alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; decode-event:icmpv4.ipv4_trunc_pkt; sid:2200026; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; decode-event:icmpv4.ipv4_unknown_ver; sid:2200027; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; decode-event:icmpv6.pkt_too_small; sid:2200028; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
+# uncomment the following sginature if you plan to update suricata code to support more ICMPv6 type
+#alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; decode-event:icmpv6.unknown_code; sid:2200030; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet"; decode-event:icmpv6.ipv6_trunc_pkt; sid:2200031; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version"; decode-event:icmpv6.ipv6_unknown_version; sid:2200032; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 MLD hop limit not 1"; decode-event:icmpv6.mld_message_with_invalid_hl; sid:2200102; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unassigned type"; decode-event:icmpv6.unassigned_type; sid:2200108; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 private experimentation type"; decode-event:icmpv6.experimentation_type; sid:2200109; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small"; decode-event:tcp.pkt_too_small; sid:2200033; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small"; decode-event:tcp.hlen_too_small; sid:2200034; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)
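Review bot: The comment added above the now-disabled sid 2200029 does not tell an operator what visibility is lost by leaving it off, and it misspells "signature". With the decoder change in this commit, `icmpv6.unknown_type` appears to be what remains for types that match none of the new ranges (the final `else` of the `default:` branch), so with the shipped rules those packets raise no alert. I would word the comment as `# icmpv6.unknown_type fires for ICMPv6 types that are neither unassigned nor experimental but are not decoded by suricata; uncomment to alert on them`.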
alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)
-# next sid is 2200108
+# next sid is 2200110
ICMPV6_IPV6_UNKNOWN_VER, /**< unknown version in icmpv6 packet */
ICMPV6_IPV6_TRUNC_PKT, /**< truncated icmpv6 packet */
ICMPV6_MLD_MESSAGE_WITH_INVALID_HL, /**< invalid MLD that doesn't have HL 1 */
+ ICMPV6_UNASSIGNED_TYPE, /**< unsassigned ICMPv6 type */
+ ICMPV6_EXPERIMENTATION_TYPE, /**< uprivate experimentation ICMPv6 type */
/* IPV6 EVENTS */
IPV6_PKT_TOO_SMALL, /**< ipv6 packet smaller than minimum size */
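Review bot: Both new Doxygen-style member comments carry typos, `unsassigned` and `uprivate`. They should read `/**< unassigned ICMPv6 type */` and `/**< private experimentation ICMPv6 type */`. The enum itself starts and ends outside the hunk.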
}
break;
default:
- SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
- "implemented yet", ICMPV6_GET_TYPE(p));
- ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
+ /* Various range taken from:
+ * http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
+ */
+ if ((ICMPV6_GET_TYPE(p) > 4) && (ICMPV6_GET_TYPE(p) < 100)) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 100) && (ICMPV6_GET_TYPE(p) < 102)) {
+ ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 102) && (ICMPV6_GET_TYPE(p) < 127)) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 160) && (ICMPV6_GET_TYPE(p) < 200)) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 200) && (ICMPV6_GET_TYPE(p) < 202)) {
+ ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
+ } else if (ICMPV6_GET_TYPE(p) >= 202) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else {
+ SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
+ "implemented yet", ICMPV6_GET_TYPE(p));
+ ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
+ }
}
/* for a info message the header is just 4 bytes */
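Review bot: The last range test, `ICMPV6_GET_TYPE(p) >= 202`, reports type 255 as unassigned although the IANA registry cited in the comment lists it as reserved, while the reserved values 0 and 127, if no earlier `case` handles them, fall into the final `else` and only set `ICMPV6_UNKNOWN_TYPE`. I would make that choice explicit in the comment, e.g. `/* 0, 127 and 255 are IANA-reserved: 255 is reported as unassigned, 0 and 127 as unknown type */`, and add the date the ranges were read, since the boundaries are a snapshot of a registry that keeps receiving assignments. Reading the type once into a local, `uint8_t type = ICMPV6_GET_TYPE(p);`, would also make the chain of comparisons easier to check against the registry. The enclosing `switch` begins outside the hunk.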
{ "icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
{ "icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
{ "icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
+ { "icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
+ { "icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
/* IPV6 EVENTS */
{ "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },