* "ikev1.server.nonce_payload_length", "ikev1.client.nonce_payload_length": Length of the nonce payload.
* "ikev1.client.client_proposals": List of the security associations proposed to the server.
* "ikev1.vendor_ids": List of the vendor IDs observed in the communication.
+* "server_proposals": List of server proposals with parameters, if there are more than one. This is a non-standard case; this field is only present if such a situation was observed in the inspected traffic.
``sa_field_size``.
IKEv2 supports ``alg_enc``, ``alg_auth``, ``alg_prf`` and ``alg_dh``.
+If there is more than one chosen SA the event ``MultipleServerProposal`` is set. The attributes of the first SA are used for this keyword.
+
Examples::
alert ike any any -> any any (msg:"SURICATA IKE invalid proposal selected"; flow:to_client; app-layer-event:ike.invalid_proposal; classtype:protocol-command-decode; sid:2224010; rev:2;)
alert ike any any -> any any (msg:"SURICATA IKE unknown proposal"; flow:to_server; app-layer-event:ike.unknown_proposal; classtype:protocol-command-decode; sid:2224011; rev:2;)
alert ike any any -> any any (msg:"SURICATA IKE unknown proposal selected"; flow:to_client; app-layer-event:ike.unknown_proposal; classtype:protocol-command-decode; sid:2224012; rev:2;)
+alert ike any any -> any any (msg:"SURICATA IKE multiple server proposal"; flow:to_client; app-layer-event:ike.multiple_server_proposal; classtype:protocol-command-decode; sid:2224013; rev:1;)
if let Ok(sa) = sa_type_s {
if tx.ike_version == 1 {
- 'outer1: for (i, server_transform) in tx.hdr.ikev1_transforms.iter().enumerate() {
- if i >= 1 {
- debug_validate_bug_on!(true);
- break;
- }
- for attr in server_transform {
- if attr.attribute_type.to_string() == sa {
- if let Some(numeric_value) = attr.numeric_value {
- ret_val = numeric_value;
- ret_code = 1;
- break 'outer1;
+ if tx.hdr.ikev1_transforms.len() >= 1 {
+ // there should be only one chosen server_transform, check event
+ if let Some(server_transform) = tx.hdr.ikev1_transforms.first() {
+ for attr in server_transform {
+ if attr.attribute_type.to_string() == sa {
+ if let Some(numeric_value) = attr.numeric_value {
+ ret_val = numeric_value;
+ ret_code = 1;
+ break
+ }
}
}
}
InvalidProposal,
UnknownProposal,
PayloadExtraData,
+ MultipleServerProposal,
}
impl IkeEvent {
8 => Some(IkeEvent::InvalidProposal),
9 => Some(IkeEvent::UnknownProposal),
10 => Some(IkeEvent::PayloadExtraData),
+ 11 => Some(IkeEvent::MultipleServerProposal),
_ => None,
}
}
IkeEvent::InvalidProposal => "invalid_proposal\0",
IkeEvent::UnknownProposal => "unknown_proposal\0",
IkeEvent::PayloadExtraData => "payload_extra_data\0",
+ IkeEvent::MultipleServerProposal => "multiple_server_proposal\0",
};
unsafe {
*event_name = estr.as_ptr() as *const std::os::raw::c_char;
"invalid_proposal" => IkeEvent::InvalidProposal as i32,
"unknown_proposal" => IkeEvent::UnknownProposal as i32,
"payload_extra_data" => IkeEvent::PayloadExtraData as i32,
+ "multiple_server_proposal" => IkeEvent::MultipleServerProposal as i32,
_ => -1, // unknown event
}
}
&tx.hdr.ikev1_transforms,
);
} else {
+ if state.ikev1_container.server.transforms.len() <= 1
+ && state.ikev1_container.server.transforms.len()
+ + tx.hdr.ikev1_transforms.len()
+ > 1
+ {
+ SCLogDebug!("More than one chosen server proposal");
+ state.set_event(IkeEvent::MultipleServerProposal);
+ }
+
state.ikev1_container.server.update(
&to_hex(tx.hdr.ikev1_header.key_exchange.as_ref()),
&to_hex(tx.hdr.ikev1_header.nonce.as_ref()),
}
if tx.ike_version == 1 {
- let mut index = 0;
- for server_transform in &state.ikev1_container.server.transforms {
- if index >= 1 {
- debug_validate_bug_on!(true);
- break;
+ if state.ikev1_container.server.transforms.len() > 0 {
+ // log the first transform as the chosen one
+ add_attributes(&state.ikev1_container.server.transforms[0], jb)?;
+ }
+ if state.ikev1_container.server.transforms.len() > 1 {
+ // in case we have multiple server transforms log them in a list
+ jb.open_array("server_proposals")?;
+ for server_transform in &state.ikev1_container.server.transforms {
+ jb.start_object()?;
+ add_attributes(server_transform, jb)?;
+ jb.close()?;
}
- add_attributes(server_transform, jb)?;
- index += 1;
+ jb.close()?;
}
} else if tx.ike_version == 2 {
if tx.hdr.flags & IKEV2_FLAG_INITIATOR != 0 {
projects / thirdparty / suricata.git / commitdiff
