/* Copyright (C) 2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
18use std::mem::transmute;
a1e06247 20use crate::applayer::{AppLayerResult, AppLayerTxData};
21use crate::core;
22use crate::dcerpc::dcerpc::{
ba781265 23 DCERPCTransaction, DCERPC_TYPE_REQUEST, DCERPC_TYPE_RESPONSE, PFCL1_FRAG, PFCL1_LASTFRAG,
24};
25use crate::dcerpc::parser;
// Constant DCERPC UDP header length in bytes. Datagrams shorter than this are
// rejected before the header parser runs (see DCERPCUDPState::handle_input_data).
pub const DCERPC_UDP_HDR_LEN: i32 = 80;
/// Connectionless (UDP) DCERPC PDU header, as produced by
/// `parser::parse_dcerpc_udp_header`. Its encoded size is `DCERPC_UDP_HDR_LEN`.
#[derive(Debug)]
pub struct DCERPCHdrUdp {
    pub rpc_vers: u8,   // protocol version; this module only accepts 4
    pub pkt_type: u8,   // PDU type; only request and response are handled here
    pub flags1: u8,     // PFCL1_* flags; FRAG/LASTFRAG drive stub-data reassembly
    pub flags2: u8,
    pub drep: Vec<u8>,  // data representation; bit 0x10 of byte 0 is kept as endianness
    pub serial_hi: u8,
    pub objectuuid: Vec<u8>,
    pub interfaceuuid: Vec<u8>,
    pub activityuuid: Vec<u8>,  // together with seqnum, identifies the transaction a fragment belongs to
    pub server_boot: u32,
    pub if_vers: u32,
    pub seqnum: u32,
    pub opnum: u16,
    pub ihint: u16,
    pub ahint: u16,
    pub fraglen: u16,   // number of stub-data bytes that follow the header
    pub fragnum: u16,
    pub auth_proto: u8,
    pub serial_lo: u8,
}
/// Per-flow parser state for DCERPC over UDP.
#[derive(Debug)]
pub struct DCERPCUDPState {
    pub tx_id: u64,                             // next transaction id to hand out; equals the number created so far
    pub transactions: Vec<DCERPCTransaction>,   // live transactions; removed through free_tx
}
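impl DCERPCUDPState {
    /// Creates an empty state: no transactions, next transaction id 0.
    pub fn new() -> DCERPCUDPState {
        DCERPCUDPState {
            tx_id: 0,
            transactions: Vec::new(),
        }
    }

    /// Builds a transaction for the PDU described by `hdr` and assigns it the
    /// next free id. The transaction is keyed for later fragment matching by
    /// the header's `seqnum` and `activityuuid` (see `find_incomplete_tx`).
    ///
    /// Advances `self.tx_id`; the transaction is returned, not stored.
    fn create_tx(&mut self, hdr: &DCERPCHdrUdp) -> DCERPCTransaction {
        let mut tx = DCERPCTransaction::new();
        tx.id = self.tx_id;
        // Bit 0x10 of the first data-representation byte is kept as the
        // endianness marker. The parser is expected to always fill `drep`;
        // `first()` only avoids a panic on network input if it ever does not.
        tx.endianness = hdr.drep.first().map_or(0, |b| b & 0x10);
        tx.activityuuid = hdr.activityuuid.to_vec();
        tx.seqnum = hdr.seqnum;
        self.tx_id += 1;
        tx
    }

    /// Removes the transaction with id `tx_id`, if it is still tracked.
    ///
    /// Called from the C side once the engine is done with a transaction
    /// (`rs_dcerpc_udp_state_transaction_free`). Unknown ids are ignored.
    pub fn free_tx(&mut self, tx_id: u64) {
        SCLogDebug!("Freeing TX with ID {} TX.ID {}", tx_id, tx_id+1);
        if let Some(index) = self.transactions.iter().position(|tx| tx.id == tx_id) {
            SCLogDebug!("tx {} progress {}/{}", self.transactions[index].id,
                        self.transactions[index].req_done, self.transactions[index].resp_done);
            SCLogDebug!("freeing TX with ID {} TX.ID {} at index {} left: {} max id: {}",
                        tx_id, tx_id+1, index, self.transactions.len(), self.tx_id);
            self.transactions.remove(index);
        }
    }

    /// Looks up a transaction by its internal id (`DCERPCTransaction::id`).
    ///
    /// The C-side app-layer parser addresses transactions by this id, which is
    /// why the state keeps its own counter (`self.tx_id`) to hand ids out.
    ///
    /// Returns a mutable reference to the transaction, or `None` when no
    /// tracked transaction carries that id.
    pub fn get_tx(&mut self, tx_id: u64) -> Option<&mut DCERPCTransaction> {
        self.transactions.iter_mut().find(|tx| tx.id == tx_id)
    }

    /// Finds the transaction that the PDU described by `hdr` continues: same
    /// `seqnum` and `activityuuid`, and the side selected by `pkt_type`
    /// (request or response) has not yet seen its last fragment.
    ///
    /// Returns `None` for an unknown key, a side that is already complete, or
    /// a packet type other than request/response.
    fn find_incomplete_tx(&mut self, hdr: &DCERPCHdrUdp) -> Option<&mut DCERPCTransaction> {
        for tx in &mut self.transactions {
            if tx.seqnum != hdr.seqnum || tx.activityuuid != hdr.activityuuid {
                continue;
            }
            let side_open = match hdr.pkt_type {
                DCERPC_TYPE_REQUEST => !tx.req_done,
                DCERPC_TYPE_RESPONSE => !tx.resp_done,
                _ => false,
            };
            if side_open {
                SCLogDebug!("found tx id {}, last tx_id {}, {} {}", tx.id, self.tx_id, tx.seqnum, tx.activityuuid[0]);
                return Some(tx);
            }
        }
        None
    }

    /// Appends one fragment's stub data to the transaction it belongs to.
    ///
    /// `input` is the stub payload, already bounded to `hdr.fraglen` by the
    /// caller. A request fragment is appended to `stub_data_buffer_ts`, a
    /// response fragment to `stub_data_buffer_tc`; that side is marked done
    /// when the PDU is unfragmented (PFCL1_FRAG clear) or this is its last
    /// fragment (PFCL1_LASTFRAG set). A fragment that continues no open
    /// transaction starts a new one.
    ///
    /// Returns `false` only for a packet type other than request/response.
    pub fn handle_fragment_data(&mut self, hdr: &DCERPCHdrUdp, input: &[u8]) -> bool {
        if hdr.pkt_type != DCERPC_TYPE_REQUEST && hdr.pkt_type != DCERPC_TYPE_RESPONSE {
            SCLogDebug!("Unrecognized packet type");
            return false;
        }

        let done = (hdr.flags1 & PFCL1_FRAG) == 0 || (hdr.flags1 & PFCL1_LASTFRAG) != 0;

        // `slot` is reassigned before any use on the "create" path, so the
        // borrow from find_incomplete_tx does not conflict with create_tx/push.
        let mut slot = self.find_incomplete_tx(hdr);
        if slot.is_none() {
            let ntx = self.create_tx(hdr);
            SCLogDebug!("new tx id {}, last tx_id {}, {} {}", ntx.id, self.tx_id, ntx.seqnum, ntx.activityuuid[0]);
            self.transactions.push(ntx);
            slot = self.transactions.last_mut();
        }
        let tx = match slot {
            Some(tx) => tx,
            // A transaction was pushed just above when none matched, so this
            // cannot happen; fail closed rather than panic on network input.
            None => return false,
        };

        // NOTE(review): stub data accumulates per transaction until a final
        // fragment arrives; nothing in this file bounds that growth — confirm
        // a limit is enforced elsewhere.
        match hdr.pkt_type {
            DCERPC_TYPE_REQUEST => {
                tx.stub_data_buffer_ts.extend_from_slice(input);
                tx.frag_cnt_ts += 1;
                if done {
                    tx.req_done = true;
                }
                true
            }
            DCERPC_TYPE_RESPONSE => {
                tx.stub_data_buffer_tc.extend_from_slice(input);
                tx.frag_cnt_tc += 1;
                if done {
                    tx.resp_done = true;
                }
                true
            }
            // Excluded by the check at the top of the function.
            _ => false,
        }
    }

    /// Parses one UDP datagram: validates the fixed-size header and hands the
    /// stub data (bounded by the header's `fraglen`) to `handle_fragment_data`.
    ///
    /// Returns `AppLayerResult::ok()` on success, and `AppLayerResult::err()`
    /// when the datagram is shorter than `DCERPC_UDP_HDR_LEN`, the header does
    /// not parse, `rpc_vers` is not 4, fewer than `fraglen` bytes follow the
    /// header, or the packet type is not request/response.
    pub fn handle_input_data(&mut self, input: &[u8]) -> AppLayerResult {
        // Compare as usize: casting the length to i32 would wrap on huge inputs.
        if input.len() < DCERPC_UDP_HDR_LEN as usize {
            return AppLayerResult::err();
        }

        let (leftover_bytes, header) = match parser::parse_dcerpc_udp_header(input) {
            Ok((rem, hdr)) => (rem, hdr),
            Err(nom::Err::Incomplete(_)) => {
                // Insufficient data.
                SCLogDebug!("Insufficient data while parsing DCERPC request");
                return AppLayerResult::err();
            }
            Err(_) => {
                // Error, probably malformed data.
                SCLogDebug!("An error occurred while parsing DCERPC request");
                return AppLayerResult::err();
            }
        };

        if header.rpc_vers != 4 {
            SCLogDebug!("DCERPC UDP Header did not validate.");
            return AppLayerResult::err();
        }
        let fraglen = header.fraglen as usize;
        if leftover_bytes.len() < fraglen {
            SCLogDebug!("Insufficient data: leftover_bytes {}, fraglen {}", leftover_bytes.len(), header.fraglen);
            return AppLayerResult::err();
        }
        // Only `fraglen` bytes are stub data; any trailing bytes are not inspected.
        if !self.handle_fragment_data(&header, &leftover_bytes[..fraglen]) {
            return AppLayerResult::err();
        }
        AppLayerResult::ok()
    }
}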
/// C entry point: feeds one UDP payload to the state's parser.
///
/// A null or empty buffer yields `AppLayerResult::err()`; otherwise the
/// result of `DCERPCUDPState::handle_input_data` is returned.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_parse(
    _flow: *mut core::Flow, state: &mut DCERPCUDPState, _pstate: *mut std::os::raw::c_void,
    input: *const u8, input_len: u32, _data: *mut std::os::raw::c_void, _flags: u8,
) -> AppLayerResult {
    if input.is_null() || input_len == 0 {
        return AppLayerResult::err();
    }
    let payload = build_slice!(input, input_len as usize);
    state.handle_input_data(payload)
}
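/// Frees a state previously returned by `rs_dcerpc_udp_state_new`.
///
/// `state` must be that pointer, or null (which is ignored); ownership is
/// taken back here, so the caller must not use it afterwards.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_free(state: *mut std::os::raw::c_void) {
    // A null pointer reinterpreted as a Box is undefined behaviour; ignore it.
    if state.is_null() {
        return;
    }
    // SAFETY: a non-null `state` is the Box handed out by
    // rs_dcerpc_udp_state_new; it is dropped at the end of this scope.
    let _drop: Box<DCERPCUDPState> = unsafe { transmute(state) };
}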
/// C entry point: allocates a fresh `DCERPCUDPState` and returns it as an
/// opaque pointer, to be released with `rs_dcerpc_udp_state_free`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: core::AppProto) -> *mut std::os::raw::c_void {
    let boxed = Box::new(DCERPCUDPState::new());
    Box::into_raw(boxed) as *mut std::os::raw::c_void
}
/// C entry point: drops the transaction with id `tx_id` from `state`
/// (see `DCERPCUDPState::free_tx`; unknown ids are ignored).
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_transaction_free(
    state: *mut std::os::raw::c_void, tx_id: u64,
) {
    let udp_state = cast_pointer!(state, DCERPCUDPState);
    SCLogDebug!("freeing tx {}", tx_id);
    udp_state.free_tx(tx_id);
}
/// C entry point: returns the detect-engine state attached to transaction
/// `vtx`, or null when none has been set.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx_detect_state(
    vtx: *mut std::os::raw::c_void,
) -> *mut core::DetectEngineState {
    let tx = cast_pointer!(vtx, DCERPCTransaction);
    tx.de_state.unwrap_or(std::ptr::null_mut())
}
/// C entry point: attaches `de_state` to transaction `vtx`. Always returns 0.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_set_tx_detect_state(
    vtx: *mut std::os::raw::c_void, de_state: *mut core::DetectEngineState,
) -> u8 {
    let tx = cast_pointer!(vtx, DCERPCTransaction);
    tx.de_state = Some(de_state);
    0
}
/// C entry point: returns a pointer to the `tx_data` of transaction `tx`.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx_data(
    tx: *mut std::os::raw::c_void)
    -> *mut AppLayerTxData
{
    let dce_tx = cast_pointer!(tx, DCERPCTransaction);
    &mut dce_tx.tx_data
}
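/// C entry point: returns a pointer to the transaction with id `tx_id`, or
/// null when the state does not track such a transaction.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx(
    state: *mut std::os::raw::c_void, tx_id: u64,
) -> *mut DCERPCTransaction {
    let dce_state = cast_pointer!(state, DCERPCUDPState);
    match dce_state.get_tx(tx_id) {
        // A `&mut T` casts to `*mut T` directly; no unsafe reborrow is needed.
        Some(tx) => tx as *mut DCERPCTransaction,
        None => std::ptr::null_mut(),
    }
}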
/// C entry point: returns the number of transactions created so far on this
/// state (its `tx_id` counter, which is the next id to be assigned).
/// Note that `vtx` is the state pointer, not a transaction.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx_cnt(vtx: *mut std::os::raw::c_void) -> u64 {
    let udp_state = cast_pointer!(vtx, DCERPCUDPState);
    udp_state.tx_id
}
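/// Probe input to see if it looks like DCERPC.
///
/// Returns `(is_dcerpc, is_request)`: `is_dcerpc` when the connectionless
/// header parses and carries `rpc_vers` 4, `is_request` when its packet type
/// is a request. Both are `false` when the header does not parse.
///
/// NOTE(review): beyond whatever the parser itself rejects, the only content
/// check here is the version byte, so the probe is permissive; the state's
/// `handle_input_data` re-validates the header and `fraglen` afterwards.
fn probe(input: &[u8]) -> (bool, bool) {
    match parser::parse_dcerpc_udp_header(input) {
        // Use the shared constant rather than a bare 0x00 for the request type.
        Ok((_, hdr)) => (hdr.rpc_vers == 0x04, hdr.pkt_type == DCERPC_TYPE_REQUEST),
        Err(_) => (false, false),
    }
}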
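/// C entry point for protocol detection on a UDP payload.
///
/// Returns `core::ALPROTO_UNKNOWN` for an empty or null buffer, `1` when the
/// payload looks like DCERPC (writing the detected direction into `rdir` when
/// it differs from `direction` and `rdir` is non-null), and `0` otherwise.
#[no_mangle]
pub extern "C" fn rs_dcerpc_probe_udp(direction: u8, input: *const u8,
                                      len: u32, rdir: *mut u8) -> i32
{
    SCLogDebug!("Probing the packet for DCERPC/UDP");
    // from_raw_parts on a null pointer is undefined behaviour, so reject it
    // together with the empty case.
    if len == 0 || input.is_null() {
        return core::ALPROTO_UNKNOWN;
    }
    // SAFETY: the caller guarantees `input` points to `len` readable bytes
    // that outlive this call; null and zero length were rejected above.
    let slice: &[u8] = unsafe { std::slice::from_raw_parts(input, len as usize) };
    //is_incomplete is checked by caller
    let (is_dcerpc, is_request) = probe(slice);
    if !is_dcerpc {
        return 0;
    }
    let dir = if is_request {
        core::STREAM_TOSERVER
    } else {
        core::STREAM_TOCLIENT
    };
    if (direction & (core::STREAM_TOSERVER | core::STREAM_TOCLIENT)) != dir && !rdir.is_null() {
        // SAFETY: `rdir` is non-null and, per the C contract, points to a writable u8.
        unsafe { *rdir = dir };
    }
    1
}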
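#[cfg(test)]
mod tests {
    use crate::applayer::AppLayerResult;
    use crate::dcerpc::dcerpc_udp::{probe, DCERPCUDPState, DCERPC_UDP_HDR_LEN};
    use crate::dcerpc::parser;

    /// The first 32 bytes of a request PDU: shorter than the 80-byte header.
    const TRUNCATED_HDR: &[u8] = &[
        0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
        0x1c, 0x7d, 0xcf, 0x11,
    ];

    /// A complete 80-byte connectionless request header with no stub data.
    const REQUEST_HDR: &[u8] = &[
        0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
        0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x86, 0xc2,
        0x37, 0x67, 0xf7, 0x1e, 0xd1, 0x11, 0xbc, 0xd9, 0x00, 0x60, 0x97, 0x92, 0xd2, 0x6c,
        0x79, 0xbe, 0x01, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xff, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, 0x00, 0x0a, 0x00,
    ];

    #[test]
    fn test_process_header_udp_incomplete_hdr() {
        assert!(parser::parse_dcerpc_udp_header(TRUNCATED_HDR).is_err());
    }

    #[test]
    fn test_process_header_udp_perfect_hdr() {
        let (rem, header) = parser::parse_dcerpc_udp_header(REQUEST_HDR)
            .unwrap_or_else(|_| panic!("80-byte header must parse"));
        assert_eq!(4, header.rpc_vers);
        assert_eq!(80, REQUEST_HDR.len() - rem.len());
    }

    #[test]
    fn test_handle_fragment_data_udp_no_body() {
        let (rem, header) = parser::parse_dcerpc_udp_header(REQUEST_HDR)
            .unwrap_or_else(|_| panic!("80-byte header must parse"));
        assert_eq!(4, header.rpc_vers);
        assert_eq!(80, REQUEST_HDR.len() - rem.len());
        assert_eq!(0, rem.len());
    }

    #[test]
    fn test_handle_input_data_udp_short_input() {
        // Shorter than DCERPC_UDP_HDR_LEN: rejected before the parser runs,
        // and no transaction is created.
        assert!(TRUNCATED_HDR.len() < DCERPC_UDP_HDR_LEN as usize);
        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(
            AppLayerResult::err(),
            dcerpcudp_state.handle_input_data(TRUNCATED_HDR)
        );
        assert!(dcerpcudp_state.transactions.is_empty());
        assert_eq!(0, dcerpcudp_state.tx_id);
    }

    #[test]
    fn test_probe_udp() {
        // rpc_vers 4 and a request packet type: DCERPC, to-server.
        assert_eq!((true, true), probe(REQUEST_HDR));
        // A truncated header does not parse, so it is not DCERPC.
        assert_eq!((false, false), probe(TRUNCATED_HDR));
    }

    #[test]
    fn test_handle_input_data_udp_full_body() {
        // 80-byte header with fraglen 0x0570 (1392) followed by exactly that
        // much stub data.
        let request: &[u8] = &[
            0x04, 0x00, 0x2c, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3f, 0x98,
            0xf0, 0x5c, 0xd9, 0x63, 0xcc, 0x46, 0xc2, 0x74, 0x51, 0x6c, 0x8a, 0x53, 0x7d, 0x6f,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
            0xff, 0xff, 0xff, 0xff, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, 0xcc, 0x45,
            0x64, 0x49, 0xb0, 0x70, 0xdd, 0xae, 0x74, 0x2c, 0x96, 0xd2, 0x60, 0x5e, 0x0d, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x7c, 0x5e, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
            0x80, 0x96, 0xf1, 0xf1, 0x2a, 0x4d, 0xce, 0x11, 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e,
            0x72, 0xf4, 0x0c, 0x00, 0x00, 0x00, 0x4d, 0x41, 0x52, 0x42, 0x01, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0xa8, 0xf4,
            0x0b, 0x00, 0x10, 0x09, 0x00, 0x00, 0x10, 0x09, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x08,
            0x00, 0x00, 0xd8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
            0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0xd8, 0x08,
            0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
            0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, 0x64, 0x29, 0xcd, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
            0xa6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0xad, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00,
            0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
            0x20, 0x00, 0x00, 0x00, 0x28, 0x06, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00,
            0x4f, 0xb6, 0x88, 0x20, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00,
            0x66, 0x00, 0x06, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x19, 0x0c, 0x00,
            0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x70, 0xd8,
            0x98, 0x93, 0x98, 0x4f, 0xd2, 0x11, 0xa9, 0x3d, 0xbe, 0x57, 0xb2, 0x00, 0x00, 0x00,
            0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00,
            0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, 0x80, 0x0e, 0xe9, 0x4a,
            0x99, 0x99, 0xf1, 0x8a, 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc,
            0xcc, 0xcc, 0x30, 0x00, 0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xd8, 0xda, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x2f,
            0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00, 0x58, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x10, 0x00, 0x00, 0x00,
            0x30, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
            0x68, 0x00, 0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, 0x68, 0x8b, 0x0b, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x9d, 0x13, 0x00, 0x01, 0xcc, 0xe0, 0xfd, 0x7f,
            0xcc, 0xe0, 0xfd, 0x7f, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90,
        ];
        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(
            AppLayerResult::ok(),
            dcerpcudp_state.handle_input_data(request)
        );
        // One transaction was created for the datagram and its whole stub
        // data (fraglen bytes) landed in the to-server buffer.
        assert_eq!(1, dcerpcudp_state.transactions.len());
        assert_eq!(1, dcerpcudp_state.tx_id);
        assert_eq!(
            1392,
            dcerpcudp_state.transactions[0].stub_data_buffer_ts.len()
        );
    }
}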