From: Victor Julien
Date: Tue, 16 Jul 2013 13:03:07 +0000 (+0200)
Subject: In case of fragments, don't consider ports. Bug #847.
X-Git-Tag: suricata-2.0beta1~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f4dcba6de3b3f5d8a203dad36e0442c11b267239;p=thirdparty%2Fsuricata.git

In case of fragments, don't consider ports. Bug #847.
---
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index c4dcd67bb6..76bed8e863 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -525,6 +525,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 p->ip4h = NULL;
 return;
 }
+ p->proto = IPV4_GET_IPPROTO(p);
 
 /* If a fragment, pass off for re-assembly. */
 if (unlikely(IPV4_GET_IPOFFSET(p) > 0 || IPV4_GET_MF(p) == 1)) {
@@ -534,6 +535,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 DecodeIPV4(tv, dtv, rp, (void *)rp->ip4h, IPV4_GET_IPLEN(rp), pq);
 PacketEnqueue(pq, rp);
 }
+ p->flags |= PKT_IS_FRAGMENT;
 return;
 }
 
@@ -599,9 +601,6 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 IPV4_GET_IPLEN(p) - IPV4_GET_HLEN(p), pq);
 }
 break;
- default:
- p->proto = IPV4_GET_IPPROTO(p);
- break;
 }
 
 return;
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index f0f0c64c59..9c2093f57f 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -402,6 +402,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 }
 
 /* the rest is parsed upon reassembly */
+ p->flags |= PKT_IS_FRAGMENT;
 SCReturn;
 
 case IPPROTO_ESP:
@@ -583,9 +584,10 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
 break;
 default:
- p->proto = IPV6_GET_NH(p);
+ IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));
 break;
 }
+ p->proto = IPV6_GET_L4PROTO (p);
 
 /* Pass to defragger if a fragment. */
 if (IPV6_EXTHDR_ISSET_FH(p)) {
diff --git a/src/decode.h b/src/decode.h
index b9cccd71ac..e5d74028ec 100644
--- a/src/decode.h
+++ b/src/decode.h
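Review bot: `p->flags |= PKT_IS_FRAGMENT;` is set at the very end of the fragment branch in DecodeIPV4 (second decode-ipv4.c hunk), after the Defrag/enqueue block, so any exit from that branch above the visible lines would hand a packet to reassembly without the flag while its `p->proto` (now set before the branch by the first hunk) still selects the port checks in detect.c and detect-engine-iponly.c. Setting it at the top of the branch, directly after `if (unlikely(IPV4_GET_IPOFFSET(p) > 0 || IPV4_GET_MF(p) == 1)) {`, makes the flag hold on every path out of the branch. A short comment at that line, `/* no L4 header is decoded for fragments: sp/dp stay unset, detection must skip port checks */`, would also record why the flag exists. The fragment branch begins and ends outside the hunk, so whether such an early exit exists is not visible here.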
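Review bot: `IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));` and `p->proto = IPV6_GET_L4PROTO (p);` in the second decode-ipv6.c hunk put a space between the macro name and its argument list, unlike `IPV6_GET_NH(p)` and `IPV6_EXTHDR_ISSET_FH(p)` on the neighbouring lines; write them as `IPV6_SET_L4PROTO(p, IPV6_GET_NH(p));` and `p->proto = IPV6_GET_L4PROTO(p);`. Separately, the IPv6 side sets `PKT_IS_FRAGMENT` inside DecodeIPV6ExtHdrs (first decode-ipv6.c hunk) whereas the IPv4 side sets it where the packet is actually passed to the defragger; setting it under `if (IPV6_EXTHDR_ISSET_FH(p)) {` in DecodeIPV6 would keep the two decoders symmetrical and tie the flag to the same condition that triggers reassembly. Whether DecodeIPV6ExtHdrs can leave a fragment without reaching the visible `SCReturn` is outside the hunk.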
@@ -903,6 +903,8 @@ void AddressDebugPrint(Address *);
 #define PKT_HOST_SRC_LOOKED_UP (1<<17)
 #define PKT_HOST_DST_LOOKED_UP (1<<18)
 
+#define PKT_IS_FRAGMENT (1<<19) /**< Packet is a fragment */
+
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END)
 
diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index e9c41087ba..c7f88d26a8 100644
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@@ -1038,6 +1038,9 @@ void IPOnlyMatchPacket(ThreadVars *tv,
 /* check the source & dst port in the sig */
 if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
 if (!(s->flags & SIG_FLAG_DP_ANY)) {
+ if (p->flags & PKT_IS_FRAGMENT)
+ continue;
+
 DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
 if (dport == NULL) {
 SCLogDebug("dport didn't match.");
@@ -1045,6 +1048,9 @@ void IPOnlyMatchPacket(ThreadVars *tv,
 }
 }
 if (!(s->flags & SIG_FLAG_SP_ANY)) {
+ if (p->flags & PKT_IS_FRAGMENT)
+ continue;
+
 DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
 if (sport == NULL) {
 SCLogDebug("sport didn't match.");
diff --git a/src/detect.c b/src/detect.c
index c9a1b45d21..8eb1a2325c 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1501,6 +1501,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 /* check the source & dst port in the sig */
 if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
 if (!(s->flags & SIG_FLAG_DP_ANY)) {
+ if (p->flags & PKT_IS_FRAGMENT)
+ goto next;
 DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
 if (dport == NULL) {
 SCLogDebug("dport didn't match.");
@@ -1508,6 +1510,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 }
 }
 if (!(s->flags & SIG_FLAG_SP_ANY)) {
+ if (p->flags & PKT_IS_FRAGMENT)
+ goto next;
 DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
 if (sport == NULL) {
 SCLogDebug("sport didn't match.");
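Review bot: The doc comment on the new `PKT_IS_FRAGMENT` define only says `Packet is a fragment`; the contract the detect.c and detect-engine-iponly.c hunks rely on — the packet was handed to the defragger before any L4 decoding, so `p->sp`/`p->dp` are not valid and port checks must be skipped — belongs here, where readers of the flag will look. Suggest `/**< Packet is a fragment passed to the defragger: no L4 header decoded, sp/dp not valid, skip port matching */`.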
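Review bot: The `PKT_IS_FRAGMENT` test is duplicated inside the DP and SP branches of IPOnlyMatchPacket (both detect-engine-iponly.c hunks) and again in SigMatchSignatures (both detect.c hunks); one check ahead of the two port blocks states the rule — a fragment only fails a signature that constrains at least one port — in a single place: `if ((p->flags & PKT_IS_FRAGMENT) && !((s->flags & SIG_FLAG_DP_ANY) && (s->flags & SIG_FLAG_SP_ANY))) continue;` (with `goto next` in detect.c). The check deliberately sits inside the `p->proto == IPPROTO_TCP || ... SCTP` guard so fragments of other protocols are unaffected; a one-line comment would make that intent explicit, e.g. `/* fragments carry no L4 header: leave port-constrained rules to the reassembled packet */`. The signature loop that `continue` and `goto next` belong to begins outside the hunks.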