[Snort-devel] IP Option Router Alert Wrong Value

Jeffrey Denton dentonj at ...2499...
Sat Jul 7 20:36:02 EDT 2007


In snort-2.7.0.RC2/src/decode.h:

#ifndef IPOPT_RTRALT
    #define IPOPT_RTRALT         0x14

This is equivalent to decimal value 20.  However, at
http://www.iana.org/assignments/ip-parameters, RTRALT is listed as
having a decimal value of 148.  The confusion starts with RFC 2113:

http://www.ietf.org/rfc/rfc2113.txt:

    The Router Alert option has the following format:

                 +--------+--------+--------+--------+
                 |10010100|00000100|  2 octet value  |
                 +--------+--------+--------+--------+

       Type:
         Copied flag:  1 (all fragments must carry the option)
         Option class: 0 (control)
         Option number: 20 (decimal)

It would appear that the value for the Router Alert option is 20.
However, in RFC 791:

http://www.ietf.org/rfc/rfc0791.txt

     The option-type octet is viewed as having 3 fields:

          1 bit   copied flag,
          2 bits  option class,
          5 bits  option number.

All 8 bits are used to determine the IP option type value.  Examples
from RFC 791:

   Loose Source and Record Route

        +--------+--------+--------+---------//--------+
        |10000011| length | pointer|     route data    |
        +--------+--------+--------+---------//--------+
         Type=131

      Strict Source and Record Route

        +--------+--------+--------+---------//--------+
        |10001001| length | pointer|     route data    |
        +--------+--------+--------+---------//--------+
         Type=137

The IP option type value for Router Alert (RTRALT) should be 148
decimal.  The fix is to change decode.h to:

#ifndef IPOPT_RTRALT
    #define IPOPT_RTRALT         0x94

This bug also affects snort-2.6.1.5.
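
Added example (not part of the original post and not Snort source code): a small C walker over an IPv4 options area, showing that a comparison against the 5-bit option number 0x14 never matches a Router Alert option on the wire, while the full type octet 0x94 does. The macro names, find_ip_option() and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 791 option-type octet: 1-bit copied flag, 2-bit class, 5-bit number. */
#define OPT_COPIED(t)  (((t) >> 7) & 0x01)
#define OPT_CLASS(t)   (((t) >> 5) & 0x03)
#define OPT_NUMBER(t)  ((t) & 0x1f)

#define RTRALT_NUMBER_ONLY 0x14  /* option number 20 only (value reported in the post) */
#define RTRALT_FULL_TYPE   0x94  /* full type octet 148 (value proposed in the post) */

/* Constructed sample: a 4-octet Router Alert option laid out as in RFC 2113. */
static const uint8_t sample_opts[] = { 0x94, 0x04, 0x00, 0x00 };

/* Walk an IPv4 options area. Returns 1 if an option whose type octet equals
 * `wanted` is present, 0 if it is not, -1 if the area is malformed. */
int find_ip_option(const uint8_t *opts, size_t len, uint8_t wanted)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == 0x00)                 /* End of Option List */
            return 0;
        if (type == 0x01) {               /* No Operation: single octet */
            i++;
            continue;
        }
        if (i + 1 >= len)                 /* length octet is missing */
            return -1;
        uint8_t optlen = opts[i + 1];     /* counts the type and length octets too */
        if (optlen < 2 || optlen > len - i)
            return -1;
        if (type == wanted)
            return 1;
        i += optlen;
    }
    return 0;
}

int main(void)
{
    uint8_t t = sample_opts[0];
    printf("type=0x%02x copied=%d class=%d number=%d\n",
           t, OPT_COPIED(t), OPT_CLASS(t), OPT_NUMBER(t));
    printf("match on 0x14: %d\n",
           find_ip_option(sample_opts, sizeof sample_opts, RTRALT_NUMBER_ONLY));
    printf("match on 0x94: %d\n",
           find_ip_option(sample_opts, sizeof sample_opts, RTRALT_FULL_TYPE));
    return 0;
}
```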



