Snort mailing list archives
Patch File for Snort 2.9.4.x and 2.9.5 which adds 169.254/16 addr space
From: Bill Parker <wp02855 () gmail com>
Date: Thu, 11 Jul 2013 10:57:02 -0700
Hi All,

In Snort 2.9.4.x and 2.9.5, directory 'src/sfutil', file 'sf_ip.h', I found that no check is made for the private address block of 169.254/16 which is assigned by Microsoft based networks when a NIC which normally gets an IP address from a DHCP server fails to receive one.

--- sf_ip.h.orig 2013-07-11 08:42:09.691827157 -0700 +++ sf_ip.h 2013-07-11 09:10:30.036816734 -0700 @@ -439,7 +439,11 @@ /******************************************************************** * Function: sfip_is_private() * - * Checks if the address is local + * Checks if the address is local (i.e. - is it a Private IANA address) + * + * Currently defined IANA private address space blocks are: + * + * 10.x.x.x/8, 172.16.x.x/12, 169.254.x.x/16, 192.168.x.x/16 * * Arguments: * sfip_t * - IP address to check @@ -458,10 +462,12 @@ if(sfip_family(ip) == AF_INET) { /* * 10.0.0.0 - 10.255.255.255 (10/8 prefix) + * 169.254.0.0 - 169.254.255.255 (169.254/16 prefix) * 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) * 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) * */ return( (ip->ip8[0] == 10) + ||((ip->ip8[0] == 169) && (ip->ip8[1] == 254)) ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16)) ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) ); @@ -478,6 +484,7 @@ /* ::ipv4 compatible ipv6 */ /* ::1 is the IPv6 loopback */ return ( (ip->ip8[12] == 10) + ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254)) ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16)) ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) || (ntohl(p[3]) == 0x1) ); 
@@ -486,6 +493,7 @@ if ( ntohl(p[2]) == 0xffff ) { /* ::ffff: IPv4 loopback mapped over IPv6 */ return ( (ip->ip8[12] == 10) + ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254)) ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16)) ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) ); }

I'm attaching the patch file to this email. Using 'make' results in a clean compile of the above header file.

The above code was previously patched in directory 'dynamic-plugins/sf_engine', file 'sf_ip.h', and in directory 'dynamic-preprocessors/include', file 'sf_ip.h', reported back in 2012, but through oversight didn't get patched in directory 'src/sfutil' (gack).

Bill Parker (wp02855 at gmail dot com)
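Review bot: The header comment added in the first hunk (@@ -439,7 +439,11 @@) lists 169.254.x.x/16 among the "IANA private address space blocks", but 169.254/16 is the IPv4 link-local range (RFC 3927), not one of the RFC 1918 private blocks (10/8, 172.16/12, 192.168/16). Because sfip_is_private() will now also return true for link-local addresses, suggest wording the description as "private (RFC 1918) or IPv4 link-local (RFC 3927)" and writing the prefixes as 10/8, 172.16/12, 192.168/16, 169.254/16 so the notation matches the range comment in the second hunk.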
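Review bot: The line added in the third hunk (@@ -478,6 +484,7 @@) is a second copy of the 169.254 test from the second hunk with the octet indices moved from ip8[0]/ip8[1] to ip8[12]/ip8[13], and the fourth hunk adds a third copy. Suggest a small static inline helper or macro that takes the two leading octets and is called from all three return statements, so the IPv4, IPv4-compatible and IPv4-mapped branches cannot drift apart the next time a range is added.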
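Review bot: In the fourth hunk (@@ -486,6 +493,7 @@) the context comment reads "::ffff: IPv4 loopback mapped over IPv6", but the return expression under it tests only the private ranges and, with this change, 169.254/16; nothing in it tests a loopback address. Suggest correcting that comment to describe IPv4-mapped IPv6 addresses while this block is being touched, so the comment and the expression agree.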
Attachment:
sfutil-sf_ip.h.patch
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!