Snort mailing list archives

[Fwd: Re: [Snort-devel] IP Option Router Alert Wrong Value]


From: Todd Wease <twease () sourcefire com>
Date: Mon, 09 Jul 2007 12:59:34 -0400


--- Begin Message ---
From: Todd Wease <twease () sourcefire com>
Date: Mon, 09 Jul 2007 12:29:15 -0400
Jeffrey Denton wrote:
In snort-2.7.0.RC2/src/decode.h:

#ifndef IPOPT_RTRALT
    #define IPOPT_RTRALT         0x14

This is equivalent to decimal value 20.  However, at
http://www.iana.org/assignments/ip-parameters, RTRALT is listed as
having a decimal value of 148.  The confusion starts with RFC 2113:

http://www.ietf.org/rfc/rfc2113.txt:

    The Router Alert option has the following format:

                 +--------+--------+--------+--------+
                 |10010100|00000100|  2 octet value  |
                 +--------+--------+--------+--------+

       Type:
         Copied flag:  1 (all fragments must carry the option)
         Option class: 0 (control)
         Option number: 20 (decimal)

It would appear that the value for the Router Alert option is 20.
However, in RFC 791:

http://www.ietf.org/rfc/rfc0791.txt

     The option-type octet is viewed as having 3 fields:

          1 bit   copied flag,
          2 bits  option class,
          5 bits  option number.

All 8 bits are used to determine the IP option type value.  Examples
from RFC 791:

   Loose Source and Record Route

        +--------+--------+--------+---------//--------+
        |10000011| length | pointer|     route data    |
        +--------+--------+--------+---------//--------+
         Type=131

      Strict Source and Record Route

        +--------+--------+--------+---------//--------+
        |10001001| length | pointer|     route data    |
        +--------+--------+--------+---------//--------+
         Type=137

The IP option type value for Router Alert (RTRALT) should be 148
decimal.  The fix is to change decode.h to:

#ifndef IPOPT_RTRALT
    #define IPOPT_RTRALT         0x94

This bug also affects snort-2.6.1.5.


Thanks for pointing this out, Jeffrey.  A bug has been created.  Not sure
yet what release this fix will be in, but attached is a patch to change
that option to the correct value.

Thanks
Todd

Index: src/decode.h
===================================================================
RCS file: /usr/cvsroot-snort/snort/src/decode.h,v
retrieving revision 1.94.2.10
diff -p -u -r1.94.2.10 decode.h
--- src/decode.h        26 Apr 2007 20:45:20 -0000      1.94.2.10
+++ src/decode.h        9 Jul 2007 16:30:45 -0000
@@ -457,7 +457,7 @@ struct enc_header {
 #endif
 
 #ifndef IPOPT_RTRALT
-    #define IPOPT_RTRALT         0x14
+    #define IPOPT_RTRALT         0x94
 #endif
 
 #ifndef IPOPT_TS
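
Review bot: The new `0x94` on the `+` line carries no comment saying it is the full option-type octet (copied flag 1, class 0, number 20, i.e. 148 decimal), which is exactly the distinction the old `0x14` got wrong; a one-line comment citing RFC 2113 next to the define would keep a later reader from changing it back. The define also sits inside `#ifndef IPOPT_RTRALT`, so on any build where an included header has already defined that macro this change has no effect; it is worth confirming that no such header supplies a different value.
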
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

--- End Message ---
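
The RFC 791 field split quoted in the message above, applied to an IPv4 options area, as an added example that is not part of the original messages or of Snort's source. The function names, the macro names, and the sample byte arrays are constructed for illustration; only the values 0x14 and 0x94 come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_EOL       0x00  /* end of option list (RFC 791) */
#define OPT_NOP       0x01  /* no operation (RFC 791) */
#define RTRALT_NUMBER 0x14  /* option number 20 alone: the value being replaced */
#define RTRALT_TYPE   0x94  /* full type octet 148: copied=1, class=0, number=20 */

/* Constructed sample: Record Route (type 7, len 7), NOP, Router Alert. */
static const uint8_t SAMPLE_OPTS[] = {
    0x07, 0x07, 0x04, 0x00, 0x00, 0x00, 0x00, 0x01, 0x94, 0x04, 0x00, 0x00 };
/* Constructed malformed sample: Router Alert claiming 9 octets in a 4-octet area. */
static const uint8_t BAD_OPTS[] = { 0x94, 0x09, 0x00, 0x00 };

struct opt_type { unsigned copied, cls, number; };

/* Split an option-type octet into the three RFC 791 fields. */
struct opt_type decode_opt_type(uint8_t t) {
    struct opt_type f = { (t >> 7) & 0x01u, (t >> 5) & 0x03u, t & 0x1fu };
    return f;
}

/* Return the offset of the first well-formed option whose full type octet
 * equals `type`, or -1 if it is absent or the options area is malformed. */
int find_ip_option(const uint8_t *opts, size_t len, uint8_t type) {
    size_t i = 0;
    while (i < len) {
        uint8_t t = opts[i], olen;
        if (t == OPT_EOL) break;                    /* end of list */
        if (t == OPT_NOP) { i++; continue; }        /* single-octet option */
        if (len - i < 2) return -1;                 /* no room for length octet */
        olen = opts[i + 1];
        if (olen < 2 || olen > len - i) return -1;  /* length out of bounds */
        if (t == type) return (int)i;
        i += olen;
    }
    return -1;
}

int main(void) {
    struct opt_type f = decode_opt_type(RTRALT_TYPE);
    printf("0x94: copied=%u class=%u number=%u\n", f.copied, f.cls, f.number);
    printf("0x94 at %d\n", find_ip_option(SAMPLE_OPTS, sizeof SAMPLE_OPTS, RTRALT_TYPE));
    printf("0x14 at %d\n", find_ip_option(SAMPLE_OPTS, sizeof SAMPLE_OPTS, RTRALT_NUMBER));
    printf("bad  at %d\n", find_ip_option(BAD_OPTS, sizeof BAD_OPTS, RTRALT_TYPE));
    return 0;
}
```

Matching on 0x14 never finds the Router Alert option in the sample, because the copied flag is part of the octet that appears on the wire.
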
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net