Snort mailing list archives

Patch File for Snort 2.9.4.x and 2.9.5 which adds 169.254/16 addr space


From: Bill Parker <wp02855 () gmail com>
Date: Thu, 11 Jul 2013 10:57:02 -0700

Hi All,

In Snort 2.9.4.x and 2.9.5, directory 'src/sfutil', file 'sf_ip.h',
I found that no check is made for the private address block of
169.254/16, which is assigned by Microsoft-based networks when a
NIC which normally gets an IP address from a DHCP server fails
to receive one.

--- sf_ip.h.orig        2013-07-11 08:42:09.691827157 -0700
+++ sf_ip.h     2013-07-11 09:10:30.036816734 -0700
@@ -439,7 +439,11 @@
 /********************************************************************
  * Function: sfip_is_private()
  *
- * Checks if the address is local
+ * Checks if the address is local (i.e. - is it a Private IANA address)
+ *
+ * Currently defined IANA private address space blocks are:
+ *
+ * 10.x.x.x/8, 172.16.x.x/12, 169.254.x.x/16, 192.168.x.x/16
  *
  * Arguments:
  *  sfip_t * - IP address to check
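Review bot: The new header comment, at 'Currently defined IANA private address space blocks are', lists 169.254.x.x/16 as private address space, but 169.254/16 is the IPv4 link-local block (RFC 3927), not one of the RFC 1918 private blocks. Suggest describing the check as "private (RFC 1918) or IPv4 link-local (RFC 3927)" so readers of sfip_is_private() know it now covers both. The prefixes would also read better in the same form and order as the comment inside the function (10/8, 169.254/16, 172.16/12, 192.168/16) rather than the mixed '10.x.x.x/8' notation.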
@@ -458,10 +462,12 @@
     if(sfip_family(ip) == AF_INET) {
         /*
          * 10.0.0.0        -   10.255.255.255  (10/8 prefix)
+        * 169.254.0.0     -   169.254.255.255 (169.254/16 prefix)
          * 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
          * 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
          * */
         return( (ip->ip8[0] == 10)
+             ||((ip->ip8[0] == 169) && (ip->ip8[1] == 254))
               ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16))
               ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) );

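Review bot: The added term '(ip->ip8[0] == 169) && (ip->ip8[1] == 254)' widens what sfip_is_private() returns for AF_INET, so every existing caller will now treat link-local addresses as private without any change on the caller's side. The comparison itself matches 169.254/16 correctly. Please state in the submission that the callers were checked and want the wider meaning, or consider a separate link-local predicate that callers opt into.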
@@ -478,6 +484,7 @@
         /* ::ipv4 compatible ipv6 */
         /* ::1 is the IPv6 loopback */
         return ( (ip->ip8[12] == 10)
+               ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
                 ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
                 ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168))
                 || (ntohl(p[3]) == 0x1) );
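Review bot: In the IPv4-compatible branch the added term covers only the embedded IPv4 link-local block at ip8[12] and ip8[13]; within the lines shown, the only native IPv6 address recognised is ::1 via 'ntohl(p[3]) == 0x1'. If link-local is now meant to count as private, say in the function comment whether IPv6 link-local (fe80::/10) is intentionally left out, or handle it in the same change so both address families behave alike.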
@@ -486,6 +493,7 @@
     if ( ntohl(p[2]) == 0xffff ) {
         /* ::ffff: IPv4 loopback mapped over IPv6 */
         return ( (ip->ip8[12] == 10)
+               ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
                 ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
                 ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) );
     }
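Review bot: This is the third copy of the same prefix test in one function (the AF_INET branch uses ip8[0] and ip8[1], both IPv6 branches use ip8[12] and ip8[13]), and duplicated tests like this are easy to update in one place and miss in another. Suggest a single static inline helper that takes the two leading octets and is called from all three branches. While touching this branch, note that the context comment '::ffff: IPv4 loopback mapped over IPv6' mentions loopback although the expression tests the private ranges; it should describe an IPv4-mapped IPv6 address.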

I'm attaching the patch file to this email.

Using 'make' results in a clean compile of the above header file.

The above code was previously patched in directory
'dynamic-plugins/sf_engine', file 'sf_ip.h', and in directory
'dynamic-preprocessors/include', file 'sf_ip.h', reported back in 2012,
but through oversight didn't get patched in directory 'src/sfutil' (gack).

Bill Parker (wp02855 at gmail dot com)

Attachment: sfutil-sf_ip.h.patch
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel