From: Cynthia Leonard (cyleonar) Date: Thu, 15 Oct 2020 09:40:12 +0000 (+0000) Subject: Merge pull request #2541 in SNORT/snort3 from ~PUNEETKU/snort3:vrf_same_ip to master X-Git-Tag: 3.0.3-3~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09e1a0e14d0c4db64dbcd20f8899a9b9c45b7524;p=thirdparty%2Fsnort3.git Merge pull request #2541 in SNORT/snort3 from ~PUNEETKU/snort3:vrf_same_ip to master Squashed commit of the following: commit 7ced046818da05917d2df20779f3c493967aa2a4 Author: Puneeth Kumar C V Date: Sun Aug 9 23:58:02 2020 -0400 codec: support for overlapping ip in different groups
---
diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc
index 3d63e9ac4..cc40195cd 100644
--- a/src/codecs/ip/cd_ipv4.cc
+++ b/src/codecs/ip/cd_ipv4.cc
@@ -124,7 +124,7 @@ public:
 private:
 bool valid_checksum_from_daq(const RawData&);
- void IP4AddrTests(const ip::IP4Hdr*, const CodecData&, DecodeData&);
+ void IP4AddrTests(const ip::IP4Hdr*, const RawData&, const CodecData&, DecodeData&);
 void IPMiscTests(const ip::IP4Hdr* const ip4h, const CodecData& codec, uint16_t len);
 void DecodeIPOptions(const uint8_t* start, uint8_t& o_len, CodecData& data);
 };
@@ -255,7 +255,7 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 /*
 * IP Header tests: Land attack, and Loop back test
 */
- IP4AddrTests(iph, codec, snort);
+ IP4AddrTests(iph, raw, codec, snort);
 if (snort::get_network_policy()->ip_checksums() && !valid_checksum_from_daq(raw))
 {
@@ -358,14 +358,23 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 }
 void Ipv4Codec::IP4AddrTests(
- const ip::IP4Hdr* iph, const CodecData& codec, DecodeData& snort)
+ const ip::IP4Hdr* iph, const RawData& raw, const CodecData& codec,
+ DecodeData& snort)
 {
 uint8_t msb_src, msb_dst;
 // check all 32 bits ...
 if ( iph->ip_src == iph->ip_dst )
 {
- codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);
+ const DAQ_PktHdr_t* pkth = daq_msg_get_pkthdr(raw.daq_msg);
+
+ if ( pkth->flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS )
+ {
+ if ( pkth->ingress_group == pkth->egress_group )
+ codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);
+ }
+ else
+ codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);
 }
 // check all 32 bits ...
diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc
index 90950b0f6..6989aa275 100644
--- a/src/codecs/ip/cd_ipv6.cc
+++ b/src/codecs/ip/cd_ipv6.cc
@@ -103,7 +103,7 @@ private:
 void IPV6CheckIsatap(const ip::IP6Hdr* const, const DecodeData&, const CodecData&);
- void IPV6MiscTests(const DecodeData&, const CodecData&);
+ void IPV6MiscTests(const RawData&, const DecodeData&, const CodecData&);
 void CheckIPV6Multicast(const ip::IP6Hdr* const, const CodecData&);
 bool CheckTeredoPrefix(const ip::IP6Hdr* const hdr);
 };
@@ -213,7 +213,7 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 snort.ip_api.update(real_src, real_dst);
 }
- IPV6MiscTests(snort, codec);
+ IPV6MiscTests(raw, snort, codec);
 CheckIPV6Multicast(ip6h, codec);
 if (ip6h->is_valid_next_header() == false)
@@ -251,7 +251,8 @@ void Ipv6Codec::IPV6CheckIsatap(const ip::IP6Hdr* const ip6h,
 }
 }
-void Ipv6Codec::IPV6MiscTests(const DecodeData& snort, const CodecData& codec)
+void Ipv6Codec::IPV6MiscTests(const RawData& raw, const DecodeData& snort,
+ const CodecData& codec)
 {
 const SfIp* ip_src = snort.ip_api.get_src();
 const SfIp* ip_dst = snort.ip_api.get_dst();
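Review bot: `pkth` is dereferenced in the new same-address branch of IP4AddrTests with no check that `raw.daq_msg` is set, and as far as I know `daq_msg_get_pkthdr()` reads the header pointer straight out of that handle. Whether every decode path supplies a DAQ message is not visible in this diff; if one does not, a packet with equal source and destination would fault in the decoder instead of raising the event. Failing closed keeps the alert: `const DAQ_PktHdr_t* pkth = raw.daq_msg ? daq_msg_get_pkthdr(raw.daq_msg) : nullptr;` followed by `if ( !pkth || !(pkth->flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS) || pkth->ingress_group == pkth->egress_group )` around a single `codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);`, which also removes the duplicated call. The same applies to the IPV6MiscTests hunk at `@@ -263,7 +264,15 @@`. IP4AddrTests continues past the end of this hunk.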
@@ -263,7 +264,15 @@ void Ipv6Codec::IPV6MiscTests(const DecodeData& snort, const CodecData& codec)
 */
 if (ip_src->fast_eq6(*ip_dst))
 {
- codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);
+ const DAQ_PktHdr_t* pkth = daq_msg_get_pkthdr(raw.daq_msg);
+
+ if (pkth->flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS)
+ {
+ if (pkth->ingress_group == pkth->egress_group)
+ codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);
+ }
+ else
+ codec_event(codec, DECODE_BAD_TRAFFIC_SAME_SRCDST);
 }
 if (ip_src->is_loopback() || ip_dst->is_loopback())
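Review bot: The new branch in IPV6MiscTests suppresses DECODE_BAD_TRAFFIC_SAME_SRCDST on the strength of DAQ-supplied metadata alone, and nothing in the code says why or when that is safe. Someone tuning alerts needs to know that with DAQ_PKT_FLAG_SIGNIFICANT_GROUPS set and differing groups, no event is raised at all. I would add a comment above the `pkth` line, such as `// Equal src/dst across different ingress/egress groups is treated as overlapping address space, not a land attack; alert only when the groups match or are not significant.` The IPv4 copy in IP4AddrTests is line-for-line the same, so a small shared helper taking `const RawData&` would keep the two from drifting apart. The function starts before and ends after this hunk.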