From: Victor Julien
Date: Sat, 8 Feb 2014 10:25:13 +0000 (+0100)
Subject: ipv4 decoder: set 'invalid' event on icmpv6
X-Git-Tag: suricata-2.0rc1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdca557e0162e02ee5b40949948685e3ca8ae5c0;p=thirdparty%2Fsuricata.git

ipv4 decoder: set 'invalid' event on icmpv6

ICMPv6 on IPv4 is invalid, so if we encounter this we set an event and flag the packet as invalid.

Ticket #1105.
---
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index a14056ebc1..a54f9dcaf4 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -8,6 +8,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option"; decode-even
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; sid:2200005; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 malformed option"; decode-event:ipv4.opt_malformed; sid:2200006; rev:1;)
 #alert pkthdr any any -> any any (msg:"SURICATA IPv4 padding required "; decode-event:ipv4.opt_pad_required; sid:2200007; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv4 with ICMPv6 header"; decode-event:ipv4.icmpv6; sid:2200092; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 option end of list required"; decode-event:ipv4.opt_eol_required; sid:2200008; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 duplicated IP option"; decode-event:ipv4.opt_duplicate; sid:2200009; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4 unknown IP option"; decode-event:ipv4.opt_unknown; sid:2200010; rev:1;)
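Review bot: The new rule for sid 2200092 is inserted between sids 2200007 and 2200008, breaking the ascending sid order that the surrounding lines (2200005 through 2200010) follow; grouping it with the highest existing sid rather than by topic keeps the file greppable by sid and matches the `# next sid` bookkeeping that the second hunk bumps. The rule itself is consistent with the `ipv4.icmpv6` keyword registered in src/detect-engine-event.h and with the decoder change in src/decode-ipv4.c, so this is a placement point only.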
@@ -105,5 +106,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
 
-# next sid is 2200092
+# next sid is 2200093
diff --git a/src/decode-events.h b/src/decode-events.h
index 16aec8311a..cbbc733c6c 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -42,6 +42,7 @@ enum {
 IPV4_OPT_DUPLICATE, /**< duplicated ip option */
 IPV4_OPT_UNKNOWN, /**< unknown ip option */
 IPV4_WRONG_IP_VER, /**< wrong ip version in ip options */
+IPV4_WITH_ICMPV6, /**< IPv4 packet with ICMPv6 header */
 
 /* ICMP EVENTS */
 ICMPV4_PKT_TOO_SMALL, /**< icmpv4 packet smaller than minimum size */
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index 4b18fada8e..665f4acd49 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -594,6 +594,9 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
 IPV4_GET_IPLEN(p) - IPV4_GET_HLEN(p), pq);
 }
 break;
+case IPPROTO_ICMPV6:
+ENGINE_SET_INVALID_EVENT(p, IPV4_WITH_ICMPV6);
+break;
 }
 
 return TM_ECODE_OK;
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index 8dadeac005..dcff16bcc5 100644
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -55,6 +55,7 @@ struct DetectEngineEvents_ {
 { "ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, },
 { "ipv4.opt_unknown", IPV4_OPT_UNKNOWN, },
 { "ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, },
+{ "ipv4.icmpv6", IPV4_WITH_ICMPV6, },
 
 /* ICMP EVENTS */
 { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
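Review bot: `IPV4_WITH_ICMPV6` is inserted in the middle of the anonymous event enum, so every constant after it (from `ICMPV4_PKT_TOO_SMALL` onwards) is silently renumbered. Lookups that go through the name table in src/detect-engine-event.h are unaffected, but if any consumer persists or compares the raw numeric event id (an output module, a stats counter, an externally stored ruleset), it would now see shifted values; worth confirming, or appending the new constant at the end of the enum instead. The doc comment could also say why the event exists rather than restating its name: `/**< IPv4 packet carrying ICMPv6 (protocol 58), which is only defined over IPv6 */`. The enum begins and ends outside the hunk.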
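Review bot: The new `case IPPROTO_ICMPV6:` flags the packet, but the commit adds no unit test that feeds an IPv4 packet with protocol 58 through `DecodeIPV4` and asserts that `IPV4_WITH_ICMPV6` is set; this file's unittest section, if it has one, is outside the hunk, so I cannot tell whether coverage was added elsewhere. A one-line comment on the case would help the next reader, e.g. `/* ICMPv6 (protocol 58) is only defined on top of IPv6 (RFC 4443); on IPv4 it is malformed, so reject it without dispatching to a sub-decoder */`. The new case sits directly before the closing brace of the switch and no `default:` branch is visible, so other protocols that cannot legitimately ride on IPv4 still pass through silently; that is pre-existing rather than introduced here, but worth noting while this path is being touched. The enclosing `DecodeIPV4` switch starts outside the hunk.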