You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
suricata/src/detect-dce-opnum.c

2913 lines
110 KiB
C

/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*
* Implements dce_opnum keyword
*/
#include "suricata-common.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "app-layer.h"
#include "app-layer-dcerpc.h"
#include "queue.h"
#include "stream-tcp-reassemble.h"
#include "detect-dce-opnum.h"
#include "detect-dce-iface.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "stream-tcp.h"
#define PARSE_REGEX "^\\s*([0-9]{1,5}(\\s*-\\s*[0-9]{1,5}\\s*)?)(,\\s*[0-9]{1,5}(\\s*-\\s*[0-9]{1,5})?\\s*)*$"
static pcre *parse_regex = NULL;
static pcre_extra *parse_regex_study = NULL;
static int DetectDceOpnumMatch(ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, void *, void *,
const Signature *, const SigMatchCtx *);
static int DetectDceOpnumSetup(DetectEngineCtx *, Signature *, const char *);
static void DetectDceOpnumFree(void *);
static void DetectDceOpnumRegisterTests(void);
static int g_dce_generic_list_id = 0;
/**
* \brief Registers the keyword handlers for the "dce_opnum" keyword.
*/
void DetectDceOpnumRegister(void)
{
sigmatch_table[DETECT_DCE_OPNUM].name = "dce_opnum";
sigmatch_table[DETECT_DCE_OPNUM].Match = NULL;
sigmatch_table[DETECT_DCE_OPNUM].AppLayerTxMatch = DetectDceOpnumMatch;
sigmatch_table[DETECT_DCE_OPNUM].Setup = DetectDceOpnumSetup;
sigmatch_table[DETECT_DCE_OPNUM].Free = DetectDceOpnumFree;
sigmatch_table[DETECT_DCE_OPNUM].RegisterTests = DetectDceOpnumRegisterTests;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_dce_generic_list_id = DetectBufferTypeRegister("dce_generic");
}
/**
* \internal
* \brief Creates and returns a new instance of DetectDceOpnumRange.
*
* \retval dor Pointer to the new instance DetectDceOpnumRange.
*/
static DetectDceOpnumRange *DetectDceOpnumAllocDetectDceOpnumRange(void)
{
DetectDceOpnumRange *dor = NULL;
if ( (dor = SCMalloc(sizeof(DetectDceOpnumRange))) == NULL)
return NULL;
memset(dor, 0, sizeof(DetectDceOpnumRange));
dor->range1 = dor->range2 = DCE_OPNUM_RANGE_UNINITIALIZED;
return dor;
}
/**
* \internal
* \brief Parses the argument sent along with the "dce_opnum" keyword.
*
* \param arg Pointer to the string containing the argument to be parsed.
*
* \retval did Pointer to a DetectDceIfaceData instance that holds the data
* from the parsed arg.
*/
static DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
{
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
DetectDceOpnumRange *prev_dor = NULL;
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
const char *pcre_sub_str = NULL;
char *dup_str = NULL;
char *dup_str_temp = NULL;
char *dup_str_head = NULL;
char *comma_token = NULL;
char *hyphen_token = NULL;
if (arg == NULL) {
goto error;
}
ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov,
MAX_SUBSTRINGS);
if (ret < 2) {
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, arg);
goto error;
}
res = pcre_get_substring(arg, ov, MAX_SUBSTRINGS, 0, &pcre_sub_str);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
if ( (dod = SCMalloc(sizeof(DetectDceOpnumData))) == NULL)
goto error;
memset(dod, 0, sizeof(DetectDceOpnumData));
if ( (dup_str = SCStrdup(pcre_sub_str)) == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
goto error;
}
/* free the substring */
pcre_free_substring(pcre_sub_str);
/* keep a copy of the strdup string in dup_str_head so that we can free it
* once we are done using it */
dup_str_head = dup_str;
dup_str_temp = dup_str;
while ( (comma_token = index(dup_str, ',')) != NULL) {
comma_token[0] = '\0';
dup_str = comma_token + 1;
dor = DetectDceOpnumAllocDetectDceOpnumRange();
if (dor == NULL)
goto error;
if (prev_dor == NULL) {
prev_dor = dor;
dod->range = dor;
} else {
prev_dor->next = dor;
prev_dor = dor;
}
if ((hyphen_token = index(dup_str_temp, '-')) != NULL) {
hyphen_token[0] = '\0';
hyphen_token++;
dor->range1 = atoi(dup_str_temp);
if (dor->range1 > DCE_OPNUM_RANGE_MAX)
goto error;
dor->range2 = atoi(hyphen_token);
if (dor->range2 > DCE_OPNUM_RANGE_MAX)
goto error;
if (dor->range1 > dor->range2)
goto error;
}
dor->range1 = atoi(dup_str_temp);
if (dor->range1 > DCE_OPNUM_RANGE_MAX)
goto error;
dup_str_temp = dup_str;
}
dor = DetectDceOpnumAllocDetectDceOpnumRange();
if (dor == NULL)
goto error;
if (prev_dor == NULL) {
dod->range = dor;
} else {
prev_dor->next = dor;
}
if ( (hyphen_token = index(dup_str, '-')) != NULL) {
hyphen_token[0] = '\0';
hyphen_token++;
dor->range1 = atoi(dup_str);
if (dor->range1 > DCE_OPNUM_RANGE_MAX)
goto error;
dor->range2 = atoi(hyphen_token);
if (dor->range2 > DCE_OPNUM_RANGE_MAX)
goto error;
if (dor->range1 > dor->range2)
goto error;
}
dor->range1 = atoi(dup_str);
if (dor->range1 > DCE_OPNUM_RANGE_MAX)
goto error;
if (dup_str_head != NULL)
SCFree(dup_str_head);
return dod;
error:
if (dup_str_head != NULL)
SCFree(dup_str_head);
DetectDceOpnumFree(dod);
return NULL;
}
/**
* \brief App layer match function for the "dce_opnum" keyword.
*
* \param t Pointer to the ThreadVars instance.
* \param det_ctx Pointer to the DetectEngineThreadCtx.
* \param f Pointer to the flow.
* \param flags Pointer to the flags indicating the flow direction.
* \param state Pointer to the app layer state data.
* \param s Pointer to the Signature instance.
* \param m Pointer to the SigMatch.
*
* \retval 1 On Match.
* \retval 0 On no match.
*/
static int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state, void *txv,
const Signature *s, const SigMatchCtx *m)
{
SCEnter();
DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m;
DetectDceOpnumRange *dor = dce_data->range;
DCERPCState *dcerpc_state = DetectDceGetState(f->alproto, f->alstate);
if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow");
SCReturnInt(0);
}
for ( ; dor != NULL; dor = dor->next) {
if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
if (dor->range1 == dcerpc_state->dcerpc.dcerpcrequest.opnum) {
SCReturnInt(1);
}
} else {
if (dor->range1 <= dcerpc_state->dcerpc.dcerpcrequest.opnum &&
dor->range2 >= dcerpc_state->dcerpc.dcerpcrequest.opnum)
{
SCReturnInt(1);
}
}
}
SCReturnInt(0);
}
/**
* \brief Creates a SigMatch for the "dce_opnum" keyword being sent as argument,
* and appends it to the Signature(s).
*
* \param de_ctx Pointer to the detection engine context.
* \param s Pointer to signature for the current Signature being parsed
* from the rules.
* \param arg Pointer to the string holding the keyword value.
*
* \retval 0 on success, -1 on failure
*/
static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
DetectDceOpnumData *dod = NULL;
SigMatch *sm = NULL;
if (arg == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
"signature, option needs a value");
return -1;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
return -1;
dod = DetectDceOpnumArgParse(arg);
if (dod == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
"signature");
return -1;
}
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_DCE_OPNUM;
sm->ctx = (void *)dod;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
return 0;
error:
DetectDceOpnumFree(dod);
if (sm != NULL)
SCFree(sm);
return -1;
}
static void DetectDceOpnumFree(void *ptr)
{
DetectDceOpnumData *dod = ptr;
DetectDceOpnumRange *dor = NULL;
DetectDceOpnumRange *dor_temp = NULL;
if (dod != NULL) {
dor = dod->range;
while (dor != NULL) {
dor_temp = dor;
dor = dor->next;
SCFree(dor_temp);
}
SCFree(dod);
}
return;
}
/************************************Unittests*********************************/
#ifdef UNITTESTS
static int DetectDceOpnumTestParse01(void)
{
Signature *s = SigAlloc();
int result = 0;
result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-78") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513-6666") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12,26,62,61,6513--") == -1);
result &= (DetectDceOpnumSetup(NULL, s, "12-14,12,121,62-8") == -1);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
SigFree(s);
result &= 1;
}
return result;
}
static int DetectDceOpnumTestParse02(void)
{
Signature *s = SigAlloc();
int result = 0;
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
dor = dod->range;
result &= (dor->range1 == 12 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next == NULL);
} else {
result = 0;
}
end:
SigFree(s);
return result;
}
static int DetectDceOpnumTestParse03(void)
{
Signature *s = SigAlloc();
int result = 0;
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
dor = dod->range;
result &= (dor->range1 == 12 && dor->range2 == 24);
result &= (dor->next == NULL);
} else {
result = 0;
}
end:
SigFree(s);
return result;
}
static int DetectDceOpnumTestParse04(void)
{
Signature *s = SigAlloc();
int result = 0;
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
dor = dod->range;
result &= (dor->range1 == 12 && dor->range2 == 24);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 24 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 62 && dor->range2 == 72);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 623 && dor->range2 == 635);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 62 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 25 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 213 && dor->range2 == 235);
if (result == 0)
goto end;
} else {
result = 0;
}
end:
SigFree(s);
return result;
}
static int DetectDceOpnumTestParse05(void)
{
Signature *s = SigAlloc();
int result = 0;
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
dor = dod->range;
result &= (dor->range1 == 1 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 2 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 3 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 4 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 5 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 6 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 7 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
if (result == 0)
goto end;
} else {
result = 0;
}
end:
SigFree(s);
return result;
}
static int DetectDceOpnumTestParse06(void)
{
Signature *s = SigAlloc();
int result = 0;
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
dor = dod->range;
result &= (dor->range1 == 1 && dor->range2 == 2);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 3 && dor->range2 == 4);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 5 && dor->range2 == 6);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 7 && dor->range2 == 8);
if (result == 0)
goto end;
} else {
result = 0;
}
end:
SigFree(s);
return result;
}
static int DetectDceOpnumTestParse07(void)
{
Signature *s = SigAlloc();
int result = 0;
DetectDceOpnumData *dod = NULL;
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
if (s->sm_lists[g_dce_generic_list_id] != NULL) {
temp = s->sm_lists[g_dce_generic_list_id];
dod = (DetectDceOpnumData *)temp->ctx;
if (dod == NULL)
goto end;
dor = dod->range;
result &= (dor->range1 == 1 && dor->range2 == 2);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 3 && dor->range2 == 4);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 5 && dor->range2 == 6);
result &= (dor->next != NULL);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 7 && dor->range2 == 8);
if (result == 0)
goto end;
dor = dor->next;
result &= (dor->range1 == 9 && dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED);
if (result == 0)
goto end;
} else {
result = 0;
}
end:
SigFree(s);
return result;
}
/**
* \test Test a valid dce_opnum entry with a bind, bind_ack and a request.
*/
static int DetectDceOpnumTestParse08(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
DCERPCState *dcerpc_state = NULL;
int r = 0;
uint8_t dcerpc_bind[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_bindack[] = {
0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00
};
/* todo chop the request frag length and change the
* length related parameters in the frag */
uint8_t dcerpc_request[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x01, 0x02, 0x03, 0x04
};
uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
uint32_t dcerpc_request_len = sizeof(dcerpc_request);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_opnum:9; "
"sid:1;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOSERVER | STREAM_START, dcerpc_bind,
dcerpc_bind_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
SCLogDebug("no dcerpc state: ");
goto end;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOCLIENT, dcerpc_bindack,
dcerpc_bindack_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOSERVER | STREAM_EOF, dcerpc_request,
dcerpc_request_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
SCLogDebug("no dcerpc state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
/**
* \test Test a valid dce_opnum entry with only a request frag.
*/
static int DetectDceOpnumTestParse09(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
DCERPCState *dcerpc_state = NULL;
int r = 0;
/* todo chop the request frag length and change the
* length related parameters in the frag */
uint8_t dcerpc_request[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xec, 0x0c, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd4, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
0xe1, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe1, 0x03, 0x00, 0x00, 0x83, 0xc7, 0x0b, 0x47,
0x47, 0x47, 0x47, 0x81, 0x37, 0x22, 0xa5, 0x9b,
0x4a, 0x75, 0xf4, 0xa3, 0x61, 0xd3, 0xbe, 0xdd,
0x5a, 0xfb, 0x20, 0x1e, 0xfc, 0x10, 0x8e, 0x0f,
0xa5, 0x9f, 0x4a, 0x22, 0x20, 0x9b, 0xa8, 0xd5,
0xc4, 0xff, 0xc1, 0x3f, 0xbd, 0x9b, 0x4a, 0x22,
0x2e, 0xc0, 0x7a, 0xa9, 0xfe, 0x97, 0xc9, 0xe1,
0xa9, 0xf3, 0x2f, 0x22, 0xc9, 0x9b, 0x22, 0x50,
0xa5, 0xf5, 0x4a, 0x4a, 0xce, 0x9b, 0x2f, 0x22,
0x2e, 0x6f, 0xc1, 0xe1, 0xf3, 0xa8, 0x83, 0xa2,
0x64, 0x98, 0xc1, 0x62, 0xa1, 0xa0, 0x89, 0x56,
0xa8, 0x1b, 0x8b, 0x2b, 0x2e, 0xe3, 0x7a, 0xd1,
0x03, 0xef, 0x58, 0x7c, 0x4e, 0x7d, 0x14, 0x76,
0xfa, 0xc3, 0x7f, 0x02, 0xa5, 0xbb, 0x4a, 0x89,
0x47, 0x6c, 0x12, 0xc9, 0x70, 0x18, 0x8e, 0x3a,
0x2e, 0xcb, 0x52, 0xa9, 0x67, 0x98, 0x0a, 0x1e,
0x2e, 0xc3, 0x32, 0x21, 0x7f, 0x10, 0x31, 0x3e,
0xa6, 0x61, 0xc1, 0x61, 0x85, 0x98, 0x88, 0xa9,
0xee, 0x83, 0x22, 0x51, 0xd6, 0xda, 0x4a, 0x4a,
0xc1, 0xff, 0x38, 0x47, 0xcd, 0xe9, 0x25, 0x41,
0xe4, 0xf3, 0x0d, 0x47, 0xd1, 0xcb, 0xc1, 0xd6,
0x1e, 0x95, 0x4a, 0x22, 0xa5, 0x73, 0x08, 0x22,
0xa5, 0x9b, 0xc9, 0xe6, 0xb5, 0xcd, 0x22, 0x43,
0xd7, 0xe2, 0x0b, 0x4a, 0xe9, 0xf2, 0x28, 0x50,
0xcd, 0xd7, 0x25, 0x43, 0xc1, 0x10, 0xbe, 0x99,
0xa9, 0x9b, 0x4a, 0x22, 0x4d, 0xb8, 0x4a, 0x22,
0xa5, 0x18, 0x8e, 0x2e, 0xf3, 0xc9, 0x22, 0x4e,
0xc9, 0x9b, 0x4a, 0x4a, 0x96, 0xa9, 0x64, 0x46,
0xcd, 0xec, 0x39, 0x10, 0xfa, 0xcf, 0xb5, 0x76,
0x81, 0x8f, 0xc9, 0xe6, 0xa9, 0x10, 0x82, 0x7c,
0xff, 0xc4, 0xa1, 0x0a, 0xf5, 0xcc, 0x1b, 0x74,
0xf4, 0x10, 0x81, 0xa9, 0x9d, 0x98, 0xb0, 0xa1,
0x65, 0x9f, 0xb9, 0x84, 0xd1, 0x9f, 0x13, 0x7c,
0x47, 0x76, 0x12, 0x7c, 0xfc, 0x10, 0xbb, 0x09,
0x55, 0x5a, 0xac, 0x20, 0xfa, 0x10, 0x7e, 0x15,
0xa6, 0x69, 0x12, 0xe1, 0xf7, 0xca, 0x22, 0x57,
0xd5, 0x9b, 0x4a, 0x4a, 0xd1, 0xfa, 0x38, 0x56,
0xcd, 0xcc, 0x19, 0x63, 0xf6, 0xf3, 0x2f, 0x56,
0xa5, 0x9b, 0x22, 0x51, 0xca, 0xf8, 0x21, 0x48,
0xa5, 0xf3, 0x28, 0x4b, 0xcb, 0xff, 0x22, 0x47,
0xcb, 0x9b, 0x4a, 0x4a, 0xc9, 0xf2, 0x39, 0x56,
0xcd, 0xeb, 0x3e, 0x22, 0xa5, 0xf3, 0x2b, 0x41,
0xc6, 0xfe, 0xc1, 0xfe, 0xf6, 0xca, 0xc9, 0xe1,
0xad, 0xc8, 0x1b, 0xa1, 0x66, 0x93, 0x19, 0x73,
0x26, 0x58, 0x42, 0x71, 0xf4, 0x18, 0x89, 0x2a,
0xf6, 0xca, 0xb5, 0xf5, 0x2c, 0xd8, 0x42, 0xdd,
0x72, 0x12, 0x09, 0x26, 0x5a, 0x4c, 0xc3, 0x21,
0x5a, 0x4c, 0xc3, 0x61, 0x59, 0x64, 0x9d, 0xab,
0xe6, 0x63, 0xc9, 0xc9, 0xad, 0x10, 0xa9, 0xa3,
0x49, 0x0b, 0x4b, 0x22, 0xa5, 0xcf, 0x22, 0x23,
0xa4, 0x9b, 0x4a, 0xdd, 0x31, 0xbf, 0xe2, 0x23,
0xa5, 0x9b, 0xcb, 0xe6, 0x35, 0x9a, 0x4a, 0x22,
0xcf, 0x9d, 0x20, 0x23, 0xcf, 0x99, 0xb5, 0x76,
0x81, 0x83, 0x20, 0x22, 0xcf, 0x9b, 0x20, 0x22,
0xcd, 0x99, 0x4a, 0xe6, 0x96, 0x10, 0x96, 0x71,
0xf6, 0xcb, 0x20, 0x23, 0xf5, 0xf1, 0x5a, 0x71,
0xf5, 0x64, 0x1e, 0x06, 0x9d, 0x64, 0x1e, 0x06,
0x8d, 0x5c, 0x49, 0x32, 0xa5, 0x9b, 0x4a, 0xdd,
0xf1, 0xbf, 0x56, 0xa1, 0x61, 0xbf, 0x13, 0x78,
0xf4, 0xc9, 0x1a, 0x11, 0x77, 0xc9, 0x22, 0x51,
0xc0, 0xf5, 0x2e, 0xa9, 0x61, 0xc9, 0x22, 0x50,
0xc0, 0xf8, 0x3c, 0xa9, 0x71, 0xc9, 0x1b, 0x72,
0xf4, 0x64, 0x9d, 0xb1, 0x5a, 0x4c, 0xdf, 0xa1,
0x61, 0x8b, 0x12, 0x78, 0xfc, 0xc8, 0x1f, 0x72,
0x2e, 0x77, 0x1a, 0x42, 0xcf, 0x9f, 0x10, 0x72,
0x2e, 0x47, 0xa2, 0x63, 0xa5, 0x9b, 0x4a, 0x48,
0xa5, 0xf3, 0x26, 0x4e, 0xca, 0xf8, 0x22, 0x57,
0xc4, 0xf7, 0x0b, 0x4a, 0xf3, 0xf2, 0x38, 0x56,
0xf1, 0xcd, 0xb5, 0xf5, 0x26, 0x5f, 0x5a, 0x78,
0xf7, 0xf1, 0x0a, 0x4a, 0xa5, 0x8b, 0x4a, 0x22,
0xf7, 0xf1, 0x4a, 0xdd, 0x75, 0x12, 0x0e, 0x06,
0x81, 0xc1, 0xd9, 0xca, 0xb5, 0x9b, 0x4a, 0x22,
0xc4, 0xc0, 0xb5, 0xc1, 0xc5, 0xa8, 0x8a, 0x92,
0xa1, 0x73, 0x5c, 0x22, 0xa5, 0x9b, 0x2b, 0xe1,
0xc5, 0xc9, 0x19, 0x11, 0x65, 0x73, 0x40, 0x22,
0xa5, 0x9b, 0x11, 0x78, 0xa6, 0x43, 0x61, 0xf2,
0xd0, 0x74, 0x2b, 0xe1, 0x96, 0x52, 0x1b, 0x70,
0xf6, 0x64, 0x3f, 0x22, 0x5a, 0xcf, 0x4f, 0x26,
0x20, 0x5b, 0x34, 0x23, 0x66, 0x64, 0x1f, 0xd2,
0xa5, 0x9b, 0x4a, 0x22, 0xa5, 0x9b, 0x4a, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x54, 0x58,
0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d, 0x6f, 0x41,
0x3f, 0x3f, 0x2d, 0x6f, 0x41, 0x3f, 0x3f, 0x2d,
0x6f, 0x43, 0x42, 0x42, 0x50, 0x5f, 0x57, 0xc3,
0x33, 0x5f, 0x37, 0x74, 0x78, 0x78, 0x78, 0x78,
0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78, 0x78,
0xeb, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x53, 0x69, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x44, 0x73, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61,
0x73, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x44, 0x73, 0x4c, 0x6f, 0x67, 0x50, 0x61, 0x74,
0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x53, 0x79, 0x73, 0x74,
0x65, 0x6d, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65,
0x52, 0x6f, 0x6f, 0x74, 0x50, 0x61, 0x74, 0x68,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
0x6e, 0x74, 0x44, 0x6e, 0x73, 0x44, 0x6f, 0x6d,
0x61, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x00,
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x50, 0x61, 0x72, 0x65,
0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x41, 0x63, 0x63, 0x6f,
0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
0x72, 0x65, 0x66, 0x31, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x72, 0x65, 0x66, 0x32, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x01, 0x02, 0x03, 0x04
};
uint32_t dcerpc_request_len = sizeof(dcerpc_request);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_opnum:9; "
"sid:1;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
STREAM_TOSERVER | STREAM_START, dcerpc_request,
dcerpc_request_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
SCLogDebug("no dcerpc state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
/* Disabled because of bug_753. Would be enabled, once we rewrite
* dce parser */
#if 0
/**
* \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
* and multiple request/responses with a match test after each frag parsing.
*/
static int DetectDceOpnumTestParse10(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
DCERPCState *dcerpc_state = NULL;
int r = 0;
uint8_t dcerpc_bind[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31,
0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_bindack[] = {
0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xb8, 0x10, 0xb8, 0x10, 0x65, 0x8e, 0x00, 0x00,
0x0d, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
0x77, 0x69, 0x6e, 0x72, 0x65, 0x67, 0x00, 0x6d,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
0x00, 0x00, 0x00, 0x02,
};
uint8_t dcerpc_response1[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request2[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_response2[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request3[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_response3[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
};
uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"DCERPC\"; dce_opnum:2,15,22; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SCLogDebug("sending bind");
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
dcerpc_bind, dcerpc_bind_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc bind failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
SCLogDebug("no dcerpc state: ");
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SCLogDebug("sending bind_ack");
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
dcerpc_bindack, dcerpc_bindack_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SCLogDebug("sending request1");
/* request1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
dcerpc_request1, dcerpc_request1_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sig 1 didn't match, but should have: ");
goto end;
}
SCLogDebug("sending response1");
/* response1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
dcerpc_response1, dcerpc_response1_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sig 1 did match, shouldn't have on response1: ");
goto end;
}
/* request2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
dcerpc_request2, dcerpc_request2_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sig 1 didn't match, but should have on request2: ");
goto end;
}
/* response2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
dcerpc_response2, dcerpc_response2_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sig 1 did match, shouldn't have on response2: ");
goto end;
}
/* request3 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
dcerpc_request3, dcerpc_request3_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sig 1 didn't match, but should have on request3: ");
goto end;
}
/* response3 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
dcerpc_response3, dcerpc_response3_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sig 1 did match, shouldn't have on response2: ");
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerDestroyCtxThread(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
/**
* \test Test a valid dce_opnum entry(with multiple values) with multiple
* request/responses.
*/
static int DetectDceOpnumTestParse11(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
DCERPCState *dcerpc_state = NULL;
int r = 0;
uint8_t dcerpc_request1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
0x2c, 0xfd, 0xb5, 0x00, 0x40, 0xaa, 0x01, 0x00,
0x00, 0x00, 0x00, 0x02,
};
uint8_t dcerpc_response1[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request2[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xa4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf6, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x5c, 0x00, 0x5c, 0x00,
0xa8, 0xb9, 0x14, 0x00, 0x2e, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00,
0x53, 0x00, 0x4f, 0x00, 0x46, 0x00, 0x54, 0x00,
0x57, 0x00, 0x41, 0x00, 0x52, 0x00, 0x45, 0x00,
0x5c, 0x00, 0x4d, 0x00, 0x69, 0x00, 0x63, 0x00,
0x72, 0x00, 0x6f, 0x00, 0x73, 0x00, 0x6f, 0x00,
0x66, 0x00, 0x74, 0x00, 0x5c, 0x00, 0x57, 0x00,
0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
0x77, 0x00, 0x73, 0x00, 0x5c, 0x00, 0x43, 0x00,
0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00,
0x6e, 0x00, 0x74, 0x00, 0x56, 0x00, 0x65, 0x00,
0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00,
0x6e, 0x00, 0x5c, 0x00, 0x52, 0x00, 0x75, 0x00,
0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_response2[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x00, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request3[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x70, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf7, 0x72, 0x28, 0x9c,
0xf0, 0x57, 0xd8, 0x11, 0xb0, 0x05, 0x00, 0x0c,
0x29, 0x87, 0xea, 0xe9, 0x0c, 0x00, 0x0c, 0x00,
0x98, 0xda, 0x14, 0x00, 0x06, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
0x4f, 0x00, 0x73, 0x00, 0x61, 0x00, 0x33, 0x00,
0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x54, 0x00,
0x4f, 0x00, 0x53, 0x00, 0x41, 0x00, 0x33, 0x00,
0x32, 0x00, 0x2e, 0x00, 0x45, 0x00, 0x58, 0x00,
0x45, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_response3[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x1c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
};
uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
uint32_t dcerpc_request3_len = sizeof(dcerpc_request3);
uint32_t dcerpc_response3_len = sizeof(dcerpc_response3);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_opnum:2-22; "
"sid:1;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* request1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
dcerpc_request1, dcerpc_request1_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
printf("AppLayerParse for dcerpcrequest1 failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
SCLogDebug("no dcerpc state: ");
printf("no dcerpc state: ");
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
/* response1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
dcerpc_response1, dcerpc_response1_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
printf("AppLayerParse for dcerpcresponse1 failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
goto end;
/* request2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
dcerpc_request2, dcerpc_request2_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
printf("AppLayerParse for dcerpcrequest2 failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
/* response2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT,
dcerpc_response2, dcerpc_response2_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
printf("AppLayerParse for dcerpcresponse2 failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
goto end;
/* request3 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER,
dcerpc_request3, dcerpc_request3_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
printf("AppLayerParse for dcerpc request3 failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
/* response3 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF,
dcerpc_response3, dcerpc_response3_len);
if (r != 0) {
SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
printf("AppLayerParse for dcerpc response3 failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
goto end;
result = 1;
end:
if (alp_tctx != NULL)
AppLayerDestroyCtxThread(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
/**
* \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
* and multiple request/responses with a match test after each frag parsing.
*/
static int DetectDceOpnumTestParse12(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
DCERPCState *dcerpc_state = NULL;
int r = 0;
uint8_t dcerpc_bind[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_bindack[] = {
0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, //opnum is 0x28 0x00
0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x00, 0x00
};
uint8_t dcerpc_response1[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request2[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x4e, 0x6f, 0x6e, 0x65
};
uint8_t dcerpc_response2[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
};
uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"DCERPC\"; dce_opnum:30, 40; sid:1;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER | STREAM_START,
dcerpc_bind, dcerpc_bind_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_bindack,
dcerpc_bindack_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
/* request1 */
SCLogDebug("Sending request1");
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
dcerpc_request1_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
printf("dcerpc state holding invalid opnum. Holding %d, while we are "
"expecting 40: ", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("signature 1 didn't match, should have: ");
goto end;
}
/* response1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
dcerpc_response1_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
printf("dcerpc state holding invalid opnum. Holding %d, while we are "
"expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sig 1 matched on response 1, but shouldn't: ");
goto end;
}
/* request2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
dcerpc_request2_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
printf("dcerpc state holding invalid opnum. Holding %d, while we are "
"expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sig 1 didn't match on request 2: ");
goto end;
}
/* response2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
dcerpc_response2_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
printf("dcerpc state holding invalid opnum. Holding %d, while we are "
"expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sig 1 matched on response2, but shouldn't: ");
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerDestroyCtxThread(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
/**
* \test Test a valid dce_opnum(with multiple values) with a bind, bind_ack,
* and multiple request/responses with a match test after each frag parsing.
*/
static int DetectDceOpnumTestParse13(void)
{
int result = 0;
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
DCERPCState *dcerpc_state = NULL;
int r = 0;
uint8_t dcerpc_request1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
0xec, 0xaa, 0x9a, 0xd3, 0x01, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x40, 0x80, 0x40, 0x00,
0x44, 0x80, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x4d, 0x6f, 0x00, 0x4e,
0x61, 0x6d, 0x65, 0x00, 0x35, 0x39, 0x31, 0x63,
0x64, 0x30, 0x35, 0x38, 0x00, 0x00, 0x00, 0x00,
0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x17, 0x00, 0x00, 0x00, 0xd0, 0x2e, 0x08, 0x00,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x00, 0x00
};
uint8_t dcerpc_response1[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
};
uint8_t dcerpc_request2[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x54, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x9f, 0x13, 0xd9,
0x2d, 0x97, 0xf4, 0x4a, 0xac, 0xc2, 0xbc, 0x70,
0xec, 0xaa, 0x9a, 0xd3, 0x09, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x4e, 0x6f, 0x6e, 0x65
};
uint8_t dcerpc_response2[] = {
0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00,
0x8c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xd8, 0x17, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
0x58, 0x1d, 0x08, 0x00, 0xe8, 0x32, 0x08, 0x00,
0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x4d, 0x6f, 0x00, 0x4e, 0x61, 0x6d, 0x65, 0x00,
0x35, 0x39, 0x31, 0x63, 0x64, 0x30, 0x35, 0x38,
0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
0xd0, 0x2e, 0x08, 0x00, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
};
uint32_t dcerpc_request1_len = sizeof(dcerpc_request1);
uint32_t dcerpc_response1_len = sizeof(dcerpc_response1);
uint32_t dcerpc_request2_len = sizeof(dcerpc_request2);
uint32_t dcerpc_response2_len = sizeof(dcerpc_response2);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_DCERPC;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"DCERPC\"; "
"dce_opnum:30, 40; "
"sid:1;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* request1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request1,
dcerpc_request1_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
printf("dcerpc state holding invalid opnum after request1. Holding %d, while we are "
"expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
/* response1 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpc_response1,
dcerpc_response1_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 40) {
printf("dcerpc state holding invalid opnum after response1. Holding %d, while we are "
"expecting 40\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
goto end;
/* request2 */
printf("Sending Request2\n");
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpc_request2,
dcerpc_request2_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
printf("dcerpc state holding invalid opnum after request2. Holding %d, while we are "
"expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1))
goto end;
/* response2 */
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOCLIENT | STREAM_EOF, dcerpc_response2,
dcerpc_response2_len);
if (r != 0) {
printf("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
goto end;
}
dcerpc_state = f.alstate;
if (dcerpc_state == NULL) {
printf("no dcerpc state: ");
goto end;
}
if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 30) {
printf("dcerpc state holding invalid opnum after response2. Holding %d, while we are "
"expecting 30\n", dcerpc_state->dcerpc.dcerpcrequest.opnum);
goto end;
}
p->flowflags &=~ FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1))
goto end;
result = 1;
end:
if (alp_tctx != NULL)
AppLayerDestroyCtxThread(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}
#endif
#endif /* UNITTESTS */
static void DetectDceOpnumRegisterTests(void)
{
#ifdef UNITTESTS
UtRegisterTest("DetectDceOpnumTestParse01", DetectDceOpnumTestParse01);
UtRegisterTest("DetectDceOpnumTestParse02", DetectDceOpnumTestParse02);
UtRegisterTest("DetectDceOpnumTestParse03", DetectDceOpnumTestParse03);
UtRegisterTest("DetectDceOpnumTestParse04", DetectDceOpnumTestParse04);
UtRegisterTest("DetectDceOpnumTestParse05", DetectDceOpnumTestParse05);
UtRegisterTest("DetectDceOpnumTestParse06", DetectDceOpnumTestParse06);
UtRegisterTest("DetectDceOpnumTestParse07", DetectDceOpnumTestParse07);
UtRegisterTest("DetectDceOpnumTestParse08", DetectDceOpnumTestParse08);
UtRegisterTest("DetectDceOpnumTestParse09", DetectDceOpnumTestParse09);
/* Disabled because of bug_753. Would be enabled, once we rewrite
* dce parser */
#if 0
UtRegisterTest("DetectDceOpnumTestParse10", DetectDceOpnumTestParse10, 1);
UtRegisterTest("DetectDceOpnumTestParse11", DetectDceOpnumTestParse11, 1);
UtRegisterTest("DetectDceOpnumTestParse12", DetectDceOpnumTestParse12, 1);
UtRegisterTest("DetectDceOpnumTestParse13", DetectDceOpnumTestParse13, 1);
#endif
#endif
}