suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a

Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f

1 files changed, 246 insertions, 0 deletions

diff --git a/framework/src/suricata/src/app-layer-dcerpc-common.h b/framework/src/suricata/src/app-layer-dcerpc-common.h
new file mode 100644
index 00000000..cdda5630
--- /dev/null
+++ b/framework/src/suricata/src/app-layer-dcerpc-common.h
@@ -0,0 +1,246 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Kirby Kuehl <kkuehl@gmail.com>
+ */
+
+#ifndef __APP_LAYER_DCERPC_COMMON_H__
+#define __APP_LAYER_DCERPC_COMMON_H__
+
+#include "app-layer-protos.h"
+#include "app-layer-parser.h"
+#include "flow.h"
+#include "queue.h"
+#include "util-byte.h"
+
+void RegisterDCERPCParsers(void);
+void DCERPCParserTests(void);
+void DCERPCParserRegisterTests(void);
+
+// http://www.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06
+#define REQUEST             0
+#define PING                1
+#define RESPONSE            2
+#define FAULT               3
+#define WORKING             4
+#define NOCALL              5
+#define REJECT              6
+#define ACK                 7
+#define CL_CANCEL           8
+#define FACK                9
+#define CANCEL_ACK          10
+#define BIND                11
+#define BIND_ACK            12
+#define BIND_NAK            13
+#define ALTER_CONTEXT       14
+#define ALTER_CONTEXT_RESP  15
+#define SHUTDOWN            17
+#define CO_CANCEL           18
+#define ORPHANED            19
+#if 0
+typedef struct {
+    uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/
+    uint8_t ptype;      /* Packet type (5 LSB only) */
+    uint8_t flags1;     /* Packet flags */
+    uint8_t flags2;     /* Packet flags */
+    uint8_t drep[3];    /* Data representation format label */
+    uint8_t serial_hi;  /* High byte of serial number */
+    uuid_t         object;     /* Object identifier */
+    uuid_t         if_id;      /* Interface identifier */
+    uuid_t         act_id;     /* Activity identifier */
+    unsigned long  server_boot;/* Server boot time */
+    unsigned long  if_vers;    /* Interface version */
+    unsigned long  seqnum;     /* Sequence number */
+    unsigned short opnum;      /* Operation number */
+    unsigned short ihint;      /* Interface hint */
+    unsigned short ahint;      /* Activity hint */
+    unsigned short len;        /* Length of packet body */
+    unsigned short fragnum;    /* Fragment number */
+    unsigned small auth_proto; /* Authentication protocol identifier*/
+    unsigned small serial_lo;  /* Low byte of serial number */
+} dc_rpc_cl_pkt_hdr_t;
+#endif
+
+#define RESERVED_01     0x01
+#define LASTFRAG        0x02
+#define FRAG            0x04
+#define NOFACK          0x08
+#define MAYBE           0x10
+#define IDEMPOTENT      0x20
+#define BROADCAST       0x40
+#define RESERVED_80     0x80
+
+#define CANCEL_PENDING  0x02
+#define RESERVED_04     0x04
+#define RESERVED_10     0x10
+#define RESERVED_20     0x20
+#define RESERVED_40     0x40
+#define RESERVED_80     0x80
+
+typedef struct DCERPCHdr_ {
+    uint8_t rpc_vers;       /**< 00:01 RPC version should be 5 */
+    uint8_t rpc_vers_minor; /**< 01:01 minor version */
+    uint8_t type;           /**< 02:01 packet type */
+    uint8_t pfc_flags;      /**< 03:01 flags (see PFC_... ) */
+    uint8_t packed_drep[4]; /**< 04:04 NDR data representation format label */
+    uint16_t frag_length;   /**< 08:02 total length of fragment */
+    uint16_t auth_length;   /**< 10:02 length of auth_value */
+    uint32_t call_id;       /**< 12:04 call identifier */
+} DCERPCHdr;
+
+#define DCERPC_HDR_LEN 16
+
+typedef struct DCERPCHdrUdp_ {
+    uint8_t rpc_vers;   /**< 4 RPC protocol major version (4 LSB only)*/
+    uint8_t type;       /**< Packet type (5 LSB only) */
+    uint8_t flags1;     /**< Packet flags */
+    uint8_t flags2;     /**< Packet flags */
+    uint8_t drep[3];    /**< Data representation format label */
+    uint8_t serial_hi;  /**< High byte of serial number */
+    uint8_t objectuuid[16];
+    uint8_t interfaceuuid[16];
+    uint8_t activityuuid[16];
+    uint32_t server_boot;   /**< Server boot time */
+    uint32_t if_vers;   /**< Interface version */
+    uint32_t seqnum;    /**< Sequence number */
+    uint16_t opnum;     /**< Operation number */
+    uint16_t ihint;     /**< Interface hint */
+    uint16_t ahint;     /**< Activity hint */
+    uint16_t fraglen;   /**< Length of packet body */
+    uint16_t fragnum;   /**< Fragment number */
+    uint8_t auth_proto; /**< Authentication protocol identifier*/
+    uint8_t serial_lo;  /**< Low byte of serial number */
+} DCERPCHdrUdp;
+
+#define DCERPC_UDP_HDR_LEN 80
+
+#define DCERPC_UUID_ENTRY_FLAG_FF       0x0001  /**< FIRST flag set on the packet
+                                                  that contained this uuid entry */
+
+typedef struct DCERPCUuidEntry_ {
+    uint16_t ctxid;
+    uint16_t internal_id;
+    uint16_t result;
+    uint8_t uuid[16];
+    uint16_t version;
+    uint16_t versionminor;
+    uint16_t flags;                             /**< DCERPC_UUID_ENTRY_FLAG_* flags */
+    TAILQ_ENTRY(DCERPCUuidEntry_) next;
+} DCERPCUuidEntry;
+
+typedef struct DCERPCBindBindAck_ {
+    uint8_t numctxitems;
+    uint8_t numctxitemsleft;
+    uint8_t ctxbytesprocessed;
+    uint16_t ctxid;
+    uint8_t uuid[16];
+    uint16_t version;
+    uint16_t versionminor;
+    DCERPCUuidEntry *uuid_entry;
+    TAILQ_HEAD(, DCERPCUuidEntry_) uuid_list;
+    /* the interface uuids that the server has accepted */
+    TAILQ_HEAD(, DCERPCUuidEntry_) accepted_uuid_list;
+    uint16_t uuid_internal_id;
+    uint16_t secondaryaddrlen;
+    uint16_t secondaryaddrlenleft;
+    uint16_t result;
+} DCERPCBindBindAck;
+
+typedef struct DCERPCRequest_ {
+    uint16_t ctxid;
+    uint16_t opnum;
+    /* holds the stub data for the request */
+    uint8_t *stub_data_buffer;
+    /* length of the above buffer */
+    uint32_t stub_data_buffer_len;
+    /* used by the dce preproc to indicate fresh entry in the stub data buffer */
+    uint8_t stub_data_fresh;
+    uint8_t first_request_seen;
+} DCERPCRequest;
+
+typedef struct DCERPCResponse_ {
+    /* holds the stub data for the response */
+    uint8_t *stub_data_buffer;
+    /* length of the above buffer */
+    uint32_t stub_data_buffer_len;
+    /* used by the dce preproc to indicate fresh entry in the stub data buffer */
+    uint8_t stub_data_fresh;
+} DCERPCResponse;
+
+typedef struct DCERPC_ {
+    DCERPCHdr dcerpchdr;
+    DCERPCBindBindAck dcerpcbindbindack;
+    DCERPCRequest dcerpcrequest;
+    DCERPCResponse dcerpcresponse;
+    uint16_t bytesprocessed;
+    uint8_t pad;
+    uint16_t padleft;
+    uint16_t transaction_id;
+    /* indicates if the dcerpc pdu state is in the middle of processing
+     * a fragmented pdu */
+    uint8_t pdu_fragged;
+} DCERPC;
+
+typedef struct DCERPCUDP_ {
+    DCERPCHdrUdp dcerpchdrudp;
+    DCERPCBindBindAck dcerpcbindbindack;
+    DCERPCRequest dcerpcrequest;
+    DCERPCResponse dcerpcresponse;
+    uint16_t bytesprocessed;
+    uint16_t fraglenleft;
+    uint8_t *frag_data;
+    DCERPCUuidEntry *uuid_entry;
+    TAILQ_HEAD(, uuid_entry) uuid_list;
+} DCERPCUDP;
+
+/** First fragment */
+#define PFC_FIRST_FRAG           0x01
+/** Last fragment */
+#define PFC_LAST_FRAG            0x02
+/** Cancel was pending at sender */
+#define PFC_PENDING_CANCEL       0x04
+#define PFC_RESERVED_1           0x08
+/** supports concurrent multiplexing of a single connection. */
+#define PFC_CONC_MPX             0x10
+/** only meaningful on `fault' packet; if true, guaranteed
+ *  call did not execute. */
+#define PFC_DID_NOT_EXECUTE      0x20
+/** `maybe' call semantics requested */
+#define PFC_MAYBE                0x40
+/** if true, a non-nil object UUID was specified in the handle, and
+ *  is present in the optional object field. If false, the object field
+ * is omitted. */
+#define PFC_OBJECT_UUID          0x80
+
+#define REASON_NOT_SPECIFIED            0
+#define TEMPORARY_CONGESTION            1
+#define LOCAL_LIMIT_EXCEEDED            2
+#define CALLED_PADDR_UNKNOWN            3 /* not used */
+#define PROTOCOL_VERSION_NOT_SUPPORTED  4
+#define DEFAULT_CONTEXT_NOT_SUPPORTED   5 /* not used */
+#define USER_DATA_NOT_READABLE          6 /* not used */
+#define NO_PSAP_AVAILABLE               7 /* not used */
+
+int32_t DCERPCParser(DCERPC *, uint8_t *, uint32_t);
+void hexdump(const void *buf, size_t len);
+void printUUID(char *type, DCERPCUuidEntry *uuid);
+
+#endif /* __APP_LAYER_DCERPC_COMMON_H__ */
+