From: Eric Leblond
Date: Thu, 3 Mar 2016 09:35:19 +0000 (+0100)
Subject: decode: update icmpv6 message handling
X-Git-Tag: suricata-3.0.1RC1~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab3aed7d251f5abec3b11bbf8af61f3815e33409;p=thirdparty%2Fsuricata.git
decode: update icmpv6 message handling
This patch adds two new events relative to icmpv6. One for packets using unassigned icmpv6 type. The second one for packets using private experimentation type.
Icmpv6 type table taken from http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
---
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 314c0f9268..4a20197fd5 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -52,11 +52,14 @@ alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-even
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; decode-event:icmpv4.ipv4_trunc_pkt; sid:2200026; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; decode-event:icmpv4.ipv4_unknown_ver; sid:2200027; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; decode-event:icmpv6.pkt_too_small; sid:2200028; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
+# uncomment the following sginature if you plan to update suricata code to support more ICMPv6 type
+#alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; decode-event:icmpv6.unknown_code; sid:2200030; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet"; decode-event:icmpv6.ipv6_trunc_pkt; sid:2200031; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version"; decode-event:icmpv6.ipv6_unknown_version; sid:2200032; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 MLD hop limit not 1"; decode-event:icmpv6.mld_message_with_invalid_hl; sid:2200102; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unassigned type"; decode-event:icmpv6.unassigned_type; sid:2200108; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 private experimentation type"; decode-event:icmpv6.experimentation_type; sid:2200109; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small"; decode-event:tcp.pkt_too_small; sid:2200033; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small"; decode-event:tcp.hlen_too_small; sid:2200034; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)
@@ -134,5 +137,5 @@ alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-eve
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)
-# next sid is 2200108
+# next sid is 2200110
diff --git a/src/decode-events.h b/src/decode-events.h
index c16d0d92d6..51889387a1 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -58,6 +58,8 @@ enum {
 ICMPV6_IPV6_UNKNOWN_VER, /**< unknown version in icmpv6 packet */
 ICMPV6_IPV6_TRUNC_PKT, /**< truncated icmpv6 packet */
 ICMPV6_MLD_MESSAGE_WITH_INVALID_HL, /**< invalid MLD that doesn't have HL 1 */
+ ICMPV6_UNASSIGNED_TYPE, /**< unsassigned ICMPv6 type */
+ ICMPV6_EXPERIMENTATION_TYPE, /**< uprivate experimentation ICMPv6 type */
 /* IPV6 EVENTS */
 IPV6_PKT_TOO_SMALL, /**< ipv6 packet smaller than minimum size */
diff --git a/src/decode-icmpv6.c b/src/decode-icmpv6.c
index 7972ea797c..a7a77b5a19 100644
--- a/src/decode-icmpv6.c
+++ b/src/decode-icmpv6.c
@@ -321,9 +321,26 @@ int DecodeICMPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 }
 break;
 default:
- SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
- "implemented yet", ICMPV6_GET_TYPE(p));
- ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
+ /* Various range taken from:
+ * http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
+ */
+ if ((ICMPV6_GET_TYPE(p) > 4) && (ICMPV6_GET_TYPE(p) < 100)) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 100) && (ICMPV6_GET_TYPE(p) < 102)) {
+ ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 102) && (ICMPV6_GET_TYPE(p) < 127)) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 160) && (ICMPV6_GET_TYPE(p) < 200)) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else if ((ICMPV6_GET_TYPE(p) >= 200) && (ICMPV6_GET_TYPE(p) < 202)) {
+ ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
+ } else if (ICMPV6_GET_TYPE(p) >= 202) {
+ ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
+ } else {
+ SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
+ "implemented yet", ICMPV6_GET_TYPE(p));
+ ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
+ }
 }
 /* for a info message the header is just 4 bytes */
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index 9d6424fbdb..9ee152766e 100644
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -71,6 +71,8 @@ struct DetectEngineEvents_ {
 { "icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
 { "icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
 { "icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
+ { "icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
+ { "icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
 /* IPV6 EVENTS */
 { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
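Review bot: The comment added above the now commented-out unknown_type rule misspells "signature" as `sginature`, and the two enum comments added in src/decode-events.h in this same commit carry the same kind of slip, `unsassigned` for `unassigned` and `uprivate` for `private`. These comments are what an operator reads to decide whether to re-enable sid 2200029, so they are worth fixing before merge: `# uncomment the following signature if you plan to update suricata code to support more ICMPv6 types`. The second rules hunk (the "next sid" bump) needs nothing.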
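Review bot: The new range chain in the default branch leaves the reserved types out of the model its comment documents: in the IANA registry it cites, 0 is Reserved and 127 and 255 are reserved for expansion of error and informational messages, yet 255 is reported as ICMPV6_UNASSIGNED_TYPE because the `>= 202` branch has no upper bound, while 0 and 127 (unless a case above the hunk handles them) reach the final else and raise ICMPV6_UNKNOWN_TYPE, whose rule this commit comments out in decoder-events.rules, so a packet carrying a reserved type produces no alert by default. If that is intended, say so in the range comment, e.g. `/* 0, 127 and 255 are reserved (IANA); they are left to the unknown_type fallback / unassigned branch */`; otherwise bound the last range with `} else if ((ICMPV6_GET_TYPE(p) >= 202) && (ICMPV6_GET_TYPE(p) < 255)) {` and decide explicitly which event 255 should raise. The same fallback is also where any assigned informational type in 128-159 without a case in the switch now lands, which appears to be the situation the rules-file comment refers to. As a point of style, ICMPV6_GET_TYPE(p) is evaluated up to twelve times in the chain; reading it once into a local would make the ranges easier to check against the registry. DecodeICMPV6 begins and ends outside the hunk.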