aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

In case of fragments, don't consider ports. Bug #847.

Browse Source
pull/437/merge
Victor Julien 12 years ago
parent e7f09f24c8
commit f4dcba6de3
5 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File

5
src/decode-ipv4.c
Unescape Escape View File

@ -525,6 +525,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
p->ip4h = NULL;
return;
}
p->proto = IPV4_GET_IPPROTO(p);
/* If a fragment, pass off for re-assembly. */
if (unlikely(IPV4_GET_IPOFFSET(p) > 0 || IPV4_GET_MF(p) == 1)) {
@ -534,6 +535,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
DecodeIPV4(tv, dtv, rp, (void *)rp->ip4h, IPV4_GET_IPLEN(rp), pq);
PacketEnqueue(pq, rp);
}
p->flags |= PKT_IS_FRAGMENT;
return;
}
@ -599,9 +601,6 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
IPV4_GET_IPLEN(p) - IPV4_GET_HLEN(p), pq);
}
break;
default:
p->proto = IPV4_GET_IPPROTO(p);
break;
}
return;

4
src/decode-ipv6.c
Unescape Escape View File

@ -402,6 +402,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
}
/* the rest is parsed upon reassembly */
p->flags |= PKT_IS_FRAGMENT;
SCReturn;
case IPPROTO_ESP:
@ -583,9 +584,10 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
break;
default:
p->proto = IPV6_GET_NH(p);
IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));
break;
}
p->proto = IPV6_GET_L4PROTO (p);
/* Pass to defragger if a fragment. */
if (IPV6_EXTHDR_ISSET_FH(p)) {

2
src/decode.h
Unescape Escape View File

@ -903,6 +903,8 @@ void AddressDebugPrint(Address *);
#define PKT_HOST_SRC_LOOKED_UP (1<<17)
#define PKT_HOST_DST_LOOKED_UP (1<<18)
#define PKT_IS_FRAGMENT (1<<19) /**< Packet is a fragment */
/** \brief return 1 if the packet is a pseudo packet */
#define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END)

6
src/detect-engine-iponly.c
Unescape Escape View File

@ -1038,6 +1038,9 @@ void IPOnlyMatchPacket(ThreadVars *tv,
/* check the source & dst port in the sig */
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
if (!(s->flags & SIG_FLAG_DP_ANY)) {
if (p->flags & PKT_IS_FRAGMENT)
continue;
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
if (dport == NULL) {
SCLogDebug("dport didn't match.");
@ -1045,6 +1048,9 @@ void IPOnlyMatchPacket(ThreadVars *tv,
}
}
if (!(s->flags & SIG_FLAG_SP_ANY)) {
if (p->flags & PKT_IS_FRAGMENT)
continue;
DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
if (sport == NULL) {
SCLogDebug("sport didn't match.");

4
src/detect.c
Unescape Escape View File

@ -1501,6 +1501,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
/* check the source & dst port in the sig */
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
if (!(s->flags & SIG_FLAG_DP_ANY)) {
if (p->flags & PKT_IS_FRAGMENT)
goto next;
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
if (dport == NULL) {
SCLogDebug("dport didn't match.");
@ -1508,6 +1510,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
}
}
if (!(s->flags & SIG_FLAG_SP_ANY)) {
if (p->flags & PKT_IS_FRAGMENT)
goto next;
DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
if (sport == NULL) {
SCLogDebug("sport didn't match.");

Write Preview
Loading…
Cancel
Save