Use separate frag decoder events for IPv4 and IPv6.

rules/decoder-events.rules

@@ -69,7 +69,9 @@ alert pkthdr any any -> any any (msg:"SURICATA GRE v1 header too big"; decode-ev
 alert pkthdr any any -> any any (msg:"SURICATA VLAN header too small "; decode-event:vlan.header_too_small; sid:22000065; rev:1;) 
 alert pkthdr any any -> any any (msg:"SURICATA VLAN unknown type"; decode-event:vlan.unknown_type; sid:22000066; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IP raw invalid IP version "; decode-event:ipraw.invalid_ip_version; sid:22000067; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA FRAG Packet size too large"; decode-event:frag.too_large; sid:22000067; rev:1;)
-alert pkthdr any any -> any any (msg:"SURICATA FRAG Fragmentation overlap"; decode-event:frag.overlap; sid:22000068; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag.too_large; sid:22000067; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap"; decode-event:ipv4.frag.overlap; sid:22000068; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag.too_large; sid:22000069; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag.overlap; sid:22000070; rev:1;)
 
 

src/decode-events.h

@@ -181,8 +181,10 @@ enum {
     SCTP_PKT_TOO_SMALL,              /**< sctp packet smaller than minimum size */
 
     /* Fragmentation reasembly events. */
-    FRAG_PKT_TOO_LARGE,
-    FRAG_OVERLAP,
+    IPV4_FRAG_PKT_TOO_LARGE,
+    IPV4_FRAG_OVERLAP,
+    IPV6_FRAG_PKT_TOO_LARGE,
+    IPV6_FRAG_OVERLAP,
 
     /* should always be last! */
     DECODE_EVENT_MAX,

src/defrag.c

@@ -780,7 +780,7 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc,
         /* Ignore fragment if the end of packet extends past the
          * maximum size of a packet. */
         if (IPV4_HEADER_LEN + frag_offset + data_len > IPV4_MAXPACKET_LEN) {
-            DECODER_SET_EVENT(p, FRAG_PKT_TOO_LARGE);
+            DECODER_SET_EVENT(p, IPV4_FRAG_PKT_TOO_LARGE);
             return NULL;;
         }
     }
@@ -798,7 +798,7 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc,
         /* Ignore fragment if the end of packet extends past the
          * maximum size of a packet. */
         if (frag_offset + data_len > IPV6_MAXPACKET) {
-            DECODER_SET_EVENT(p, FRAG_PKT_TOO_LARGE);
+            DECODER_SET_EVENT(p, IPV6_FRAG_PKT_TOO_LARGE);
             return NULL;
         }
     }
@@ -983,7 +983,12 @@ insert:
 
 done:
     if (overlap) {
-        DECODER_SET_EVENT(p, FRAG_OVERLAP);
+        if (tracker->af == AF_INET) {
+            DECODER_SET_EVENT(p, IPV4_FRAG_OVERLAP);
+        }
+        else {
+            DECODER_SET_EVENT(p, IPV6_FRAG_OVERLAP);
+        }
     }
     SCMutexUnlock(&tracker->lock);
     return r;
@@ -1781,7 +1786,7 @@ DefragDoSturgesNovakTest(int policy, u_char *expected, size_t expected_len)
             SCFree(tp);
             goto end;
         }
-        if (DECODER_ISSET_EVENT(packets[i], FRAG_OVERLAP)) {
+        if (DECODER_ISSET_EVENT(packets[i], IPV4_FRAG_OVERLAP)) {
             goto end;
         }
     }
@@ -1792,7 +1797,7 @@ DefragDoSturgesNovakTest(int policy, u_char *expected, size_t expected_len)
             SCFree(tp);
             goto end;
         }
-        if (DECODER_ISSET_EVENT(packets[i], FRAG_OVERLAP)) {
+        if (DECODER_ISSET_EVENT(packets[i], IPV4_FRAG_OVERLAP)) {
             overlap++;
         }
     }
@@ -1920,7 +1925,7 @@ IPV6DefragDoSturgesNovakTest(int policy, u_char *expected, size_t expected_len)
             SCFree(tp);
             goto end;
         }
-        if (DECODER_ISSET_EVENT(packets[i], FRAG_OVERLAP)) {
+        if (DECODER_ISSET_EVENT(packets[i], IPV6_FRAG_OVERLAP)) {
             goto end;
         }
     }
@@ -1931,7 +1936,7 @@ IPV6DefragDoSturgesNovakTest(int policy, u_char *expected, size_t expected_len)
             SCFree(tp);
             goto end;
         }
-        if (DECODER_ISSET_EVENT(packets[i], FRAG_OVERLAP)) {
+        if (DECODER_ISSET_EVENT(packets[i], IPV6_FRAG_OVERLAP)) {
             overlap++;
         }
     }
@@ -2524,7 +2529,7 @@ DefragIPv4TooLargeTest(void)
     /* We do not expect a packet returned. */
     if (Defrag(NULL, NULL, dc, p) != NULL)
         goto end;
-    if (!DECODER_ISSET_EVENT(p, FRAG_PKT_TOO_LARGE))
+    if (!DECODER_ISSET_EVENT(p, IPV4_FRAG_PKT_TOO_LARGE))
         goto end;
 
     /* The fragment should have been ignored so no fragments should have

src/detect-decode-event.h

@@ -110,8 +110,10 @@ struct DetectDecodeEvents_ {
     { "ipraw.invalid_ip_version",IPRAW_INVALID_IPV, },
     { "vlan.header_too_small",VLAN_HEADER_TOO_SMALL, },
     { "vlan.unknown_type",VLAN_UNKNOWN_TYPE, },
-    { "frag.too_large", FRAG_PKT_TOO_LARGE, },
-    { "frag.overlap", FRAG_OVERLAP, },
+    { "ipv4.frag.too_large", IPV4_FRAG_PKT_TOO_LARGE, },
+    { "ipv4.frag.overlap", IPV4_FRAG_OVERLAP, },
+    { "ipv6.frag.too_large", IPV6_FRAG_PKT_TOO_LARGE, },
+    { "ipv6.frag.overlap", IPV6_FRAG_OVERLAP, },
     { NULL, 0 },
 };
 #endif /* DETECT_EVENTS */