--- /dev/null
+# IPsec app layer event rules
+#
+# SID's fall in the 2224000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed request data"; flow:to_server; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224000; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed response data"; flow:to_client; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224001; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Encryption)"; flow:to_client; app-layer-event:ikev2.weak_crypto_enc; classtype:protocol-command-decode; sid:2224002; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Auth)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224004; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224005; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no Diffie-Hellman exchange parameters"; flow:to_client; app-layer-event:ikev2.weak_crypto_nodh; classtype:protocol-command-decode; sid:2224006; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no authentication"; flow:to_client; app-layer-event:ikev2.weak_crypto_noauth; classtype:protocol-command-decode; sid:2224007; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no encryption (AH)"; flow:to_client; app-layer-event:ikev2.no_encryption; classtype:protocol-command-decode; sid:2224008; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal"; flow:to_server; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224009; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal selected"; flow:to_client; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224010; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal"; flow:to_server; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224011; rev:1;)
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal selected"; flow:to_client; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224012; rev:1;)
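Review bot: SIDs 2224004 (Auth) and 2224005 (Diffie-Hellman) both match on `app-layer-event:ikev2.weak_crypto_prf`, the same event as SID 2224003, which looks like a copy-paste slip. As written, a weak PRF would fire three alerts, two of them with misleading messages, while a weak integrity algorithm or a weak DH group would produce no alert from these rules. Each rule should key on its own event, presumably `app-layer-event:ikev2.weak_crypto_auth;` for 2224004 and `app-layer-event:ikev2.weak_crypto_dh;` for 2224005; the parser's event definitions are not part of this diff, so confirm the exact names there. A rule test against a capture that negotiates a weak DH group but a strong PRF would catch this kind of mismatch.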
# - app-layer-events.rules # available in suricata sources under rules dir
# - dnp3-events.rules # available in suricata sources under rules dir
# - ntp-events.rules # available in suricata sources under rules dir
+# - ipsec-events.rules # available in suricata sources under rules dir
classification-file: @e_sysconfdir@classification.config
reference-config-file: @e_sysconfdir@reference.config