decode: update icmpv6 message handling

This patch adds two new events relative to icmpv6. One for packets
using unassigned icmpv6 type. The second one for packets using
private experimentation type.

Icmpv6 type table taken from http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 314c0f9268e7daa5b34c964533105e14c17af9b9..4a20197fd5c3c9c74972878817088cbe18604fb8 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -52,11 +52,14 @@ alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-even
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; decode-event:icmpv4.ipv4_trunc_pkt; sid:2200026; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; decode-event:icmpv4.ipv4_unknown_ver; sid:2200027; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; decode-event:icmpv6.pkt_too_small; sid:2200028; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
+# uncomment the following sginature if you plan to update suricata code to support more ICMPv6 type
+#alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; decode-event:icmpv6.unknown_code; sid:2200030; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet"; decode-event:icmpv6.ipv6_trunc_pkt; sid:2200031; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version"; decode-event:icmpv6.ipv6_unknown_version; sid:2200032; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 MLD hop limit not 1"; decode-event:icmpv6.mld_message_with_invalid_hl; sid:2200102; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unassigned type"; decode-event:icmpv6.unassigned_type; sid:2200108; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 private experimentation type"; decode-event:icmpv6.experimentation_type; sid:2200109; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small"; decode-event:tcp.pkt_too_small; sid:2200033; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small"; decode-event:tcp.hlen_too_small; sid:2200034; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)
@@ -134,5 +137,5 @@ alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-eve
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)
 
-# next sid is 2200108
+# next sid is 2200110
 

diff --git a/src/decode-events.h b/src/decode-events.h
index c16d0d92d6a17f2461343501c1d2bffc996fc13d..51889387a14317bcf65b0bf3a930b88ccdfe2cae 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -58,6 +58,8 @@ enum {
     ICMPV6_IPV6_UNKNOWN_VER,        /**< unknown version in icmpv6 packet */
     ICMPV6_IPV6_TRUNC_PKT,          /**< truncated icmpv6 packet */
     ICMPV6_MLD_MESSAGE_WITH_INVALID_HL, /**< invalid MLD that doesn't have HL 1 */
+    ICMPV6_UNASSIGNED_TYPE,         /**< unsassigned ICMPv6 type */
+    ICMPV6_EXPERIMENTATION_TYPE,    /**< uprivate experimentation ICMPv6 type */
 
     /* IPV6 EVENTS */
     IPV6_PKT_TOO_SMALL,             /**< ipv6 packet smaller than minimum size */

diff --git a/src/decode-icmpv6.c b/src/decode-icmpv6.c
index 7972ea797c98af30636bb619cd2a0adf5bf0d743..a7a77b5a1967031ead38d48cffdb426f1e6ef422 100644 (file)
--- a/src/decode-icmpv6.c
+++ b/src/decode-icmpv6.c
@@ -321,9 +321,26 @@ int DecodeICMPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
             }
             break;
         default:
-            SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
-                       "implemented yet", ICMPV6_GET_TYPE(p));
-            ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
+            /* Various range taken from:
+             *   http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
+             */
+            if ((ICMPV6_GET_TYPE(p) > 4) &&  (ICMPV6_GET_TYPE(p) < 100)) {
+                ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+            } else if ((ICMPV6_GET_TYPE(p) >= 100) &&  (ICMPV6_GET_TYPE(p) < 102)) {
+                ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
+            } else  if ((ICMPV6_GET_TYPE(p) >= 102) &&  (ICMPV6_GET_TYPE(p) < 127)) {
+                ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+            } else if ((ICMPV6_GET_TYPE(p) >= 160) &&  (ICMPV6_GET_TYPE(p) < 200)) {
+                ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+            } else if ((ICMPV6_GET_TYPE(p) >= 200) &&  (ICMPV6_GET_TYPE(p) < 202)) {
+                ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
+            } else if (ICMPV6_GET_TYPE(p) >= 202) {
+                ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+            } else {
+                SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
+                        "implemented yet", ICMPV6_GET_TYPE(p));
+                ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
+            }
     }
 
     /* for a info message the header is just 4 bytes */

diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index 9d6424fbdb48f9a37cf4ed48d2421c5772240233..9ee152766ee0b1aef8299d780316366534355be1 100644 (file)
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -71,6 +71,8 @@ struct DetectEngineEvents_ {
     { "icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
     { "icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
     { "icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
+    { "icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
+    { "icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
 
     /* IPV6 EVENTS */
     { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },