From b454aa46c6ecaddb382eae401e34c929f8f50887 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 19 Sep 2016 07:47:24 -0600
Subject: [PATCH] defrag: use frag_pkt_too_large instead of frag_too_large

The rules were using the wrong decoder event type, which was only set in the unlikely event of a complete overlap, which really had nothing to do with being too large. Remove FRAG_TOO_LARGE as its no longer being used, an overlap event is already set in the case where this event would be set.
---
 rules/decoder-events.rules | 4 ++--
 src/decode-events.c | 4 ++--
 src/decode-events.h | 2 --
 src/defrag.c | 7 ++-----
 4 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 95414b74c6..7372870605 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -99,9 +99,9 @@ alert pkthdr any any -> any any (msg:"SURICATA VLAN unknown type"; decode-event:
 
 alert pkthdr any any -> any any (msg:"SURICATA VLAN too many layers"; decode-event:vlan.too_many_layers; sid:2200091; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IP raw invalid IP version "; decode-event:ipraw.invalid_ip_version; sid:2200068; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_pkt_too_large; sid:2200069; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap"; decode-event:ipv4.frag_overlap; sid:2200070; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; sid:2200071; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; sid:2200072; rev:1;)
 
 # checksum rules
diff --git a/src/decode-events.c b/src/decode-events.c
index a07b44b1d4..e6b330a76c 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -152,8 +152,8 @@ const struct DecodeEvents_ DEvents[] = {
     { "decoder.sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
 
     /* Fragmentation reasembly events. */
-    { "decoder.ipv4.frag_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
-    { "decoder.ipv6.frag_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
+    { "decoder.ipv4.frag_pkt_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
+    { "decoder.ipv6.frag_pkt_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
     { "decoder.ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
     { "decoder.ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
     /* Fragment ignored due to internal error */
diff --git a/src/decode-events.h b/src/decode-events.h
index 2d249aba16..048ac45571 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -160,8 +160,6 @@ enum {
     IPV6_FRAG_PKT_TOO_LARGE,
     IPV4_FRAG_OVERLAP,
     IPV6_FRAG_OVERLAP,
-    IPV4_FRAG_TOO_LARGE,
-    IPV6_FRAG_TOO_LARGE,
 
     /* Fragment ignored due to internal error */
     IPV4_FRAG_IGNORED,
diff --git a/src/defrag.c b/src/defrag.c
index 7004918c77..68ac0886e9 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -705,11 +705,8 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
 
 insert:
     if (data_len - ltrim <= 0) {
-        if (af == AF_INET) {
-            ENGINE_SET_EVENT(p, IPV4_FRAG_TOO_LARGE);
-        } else {
-            ENGINE_SET_EVENT(p, IPV6_FRAG_TOO_LARGE);
-        }
+        /* Full packet has been trimmed due to the overlap policy. Overlap
+         * already set. */
         goto done;
     }
 
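Review bot: The `goto done` under `insert:` in DefragInsertFrag now drops the fragment with no event of its own, and the new comment's claim that an overlap event is already set is an invariant enforced by code outside this hunk (wherever `ltrim` is computed), so the comment should say where that happens, e.g. `/* Full packet has been trimmed by the overlap policy above; the overlap event was set where ltrim was computed, so only skip the insert here. */`. The guard `data_len - ltrim <= 0` is only meaningful if the subtraction happens in a signed type; if both operands are unsigned and at least int-wide, the expression can never be negative and a fragment whose trim exceeds its length would fall through to the insert, so the declared types (outside the hunk) are worth confirming. A debug-level log at this drop point (`SCLogDebug`) would make silently discarded fragments visible when reassembly policies are being tested. DefragInsertFrag starts and ends outside this hunk.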