From: Victor Julien
Date: Mon, 28 Jul 2014 12:41:15 +0000 (+0200)
Subject: ipv6: set event on unsupported nh
X-Git-Tag: suricata-2.1beta1~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c05685421afbb948cd6db308a5ee4cb347c7e15;p=thirdparty%2Fsuricata.git
ipv6: set event on unsupported nh
If a next header / protocol is encountered that we can't handle (yet) set an event. Disabled the rule by default.
decode-event:ipv6.unknown_next_header;
---
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 779d6ed30e..5d77928283 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -43,6 +43,8 @@ alert ipv6 any any -> any any (msg:"SURICATA zero length padN option"; decode-ev
 alert ipv6 any any -> any any (msg:"SURICATA reserved field in Frag Header not zero"; decode-event:ipv6.fh_non_zero_reserved_field; sid:2200095; rev:1;)
 # Data after the 'none' header (59) is suspicious.
 alert ipv6 any any -> any any (msg:"SURICATA data after none (59) header"; decode-event:ipv6.data_after_none_header; sid:2200096; rev:1;)
+# unknown/unsupported next header / protocol. Valid protocols are not yet supported, so disabling by default
+#alert ipv6 any any -> any any (msg:"SURICATA unknown next header / protocol"; decode-event:ipv6.unknown_next_header; sid:2200097; rev:1;)
 alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
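Review bot: The comment placed above the disabled rule, "Valid protocols are not yet supported, so disabling by default", reads as a statement about the rule rather than about the decoder, so an operator scanning this file will not learn that enabling sid 2200097 also alerts on well-formed IPv6 packets whose upper-layer protocol the decoder simply does not parse. I would reword it to `# unknown/unsupported next header / protocol. Also fires on valid upper-layer protocols the decoder does not parse (yet), so disabled by default.` so the false-positive profile is stated where the rule lives and not only in the commit message.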
@@ -114,5 +116,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
-# next sid is 2200097
+# next sid is 2200098
diff --git a/src/decode-events.h b/src/decode-events.h
index 1eceb8af7a..ceb8c64013 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -84,6 +84,7 @@ enum {
 IPV6_FH_NON_ZERO_RES_FIELD, /**< reserved field not zero */
 IPV6_DATA_AFTER_NONE_HEADER, /**< data after 'none' (59) header */
+ IPV6_UNKNOWN_NEXT_HEADER, /**< unknown/unsupported next header */
 IPV6_WITH_ICMPV4, /**< IPv6 packet with ICMPv4 header */
 /* TCP EVENTS */
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index 5424765f83..3bbbc5a9cd 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -562,6 +562,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 plen -= hdrextlen;
 break;
 default:
+ ENGINE_SET_EVENT(p, IPV6_UNKNOWN_NEXT_HEADER);
 IPV6_SET_L4PROTO(p,nh);
 SCReturn;
 }
@@ -662,6 +663,7 @@ int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
 ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
 break;
 default:
+ ENGINE_SET_EVENT(p, IPV6_UNKNOWN_NEXT_HEADER);
 IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));
 break;
 }
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index 288956ddf3..5b42f6e743 100644
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -93,6 +93,7 @@ struct DetectEngineEvents_ {
 { "ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
 { "ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
 { "ipv6.data_after_none_header", IPV6_DATA_AFTER_NONE_HEADER, },
+ { "ipv6.unknown_next_header", IPV6_UNKNOWN_NEXT_HEADER, },
 { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },
 /* TCP EVENTS */
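Review bot: The Doxygen comment on the new `IPV6_UNKNOWN_NEXT_HEADER` enumerator says only "unknown/unsupported next header", yet the rule added in the same commit is shipped disabled precisely because the event also fires on valid upper-layer protocols the decoder does not parse; anyone reading the enum alone will take it for a malformed-packet indicator and may wire it into a blocking or high-severity policy. I would make the semantics explicit on the declaration: `IPV6_UNKNOWN_NEXT_HEADER, /**< next header / protocol the decoder does not parse; also raised for valid but unsupported L4 protocols */`. The enum this line belongs to starts before the hunk.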
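Review bot: The event raised in the `default:` branch of `DecodeIPV6ExtHdrs` records nothing about which next-header value triggered it, and the same event is set again from the `default:` case of `DecodeIPV6` in the second hunk of this file, so an analyst who enables the rule gets one indistinguishable alert for a valid-but-unparsed L4 protocol following an extension-header chain and for a bogus next-header value used to evade inspection. Since `nh` is in scope at this point, logging it next to the event would make such alerts triageable, e.g. `SCLogDebug("unsupported IPv6 next header %u after extension headers", nh);`, assuming the util-debug logging macros are available in this file (the `SCReturn` on the following line suggests they are). `DecodeIPV6ExtHdrs` begins and ends outside this hunk.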