rust: Add DCERPC parser
1/* Copyright (C) 2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18use std::mem::transmute;
19
20use crate::applayer::AppLayerResult;
21use crate::core;
22use crate::dcerpc::dcerpc::{
23 DCERPCRequest, DCERPCResponse, DCERPCUuidEntry, DCERPC_TYPE_REQUEST, DCERPC_TYPE_RESPONSE,
24 PFC_FIRST_FRAG,
25};
26use crate::dcerpc::parser;
27use crate::log::*;
28use std::cmp;
29
/// Length in bytes of the fixed DCERPC UDP header.
///
/// `DCERPCUDPState::handle_input_data` rejects any input shorter than this.
/// It is typed `i32` so it compares directly with the signed byte counters
/// used in that function.
pub const DCERPC_UDP_HDR_LEN: i32 = 80;
32
/// Header of a DCERPC-over-UDP PDU as stored in `DCERPCUDPState::header`.
///
/// Every field is taken from the wire and is therefore untrusted. This file
/// only interprets the fields commented below; the others are stored as
/// parsed.
#[derive(Debug)]
pub struct DCERPCHdrUdp {
    // `process_header` rejects any value other than 4.
    pub rpc_vers: u8,
    // Compared with DCERPC_TYPE_REQUEST / DCERPC_TYPE_RESPONSE to choose
    // between the request and the response buffer.
    pub pkt_type: u8,
    // Tested against PFC_FIRST_FRAG when stub data is buffered.
    pub flags1: u8,
    pub flags2: u8,
    pub drep: Vec<u8>,
    pub serial_hi: u8,
    pub objectuuid: Vec<u8>,
    pub interfaceuuid: Vec<u8>,
    // Copied into a `DCERPCUuidEntry` on `DCERPCUDPState::uuid_list`.
    pub activityuuid: Vec<u8>,
    pub server_boot: u32,
    pub if_vers: u32,
    pub seqnum: u32,
    pub opnum: u16,
    pub ihint: u16,
    pub ahint: u16,
    // Copied into `DCERPCUDPState::fraglenleft`; caps how many stub bytes
    // are buffered for this PDU.
    pub fraglen: u16,
    pub fragnum: u16,
    pub auth_proto: u8,
    pub serial_lo: u8,
}
55
/// Parser state for DCERPC over UDP.
///
/// The C side holds it as an opaque pointer created by
/// `rs_dcerpc_udp_state_new` and released by `rs_dcerpc_udp_state_free`.
#[derive(Debug)]
pub struct DCERPCUDPState {
    // Header of the most recently accepted PDU (set by `process_header`).
    pub header: Option<DCERPCHdrUdp>,
    // Replaced with a fresh value by `create_new_query` for request PDUs.
    pub request: Option<DCERPCRequest>,
    // Replaced with a fresh value by `create_new_query` for response PDUs.
    pub response: Option<DCERPCResponse>,
    // Bytes of the current fragment that have not been buffered yet.
    pub fraglenleft: u16,
    // Initialised to `None`; nothing in this file assigns it afterwards.
    pub uuid_entry: Option<DCERPCUuidEntry>,
    // One entry is appended per accepted header; nothing in this file
    // removes entries.
    pub uuid_list: Vec<DCERPCUuidEntry>,
    // Raw pointer stored by `rs_dcerpc_udp_set_tx_detect_state`. This file
    // never dereferences or frees it.
    // NOTE(review): ownership of the pointee is not visible here; confirm
    // who releases it.
    pub de_state: Option<*mut core::DetectEngineState>,
}
66
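impl DCERPCUDPState {
    /// Creates an empty state: no header, no request or response, no UUIDs
    /// and no detect-engine state.
    pub fn new() -> DCERPCUDPState {
        DCERPCUDPState {
            header: None,
            request: None,
            response: None,
            fraglenleft: 0,
            uuid_entry: None,
            uuid_list: Vec::new(),
            de_state: None,
        }
    }

    /// Replaces any stored request with a fresh `DCERPCRequest`.
    fn new_request(&mut self) {
        self.request = Some(DCERPCRequest::new());
    }

    /// Replaces any stored response with a fresh `DCERPCResponse`.
    fn new_response(&mut self) {
        self.response = Some(DCERPCResponse::new());
    }

    /// Starts a new request or response depending on `pkt_type`.
    ///
    /// Any other packet type is logged at debug level and leaves the state
    /// untouched.
    fn create_new_query(&mut self, pkt_type: u8) {
        match pkt_type {
            DCERPC_TYPE_REQUEST => self.new_request(),
            DCERPC_TYPE_RESPONSE => self.new_response(),
            _ => {
                SCLogDebug!("Unrecognized packet type");
            }
        }
    }

    /// Returns the packet type of the stored header, or `None` when no
    /// header has been parsed (not expected; see the validation macro).
    fn get_hdr_pkt_type(&self) -> Option<u8> {
        debug_validate_bug_on!(self.header.is_none());
        self.header.as_ref().map(|hdr| hdr.pkt_type)
    }

    /// Returns the `flags1` byte of the stored header, or `None` when no
    /// header has been parsed (not expected; see the validation macro).
    fn get_hdr_flags1(&self) -> Option<u8> {
        debug_validate_bug_on!(self.header.is_none());
        self.header.as_ref().map(|hdr| hdr.flags1)
    }

    /// Returns the fragment length of the stored header, or `None` when no
    /// header has been parsed (not expected; see the validation macro).
    pub fn get_hdr_fraglen(&self) -> Option<u16> {
        debug_validate_bug_on!(self.header.is_none());
        self.header.as_ref().map(|hdr| hdr.fraglen)
    }

    /// Buffers stub data from `input` into the current request or response.
    ///
    /// `input_len` is the number of bytes the caller wants consumed from
    /// `input`. Returns how many bytes were buffered, which is also
    /// subtracted from `self.fraglenleft`. Returns 0 when the packet type
    /// is neither request nor response, or when the matching request or
    /// response has not been created.
    pub fn handle_fragment_data(&mut self, input: &[u8], input_len: u16) -> u16 {
        let mut retval: u16 = 0;
        // A missing header falls back to 0 for both the flags and the type.
        let hdrflags1 = self.get_hdr_flags1().unwrap_or(0);
        let fraglenleft = self.fraglenleft;

        // Update the stub params based on the packet type
        match self.get_hdr_pkt_type().unwrap_or(0) {
            DCERPC_TYPE_REQUEST => {
                if let Some(ref mut req) = self.request {
                    retval = evaluate_stub_params(
                        input,
                        input_len,
                        hdrflags1,
                        fraglenleft,
                        &mut req.stub_data_buffer,
                        &mut req.stub_data_buffer_len,
                    );
                }
            }
            DCERPC_TYPE_RESPONSE => {
                if let Some(ref mut resp) = self.response {
                    retval = evaluate_stub_params(
                        input,
                        input_len,
                        hdrflags1,
                        fraglenleft,
                        &mut resp.stub_data_buffer,
                        &mut resp.stub_data_buffer_len,
                    );
                }
            }
            _ => {
                SCLogDebug!("Unrecognized packet type");
                return 0;
            }
        }
        // Update the remaining fragment length. evaluate_stub_params never
        // returns more than `fraglenleft`; the saturating form keeps the
        // counter from underflowing should that ever change.
        self.fraglenleft = self.fraglenleft.saturating_sub(retval);

        retval
    }

    /// Parses the UDP header at the start of `input` and stores it.
    ///
    /// Returns the number of bytes consumed by the header, or -1 when the
    /// data is incomplete, malformed, or carries an RPC version other
    /// than 4. On success the header's activity UUID is appended to
    /// `self.uuid_list`.
    pub fn process_header(&mut self, input: &[u8]) -> i32 {
        match parser::parse_dcerpc_udp_header(input) {
            Ok((leftover_bytes, header)) => {
                if header.rpc_vers != 4 {
                    SCLogDebug!("DCERPC UDP Header did not validate.");
                    return -1;
                }
                // NOTE(review): one entry is pushed per accepted datagram and
                // nothing in this file removes entries, so the list grows
                // for as long as the state lives. Confirm a bound exists.
                let mut uuidentry = DCERPCUuidEntry::new();
                uuidentry.uuid = header.activityuuid.to_vec();
                self.uuid_list.push(uuidentry);
                self.header = Some(header);
                (input.len() - leftover_bytes.len()) as i32
            }
            Err(nom::Err::Incomplete(_)) => {
                // Insufficient data.
                SCLogDebug!("Insufficient data while parsing DCERPC request");
                -1
            }
            Err(_) => {
                // Error, probably malformed data.
                SCLogDebug!("An error occurred while parsing DCERPC request");
                -1
            }
        }
    }

    /// Parses one datagram: the header first, then the stub data after it.
    ///
    /// Returns `AppLayerResult::err()` when `input` is shorter than
    /// `DCERPC_UDP_HDR_LEN` or the header is rejected, and
    /// `AppLayerResult::ok()` otherwise, including when buffering the body
    /// stopped early.
    pub fn handle_input_data(&mut self, input: &[u8]) -> AppLayerResult {
        // Input length should at least be header length
        if (input.len() as i32) < DCERPC_UDP_HDR_LEN {
            return AppLayerResult::err();
        }
        // Call header parser first
        let mut parsed = self.process_header(input);
        if parsed == -1 {
            return AppLayerResult::err();
        }

        let mut input_left = input.len() as i32 - parsed;
        let pkt_type = self.get_hdr_pkt_type().unwrap_or(0);
        let fraglen = self.get_hdr_fraglen().unwrap_or(0);
        self.fraglenleft = fraglen;
        self.create_new_query(pkt_type);
        // Parse rest of the body
        // NOTE(review): `parsed` counts the header bytes as well, so a PDU
        // whose fraglen does not exceed `parsed` is never buffered here.
        // Confirm this is the intended comparison.
        while parsed >= DCERPC_UDP_HDR_LEN && parsed < fraglen as i32 && input_left > 0 {
            // handle_fragment_data takes a u16 length. Clamp rather than
            // truncate, so a remainder above 65535 is not reduced modulo
            // 65536 (65536 itself used to become 0 and end as an error).
            let chunk_len = cmp::min(input_left, i32::from(std::u16::MAX)) as u16;
            let retval = self.handle_fragment_data(&input[parsed as usize..], chunk_len);
            if retval > 0 && retval <= chunk_len {
                parsed += i32::from(retval);
                input_left -= i32::from(retval);
            } else {
                // `input_left > 0` is guaranteed by the loop condition.
                // Zeroing it ends the loop on the next check.
                SCLogDebug!("Error parsing DCERPC UDP Fragment Data");
                parsed -= input_left;
                input_left = 0;
            }
        }
        AppLayerResult::ok()
    }
}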
230
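/// Appends the next chunk of stub data from `input` to `stub_data_buffer`.
///
/// The chunk length is the smallest of `lenleft` (bytes still expected for
/// the fragment), `input_len` (bytes the caller offers), the real length of
/// `input`, and the room left before `stub_data_buffer_len` would exceed
/// `u16::MAX`. Returns the number of bytes appended, which may be 0.
///
/// When `hdrflags` has `PFC_FIRST_FRAG` set, the buffer and its length are
/// reset before appending, so bytes of an earlier PDU never stay in front
/// of the new stub data.
fn evaluate_stub_params(
    input: &[u8],
    input_len: u16,
    hdrflags: u8,
    lenleft: u16,
    stub_data_buffer: &mut Vec<u8>,
    stub_data_buffer_len: &mut u16,
) -> u16 {
    let wanted = cmp::min(lenleft, input_len);
    if wanted == 0 {
        return 0;
    }
    // If the UDP frag is the first frag, irrespective of it being a part of
    // a multi frag PDU or not, it indicates the previous PDU's stub would
    // have been buffered and processed and we can use the buffer to hold
    // frags from a fresh request/response. Clear the bytes together with
    // the length so the two cannot disagree.
    if hdrflags & PFC_FIRST_FRAG > 0 {
        stub_data_buffer.clear();
        *stub_data_buffer_len = 0;
    }

    // `input_len` is supplied by the caller and may exceed the slice; never
    // slice past the bytes that are really there.
    let available = cmp::min(input.len(), usize::from(std::u16::MAX)) as u16;
    // Keep the u16 length counter from overflowing.
    let room = std::u16::MAX - *stub_data_buffer_len;
    let stub_len = cmp::min(wanted, cmp::min(available, room));
    if stub_len == 0 {
        return 0;
    }

    stub_data_buffer.extend_from_slice(&input[..usize::from(stub_len)]);
    *stub_data_buffer_len += stub_len;

    stub_len
}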
258
/// C entry point: feeds one buffer of `input_len` bytes to the parser state.
///
/// Returns `AppLayerResult::err()` for a null or empty buffer; otherwise
/// the result of `DCERPCUDPState::handle_input_data`.
///
/// `state` arrives as a Rust reference, so the C caller must pass a valid,
/// non-null pointer obtained from `rs_dcerpc_udp_state_new`, and `input`
/// must be readable for `input_len` bytes.
// NOTE(review): build_slice! is defined elsewhere; presumably it builds the
// slice from the raw pointer and length without further checks. Confirm.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_parse(
    _flow: *mut core::Flow,
    state: &mut DCERPCUDPState,
    _pstate: *mut std::os::raw::c_void,
    input: *const u8,
    input_len: u32,
    _data: *mut std::os::raw::c_void,
    _flags: u8,
) -> AppLayerResult {
    // Guard clause: nothing to parse.
    if input_len == 0 || input.is_null() {
        return AppLayerResult::err();
    }
    let payload = build_slice!(input, input_len as usize);
    state.handle_input_data(payload)
}
275
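/// C entry point: releases a state created by `rs_dcerpc_udp_state_new`.
///
/// A null `state` is ignored. Any other pointer must come from
/// `rs_dcerpc_udp_state_new` and must not be used or freed again afterwards.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_free(state: *mut std::os::raw::c_void) {
    // Turning a null pointer into a Box is undefined behaviour, so bail out.
    if state.is_null() {
        return;
    }
    // SAFETY: per the contract above, `state` is the pointer produced from a
    // `Box<DCERPCUDPState>` in `rs_dcerpc_udp_state_new` and is released
    // exactly once, here.
    drop(unsafe { Box::from_raw(state as *mut DCERPCUDPState) });
}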
280
/// C entry point: allocates a fresh `DCERPCUDPState` on the heap and returns
/// it as an opaque pointer.
///
/// # Safety
///
/// The returned pointer owns the allocation. It must be handed back to
/// `rs_dcerpc_udp_state_free` exactly once.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_state_new() -> *mut std::os::raw::c_void {
    // The Box is reinterpreted as a raw pointer, so it is not dropped here.
    transmute(Box::new(DCERPCUDPState::new()))
}
287
/// C entry point for freeing a single transaction.
///
/// Both arguments are ignored and nothing is released.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_transaction_free(
    _state: *mut std::os::raw::c_void,
    _tx_id: u64,
) {
    // Intentionally empty.
}
295
/// C entry point: returns the detect-engine state pointer stored on the
/// state, or null when none has been set.
///
/// `vtx` is cast to `DCERPCUDPState`, so it must be a valid pointer
/// obtained from `rs_dcerpc_udp_state_new`.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx_detect_state(
    vtx: *mut std::os::raw::c_void,
) -> *mut core::DetectEngineState {
    let tx = cast_pointer!(vtx, DCERPCUDPState);
    tx.de_state.unwrap_or(std::ptr::null_mut())
}
306
/// C entry point: stores `de_state` on the state and returns 0.
///
/// `vtx` is cast to `DCERPCUDPState`, so it must be a valid pointer
/// obtained from `rs_dcerpc_udp_state_new`. The pointer is stored as given,
/// including when it is null.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_set_tx_detect_state(
    vtx: *mut std::os::raw::c_void,
    de_state: *mut core::DetectEngineState,
) -> u8 {
    let tx = cast_pointer!(vtx, DCERPCUDPState);
    tx.de_state = Some(de_state);
    0
}
316
/// C entry point: returns the transaction for `_tx_id`.
///
/// The id is ignored. The state itself is returned, cast to
/// `DCERPCUDPState`, so `state` must be a valid pointer obtained from
/// `rs_dcerpc_udp_state_new`.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx(
    state: *mut std::os::raw::c_void,
    _tx_id: u64,
) -> *mut DCERPCUDPState {
    let tx = cast_pointer!(state, DCERPCUDPState);
    tx
}
325
/// C entry point: reports the transaction count, which is always 1.
///
/// The state pointer is ignored.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_tx_cnt(_state: *mut std::os::raw::c_void) -> u8 {
    const TX_COUNT: u8 = 1;
    TX_COUNT
}
330
/// C entry point: reports the progress of a transaction, which is always 0.
///
/// Both arguments are ignored.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_alstate_progress(
    _tx: *mut std::os::raw::c_void,
    _direction: u8,
) -> u8 {
    const PROGRESS: u8 = 0;
    PROGRESS
}
338
/// C entry point: reports the progress value that marks a transaction as
/// complete, which is always 1.
///
/// The direction is ignored.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_get_alstate_progress_completion_status(_direction: u8) -> u8 {
    const COMPLETE: u8 = 1;
    COMPLETE
}
343
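#[cfg(test)]
mod tests {
    use crate::applayer::AppLayerResult;
    use crate::dcerpc::dcerpc_udp::DCERPCUDPState;

    /// A 32-byte input is too short to hold the header and must be rejected.
    #[test]
    fn test_process_header_udp_incomplete_hdr() {
        let request: &[u8] = &[
            0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
            0x1c, 0x7d, 0xcf, 0x11,
        ];

        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(-1, dcerpcudp_state.process_header(request));
    }

    /// An input holding exactly one 80-byte header is consumed in full.
    #[test]
    fn test_process_header_udp_perfect_hdr() {
        let request: &[u8] = &[
            0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
            0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x86, 0xc2,
            0x37, 0x67, 0xf7, 0x1e, 0xd1, 0x11, 0xbc, 0xd9, 0x00, 0x60, 0x97, 0x92, 0xd2, 0x6c,
            0x79, 0xbe, 0x01, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xff, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, 0x00, 0x0a, 0x00,
        ];
        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(80, dcerpcudp_state.process_header(request));
    }

    /// With no header parsed and no request created, nothing is buffered.
    #[test]
    fn test_handle_fragment_data_udp_no_body() {
        let request: &[u8] = &[
            0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
            0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x86, 0xc2,
            0x37, 0x67, 0xf7, 0x1e, 0xd1, 0x11, 0xbc, 0xd9, 0x00, 0x60, 0x97, 0x92, 0xd2, 0x6c,
            0x79, 0xbe, 0x01, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xff, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, 0x00, 0x0a, 0x00,
        ];
        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(
            0,
            dcerpcudp_state.handle_fragment_data(request, request.len() as u16)
        );
    }

    /// An 80-byte header followed by 1392 bytes of stub data is buffered in
    /// full and leaves no fragment bytes outstanding.
    #[test]
    fn test_handle_input_data_udp_full_body() {
        let request: &[u8] = &[
            0x04, 0x00, 0x2c, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3f, 0x98,
            0xf0, 0x5c, 0xd9, 0x63, 0xcc, 0x46, 0xc2, 0x74, 0x51, 0x6c, 0x8a, 0x53, 0x7d, 0x6f,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
            0xff, 0xff, 0xff, 0xff, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, 0xcc, 0x45,
            0x64, 0x49, 0xb0, 0x70, 0xdd, 0xae, 0x74, 0x2c, 0x96, 0xd2, 0x60, 0x5e, 0x0d, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x7c, 0x5e, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
            0x80, 0x96, 0xf1, 0xf1, 0x2a, 0x4d, 0xce, 0x11, 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e,
            0x72, 0xf4, 0x0c, 0x00, 0x00, 0x00, 0x4d, 0x41, 0x52, 0x42, 0x01, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0xa8, 0xf4,
            0x0b, 0x00, 0x10, 0x09, 0x00, 0x00, 0x10, 0x09, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x08,
            0x00, 0x00, 0xd8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
            0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0xd8, 0x08,
            0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
            0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, 0x64, 0x29, 0xcd, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
            0xa6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0xad, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00,
            0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
            0x20, 0x00, 0x00, 0x00, 0x28, 0x06, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00,
            0x4f, 0xb6, 0x88, 0x20, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00,
            0x66, 0x00, 0x06, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x19, 0x0c, 0x00,
            0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x70, 0xd8,
            0x98, 0x93, 0x98, 0x4f, 0xd2, 0x11, 0xa9, 0x3d, 0xbe, 0x57, 0xb2, 0x00, 0x00, 0x00,
            0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00,
            0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, 0x80, 0x0e, 0xe9, 0x4a,
            0x99, 0x99, 0xf1, 0x8a, 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc,
            0xcc, 0xcc, 0x30, 0x00, 0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xd8, 0xda, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x2f,
            0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00, 0x58, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x10, 0x00, 0x00, 0x00,
            0x30, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
            0x68, 0x00, 0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, 0x68, 0x8b, 0x0b, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x9d, 0x13, 0x00, 0x01, 0xcc, 0xe0, 0xfd, 0x7f,
            0xcc, 0xe0, 0xfd, 0x7f, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
            0x90, 0x90,
        ];
        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(
            AppLayerResult::ok(),
            dcerpcudp_state.handle_input_data(request)
        );
        assert_eq!(0, dcerpcudp_state.fraglenleft);
        // Fail loudly when no request was created; an `if let` here would
        // skip the length checks without failing the test.
        let req = dcerpcudp_state
            .request
            .expect("a request should have been created for this PDU");
        assert_eq!(1392, req.stub_data_buffer_len);
        // The recorded length and the buffered bytes must agree.
        assert_eq!(1392, req.stub_data_buffer.len());
    }
}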