1/* Copyright (C) 2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
581cb622 18use crate::applayer::*;
a866499b 19use crate::core::{self, Direction, DIR_BOTH};
8036202c 20use crate::dcerpc::dcerpc::{
ba781265 21 DCERPCTransaction, DCERPC_TYPE_REQUEST, DCERPC_TYPE_RESPONSE, PFCL1_FRAG, PFCL1_LASTFRAG,
581cb622 22 rs_dcerpc_get_alstate_progress, ALPROTO_DCERPC, PARSER_NAME,
8036202c 23};
24use std;
25use std::ffi::CString;
8036202c 26use crate::dcerpc::parser;
27
/// Size in bytes of the fixed DCERPC connectionless (UDP) PDU header.
///
/// `handle_input_data` rejects datagrams shorter than this before handing
/// them to the header parser, and the unit tests below check that the parser
/// consumes exactly this many bytes. Declared as `i32`; convert with
/// `as usize` when comparing against slice lengths.
pub const DCERPC_UDP_HDR_LEN: i32 = 80;

/// Parsed DCERPC connectionless (UDP) PDU header.
///
/// Produced by `parser::parse_dcerpc_udp_header` (defined elsewhere); the
/// tests in this file assert that a successful parse consumes
/// `DCERPC_UDP_HDR_LEN` bytes. The `Vec<u8>` fields hold raw header bytes
/// whose widths are fixed by that parser — `create_tx` and `probe` index
/// `drep[0]` / `drep[1]` directly, so they rely on `drep` never being shorter
/// than two bytes (assumption: not verifiable from this file).
#[derive(Default, Debug)]
pub struct DCERPCHdrUdp {
    /// RPC protocol version; this module only accepts 4.
    pub rpc_vers: u8,
    /// PDU type; only `DCERPC_TYPE_REQUEST` and `DCERPC_TYPE_RESPONSE` are
    /// turned into transaction data here.
    pub pkt_type: u8,
    /// First flags byte; carries the `PFCL1_FRAG` / `PFCL1_LASTFRAG`
    /// fragmentation bits consulted by `handle_fragment_data`.
    pub flags1: u8,
    /// Second flags byte; `probe` requires the bits in 0xfc to be clear.
    pub flags2: u8,
    /// Data-representation bytes; bit 0x10 of `drep[0]` is recorded as the
    /// transaction's endianness.
    pub drep: Vec<u8>,
    pub serial_hi: u8,
    /// Raw object UUID bytes (not used by this module).
    pub objectuuid: Vec<u8>,
    /// Raw interface UUID bytes (not used by this module).
    pub interfaceuuid: Vec<u8>,
    /// Raw activity UUID bytes; together with `seqnum` identifies the
    /// transaction a fragment belongs to.
    pub activityuuid: Vec<u8>,
    pub server_boot: u32,
    pub if_vers: u32,
    /// Sequence number; together with `activityuuid` identifies the
    /// transaction a fragment belongs to.
    pub seqnum: u32,
    pub opnum: u16,
    pub ihint: u16,
    pub ahint: u16,
    /// Length of the fragment body that follows the header; bounds the
    /// slice passed to `handle_fragment_data`.
    pub fraglen: u16,
    /// Fragment number; not currently checked for ordering or duplicates.
    pub fragnum: u16,
    pub auth_proto: u8,
    pub serial_lo: u8,
}

/// Per-flow parser state for DCERPC over UDP.
#[derive(Default, Debug)]
pub struct DCERPCUDPState {
    /// Next transaction id to hand out. Monotonic and never reused; it is
    /// also what `rs_dcerpc_udp_get_tx_cnt` reports to the C side.
    pub tx_id: u64,
    /// Live transactions in creation order. Entries leave only through
    /// `free_tx`; nothing in this file caps the vector's length.
    pub transactions: Vec<DCERPCTransaction>,
}

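impl DCERPCUDPState {
    /// Create an empty state: no transactions, next transaction id 0.
    pub fn new() -> Self {
        Default::default()
    }

    /// Build a fresh transaction keyed by the activity UUID and sequence
    /// number of `hdr`, consuming one id from the counter. The caller is
    /// responsible for pushing it onto `self.transactions`.
    fn create_tx(&mut self, hdr: &DCERPCHdrUdp) -> DCERPCTransaction {
        let mut tx = DCERPCTransaction::new();
        tx.id = self.tx_id;
        // Bit 0x10 of the first data-representation byte carries the byte
        // order. `drep` comes from the header parser, which is assumed to
        // always yield at least one byte here; an empty vector would panic.
        tx.endianness = hdr.drep[0] & 0x10;
        tx.activityuuid = hdr.activityuuid.to_vec();
        tx.seqnum = hdr.seqnum;
        self.tx_id += 1;
        tx
    }

    /// Drop the transaction with id `tx_id`, if it is still tracked.
    ///
    /// Called from the C app-layer once the engine is done with a
    /// transaction; an unknown id is a no-op.
    pub fn free_tx(&mut self, tx_id: u64) {
        SCLogDebug!("Freeing TX with ID {} TX.ID {}", tx_id, tx_id+1);
        let index = match self.transactions.iter().position(|tx| tx.id == tx_id) {
            Some(index) => index,
            None => return,
        };
        SCLogDebug!("tx {} progress {}/{}", self.transactions[index].id,
                    self.transactions[index].req_done, self.transactions[index].resp_done);
        SCLogDebug!("freeing TX with ID {} TX.ID {} at index {} left: {} max id: {}",
                    tx_id, tx_id+1, index, self.transactions.len(), self.tx_id);
        self.transactions.remove(index);
    }

    /// Look up a transaction by the id handed out in `create_tx`.
    ///
    /// The C app-layer addresses transactions by this id, so it has to stay
    /// stable for the transaction's lifetime (it does: ids are never reused).
    ///
    /// Arguments:
    /// * `tx_id`: internal transaction id
    ///
    /// Return value:
    /// Option mutable reference to DCERPCTransaction
    pub fn get_tx(&mut self, tx_id: u64) -> Option<&mut DCERPCTransaction> {
        self.transactions.iter_mut().find(|tx| tx.id == tx_id)
    }

    /// Find the transaction the fragment described by `hdr` belongs to:
    /// same activity UUID and sequence number, and the side selected by
    /// `pkt_type` (request or response) not yet marked complete.
    fn find_incomplete_tx(&mut self, hdr: &DCERPCHdrUdp) -> Option<&mut DCERPCTransaction> {
        let last_id = self.tx_id;
        let found = self.transactions.iter_mut().find(|tx| {
            tx.seqnum == hdr.seqnum
                && tx.activityuuid == hdr.activityuuid
                && match hdr.pkt_type {
                    DCERPC_TYPE_REQUEST => !tx.req_done,
                    DCERPC_TYPE_RESPONSE => !tx.resp_done,
                    _ => false,
                }
        });
        if let Some(tx) = &found {
            SCLogDebug!("found tx id {}, last tx_id {}, {} {}", tx.id, last_id, tx.seqnum, tx.activityuuid[0]);
        }
        found
    }

    /// Append one fragment's stub data to its transaction, creating the
    /// transaction if this is the first fragment seen for that
    /// (activity UUID, seqnum, direction). Returns `false` only for PDU types
    /// other than request/response, which are ignored.
    ///
    /// NOTE(review): nothing bounds `stub_data_buffer_*` or the number of
    /// tracked transactions. A peer that keeps sending `PFCL1_FRAG` fragments
    /// without ever setting `PFCL1_LASTFRAG`, or uses a fresh seqnum per
    /// datagram, grows memory until the flow is torn down. Fragment numbers
    /// (`fragnum`) are not checked either, so duplicates are appended twice.
    pub fn handle_fragment_data(&mut self, hdr: &DCERPCHdrUdp, input: &[u8]) -> bool {
        let is_request = match hdr.pkt_type {
            DCERPC_TYPE_REQUEST => true,
            DCERPC_TYPE_RESPONSE => false,
            _ => {
                SCLogDebug!("Unrecognized packet type");
                return false;
            }
        };
        // The PDU is complete with this fragment when it is not fragmented
        // at all, or when this is the flagged last fragment.
        let done = (hdr.flags1 & PFCL1_FRAG) == 0 || (hdr.flags1 & PFCL1_LASTFRAG) != 0;

        let mut otx = self.find_incomplete_tx(hdr);
        if otx.is_none() {
            let ntx = self.create_tx(hdr);
            SCLogDebug!("new tx id {}, last tx_id {}, {} {}", ntx.id, self.tx_id, ntx.seqnum, ntx.activityuuid[0]);
            self.transactions.push(ntx);
            otx = self.transactions.last_mut();
        }
        let tx = match otx {
            Some(tx) => tx,
            // Cannot happen: a transaction was pushed just above.
            None => return false,
        };

        if is_request {
            tx.stub_data_buffer_ts.extend_from_slice(input);
            tx.frag_cnt_ts += 1;
            if done {
                tx.req_done = true;
            }
        } else {
            tx.stub_data_buffer_tc.extend_from_slice(input);
            tx.frag_cnt_tc += 1;
            if done {
                tx.resp_done = true;
            }
        }
        true
    }

    /// Parse one UDP datagram: header validation, then fragment handling.
    ///
    /// Returns `AppLayerResult::err()` when the datagram is shorter than the
    /// header, the header does not parse, `rpc_vers` is not 4, or fewer than
    /// `fraglen` bytes follow the header. Bytes beyond `fraglen` are ignored.
    pub fn handle_input_data(&mut self, input: &[u8]) -> AppLayerResult {
        // Compare as usize: the previous `input.len() as i32` cast wraps for
        // very large buffers and would let an oversized length pass the check.
        if input.len() < DCERPC_UDP_HDR_LEN as usize {
            return AppLayerResult::err();
        }

        let (leftover_bytes, header) = match parser::parse_dcerpc_udp_header(input) {
            Ok(parsed) => parsed,
            Err(nom::Err::Incomplete(_)) => {
                SCLogDebug!("Insufficient data while parsing DCERPC request");
                return AppLayerResult::err();
            }
            Err(_) => {
                SCLogDebug!("An error occurred while parsing DCERPC request");
                return AppLayerResult::err();
            }
        };

        if header.rpc_vers != 4 {
            SCLogDebug!("DCERPC UDP Header did not validate.");
            return AppLayerResult::err();
        }
        // fraglen is attacker-controlled: never slice past what we actually hold.
        let fraglen = header.fraglen as usize;
        if leftover_bytes.len() < fraglen {
            SCLogDebug!("Insufficient data: leftover_bytes {}, fraglen {}", leftover_bytes.len(), header.fraglen);
            return AppLayerResult::err();
        }
        if !self.handle_fragment_data(&header, &leftover_bytes[..fraglen]) {
            return AppLayerResult::err();
        }
        AppLayerResult::ok()
    }
}
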
/// App-layer parse entry point for both directions (`parse_ts` and
/// `parse_tc` both point here).
///
/// # Safety
/// `state` must be a pointer obtained from `rs_dcerpc_udp_state_new`, and
/// `input` must point to `input_len` readable bytes (or be null).
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_parse(
    _flow: *const core::Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
    input: *const u8, input_len: u32, _data: *const std::os::raw::c_void, _flags: u8,
) -> AppLayerResult {
    // Refuse to build a slice from a null pointer or a zero length.
    if input.is_null() || input_len == 0 {
        return AppLayerResult::err();
    }
    let state = cast_pointer!(state, DCERPCUDPState);
    let buf = build_slice!(input, input_len as usize);
    state.handle_input_data(buf)
}

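/// Release a state allocated by `rs_dcerpc_udp_state_new`.
///
/// A null pointer is ignored; passing null to `Box::from_raw` would be
/// undefined behaviour, so guard before reconstructing the box.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_free(state: *mut std::os::raw::c_void) {
    if state.is_null() {
        return;
    }
    // SAFETY: non-null `state` came from Box::into_raw in
    // rs_dcerpc_udp_state_new and is handed back exactly once by the C side.
    std::mem::drop(unsafe { Box::from_raw(state as *mut DCERPCUDPState) });
}
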
/// Allocate a fresh per-flow state and hand ownership to the C app-layer.
///
/// The returned pointer must be released with `rs_dcerpc_udp_state_free`.
/// The previous state/protocol arguments are unused by this parser.
#[no_mangle]
pub extern "C" fn rs_dcerpc_udp_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: core::AppProto) -> *mut std::os::raw::c_void {
    Box::into_raw(Box::new(DCERPCUDPState::new())) as *mut std::os::raw::c_void
}

/// C-callable wrapper around `DCERPCUDPState::free_tx`.
///
/// # Safety
/// `state` must be a valid pointer obtained from `rs_dcerpc_udp_state_new`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_state_transaction_free(
    state: *mut std::os::raw::c_void, tx_id: u64,
) {
    SCLogDebug!("freeing tx {}", tx_id as u64);
    let dce_state = cast_pointer!(state, DCERPCUDPState);
    dce_state.free_tx(tx_id);
}

/// Expose a transaction's `AppLayerTxData` to the C app-layer.
///
/// # Safety
/// `tx` must be a pointer previously returned by `rs_dcerpc_udp_get_tx`
/// for a transaction that has not been freed.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_get_tx_data(
    tx: *mut std::os::raw::c_void)
    -> *mut AppLayerTxData
{
    let tx = cast_pointer!(tx, DCERPCTransaction);
    &mut tx.tx_data as *mut AppLayerTxData
}

/// Look up a transaction by id for the C app-layer; null when not found.
///
/// # Safety
/// `state` must be a valid pointer obtained from `rs_dcerpc_udp_state_new`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_get_tx(
    state: *mut std::os::raw::c_void, tx_id: u64,
) -> *mut std::os::raw::c_void {
    let dce_state = cast_pointer!(state, DCERPCUDPState);
    dce_state
        .get_tx(tx_id)
        .map_or(std::ptr::null_mut(), |tx| {
            tx as *mut DCERPCTransaction as *mut std::os::raw::c_void
        })
}

/// Report the transaction count to the C app-layer.
///
/// Despite its name, `vtx` is the parser state. The value returned is the
/// next id to be issued, i.e. the number of transactions ever created —
/// not the number currently held in `transactions`.
///
/// # Safety
/// `vtx` must be a valid pointer obtained from `rs_dcerpc_udp_state_new`.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_get_tx_cnt(vtx: *mut std::os::raw::c_void) -> u64 {
    let dce_state = cast_pointer!(vtx, DCERPCUDPState);
    dce_state.tx_id
}

/// Header-only check used by protocol detection.
///
/// Returns `(looks_like_dcerpc, is_request)`. The first flag is set when
/// the header parses, `rpc_vers` is 4, the bits in 0xfc of `flags2` are
/// clear, only bits 0x10 and 0x01 of `drep[0]` may be set, and `drep[1]` is
/// at most 3. Both flags are false when the header does not parse.
fn probe(input: &[u8]) -> (bool, bool) {
    let hdr = match parser::parse_dcerpc_udp_header(input) {
        Ok((_, hdr)) => hdr,
        Err(_) => return (false, false),
    };
    // Packet type 0 is a request; anything else is treated as a response
    // for direction purposes.
    let is_request = hdr.pkt_type == 0x00;
    // Note: in Rust `&` binds tighter than `==`, the parentheses just make
    // that explicit.
    let is_dcerpc = hdr.rpc_vers == 0x04
        && (hdr.flags2 & 0xfc) == 0
        && (hdr.drep[0] & 0xee) == 0
        && hdr.drep[1] <= 3;
    (is_dcerpc, is_request)
}

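/// Protocol-detection probe registered by `register_pattern_probe`.
///
/// Returns `ALPROTO_UNKNOWN` for empty/null input, `ALPROTO_FAILED` when the
/// header does not look like DCERPC, and `ALPROTO_DCERPC` otherwise. When the
/// PDU type disagrees with the direction the caller guessed, the corrected
/// direction is written through `rdir` (requests are to-server, everything
/// else to-client).
///
/// # Safety
/// `input` must point to `len` readable bytes unless it is null or `len` is
/// 0; `rdir` must be writable when non-null.
pub unsafe extern "C" fn rs_dcerpc_probe_udp(_f: *const core::Flow, direction: u8, input: *const u8,
                                              len: u32, rdir: *mut u8) -> core::AppProto
{
    SCLogDebug!("Probing the packet for DCERPC/UDP");
    // Never build a slice from a null pointer, not just from a zero length.
    if len == 0 || input.is_null() {
        return core::ALPROTO_UNKNOWN;
    }
    let slice: &[u8] = std::slice::from_raw_parts(input, len as usize);
    //is_incomplete is checked by caller
    let (is_dcerpc, is_request) = probe(slice);
    if !is_dcerpc {
        return core::ALPROTO_FAILED;
    }
    let dir: Direction = (direction & DIR_BOTH).into();
    let expected = if is_request { Direction::ToServer } else { Direction::ToClient };
    // Only write the corrected direction when it differs and there is
    // somewhere to write it.
    if dir != expected && !rdir.is_null() {
        *rdir = expected.into();
    }
    ALPROTO_DCERPC
}
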
/// Register the to-server detection pattern for DCERPC/UDP.
///
/// The 2-byte pattern `04 00` (rpc_vers 4, packet type request) at depth 0
/// triggers `rs_dcerpc_probe_udp`, which validates the rest of the header.
/// Returns 0 on success and -1 if the registration call fails.
fn register_pattern_probe() -> i8 {
    let rc = unsafe {
        AppLayerProtoDetectPMRegisterPatternCSwPP(core::IPPROTO_UDP as u8, ALPROTO_DCERPC,
            b"|04 00|\0".as_ptr() as *const std::os::raw::c_char, 2, 0,
            Direction::ToServer.into(), rs_dcerpc_probe_udp, 0, 0)
    };
    if rc < 0 {
        SCLogDebug!("TOSERVER => AppLayerProtoDetectPMRegisterPatternCSwPP FAILED");
        return -1;
    }
    0
}

/// Register the DCERPC/UDP protocol detector and parser with the engine.
///
/// Registration is skipped entirely when detection is disabled in the
/// configuration; the parser is additionally gated on its own config flag.
/// No probe callbacks are given here — detection relies on the pattern
/// registered by `register_pattern_probe`.
///
/// # Safety
/// Calls into the C app-layer registration API and writes the global
/// `ALPROTO_DCERPC`; must run during single-threaded startup.
#[no_mangle]
pub unsafe extern "C" fn rs_dcerpc_udp_register_parser() {
    let parser = RustParser {
        name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
        default_port: std::ptr::null(),
        ipproto: core::IPPROTO_UDP,
        probe_ts: None,
        probe_tc: None,
        min_depth: 0,
        max_depth: 16,
        state_new: rs_dcerpc_udp_state_new,
        state_free: rs_dcerpc_udp_state_free,
        tx_free: rs_dcerpc_udp_state_transaction_free,
        parse_ts: rs_dcerpc_udp_parse,
        parse_tc: rs_dcerpc_udp_parse,
        get_tx_count: rs_dcerpc_udp_get_tx_cnt,
        get_tx: rs_dcerpc_udp_get_tx,
        tx_comp_st_ts: 1,
        tx_comp_st_tc: 1,
        tx_get_progress: rs_dcerpc_get_alstate_progress,
        get_eventinfo: None,
        get_eventinfo_byid: None,
        localstorage_new: None,
        localstorage_free: None,
        get_files: None,
        get_tx_iterator: None,
        get_tx_data: rs_dcerpc_udp_get_tx_data,
        apply_tx_config: None,
        flags: APP_LAYER_PARSER_OPT_UNIDIR_TXS,
        truncate: None,
    };

    let ip_proto_str = CString::new("udp").unwrap();
    if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) == 0 {
        SCLogDebug!("Protocol detecter and parser disabled for DCERPC/UDP.");
        return;
    }

    let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
    ALPROTO_DCERPC = alproto;
    if register_pattern_probe() < 0 {
        return;
    }
    if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
        let _ = AppLayerRegisterParser(&parser, alproto);
    }
}


#[cfg(test)]
mod tests {
    use crate::applayer::AppLayerResult;
    use crate::dcerpc::dcerpc_udp::DCERPCUDPState;
    use crate::dcerpc::parser;

    /// A complete 80-byte connectionless header (rpc_vers 4) with no body.
    const FULL_HDR: &[u8] = &[
        0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
        0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x86, 0xc2,
        0x37, 0x67, 0xf7, 0x1e, 0xd1, 0x11, 0xbc, 0xd9, 0x00, 0x60, 0x97, 0x92, 0xd2, 0x6c,
        0x79, 0xbe, 0x01, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xff, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, 0x00, 0x0a, 0x00,
    ];

    /// A truncated header (first 32 bytes only) must not parse.
    #[test]
    fn test_process_header_udp_incomplete_hdr() {
        let request: &[u8] = &[
            0x04, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
            0x1c, 0x7d, 0xcf, 0x11,
        ];
        assert!(parser::parse_dcerpc_udp_header(request).is_err());
    }

    /// A full header parses and consumes exactly 80 bytes.
    #[test]
    fn test_process_header_udp_perfect_hdr() {
        let (rem, header) = match parser::parse_dcerpc_udp_header(FULL_HDR) {
            Ok(parsed) => parsed,
            Err(_) => panic!("80-byte header should parse"),
        };
        assert_eq!(4, header.rpc_vers);
        assert_eq!(80, FULL_HDR.len() - rem.len());
    }

    /// With no body after the header nothing is left over.
    #[test]
    fn test_handle_fragment_data_udp_no_body() {
        let (rem, header) = match parser::parse_dcerpc_udp_header(FULL_HDR) {
            Ok(parsed) => parsed,
            Err(_) => panic!("80-byte header should parse"),
        };
        assert_eq!(4, header.rpc_vers);
        assert_eq!(80, FULL_HDR.len() - rem.len());
        assert!(rem.is_empty());
    }

    /// A header with fraglen 0x0570 (1392) followed by exactly that much stub
    /// data ends up in the request-side stub buffer of a single transaction.
    #[test]
    fn test_handle_input_data_udp_full_body() {
        // Header plus the first 904 stub bytes; the capture ends in 488
        // bytes of 0x90, appended below instead of being spelled out.
        let head: &[u8] = &[
            0x04, 0x00, 0x2c, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3f, 0x98,
            0xf0, 0x5c, 0xd9, 0x63, 0xcc, 0x46, 0xc2, 0x74, 0x51, 0x6c, 0x8a, 0x53, 0x7d, 0x6f,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
            0xff, 0xff, 0xff, 0xff, 0x70, 0x05, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, 0xcc, 0x45,
            0x64, 0x49, 0xb0, 0x70, 0xdd, 0xae, 0x74, 0x2c, 0x96, 0xd2, 0x60, 0x5e, 0x0d, 0x00,
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x7c, 0x5e, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
            0x80, 0x96, 0xf1, 0xf1, 0x2a, 0x4d, 0xce, 0x11, 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e,
            0x72, 0xf4, 0x0c, 0x00, 0x00, 0x00, 0x4d, 0x41, 0x52, 0x42, 0x01, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0xa8, 0xf4,
            0x0b, 0x00, 0x10, 0x09, 0x00, 0x00, 0x10, 0x09, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x08,
            0x00, 0x00, 0xd8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
            0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0xd8, 0x08,
            0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
            0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, 0x64, 0x29, 0xcd, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
            0xa6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0xad, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00,
            0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
            0x20, 0x00, 0x00, 0x00, 0x28, 0x06, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00,
            0x4f, 0xb6, 0x88, 0x20, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00,
            0x66, 0x00, 0x06, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x19, 0x0c, 0x00,
            0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x70, 0xd8,
            0x98, 0x93, 0x98, 0x4f, 0xd2, 0x11, 0xa9, 0x3d, 0xbe, 0x57, 0xb2, 0x00, 0x00, 0x00,
            0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00,
            0x00, 0x00, 0x0d, 0xf0, 0xad, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57,
            0x04, 0x00, 0x00, 0x00, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00,
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, 0x80, 0x0e, 0xe9, 0x4a,
            0x99, 0x99, 0xf1, 0x8a, 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc,
            0xcc, 0xcc, 0x30, 0x00, 0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xd8, 0xda, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x2f,
            0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00, 0x58, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x10, 0x00, 0x00, 0x00,
            0x30, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
            0x68, 0x00, 0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, 0x68, 0x8b, 0x0b, 0x00, 0x02, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0xfe, 0x02, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00,
            0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x9d, 0x13, 0x00, 0x01, 0xcc, 0xe0, 0xfd, 0x7f,
            0xcc, 0xe0, 0xfd, 0x7f,
        ];
        let mut request: Vec<u8> = head.to_vec();
        request.extend(std::iter::repeat(0x90u8).take(488));
        // 80 header bytes + 1392 stub bytes.
        assert_eq!(1472, request.len());

        let mut dcerpcudp_state = DCERPCUDPState::new();
        assert_eq!(
            AppLayerResult::ok(),
            dcerpcudp_state.handle_input_data(&request)
        );
        assert_eq!(
            1392,
            dcerpcudp_state.transactions[0].stub_data_buffer_ts.len()
        );
    }
}