Pull request #3980: codecs: Add IPv6 Reserved Address to GID:116 Rules

Merge in SNORT/snort3 from ~TGANESHK/snort3:ipv6_newrule to master

Squashed commit of the following:

commit af9ad67ce413fccf9514c93893abce2591e0868e
Author: THARANI DHARAN GANESHKUMAR -X (tganeshk - XORIANT CORPORATION at Cisco) <tganeshk@cisco.com>
Date:   Mon Aug 21 22:07:34 2023 +0530

    codecs: Add IPv6 Reserved Address to GID:116 Rules

diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt
index 47b2af399694b6ca28ea7dc0888a6d90638953e4..0ddc211f5a9f8a880a52337843e4bd8ec131151d 100644 (file)
--- a/doc/reference/builtin_stubs.txt
+++ b/doc/reference/builtin_stubs.txt
@@ -725,6 +725,14 @@ An ICMPv6 packet was received that was not encapsulated in IPv6.
 
 The IPv6 mobility header includes an invalid value for the payload protocol field.
 
+116:476
+
+The IPv6 packet has a reserved source address.
+
+116:477
+
+The IPv6 packet has a reserved destination address.
+
 119:1
 
 URI has percent encoding of an unreserved character. The ignore_unreserved option designates

diff --git a/src/codecs/codec_api.cc b/src/codecs/codec_api.cc
index 1a972f3b5b67ad9afe94de7d64391a2806b48f98..c2c2df7fb15b4ac287102277074c442addf108ea 100644 (file)
--- a/src/codecs/codec_api.cc
+++ b/src/codecs/codec_api.cc
@@ -29,6 +29,7 @@
 using namespace snort;
 
 extern const BaseApi* cd_ipv4[];    // static due to dependence on fpdetect
+extern const BaseApi* cd_ipv6[];    // static due to dependence on fpdetect
 extern const BaseApi* cd_hopopts[]; // static to ensure the symbols CheckIPV6HopOptions
                                     // and CheckIPv6ExtensionOrder the final executable.
 extern const BaseApi* cd_tcp[];     // static because only file that specific functions
@@ -53,7 +54,6 @@ extern const BaseApi* cd_icmp4[];
 extern const BaseApi* cd_icmp4_ip[];
 extern const BaseApi* cd_icmp6[];
 extern const BaseApi* cd_icmp6_ip[];
-extern const BaseApi* cd_ipv6[];
 extern const BaseApi* cd_igmp[];
 extern const BaseApi* cd_llc[];
 extern const BaseApi* cd_mobility[];
@@ -75,6 +75,7 @@ extern const BaseApi* cd_vxlan[];
 void load_codecs()
 {
     PluginManager::load_plugins(cd_ipv4);
+    PluginManager::load_plugins(cd_ipv6);
     PluginManager::load_plugins(cd_tcp);
     PluginManager::load_plugins(cd_hopopts);
 
@@ -97,7 +98,6 @@ void load_codecs()
     PluginManager::load_plugins(cd_icmp4_ip);
     PluginManager::load_plugins(cd_icmp6);
     PluginManager::load_plugins(cd_icmp6_ip);
-    PluginManager::load_plugins(cd_ipv6);
     PluginManager::load_plugins(cd_igmp);
     PluginManager::load_plugins(cd_llc);
     PluginManager::load_plugins(cd_mobility);

diff --git a/src/codecs/codec_module.h b/src/codecs/codec_module.h
index 8f2434d91ee4a3858fd43277602505fa81e4478b..af17bdb3a78676ca112dcc5cbca5d20b352d4ae2 100644 (file)
--- a/src/codecs/codec_module.h
+++ b/src/codecs/codec_module.h
@@ -226,6 +226,8 @@ enum CodecSid : uint32_t
     DECODE_BAD_ETHER_TYPE,
     DECODE_ICMP6_NOT_IP6,
     DECODE_MIPV6_BAD_PAYLOAD_PROTO,
+    DECODE_IPV6_SRC_RESERVED,
+    DECODE_IPV6_DST_RESERVED,
     DECODE_INDEX_MAX
 };
 

diff --git a/src/codecs/ip/CMakeLists.txt b/src/codecs/ip/CMakeLists.txt
index bd7e6a2643a8064d8876ba29fb92f86faadf2337..de8a58d8ab4af3459e0d168189dfb30c1e9c492b 100644 (file)
--- a/src/codecs/ip/CMakeLists.txt
+++ b/src/codecs/ip/CMakeLists.txt
@@ -10,7 +10,6 @@ if( STATIC_CODECS )
         cd_icmp4.cc
         cd_icmp6.cc
         cd_igmp.cc
-        cd_ipv6.cc
         cd_no_next.cc
         cd_mobility.cc
         cd_pgm.cc
@@ -30,7 +29,7 @@ else()
     add_dynamic_module(cd_icmp6 codecs cd_icmp6.cc checksum.h)
     add_dynamic_module(cd_igmp codecs cd_igmp.cc)
 #    add_dynamic_module(cd_ipv4 codecs cd_ipv4.cc checksum.h)
-    add_dynamic_module(cd_ipv6 codecs cd_ipv6.cc checksum.h)
+#    add_dynamic_module(cd_ipv6 codecs cd_ipv6.cc checksum.h)
     add_dynamic_module(cd_mobility codecs cd_mobility.cc)
     add_dynamic_module(cd_no_next codecs cd_no_next.cc)
     add_dynamic_module(cd_pgm codecs cd_pgm.cc checksum.h)
@@ -43,6 +42,7 @@ endif()
 
 add_library( ip_codecs OBJECT
     cd_ipv4.cc # Static due to its dependence on fpdetect
+    cd_ipv6.cc # Static due to its dependence on fpdetect
     cd_hop_opts.cc  #  Ensured the symbols CheckIPV6HopOptions && CheckIPv6ExtensionOrder are in the binary.
     cd_tcp.cc  # Only file to use some functions.  Must be included in binary.
     checksum.h

diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc
index 07fb79d0856a04271c15edc31e83420b5f4d49c8..1886ab9e7a1c1342fb9b13e728fa2bc1fbc8351c 100644 (file)
--- a/src/codecs/ip/cd_ipv6.cc
+++ b/src/codecs/ip/cd_ipv6.cc
@@ -29,12 +29,15 @@
 #include "framework/codec.h"
 #include "log/text_log.h"
 #include "main/snort_config.h"
+#include "parser/parse_ip.h"
+#include "sfip/sf_ipvar.h"
 
 using namespace snort;
 
 #define CD_IPV6_NAME "ipv6"
 #define CD_IPV6_HELP_STR "support for Internet protocol v6"
 #define CD_IPV6_HELP ADD_DLT(CD_IPV6_HELP_STR, DLT_IPV6)
+static sfip_var_t* ReservedIpv6 = nullptr;
 
 namespace
 {
@@ -72,6 +75,8 @@ static const RuleMap ipv6_rules[] =
     { DECODE_IP6_EXCESS_EXT_HDR, "too many IPv6 extension headers" },
     { DECODE_MIPV6_BAD_PAYLOAD_PROTO,
       "IPv6 mobility header includes an invalid value for the 'payload protocol' field" },
+    { DECODE_IPV6_SRC_RESERVED, "IPv6 packet from reserved source address" },
+    { DECODE_IPV6_DST_RESERVED, "IPv6 packet to reserved dest address" },
     { 0, nullptr }
 };
 
@@ -277,6 +282,15 @@ void Ipv6Codec::IPV6MiscTests(const DecodeData& snort, const CodecData& codec)
     {
         codec_event(codec, DECODE_IPV6_DST_ZERO);
     }
+
+    if (codec.conf->is_address_anomaly_check_enabled())
+    {
+        if (sfvar_ip_in(ReservedIpv6, ip_src))
+            codec_event(codec, DECODE_IPV6_SRC_RESERVED);
+
+        if (sfvar_ip_in(ReservedIpv6, ip_dst))
+            codec_event(codec, DECODE_IPV6_DST_RESERVED);
+    }
 }
 
 void Ipv6Codec::CheckIPV6Multicast(const ip::IP6Hdr* const ip6h, const CodecData& codec)
@@ -661,6 +675,21 @@ static Module* mod_ctor()
 static void mod_dtor(Module* m)
 { delete m; }
 
+static void ipv6_codec_ginit()
+{
+    /* Check against reserved ipv6 addresses. These are listed at:
+       https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml   */
+    ReservedIpv6 = sfip_var_from_string(
+        "[0000::/8,0100::/8,0200::/7,0400::/6,0800::/5,1000::/4,4000::/3,6000::/3,8000::/3,"
+        "a000::/3,c000::/3,e000::/4,f000::/5,f800::/6,fe00::/9]", "ipv6");
+    assert(ReservedIpv6);
+}
+
+static void ipv6_codec_gterm()
+{
+    sfvar_free(ReservedIpv6);
+}
+
 static Codec* ctor(Module*)
 { return new Ipv6Codec(); }
 
@@ -681,8 +710,8 @@ static const CodecApi ipv6_api =
         mod_ctor,
         mod_dtor,
     },
-    nullptr, // pinit
-    nullptr, // pterm
+    ipv6_codec_ginit, // pinit
+    ipv6_codec_gterm, // pterm
     nullptr, // tinit
     nullptr, // tterm
     ctor, // ctor

diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc
index 56262fc3a7e49b55e6328d99c83ebbfeb32c28e3..f296d995399c80b8de6e7917ac0c5a3aa1887865 100755 (executable)
--- a/src/service_inspectors/http_inspect/http_inspect.cc
+++ b/src/service_inspectors/http_inspect/http_inspect.cc
@@ -703,6 +703,11 @@ const uint8_t* HttpInspect::adjust_log_packet(Packet* p, uint16_t& length)
     else
         return nullptr;
 
+    // FIXIT-L IPV6 regression test fails with IPv6 anomaly check enabled and
+    // 'other_section' is NULL. Seems to be a bug in HNI. Needs investigation
+    if (!other_section)
+        return nullptr;
+    
     const Field& start_line = other_section->get_classic_buffer(id, 0, 0);
     if (start_line.length() > 0)
     {