From 70bda6506db84ff33e51520f09b956c3cd648cc1 Mon Sep 17 00:00:00 2001
From: Pablo Rincon
Date: Fri, 23 Jul 2010 18:43:00 +0200
Subject: [PATCH] Fix for bug 180 (check proto specified at the IP hdr)
---
 src/decode.h | 4 ++++
 src/detect-engine-iponly.c | 3 ++-
 src/detect.c | 6 +++---
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/decode.h b/src/decode.h
index a71ccab329..bde75a7088 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -191,6 +191,10 @@ typedef uint16_t Port;
 #define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
+/* Retrieve proto regardless of IP version */
+#define IP_GET_IPPROTO(p) \
+ (PKT_IS_IPV4(p)? IPV4_GET_IPPROTO(p) : (PKT_IS_IPV6(p)? IPV6_GET_NH(p) : 0))
+
 /* structure to store the sids/gids/etc the detection engine
 * found in this packet */
 typedef struct PacketAlert_ {
diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index faf63d4f29..3b4e40d4f3 100644
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@@ -976,7 +976,8 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx,
 Signature *s = de_ctx->sig_array[u * 8 + i];
 /* Need to check the protocol first */
- if (!(s->proto.proto[(p->proto/8)] & (1 << (p->proto % 8))))
+ if (!(s->proto.proto[(IP_GET_IPPROTO(p)/8)] & (1 << (IP_GET_IPPROTO(p) % 8))))
+
 continue;
 SCLogDebug("Signum %"PRIu16" match (sid: %"PRIu16", msg: %s)",
diff --git a/src/detect.c b/src/detect.c
index 37155c85bc..1854579be4 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -567,7 +567,7 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre
 SCLogDebug("f %d", f);
 /* find the right mpm instance */
- DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[p->proto], &p->src);
+ DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src);
 if (ag != NULL) {
 /* source group found, lets try a dst group */
 ag = DetectAddressLookupInHead(ag->dst_gh, &p->dst);
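Review bot: In the new `IP_GET_IPPROTO` macro in src/decode.h, the IPv6 branch returns `IPV6_GET_NH(p)`; if that is the Next Header field of the fixed IPv6 header, a packet carrying extension headers yields the extension header number rather than the transport protocol. Every caller changed in this commit (the bitmask test in IPOnlyMatchPacket, the `src_gh[...]` lookup in SigMatchSignaturesGetSgh, and both checks in SigMatchSignatures) would then test signatures against the wrong protocol, so such traffic can miss rules it should hit. The IPv6 branch should return the upper-layer protocol the decoder recorded after walking the extension chain, and the comment should state the contract, e.g. `/* L4 protocol taken from the IP header chain; 0 when the packet is not IP */`. The argument should also be parenthesised the way `IPH_IS_VALID` does just above: `PKT_IS_IPV4((p))`.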
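Review bot: The new condition in IPOnlyMatchPacket expands `IP_GET_IPPROTO(p)` twice, and the added blank `+` line separates the unbraced `continue;` from its `if`, which is easy to misread or to break in a later edit. Read the protocol once and brace the body: `uint8_t ipproto = IP_GET_IPPROTO(p);` followed by `if (!(s->proto.proto[ipproto / 8] & (1 << (ipproto % 8)))) { continue; }` (the `uint8_t` assumes both header fields are 8 bits wide). src/detect.c does the same membership test through `DetectProtoContainsProto(&s->proto, ...)`; calling that helper here would keep the two paths consistent, provided it implements the same bitmask. The loop and the function body start and end outside this hunk.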
@@ -723,7 +723,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 /* Get the stored sgh from the flow (if any). Make sure we're not using
 * the sgh for icmp error packets part of the same stream. */
- if (p->proto == p->flow->proto) { /* filter out icmp */
+ if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */
 if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
 sgh = p->flow->sgh_toserver;
 use_flow_sgh = TRUE;
@@ -864,7 +864,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 s = det_ctx->match_array[idx];
 SCLogDebug("inspecting signature id %"PRIu32"", s->id);
- if (DetectProtoContainsProto(&s->proto, p->proto) == 0) {
+ if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
 SCLogDebug("proto didn't match");
 goto next;
 }
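Review bot: In the `-723` hunk of SigMatchSignatures the left side of the comparison now comes from the IP header, while `p->flow->proto` is not touched by this commit. If the flow code still fills that field from `p->proto`, any packet where the two sources disagree will fail this test and never reuse the stored sgh, so it is worth confirming both values are derived the same way. The trailing comment could then state the intent more precisely, for example `/* same proto as the flow, i.e. not an ICMP error attached to it */`. The function body continues outside the hunk.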