1 | /* Copyright (C) 2020 Open Information Security Foundation |
2 | * | |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
581cb622 | 18 | use crate::applayer::*; |
a866499b | 19 | use crate::core::{self, Direction, DIR_BOTH}; |
8036202c | 20 | use crate::dcerpc::dcerpc::{ |
ba781265 | 21 | DCERPCTransaction, DCERPC_TYPE_REQUEST, DCERPC_TYPE_RESPONSE, PFCL1_FRAG, PFCL1_LASTFRAG, |
581cb622 | 22 | rs_dcerpc_get_alstate_progress, ALPROTO_DCERPC, PARSER_NAME, |
8036202c | 23 | }; |
24 | use std; |
25 | use std::ffi::CString; | |
8036202c | 26 | use crate::dcerpc::parser; |
27 | |
/// Fixed size in bytes of the DCERPC/UDP header that precedes any fragment
/// data; `DCERPCUDPState::handle_input_data` rejects shorter input.
pub const DCERPC_UDP_HDR_LEN: i32 = 80;
30 | ||
/// Parsed DCERPC/UDP header, as produced by `parser::parse_dcerpc_udp_header`.
#[derive(Default, Debug)]
pub struct DCERPCHdrUdp {
    /// Protocol version; only version 4 is accepted by `handle_input_data`.
    pub rpc_vers: u8,
    /// PDU type, compared against `DCERPC_TYPE_REQUEST` / `DCERPC_TYPE_RESPONSE`.
    pub pkt_type: u8,
    /// Fragment flags; `PFCL1_FRAG` and `PFCL1_LASTFRAG` decide when a PDU is complete.
    pub flags1: u8,
    pub flags2: u8,
    /// Data-representation bytes; bit 0x10 of `drep[0]` is stored as the
    /// transaction endianness.
    pub drep: Vec<u8>,
    pub serial_hi: u8,
    pub objectuuid: Vec<u8>,
    pub interfaceuuid: Vec<u8>,
    /// Together with `seqnum`, identifies the transaction a fragment belongs to.
    pub activityuuid: Vec<u8>,
    pub server_boot: u32,
    pub if_vers: u32,
    /// Together with `activityuuid`, identifies the transaction a fragment belongs to.
    pub seqnum: u32,
    pub opnum: u16,
    pub ihint: u16,
    pub ahint: u16,
    /// Number of fragment (stub) data bytes that follow the header.
    pub fraglen: u16,
    pub fragnum: u16,
    pub auth_proto: u8,
    pub serial_lo: u8,
}
53 | ||
/// DCERPC/UDP parser state: the transactions not yet freed and the counter
/// used to number them.
#[derive(Default, Debug)]
pub struct DCERPCUDPState {
    /// Id the next transaction will receive; also reported to the C side as
    /// the transaction count by `rs_dcerpc_udp_get_tx_cnt`.
    pub tx_id: u64,
    /// Transactions not yet removed by `free_tx`, in creation order.
    pub transactions: Vec<DCERPCTransaction>,
}
59 | ||
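impl DCERPCUDPState {
    /// Creates an empty state: no transactions, `tx_id` starting at 0.
    pub fn new() -> Self {
        Default::default()
    }

    /// Builds a new transaction for the PDU described by `hdr`, giving it the
    /// next id and bumping the counter. The caller pushes the returned
    /// transaction into `self.transactions`.
    fn create_tx(&mut self, hdr: &DCERPCHdrUdp) -> DCERPCTransaction {
        let mut tx = DCERPCTransaction::new();
        tx.id = self.tx_id;
        // Only the byte-order bit (0x10) of the first data-representation byte
        // is kept. `first()` avoids a panic should the parser ever yield an
        // empty `drep`; that case simply reads as 0.
        tx.endianness = hdr.drep.first().map_or(0, |b| b & 0x10);
        tx.activityuuid = hdr.activityuuid.to_vec();
        tx.seqnum = hdr.seqnum;
        self.tx_id += 1;
        tx
    }

    /// Removes the transaction with id `tx_id`, if present. Ids are assigned
    /// once and never reused (see `create_tx`), so at most one entry matches;
    /// an unknown id is a no-op.
    pub fn free_tx(&mut self, tx_id: u64) {
        SCLogDebug!("Freeing TX with ID {} TX.ID {}", tx_id, tx_id+1);
        if let Some(index) = self.transactions.iter().position(|tx| tx.id == tx_id) {
            SCLogDebug!("freeing TX with ID {} TX.ID {} at index {} left: {} max id: {}",
                        tx_id, tx_id+1, index, self.transactions.len(), self.tx_id);
            self.transactions.remove(index);
        }
    }

    /// Looks up a transaction by the internal id handed out in `create_tx`.
    /// This is the id the C app-layer code passes back when it asks for a
    /// transaction, so ids must stay stable for the life of the transaction.
    ///
    /// Returns a mutable reference to the matching transaction, or `None`.
    pub fn get_tx(&mut self, tx_id: u64) -> Option<&mut DCERPCTransaction> {
        self.transactions.iter_mut().find(|tx| tx.id == tx_id)
    }

    /// Finds the transaction a fragment with header `hdr` continues: same
    /// `seqnum` and `activityuuid`, and the direction implied by
    /// `hdr.pkt_type` not yet complete. Any other packet type matches nothing.
    fn find_incomplete_tx(&mut self, hdr: &DCERPCHdrUdp) -> Option<&mut DCERPCTransaction> {
        self.transactions.iter_mut().find(|tx| {
            let direction_open = match hdr.pkt_type {
                DCERPC_TYPE_REQUEST => !tx.req_done,
                DCERPC_TYPE_RESPONSE => !tx.resp_done,
                _ => false,
            };
            direction_open && tx.seqnum == hdr.seqnum && tx.activityuuid == hdr.activityuuid
        })
    }

    /// Appends one fragment of stub data to the transaction it belongs to,
    /// creating that transaction when none is open for this
    /// (`seqnum`, `activityuuid`) pair.
    ///
    /// Returns `false` only when `hdr.pkt_type` is neither a request nor a
    /// response; such PDUs are dropped. `input` is the fragment data already
    /// cut to `hdr.fraglen` bytes by `handle_input_data`. No cap on the number
    /// of open transactions is enforced here; removal is driven by `free_tx`.
    pub fn handle_fragment_data(&mut self, hdr: &DCERPCHdrUdp, input: &[u8]) -> bool {
        let is_request = match hdr.pkt_type {
            DCERPC_TYPE_REQUEST => true,
            DCERPC_TYPE_RESPONSE => false,
            _ => {
                SCLogDebug!("Unrecognized packet type");
                return false;
            }
        };
        // A PDU is complete when it is not fragmented at all, or when this is
        // its last fragment.
        let done = (hdr.flags1 & PFCL1_FRAG) == 0 || (hdr.flags1 & PFCL1_LASTFRAG) != 0;

        let mut otx = self.find_incomplete_tx(hdr);
        if otx.is_none() {
            let ntx = self.create_tx(hdr);
            SCLogDebug!("new tx id {}, last tx_id {}, {} {:?}", ntx.id, self.tx_id, ntx.seqnum, ntx.activityuuid);
            self.transactions.push(ntx);
            otx = self.transactions.last_mut();
        }
        let tx = match otx {
            Some(tx) => tx,
            // `last_mut()` on a just-pushed Vec is always `Some`; kept as a
            // plain failure return rather than a panic path.
            None => return false,
        };

        if is_request {
            tx.stub_data_buffer_ts.extend_from_slice(input);
            tx.frag_cnt_ts += 1;
            tx.req_done |= done;
        } else {
            tx.stub_data_buffer_tc.extend_from_slice(input);
            tx.frag_cnt_tc += 1;
            tx.resp_done |= done;
        }
        true
    }

    /// Parses one UDP datagram: validates the header, then hands exactly
    /// `fraglen` bytes of fragment data to `handle_fragment_data`.
    ///
    /// Returns `AppLayerResult::err()` when the datagram is shorter than the
    /// header, the header does not parse or is not version 4, fewer than
    /// `fraglen` bytes follow the header, or the PDU type is unsupported;
    /// `AppLayerResult::ok()` otherwise. Bytes beyond `fraglen` are ignored.
    pub fn handle_input_data(&mut self, input: &[u8]) -> AppLayerResult {
        // Compare in usize instead of casting the length to i32, which would
        // wrap for very large inputs; the header length is a small positive constant.
        if input.len() < DCERPC_UDP_HDR_LEN as usize {
            return AppLayerResult::err();
        }

        let (leftover_bytes, header) = match parser::parse_dcerpc_udp_header(input) {
            Ok(parsed) => parsed,
            Err(nom::Err::Incomplete(_)) => {
                // Insufficient data.
                SCLogDebug!("Insufficient data while parsing DCERPC request");
                return AppLayerResult::err();
            }
            Err(_) => {
                // Error, probably malformed data.
                SCLogDebug!("An error occurred while parsing DCERPC request");
                return AppLayerResult::err();
            }
        };

        if header.rpc_vers != 4 {
            SCLogDebug!("DCERPC UDP Header did not validate.");
            return AppLayerResult::err();
        }
        let fraglen = header.fraglen as usize;
        if leftover_bytes.len() < fraglen {
            SCLogDebug!("Insufficient data: leftover_bytes {}, fraglen {}", leftover_bytes.len(), header.fraglen);
            return AppLayerResult::err();
        }
        if !self.handle_fragment_data(&header, &leftover_bytes[..fraglen]) {
            return AppLayerResult::err();
        }
        AppLayerResult::ok()
    }
}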
206 | ||
/// C entry point used for both directions: feeds one datagram to
/// `DCERPCUDPState::handle_input_data`.
///
/// Returns `AppLayerResult::err()` for a null or zero-length input buffer.
///
/// # Safety
/// `state` must point to a live `DCERPCUDPState`, and `input` must be valid
/// for `input_len` bytes unless it is null or `input_len` is 0.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_parse(
    _flow: *const core::Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
    input: *const u8, input_len: u32, _data: *const std::os::raw::c_void, _flags: u8,
) -> AppLayerResult {
    if input_len == 0 || input.is_null() {
        return AppLayerResult::err();
    }
    let dce_state = cast_pointer!(state, DCERPCUDPState);
    let datagram = build_slice!(input, input_len as usize);
    dce_state.handle_input_data(datagram)
}
219 | ||
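/// Frees a state allocated by `rs_dcerpc_udp_state_new`.
///
/// A null `state` is ignored: `Box::from_raw` on a null pointer is undefined
/// behaviour, and the C caller's guarantee is not visible from here.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_free(state: *mut std::os::raw::c_void) {
    if state.is_null() {
        return;
    }
    // SAFETY: `state` was produced by `Box::into_raw` in `rs_dcerpc_udp_state_new`
    // and ownership is handed back here exactly once.
    std::mem::drop(unsafe { Box::from_raw(state as *mut DCERPCUDPState) });
}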
224 | ||
/// Allocates a fresh `DCERPCUDPState` and hands ownership to the C side as an
/// opaque pointer; release it with `rs_dcerpc_udp_state_free`.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: core::AppProto) -> *mut std::os::raw::c_void {
    let boxed_state = Box::new(DCERPCUDPState::new());
    Box::into_raw(boxed_state) as *mut std::os::raw::c_void
}
231 | ||
/// C entry point: removes the transaction with id `tx_id` from `state`.
///
/// # Safety
/// `state` must point to a live `DCERPCUDPState`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_state_transaction_free(
    state: *mut std::os::raw::c_void, tx_id: u64,
) {
    SCLogDebug!("freeing tx {}", tx_id);
    let dce_state = cast_pointer!(state, DCERPCUDPState);
    dce_state.free_tx(tx_id);
}
240 | ||
/// Returns a pointer to the `AppLayerTxData` embedded in the transaction.
///
/// # Safety
/// `tx` must point to a live `DCERPCTransaction`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_get_tx_data(
    tx: *mut std::os::raw::c_void)
    -> *mut AppLayerTxData
{
    let transaction = cast_pointer!(tx, DCERPCTransaction);
    &mut transaction.tx_data
}
249 | ||
/// Returns a pointer to the transaction with id `tx_id`, or null when the
/// state holds no such transaction.
///
/// # Safety
/// `state` must point to a live `DCERPCUDPState`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_get_tx(
    state: *mut std::os::raw::c_void, tx_id: u64,
) -> *mut std::os::raw::c_void {
    let dce_state = cast_pointer!(state, DCERPCUDPState);
    dce_state
        .get_tx(tx_id)
        .map_or(std::ptr::null_mut(), |tx| {
            tx as *mut DCERPCTransaction as *mut std::os::raw::c_void
        })
}
264 | ||
/// Returns `tx_id`, the number of transactions created so far, which the C
/// side uses as the transaction count (`get_tx_count` in the parser table).
///
/// # Safety
/// Despite its name, `vtx` must point to a live `DCERPCUDPState`, not to a
/// transaction.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_get_tx_cnt(vtx: *mut std::os::raw::c_void) -> u64 {
    let state = cast_pointer!(vtx, DCERPCUDPState);
    state.tx_id
}
270 | ||
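/// Probe input to see if it looks like DCERPC.
///
/// Returns `(is_dcerpc, is_request)`. Both are `false` when the header does
/// not parse; `is_request` is independent of `is_dcerpc` and is simply
/// `pkt_type == 0`.
fn probe(input: &[u8]) -> (bool, bool) {
    let hdr = match parser::parse_dcerpc_udp_header(input) {
        Ok((_, hdr)) => hdr,
        Err(_) => return (false, false),
    };
    // Checked lookups: a `drep` shorter than two bytes fails the probe instead
    // of panicking on untrusted input.
    let drep_ok = match (hdr.drep.first(), hdr.drep.get(1)) {
        (Some(&d0), Some(&d1)) => (d0 & 0xee) == 0 && d1 <= 3,
        _ => false,
    };
    let is_dcerpc = hdr.rpc_vers == 0x04 && (hdr.flags2 & 0xfc) == 0 && drep_ok;
    let is_request = hdr.pkt_type == 0x00;
    (is_dcerpc, is_request)
}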
285 | ||
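/// Protocol-detection probe for DCERPC/UDP, installed as the pattern-match
/// callback by `register_pattern_probe`.
///
/// Returns `ALPROTO_UNKNOWN` when there is nothing to inspect, `ALPROTO_DCERPC`
/// when the header probes as DCERPC (writing the corrected direction to
/// `*rdir` if the PDU type contradicts the observed one), and `ALPROTO_FAILED`
/// otherwise.
///
/// # Safety
/// `input` must be valid for `len` bytes when non-null; `rdir` must be null or
/// point to a writable `u8`.
pub unsafe extern "C" fn rs_dcerpc_probe_udp(_f: *const core::Flow, direction: u8, input: *const u8,
                                             len: u32, rdir: *mut u8) -> core::AppProto
{
    SCLogDebug!("Probing the packet for DCERPC/UDP");
    // A null buffer is treated like an empty one: `from_raw_parts` requires a
    // non-null pointer even for a zero-length slice.
    if len == 0 || input.is_null() {
        return core::ALPROTO_UNKNOWN;
    }
    let slice: &[u8] = std::slice::from_raw_parts(input, len as usize);
    //is_incomplete is checked by caller
    let (is_dcerpc, is_request) = probe(slice);
    if !is_dcerpc {
        return core::ALPROTO_FAILED;
    }
    // A request travels to the server and a response to the client; when the
    // observed direction disagrees, report the corrected one through `rdir`.
    let expected = if is_request { Direction::ToServer } else { Direction::ToClient };
    let dir: Direction = (direction & DIR_BOTH).into();
    if dir != expected && !rdir.is_null() {
        *rdir = expected.into();
    }
    ALPROTO_DCERPC
}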
311 | ||
/// Registers the two-byte `|04 00|` header prefix as a to-server detection
/// pattern, with `rs_dcerpc_probe_udp` as the confirming probe.
///
/// Returns 0 on success and -1 when the C registration call failed.
fn register_pattern_probe() -> i8 {
    let rc = unsafe {
        AppLayerProtoDetectPMRegisterPatternCSwPP(core::IPPROTO_UDP as u8, ALPROTO_DCERPC,
            b"|04 00|\0".as_ptr() as *const std::os::raw::c_char, 2, 0,
            Direction::ToServer.into(), rs_dcerpc_probe_udp, 0, 0)
    };
    if rc < 0 {
        SCLogDebug!("TOSERVER => AppLayerProtoDetectPMRegisterPatternCSwPP FAILED");
        return -1;
    }
    0
}
323 | ||
/// Registers the DCERPC/UDP protocol detector and, if enabled, the parser with
/// the C app-layer framework. Does nothing when detection is disabled in the
/// configuration; gives up after detection if the pattern probe fails to register.
///
/// # Safety
/// Calls into the C registration API and writes the global `ALPROTO_DCERPC`;
/// presumably invoked once during start-up.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_register_parser() {
    let parser = RustParser {
        name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
        default_port: std::ptr::null(),
        ipproto: core::IPPROTO_UDP,
        probe_ts: None,
        probe_tc: None,
        min_depth: 0,
        max_depth: 16,
        state_new: rs_dcerpc_udp_state_new,
        state_free: rs_dcerpc_udp_state_free,
        tx_free: rs_dcerpc_udp_state_transaction_free,
        parse_ts: rs_dcerpc_udp_parse,
        parse_tc: rs_dcerpc_udp_parse,
        get_tx_count: rs_dcerpc_udp_get_tx_cnt,
        get_tx: rs_dcerpc_udp_get_tx,
        tx_comp_st_ts: 1,
        tx_comp_st_tc: 1,
        tx_get_progress: rs_dcerpc_get_alstate_progress,
        get_eventinfo: None,
        get_eventinfo_byid: None,
        localstorage_new: None,
        localstorage_free: None,
        get_files: None,
        get_tx_iterator: None,
        get_tx_data: rs_dcerpc_udp_get_tx_data,
        apply_tx_config: None,
        flags: APP_LAYER_PARSER_OPT_UNIDIR_TXS,
        truncate: None,
    };

    // A literal without an interior NUL byte cannot fail to convert.
    let ip_proto_str = CString::new("udp").expect("literal contains no NUL byte");
    if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) == 0 {
        SCLogDebug!("Protocol detecter and parser disabled for DCERPC/UDP.");
        return;
    }

    let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
    ALPROTO_DCERPC = alproto;
    if register_pattern_probe() < 0 {
        return;
    }
    if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
        let _ = AppLayerRegisterParser(&parser, alproto);
    }
}
370 | ||
371 | ||
#[cfg(test)]
mod tests {
    use crate::applayer::AppLayerResult;
    use crate::dcerpc::dcerpc_udp::DCERPCUDPState;
    use crate::dcerpc::parser;

    /// A complete 80-byte version-4 request header with no stub data.
    const FULL_HDR: &[u8] = &[
        0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
        0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x86, 0xc2,
        0x37, 0x67, 0xf7, 0x1e, 0xd1, 0x11, 0xbc, 0xd9, 0x00, 0x60, 0x97, 0x92, 0xd2, 0x6c,
        0x79, 0xbe, 0x01, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xff, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, 0x00, 0x0a, 0x00,
    ];

    /// Only the first 32 bytes of a header must be rejected by the header parser.
    #[test]
    fn test_process_header_udp_incomplete_hdr() {
        let truncated = &FULL_HDR[..32];
        assert!(parser::parse_dcerpc_udp_header(truncated).is_err());
    }

    /// A full header parses as version 4 and consumes exactly 80 bytes.
    #[test]
    fn test_process_header_udp_perfect_hdr() {
        match parser::parse_dcerpc_udp_header(FULL_HDR) {
            Ok((rem, header)) => {
                assert_eq!(4, header.rpc_vers);
                assert_eq!(80, FULL_HDR.len() - rem.len());
            }
            Err(_) => panic!("complete header must parse"),
        }
    }

    /// A header-only datagram leaves no bytes for fragment data.
    #[test]
    fn test_handle_fragment_data_udp_no_body() {
        match parser::parse_dcerpc_udp_header(FULL_HDR) {
            Ok((rem, header)) => {
                assert_eq!(4, header.rpc_vers);
                assert_eq!(80, FULL_HDR.len() - rem.len());
                assert!(rem.is_empty());
            }
            Err(_) => panic!("complete header must parse"),
        }
    }

    /// A request carrying a full 1392-byte stub (fraglen 0x0570, little-endian,
    /// at header bytes 74-75) is accepted and buffered on the to-server side.
    #[test]
    fn test_handle_input_data_udp_full_body() {
        let mut request: Vec<u8> = vec![
            0x04, 0x00, 0x2c, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3f, 0x98,
            0xf0, 0x5c, 0xd9, 0x63, 0xcc, 0x46, 0xc2, 0x74, 0x51, 0x6c, 0x8a, 0x53, 0x7d, 0x6f,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
            0xff, 0xff, 0xff, 0xff, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, 0xcc, 0x45,
            0x64, 0x49, 0xb0, 0x70, 0xdd, 0xae, 0x74, 0x2c, 0x96, 0xd2, 0x60, 0x5e, 0x0d, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x7c, 0x5e, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
            0x80, 0x96, 0xf1, 0xf1, 0x2a, 0x4d, 0xce, 0x11, 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e,
            0x72, 0xf4, 0x0c, 0x00, 0x00, 0x00, 0x4d, 0x41, 0x52, 0x42, 0x01, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0xa8, 0xf4,
            0x0b, 0x00, 0x10, 0x09, 0x00, 0x00, 0x10, 0x09, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x08,
            0x00, 0x00, 0xd8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
            0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0xd8, 0x08,
            0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
            0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, 0x64, 0x29, 0xcd, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
            0xa6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0xad, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00,
            0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
            0x20, 0x00, 0x00, 0x00, 0x28, 0x06, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00,
            0x4f, 0xb6, 0x88, 0x20, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00,
            0x66, 0x00, 0x06, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x19, 0x0c, 0x00,
            0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x70, 0xd8,
            0x98, 0x93, 0x98, 0x4f, 0xd2, 0x11, 0xa9, 0x3d, 0xbe, 0x57, 0xb2, 0x00, 0x00, 0x00,
            0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00,
            0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, 0x80, 0x0e, 0xe9, 0x4a,
            0x99, 0x99, 0xf1, 0x8a, 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc,
            0xcc, 0xcc, 0x30, 0x00, 0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xd8, 0xda, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x2f,
            0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00, 0x58, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x10, 0x00, 0x00, 0x00,
            0x30, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
            0x68, 0x00, 0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, 0x68, 0x8b, 0x0b, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x9d, 0x13, 0x00, 0x01, 0xcc, 0xe0, 0xfd, 0x7f,
            0xcc, 0xe0, 0xfd, 0x7f,
        ];
        // The stub data ends with 488 bytes of 0x90 filler, bringing the
        // datagram to 80 header bytes + 1392 stub bytes.
        request.extend(std::iter::repeat(0x90u8).take(488));

        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(
            AppLayerResult::ok(),
            dcerpcudp_state.handle_input_data(&request)
        );
        assert_eq!(
            1392,
            dcerpcudp_state.transactions[0].stub_data_buffer_ts.len()
        );
    }
}