, 0x27, 0x79, 0x29, 0x5c, 0x57, 0x3b, + 0x54, 0x3c, 0x3f, 0x53, 0x35, 0x27, 0x5e, 0x7c, + 0x49, 0x77, 0x57, 0x5a, 0x22, 0x76, 0x7c, 0x5b, 
+ 0x2f, 0x53, 0x5e, 0x55, 0x6d, 0x64, 0x67, 0x34, + 0x41, 0x23, 0x76, 0x67, 0x23, 0x78, 0x6a, 0x63, + 0x27, 0x68, 0x43, 0x7d, 0x58, 0x49, 0x2d, 0x79, + 0x2e, 0x75, 0x60, 0x6b, 0x34, 0x48, 0x6f, 0x4a, + 0x6c, 0x48, 0x40, 0x68, 0x5f, 0x35, 0x25, 0x6c, + 0x38, 0x5c, 0x30, 0x32, 0x4c, 0x36, 0x31, 0x29, + 0x74, 0x4a, 0x55, 0x56, 0x6d, 0x4e, 0x23, 0x54, + 0x2e, 0x69, 0x78, 0x61, 0x76, 0x66, 0x22, 0x44, + 0x73, 0x25, 0x44, 0x29, 0x2a, 0x28, 0x3b, 0x67, + 0x48, 0x58, 0x37, 0x4a, 0x76, 0x76, 0x51, 0x4a, + 0x61, 0x70, 0x51, 0x74, 0x40, 0x23, 0x29, 0x63, + 0x69, 0x4a, 0x29, 0x23, 0x34, 0x6a, 0x3b, 0x25, + 0x28, 0x54, 0x45, 0x33, 0x28, 0x44, 0x30, 0x61, + 0x5b, 0x60, 0x51, 0x3f, 0x68, 0x50, 0x70, 0x3d, + 0x58, 0x2e, 0x6e, 0x59, 0x5a, 0x62, 0x66, 0x4d, + 0x7a, 0x2e, 0x37, 0x37, 0x3d, 0x7b, 0x74, 0x79, + 0x48, 0x45, 0x77, 0x56, 0x33, 0x76, 0x71, 0x60, + 0x74, 0x3f, 0x61, 0x22, 0x52, 0x51, 0x71, 0x69 + }; + uint32_t request3_len = sizeof(request3); + + uint8_t request4[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0x75, 0x3e, 0x76, 0x3e, 0x66, 0x6b, 0x6b, 0x3e, + 0x6d, 0x59, 0x38, 0x2b, 0x63, 0x4d, 0x2c, 0x73, + 0x54, 0x57, 0x34, 0x25, 0x5b, 0x42, 0x7d, 0x5d, + 0x37, 0x34, 0x2c, 0x79, 0x24, 0x4b, 0x74, 0x73, + 0x25, 0x36, 0x73, 0x3a, 0x2c, 0x55, 0x69, 0x3c, + 0x58, 0x67, 0x33, 0x53, 0x67, 0x5c, 0x61, 0x7b, + 0x44, 0x2e, 0x42, 0x2d, 0x6b, 0x50, 0x55, 0x24, + 0x70, 0x58, 0x60, 0x38, 0x42, 0x45, 0x70, 0x6d, + 0x2f, 0x27, 0x27, 0x2c, 0x21, 0x6d, 0x57, 0x6e, + 0x43, 0x3c, 0x5b, 0x27, 0x7a, 0x34, 0x49, 0x5a, + 0x69, 0x30, 0x3f, 0x6f, 0x77, 0x70, 0x39, 0x2d, + 0x51, 0x74, 0x4b, 0x25, 0x70, 0x51, 0x64, 0x4d, + 0x75, 0x52, 0x5e, 0x3e, 0x37, 0x30, 0x5d, 0x3b, + 0x2c, 0x72, 0x25, 0x6c, 0x6f, 0x79, 0x69, 0x3c, + 0x5b, 0x73, 0x3d, 0x41, 0x28, 0x28, 0x64, 0x60, + 0x4b, 0x7a, 0x2c, 0x4a, 0x6b, 0x3d, 0x2e, 0x6c, + 0x7a, 0x54, 0x70, 0x61, 0x6f, 0x4b, 0x40, 0x28, + 0x59, 0x31, 0x25, 
0x21, 0x57, 0x79, 0x4b, 0x31, + 0x6f, 0x4e, 0x71, 0x2b, 0x3c, 0x24, 0x30, 0x28, + 0x3c, 0x61, 0x28, 0x4b, 0x35, 0x61, 0x4d, 0x55, + 0x5e, 0x66, 0x34, 0x5f, 0x61, 0x70, 0x7b, 0x67, + 0x51, 0x55, 0x68, 0x78, 0x26, 0x3a, 0x27, 0x4e, + 0x71, 0x79, 0x4f, 0x67, 0x2c, 0x5a, 0x79, 0x75, + 0x59, 0x3a, 0x33, 0x4a, 0x36, 0x71, 0x72, 0x6d, + 0x49, 0x3e, 0x53, 0x59, 0x2b, 0x2b, 0x27, 0x4e, + 0x50, 0x5d, 0x21, 0x55, 0x64, 0x4b, 0x72, 0x73, + 0x25, 0x55, 0x26, 0x4f, 0x3a, 0x21, 0x54, 0x29, + 0x4f, 0x64, 0x51, 0x59, 0x60, 0x7b, 0x7c, 0x6f, + 0x3e, 0x65, 0x74, 0x6a, 0x5b, 0x52, 0x2c, 0x56, + 0x4e, 0x45, 0x53, 0x4b, 0x7c, 0x38, 0x49, 0x4b, + 0x4e, 0x4f, 0x4a, 0x47, 0x5e, 0x7c, 0x46, 0x3b, + 0x67, 0x2e, 0x43, 0x79, 0x35, 0x55, 0x59, 0x6d, + 0x38, 0x70, 0x2f, 0x59, 0x4f, 0x27, 0x63, 0x40, + 0x66, 0x2d, 0x39, 0x4f, 0x3d, 0x2e, 0x4c, 0x67, + 0x71, 0x7d, 0x34, 0x22, 0x52, 0x4e, 0x36, 0x7b, + 0x2c, 0x39, 0x4d, 0x42, 0x60, 0x75, 0x74, 0x72, + 0x4f, 0x72, 0x68, 0x3a, 0x51, 0x31, 0x2d, 0x21, + 0x4a, 0x35, 0x47, 0x6d, 0x69, 0x3c, 0x50, 0x4c, + 0x59, 0x66, 0x4c, 0x71, 0x24, 0x3a, 0x36, 0x67, + 0x24, 0x5a, 0x59, 0x28, 0x7c, 0x21, 0x5e, 0x77, + 0x68, 0x5e, 0x7b, 0x6e, 0x56, 0x62, 0x36, 0x29, + 0x6f, 0x4f, 0x5d, 0x57, 0x56, 0x2b, 0x75, 0x2a, + 0x2c, 0x69, 0x63, 0x51, 0x74, 0x6e, 0x5e, 0x46, + 0x50, 0x28, 0x2c, 0x3b, 0x32, 0x53, 0x28, 0x78, + 0x59, 0x72, 0x39, 0x5e, 0x44, 0x5c, 0x77, 0x60, + 0x72, 0x44, 0x3b, 0x75, 0x68, 0x39, 0x55, 0x3e, + 0x44, 0x50, 0x76, 0x3c, 0x48, 0x46, 0x43, 0x22, + 0x56, 0x27, 0x21, 0x31, 0x33, 0x4a, 0x5a, 0x74, + 0x41, 0x58, 0x3f, 0x39, 0x29, 0x71, 0x73, 0x30, + 0x57, 0x70, 0x33, 0x62, 0x7b, 0x4a, 0x75, 0x3e, + 0x4d, 0x4c, 0x4e, 0x55, 0x63, 0x38, 0x66, 0x7d, + 0x68, 0x7d, 0x6f, 0x23, 0x55, 0x50, 0x3d, 0x34, + 0x46, 0x5e, 0x2f, 0x55, 0x27, 0x62, 0x68, 0x7c, + 0x6c, 0x21, 0x2b, 0x63, 0x4b, 0x47, 0x6b, 0x6a, + 0x5b, 0x7b, 0x5c, 0x71, 0x37, 0x7c, 0x52, 0x2b, + 0x2f, 0x4a, 0x47, 0x70, 0x78, 0x50, 0x2f, 0x75, + 0x28, 0x4c, 0x60, 0x4c, 0x4c, 0x54, 0x6b, 0x68, + 0x63, 0x4f, 0x47, 
0x39, 0x2a, 0x70, 0x51, 0x7d, + 0x28, 0x59, 0x52, 0x46, 0x4b, 0x38, 0x27, 0x49, + 0x50, 0x5d, 0x25, 0x22, 0x5f, 0x48, 0x2c, 0x2f, + 0x67, 0x59, 0x5d, 0x7d, 0x21, 0x3d, 0x72, 0x4f, + 0x5c, 0x5b, 0x41, 0x47, 0x5f, 0x56, 0x69, 0x42, + 0x55, 0x60, 0x68, 0x4b, 0x77, 0x44, 0x4c, 0x3b, + 0x7d, 0x5a, 0x58, 0x43, 0x7a, 0x33, 0x22, 0x58, + 0x58, 0x6f, 0x74, 0x53, 0x57, 0x6d, 0x6e, 0x29, + 0x6b, 0x33, 0x71, 0x68, 0x29, 0x48, 0x67, 0x35, + 0x52, 0x41, 0x6b, 0x36, 0x4f, 0x46, 0x31, 0x24, + 0x73, 0x56, 0x40, 0x48, 0x37, 0x51, 0x24, 0x2a, + 0x59, 0x21, 0x74, 0x76, 0x25, 0x2e, 0x4a, 0x74, + 0x32, 0x29, 0x5f, 0x57, 0x7c, 0x58, 0x30, 0x2c, + 0x7b, 0x70, 0x5b, 0x51, 0x73, 0x27, 0x4a, 0x28, + 0x77, 0x2a, 0x43, 0x28, 0x2e, 0x32, 0x3d, 0x38, + 0x36, 0x2e, 0x6b, 0x40, 0x6c, 0x76, 0x54, 0x66, + 0x4a, 0x5c, 0x25, 0x62, 0x2e, 0x61, 0x48, 0x30, + 0x28, 0x41, 0x40, 0x69, 0x3c, 0x39, 0x36, 0x4b, + 0x64, 0x50, 0x76, 0x3d, 0x52, 0x50, 0x77, 0x33, + 0x3b, 0x65, 0x59, 0x31, 0x5c, 0x48, 0x6a, 0x74, + 0x78, 0x5b, 0x74, 0x60, 0x47, 0x27, 0x60, 0x22, + 0x4a, 0x72, 0x25, 0x34, 0x5d, 0x3a, 0x21, 0x66, + 0x61, 0x7b, 0x34, 0x41, 0x3b, 0x3a, 0x27, 0x44, + 0x48, 0x7c, 0x7a, 0x74, 0x3a, 0x68, 0x59, 0x48, + 0x61, 0x32, 0x49, 0x61, 0x40, 0x22, 0x33, 0x75, + 0x29, 0x76, 0x5b, 0x24, 0x5b, 0x5c, 0x76, 0x5c, + 0x28, 0x75, 0x36, 0x26, 0x2c, 0x65, 0x5e, 0x51, + 0x7b, 0x3a, 0x7d, 0x4f, 0x35, 0x73, 0x6b, 0x5b, + 0x5c, 0x37, 0x35, 0x6b, 0x41, 0x35, 0x40, 0x3a, + 0x22, 0x28, 0x6c, 0x71, 0x46, 0x68, 0x7b, 0x66, + 0x56, 0x24, 0x7c, 0x54, 0x28, 0x30, 0x22, 0x4e, + 0x3c, 0x65, 0x69, 0x36, 0x44, 0x53, 0x3d, 0x6c, + 0x5f, 0x73, 0x6c, 0x6f, 0x5e, 0x27, 0x23, 0x4e, + 0x60, 0x45, 0x2f, 0x3d, 0x37, 0x28, 0x51, 0x29, + 0x77, 0x6a, 0x6b, 0x2a, 0x2a, 0x51, 0x26, 0x4c, + 0x4e, 0x71, 0x77, 0x73, 0x71, 0x2d, 0x5a, 0x2c, + 0x23, 0x3d, 0x5f, 0x62, 0x63, 0x2e, 0x72, 0x2a, + 0x75, 0x66, 0x43, 0x56, 0x5f, 0x21, 0x64, 0x66, + 0x35, 0x3b, 0x7a, 0x45, 0x3f, 0x4f, 0x57, 0x22, + 0x5a, 0x45, 0x65, 0x37, 0x58, 0x5b, 0x43, 0x66, + 0x4f, 0x5d, 0x6e, 
0x41, 0x41, 0x62, 0x5e, 0x39, + 0x65, 0x6f, 0x43, 0x4b, 0x5e, 0x51, 0x42, 0x3f, + 0x2d, 0x68, 0x4b, 0x6e, 0x46, 0x6f, 0x21, 0x44, + 0x3c, 0x22, 0x46, 0x31, 0x31, 0x2e, 0x56, 0x2e, + 0x77, 0x48, 0x68, 0x23, 0x4a, 0x36, 0x52, 0x5d, + 0x61, 0x47, 0x71, 0x2e, 0x3a, 0x4a, 0x5b, 0x56, + 0x6b, 0x52, 0x2a, 0x4c, 0x4f, 0x24, 0x34, 0x60, + 0x70, 0x58, 0x7a, 0x76, 0x4b, 0x68, 0x24, 0x5f, + 0x51, 0x6d, 0x75, 0x45, 0x48, 0x21, 0x53, 0x4d, + 0x27, 0x75, 0x5f, 0x50, 0x3e, 0x40, 0x3f, 0x5e, + 0x64, 0x41, 0x5f, 0x68, 0x48, 0x30, 0x71, 0x4b, + 0x66, 0x2c, 0x2f, 0x76, 0x4b, 0x23, 0x46, 0x34, + 0x50, 0x58, 0x52, 0x69, 0x2b, 0x6e, 0x7a, 0x33, + 0x53, 0x43, 0x43, 0x35, 0x54, 0x30, 0x73, 0x63, + 0x3b, 0x43, 0x52, 0x29, 0x45, 0x37, 0x71, 0x79, + 0x5a, 0x26, 0x24, 0x72, 0x73, 0x4e, 0x44, 0x38, + 0x5b, 0x71, 0x36, 0x3a, 0x4f, 0x5b, 0x71, 0x28, + 0x71, 0x79, 0x72, 0x40, 0x6e, 0x51, 0x72, 0x29, + 0x3d, 0x4f, 0x33, 0x22, 0x73, 0x5a, 0x30, 0x71, + 0x58, 0x54, 0x59, 0x48, 0x29, 0x2b, 0x5c, 0x73, + 0x6f, 0x4e, 0x60, 0x2a, 0x72, 0x39, 0x50, 0x59, + 0x6f, 0x48, 0x3e, 0x62, 0x6c, 0x62, 0x49, 0x6c, + 0x2c, 0x3f, 0x43, 0x3f, 0x32, 0x7c, 0x6f, 0x6c, + 0x39, 0x26, 0x26, 0x7b, 0x5d, 0x65, 0x6f, 0x41, + 0x7c, 0x42, 0x2b, 0x65, 0x6f, 0x3e, 0x7b, 0x69, + 0x46, 0x4d, 0x68, 0x68, 0x5a, 0x33, 0x25, 0x5d, + 0x6f, 0x48, 0x7c, 0x77, 0x7d, 0x3f, 0x4e, 0x30, + 0x69, 0x65, 0x28, 0x2e, 0x34, 0x34, 0x41, 0x43, + 0x5e, 0x30, 0x23, 0x3b, 0x60, 0x79, 0x5b, 0x26, + 0x7c, 0x77, 0x3e, 0x43, 0x24, 0x31, 0x3a, 0x56, + 0x24, 0x3c, 0x60, 0x3f, 0x60, 0x55, 0x6a, 0x68 + }; + uint32_t request4_len = sizeof(request4); + + uint8_t request5[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0x69, 0x3e, 0x72, 0x44, 0x31, 0x6b, 0x28, 0x2f, + 0x79, 0x37, 0x58, 0x5d, 0x5f, 0x68, 0x71, 0x47, + 0x7a, 0x68, 0x7c, 0x6c, 0x65, 0x3c, 0x74, 0x67, + 0x59, 0x5c, 0x3d, 0x28, 0x65, 0x28, 0x58, 0x74, + 0x44, 0x62, 0x2e, 0x36, 0x54, 0x2f, 0x24, 
0x34, + 0x4b, 0x6d, 0x3a, 0x7b, 0x60, 0x71, 0x5a, 0x77, + 0x4a, 0x27, 0x25, 0x70, 0x75, 0x56, 0x78, 0x73, + 0x2e, 0x38, 0x6c, 0x70, 0x66, 0x7b, 0x7b, 0x2d, + 0x78, 0x27, 0x65, 0x63, 0x58, 0x4f, 0x7d, 0x5c, + 0x31, 0x3e, 0x36, 0x6e, 0x65, 0x61, 0x2e, 0x4e, + 0x26, 0x68, 0x2b, 0x33, 0x7d, 0x54, 0x2c, 0x28, + 0x47, 0x3a, 0x31, 0x47, 0x56, 0x32, 0x74, 0x51, + 0x79, 0x65, 0x42, 0x45, 0x60, 0x55, 0x6f, 0x48, + 0x61, 0x23, 0x72, 0x62, 0x74, 0x3a, 0x5a, 0x26, + 0x2d, 0x41, 0x58, 0x62, 0x75, 0x4b, 0x37, 0x2e, + 0x3f, 0x2a, 0x6e, 0x2e, 0x2c, 0x43, 0x6f, 0x53, + 0x5f, 0x48, 0x7a, 0x53, 0x7b, 0x54, 0x28, 0x30, + 0x2b, 0x7a, 0x34, 0x33, 0x28, 0x2b, 0x23, 0x23, + 0x72, 0x38, 0x25, 0x30, 0x35, 0x66, 0x76, 0x46, + 0x2a, 0x57, 0x7a, 0x60, 0x38, 0x5a, 0x26, 0x4f, + 0x78, 0x43, 0x2c, 0x7d, 0x3d, 0x76, 0x7d, 0x66, + 0x48, 0x7d, 0x3e, 0x59, 0x31, 0x58, 0x6b, 0x30, + 0x76, 0x45, 0x6e, 0x70, 0x72, 0x5f, 0x3c, 0x70, + 0x6d, 0x77, 0x42, 0x75, 0x42, 0x73, 0x68, 0x5e, + 0x5f, 0x72, 0x2b, 0x2a, 0x70, 0x38, 0x7a, 0x4c, + 0x58, 0x2e, 0x5e, 0x2d, 0x2d, 0x78, 0x67, 0x5a, + 0x77, 0x34, 0x5a, 0x50, 0x76, 0x2d, 0x2b, 0x77, + 0x37, 0x6e, 0x38, 0x2d, 0x7b, 0x44, 0x78, 0x67, + 0x52, 0x57, 0x79, 0x43, 0x7d, 0x6d, 0x4d, 0x32, + 0x23, 0x37, 0x51, 0x4b, 0x41, 0x60, 0x6e, 0x53, + 0x4e, 0x78, 0x37, 0x37, 0x60, 0x56, 0x64, 0x52, + 0x25, 0x46, 0x53, 0x5f, 0x2b, 0x56, 0x2b, 0x3b, + 0x40, 0x37, 0x33, 0x37, 0x23, 0x43, 0x36, 0x6b, + 0x6b, 0x5d, 0x35, 0x28, 0x7d, 0x6a, 0x2c, 0x68, + 0x28, 0x4b, 0x4a, 0x6c, 0x27, 0x35, 0x51, 0x66, + 0x30, 0x39, 0x28, 0x4d, 0x61, 0x2f, 0x64, 0x36, + 0x59, 0x39, 0x68, 0x4b, 0x24, 0x51, 0x7b, 0x6e, + 0x38, 0x49, 0x55, 0x72, 0x5f, 0x33, 0x5c, 0x26, + 0x45, 0x2f, 0x71, 0x66, 0x33, 0x3d, 0x36, 0x68, + 0x65, 0x48, 0x42, 0x40, 0x58, 0x61, 0x4f, 0x50, + 0x70, 0x5e, 0x3c, 0x5d, 0x56, 0x43, 0x4c, 0x41, + 0x45, 0x54, 0x76, 0x4b, 0x21, 0x25, 0x45, 0x4c, + 0x5e, 0x58, 0x23, 0x7d, 0x34, 0x61, 0x5c, 0x53, + 0x2a, 0x47, 0x37, 0x22, 0x6d, 0x31, 0x42, 0x6e, + 0x22, 0x72, 0x62, 0x55, 0x59, 0x66, 0x28, 
0x73, + 0x55, 0x50, 0x5c, 0x6f, 0x52, 0x40, 0x3e, 0x3b, + 0x44, 0x2a, 0x51, 0x3d, 0x4d, 0x47, 0x3a, 0x57, + 0x3e, 0x29, 0x29, 0x7d, 0x40, 0x36, 0x41, 0x3f, + 0x58, 0x77, 0x3b, 0x41, 0x2d, 0x64, 0x5a, 0x72, + 0x7c, 0x7d, 0x30, 0x68, 0x54, 0x34, 0x40, 0x21, + 0x7d, 0x2b, 0x2d, 0x2b, 0x6d, 0x5f, 0x49, 0x57, + 0x68, 0x65, 0x79, 0x2c, 0x21, 0x41, 0x31, 0x55, + 0x27, 0x4d, 0x78, 0x55, 0x2f, 0x61, 0x62, 0x78, + 0x58, 0x25, 0x3a, 0x4b, 0x3e, 0x67, 0x44, 0x7c, + 0x7d, 0x52, 0x3d, 0x3e, 0x3b, 0x62, 0x2d, 0x28, + 0x48, 0x70, 0x2c, 0x79, 0x31, 0x5a, 0x5e, 0x3f, + 0x6a, 0x30, 0x78, 0x41, 0x44, 0x60, 0x4e, 0x63, + 0x63, 0x2e, 0x31, 0x79, 0x2b, 0x47, 0x57, 0x26, + 0x22, 0x6a, 0x46, 0x43, 0x70, 0x30, 0x51, 0x7d, + 0x21, 0x3c, 0x68, 0x74, 0x40, 0x5a, 0x6e, 0x71, + 0x3f, 0x76, 0x73, 0x2e, 0x29, 0x3f, 0x6a, 0x55, + 0x21, 0x72, 0x65, 0x75, 0x5e, 0x6b, 0x39, 0x6e, + 0x3e, 0x76, 0x42, 0x41, 0x65, 0x3f, 0x2b, 0x37, + 0x70, 0x7a, 0x7a, 0x29, 0x50, 0x66, 0x21, 0x67, + 0x3f, 0x54, 0x32, 0x5f, 0x73, 0x27, 0x59, 0x6f, + 0x39, 0x4b, 0x4e, 0x23, 0x54, 0x3b, 0x39, 0x21, + 0x38, 0x41, 0x33, 0x44, 0x57, 0x6b, 0x51, 0x30, + 0x6a, 0x76, 0x62, 0x2c, 0x5c, 0x5e, 0x49, 0x3e, + 0x59, 0x38, 0x5e, 0x4a, 0x59, 0x77, 0x34, 0x25, + 0x4f, 0x76, 0x6a, 0x68, 0x6f, 0x73, 0x7c, 0x3d, + 0x2d, 0x64, 0x6c, 0x7a, 0x3d, 0x2c, 0x26, 0x28, + 0x58, 0x2b, 0x4b, 0x45, 0x68, 0x38, 0x74, 0x63, + 0x7b, 0x4a, 0x63, 0x52, 0x26, 0x54, 0x3c, 0x46, + 0x77, 0x2d, 0x6b, 0x78, 0x63, 0x7b, 0x6a, 0x50, + 0x26, 0x42, 0x62, 0x63, 0x65, 0x6b, 0x63, 0x54, + 0x4d, 0x47, 0x59, 0x48, 0x2e, 0x60, 0x7c, 0x4d, + 0x33, 0x4d, 0x61, 0x72, 0x76, 0x72, 0x21, 0x4d, + 0x2b, 0x43, 0x58, 0x47, 0x4a, 0x36, 0x2d, 0x7b, + 0x32, 0x72, 0x21, 0x78, 0x22, 0x38, 0x2c, 0x7a, + 0x34, 0x44, 0x45, 0x66, 0x31, 0x7b, 0x37, 0x68, + 0x62, 0x65, 0x62, 0x6d, 0x4e, 0x7c, 0x75, 0x38, + 0x2a, 0x73, 0x27, 0x64, 0x33, 0x4f, 0x21, 0x41, + 0x7c, 0x41, 0x3f, 0x60, 0x68, 0x34, 0x72, 0x5b, + 0x38, 0x33, 0x6f, 0x65, 0x3e, 0x5a, 0x7d, 0x25, + 0x49, 0x50, 0x60, 0x36, 0x59, 0x5e, 0x6b, 
0x25, + 0x66, 0x7a, 0x7d, 0x71, 0x40, 0x6c, 0x2c, 0x6e, + 0x6a, 0x5a, 0x24, 0x5a, 0x76, 0x21, 0x67, 0x39, + 0x4b, 0x4a, 0x31, 0x24, 0x66, 0x66, 0x2e, 0x58, + 0x43, 0x46, 0x75, 0x6c, 0x47, 0x28, 0x4f, 0x21, + 0x75, 0x77, 0x6f, 0x71, 0x48, 0x3f, 0x4d, 0x4c, + 0x51, 0x37, 0x3b, 0x41, 0x4d, 0x41, 0x48, 0x28, + 0x71, 0x24, 0x2f, 0x7a, 0x22, 0x49, 0x4a, 0x39, + 0x44, 0x43, 0x68, 0x21, 0x3a, 0x34, 0x4e, 0x52, + 0x7a, 0x60, 0x71, 0x61, 0x6d, 0x51, 0x58, 0x2a, + 0x59, 0x4c, 0x4a, 0x59, 0x6b, 0x77, 0x78, 0x2e, + 0x27, 0x78, 0x76, 0x48, 0x4f, 0x46, 0x79, 0x2c, + 0x54, 0x42, 0x7b, 0x2c, 0x52, 0x41, 0x54, 0x2b, + 0x2c, 0x33, 0x6b, 0x70, 0x77, 0x2e, 0x2e, 0x41, + 0x25, 0x7a, 0x48, 0x6e, 0x71, 0x55, 0x6a, 0x43, + 0x5a, 0x2c, 0x6c, 0x76, 0x6d, 0x71, 0x72, 0x4d, + 0x76, 0x5b, 0x7b, 0x22, 0x4b, 0x45, 0x31, 0x30, + 0x26, 0x53, 0x75, 0x3f, 0x26, 0x59, 0x36, 0x2f, + 0x68, 0x4f, 0x34, 0x5e, 0x2b, 0x30, 0x63, 0x68, + 0x7b, 0x32, 0x5e, 0x77, 0x7d, 0x7b, 0x53, 0x5f, + 0x63, 0x53, 0x77, 0x7a, 0x7d, 0x35, 0x28, 0x3e, + 0x41, 0x6f, 0x5b, 0x31, 0x78, 0x7b, 0x2b, 0x51, + 0x23, 0x43, 0x46, 0x6a, 0x32, 0x32, 0x25, 0x45, + 0x57, 0x43, 0x22, 0x50, 0x60, 0x32, 0x70, 0x2e, + 0x79, 0x2e, 0x6b, 0x33, 0x67, 0x6c, 0x43, 0x5b, + 0x3b, 0x68, 0x53, 0x53, 0x6a, 0x48, 0x59, 0x5f, + 0x30, 0x72, 0x7d, 0x6b, 0x37, 0x24, 0x75, 0x52, + 0x50, 0x2b, 0x75, 0x35, 0x24, 0x3b, 0x6e, 0x53, + 0x56, 0x34, 0x23, 0x54, 0x65, 0x4f, 0x78, 0x3e, + 0x46, 0x7d, 0x25, 0x3f, 0x2f, 0x49, 0x6b, 0x49, + 0x47, 0x45, 0x24, 0x38, 0x3b, 0x68, 0x6c, 0x4f, + 0x29, 0x21, 0x50, 0x32, 0x67, 0x47, 0x5a, 0x72, + 0x76, 0x21, 0x39, 0x67, 0x3c, 0x72, 0x47, 0x43, + 0x4a, 0x2e, 0x31, 0x32, 0x34, 0x3c, 0x53, 0x2d, + 0x22, 0x5b, 0x5b, 0x6a, 0x77, 0x75, 0x31, 0x68, + 0x30, 0x45, 0x43, 0x5f, 0x60, 0x5d, 0x56, 0x67, + 0x66, 0x55, 0x6a, 0x72, 0x77, 0x7b, 0x44, 0x61, + 0x22, 0x64, 0x36, 0x39, 0x6e, 0x44, 0x37, 0x54, + 0x45, 0x46, 0x6f, 0x58, 0x35, 0x51, 0x3c, 0x62, + 0x49, 0x3a, 0x50, 0x58, 0x56, 0x5d, 0x77, 0x6f, + 0x56, 0x64, 0x7b, 0x49, 0x39, 0x21, 0x31, 
0x2d, + 0x5f, 0x56, 0x56, 0x33, 0x31, 0x69, 0x4a, 0x52, + 0x62, 0x5b, 0x6e, 0x65, 0x7c, 0x3d, 0x31, 0x55, + 0x3d, 0x75, 0x25, 0x61, 0x50, 0x71, 0x45, 0x29 + }; + uint32_t request5_len = sizeof(request5); + + uint8_t request6[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0x5b, 0x56, 0x3d, 0x5a, 0x6b, 0x43, 0x73, 0x26, + 0x65, 0x3b, 0x38, 0x79, 0x26, 0x5e, 0x60, 0x59, + 0x40, 0x71, 0x7c, 0x72, 0x28, 0x29, 0x69, 0x32, + 0x72, 0x5a, 0x6c, 0x55, 0x43, 0x65, 0x3f, 0x4a, + 0x21, 0x66, 0x59, 0x30, 0x76, 0x39, 0x21, 0x69, + 0x4b, 0x25, 0x5d, 0x6e, 0x5f, 0x24, 0x2b, 0x38, + 0x70, 0x78, 0x35, 0x7d, 0x39, 0x36, 0x31, 0x72, + 0x44, 0x49, 0x45, 0x3d, 0x25, 0x50, 0x24, 0x3b, + 0x52, 0x27, 0x66, 0x46, 0x5d, 0x4f, 0x34, 0x50, + 0x26, 0x5a, 0x25, 0x3e, 0x3f, 0x34, 0x4b, 0x35, + 0x77, 0x3a, 0x3f, 0x3e, 0x23, 0x4e, 0x30, 0x23, + 0x70, 0x72, 0x33, 0x34, 0x60, 0x2a, 0x4a, 0x32, + 0x6e, 0x29, 0x54, 0x73, 0x5f, 0x26, 0x71, 0x3a, + 0x78, 0x5d, 0x3f, 0x31, 0x48, 0x59, 0x61, 0x44, + 0x5c, 0x38, 0x4f, 0x41, 0x73, 0x67, 0x62, 0x73, + 0x33, 0x52, 0x77, 0x73, 0x57, 0x49, 0x7a, 0x59, + 0x26, 0x21, 0x34, 0x38, 0x2b, 0x5f, 0x5f, 0x37, + 0x74, 0x28, 0x46, 0x3d, 0x43, 0x42, 0x26, 0x66, + 0x63, 0x37, 0x6d, 0x2a, 0x65, 0x3f, 0x71, 0x2d, + 0x4c, 0x72, 0x29, 0x4b, 0x3a, 0x77, 0x64, 0x6a, + 0x6b, 0x42, 0x70, 0x5c, 0x51, 0x38, 0x71, 0x25, + 0x4c, 0x7c, 0x6f, 0x74, 0x71, 0x39, 0x71, 0x25, + 0x3f, 0x62, 0x23, 0x45, 0x5f, 0x77, 0x59, 0x56, + 0x56, 0x67, 0x78, 0x3a, 0x2e, 0x4e, 0x27, 0x59, + 0x65, 0x2f, 0x64, 0x3c, 0x62, 0x40, 0x69, 0x52, + 0x36, 0x49, 0x3e, 0x3b, 0x2c, 0x47, 0x4f, 0x3e, + 0x61, 0x78, 0x2d, 0x45, 0x71, 0x3f, 0x7b, 0x55, + 0x34, 0x36, 0x47, 0x5e, 0x36, 0x51, 0x3d, 0x5a, + 0x4b, 0x75, 0x44, 0x72, 0x61, 0x44, 0x71, 0x4e, + 0x42, 0x6a, 0x2c, 0x34, 0x40, 0x3b, 0x40, 0x31, + 0x31, 0x75, 0x4b, 0x32, 0x71, 0x69, 0x3a, 0x5d, + 0x31, 0x25, 0x53, 0x2a, 0x61, 0x54, 0x68, 0x2a, + 0x76, 0x71, 
0x57, 0x67, 0x56, 0x23, 0x7d, 0x70, + 0x7d, 0x28, 0x57, 0x5f, 0x2f, 0x4c, 0x71, 0x2e, + 0x40, 0x63, 0x49, 0x5b, 0x7c, 0x7b, 0x56, 0x76, + 0x77, 0x46, 0x69, 0x56, 0x3d, 0x75, 0x31, 0x3b, + 0x35, 0x40, 0x37, 0x2c, 0x51, 0x37, 0x49, 0x6a, + 0x79, 0x68, 0x53, 0x31, 0x4c, 0x6f, 0x57, 0x4c, + 0x48, 0x31, 0x6a, 0x30, 0x2b, 0x69, 0x30, 0x56, + 0x58, 0x4b, 0x76, 0x3b, 0x60, 0x6d, 0x35, 0x4d, + 0x74, 0x2f, 0x74, 0x2c, 0x54, 0x4f, 0x6e, 0x3f, + 0x38, 0x56, 0x5c, 0x67, 0x2b, 0x4a, 0x35, 0x30, + 0x67, 0x7d, 0x58, 0x24, 0x59, 0x54, 0x48, 0x2e, + 0x28, 0x7d, 0x6e, 0x51, 0x55, 0x68, 0x56, 0x54, + 0x59, 0x31, 0x4a, 0x65, 0x5a, 0x5e, 0x27, 0x76, + 0x76, 0x65, 0x6d, 0x2f, 0x75, 0x63, 0x67, 0x52, + 0x5e, 0x29, 0x58, 0x3d, 0x5c, 0x3f, 0x54, 0x7c, + 0x67, 0x21, 0x6e, 0x75, 0x67, 0x35, 0x77, 0x31, + 0x3d, 0x26, 0x3f, 0x60, 0x45, 0x2d, 0x2b, 0x45, + 0x5d, 0x3f, 0x55, 0x73, 0x59, 0x4c, 0x5e, 0x6c, + 0x30, 0x4a, 0x4e, 0x47, 0x55, 0x42, 0x6a, 0x4b, + 0x32, 0x3c, 0x75, 0x6e, 0x36, 0x51, 0x5f, 0x4c, + 0x68, 0x72, 0x72, 0x27, 0x3b, 0x51, 0x59, 0x7b, + 0x68, 0x7b, 0x3b, 0x54, 0x35, 0x37, 0x7c, 0x44, + 0x43, 0x36, 0x4c, 0x4f, 0x67, 0x62, 0x4e, 0x39, + 0x4b, 0x7a, 0x49, 0x36, 0x68, 0x38, 0x4c, 0x4a, + 0x64, 0x33, 0x35, 0x2f, 0x3e, 0x5c, 0x58, 0x61, + 0x23, 0x5b, 0x50, 0x6e, 0x34, 0x44, 0x60, 0x28, + 0x54, 0x41, 0x5c, 0x31, 0x53, 0x2d, 0x58, 0x58, + 0x54, 0x28, 0x77, 0x51, 0x6f, 0x64, 0x4c, 0x68, + 0x34, 0x79, 0x45, 0x66, 0x2c, 0x26, 0x77, 0x64, + 0x5f, 0x6c, 0x3b, 0x71, 0x28, 0x4d, 0x68, 0x2a, + 0x6b, 0x37, 0x6a, 0x34, 0x51, 0x27, 0x2a, 0x46, + 0x3a, 0x2e, 0x35, 0x21, 0x21, 0x79, 0x51, 0x44, + 0x58, 0x5d, 0x6f, 0x65, 0x6b, 0x76, 0x68, 0x3a, + 0x43, 0x70, 0x36, 0x41, 0x6b, 0x56, 0x64, 0x75, + 0x5b, 0x37, 0x24, 0x56, 0x7c, 0x6e, 0x6c, 0x41, + 0x3a, 0x60, 0x56, 0x38, 0x55, 0x63, 0x77, 0x4d, + 0x6e, 0x50, 0x3c, 0x3d, 0x7a, 0x44, 0x71, 0x42, + 0x4b, 0x55, 0x75, 0x72, 0x61, 0x60, 0x65, 0x6f, + 0x7a, 0x26, 0x64, 0x46, 0x67, 0x74, 0x29, 0x2a, + 0x5b, 0x62, 0x41, 0x28, 0x62, 0x30, 0x34, 0x33, + 0x40, 0x79, 
0x7a, 0x38, 0x56, 0x38, 0x73, 0x22,
+ 0x7a, 0x7d, 0x73, 0x2a, 0x2a, 0x28, 0x2b, 0x63,
+ 0x27, 0x6f, 0x3d, 0x3e, 0x2c, 0x56, 0x23, 0x32,
+ 0x4b, 0x3b, 0x58, 0x4d, 0x72, 0x4c, 0x49, 0x6f,
+ 0x30, 0x76, 0x23, 0x21, 0x21, 0x3c, 0x49, 0x56,
+ 0x7a, 0x56, 0x79, 0x2f, 0x50, 0x7a, 0x5b, 0x21,
+ 0x21, 0x4a, 0x48, 0x61, 0x33, 0x52, 0x49, 0x2e,
+ 0x30, 0x7d, 0x2c, 0x2d, 0x67, 0x23, 0x55, 0x62,
+ 0x66, 0x52, 0x5a, 0x61, 0x75, 0x63, 0x3c, 0x39,
+ 0x69, 0x41, 0x31, 0x6b, 0x4e, 0x6f, 0x25, 0x34,
+ 0x74, 0x30, 0x21, 0x3a, 0x40, 0x72, 0x44, 0x40,
+ 0x60, 0x4c, 0x53, 0x74, 0x42, 0x64, 0x44, 0x49,
+ 0x76, 0x67, 0x21, 0x79, 0x36, 0x3c, 0x37, 0x70,
+ 0x4f, 0x58, 0x29, 0x71, 0x2a, 0x3a, 0x4d, 0x5d,
+ 0x67, 0x68, 0x52, 0x63, 0x23, 0x24, 0x4b, 0x21,
+ 0x3f, 0x68, 0x69, 0x6c, 0x66, 0x66, 0x42, 0x28,
+ 0x59, 0x35, 0x34, 0x6f, 0x2d, 0x6a, 0x25, 0x66,
+ 0x34, 0x54, 0x5d, 0x50, 0x26, 0x41, 0x22, 0x4f,
+ 0x34, 0x79, 0x3c, 0x50, 0x68, 0x2d, 0x5f, 0x7b,
+ 0x63, 0x7d, 0x58, 0x2e, 0x73, 0x46, 0x2f, 0x54,
+ 0x61, 0x27, 0x74, 0x45, 0x23, 0x72, 0x31, 0x7d,
+ 0x63, 0x4b, 0x43, 0x5e, 0x44, 0x54, 0x2c, 0x38,
+ 0x58, 0x24, 0x75, 0x6c, 0x50, 0x3c, 0x23, 0x5f,
+ 0x35, 0x57, 0x4f, 0x7b, 0x2f, 0x57, 0x29, 0x73,
+ 0x58, 0x2a, 0x66, 0x3e, 0x49, 0x42, 0x5a, 0x6b,
+ 0x75, 0x6a, 0x38, 0x3f, 0x73, 0x44, 0x42, 0x46,
+ 0x2d, 0x39, 0x66, 0x5b, 0x28, 0x3e, 0x63, 0x62,
+ 0x53, 0x75, 0x65, 0x64, 0x79, 0x32, 0x35, 0x71,
+ 0x22, 0x6a, 0x7b, 0x41, 0x2b, 0x26, 0x43, 0x79,
+ 0x58, 0x6f, 0x71, 0x25, 0x24, 0x34, 0x72, 0x5b,
+ 0x4a, 0x2c, 0x5c, 0x77, 0x23, 0x42, 0x27, 0x6a,
+ 0x67, 0x51, 0x5f, 0x3c, 0x75, 0x2c, 0x3f, 0x43,
+ 0x45, 0x5b, 0x48, 0x65, 0x6f, 0x6c, 0x27, 0x65,
+ 0x21, 0x3e, 0x33, 0x37, 0x5f, 0x2b, 0x2e, 0x24,
+ 0x22, 0x47, 0x4e, 0x33, 0x5b, 0x7b, 0x21, 0x3c,
+ 0x53, 0x69, 0x2e, 0x31, 0x3d, 0x48, 0x57, 0x3a,
+ 0x56, 0x48, 0x6b, 0x47, 0x5d, 0x33, 0x41, 0x6c,
+ 0x66, 0x4c, 0x61, 0x67, 0x32, 0x69, 0x53, 0x2c,
+ 0x2f, 0x3e, 0x36, 0x68, 0x37, 0x28, 0x40, 0x21,
+ 0x76, 0x27, 0x44, 0x26, 0x24, 0x6a, 0x30, 0x75,
+ 0x2a, 0x73, 0x48, 0x36, 0x52, 0x4a, 0x3b, 0x51,
+ 0x4e, 0x2f, 0x23, 0x36, 0x4b, 0x49, 0x33, 0x5a,
+ 0x70, 0x2c, 0x54, 0x5b, 0x67, 0x48, 0x53, 0x5d,
+ 0x21, 0x3e, 0x6b, 0x52, 0x6a, 0x3c, 0x48, 0x29,
+ 0x68, 0x27, 0x32, 0x75, 0x61, 0x7c, 0x51, 0x2e,
+ 0x7b, 0x49, 0x2f, 0x5b, 0x3d, 0x74, 0x5a, 0x28,
+ 0x26, 0x29, 0x2c, 0x30, 0x54, 0x74, 0x45, 0x55,
+ 0x4a, 0x3d, 0x39, 0x35, 0x66, 0x56, 0x28, 0x6d,
+ 0x6e, 0x38, 0x7b, 0x2b, 0x40, 0x31, 0x56, 0x61,
+ 0x74, 0x2b, 0x79, 0x5f, 0x63, 0x51, 0x53, 0x52,
+ 0x7d, 0x73, 0x4e, 0x2e, 0x45, 0x3b, 0x22, 0x28,
+ 0x6c, 0x2b, 0x47, 0x21, 0x50, 0x2a, 0x7c, 0x45,
+ 0x48, 0x57, 0x3e, 0x2f, 0x6d, 0x66, 0x6c, 0x51,
+ 0x23, 0x6c, 0x37, 0x4d, 0x4b, 0x4b, 0x66, 0x55,
+ 0x69, 0x2e, 0x4a, 0x69, 0x71, 0x7c, 0x71, 0x30,
+ 0x5c, 0x43, 0x46, 0x63, 0x5a, 0x23, 0x75, 0x40
+ };
+ uint32_t request6_len = sizeof(request6);
+
+ uint8_t request7[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0x5d, 0x32, 0x55, 0x71, 0x51, 0x45, 0x4e, 0x54,
+ 0x34, 0x21, 0x46, 0x77, 0x5e, 0x5b, 0x75, 0x62,
+ 0x2b, 0x5c, 0x34, 0x26, 0x72, 0x2b, 0x2c, 0x64,
+ 0x4b, 0x65, 0x56, 0x72, 0x31, 0x7d, 0x6a, 0x5f,
+ 0x70, 0x26, 0x32, 0x29, 0x7d, 0x21, 0x5b, 0x3e,
+ 0x5e, 0x53, 0x3d, 0x48, 0x5e, 0x2a, 0x4c, 0x37,
+ 0x3d, 0x59, 0x79, 0x21, 0x4f, 0x56, 0x79, 0x2a,
+ 0x4e, 0x28, 0x61, 0x7d, 0x2c, 0x58, 0x2f, 0x78,
+ 0x5c, 0x3f, 0x5c, 0x42, 0x6d, 0x2f, 0x71, 0x54,
+ 0x25, 0x31, 0x73, 0x38, 0x6c, 0x31, 0x5a, 0x2e,
+ 0x42, 0x5b, 0x2d, 0x41, 0x24, 0x4c, 0x37, 0x40,
+ 0x39, 0x7d, 0x2a, 0x67, 0x60, 0x6a, 0x7a, 0x62,
+ 0x24, 0x4e, 0x3f, 0x2e, 0x69, 0x35, 0x28, 0x65,
+ 0x77, 0x53, 0x23, 0x44, 0x59, 0x71, 0x31, 0x5c,
+ 0x40, 0x5d, 0x3a, 0x27, 0x46, 0x55, 0x30, 0x56,
+ 0x21, 0x74, 0x3e, 0x73, 0x41, 0x22, 0x52, 0x68,
+ 0x40, 0x6c, 0x37, 0x3e, 0x62, 0x5a, 0x2e, 0x21,
+ 0x23, 0x33, 0x27, 0x73, 0x68, 0x26, 0x60, 0x67,
+ 0x70, 0x58, 0x50, 0x42, 0x58, 0x27, 0x3a, 0x35,
+ 0x6f, 0x51, 0x62, 0x78, 0x25, 0x2c, 0x7b, 0x66,
+ 0x34, 0x6a, 0x5a, 0x39, 0x60, 0x70, 0x41, 0x2d,
+ 0x65, 0x26, 0x5a, 0x67, 0x58, 0x2d, 0x3e, 0x56,
+ 0x6d, 0x30, 0x4b, 0x4d, 0x5d, 0x45, 0x41, 0x3d,
+ 0x6e, 0x27, 0x4e, 0x5a, 0x7d, 0x2e, 0x62, 0x4d,
+ 0x42, 0x70, 0x31, 0x24, 0x73, 0x5c, 0x78, 0x77,
+ 0x50, 0x73, 0x27, 0x48, 0x3d, 0x35, 0x2c, 0x4b,
+ 0x40, 0x2d, 0x25, 0x77, 0x5d, 0x3d, 0x6b, 0x50,
+ 0x6f, 0x57, 0x73, 0x2f, 0x4f, 0x6e, 0x4c, 0x6e,
+ 0x56, 0x7b, 0x55, 0x3c, 0x6d, 0x60, 0x47, 0x53,
+ 0x56, 0x39, 0x3b, 0x51, 0x61, 0x71, 0x75, 0x73,
+ 0x6b, 0x70, 0x58, 0x5f, 0x2c, 0x27, 0x74, 0x49,
+ 0x2c, 0x2b, 0x53, 0x2d, 0x5b, 0x79, 0x43, 0x34,
+ 0x39, 0x5a, 0x38, 0x3e, 0x2d, 0x66, 0x70, 0x3d,
+ 0x49, 0x51, 0x29, 0x4d, 0x5d, 0x4c, 0x57, 0x4a,
+ 0x2f, 0x41, 0x69, 0x56, 0x57, 0x77, 0x49, 0x58,
+ 0x75, 0x28, 0x29, 0x4a, 0x6d, 0x54, 0x4f, 0x4f,
+ 0x3f, 0x58, 0x5f, 0x58, 0x6f, 0x39, 0x22, 0x4d,
+ 0x5d, 0x31, 0x75, 0x43, 0x2f, 0x7d, 0x31, 0x3d,
+ 0x4c, 0x4d, 0x76, 0x74, 0x4d, 0x57, 0x3b, 0x56,
+ 0x57, 0x48, 0x2b, 0x5d, 0x32, 0x67, 0x51, 0x6e,
+ 0x60, 0x39, 0x6f, 0x64, 0x38, 0x37, 0x52, 0x4b,
+ 0x52, 0x42, 0x32, 0x4f, 0x24, 0x53, 0x31, 0x6e,
+ 0x4a, 0x68, 0x2f, 0x28, 0x2e, 0x27, 0x49, 0x75,
+ 0x77, 0x75, 0x26, 0x47, 0x7c, 0x5d, 0x72, 0x5a,
+ 0x77, 0x50, 0x2e, 0x6c, 0x27, 0x68, 0x6b, 0x7b,
+ 0x27, 0x63, 0x21, 0x3d, 0x30, 0x2d, 0x5c, 0x67,
+ 0x4d, 0x41, 0x79, 0x47, 0x42, 0x50, 0x6d, 0x32,
+ 0x74, 0x39, 0x62, 0x4d, 0x5f, 0x65, 0x78, 0x4f,
+ 0x67, 0x3a, 0x60, 0x26, 0x45, 0x61, 0x7c, 0x61,
+ 0x63, 0x40, 0x46, 0x79, 0x52, 0x47, 0x57, 0x49,
+ 0x53, 0x4c, 0x48, 0x36, 0x67, 0x47, 0x5c, 0x71,
+ 0x50, 0x4d, 0x4f, 0x58, 0x26, 0x40, 0x6d, 0x54,
+ 0x55, 0x67, 0x66, 0x23, 0x70, 0x23, 0x68, 0x70,
+ 0x4d, 0x2c, 0x7a, 0x3d, 0x60, 0x51, 0x35, 0x64,
+ 0x56, 0x2f, 0x26, 0x6d, 0x72, 0x6a, 0x59, 0x34,
+ 0x3a, 0x73, 0x4b, 0x27, 0x33, 0x61, 0x26, 0x45,
+ 0x61, 0x28, 0x74, 0x22, 0x54, 0x50, 0x2e, 0x39,
+ 0x6a, 0x2c, 0x27, 0x59, 0x26, 0x73, 0x44, 0x71,
+ 0x67, 0x4c, 0x37, 0x74, 0x2c, 0x63, 0x52, 0x2a,
+ 0x60, 0x4f, 0x7b, 0x32, 0x39, 0x21, 0x79, 0x54,
+ 0x79, 0x6d, 0x28, 0x27, 0x3a, 0x6a, 0x7d, 0x40,
+ 0x6a, 0x4f, 0x4b, 0x46, 0x61, 0x36, 0x6a, 0x22,
+ 0x3f, 0x77, 0x2d, 0x6a, 0x3b, 0x73, 0x71, 0x72,
+ 0x3c, 0x21, 0x2e, 0x3f, 0x33, 0x25, 0x76, 0x64,
+ 0x64, 0x70, 0x43, 0x32, 0x44, 0x73, 0x61, 0x51,
+ 0x3c, 0x3b, 0x45, 0x3a, 0x68, 0x46, 0x5b, 0x6e,
+ 0x36, 0x47, 0x4d, 0x38, 0x26, 0x4f, 0x5c, 0x7d,
+ 0x73, 0x29, 0x24, 0x78, 0x44, 0x75, 0x40, 0x42,
+ 0x41, 0x2a, 0x73, 0x2b, 0x24, 0x38, 0x51, 0x67,
+ 0x36, 0x67, 0x2f, 0x70, 0x58, 0x54, 0x6e, 0x5d,
+ 0x3b, 0x41, 0x59, 0x76, 0x7d, 0x2d, 0x40, 0x70,
+ 0x29, 0x4a, 0x4a, 0x31, 0x79, 0x2c, 0x4e, 0x22,
+ 0x31, 0x59, 0x31, 0x3c, 0x2f, 0x21, 0x29, 0x3f,
+ 0x65, 0x6c, 0x38, 0x55, 0x4f, 0x27, 0x66, 0x66,
+ 0x34, 0x45, 0x49, 0x41, 0x56, 0x24, 0x2e, 0x40,
+ 0x36, 0x23, 0x5a, 0x46, 0x40, 0x23, 0x7b, 0x2d,
+ 0x69, 0x54, 0x6c, 0x51, 0x58, 0x73, 0x56, 0x60,
+ 0x5f, 0x60, 0x63, 0x5f, 0x77, 0x6a, 0x4c, 0x2c,
+ 0x35, 0x39, 0x60, 0x73, 0x63, 0x3e, 0x2d, 0x55,
+ 0x5a, 0x26, 0x4b, 0x43, 0x3b, 0x56, 0x33, 0x58,
+ 0x74, 0x51, 0x4f, 0x5c, 0x2a, 0x44, 0x78, 0x66,
+ 0x78, 0x71, 0x40, 0x29, 0x5e, 0x26, 0x57, 0x51,
+ 0x49, 0x30, 0x29, 0x73, 0x38, 0x56, 0x6c, 0x41,
+ 0x78, 0x3d, 0x61, 0x3d, 0x2c, 0x33, 0x46, 0x57,
+ 0x54, 0x63, 0x3e, 0x79, 0x55, 0x4a, 0x7d, 0x2e,
+ 0x2a, 0x3c, 0x77, 0x47, 0x35, 0x29, 0x5a, 0x6d,
+ 0x69, 0x48, 0x6b, 0x73, 0x7d, 0x4f, 0x5f, 0x6f,
+ 0x3a, 0x7a, 0x4e, 0x54, 0x59, 0x38, 0x62, 0x44,
+ 0x72, 0x51, 0x57, 0x6a, 0x74, 0x54, 0x4f, 0x77,
+ 0x6b, 0x66, 0x4a, 0x6b, 0x39, 0x29, 0x69, 0x60,
+ 0x71, 0x52, 0x6a, 0x32, 0x66, 0x6c, 0x25, 0x76,
+ 0x27, 0x7a, 0x2c, 0x38, 0x72, 0x4e, 0x5f, 0x40,
+ 0x26, 0x74, 0x6a, 0x5e, 0x42, 0x38, 0x78, 0x34,
+ 0x4f, 0x4f, 0x35, 0x27, 0x39, 0x62, 0x52, 0x61,
+ 0x37, 0x54, 0x47, 0x38, 0x70, 0x31, 0x7a, 0x66,
+ 0x69, 0x72, 0x24, 0x52, 0x2a, 0x2a, 0x78, 0x72,
+ 0x2b, 0x2e, 0x2a, 0x57, 0x4a, 0x21, 0x52, 0x3c,
+ 0x2a, 0x2f, 0x24, 0x58, 0x34, 0x3c, 0x42, 0x5c,
+ 0x5b, 0x78, 0x27, 0x55, 0x63, 0x58, 0x3e, 0x26,
+ 0x50, 0x2c, 0x72, 0x60, 0x36, 0x6c, 0x46, 0x58,
+ 0x63, 0x59, 0x23, 0x2a, 0x2d, 0x63, 0x6a, 0x68,
+ 0x69, 0x74, 0x3f, 0x49, 0x4f, 0x48, 0x4a, 0x3b,
+ 0x59, 0x56, 0x77, 0x43, 0x6d, 0x57, 0x28, 0x5f,
+ 0x39, 0x73, 0x28, 0x74, 0x3c, 0x4f, 0x43, 0x48,
+ 0x6a, 0x57, 0x5d, 0x41, 0x73, 0x3f, 0x41, 0x7c,
+ 0x65, 0x5e, 0x2d, 0x38, 0x72, 0x3a, 0x53, 0x3e,
+ 0x33, 0x47, 0x69, 0x6a, 0x6e, 0x78, 0x67, 0x5d,
+ 0x35, 0x3b, 0x3f, 0x23, 0x7c, 0x71, 0x3d, 0x7c,
+ 0x3a, 0x3c, 0x75, 0x6e, 0x00, 0x00, 0x00, 0x00,
+ 0x50, 0x6a, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x50, 0x6a, 0x40, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x50, 0x6a, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x50, 0x6a, 0x40, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x50, 0x80, 0x23, 0x00, 0xdf, 0xaf, 0xff, 0x33,
+ 0x9b, 0x78, 0x70, 0x43, 0xc5, 0x0a, 0x4d, 0x98,
+ 0x96, 0x02, 0x64, 0x92, 0xc1, 0xee, 0x70, 0x32
+ };
+ uint32_t request7_len = sizeof(request7);
+
+ uint8_t request8[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0x65, 0xc1, 0xef, 0x7b, 0xd6, 0xaa, 0xd6, 0x09,
+ 0x21, 0xf6, 0xe7, 0xd1, 0x4c, 0xdf, 0x6a, 0x2d,
+ 0x0a, 0xfb, 0x43, 0xea, 0xda, 0x07, 0x24, 0x84,
+ 0x88, 0x52, 0x9e, 0xa8, 0xa1, 0x7f, 0x4b, 0x60,
+ 0xec, 0x94, 0x57, 0x33, 0x06, 0x93, 0x92, 0x25,
+ 0xd6, 0xac, 0xdc, 0x89, 0x68, 0x5e, 0xbb, 0x32,
+ 0x2b, 0x17, 0x68, 0xf2, 0x06, 0xb7, 0x86, 0xac,
+ 0x81, 0xfe, 0x52, 0x27, 0xf5, 0x80, 0x11, 0x0d,
+ 0x4e, 0x2e, 0x1b, 0xa3, 0x44, 0x8a, 0x58, 0xed,
+ 0xf3, 0x9c, 0xe9, 0x31, 0x01, 0x72, 0xa6, 0xab,
+ 0xfa, 0xa8, 0x05, 0x00, 0x37, 0x60, 0x6b, 0x81,
+ 0xef, 0xf4, 0x96, 0x9a, 0xf7, 0x67, 0x95, 0x27,
+ 0x7a, 0x25, 0xef, 0x6f, 0x0e, 0xff, 0x2d, 0x15,
+ 0x7f, 0x23, 0x1c, 0xa7, 0x56, 0x94, 0x4a, 0x18,
+ 0x98, 0xc6, 0xd8, 0xd2, 0x29, 0x5b, 0x57, 0xb8,
+ 0x5d, 0x3a, 0x93, 0x58, 0x45, 0x77, 0x36, 0xe3,
+ 0xd1, 0x36, 0x87, 0xff, 0xe3, 0x94, 0x0f, 0x00,
+ 0xe6, 0x7c, 0x1a, 0x92, 0xc1, 0x5f, 0x40, 0xc3,
+ 0xa3, 0x25, 0xce, 0xd4, 0xaf, 0x39, 0xeb, 0x17,
+ 0xcf, 0x22, 0x43, 0xd9, 0x0c, 0xce, 0x37, 0x86,
+ 0x46, 0x54, 0xd6, 0xce, 0x00, 0x30, 0x36, 0xae,
+ 0xf9, 0xb5, 0x2b, 0x11, 0xa0, 0xfe, 0xa3, 0x4b,
+ 0x2e, 0x05, 0xbe, 0x54, 0xa9, 0xd8, 0xa5, 0x76,
+ 0x83, 0x5b, 0x63, 0x01, 0x1c, 0xd4, 0x56, 0x72,
+ 0xcd, 0xdc, 0x4a, 0x1d, 0x77, 0xda, 0x8a, 0x9e,
+ 0xba, 0xcb, 0x6c, 0xe8, 0x19, 0x5d, 0x68, 0xef,
+ 0x8e, 0xbc, 0x6a, 0x05, 0x53, 0x0b, 0xc7, 0xc5,
+ 0x96, 0x84, 0x04, 0xd9, 0xda, 0x4c, 0x42, 0x31,
+ 0xd9, 0xbd, 0x99, 0x06, 0xf7, 0xa3, 0x0a, 0x19,
+ 0x49, 0x07, 0x77, 0xf0, 0xdb, 0x7c, 0x43, 0xfa,
+ 0xb2, 0xad, 0xb0, 0xfa, 0x87, 0x52, 0xba, 0xc9,
+ 0x94, 0x61, 0xdc, 0xcf, 0x16, 0xac, 0x0f, 0x4a,
+ 0xa3, 0x6b, 0x5b, 0x6e, 0x27, 0x86, 0x1f, 0xfe,
+ 0x4d, 0x28, 0x3a, 0xa5, 0x10, 0x54, 0x6d, 0xed,
+ 0x53, 0xf9, 0x73, 0xc6, 0x6e, 0xa8, 0xc0, 0x97,
+ 0xcf, 0x56, 0x3b, 0x61, 0xdf, 0xab, 0x83, 0x18,
+ 0xe8, 0x09, 0xee, 0x6a, 0xb7, 0xf5, 0xc9, 0x62,
+ 0x55, 0x2d, 0xc7, 0x0c, 0x0d, 0xa0, 0x22, 0xd8,
+ 0xd4, 0xd6, 0xb2, 0x12, 0x21, 0xd7, 0x73, 0x3e,
+ 0x41, 0xb0, 0x5c, 0xd4, 0xcf, 0x98, 0xf3, 0x70,
+ 0xe6, 0x08, 0xe6, 0x2a, 0x4f, 0x24, 0x85, 0xe8,
+ 0x74, 0xa8, 0x41, 0x5f, 0x0e, 0xfd, 0xf1, 0xf3,
+ 0xbe, 0x9b, 0x14, 0xfd, 0xc0, 0x73, 0x11, 0xff,
+ 0xa5, 0x5b, 0x06, 0x34, 0xc3, 0x6c, 0x28, 0x42,
+ 0x07, 0xfe, 0x8a, 0xa5, 0xbe, 0x72, 0x7a, 0xf7,
+ 0xfa, 0x25, 0xec, 0x35, 0x5e, 0x98, 0x71, 0x50,
+ 0x60, 0x35, 0x76, 0x53, 0x40, 0x1a, 0x34, 0xa5,
+ 0x99, 0x09, 0xa2, 0xc6, 0xca, 0xa5, 0xce, 0x08,
+ 0x50, 0x45, 0xab, 0x8d, 0xfb, 0xe3, 0xb8, 0xe4,
+ 0x8a, 0x61, 0x48, 0x14, 0x6e, 0xf7, 0x58, 0x71,
+ 0xe5, 0x2e, 0xbc, 0x12, 0xd1, 0x25, 0xe9, 0x65,
+ 0x7a, 0xa1, 0x27, 0xbe, 0x3b, 0x8b, 0xe8, 0xe7,
+ 0xbc, 0xe1, 0x05, 0xe7, 0x92, 0xeb, 0xb9, 0xdf,
+ 0x5d, 0x53, 0x74, 0xc0, 0x63, 0x97, 0x80, 0xb8,
+ 0x3c, 0xae, 0xf3, 0xf2, 0x09, 0x12, 0x81, 0x6c,
+ 0x69, 0x10, 0x6f, 0xf6, 0xbe, 0x03, 0x7b, 0x88,
+ 0xcf, 0x26, 0x6b, 0x51, 0x06, 0x23, 0x68, 0x03,
+ 0xa1, 0xb7, 0xd3, 0x0c, 0xca, 0xbf, 0x29, 0x01,
+ 0xa9, 0x61, 0x34, 0x75, 0x98, 0x1e, 0x05, 0x59,
+ 0xb3, 0x46, 0x44, 0xff, 0x2b, 0x98, 0x04, 0x88,
+ 0x89, 0xfd, 0x7f, 0xd5, 0x19, 0x8a, 0xa6, 0xf3,
+ 0xd9, 0x44, 0xd5, 0xf9, 0x3a, 0x3c, 0xec, 0xd9,
+ 0x9b, 0x8c, 0x93, 0x93, 0x2b, 0x44, 0x86, 0x8b,
+ 0x80, 0x83, 0x23, 0x00, 0xdf, 0xaf, 0xff, 0x33,
+ 0x9b, 0x78, 0x70, 0x43, 0xf1, 0x55, 0x87, 0xb1,
+ 0xa1, 0xb3, 0x8e, 0x79, 0x02, 0x70, 0x82, 0x6c,
+ 0x0b, 0xc1, 0xef, 0x96, 0xf1, 0xef, 0xdd, 0xa2,
+ 0x69, 0x86, 0xc7, 0x85, 0x09, 0x7e, 0xf0, 0x2f,
+ 0x8e, 0xa0, 0x5f, 0xea, 0x39, 0x2e, 0x24, 0xf0,
+ 0x82, 0x30, 0x26, 0xa8, 0xa1, 0x4f, 0xc6, 0x5c,
+ 0xec, 0x94, 0x87, 0x52, 0x9b, 0x93, 0x92, 0xf3,
+ 0xa3, 0x1b, 0xc7, 0x8f, 0x9e, 0xb3, 0xbb, 0x32,
+ 0x2b, 0x17, 0x54, 0xf2, 0x06, 0x0c, 0x86, 0x92,
+ 0x0f, 0xb8, 0xe0, 0x27, 0x50, 0xaa, 0xeb, 0xf5,
+ 0x4e, 0x2b, 0x1b, 0xb2, 0x44, 0xe6, 0x58, 0x02,
+ 0xd7, 0x65, 0xdc, 0x31, 0x01, 0xec, 0xa6, 0xab,
+ 0xfa, 0xa8, 0x05, 0x00, 0x37, 0x60, 0x4f, 0xa1,
+ 0x3c, 0x4f, 0x7a, 0x9a, 0x10, 0x67, 0x95, 0xc2,
+ 0x5b, 0x25, 0xef, 0x76, 0x0e, 0xff, 0x2d, 0x15,
+ 0x7f, 0x23, 0x1c, 0x77, 0x56, 0x94, 0x4a, 0x18,
+ 0x98, 0xc6, 0xd8, 0xd2, 0x29, 0x44, 0x57, 0xb8,
+ 0x40, 0x3a, 0x93, 0x58, 0x45, 0x77, 0x36, 0x36,
+ 0x07, 0x35, 0x2a, 0xff, 0x00, 0x94, 0x5c, 0x80,
+ 0xe6, 0x7c, 0x1a, 0x92, 0xc1, 0x5f, 0x40, 0xc3,
+ 0xbc, 0xf8, 0xce, 0x05, 0x77, 0x39, 0x40, 0x17,
+ 0xcf, 0x63, 0x43, 0x77, 0x27, 0xce, 0x37, 0x86,
+ 0x46, 0x54, 0xd6, 0xce, 0x00, 0x30, 0x36, 0xae,
+ 0x9f, 0x24, 0x2b, 0x5a, 0xa0, 0xfe, 0xa3, 0x4b,
+ 0x2e, 0x7e, 0xf7, 0x54, 0xa9, 0xd8, 0xa5, 0x76,
+ 0x83, 0x7b, 0x63, 0x01, 0x1c, 0xd4, 0x56, 0x17,
+ 0x02, 0xdc, 0x4a, 0x89, 0x77, 0xda, 0x8f, 0x9e,
+ 0xba, 0xcb, 0x37, 0xe8, 0x19, 0x5d, 0x68, 0x38,
+ 0x8e, 0xbc, 0x6a, 0x05, 0x53, 0x0b, 0xc7, 0xc5,
+ 0x96, 0x84, 0x5a, 0xd9, 0x6d, 0x4c, 0x42, 0x31,
+ 0xd9, 0xf2, 0x99, 0x06, 0xf7, 0x0c, 0x99, 0xbe,
+ 0x49, 0x07, 0x77, 0xf0, 0x8b, 0x7c, 0x43, 0xfa,
+ 0xb2, 0xad, 0xb0, 0xfa, 0x87, 0x52, 0xba, 0xc9,
+ 0x94, 0x61, 0xdc, 0xcf, 0x16, 0xac, 0x0f, 0x4a,
+ 0xa3, 0x6b, 0x5b, 0x6e, 0x27, 0x86, 0x1f, 0xfe,
+ 0x4d, 0x28, 0x3a, 0xa5, 0x10, 0x98, 0x6d, 0xed,
+ 0x53, 0xf9, 0x73, 0xc6, 0xa5, 0xa8, 0xf7, 0x66,
+ 0xcf, 0x56, 0x3b, 0x61, 0xdf, 0xab, 0x83, 0x18,
+ 0xe8, 0x09, 0xee, 0x6a, 0xb7, 0xf5, 0xc9, 0x62,
+ 0x55, 0x2d, 0xc7, 0x0c, 0x0d, 0xa0, 0x22, 0xd8,
+ 0xd4, 0xd6, 0xb2, 0x12, 0x21, 0xd7, 0x73, 0x3e,
+ 0x41, 0xb0, 0x5c, 0xd4, 0xcf, 0x98, 0xf3, 0x70,
+ 0xe6, 0x08, 0xe6, 0x2a, 0x4f, 0x92, 0x85, 0xe8,
+ 0x74, 0xa8, 0x41, 0x5f, 0x0e, 0xfd, 0xf1, 0xf3,
+ 0xbe, 0x9b, 0x14, 0xfd, 0xc0, 0x73, 0x11, 0xff,
+ 0xa5, 0x5b, 0x06, 0x34, 0xc3, 0x5d, 0x28, 0x42,
+ 0x34, 0xfe, 0x8a, 0xa5, 0xbe, 0x72, 0x7a, 0xf7,
+ 0xfa, 0x25, 0x2b, 0x35, 0x5e, 0x98, 0x71, 0x50,
+ 0x2c, 0x35, 0x76, 0x53, 0x4e, 0x1a, 0x34, 0xa5,
+ 0x99, 0x09, 0xa2, 0xc6, 0xca, 0xa5, 0xce, 0x08,
+ 0x50, 0x45, 0xab, 0x8d, 0xfb, 0xe3, 0xb8, 0xe4,
+ 0x8a, 0x61, 0x48, 0x14, 0x6e, 0xf7, 0x58, 0x71,
+ 0xe5, 0x2e, 0xbc, 0x12, 0xd1, 0x25, 0xe9, 0x65,
+ 0x7a, 0xa1, 0x27, 0xbe, 0x3b, 0x8b, 0xe8, 0xe7,
+ 0xbc, 0x77, 0x05, 0xe7, 0x92, 0xeb, 0xb9, 0xdf,
+ 0x5d, 0x53, 0x74, 0xc0, 0x63, 0x97, 0x80, 0xb8,
+ 0x3c, 0xae, 0xf3, 0xf2, 0x09, 0x12, 0x81, 0x6c,
+ 0x69, 0x10, 0x6f, 0xf6, 0xbe, 0x03, 0x7b, 0x88,
+ 0xcf, 0x26, 0x6b, 0x51, 0x06, 0x23, 0x68, 0x03,
+ 0xa1, 0xb7, 0xd3, 0x0c, 0xca, 0xbf, 0x29, 0x01,
+ 0xa9, 0x61, 0x34, 0x75, 0x98, 0x1e, 0x6f, 0x59,
+ 0xb3, 0x46, 0x44, 0xff, 0x2b, 0x98, 0x04, 0x88,
+ 0x89, 0xfd, 0x1c, 0xd5, 0x19, 0x8a, 0xa6, 0xf3,
+ 0xd9, 0x44, 0xd5, 0xf9, 0x79, 0x26, 0x46, 0xf7
+ };
+ uint32_t request8_len = sizeof(request8);
+
+ uint8_t request9[] = {
+ 0x05, 0x00, 0x00, 0x02, 0x10, 0x00, 0x00, 0x00,
+ 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xbf, 0xa1, 0x12, 0x73, 0x23, 0x44, 0x86, 0x8b,
+ 0x50, 0x6a, 0x40, 0x00
+ };
+ uint32_t request9_len = sizeof(request9);
+
+ TcpSession ssn;
+ Packet p[11];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|26 d0 cf 80|; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|43 5b 67 26 65|; sid:2;)";
+ char *sig3 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|71 69 75 3e|; sid:3;)";
+ char *sig4 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|6a 68 69 3e 72|; sid:4;)";
+ char *sig5 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|61 50 71 45 29 5b 56 3d 5a|; sid:5;)";
+ char *sig6 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|23 75 40 5d 32 55|; sid:6;)";
+ char *sig7 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|ee 70 32 65 c1|; sid:7;)";
+ char *sig8 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|79 26 46 f7 bf a1|; sid:8;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 11; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+ p[1].flowflags |= FLOW_PKT_TOCLIENT;
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig2);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig3);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig4);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig5);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig6);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig7);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig8);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
+ if ((PacketAlertCheck(&p[2], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
+ if (!(PacketAlertCheck(&p[3], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request3, request3_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[4]);
+ if ((PacketAlertCheck(&p[4], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[4], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[4], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[4], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[4], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[4], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[4], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[4], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request4, request4_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[5]);
+ if ((PacketAlertCheck(&p[5], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[5], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[5], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[5], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[5], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[5], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[5], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[5], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request5, request5_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[6]);
+ if ((PacketAlertCheck(&p[6], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[6], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[6], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[6], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[6], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[6], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[6], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[6], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request6, request6_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[7]);
+ if ((PacketAlertCheck(&p[7], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[7], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[7], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[7], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[7], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[7], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[7], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[7], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request7, request7_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[8]);
+ if ((PacketAlertCheck(&p[8], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[8], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[8], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[8], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[8], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[8], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[8], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[8], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request8, request8_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[9]);
+ if ((PacketAlertCheck(&p[9], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[9], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[9], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[9], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[9], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[9], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[9], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[9], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request9, request9_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[10]);
+ if ((PacketAlertCheck(&p[10], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[10], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[10], 3))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[10], 4))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[10], 5))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[10], 6))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[10], 7))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[10], 8))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Test the working of detection engien with respect to dce keywords.
+ */
+int DcePayloadTest02(void)
+{
+ int result = 0;
+ uint8_t bind[] = {
+ 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+ 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
+ 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
+ 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+ 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+ 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_len = sizeof(bind);
+
+ uint8_t bind_ack[] = {
+ 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
+ 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
+ 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
+ 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
+ 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_ack_len = sizeof(bind_ack);
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+ 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97,
+ 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40,
+ 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd,
+ 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96,
+ 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f,
+ 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f,
+ 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b,
+ 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6,
+ 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46,
+ 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48,
+ 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b,
+ 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99,
+ 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46,
+ 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6,
+ 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46,
+ 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48,
+ 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49,
+ 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90,
+ 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93,
+ 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41,
+ 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37,
+ 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37,
+ 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5,
+ 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96,
+ 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f,
+ 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97,
+ 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48,
+ 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37,
+ 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27,
+ 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37,
+ 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52,
+ 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
+ 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83,
+ 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d,
+ 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a,
+ 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6,
+ 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa,
+ 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2,
+ 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09,
+ 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42,
+
0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 
0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 
0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 
0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 
0x47, 0x46, 0x6d, 0x72, + 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a, + 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d, + 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36, + 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c, + 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67 + }; + uint32_t request2_len = sizeof(request2); + + + TcpSession ssn; + Packet p[4]; + ThreadVars tv; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + Flow f; + int r; + int i = 0; + + char *sig1 = "alert tcp any any -> any any " + "(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "sid:1;)"; + char *sig2 = "alert tcp any any -> any any (dce_stub_data; " + "content:|2d 5e 63 2a 4c|; sid:2;)"; + + Signature *s; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + for (i = 0; i < 4; i++) { + memset(&p[i], 0, sizeof(Packet)); + p[i].src.family = AF_INET; + p[i].dst.family = AF_INET; + p[i].payload = NULL; + p[i].payload_len = 0; + p[i].proto = IPPROTO_TCP; + p[i].flow = &f; + p[i].flowflags |= FLOW_PKT_TOSERVER; + } + p[1].flowflags |= FLOW_PKT_TOCLIENT; + + f.protoctx = (void *)&ssn; + f.src.family = AF_INET; + f.dst.family = AF_INET; + f.alproto = ALPROTO_DCERPC; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, sig1); + s = de_ctx->sig_list; + if (s == NULL) + goto end; + + s->next = SigInit(de_ctx, sig2); + s = s->next; + if (s == NULL) + goto end; + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]); + if (!(PacketAlertCheck(&p[0], 1))) { + printf("sid 1 didn't 
match but should have: "); + goto end; + } + if ((PacketAlertCheck(&p[0], 2))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]); + if ((PacketAlertCheck(&p[1], 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + if ((PacketAlertCheck(&p[1], 2))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]); + if ((PacketAlertCheck(&p[2], 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + if ((PacketAlertCheck(&p[2], 2))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + /* detection phase */ + SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]); + if ((PacketAlertCheck(&p[3], 1))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + if (!(PacketAlertCheck(&p[3], 2))) { + printf("sid 1 didn't match but should have: "); + goto end; + } + + result = 1; + +end: + return result; +} + +/** + * \test Test the working of detection engien with respect to dce keywords. 
+ */
+int DcePayloadTest03(void)
+{
+ int result = 0;
+ uint8_t bind[] = {
+ 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+ 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
+ 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
+ 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+ 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+ 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_len = sizeof(bind);
+
+ uint8_t bind_ack[] = {
+ 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
+ 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
+ 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
+ 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
+ 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_ack_len = sizeof(bind_ack);
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+ 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97,
+ 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40,
+ 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd,
+ 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96,
+ 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f,
+ 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f,
+ 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b,
+ 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6,
+ 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46,
+ 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48,
+ 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b,
+ 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99,
+ 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46,
+ 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6,
+ 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46,
+ 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48,
+ 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49,
+ 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90,
+ 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93,
+ 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41,
+ 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37,
+ 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37,
+ 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5,
+ 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96,
+ 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f,
+ 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97,
+ 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48,
+ 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37,
+ 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27,
+ 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37,
+ 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52,
+ 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
+ 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83,
+ 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d,
+ 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a,
+ 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6,
+ 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa,
+ 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2,
+ 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09,
+ 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42,
+ 0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69,
+ 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09,
+ 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9,
+ 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09,
+ 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42,
+ 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09,
+ 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea,
+ 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3,
+ 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea,
+ 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea,
+ 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd,
+ 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7,
+ 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77,
+ 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1,
+ 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4,
+ 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17,
+ 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54,
+ 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26,
+ 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7,
+ 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5,
+ 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52,
+ 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d,
+ 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4,
+ 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb,
+ 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60,
+ 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c,
+ 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29,
+ 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7,
+ 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3,
+ 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d,
+ 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d,
+ 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09,
+ 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0
+ };
+ uint32_t request1_len = sizeof(request1);
+
+ uint8_t request2[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1,
+ 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28,
+ 0x27, 0x30, 0x48, 0x55, 0x42, 0x6a, 0x48, 0x4b,
+ 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d,
+ 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c,
+ 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35,
+ 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61,
+ 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34,
+ 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e,
+ 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46,
+ 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23,
+ 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e,
+ 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72,
+ 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38,
+ 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37,
+ 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56,
+ 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a,
+ 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65,
+ 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c,
+ 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d,
+ 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b,
+ 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35,
+ 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d,
+ 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e,
+ 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21,
+ 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58,
+ 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77,
+ 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f,
+ 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52,
+ 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25,
+ 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42,
+ 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56,
+ 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24,
+ 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b,
+ 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49,
+ 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60,
+ 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b,
+ 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56,
+ 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c,
+ 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31,
+ 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45,
+ 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22,
+ 0x70, 0x24, 0x34, 0x67, 0x4b, 0x6d, 0x58, 0x29,
+ 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62,
+ 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33,
+ 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69,
+ 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66,
+ 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34,
+ 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49,
+ 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c,
+ 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70,
+ 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22,
+ 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44,
+ 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36,
+ 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73,
+ 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a,
+ 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77,
+ 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d,
+ 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44,
+ 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a,
+ 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c,
+ 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66,
+ 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62,
+ 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24,
+ 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36,
+ 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c,
+ 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53,
+ 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61,
+ 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55,
+ 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46,
+ 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a,
+ 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43,
+ 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62,
+ 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53,
+ 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b,
+ 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67,
+ 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a,
+ 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60,
+ 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c,
+ 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22,
+ 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42,
+ 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48,
+ 0x33, 0x3b, 0x5a, 0x53, 0x3f, 0x4e, 0x3f, 0x6b,
+ 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55,
+ 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71,
+ 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a,
+ 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38,
+ 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65,
+ 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d,
+ 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c,
+ 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48,
+ 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59,
+ 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28,
+ 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33,
+ 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67,
+ 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73,
+ 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b,
+ 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55,
+ 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b,
+ 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76,
+ 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61,
+ 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71,
+ 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74,
+ 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e,
+ 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e,
+ 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27,
+ 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60,
+ 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a,
+ 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a,
+ 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32,
+ 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77,
+ 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a,
+ 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e,
+ 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60,
+ 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38,
+ 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b,
+ 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c,
+ 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53,
+ 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78,
+ 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44,
+ 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a,
+ 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47,
+ 0x67, 0x40, 0x27, 0x5e, 0x47, 0x46, 0x6d, 0x72,
+ 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a,
+ 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d,
+ 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36,
+ 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c,
+ 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67
+ };
+ uint32_t request2_len = sizeof(request2);
+
+
+ TcpSession ssn;
+ Packet p[4];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef4; "
+ "sid:1;)";
+ char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|2d 5e 63 2a 4c|; sid:2;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 4; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+ p[1].flowflags |= FLOW_PKT_TOCLIENT;
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig2);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
+ if ((PacketAlertCheck(&p[2], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
+ if ((PacketAlertCheck(&p[3], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[3], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Test the working of detection engien with respect to dce keywords.
+ */
+int DcePayloadTest04(void)
+{
+ int result = 0;
+ uint8_t bind[] = {
+ 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+ 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
+ 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
+ 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+ 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+ 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_len = sizeof(bind);
+
+ uint8_t bind_ack[] = {
+ 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
+ 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
+ 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
+ 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
+ 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_ack_len = sizeof(bind_ack);
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+
0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97, + 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40, + 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd, + 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96, + 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f, + 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f, + 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b, + 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6, + 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46, + 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48, + 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b, + 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99, + 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46, + 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6, + 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46, + 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48, + 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49, + 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90, + 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93, + 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41, + 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37, + 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37, + 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5, + 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96, + 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f, + 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97, + 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48, + 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37, + 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27, + 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37, + 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52, + 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, + 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83, + 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d, + 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a, + 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6, + 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa, + 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2, + 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09, + 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42, + 
0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 
0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 
0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 
0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 
0x47, 0x46, 0x6d, 0x72,
+ 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a,
+ 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d,
+ 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36,
+ 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c,
+ 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67
+ };
+ uint32_t request2_len = sizeof(request2);
+
+
+ TcpSession ssn;
+ Packet p[4];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
+ "content:|91 27 27 40|; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|2d 5e 63 2a 4c|; sid:2;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 4; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+ p[1].flowflags |= FLOW_PKT_TOCLIENT;
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig2);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
+ if (!(PacketAlertCheck(&p[2], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
+ if ((PacketAlertCheck(&p[3], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[3], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Test the working of detection engien with respect to dce keywords.
+ */
+int DcePayloadTest05(void)
+{
+ int result = 0;
+ uint8_t bind[] = {
+ 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+ 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
+ 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
+ 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+ 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+ 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_len = sizeof(bind);
+
+ uint8_t bind_ack[] = {
+ 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
+ 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
+ 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
+ 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
+ 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_ack_len = sizeof(bind_ack);
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b, +
0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41, + 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f, + 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97, + 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99, + 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96, + 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49, + 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc, + 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91, + 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48, + 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e, + 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a, + 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98, + 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e, + 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43, + 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92, + 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96, + 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6, + 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37, + 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97, + 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92, + 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e, + 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd, + 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e, + 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f, + 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46, + 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b, + 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27, + 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47, + 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97, + 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e, + 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e, + 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f, + 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40, + 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40, + 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5, + 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd, + 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42, + 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8, + 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91, + 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97, + 
0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97, + 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40, + 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd, + 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96, + 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f, + 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f, + 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b, + 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6, + 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46, + 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48, + 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b, + 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99, + 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46, + 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6, + 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46, + 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48, + 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49, + 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90, + 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93, + 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41, + 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37, + 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37, + 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5, + 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96, + 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f, + 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97, + 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48, + 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37, + 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27, + 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37, + 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52, + 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, + 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83, + 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d, + 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a, + 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6, + 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa, + 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2, + 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09, + 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42, + 
0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 
0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 
0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 
0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 
0x47, 0x46, 0x6d, 0x72,
+ 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a,
+ 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d,
+ 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36,
+ 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c,
+ 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67
+ };
+ uint32_t request2_len = sizeof(request2);
+
+ TcpSession ssn;
+ Packet p[4];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef4; "
+ "content:|91 27 27 40|; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|2d 5e 63 2a 4c|; sid:2;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 4; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+ p[1].flowflags |= FLOW_PKT_TOCLIENT;
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig2);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
+ if ((PacketAlertCheck(&p[2], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
+ if ((PacketAlertCheck(&p[3], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[3], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Test the working of detection engien with respect to dce keywords.
+ */
+int DcePayloadTest06(void)
+{
+ int result = 0;
+ uint8_t bind[] = {
+ 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
+ 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
+ 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
+ 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
+ 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
+ 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_len = sizeof(bind);
+
+ uint8_t bind_ack[] = {
+ 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
+ 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
+ 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
+ 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
+ 0x02, 0x00, 0x00, 0x00
+ };
+ uint32_t bind_ack_len = sizeof(bind_ack);
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b, +
0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41, + 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f, + 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97, + 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99, + 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96, + 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49, + 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc, + 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91, + 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48, + 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e, + 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a, + 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98, + 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e, + 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43, + 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92, + 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96, + 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6, + 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37, + 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97, + 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92, + 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e, + 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd, + 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e, + 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f, + 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46, + 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b, + 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27, + 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47, + 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97, + 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e, + 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e, + 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f, + 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40, + 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40, + 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5, + 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd, + 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42, + 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8, + 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91, + 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97, + 
0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97, + 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40, + 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd, + 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96, + 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f, + 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f, + 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b, + 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6, + 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46, + 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48, + 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b, + 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99, + 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46, + 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6, + 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46, + 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48, + 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49, + 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90, + 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93, + 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41, + 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37, + 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37, + 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5, + 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96, + 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f, + 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97, + 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48, + 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37, + 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27, + 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37, + 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52, + 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, + 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83, + 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d, + 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a, + 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6, + 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa, + 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2, + 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09, + 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42, + 
0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 
0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 
0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 
0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 
0x47, 0x46, 0x6d, 0x72,
+ 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a,
+ 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d,
+ 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36,
+ 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c,
+ 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67
+ };
+ uint32_t request2_len = sizeof(request2);
+
+
+ TcpSession ssn;
+ Packet p[4];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
+ "content:|91 27 27 30|; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|2d 5e 63 2a 4c|; sid:2;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 4; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+ p[1].flowflags |= FLOW_PKT_TOCLIENT;
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig2);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
+ if ((PacketAlertCheck(&p[2], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
+ if ((PacketAlertCheck(&p[3], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if (!(PacketAlertCheck(&p[3], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Test the working of detection engien with respect to dce keywords.
+ */ +int DcePayloadTest07(void) +{ + int result = 0; + uint8_t bind[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, + 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 + }; + uint32_t bind_len = sizeof(bind); + + uint8_t bind_ack[] = { + 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00, + 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, + 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, + 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, + 0x02, 0x00, 0x00, 0x00 + }; + uint32_t bind_ack_len = sizeof(bind_ack); + + uint8_t request1[] = { + 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40, + 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48, + 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37, + 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd, + 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6, + 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93, + 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92, + 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5, + 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93, + 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98, + 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49, + 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92, + 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42, + 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b, + 
0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41, + 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f, + 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97, + 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99, + 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96, + 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49, + 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc, + 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91, + 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48, + 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e, + 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a, + 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98, + 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e, + 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43, + 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92, + 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96, + 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6, + 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37, + 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97, + 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92, + 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e, + 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd, + 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e, + 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f, + 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46, + 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b, + 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27, + 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47, + 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97, + 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e, + 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e, + 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f, + 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40, + 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40, + 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5, + 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd, + 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42, + 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8, + 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91, + 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97, + 
0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97, + 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40, + 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd, + 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96, + 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f, + 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f, + 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b, + 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6, + 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46, + 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48, + 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b, + 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99, + 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46, + 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6, + 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46, + 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48, + 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49, + 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90, + 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93, + 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41, + 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37, + 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37, + 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5, + 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96, + 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f, + 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97, + 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48, + 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37, + 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27, + 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37, + 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52, + 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, + 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83, + 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d, + 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a, + 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6, + 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa, + 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2, + 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09, + 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42, + 
0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 
0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 
0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 
0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 
0x47, 0x46, 0x6d, 0x72,
+ 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a,
+ 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d,
+ 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36,
+ 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c,
+ 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67
+ };
+ uint32_t request2_len = sizeof(request2);
+
+ TcpSession ssn;
+ Packet p[4];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
+ "content:|91 27 27 30|; sid:1;)";
+ char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
+ "content:|2d 5e 63 35 25|; sid:2;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 4; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+ p[1].flowflags |= FLOW_PKT_TOCLIENT;
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ s->next = SigInit(de_ctx, sig2);
+ s = s->next;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, bind, bind_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[0], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, bind_ack, bind_ack_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[1], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[2]);
+ if ((PacketAlertCheck(&p[2], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[2], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[3]);
+ if ((PacketAlertCheck(&p[3], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+ if ((PacketAlertCheck(&p[3], 2))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Positive test, to test the working of distance and within.
+ */
+int DcePayloadTest08(void)
+{
+ int result = 0;
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+ 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97,
+ 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40,
+ 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd,
+ 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96,
+ 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f,
+ 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f,
+ 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b,
+ 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6,
+ 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46,
+ 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48,
+ 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b,
+ 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99,
+ 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46,
+ 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6,
+ 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46,
+ 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48,
+ 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49,
+ 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90,
+ 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93,
+ 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41,
+ 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37,
+ 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37,
+ 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5,
+ 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96,
+ 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f,
+ 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97,
+ 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48,
+ 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37,
+ 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27,
+ 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37,
+ 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52,
+ 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
+ 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83,
+ 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d,
+ 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a,
+ 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6,
+ 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa,
+ 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2,
+ 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09,
+ 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42,
+ 0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69,
+ 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09,
+ 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9,
+ 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09,
+ 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42,
+ 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09,
+ 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea,
+ 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3,
+ 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea,
+ 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea,
+ 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd,
+ 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7,
+ 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77,
+ 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1,
+ 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4,
+ 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17,
+ 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54,
+ 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26,
+ 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7,
+ 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5,
+ 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52,
+ 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d,
+ 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4,
+ 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb,
+ 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60,
+ 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c,
+ 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29,
+ 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7,
+ 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3,
+ 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d,
+ 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d,
+ 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09,
+ 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0
+ };
+ uint32_t request1_len = sizeof(request1);
+
+ TcpSession ssn;
+ Packet p[1];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_stub_data; content:|5d 5b 35|; content:|9e a3|; "
+ "distance:0; within:2; sid:1;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 1; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if (!(PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Positive test, to test the working of distance and within.
+ */
+int DcePayloadTest09(void)
+{
+ int result = 0;
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+ 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97,
+ 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40,
+ 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd,
+ 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96,
+ 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f,
+ 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f,
+ 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b,
+ 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6,
+ 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46,
+ 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48,
+ 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b,
+ 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99,
+ 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46,
+ 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6,
+ 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46,
+ 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48,
+ 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49,
+ 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90,
+ 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93,
+ 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41,
+ 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37,
+ 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37,
+ 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5,
+ 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96,
+ 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f,
+ 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97,
+ 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48,
+ 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37,
+ 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27,
+ 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37,
+ 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52,
+ 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
+ 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83,
+ 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d,
+ 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a,
+ 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6,
+ 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa,
+ 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2,
+ 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09,
+ 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42,
+ 0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69,
+ 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09,
+ 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9,
+ 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09,
+ 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42,
+ 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09,
+ 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea,
+ 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3,
+ 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea,
+ 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea,
+ 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd,
+ 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7,
+ 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77,
+ 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1,
+ 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4,
+ 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17,
+ 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54,
+ 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26,
+ 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7,
+ 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5,
+ 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52,
+ 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d,
+ 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4,
+ 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb,
+ 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60,
+ 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c,
+ 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29,
+ 0x9b, 0x38, 0x5d, 0x5b, 0x35, 0x46, 0x9e, 0xa3,
+ 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3,
+ 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d,
+ 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d,
+ 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09,
+ 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0
+ };
+ uint32_t request1_len = sizeof(request1);
+
+ TcpSession ssn;
+ Packet p[1];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_stub_data; content:|5d 5b 35|; content:|9e a3|; "
+ "distance:0; within:2; sid:1;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 1; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if (!(PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Positive test, to test the working of distance and within.
+ */
+int DcePayloadTest10(void)
+{
+ int result = 0;
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+ 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97,
+ 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40,
+ 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd,
+ 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96,
+ 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f,
+ 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f,
+ 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b,
+ 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6,
+ 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46,
+ 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48,
+ 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b,
+ 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99,
+ 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46,
+ 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6,
+ 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46,
+ 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48,
+ 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49,
+ 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90,
+ 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93,
+ 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41,
+ 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37,
+ 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37,
+ 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5,
+ 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96,
+ 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f,
+ 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97,
+ 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48,
+ 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37,
+ 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27,
+ 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37,
+ 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52,
+ 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
+ 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83,
+ 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d,
+ 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a,
+ 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6,
+ 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa,
+ 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2,
+ 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09,
+ 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42,
+ 0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69,
+ 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09,
+ 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9,
+ 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09,
+ 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42,
+ 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09,
+ 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea,
+ 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3,
+ 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea,
+ 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea,
+ 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd,
+ 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7,
+ 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77,
+ 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1,
+ 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4,
+ 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17,
+ 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54,
+ 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26,
+ 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7,
+ 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5,
+ 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52,
+ 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d,
+ 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4,
+ 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb,
+ 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60,
+ 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c,
+ 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29,
+ 0x9b, 0x38, 0x5d, 0x5b, 0x35, 0x46, 0x9e, 0xa3,
+ 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3,
+ 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d,
+ 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d,
+ 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09,
+ 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0
+ };
+ uint32_t request1_len = sizeof(request1);
+
+ TcpSession ssn;
+ Packet p[1];
+ ThreadVars tv;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ Flow f;
+ int r;
+ int i = 0;
+
+ char *sig1 = "alert tcp any any -> any any "
+ "(dce_stub_data; content:|ad 0d|; content:|ad 0d 00|; "
+ "distance:-10; within:3; sid:1;)";
+
+ Signature *s;
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&f, 0, sizeof(Flow));
+ memset(&ssn, 0, sizeof(TcpSession));
+
+ for (i = 0; i < 1; i++) {
+ memset(&p[i], 0, sizeof(Packet));
+ p[i].src.family = AF_INET;
+ p[i].dst.family = AF_INET;
+ p[i].payload = NULL;
+ p[i].payload_len = 0;
+ p[i].proto = IPPROTO_TCP;
+ p[i].flow = &f;
+ p[i].flowflags |= FLOW_PKT_TOSERVER;
+ }
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if (!(PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Postive test to check the working of disance and within across frags.
+ */
+int DcePayloadTest11(void)
+{
+ int result = 0;
+
+ uint8_t request1[] = {
+ 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40,
+ 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48,
+ 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37,
+ 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd,
+ 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6,
+ 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93,
+ 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92,
+ 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5,
+ 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93,
+ 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98,
+ 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49,
+ 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92,
+ 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42,
+ 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b,
+ 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41,
+ 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f,
+ 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97,
+ 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99,
+ 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96,
+ 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49,
+ 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc,
+ 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91,
+ 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48,
+ 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e,
+ 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a,
+ 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98,
+ 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e,
+ 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43,
+ 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92,
+ 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96,
+ 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6,
+ 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37,
+ 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97,
+ 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92,
+ 0x42, 0x4a, 0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e,
+ 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd,
+ 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e,
+ 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f,
+ 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46,
+ 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b,
+ 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27,
+ 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47,
+ 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97,
+ 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e,
+ 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e,
+ 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f,
+ 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40,
+ 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40,
+ 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5,
+ 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd,
+ 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42,
+ 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8,
+ 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91,
+ 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97,
+ 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97,
+ 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40,
+ 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd,
+ 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96,
+ 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f,
+ 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f,
+ 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b,
+ 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6,
+ 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46,
+ 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48,
+ 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b,
+ 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99,
+ 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46,
+ 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6,
+ 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46,
+ 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48,
+ 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49,
+ 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90,
+ 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93,
+ 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41,
+ 0xf5, 0xfc, 0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37,
+ 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37,
+ 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5,
+ 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96,
+ 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f,
+ 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97,
+ 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48,
+ 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37,
+ 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27,
+ 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37,
+ 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52,
+ 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
+ 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83,
+ 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d,
+ 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a,
+ 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6,
+ 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa,
+ 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2,
+ 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09,
+ 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42,
+ 0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69,
+ 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09,
+ 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9,
+ 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09,
+ 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42,
+ 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09,
+ 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea,
+ 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3,
+ 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea,
+ 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea,
+ 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd,
+ 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7,
+ 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77,
+ 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1,
+ 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4,
+ 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17,
+ 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54,
+ 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26,
+ 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7,
+ 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5,
+ 0xcf, 0x86, 0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52,
+ 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d,
+ 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4,
+ 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb,
+ 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60,
+ 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c,
+ 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29,
+ 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7,
+ 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3,
+ 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d,
+ 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d,
+ 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09,
+ 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0
+ };
+ uint32_t request1_len = sizeof(request1);
+
+ uint8_t request2[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
+ 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
+ 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1,
+ 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28,
+ 0x27, 0x30, 0x48, 0x55, 0x42, 0x6a, 0x48, 0x4b,
+ 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d,
+ 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c,
+ 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35,
+ 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61,
+ 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34,
+ 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e,
+ 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46,
+ 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23,
+ 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e,
+ 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72,
+ 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38,
+ 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37,
+ 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56,
+ 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a,
+ 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65,
+ 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c,
+ 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d,
+ 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b,
+ 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35,
+ 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e,
0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 
0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 
0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 0x47, 0x46, 0x6d, 0x72, + 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a, + 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d, + 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36, + 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c, + 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67 + }; + uint32_t request2_len = sizeof(request2); + + TcpSession ssn; + Packet p[2]; + ThreadVars tv; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + Flow f; + int r; + int i = 0; + + char *sig1 = "alert tcp any any -> any any " + "(dce_stub_data; content:|af, 26, d0|; content:|80 98 6d|; " + "distance:1; within:3; sid:1;)"; + + Signature *s; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + for (i = 0; i < 2; i++) { + memset(&p[i], 0, sizeof(Packet)); + p[i].src.family = AF_INET; + p[i].dst.family = AF_INET; + p[i].payload = NULL; + p[i].payload_len = 0; + p[i].proto = IPPROTO_TCP; + p[i].flow = &f; + p[i].flowflags |= FLOW_PKT_TOSERVER; 
+ }
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if (!(PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+/**
+ * \test Negative test the working of contents on stub data with invalid
+ * distance.
+ */ +int DcePayloadTest12(void) +{ + int result = 0; + + uint8_t request1[] = { + 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xad, 0x0d, 0x00, 0x00, 0x91, 0xfc, 0x27, 0x40, + 0x4a, 0x97, 0x4a, 0x98, 0x4b, 0x41, 0x3f, 0x48, + 0x99, 0x90, 0xf8, 0x27, 0xfd, 0x3f, 0x27, 0x37, + 0x40, 0xd6, 0x27, 0xfc, 0x3f, 0x9f, 0x4f, 0xfd, + 0x42, 0x47, 0x47, 0x49, 0x3f, 0xf9, 0x9b, 0xd6, + 0x48, 0x37, 0x27, 0x46, 0x93, 0x49, 0xfd, 0x93, + 0x91, 0xfd, 0x93, 0x90, 0x92, 0x96, 0xf5, 0x92, + 0x4e, 0x91, 0x98, 0x46, 0x4f, 0x4b, 0x46, 0xf5, + 0xf5, 0xfd, 0x40, 0xf9, 0x9b, 0x40, 0x9f, 0x93, + 0x4e, 0xf8, 0x40, 0x40, 0x4e, 0xf5, 0x4b, 0x98, + 0xf5, 0x91, 0xd6, 0x42, 0x99, 0x96, 0x27, 0x49, + 0x48, 0x47, 0x4f, 0x46, 0x99, 0x4b, 0x92, 0x92, + 0x90, 0x47, 0x46, 0x4e, 0x43, 0x9b, 0x43, 0x42, + 0x3f, 0x4b, 0x27, 0x97, 0x93, 0xf9, 0x42, 0x9b, + 0x46, 0x9b, 0x4b, 0x98, 0x41, 0x98, 0x37, 0x41, + 0x9f, 0x98, 0x4e, 0x93, 0x48, 0x46, 0x46, 0x9f, + 0x97, 0x9b, 0x42, 0x37, 0x90, 0x46, 0xf9, 0x97, + 0x91, 0xf5, 0x4e, 0x97, 0x4e, 0x99, 0xf8, 0x99, + 0x41, 0xf5, 0x41, 0x9f, 0x49, 0xfd, 0x92, 0x96, + 0x3f, 0x3f, 0x42, 0x27, 0x27, 0x93, 0x47, 0x49, + 0x91, 0x27, 0x27, 0x40, 0x42, 0x99, 0x9f, 0xfc, + 0x97, 0x47, 0x99, 0x4a, 0xf9, 0x3f, 0x48, 0x91, + 0x47, 0x97, 0x91, 0x42, 0x4b, 0x9b, 0x4a, 0x48, + 0x9f, 0x43, 0x43, 0x40, 0x99, 0xf9, 0x48, 0x4e, + 0x92, 0x93, 0x92, 0x41, 0x46, 0x4b, 0x4a, 0x4a, + 0x49, 0x96, 0x4a, 0x4f, 0xf5, 0x42, 0x47, 0x98, + 0x9b, 0xf5, 0x91, 0xf9, 0xd6, 0x9b, 0x48, 0x4e, + 0x9f, 0x91, 0xd6, 0x93, 0x4b, 0x37, 0x3f, 0x43, + 0xf5, 0x41, 0x41, 0xf5, 0x37, 0x4f, 0x43, 0x92, + 0x97, 0x27, 0x93, 0x92, 0x46, 0x47, 0x4b, 0x96, + 0x41, 0x90, 0x90, 0x3f, 0x96, 0x27, 0x41, 0xd6, + 0xd6, 0xd6, 0xf9, 0xf8, 0x47, 0x27, 0x46, 0x37, + 0x41, 0x90, 0x91, 0xfc, 0x46, 0x41, 0x43, 0x97, + 0x9f, 0x4a, 0x49, 0x92, 0x41, 0x91, 0x41, 0x92, + 0x42, 0x4a, 
0x3f, 0x93, 0x99, 0x9b, 0x9f, 0x4e, + 0x47, 0x93, 0xd6, 0x37, 0x37, 0x40, 0x98, 0xfd, + 0x41, 0x42, 0x97, 0x4e, 0x4e, 0x98, 0x9f, 0x4e, + 0x48, 0x3f, 0x48, 0x42, 0x96, 0x9f, 0x99, 0x4f, + 0x4e, 0x42, 0x97, 0xf9, 0x3f, 0x37, 0x27, 0x46, + 0x41, 0xf9, 0x92, 0x96, 0x41, 0x93, 0x91, 0x4b, + 0x96, 0x4f, 0x43, 0xfd, 0xf5, 0x9f, 0x43, 0x27, + 0x99, 0xd6, 0xf5, 0x4e, 0xfd, 0x97, 0x4b, 0x47, + 0x47, 0x92, 0x98, 0x4f, 0x47, 0x49, 0x37, 0x97, + 0x3f, 0x4e, 0x40, 0x46, 0x4e, 0x9f, 0x4e, 0x4e, + 0xfc, 0x41, 0x47, 0xf8, 0x37, 0x9b, 0x41, 0x4e, + 0x96, 0x99, 0x46, 0x99, 0x46, 0xf9, 0x4e, 0x4f, + 0x48, 0x97, 0x97, 0x93, 0xd6, 0x9b, 0x41, 0x40, + 0x97, 0x97, 0x4f, 0x92, 0x91, 0xd6, 0x96, 0x40, + 0x4f, 0x4b, 0x91, 0x46, 0x27, 0x92, 0x3f, 0xf5, + 0xfc, 0x3f, 0x91, 0x97, 0xf8, 0x43, 0x4e, 0xfd, + 0x9b, 0x27, 0xfd, 0x9b, 0xf5, 0x27, 0x47, 0x42, + 0x46, 0x93, 0x37, 0x93, 0x91, 0x91, 0x91, 0xf8, + 0x4f, 0x92, 0x4f, 0xf8, 0x93, 0xf5, 0x49, 0x91, + 0x4b, 0x3f, 0xfc, 0x37, 0x4f, 0x46, 0x98, 0x97, + 0x9f, 0x40, 0xfd, 0x9f, 0x98, 0xfd, 0x4e, 0x97, + 0x4f, 0x47, 0x91, 0x27, 0x4a, 0x90, 0x96, 0x40, + 0x98, 0x97, 0x41, 0x3f, 0xd6, 0xfd, 0x41, 0xfd, + 0x42, 0x97, 0x4b, 0x9b, 0x46, 0x4e, 0xfc, 0x96, + 0xf9, 0x37, 0x4b, 0x96, 0x9f, 0x9b, 0x42, 0x9f, + 0x93, 0x40, 0x42, 0x43, 0xf5, 0x93, 0x48, 0x3f, + 0x4b, 0xfd, 0x9f, 0x4b, 0x41, 0x4a, 0x90, 0x9b, + 0x46, 0x97, 0x98, 0x96, 0x9b, 0x98, 0x92, 0xd6, + 0x4e, 0x4a, 0x27, 0x90, 0x96, 0x99, 0x91, 0x46, + 0x49, 0x41, 0x4b, 0x90, 0x43, 0x91, 0xd6, 0x48, + 0x42, 0x90, 0x4f, 0x96, 0x43, 0x9b, 0xf9, 0x9b, + 0x9f, 0x9f, 0x27, 0x47, 0x4b, 0xf5, 0x43, 0x99, + 0x99, 0x91, 0x4e, 0x41, 0x42, 0x46, 0x97, 0x46, + 0x47, 0xf9, 0xf5, 0x48, 0x4a, 0xf8, 0x4e, 0xd6, + 0x43, 0x4a, 0x27, 0x9b, 0x42, 0x90, 0x46, 0x46, + 0x3f, 0x99, 0x96, 0x9b, 0x91, 0x9f, 0xf5, 0x48, + 0x43, 0x9f, 0x4a, 0x99, 0x96, 0xfd, 0x92, 0x49, + 0x46, 0x91, 0x40, 0xfd, 0x4a, 0x48, 0x4f, 0x90, + 0x91, 0x98, 0x48, 0x4b, 0x9f, 0x42, 0x27, 0x93, + 0x47, 0xf8, 0x4f, 0x48, 0x3f, 0x90, 0x47, 0x41, + 0xf5, 0xfc, 
0x27, 0xf8, 0x97, 0x4a, 0x49, 0x37, + 0x40, 0x4f, 0x40, 0x37, 0x41, 0x27, 0x96, 0x37, + 0xfc, 0x42, 0xd6, 0x4b, 0x48, 0x37, 0x42, 0xf5, + 0x27, 0xf9, 0xd6, 0x48, 0x9b, 0xfd, 0x40, 0x96, + 0x4e, 0x43, 0xf8, 0x90, 0x40, 0x40, 0x49, 0x3f, + 0xfc, 0x4a, 0x42, 0x47, 0xf8, 0x49, 0x42, 0x97, + 0x4f, 0x91, 0xfd, 0x4b, 0x46, 0x4b, 0xfc, 0x48, + 0x49, 0x96, 0x4b, 0x96, 0x43, 0x9f, 0x90, 0x37, + 0xd6, 0x4a, 0xd6, 0x3f, 0xd6, 0x90, 0x49, 0x27, + 0x4e, 0x96, 0x96, 0xf8, 0x49, 0x96, 0xf8, 0x37, + 0x90, 0x4e, 0x4b, 0x4f, 0x99, 0xf8, 0x6a, 0x52, + 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, + 0x81, 0x73, 0x13, 0x30, 0x50, 0xf0, 0x82, 0x83, + 0xeb, 0xfc, 0xe2, 0xf4, 0xb1, 0x94, 0x0f, 0x6d, + 0xcf, 0xaf, 0xb4, 0x7e, 0x5a, 0xbb, 0xbf, 0x6a, + 0xc9, 0xaf, 0x0f, 0x7d, 0x50, 0xdb, 0x9c, 0xa6, + 0x14, 0xdb, 0xb5, 0xbe, 0xbb, 0x2c, 0xf5, 0xfa, + 0x31, 0xbf, 0x7b, 0xcd, 0x28, 0xdb, 0xaf, 0xa2, + 0x31, 0xbb, 0x13, 0xb2, 0x79, 0xdb, 0xc4, 0x09, + 0x31, 0xbe, 0xc1, 0x42, 0xa9, 0xfc, 0x74, 0x42, + 0x44, 0x57, 0x31, 0x48, 0x3d, 0x51, 0x32, 0x69, + 0xc4, 0x6b, 0xa4, 0xa6, 0x18, 0x25, 0x13, 0x09, + 0x6f, 0x74, 0xf1, 0x69, 0x56, 0xdb, 0xfc, 0xc9, + 0xbb, 0x0f, 0xec, 0x83, 0xdb, 0x53, 0xdc, 0x09, + 0xb9, 0x3c, 0xd4, 0x9e, 0x51, 0x93, 0xc1, 0x42, + 0x54, 0xdb, 0xb0, 0xb2, 0xbb, 0x10, 0xfc, 0x09, + 0x40, 0x4c, 0x5d, 0x09, 0x70, 0x58, 0xae, 0xea, + 0xbe, 0x1e, 0xfe, 0x6e, 0x60, 0xaf, 0x26, 0xb3, + 0xeb, 0x36, 0xa3, 0xe4, 0x58, 0x63, 0xc2, 0xea, + 0x47, 0x23, 0xc2, 0xdd, 0x64, 0xaf, 0x20, 0xea, + 0xfb, 0xbd, 0x0c, 0xb9, 0x60, 0xaf, 0x26, 0xdd, + 0xb9, 0xb5, 0x96, 0x03, 0xdd, 0x58, 0xf2, 0xd7, + 0x5a, 0x52, 0x0f, 0x52, 0x58, 0x89, 0xf9, 0x77, + 0x9d, 0x07, 0x0f, 0x54, 0x63, 0x03, 0xa3, 0xd1, + 0x63, 0x13, 0xa3, 0xc1, 0x63, 0xaf, 0x20, 0xe4, + 0x58, 0x41, 0xac, 0xe4, 0x63, 0xd9, 0x11, 0x17, + 0x58, 0xf4, 0xea, 0xf2, 0xf7, 0x07, 0x0f, 0x54, + 0x5a, 0x40, 0xa1, 0xd7, 0xcf, 0x80, 0x98, 0x26, + 0x9d, 0x7e, 0x19, 0xd5, 0xcf, 0x86, 0xa3, 0xd7, + 0xcf, 0x80, 0x98, 0x67, 0x79, 0xd6, 0xb9, 0xd5, + 0xcf, 0x86, 
0xa0, 0xd6, 0x64, 0x05, 0x0f, 0x52, + 0xa3, 0x38, 0x17, 0xfb, 0xf6, 0x29, 0xa7, 0x7d, + 0xe6, 0x05, 0x0f, 0x52, 0x56, 0x3a, 0x94, 0xe4, + 0x58, 0x33, 0x9d, 0x0b, 0xd5, 0x3a, 0xa0, 0xdb, + 0x19, 0x9c, 0x79, 0x65, 0x5a, 0x14, 0x79, 0x60, + 0x01, 0x90, 0x03, 0x28, 0xce, 0x12, 0xdd, 0x7c, + 0x72, 0x7c, 0x63, 0x0f, 0x4a, 0x68, 0x5b, 0x29, + 0x9b, 0x38, 0x82, 0x7c, 0x83, 0x46, 0x0f, 0xf7, + 0x74, 0xaf, 0x26, 0xd9, 0x67, 0x02, 0xa1, 0xd3, + 0x61, 0x3a, 0xf1, 0xd3, 0x61, 0x05, 0xa1, 0x7d, + 0xe0, 0x38, 0x5d, 0x5b, 0x35, 0x9e, 0xa3, 0x7d, + 0xe6, 0x3a, 0x0f, 0x7d, 0x07, 0xaf, 0x20, 0x09, + 0x67, 0xac, 0x73, 0x46, 0x54, 0xaf, 0x26, 0xd0 + }; + uint32_t request1_len = sizeof(request1); + + uint8_t request2[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, + 0xcf, 0x80, 0x98, 0x6d, 0xfe, 0xb0, 0x90, 0xd1, + 0xcf, 0x86, 0x0f, 0x52, 0x2c, 0x23, 0x66, 0x28, + 0x27, 0x30, 0x48, 0x55, 0x42, 0x6a, 0x48, 0x4b, + 0x68, 0x22, 0x2e, 0x23, 0x64, 0x33, 0x2c, 0x2d, + 0x5c, 0x51, 0x48, 0x55, 0x24, 0x67, 0x6c, 0x4c, + 0x45, 0x71, 0x35, 0x72, 0x5a, 0x48, 0x5e, 0x35, + 0x61, 0x78, 0x35, 0x42, 0x2c, 0x7a, 0x75, 0x61, + 0x5b, 0x4e, 0x76, 0x30, 0x26, 0x2f, 0x2a, 0x34, + 0x48, 0x29, 0x25, 0x6e, 0x5c, 0x3a, 0x6c, 0x3e, + 0x79, 0x4e, 0x2a, 0x21, 0x6f, 0x6f, 0x34, 0x46, + 0x43, 0x26, 0x5b, 0x35, 0x78, 0x27, 0x69, 0x23, + 0x72, 0x21, 0x69, 0x56, 0x6a, 0x7d, 0x4b, 0x5e, + 0x65, 0x37, 0x60, 0x44, 0x7c, 0x5d, 0x5b, 0x72, + 0x7d, 0x73, 0x7b, 0x47, 0x57, 0x21, 0x41, 0x38, + 0x76, 0x38, 0x76, 0x5c, 0x58, 0x32, 0x4a, 0x37, + 0x2f, 0x40, 0x4b, 0x4c, 0x3d, 0x41, 0x33, 0x56, + 0x73, 0x38, 0x61, 0x71, 0x24, 0x49, 0x4c, 0x4a, + 0x44, 0x2e, 0x3a, 0x3f, 0x74, 0x54, 0x4c, 0x65, + 0x54, 0x2d, 0x3b, 0x28, 0x41, 0x45, 0x49, 0x2c, + 0x6e, 0x48, 0x44, 0x43, 0x37, 0x3d, 0x7b, 0x6d, + 0x2b, 0x4b, 0x32, 0x5a, 0x31, 0x61, 0x6e, 0x2b, + 0x27, 0x50, 0x6b, 0x66, 0x76, 0x4e, 0x55, 0x35, + 0x2b, 0x72, 0x2d, 0x5e, 0x42, 0x3e, 
0x5a, 0x5d, + 0x36, 0x45, 0x32, 0x3a, 0x58, 0x78, 0x78, 0x3e, + 0x60, 0x6c, 0x5d, 0x63, 0x41, 0x7c, 0x52, 0x21, + 0x75, 0x6a, 0x5a, 0x70, 0x55, 0x45, 0x76, 0x58, + 0x33, 0x40, 0x38, 0x39, 0x21, 0x37, 0x7d, 0x77, + 0x21, 0x70, 0x2b, 0x72, 0x29, 0x6a, 0x31, 0x5f, + 0x38, 0x4a, 0x66, 0x65, 0x62, 0x2c, 0x39, 0x52, + 0x5f, 0x2a, 0x2b, 0x63, 0x4f, 0x76, 0x43, 0x25, + 0x6a, 0x50, 0x37, 0x52, 0x5e, 0x23, 0x3c, 0x42, + 0x28, 0x75, 0x75, 0x42, 0x25, 0x23, 0x28, 0x56, + 0x6c, 0x46, 0x5c, 0x5e, 0x6b, 0x7d, 0x48, 0x24, + 0x77, 0x6c, 0x70, 0x62, 0x2e, 0x28, 0x7d, 0x6b, + 0x69, 0x4a, 0x75, 0x3d, 0x5d, 0x56, 0x21, 0x49, + 0x56, 0x47, 0x64, 0x2b, 0x4c, 0x52, 0x43, 0x60, + 0x77, 0x49, 0x46, 0x46, 0x33, 0x2c, 0x4b, 0x4b, + 0x3d, 0x63, 0x5d, 0x33, 0x78, 0x76, 0x51, 0x56, + 0x77, 0x3c, 0x72, 0x74, 0x52, 0x27, 0x40, 0x6c, + 0x42, 0x79, 0x49, 0x24, 0x62, 0x5e, 0x26, 0x31, + 0x5c, 0x22, 0x2b, 0x4c, 0x64, 0x49, 0x52, 0x45, + 0x47, 0x49, 0x3a, 0x2a, 0x51, 0x71, 0x22, 0x22, + 0x70, 0x24, 0x34, 0x67, 0x4b, 0x6d, 0x58, 0x29, + 0x63, 0x26, 0x7b, 0x6f, 0x38, 0x78, 0x25, 0x62, + 0x4d, 0x3a, 0x7d, 0x40, 0x23, 0x57, 0x67, 0x33, + 0x38, 0x31, 0x4e, 0x54, 0x3c, 0x4b, 0x48, 0x69, + 0x3c, 0x39, 0x31, 0x2b, 0x26, 0x70, 0x44, 0x66, + 0x4a, 0x37, 0x2b, 0x75, 0x36, 0x45, 0x59, 0x34, + 0x3e, 0x3e, 0x29, 0x70, 0x71, 0x5a, 0x55, 0x49, + 0x3e, 0x4b, 0x68, 0x4e, 0x75, 0x70, 0x3c, 0x5c, + 0x50, 0x58, 0x28, 0x75, 0x3c, 0x2a, 0x41, 0x70, + 0x2f, 0x2b, 0x37, 0x26, 0x75, 0x71, 0x55, 0x22, + 0x3a, 0x44, 0x30, 0x48, 0x5d, 0x2f, 0x6c, 0x44, + 0x28, 0x4b, 0x34, 0x45, 0x21, 0x60, 0x44, 0x36, + 0x7b, 0x32, 0x39, 0x5f, 0x6d, 0x3f, 0x68, 0x73, + 0x25, 0x45, 0x56, 0x7c, 0x78, 0x7a, 0x49, 0x6a, + 0x46, 0x3d, 0x2d, 0x33, 0x6c, 0x6f, 0x23, 0x77, + 0x38, 0x33, 0x36, 0x74, 0x7b, 0x57, 0x4b, 0x6d, + 0x27, 0x75, 0x24, 0x6e, 0x43, 0x61, 0x4d, 0x44, + 0x6d, 0x27, 0x48, 0x58, 0x5e, 0x7b, 0x26, 0x6a, + 0x50, 0x7c, 0x51, 0x23, 0x3c, 0x4f, 0x37, 0x4c, + 0x47, 0x3e, 0x45, 0x56, 0x22, 0x33, 0x7c, 0x66, + 0x35, 0x54, 0x7a, 0x6e, 0x5a, 0x24, 
0x70, 0x62, + 0x29, 0x3f, 0x69, 0x79, 0x24, 0x43, 0x41, 0x24, + 0x65, 0x25, 0x62, 0x4f, 0x73, 0x3e, 0x2b, 0x36, + 0x46, 0x69, 0x27, 0x55, 0x2a, 0x6e, 0x24, 0x6c, + 0x7d, 0x64, 0x7c, 0x61, 0x26, 0x67, 0x2a, 0x53, + 0x73, 0x60, 0x28, 0x2d, 0x6b, 0x44, 0x54, 0x61, + 0x34, 0x53, 0x22, 0x59, 0x6d, 0x73, 0x56, 0x55, + 0x25, 0x2c, 0x38, 0x4a, 0x3b, 0x4e, 0x78, 0x46, + 0x54, 0x6e, 0x6d, 0x4f, 0x47, 0x4f, 0x4f, 0x5a, + 0x67, 0x77, 0x39, 0x66, 0x28, 0x29, 0x4e, 0x43, + 0x55, 0x6e, 0x60, 0x59, 0x28, 0x3b, 0x65, 0x62, + 0x61, 0x5a, 0x29, 0x6e, 0x79, 0x60, 0x41, 0x53, + 0x2f, 0x5d, 0x44, 0x36, 0x7b, 0x3e, 0x7c, 0x2b, + 0x77, 0x36, 0x70, 0x3f, 0x40, 0x55, 0x48, 0x67, + 0x4b, 0x4d, 0x5d, 0x51, 0x79, 0x76, 0x48, 0x4a, + 0x2d, 0x21, 0x60, 0x40, 0x46, 0x55, 0x7a, 0x60, + 0x22, 0x25, 0x3f, 0x4b, 0x54, 0x6a, 0x6a, 0x3c, + 0x77, 0x22, 0x5b, 0x43, 0x67, 0x58, 0x71, 0x22, + 0x79, 0x4b, 0x32, 0x61, 0x44, 0x4d, 0x6f, 0x42, + 0x33, 0x2d, 0x53, 0x35, 0x3d, 0x6f, 0x57, 0x48, + 0x33, 0x3b, 0x5a, 0x53, 0x3f, 0x4e, 0x3f, 0x6b, + 0x4c, 0x27, 0x26, 0x3b, 0x73, 0x49, 0x22, 0x55, + 0x79, 0x2f, 0x47, 0x2f, 0x55, 0x5a, 0x7a, 0x71, + 0x6c, 0x31, 0x43, 0x40, 0x56, 0x7b, 0x21, 0x7a, + 0x6d, 0x4c, 0x43, 0x5e, 0x38, 0x47, 0x29, 0x38, + 0x62, 0x49, 0x45, 0x78, 0x70, 0x2b, 0x2e, 0x65, + 0x47, 0x71, 0x58, 0x79, 0x39, 0x67, 0x7d, 0x6d, + 0x6a, 0x67, 0x4a, 0x71, 0x27, 0x35, 0x2a, 0x4c, + 0x3e, 0x58, 0x55, 0x30, 0x4d, 0x75, 0x77, 0x48, + 0x5f, 0x4b, 0x59, 0x34, 0x65, 0x68, 0x57, 0x59, + 0x63, 0x23, 0x47, 0x38, 0x47, 0x5e, 0x56, 0x28, + 0x79, 0x58, 0x3e, 0x39, 0x66, 0x77, 0x67, 0x33, + 0x29, 0x61, 0x24, 0x7d, 0x37, 0x44, 0x37, 0x67, + 0x3a, 0x58, 0x76, 0x21, 0x51, 0x59, 0x61, 0x73, + 0x66, 0x75, 0x71, 0x53, 0x4d, 0x24, 0x2d, 0x4b, + 0x29, 0x30, 0x32, 0x26, 0x59, 0x64, 0x27, 0x55, + 0x2c, 0x5a, 0x4c, 0x3c, 0x6c, 0x53, 0x56, 0x4b, + 0x3e, 0x55, 0x2e, 0x44, 0x38, 0x6b, 0x47, 0x76, + 0x2d, 0x2c, 0x3f, 0x4d, 0x22, 0x7b, 0x6d, 0x61, + 0x34, 0x6b, 0x50, 0x73, 0x28, 0x6d, 0x41, 0x71, + 0x21, 0x76, 0x52, 0x2a, 0x6d, 0x53, 
0x2a, 0x74, + 0x28, 0x27, 0x62, 0x2a, 0x66, 0x25, 0x6e, 0x5e, + 0x37, 0x4f, 0x27, 0x72, 0x28, 0x47, 0x63, 0x6e, + 0x5a, 0x6a, 0x41, 0x35, 0x3a, 0x42, 0x3f, 0x27, + 0x75, 0x3e, 0x26, 0x3e, 0x6b, 0x55, 0x59, 0x60, + 0x24, 0x70, 0x49, 0x3c, 0x4e, 0x2c, 0x39, 0x7a, + 0x36, 0x6c, 0x27, 0x3e, 0x6a, 0x4a, 0x59, 0x5a, + 0x3e, 0x21, 0x73, 0x4e, 0x59, 0x6e, 0x3d, 0x32, + 0x27, 0x45, 0x49, 0x58, 0x7d, 0x37, 0x39, 0x77, + 0x28, 0x51, 0x79, 0x54, 0x2b, 0x78, 0x46, 0x5a, + 0x21, 0x75, 0x33, 0x21, 0x63, 0x5a, 0x7b, 0x3e, + 0x33, 0x4f, 0x67, 0x75, 0x3a, 0x50, 0x48, 0x60, + 0x26, 0x64, 0x76, 0x5c, 0x42, 0x5c, 0x72, 0x38, + 0x6c, 0x52, 0x21, 0x2b, 0x25, 0x6b, 0x7c, 0x6b, + 0x2d, 0x5e, 0x63, 0x2a, 0x4c, 0x26, 0x5b, 0x4c, + 0x58, 0x52, 0x51, 0x55, 0x31, 0x79, 0x6c, 0x53, + 0x62, 0x3a, 0x36, 0x46, 0x7a, 0x29, 0x27, 0x78, + 0x1a, 0xbf, 0x49, 0x74, 0x68, 0x24, 0x51, 0x44, + 0x5b, 0x3e, 0x34, 0x44, 0x29, 0x5e, 0x4f, 0x2a, + 0xe9, 0x3f, 0xf8, 0xff, 0xff, 0x52, 0x7d, 0x47, + 0x67, 0x40, 0x27, 0x5e, 0x47, 0x46, 0x6d, 0x72, + 0x5d, 0x49, 0x26, 0x45, 0x33, 0x6b, 0x4d, 0x4a, + 0x6f, 0x62, 0x60, 0x45, 0x62, 0x27, 0x27, 0x7d, + 0x6a, 0x41, 0x2c, 0x6c, 0x5b, 0x2a, 0x2b, 0x36, + 0x29, 0x58, 0x7a, 0x4c, 0x6e, 0x2d, 0x74, 0x5c, + 0x38, 0x22, 0x5f, 0x49, 0x63, 0x43, 0x5b, 0x67 + }; + uint32_t request2_len = sizeof(request2); + + TcpSession ssn; + Packet p[2]; + ThreadVars tv; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + Flow f; + int r; + int i = 0; + + char *sig1 = "alert tcp any any -> any any " + "(dce_stub_data; content:|af, 26, d0|; content:|80 98 6d|; " + "distance:2; within:3; sid:1;)"; + + Signature *s; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&f, 0, sizeof(Flow)); + memset(&ssn, 0, sizeof(TcpSession)); + + for (i = 0; i < 2; i++) { + memset(&p[i], 0, sizeof(Packet)); + p[i].src.family = AF_INET; + p[i].dst.family = AF_INET; + p[i].payload = NULL; + p[i].payload_len = 0; + p[i].proto = IPPROTO_TCP; + p[i].flow = &f; + p[i].flowflags |= FLOW_PKT_TOSERVER; 
+ }
+
+ f.protoctx = (void *)&ssn;
+ f.src.family = AF_INET;
+ f.dst.family = AF_INET;
+ f.alproto = ALPROTO_DCERPC;
+
+ StreamTcpInitConfig(TRUE);
+ FlowL7DataPtrInit(&f);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, sig1);
+ s = de_ctx->sig_list;
+ if (s == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[0]);
+ if ((PacketAlertCheck(&p[0], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, request2, request2_len);
+ if (r != 0) {
+ printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+ result = 0;
+ goto end;
+ }
+ /* detection phase */
+ SigMatchSignatures(&tv, de_ctx, det_ctx, &p[1]);
+ if ((PacketAlertCheck(&p[1], 1))) {
+ printf("sid 1 didn't match but should have: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ return result;
+}
+
+#endif /* UNITTESTS */
+
+void DcePayloadRegisterTests(void)
+{
+
+#ifdef UNITTESTS
+ UtRegisterTest("DcePayloadTest01", DcePayloadTest01, 1);
+ UtRegisterTest("DcePayloadTest02", DcePayloadTest02, 1);
+ UtRegisterTest("DcePayloadTest03", DcePayloadTest03, 1);
+ UtRegisterTest("DcePayloadTest04", DcePayloadTest04, 1);
+ UtRegisterTest("DcePayloadTest05", DcePayloadTest05, 1);
+ UtRegisterTest("DcePayloadTest06", DcePayloadTest06, 1);
+ UtRegisterTest("DcePayloadTest07", DcePayloadTest07, 1);
+ UtRegisterTest("DcePayloadTest08", DcePayloadTest08, 1);
+ UtRegisterTest("DcePayloadTest09", DcePayloadTest09, 1);
+ UtRegisterTest("DcePayloadTest10", DcePayloadTest10, 1);
+ UtRegisterTest("DcePayloadTest11", DcePayloadTest11, 1);
+ UtRegisterTest("DcePayloadTest12", DcePayloadTest12, 1);
+#endif /* UNITTESTS */
+
+ return;
+}
diff --git a/src/detect-engine-dcepayload.h b/src/detect-engine-dcepayload.h
new file mode 100644
index 0000000000..0723bb4da5
--- /dev/null
+++ b/src/detect-engine-dcepayload.h
@@ -0,0 +1,31 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien
+ */
+
+#ifndef __DETECT_ENGINE_DCEPAYLOAD_H__
+#define __DETECT_ENGINE_DCEPAYLOAD_H__
+
+int DetectEngineInspectDcePayload(DetectEngineCtx *, DetectEngineThreadCtx *,
+ Signature *, Flow *, uint8_t, void *, Packet *);
+void DcePayloadRegisterTests(void);
+
+#endif /* __DETECT_ENGINE_DCEPAYLOAD_H__ */
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index 365547bf9e..6bcfe77f38 100644
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -27,7 +27,9 @@
 #include "debug.h"
 #include "decode.h"
 #include "detect.h"
+#include "detect-engine.h"
 #include "detect-parse.h"
+#include "app-layer.h"
 #include "util-unittest.h"
 #include "util-unittest-helper.h"
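Review bot: The prototype of `DetectEngineInspectDcePayload` in the new header omits every parameter name, so a caller cannot tell what the `uint8_t` and `void *` arguments carry or what the `int` return value means. Give the parameters the names used by the definition in detect-engine-dcepayload.c (that definition is outside this hunk) and add a short Doxygen block stating the return convention. The header also uses `DetectEngineCtx`, `DetectEngineThreadCtx`, `Signature`, `Flow` and `Packet` without including or forward-declaring them, so it compiles only when the including file has already pulled in the declaring headers (presumably `detect.h` and `decode.h`). Either include those at the top of this header or add a comment stating the required include order.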
@@ -217,8 +219,8 @@ error:
 }
 /**
- * \brief this function is used to add the parsed isdataatdata into the current signature
- *
+ * \brief This function is used to add the parsed isdataatdata into the current
+ * signature.
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param isdataatstr pointer to the user provided isdataat options
@@ -230,55 +232,70 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst { DetectIsdataatData *idad = NULL; SigMatch *sm = NULL; + SigMatch *match = NULL; + SigMatch *match_tail = NULL; DetectContentData *cd = NULL; idad = DetectIsdataatParse(isdataatstr); if (idad == NULL) goto error; - if(idad->flags & ISDATAAT_RELATIVE) { - /** Set it in the last parsed contet because it is relative to that content match */ - SCLogDebug("set it in the last parsed content because it is relative to that content match"); + if (idad->flags & ISDATAAT_RELATIVE) { + /* Set it in the last parsed contet because it is relative to that + * content match */ + SCLogDebug("set it in the last parsed content because it is relative " + "to that content match"); + + switch (s->alproto) { + case ALPROTO_DCERPC: + match = s->dmatch; + match_tail = s->dmatch_tail; + break; + + default: + match = s->pmatch; + match_tail = s->pmatch_tail; + break; + } + - if (s->pmatch_tail == NULL) { + if (match_tail == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "No previous content, the flag " - "'relative' cant be used without content"); + "'relative' cant be used without content"); goto error; } - SigMatch *pm = NULL; - /** Search for the first previous DetectContent - * SigMatch (it can be the same as this one) */ - pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_CONTENT); - if (pm != NULL) { - cd = (DetectContentData *)pm->ctx; + SigMatch *m = NULL; + /* Search for the first previous DetectContent SigMatch (it can be the + * same as this one) */ + if ( (m = SigMatchGetLastSM(match_tail, DETECT_CONTENT)) != NULL) { + cd = (DetectContentData *)m->ctx; if (cd == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!"); goto error; } - cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_PCRE)) != NULL) { + } else if ( (m = SigMatchGetLastSM(match_tail, DETECT_PCRE)) != NULL) { DetectPcreData *pe = NULL; - pe = 
(DetectPcreData *) pm->ctx; + pe = (DetectPcreData *)m->ctx; if (pe == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!"); goto error; } pe->flags |= DETECT_PCRE_RELATIVE; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_BYTEJUMP)) != - NULL) - { + + } else if ( (m = SigMatchGetLastSM(match_tail, DETECT_BYTEJUMP)) != NULL) { DetectBytejumpData *data = NULL; - data = (DetectBytejumpData *)pm->ctx; + data = (DetectBytejumpData *)m->ctx; if (data == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!"); goto error; } data->flags |= DETECT_BYTEJUMP_RELATIVE; + } else { - SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!"); - goto error; + SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous keyword!"); + goto error; } } @@ -289,15 +306,27 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst sm->type = DETECT_ISDATAAT; sm->ctx = (void *)idad; - SigMatchAppendPayload(s, sm); + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + SigMatchAppendDcePayload(s, sm); + break; + + default: + SigMatchAppendPayload(s, sm); + break; + } return 0; error: - if (idad != NULL) DetectIsdataatFree(idad); - if (sm != NULL) SCFree(sm); + if (idad != NULL) + DetectIsdataatFree(idad); + if (sm != NULL) + SCFree(sm); return -1; - } /** 
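Review bot: In the `ISDATAAT_RELATIVE` branch of `DetectIsdataatSetup`, the new local `match` is assigned in both arms of `switch (s->alproto)`, but nothing visible in this hunk or the next one reads it; only `match_tail` is passed to `SigMatchGetLastSM`. Unless the stretch of the function between the two hunks uses it, drop `SigMatch *match = NULL;` and the two `match = ...` assignments, which also avoids an unused-but-set warning. The rewritten comment still carries the old typo, so `contet` should read `content`. The function body starts above this hunk and continues past it.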
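Review bot: The list an `isdataat` match is appended to is decided by the value of `s->alproto` at the moment this keyword is parsed, both in the `switch` added here and in the one that selects `match_tail` earlier in `DetectIsdataatSetup` (the function starts above this hunk). If `alproto` is only set once a DCE keyword has been parsed, which is not visible in this section and needs confirming, a rule that writes `isdataat` before `dce_iface` or `dce_stub_data` would be appended to `pmatch`. It would then be checked against the packet payload rather than the stub data, so the rule would silently fail to alert. I would state the ordering requirement in the comment, e.g. `/* NOTE: relies on a dce keyword having set s->alproto before isdataat is parsed */`, and add a parse test with the keywords in the reverse order that pins the intended behaviour.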
@@ -361,6 +390,119 @@ int DetectIsdataatTestParse03 (void) { return result; } +int DetectIsdataatTestParse04(void) +{ + Signature *s = SigAlloc(); + int result = 1; + + s->alproto = ALPROTO_DCERPC; + + result &= (DetectIsdataatSetup(NULL, s, "30") == 0); + result &= (s->dmatch != NULL); + /* failure since we have no preceding content/pcre/bytejump */ + result &= (DetectIsdataatSetup(NULL, s, "30,relative") == -1); + + SigFree(s); + + return result; +} + +int DetectIsdataatTestParse05(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + DetectIsdataatData *data = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; isdataat:4; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + s = de_ctx->sig_list; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_ISDATAAT); + data = (DetectIsdataatData *)s->dmatch_tail->ctx; + if ( !(!(data->flags & ISDATAAT_RELATIVE) && + !(data->flags & ISDATAAT_RAWBYTES)) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "content:one; isdataat:4,relative; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_ISDATAAT); + data = (DetectIsdataatData *)s->dmatch_tail->ctx; + if ( !((data->flags & ISDATAAT_RELATIVE) && + !(data->flags & ISDATAAT_RAWBYTES)) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + 
"content:one; isdataat:4,relative,rawbytes; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_ISDATAAT); + data = (DetectIsdataatData *)s->dmatch_tail->ctx; + if ( !((data->flags & ISDATAAT_RELATIVE) && + (data->flags & ISDATAAT_RAWBYTES)) ) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "content:one; isdataat:4,relative,rawbytes; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + /** * \test DetectIsdataatTestPacket01 is a test to check matches of * isdataat, and isdataat relative @@ -472,6 +614,8 @@ void DetectIsdataatRegisterTests(void) { UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01, 1); UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02, 1); UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03, 1); + UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04, 1); + UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05, 1); UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01, 1); UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02, 1); UtRegisterTest("DetectIsdataatTestPacket03", DetectIsdataatTestPacket03, 1); diff --git a/src/detect-offset.c b/src/detect-offset.c index aa0d2e5fc4..8eceaba8df 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -31,6 +31,7 @@ #include "detect-parse.h" #include "detect-content.h" #include "detect-uricontent.h" +#include "app-layer.h" #include "flow-var.h" 
@@ -52,6 +53,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) { char *str = offsetstr; char dubbed = 0; + SigMatch *pm = NULL; /* strip "'s */ if (offsetstr[0] == '\"' && offsetstr[strlen(offsetstr)-1] == '\"') { @@ -60,14 +62,35 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr) dubbed = 1; } - /* Search for the first previous DetectContent or uricontent - * SigMatch (it can be the same as this one) */ - SigMatch *pm = SigMatchGetLastPattern(s); - if (pm == NULL) { - SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding " - "content or uricontent option"); - if (dubbed) SCFree(str); - return -1; + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->dmatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "offset needs" + "preceeding content option for dcerpc sig"); + if (dubbed) + SCFree(str); + return -1; + } + + break; + + default: + pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->pmatch_tail, + DETECT_URICONTENT, s->umatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "distance needs" + "preceeding content or uricontent option"); + if (dubbed) + SCFree(str); + return -1; + } + + break; } DetectUricontentData *ud = NULL; diff --git a/src/detect-parse.c b/src/detect-parse.c index 40e816c86e..476487cf43 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
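Review bot: Both new error paths in DetectOffsetSetup log with `SC_ERR_WITHIN_MISSING_CONTENT` where the removed code used `SC_ERR_OFFSET_MISSING_CONTENT`, and the default branch's text says "distance needs" for the offset keyword. The adjacent string literals are also joined without a space, so the message reads "needspreceeding"; the two new messages in DetectWithinSetup's `@@ -71,14 +75,35 @@` hunk have the same missing space. Suggested form: `SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a "` continued by `"preceding content or uricontent option");`. Rule authors depend on these messages to find the keyword that broke a signature. The function continues outside the hunk.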
@@ -195,6 +195,27 @@ void SigMatchAppendPayload(Signature *s, SigMatch *new) { s->sm_cnt++; } +void SigMatchAppendDcePayload(Signature *s, SigMatch *new) { + SCLogDebug("Append SigMatch against Sigature->dmatch(dce) list"); + if (s->dmatch == NULL) { + s->dmatch = new; + s->dmatch_tail = new; + new->next = NULL; + new->prev = NULL; + } else { + SigMatch *cur = s->dmatch_tail; + cur->next = new; + new->prev = cur; + new->next = NULL; + s->dmatch_tail = new; + } + + new->idx = s->sm_cnt; + s->sm_cnt++; + + return; +} + /** \brief Append a sig match to the signatures non-payload match list * * \param s signature @@ -399,6 +420,63 @@ SigMatch *SigMatchGetLastSM(SigMatch *sm, uint8_t type) return NULL; } +SigMatch *SigMatchGetLastSMFromLists(Signature *s, int args, ...) +{ + if (args % 2 != 0) { + SCLogError(SC_ERR_INVALID_ARGUMENTS, "You need to send an even no of args " + "to this function, since we need a SigMatch list for every " + "SigMatch type(send a map of sm_type and sm_list) sent"); + return NULL; + } + + SigMatch *sm_list[args / 2]; + int sm_type[args / 2]; + int list_index = 0; + + va_list ap; + int i = 0, j = 0; + + va_start(ap, args); + + for (i = 0; i < args; i += 2) { + sm_type[list_index] = va_arg(ap, int); + + sm_list[list_index] = va_arg(ap, SigMatch *); + + if (sm_list[list_index] != NULL) + list_index++; + + } + + va_end(ap); + + SigMatch *sm[list_index]; + int sm_entries = 0; + for (i = 0; sm_entries < list_index; i++) { + sm[sm_entries] = SigMatchGetLastSM(sm_list[i], sm_type[i]); + if (sm[sm_entries] != NULL) + sm_entries++; + } + + if (sm_entries == 0) + return NULL; + + SigMatch *temp_sm = NULL; + for (i = 1; i < sm_entries; i++) { + for (j = i - 1; j >= 0; j--) { + if (sm[j + 1]->idx > sm[j]->idx) { + temp_sm = sm[j + 1]; + sm[j + 1] = sm[j]; + sm[j] = temp_sm; + continue; + } + break; + } + } + + return sm[0]; +} + void SigParsePrepare(void) { char *regexstr = CONFIG_PCRE; const char *eb; 
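Review bot: The second loop in SigMatchGetLastSMFromLists, `for (i = 0; sm_entries < list_index; i++)`, is bounded by the number of hits rather than by `i`. As soon as one list has no entry of the requested type, `i` walks past the filled part of `sm_list`/`sm_type` and then past the end of both arrays. A DCERPC rule whose dmatch list holds only a pcre before `offset` or `within` would reach this with `list_index == 1` and read `sm_list[1]` while the signature is being parsed. Bound the loop on the index, `for (i = 0; i < list_index; i++)`, and return NULL early when `args <= 0` or `list_index == 0`, since both cases otherwise declare a zero-length VLA (`sm_list[args / 2]`, `sm[list_index]`). The function also has no doc comment describing the (type, list tail) pairing expected in the variadic arguments.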
diff --git a/src/detect-parse.h b/src/detect-parse.h index 820dd91d50..98027e5ca1 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -45,6 +45,7 @@ Signature *SigAlloc(void); void SigFree(Signature *s); Signature *SigInit(DetectEngineCtx *,char *sigstr); SigMatch *SigMatchGetLastSM(SigMatch *, uint8_t); +SigMatch *SigMatchGetLastSMFromLists(Signature *, int, ...); void SigParsePrepare(void); void SigParseRegisterTests(void); @@ -55,6 +56,7 @@ void SigMatchReplaceContent(Signature *, SigMatch *, SigMatch *); void SigMatchReplaceContentToUricontent(Signature *, SigMatch *, SigMatch *); void SigMatchAppendPayload(Signature *, SigMatch *); +void SigMatchAppendDcePayload(Signature *, SigMatch *); void SigMatchAppendPacket(Signature *, SigMatch *); void SigMatchAppendUricontent(Signature *, SigMatch *); void SigMatchAppendAppLayer(Signature *, SigMatch *); diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 7c15b64c37..178e5164f8 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
@@ -449,6 +449,99 @@ int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Sign SCReturnInt(ret); } +/** + * \brief Match a regex on data sent as arg. + * + * \param det_ctx Thread detection ctx. + * \param s Signature. + * \param sm SigMatch to match against. + * \param data Data to match against. + * \param data_len Data length. + * + * \retval 1: match + * \retval 0: no match + */ +int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, + SigMatch *sm, Packet *p, uint8_t *data, + uint16_t data_len) +{ + SCEnter(); + +#define MAX_SUBSTRINGS 30 + int ret = 0; + int ov[MAX_SUBSTRINGS]; + uint8_t *ptr = NULL; + uint16_t len = 0; + + if (data_len == 0) + SCReturnInt(0); + + DetectPcreData *pe = (DetectPcreData *)sm->ctx; + + /* If we want to inspect the http body, we will use HTP L7 parser */ + if (pe->flags & DETECT_PCRE_HTTP_BODY_AL) + SCReturnInt(0); + + if (s->flags & SIG_FLAG_RECURSIVE) { + ptr = data + det_ctx->payload_offset; + len = data_len - det_ctx->payload_offset; + } else if (pe->flags & DETECT_PCRE_RELATIVE) { + ptr = data + det_ctx->payload_offset; + len = data_len - det_ctx->payload_offset; + if (ptr == NULL || len == 0) + SCReturnInt(0); + } else { + ptr = data; + len = data_len; + } + + /* run the actual pcre detection */ + ret = pcre_exec(pe->re, pe->sd, (char *)ptr, len, 0, 0, ov, MAX_SUBSTRINGS); + SCLogDebug("ret %d (negating %s)", ret, pe->negate ? "set" : "not set"); + + if (ret == PCRE_ERROR_NOMATCH) { + if (pe->negate == 1) { + /* regex didn't match with negate option means we + * consider it a match */ + ret = 1; + } else { + ret = 0; + } + } else if (ret >= 0) { + if (pe->negate == 1) { + /* regex matched but we're negated, so not + * considering it a match */ + ret = 0; + } else { + /* regex matched and we're not negated, + * considering it a match */ + + /* see if we need to do substring capturing. 
*/ + if (ret > 1 && pe->capidx != 0) { + const char *str_ptr; + ret = pcre_get_substring((char *)ptr, ov, MAX_SUBSTRINGS, 1, &str_ptr); + if (ret) { + if (pe->flags & DETECT_PCRE_CAPTURE_PKT) { + PktVarAdd(p, pe->capname, (uint8_t *)str_ptr, ret); + } else if (pe->flags & DETECT_PCRE_CAPTURE_FLOW) { + FlowVarAddStr(p->flow, pe->capidx, (uint8_t *)str_ptr, ret); + } + } + } + + /* update offset for pcre RELATIVE */ + det_ctx->payload_offset = (ptr + ov[1]) - data; + + ret = 1; + } + + } else { + SCLogDebug("pcre had matching error"); + ret = 0; + } + SCReturnInt(ret); +} + /** * \brief DetectPcreMatch will try to match a regex on a single packet; * DetectPcreALMatch is used if we parse the option 'P' @@ -494,7 +587,8 @@ DetectPcreData *DetectPcreParse (char *regexstr) pos++; } - ret = pcre_exec(parse_regex, parse_regex_study, regexstr+pos, slen-pos, 0, 0, ov, MAX_SUBSTRINGS); + ret = pcre_exec(parse_regex, parse_regex_study, regexstr + pos, slen-pos, + 0, 0, ov, MAX_SUBSTRINGS); if (ret < 0) { SCLogError(SC_ERR_PCRE_MATCH, "parse error"); goto error; @@ -502,7 +596,8 @@ DetectPcreData *DetectPcreParse (char *regexstr) if (ret > 1) { const char *str_ptr; - res = pcre_get_substring((char *)regexstr+pos, ov, MAX_SUBSTRINGS, 1, &str_ptr); + res = pcre_get_substring((char *)regexstr + pos, ov, MAX_SUBSTRINGS, + 1, &str_ptr); if (res < 0) { SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); return NULL; @@ -510,7 +605,8 @@ DetectPcreData *DetectPcreParse (char *regexstr) re = (char *)str_ptr; if (ret > 2) { - res = pcre_get_substring((char *)regexstr+pos, ov, MAX_SUBSTRINGS, 2, &str_ptr); + res = pcre_get_substring((char *)regexstr + pos, ov, MAX_SUBSTRINGS, + 2, &str_ptr); if (res < 0) { SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed"); return NULL; 
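Review bot: DetectPcrePayloadDoMatch computes `len = data_len - det_ctx->payload_offset` in the recursive and relative branches without first checking that the offset lies within `data_len`. `len` is a `uint16_t`, so a larger offset wraps to a large length and pcre_exec is handed a range beyond the buffer; add `if (det_ctx->payload_offset > data_len) SCReturnInt(0);` before the pointer arithmetic. The capture path tests `if (ret)` on the result of pcre_get_substring, which is negative on failure and would then reach PktVarAdd/FlowVarAddStr as a length; `if (ret > 0)` is the safer test. This commit also adds `dce_payload_offset` to the thread context, yet this function reads and writes `payload_offset`, so it is worth confirming which one the DCE caller expects, since that caller is not in this hunk. The `\param` list omits `p`.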
@@ -705,10 +801,28 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SigMatch *sm = NULL; pd = DetectPcreParse(regexstr); - if (pd == NULL) goto error; + if (pd == NULL) + goto error; + + /* check pcre modifiers against the signature alproto. In case they conflict + * chuck out invalid signature */ + switch (s->alproto) { + case ALPROTO_DCERPC: + if ( (pd->flags & DETECT_PCRE_URI) || + (pd->flags & DETECT_PCRE_HTTP_BODY_AL) ) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " + "DCERPC rule has pcre keyword with http related modifier."); + goto error; + } + break; + + default: + break; + } pd = DetectPcreParseCapture(regexstr, de_ctx, pd); - if (pd == NULL) goto error; + if (pd == NULL) + goto error; sm = SigMatchAlloc(); if (sm == NULL) @@ -726,9 +840,19 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst SigMatchAppendAppLayer(s, sm); } else { - SigMatchAppendPayload(s, sm); - } + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + SigMatchAppendDcePayload(s, sm); + break; + default: + SigMatchAppendPayload(s, sm); + break; + } + } SCReturnInt(0); 
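Review bot: The DCERPC branches in DetectPcreSetup (the modifier check here and the `SigMatchAppendDcePayload` choice in the `@@ -726,9 +840,19 @@` hunk) depend on `s->alproto` already being ALPROTO_DCERPC when the pcre keyword is parsed. Nothing visible in this patch shows where alproto is assigned, and every added unit test places `dce_iface` first, so a rule with the pcre ahead of the DCE keyword may skip the check and land in `pmatch`, to be inspected against the packet payload instead of the stub data. If keyword order is a requirement, state it at the switch, e.g. `/* relies on the DCE keyword having been parsed before this one */`, or reject or relocate such matches when the signature is finalised. The same applies to the alproto switches added to DetectIsdataatSetup, DetectOffsetSetup and DetectWithinSetup.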
@@ -911,6 +1035,135 @@ static int DetectPcreParseTest09 (void) { return result; } +int DetectPcreParseTest10(void) +{ + Signature *s = SigAlloc(); + int result = 1; + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + result = 0; + goto end; + } + + s->alproto = ALPROTO_DCERPC; + + result &= (DetectPcreSetup(de_ctx, s, "/bamboo/") == 0); + result &= (s->dmatch != NULL); + + SigFree(s); + + s = SigAlloc(); + /* failure since we have no preceding content/pcre/bytejump */ + result &= (DetectPcreSetup(de_ctx, s, "/bamboo/") == 0); + result &= (s->dmatch == NULL); + result &= (s->pmatch != NULL); + + end: + SigFree(s); + DetectEngineCtxFree(de_ctx); + + return result; +} + +int DetectPcreParseTest11(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + DetectPcreData *data = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "pcre:/bamboo/; sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + s = de_ctx->sig_list; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_PCRE); + data = (DetectPcreData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_PCRE_RAWBYTES || + data->flags & DETECT_PCRE_RELATIVE || + data->flags & DETECT_PCRE_URI) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "pcre:/bamboo/R; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_PCRE); + data = (DetectPcreData *)s->dmatch_tail->ctx; + if (data->flags & DETECT_PCRE_RAWBYTES || + 
!(data->flags & DETECT_PCRE_RELATIVE) || + data->flags & DETECT_PCRE_URI) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " + "pcre:/bamboo/RB; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + result &= (s->dmatch_tail->type == DETECT_PCRE); + data = (DetectPcreData *)s->dmatch_tail->ctx; + if (!(data->flags & DETECT_PCRE_RAWBYTES) || + !(data->flags & DETECT_PCRE_RELATIVE) || + data->flags & DETECT_PCRE_URI) { + result = 0; + goto end; + } + + s->next = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "content:one; pcre:/bamboo/; sid:1;)"); + if (s->next == NULL) { + result = 0; + goto end; + } + s = s->next; + if (s->dmatch_tail != NULL) { + result = 0; + goto end; + } + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + static int DetectPcreTestSig01Real(int mpm_type) { uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n" @@ -1435,6 +1688,8 @@ void DetectPcreRegisterTests(void) { UtRegisterTest("DetectPcreParseTest07", DetectPcreParseTest07, 1); UtRegisterTest("DetectPcreParseTest08", DetectPcreParseTest08, 1); UtRegisterTest("DetectPcreParseTest09", DetectPcreParseTest09, 1); + UtRegisterTest("DetectPcreParseTest10", DetectPcreParseTest10, 1); + UtRegisterTest("DetectPcreParseTest11", DetectPcreParseTest11, 1); UtRegisterTest("DetectPcreTestSig01B2g -- pcre test", DetectPcreTestSig01B2g, 1); UtRegisterTest("DetectPcreTestSig01B3g -- pcre test", DetectPcreTestSig01B3g, 1); UtRegisterTest("DetectPcreTestSig01Wm -- pcre test", DetectPcreTestSig01Wm, 1); diff --git a/src/detect-pcre.h b/src/detect-pcre.h index 28668980ff..e0bff1c450 100644 --- a/src/detect-pcre.h +++ b/src/detect-pcre.h 
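Review bot: In DetectPcreParseTest11 the `de_ctx == NULL` path jumps to `end` with `result` still 1, so a failed DetectEngineCtxInit() is reported as a pass and NULL is handed to SigGroupCleanup, SigCleanSignatures and DetectEngineCtxFree; set `result = 0;` before that `goto end;` and guard the cleanup. DetectIsdataatTestParse05 has the same pattern, and DetectPcreParseTest10 and DetectIsdataatTestParse04 dereference the SigAlloc() result unchecked. In DetectPcreParseTest10 the comment `/* failure since we have no preceding content/pcre/bytejump */` sits above an assertion that expects success; `/* non-DCERPC signature: pcre must land in pmatch, not dmatch */` would match the checks. The new tests are also non-static, unlike DetectPcreParseTest09, and lack the `\test` comment the existing tests carry.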
@@ -50,6 +50,9 @@ typedef struct DetectPcreData_ { /* prototypes */ int DetectPcrePayloadMatch(DetectEngineThreadCtx *, Signature *, SigMatch *, Packet *, Flow *, uint8_t *, uint32_t); int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); +//int DetectPcrePayloadMatch(DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); +int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *, Signature *, SigMatch *, + Packet *, uint8_t *, uint16_t); void DetectPcreRegister (void); #endif /* __DETECT_PCRE_H__ */ diff --git a/src/detect-uricontent.c b/src/detect-uricontent.c index 34b92c71a8..765ae51717 100644 --- a/src/detect-uricontent.c +++ b/src/detect-uricontent.c @@ -333,6 +333,12 @@ int DetectUricontentSetup (DetectEngineCtx *de_ctx, Signature *s, char *contents SCEnter(); SigMatch *sm = NULL; + + if (s->alproto == ALPROTO_DCERPC) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "uri content specified in a dcerpc sig"); + goto error; + } + DetectUricontentData *cd = DoDetectUricontentSetup(contentstr); if (cd == NULL) goto error; @@ -1132,7 +1138,7 @@ static int DetectUriSigTest04(void) { s->pmatch == NULL || ((DetectContentData*) s->pmatch->ctx)->depth != 10 || ((DetectContentData*) s->pmatch->ctx)->offset != 5 || - ((DetectContentData*) s->umatch_tail->ctx)->within != 30 || + ((DetectUricontentData*) s->umatch_tail->ctx)->within != 30 || s->match != NULL) { printf("sig 8 failed to parse: "); diff --git a/src/detect-within.c b/src/detect-within.c index 2c0f3b1632..e804c05628 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -32,6 +32,8 @@ #include "detect-content.h" #include "detect-uricontent.h" #include "detect-bytejump.h" +#include "app-layer.h" +#include "detect-parse.h" #include "flow-var.h" 
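Review bot: The new DCERPC rejection in DetectUricontentSetup does `goto error` before `DetectUricontentData *cd = DoDetectUricontentSetup(contentstr);` has executed, so `cd` holds an indeterminate value at the `error` label. The label is outside this hunk; if it frees `cd`, in the way the error label of DetectIsdataatSetup in this patch frees its locals, this path would free a garbage pointer whenever a rule combines uricontent with a DCERPC signature. Declare `DetectUricontentData *cd = NULL;` above the check and assign it afterwards, or leave the check with `SCReturnInt(-1);` instead of the shared label.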
@@ -63,6 +65,8 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi { char *str = withinstr; char dubbed = 0; + SigMatch *match_tail = NULL; + SigMatch *pm = NULL; /* strip "'s */ if (withinstr[0] == '\"' && withinstr[strlen(withinstr)-1] == '\"') { @@ -71,14 +75,35 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi dubbed = 1; } - /** Search for the first previous DetectContent - * SigMatch (it can be the same as this one) */ - SigMatch *pm = SigMatchGetLastPattern(s); - if (pm == NULL) { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "depth needs" - "two preceeding content or uricontent options"); - if (dubbed) SCFree(str); - return -1; + switch (s->alproto) { + case ALPROTO_DCERPC: + /* If we have a signature that is related to dcerpc, then we add the + * sm to Signature->dmatch. All content inspections for a dce rpc + * alproto is done inside detect-engine-dcepayload.c */ + pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->dmatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs" + "preceeding content options for this dcerpc sig"); + if (dubbed) + SCFree(str); + return -1; + } + + break; + + default: + pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->pmatch_tail, + DETECT_URICONTENT, s->umatch_tail); + if (pm == NULL) { + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs" + "preceeding content or uricontent option"); + if (dubbed) + SCFree(str); + return -1; + } + + break; } DetectUricontentData *ud = NULL; 
@@ -152,17 +177,27 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi } } - pm = SigMatchGetLastSM(s->pmatch_tail->prev, DETECT_CONTENT); - if (pm != NULL) { + switch (s->alproto) { + case ALPROTO_DCERPC: + match_tail = s->dmatch_tail; + break; + + default: + match_tail = s->pmatch_tail; + break; + } + + if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_CONTENT)) != NULL) { /* Set the relative next flag on the prev sigmatch */ cd = (DetectContentData *)pm->ctx; if (cd == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" - "previous keyword!"); + "previous keyword!"); goto error; } cd->flags |= DETECT_CONTENT_RELATIVE_NEXT; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_PCRE)) != NULL) { + + } else if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_PCRE)) != NULL) { DetectPcreData *pe = NULL; pe = (DetectPcreData *) pm->ctx; if (pe == NULL) { @@ -170,9 +205,8 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi goto error; } pe->flags |= DETECT_PCRE_RELATIVE; - } else if ((pm = SigMatchGetLastSM(s->pmatch_tail, DETECT_BYTEJUMP)) - != NULL) - { + + } else if ( (pm = SigMatchGetLastSM(match_tail->prev, DETECT_BYTEJUMP)) != NULL) { DetectBytejumpData *data = NULL; data = (DetectBytejumpData *) pm->ctx; if (data == NULL) { 
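Review bot: The search for the keyword that receives the relative flag starts at `match_tail->prev`, which is the predecessor of the content being modified only when that content is the last entry of the list. Comments elsewhere in this patch describe SigMatchGetLastSM as able to return the node it is given, so with another keyword between the content and `within` the call may return the modified content itself and flag it instead of the match before it. `pm` appears to point at the modified content at this stage (the enclosing `switch` starts outside the hunk, so this is inferred). Starting from that content's `prev`, kept in a separate variable because `pm` is overwritten in the condition, would not depend on list position. `match_tail` is also dereferenced without a NULL check, although the earlier lookup seems to rule that out on the content path.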
@@ -180,25 +214,31 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi goto error; } data->flags |= DETECT_BYTEJUMP_RELATIVE; + } else { - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two" - " preceeding content or uricontent options"); + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two " + "preceeding content or uricontent options"); goto error; } break; default: - SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two preceeding content or uricontent options"); - if (dubbed) SCFree(str); + SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs two " + "preceeding content or uricontent options"); + if (dubbed) + SCFree(str); return -1; break; } - if (dubbed) SCFree(str); + if (dubbed) + SCFree(str); return 0; + error: - if (dubbed) SCFree(str); + if (dubbed) + SCFree(str); return -1; } @@ -234,10 +274,33 @@ end: return result; } + +int DetectWithinTestPacket02 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Zero Five Ten Fourteen"; + uint16_t buflen = strlen((char *)buf); + Packet *p; + p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); + + if (p == NULL) + goto end; + + char sig[] = "alert tcp any any -> any any (msg:\"pcre with within " + "modifier\"; content:Five; content:Ten; within:3; distance:1; sid:1;)"; + + result = UTHPacketMatchSig(p, sig); + + UTHFreePacket(p); +end: + return result; +} + + #endif /* UNITTESTS */ void DetectWithinRegisterTests(void) { #ifdef UNITTESTS UtRegisterTest("DetectWithinTestPacket01", DetectWithinTestPacket01, 1); + UtRegisterTest("DetectWithinTestPacket02", DetectWithinTestPacket02, 1); #endif /* UNITTESTS */ -} +} \ No newline at end of file diff --git a/src/detect.c b/src/detect.c index a44891351d..0f5ea90a28 100644 --- a/src/detect.c +++ b/src/detect.c @@ -43,6 +43,7 @@ #include "detect-engine-threshold.h" #include "detect-engine-payload.h" +#include "detect-engine-dcepayload.h" #include "detect-engine-uri.h" #include "detect-engine-state.h" 
@@ -817,6 +818,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh goto next; } } + /* Check the dce keywords here */ + if (s->dmatch != NULL) { + if (DetectEngineInspectDcePayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) + goto next; + } + /* if we get here but have no sigmatches to match against, * we consider the sig matched. */ diff --git a/src/detect.h b/src/detect.h index 30e5a4d0e9..0518273c4e 100644 --- a/src/detect.h +++ b/src/detect.h @@ -258,6 +258,8 @@ typedef struct Signature_ { struct SigMatch_ *umatch_tail; /* uricontent payload matches, tail of the list */ struct SigMatch_ *amatch; /* general app layer matches */ struct SigMatch_ *amatch_tail; /* general app layer matches, tail of the list */ + struct SigMatch_ *dmatch; /* dce app layer matches */ + struct SigMatch_ *dmatch_tail; /* dce app layer matches, tail of the list */ /** ptr to the next sig in the list */ struct Signature_ *next; @@ -466,6 +468,14 @@ typedef struct DetectionEngineThreadCtx_ { * uricontent */ uint32_t uricontent_payload_offset; + /* dce stub data */ + uint8_t *dce_stub_data; + /* dce stub data len */ + uint32_t dce_stub_data_len; + /* offset into the payload of the last match for dce related sigmatches, + * stored in Signature->dmatch, by content, pcre, etc */ + uint32_t dce_payload_offset; + /** recursive counter */ uint8_t pkt_cnt; diff --git a/src/stream-tcp-reassemble.h b/src/stream-tcp-reassemble.h index aa5e7846eb..a937bb1ba2 100644 --- a/src/stream-tcp-reassemble.h +++ b/src/stream-tcp-reassemble.h @@ -28,6 +28,7 @@ #include "stream-tcp-private.h" #include "stream.h" #include "app-layer-detect-proto.h" +#include "stream-tcp-private.h" /** Supported OS list and default OS policy is BSD */ enum diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 2be2783ba7..ce7bc71df8 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c 
@@ -55,16 +55,6 @@ //#define DEBUG -typedef struct StreamTcpThread_ { - uint64_t pkts; - - uint16_t counter_tcp_sessions; - /** sessions not picked up because memcap was reached */ - uint16_t counter_tcp_ssn_memcap; - - TcpReassemblyThreadCtx *ra_ctx; /**< tcp reassembly thread data */ -} StreamTcpThread; - TmEcode StreamTcp (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); TmEcode StreamTcpThreadInit(ThreadVars *, void *, void **); TmEcode StreamTcpThreadDeinit(ThreadVars *, void *); @@ -2520,7 +2510,7 @@ static int StreamTcpPacketStateTimeWait(ThreadVars *tv, Packet *p, } /* flow is and stays locked */ -static int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt) +int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt) { SCEnter(); TcpSession *ssn = (TcpSession *)p->flow->protoctx; diff --git a/src/stream-tcp.h b/src/stream-tcp.h index 28302e2b76..87bdc94caf 100644 --- a/src/stream-tcp.h +++ b/src/stream-tcp.h @@ -29,6 +29,11 @@ #define COUNTER_STREAMTCP_STREAMS 1 +#include "app-layer-detect-proto.h" +#include "util-mpm.h" +#include "stream.h" +#include "stream-tcp-reassemble.h" + #define STREAM_VERBOSE FALSE /*global flow data*/ typedef struct TcpStreamCnf_ { @@ -39,6 +44,16 @@ typedef struct TcpStreamCnf_ { int async_oneside; } TcpStreamCnf; +typedef struct StreamTcpThread_ { + uint64_t pkts; + + uint16_t counter_tcp_sessions; + /** sessions not picked up because memcap was reached */ + uint16_t counter_tcp_ssn_memcap; + + TcpReassemblyThreadCtx *ra_ctx; /**< tcp reassembly thread data */ +} StreamTcpThread; + TcpStreamCnf stream_config; void TmModuleStreamTcpRegister (void); void StreamTcpInitConfig (char); @@ -49,5 +64,7 @@ void StreamTcpIncrMemuse(uint32_t); void StreamTcpDecrMemuse(uint32_t); int StreamTcpCheckMemcap(uint32_t); +int StreamTcpPacket (ThreadVars *, Packet *, StreamTcpThread *); + #endif /* __STREAM_TCP_H__ */ 
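Review bot: StreamTcpPacket loses `static` and gains a prototype in stream-tcp.h, but the only statement of its precondition, the `/* flow is and stays locked */` comment, stays in the .c file. Put that contract on the exported declaration, e.g. `/* flow of p is expected to be locked by the caller and stays locked */`, and note why the symbol is exported, since no caller is visible in this chunk. Moving StreamTcpThread into the header exposes the reassembly thread context to every includer; if only unit tests need either symbol, an `#ifdef UNITTESTS` guard around both would keep the exported surface smaller.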
diff --git a/src/suricata-common.h b/src/suricata-common.h index 0d367235ab..edf9dcb0f8 100644 --- a/src/suricata-common.h +++ b/src/suricata-common.h @@ -34,6 +34,7 @@ #include #include +#include #include #include #include diff --git a/src/suricata.c b/src/suricata.c index 6f540c11f8..69507032b3 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -50,6 +50,7 @@ #include "detect-engine-mpm.h" #include "detect-engine-sigorder.h" #include "detect-engine-payload.h" +#include "detect-engine-dcepayload.h" #include "detect-engine-state.h" #include "tm-queuehandlers.h" @@ -875,6 +876,7 @@ int main(int argc, char **argv) SCCudaRegisterTests(); #endif PayloadRegisterTests(); + DcePayloadRegisterTests(); #ifdef PROFILING SCProfilingRegisterTests(); #endif