decode/ethertype: Event on unknown ethertype

Issue: 7129 Create a decode/engine event if unknown ethertypes are observed.
8 months ago · 123b36b9f5
parent d9ac7489db
commit 123b36b9f5
5 changed files with 12 additions and 4 deletions
--- a/etc/schema.json
+++ b/etc/schema.json
@ -5410,6 +5410,9 @@
                                    "properties": {
                                        "pkt_too_small": {
                                            "type": "integer"
+                                        },
+                                        "unknown_ethertype": {
+                                            "type": "integer"
                                        }
                                    },
                                    "additionalProperties": false
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@ -71,6 +71,7 @@ alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small"; dec
 alert pkthdr any any -> any any (msg:"SURICATA UDP invalid length field in the header"; decode-event:udp.len_invalid; classtype:protocol-command-decode; sid:2200120; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small"; decode-event:sll.pkt_too_small; classtype:protocol-command-decode; sid:2200041; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small"; decode-event:ethernet.pkt_too_small; classtype:protocol-command-decode; sid:2200042; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA Ethertype unknown"; decode-event:ethernet.unknown_ethertype; threshold: type limit, track by_rule, seconds 60, count 1; classtype:protocol-command-decode; sid:2200121; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; decode-event:ppp.pkt_too_small; classtype:protocol-command-decode; sid:2200043; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA PPP VJU packet too small"; decode-event:ppp.vju_pkt_too_small; classtype:protocol-command-decode; sid:2200044; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA PPP IPv4 packet too small"; decode-event:ppp.ip4_pkt_too_small; classtype:protocol-command-decode; sid:2200045; rev:2;)
@ -151,5 +152,5 @@ alert pkthdr any any -> any any (msg:"SURICATA CHDLC packet too small"; decode-e

 alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)

-# next sid is 2200121
+# next sid is 2200122

--- a/src/decode-events.c
+++ b/src/decode-events.c
@ -286,6 +286,10 @@ const struct DecodeEvents_ DEvents[] = {
            "decoder.ethernet.pkt_too_small",
            ETHERNET_PKT_TOO_SMALL,
    },
+    {
+            "decoder.ethernet.unknown_ethertype",
+            ETHERNET_UNKNOWN_ETHERTYPE,
+    },

    /* PPP EVENTS */
    {
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -109,7 +109,8 @@ enum {
    SLL_PKT_TOO_SMALL, /**< sll packet smaller than minimum size */

    /* ETHERNET EVENTS */
-    ETHERNET_PKT_TOO_SMALL, /**< ethernet packet smaller than minimum size */
+    ETHERNET_PKT_TOO_SMALL,     /**< ethernet packet smaller than minimum size */
+    ETHERNET_UNKNOWN_ETHERTYPE, /**< ethertype unknown/unhandled*/

    /* PPP EVENTS */
    PPP_PKT_TOO_SMALL,     /**< ppp packet smaller than minimum size */
--- a/src/decode.h
+++ b/src/decode.h
@ -1160,8 +1160,6 @@ void DecodeUnregisterCounters(void);
    ENGINE_SET_EVENT(p, e); \
 } while(0)

-
-
 #define ENGINE_ISSET_EVENT(p, e) ({ \
    int r = 0; \
    uint8_t u; \
@ -1504,6 +1502,7 @@ static inline bool DecodeNetworkLayer(ThreadVars *tv, DecodeThreadVars *dtv,
        default:
            SCLogDebug("unknown ether type: %" PRIx16 "", proto);
            StatsIncr(tv, dtv->counter_ethertype_unknown);
+            ENGINE_SET_EVENT(p, ETHERNET_UNKNOWN_ETHERTYPE);
            return false;
    }
    return true;