decode: update icmpv6 message handling

This patch adds two new events related to ICMPv6: one for packets
using an unassigned ICMPv6 type, the other for packets using a
private experimentation type.

Icmpv6 type table taken from http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
Eric Leblond 10 years ago
parent 27b02402e7
commit ab3aed7d25

@ -52,11 +52,14 @@ alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-even
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; decode-event:icmpv4.ipv4_trunc_pkt; sid:2200026; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; decode-event:icmpv4.ipv4_unknown_ver; sid:2200027; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; decode-event:icmpv6.pkt_too_small; sid:2200028; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
# uncomment the following sginature if you plan to update suricata code to support more ICMPv6 type
#alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; decode-event:icmpv6.unknown_code; sid:2200030; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet"; decode-event:icmpv6.ipv6_trunc_pkt; sid:2200031; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version"; decode-event:icmpv6.ipv6_unknown_version; sid:2200032; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 MLD hop limit not 1"; decode-event:icmpv6.mld_message_with_invalid_hl; sid:2200102; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unassigned type"; decode-event:icmpv6.unassigned_type; sid:2200108; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 private experimentation type"; decode-event:icmpv6.experimentation_type; sid:2200109; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small"; decode-event:tcp.pkt_too_small; sid:2200033; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small"; decode-event:tcp.hlen_too_small; sid:2200034; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)
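Review bot: Commenting out the `icmpv6.unknown_type` rule (sid 2200029) leaves a detection gap, because the decoder hunk in this same commit still sets ICMPV6_UNKNOWN_TYPE in its final else branch for any type in 0..4 or 127..159 that no case label handles (that switch starts outside its hunk, so exactly which types that covers cannot be confirmed here). If the intent is that such packets never alert, the comment should say so; otherwise the rule should stay active alongside the two new ones. The comment on the line above the disabled rule also has a typo: `# uncomment the following signature if you plan to update suricata code to support more ICMPv6 types`.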
@ -134,5 +137,5 @@ alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-eve
alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)
# next sid is 2200108
# next sid is 2200110

@ -58,6 +58,8 @@ enum {
ICMPV6_IPV6_UNKNOWN_VER, /**< unknown version in icmpv6 packet */
ICMPV6_IPV6_TRUNC_PKT, /**< truncated icmpv6 packet */
ICMPV6_MLD_MESSAGE_WITH_INVALID_HL, /**< invalid MLD that doesn't have HL 1 */
ICMPV6_UNASSIGNED_TYPE, /**< unsassigned ICMPv6 type */
ICMPV6_EXPERIMENTATION_TYPE, /**< uprivate experimentation ICMPv6 type */
/* IPV6 EVENTS */
IPV6_PKT_TOO_SMALL, /**< ipv6 packet smaller than minimum size */
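Review bot: The two new doc comments carry typos that will be copied into generated documentation: `ICMPV6_UNASSIGNED_TYPE, /**< unassigned ICMPv6 type */` and `ICMPV6_EXPERIMENTATION_TYPE, /**< private experimentation ICMPv6 type */`. The enclosing enum begins and ends outside the hunk.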

@ -321,9 +321,26 @@ int DecodeICMPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
}
break;
default:
SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
"implemented yet", ICMPV6_GET_TYPE(p));
ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
/* Various range taken from:
* http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
*/
if ((ICMPV6_GET_TYPE(p) > 4) && (ICMPV6_GET_TYPE(p) < 100)) {
ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
} else if ((ICMPV6_GET_TYPE(p) >= 100) && (ICMPV6_GET_TYPE(p) < 102)) {
ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
} else if ((ICMPV6_GET_TYPE(p) >= 102) && (ICMPV6_GET_TYPE(p) < 127)) {
ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
} else if ((ICMPV6_GET_TYPE(p) >= 160) && (ICMPV6_GET_TYPE(p) < 200)) {
ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
} else if ((ICMPV6_GET_TYPE(p) >= 200) && (ICMPV6_GET_TYPE(p) < 202)) {
ENGINE_SET_EVENT(p, ICMPV6_EXPERIMENTATION_TYPE);
} else if (ICMPV6_GET_TYPE(p) >= 202) {
ENGINE_SET_EVENT(p, ICMPV6_UNASSIGNED_TYPE);
} else {
SCLogDebug("ICMPV6 Message type %" PRIu8 " not "
"implemented yet", ICMPV6_GET_TYPE(p));
ENGINE_SET_EVENT(p, ICMPV6_UNKNOWN_TYPE);
}
}
/* for a info message the header is just 4 bytes */
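Review bot: The `>= 202` branch near the end of the new chain also covers type 255, which the IANA registry the comment cites lists as reserved for expansion of informational messages (the counterpart of 127 for error messages), not as unassigned; bounding it with `} else if ((ICMPV6_GET_TYPE(p) >= 202) && (ICMPV6_GET_TYPE(p) < 255)) {` lets 255 fall through to the existing unknown-type branch together with 127. The chain also re-evaluates ICMPV6_GET_TYPE(p) in every comparison; hoisting it once at the top of the default case, `const uint8_t type = ICMPV6_GET_TYPE(p);` (the PRIu8 format suggests that width, but confirm against the macro), would make the ranges easier to read and to audit against the registry. DecodeICMPV6 begins and ends outside the hunk.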

@ -71,6 +71,8 @@ struct DetectEngineEvents_ {
{ "icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
{ "icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
{ "icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
{ "icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
{ "icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
/* IPV6 EVENTS */
{ "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
