From 1eed3f22332fff19751f786489ec2565b9a274e1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 12 Dec 2012 18:29:01 +0100
Subject: [PATCH] ipv6: add event for ipv6 packet with icmpv4 header

---
 rules/decoder-events.rules | 3 ++-
 src/decode-events.h | 2 ++
 src/decode-ipv6.c | 8 ++++++--
 src/detect-engine-event.h | 1 +
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index ab4ac0ddce..ee4770fbd8 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -34,6 +34,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS only padding"; decod
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS unknown option"; decode-event:ipv6.dstopts_unknown_opt; sid:2200088; rev:1;)
 # DST header with only padding, covert channel?
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; sid:2200089; rev:1;)
+alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
@@ -101,5 +102,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
 
-# next sid is 2200090
+# next sid is 2200091
diff --git a/src/decode-events.h b/src/decode-events.h
index c03a0af649..31b2636477 100644
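Review bot: The added rule on the `+alert ipv6 any any -> any any (...)` line is the only decoder-event rule in this hunk (and, judging by the surrounding context, in this file) that does not use the `pkthdr` protocol keyword; its neighbours for the sibling IPv6 and ICMPv4 decoder events all use `alert pkthdr`. Presumably `pkthdr` exists so that decode-event rules are evaluated on the packet header alone, independent of what L4 decoding produced, which matters here because the packet being flagged is one whose L4 header is precisely the thing that is wrong. Unless `ipv6` was chosen deliberately, I would keep the file consistent: `alert pkthdr any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)`. If it is deliberate, a short comment above the rule saying why this one differs would stop the next reader from "fixing" it.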
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -77,6 +77,8 @@ enum {
     IPV6_DSTOPTS_UNKNOWN_OPT, /**< unknown DST opt */
     IPV6_DSTOPTS_ONLY_PADDING, /**< all options in DST opts are padding */
 
+    IPV6_WITH_ICMPV4, /**< IPv6 packet with ICMPv4 header */
+
     /* TCP EVENTS */
     TCP_PKT_TOO_SMALL, /**< tcp packet smaller than minimum size */
     TCP_HLEN_TOO_SMALL, /**< tcp header smaller than minimum size */
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index b45f16f0d7..7d6240d0e7 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -487,7 +487,9 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
             case IPPROTO_NONE:
                 IPV6_SET_L4PROTO(p,nh);
                 SCReturn;
-
+            case IPPROTO_ICMP:
+                ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
+                break;
             default:
                 IPV6_SET_L4PROTO(p,nh);
                 SCReturn;
@@ -577,7 +579,9 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
         case IPPROTO_ESP:
             DecodeIPV6ExtHdrs(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
             break;
-
+        case IPPROTO_ICMP:
+            ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
+            break;
         default:
             p->proto = IPV6_GET_NH(p);
             break;
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index c2a9cff87e..58fe0eb3e9 100644
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -69,6 +69,7 @@ struct DetectEngineEvents_ {
     { "ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
     { "ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
     { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
+    { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },
     { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
     { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
     { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },
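Review bot: The Doxygen comment on the new `IPV6_WITH_ICMPV4` enumerator restates its name but not why the condition is an event, which is what a rule writer reading this header needs; the sibling entries at least hint at the anomaly ("only padding", "unknown opt"). I would write it as `/**< next header is ICMPv4 (IP proto 1), which has no valid meaning inside IPv6: malformed packet or evasion attempt */`. The enum this is added to opens before the hunk, so I cannot see whether other entries follow a stricter comment convention to match.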
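Review bot: In the DecodeIPV6ExtHdrs hunk the new `case IPPROTO_ICMP:` ends in `break;`, whereas the adjacent `IPPROTO_NONE` and `default` cases — the other two terminal cases visible here — end in `SCReturn;`. `break` only leaves the switch; if this switch sits inside the extension-header walking loop (the function body starts well before the hunk, so this is inferred from the `DecodeIPV6ExtHdrs` signature and the sibling cases), control re-enters that loop with `nh`, `pkt` and `plen` untouched and the same case is taken again forever, setting the same event each time. The next-header byte is attacker-controlled, so a single IPv6 packet whose last extension header announces next-header 1 would hang the decoding thread. Terminate the case like its neighbours: `ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);` followed by `SCReturn;` instead of `break;`.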
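Review bot: In the DecodeIPV6 hunk the new `case IPPROTO_ICMP:` leaves `p->proto` unassigned, while the `default` branch directly below it records `p->proto = IPV6_GET_NH(p);` for every other next header the function does not decode itself; the hunk does not say whether skipping that assignment for the flagged packet is intentional. If it is deliberate — so that later stages never treat the packet as ICMP — a one-line comment such as `/* proto intentionally left unset: not a valid L4 for IPv6 */` would make that visible; if not, add `p->proto = IPV6_GET_NH(p);` before the `break;` so protocol-based matching still sees the value that was on the wire. DecodeIPV6 begins before the hunk, so I cannot confirm what `p->proto` holds on entry.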