ipv6: add event for ipv6 packet with icmpv4 header

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index ab4ac0ddcec92027638d155207eadffef5cae10a..ee4770fbd8d36ffb5bcf7b5dcec64c2b3c85f27d 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -34,6 +34,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS only padding"; decod
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS unknown option"; decode-event:ipv6.dstopts_unknown_opt; sid:2200088; rev:1;)
 # DST header with only padding, covert channel?
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; sid:2200089; rev:1;)
+alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
@@ -101,5 +102,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
 
-# next sid is 2200090
+# next sid is 2200091
 

diff --git a/src/decode-events.h b/src/decode-events.h
index c03a0af6490ea601daf4c7e5bf8e2fcd701bf21e..31b2636477d7f6664092a54a94ce5d04696d5e7b 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -77,6 +77,8 @@ enum {
     IPV6_DSTOPTS_UNKNOWN_OPT,       /**< unknown DST opt */
     IPV6_DSTOPTS_ONLY_PADDING,      /**< all options in DST opts are padding */
 
+    IPV6_WITH_ICMPV4,               /**< IPv6 packet with ICMPv4 header */
+
     /* TCP EVENTS */
     TCP_PKT_TOO_SMALL,              /**< tcp packet smaller than minimum size */
     TCP_HLEN_TOO_SMALL,             /**< tcp header smaller than minimum size */

diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index b45f16f0d7c1a2e77ab4f6e583cab7e98194cb85..7d6240d0e7f606501ecf78f949488fdee06d157a 100644 (file)
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -487,7 +487,9 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
             case IPPROTO_NONE:
                 IPV6_SET_L4PROTO(p,nh);
                 SCReturn;
-
+            case IPPROTO_ICMP:
+                ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
+                break;
             default:
                 IPV6_SET_L4PROTO(p,nh);
                 SCReturn;
@@ -577,7 +579,9 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
         case IPPROTO_ESP:
             DecodeIPV6ExtHdrs(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
             break;
-
+        case IPPROTO_ICMP:
+            ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
+            break;
         default:
             p->proto = IPV6_GET_NH(p);
             break;

diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index c2a9cff87e29bbb0178f60cc684d724e07c456d2..58fe0eb3e9de80c699a28dfc481a07adf42451e2 100644 (file)
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -69,6 +69,7 @@ struct DetectEngineEvents_ {
     { "ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
     { "ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
     { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
+    { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },
     { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
     { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
     { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },