ipv6: add event for ipv6 packet with icmpv4 header

12 years ago · 1eed3f2233
parent 53c023342c
commit 1eed3f2233
4 changed files with 11 additions and 3 deletions
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@ -34,6 +34,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS only padding"; decod
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS unknown option"; decode-event:ipv6.dstopts_unknown_opt; sid:2200088; rev:1;)
 # DST header with only padding, covert channel?
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; sid:2200089; rev:1;)
+alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
@ -101,5 +102,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)

-# next sid is 2200090
+# next sid is 2200091

--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -77,6 +77,8 @@ enum {
    IPV6_DSTOPTS_UNKNOWN_OPT,       /**< unknown DST opt */
    IPV6_DSTOPTS_ONLY_PADDING,      /**< all options in DST opts are padding */

+    IPV6_WITH_ICMPV4,               /**< IPv6 packet with ICMPv4 header */
+
    /* TCP EVENTS */
    TCP_PKT_TOO_SMALL,              /**< tcp packet smaller than minimum size */
    TCP_HLEN_TOO_SMALL,             /**< tcp header smaller than minimum size */
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@ -487,7 +487,9 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
            case IPPROTO_NONE:
                IPV6_SET_L4PROTO(p,nh);
                SCReturn;
-
+            case IPPROTO_ICMP:
+                ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
+                break;
            default:
                IPV6_SET_L4PROTO(p,nh);
                SCReturn;
@ -577,7 +579,9 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
        case IPPROTO_ESP:
            DecodeIPV6ExtHdrs(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
            break;
-
+        case IPPROTO_ICMP:
+            ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
+            break;
        default:
            p->proto = IPV6_GET_NH(p);
            break;
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@ -69,6 +69,7 @@ struct DetectEngineEvents_ {
    { "ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
    { "ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
    { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
+    { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },
    { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
    { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
    { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },