Snort mailing list archives
Re: Add Link-Local Address Network Assignment Block (IPv4) to sf_ip.h in Snort 3/Snort++
From: Russ <rucombs () cisco com>
Date: Wed, 10 Jun 2015 20:17:47 -0400
Hey Bill,Thanks for reporting the issue. Snort++ syncs up with the current Snort code base periodically and we will pull in any such changes at those times.
Russ On 6/10/15 7:41 PM, Bill Parker wrote:
Hello All, In reviewing source code for Snort 3/Snort++, I found in directory 'src/sfip', file 'sf_ip.h', that the private Microsoft Networkblock 169.254.0.0/16 <http://169.254.0.0/16> (which is assigned if MS DHCP fails for somereason) is not included in the private IPv4 network listing. In RFC 3927, the Internet Engineering Task Force has reserved the address block 169.254.1.0 through 169.254.254.255] for link-local addressing in Internet Protocol Version 4. Link-local addresses are assigned to interfaces by host-internal, i.e. stateless, address autoconfiguration when other means of address assignment are not available. The patch file below addresses this issue: --- sf_ip.h.orig 2015-06-09 16:32:18.361202622 -0700 +++ sf_ip.h 2015-06-09 16:38:38.405504298 -0700 @@ -527,10 +527,12 @@ /* * 10.0.0.0 - 10.255.255.255 (10/8 prefix) * 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)+ * 169.254.0.0 - 169.254.0.0 (169.254/16 prefix) - Microsoft Private IP Assignment* 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) * */ return( (ip->ip8[0] == 10) ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16)) + ||((ip->ip8[0] == 169) && (ip->ip8[1] == 254)) ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) ); } @@ -548,6 +550,7 @@ ::1 is the IPv6 loopback */ return ( (ip->ip8[12] == 10) ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16)) + ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254)) ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) || (ntohl(p[3]) == 0x1) ); } @@ -557,6 +560,7 @@ /* ::ffff: IPv4 loopback mapped over IPv6 */ return ( (ip->ip8[12] == 10) ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16)) + ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254)) ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) ); } return 0; This check was submitted for inclusion in Snort 2.x some time ago, but it was left out of Snort 3. I am attaching the patch file to this bug report... Bill Parker (wp02855 at gmail dot com) ------------------------------------------------------------------------------ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Add Link-Local Address Network Assignment Block (IPv4) to sf_ip.h in Snort 3/Snort++ Bill Parker (Jun 10)
- Re: Add Link-Local Address Network Assignment Block (IPv4) to sf_ip.h in Snort 3/Snort++ Russ (Jun 10)