diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 58f7d02d28..13f2ac3344 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -24,6 +24,8 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Authentication He
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicate ESP extension header"; decode-event:ipv6.exthdr_dupl_eh; sid:2200020; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 invalid option lenght in header"; decode-event:ipv6.exthdr_invalid_optlen; sid:2200021; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 wrong IP version"; decode-event:ipv6.wrong_ip_version; sid:2200022; rev:1;)
+# RFC 4302 states the reserved field should be 0.
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 AH reserved field not 0"; decode-event:ipv6.exthdr_ah_res_not_null; sid:2200081; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
@@ -84,5 +86,5 @@ alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:
 alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
 alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
-# next sid is 2200081
+# next sid is 2200082
diff --git a/src/decode-events.h b/src/decode-events.h
index b6cd6049a3..b2d7d516cd 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -70,6 +70,7 @@ enum {
 IPV6_EXTHDR_INVALID_OPTLEN, /**< the opt len in an hop or dst hdr is invalid. */
 IPV6_WRONG_IP_VER, /**< wrong version in ipv6 */
+ IPV6_EXTHDR_AH_RES_NOT_NULL, /**< AH hdr reserved fields not null (rfc 4302) */
 /* TCP EVENTS */
 TCP_PKT_TOO_SMALL, /**< tcp packet smaller than minimum size */
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index 9e49d57097..15701e1ad2 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -362,8 +362,10 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 IPV6_SET_L4PROTO(p,nh);
 /* we need the header as a minimum */
 hdrextlen = sizeof(IPV6AuthHdr);
- /* the payload len field is the number of extra 4 byte fields */
- hdrextlen += (*(pkt+1)) * 4;
+ /* the payload len field is the number of extra 4 byte fields,
+ * IPV6AuthHdr already contains the first */
+ if (*(pkt+1) > 0)
+ hdrextlen += ((*(pkt+1) - 1) * 4);
 SCLogDebug("hdrextlen %"PRIu8, hdrextlen);
@@ -372,7 +374,12 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 SCReturn;
 }
- if(p->IPV6_EH_CNTip6ah_reserved != 0x0000) {
+ ENGINE_SET_EVENT(p, IPV6_EXTHDR_AH_RES_NOT_NULL);
+ }
+
+ if(p->IPV6_EH_CNT < IPV6_MAX_OPT) {
 p->IPV6_EXTHDRS[p->IPV6_EH_CNT].type = nh;
 p->IPV6_EXTHDRS[p->IPV6_EH_CNT].next = *pkt;
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index 7cfc71e400..0cb96a7262 100644
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -64,6 +64,7 @@ struct DetectEngineEvents_ {
 { "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, },
 { "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, },
 { "ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, },
+ { "ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, },
 { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
 { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
 { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },
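Review bot: The comment on the new IPV6_EXTHDR_AH_RES_NOT_NULL enumerator says "reserved fields not null" in the plural, while the AH header defined by RFC 4302 has a single 16-bit Reserved field that must be zero, and the matching rule in decoder-events.rules calls it "AH reserved field not 0". A comment such as `/**< AH hdr reserved field is not zero (RFC 4302) */` would keep the enum, the rule text and the decoder consistent. The enclosing enum starts and ends outside this hunk.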
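Review bot: The new length computation `hdrextlen += ((*(pkt+1) - 1) * 4);` can produce values above 255 for large Payload Len values, and if `hdrextlen` is a `uint8_t` as the `PRIu8` format on the `SCLogDebug` line suggests, the sum wraps before the length check that ends in the `SCReturn` at the top of the next hunk, so a corrupt or crafted AH header would be measured with a truncated length and could pass a check it should fail. Computing into a wider local and rejecting the header when it does not fit, e.g. `uint16_t ahlen = sizeof(IPV6AuthHdr) + (*(pkt+1) > 0 ? (*(pkt+1) - 1) * 4 : 0);` before assigning to `hdrextlen`, or widening the declaration of `hdrextlen`, avoids the wrap. DecodeIPV6ExtHdrs starts outside this hunk, so the declaration of `hdrextlen` is not visible here and the type should be confirmed.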
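Review bot: The reserved-field check raises IPV6_EXTHDR_AH_RES_NOT_NULL and keeps decoding rather than aborting, which matches RFC 4302's statement that the Reserved field is otherwise ignored by the recipient, but nothing in the code says this is deliberate; a comment above the comparison such as `/* RFC 4302: reserved MUST be zero; flag it but keep decoding, receivers ignore the value */` would record the intent. The comparison against `0x0000` needs no byte-order conversion because zero is identical in either order, which is worth a word in the same comment. This hunk is garbled in this rendering (the removed `if(p->IPV6_EH_CNT` line is fused with the new `ip6ah_reserved` condition), so the declaration of the struct pointer the check reads through cannot be reviewed here; presumably the length check ending in the `SCReturn` above guarantees at least sizeof(IPV6AuthHdr) bytes are readable at `pkt`, which should be confirmed.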