[Snort-devel] IP Option Router Alert Wrong Value

Jeffrey Denton dentonj at ...2499...
Wed Oct 3 04:21:12 EDT 2007


On 7/9/07, Todd Wease <twease at ...402...> wrote:
> Jeffrey Denton wrote:
> > In snort-2.7.0.RC2/src/decode.h:
> >
> > #ifndef IPOPT_RTRALT
> >     #define IPOPT_RTRALT         0x14
> >
> > This is equivalent to decimal value 20.  However at
> > http://www.iana.org/assignments/ip-parameters, RTRALT is listed as
> > having a decimal value of 148.  The confusion starts with RFC 2113:
> >
> > http://www.ietf.org/rfc/rfc2113.txt:
> >
> >     The Router Alert option has the following format:
> >
> >                  +--------+--------+--------+--------+
> >                  |10010100|00000100|  2 octet value  |
> >                  +--------+--------+--------+--------+
> >
> >        Type:
> >          Copied flag:  1 (all fragments must carry the option)
> >          Option class: 0 (control)
> >          Option number: 20 (decimal)
> >
> > It would appear that the value for the Router Alert option is 20.
> > However in RFC 791:
> >
> > http://www.ietf.org/rfc/rfc0791.txt
> >
> >      The option-type octet is viewed as having 3 fields:
> >
> >           1 bit   copied flag,
> >           2 bits  option class,
> >           5 bits  option number.
> >
> > All 8 bits are used to determine the IP option type value.  Examples
> > from RFC 791:
> >
> >    Loose Source and Record Route
> >
> >         +--------+--------+--------+---------//--------+
> >         |10000011| length | pointer|     route data    |
> >         +--------+--------+--------+---------//--------+
> >          Type=131
> >
> >       Strict Source and Record Route
> >
> >         +--------+--------+--------+---------//--------+
> >         |10001001| length | pointer|     route data    |
> >         +--------+--------+--------+---------//--------+
> >          Type=137
> >
> > The IP option type value for Router Alert (RTRALT) should be 148
> > decimal.  The fix is to change decode.h to:
> >
> > #ifndef IPOPT_RTRALT
> >     #define IPOPT_RTRALT         0x94
> >
> > This bug also affects snort-2.6.1.5.
> >
>
> Thanks for pointing this out Jeffrey.  A bug has been created.  Not sure
> yet what release this fix will be in, but attached is a patch to change
> that option to the correct value.
>
> Thanks
> Todd

I noticed that decode.h is fixed in 2.8.0.  However, RTRALT was set is
several other files besides decode.h.  I apologize for not pointing
this out in my original email.  RTRALT is set to the wrong value in
the following files:

doc/snort_manual.tex:8538:#define IPOPTION_RTRALT         0x14

src/dynamic-examples/include/sf_snort_packet.h:71:#define
IPOPTION_RTRALT         0x14

src/dynamic-plugins/sf_engine/sf_snort_packet.h:71:#define
IPOPTION_RTRALT         0x14

src/dynamic-preprocessors/include/sf_snort_packet.h:71:#define
IPOPTION_RTRALT         0x14

Thank you




More information about the Snort-devel mailing list