alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap"; decode-event:ipv4.frag_overlap; classtype:protocol-command-decode; sid:2200070; rev:2;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
# checksum rules
alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;)
alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)
-# next sid is 2200117
+# next sid is 2200120
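Review bot: The trailer comment jumps from `# next sid is 2200117` to `# next sid is 2200120`, yet the only rule added in this hunk is sid:2200119, so 2200117 and 2200118 are unaccounted for here. If those two sids are already taken by rules outside the visible lines, the comment is right and nothing needs to change. Otherwise the new rule should take sid:2200117 and the trailer should read `# next sid is 2200118`, so the range stays contiguous and a later addition cannot collide with a silently reserved number.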
{ "decoder.sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
/* Fragmentation reasembly events. */
- { "decoder.ipv4.frag_pkt_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
- { "decoder.ipv6.frag_pkt_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
- { "decoder.ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
- { "decoder.ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
+ {
+ "decoder.ipv4.frag_pkt_too_large",
+ IPV4_FRAG_PKT_TOO_LARGE,
+ },
+ {
+ "decoder.ipv6.frag_pkt_too_large",
+ IPV6_FRAG_PKT_TOO_LARGE,
+ },
+ {
+ "decoder.ipv4.frag_overlap",
+ IPV4_FRAG_OVERLAP,
+ },
+ {
+ "decoder.ipv6.frag_overlap",
+ IPV6_FRAG_OVERLAP,
+ },
+ {
+ "decoder.ipv6.frag_invalid_length",
+ IPV6_FRAG_INVALID_LENGTH,
+ },
/* Fragment ignored due to internal error */
{ "decoder.ipv4.frag_ignored", IPV4_FRAG_IGNORED, },
{ "decoder.ipv6.frag_ignored", IPV6_FRAG_IGNORED, },
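Review bot: The four existing fragmentation entries are reflowed into a four-line form although only `decoder.ipv6.frag_invalid_length` is new. That hides the one functional line among formatting changes and leaves this group inconsistent with the one-line entries around it (`decoder.sctp.pkt_too_small`, `decoder.ipv4.frag_ignored`). I would leave the old lines untouched and add a single entry, `{ "decoder.ipv6.frag_invalid_length", IPV6_FRAG_INVALID_LENGTH, },`. If the reflow comes from an automatic formatter, the commit message should say so. The table itself starts and ends outside the hunk.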
plen -= hdrextlen;
break;
}
+ if (p->ip6eh.fh_more_frags_set != 0 && plen % 8 != 0) {
+ // cf https://datatracker.ietf.org/doc/html/rfc2460#section-4.5
+ // each, except possibly the last ("rightmost") one,
+ // being an integer multiple of 8 octets long.
+ ENGINE_SET_EVENT(p, IPV6_FRAG_INVALID_LENGTH);
+ }
/* the rest is parsed upon reassembly */
p->flags |= PKT_IS_FRAGMENT;
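Review bot: The new check at `if (p->ip6eh.fh_more_frags_set != 0 && plen % 8 != 0)` only raises the event; the packet still falls through to `p->flags |= PKT_IS_FRAGMENT;` and is handed to reassembly. The RFC section cited in the comment has the receiver discard such a fragment, so unless the defrag code rejects it separately (not visible here), the reassembled data the engine inspects can differ from what the destination host accepts. Please either confirm that reassembly drops it or state the choice in a comment, for example `/* event only: the fragment is still passed to defrag */`. The added `//` comments also differ from the `/* ... */` style of the surrounding lines. The enclosing function starts and ends outside the hunk.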