[Snort-devel] [PATCH]: Add Nonce Sum bit to 'flags'

Joshua Kinard kumba at ...2185...
Sat Jan 26 04:59:38 EST 2013


Hi snort-devel,

The attached patch adds support for reading the 'Nonce Sum' (NS) bit of the TCP
flags, as defined in RFC 3540.  The 'C' and 'E' case statements are reordered so
that the flag letters follow bit order, least-significant bit first (FSRPAUECN).
It also fixes the TCPHEADER_NORESERVED macro in
src/dynamic-plugins/sf_engine/sf_snort_packet.h, which was missing the
ECE/CWR bits, and adds TCPHEADER_NS to it as well.  The TeX for the manual
is also updated.

 doc/snort_manual.tex                            |    7 ++--
 src/detection-plugins/sp_tcp_flag_check.c       |   35 +++++++++++++++---------
 src/dynamic-plugins/sf_engine/sf_snort_packet.h |    4 ++
 src/rules.h                                     |    1
 4 files changed, 31 insertions(+), 16 deletions(-)


Cheers!,

-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
-------------- next part --------------
diff --git a/doc/snort_manual.tex b/doc/snort_manual.tex
index 11b3fd0..5a05803 100644
--- a/doc/snort_manual.tex
+++ b/doc/snort_manual.tex
@@ -16378,8 +16378,9 @@ The following bits may be checked:
 \item [P] - PSH - Push
 \item [A] - ACK - Acknowledgment
 \item [U] - URG - Urgent
-\item [C] - CWR - Congestion Window Reduced (MSB in TCP Flags byte)
 \item [E] - ECE - ECN-Echo (If SYN, then ECN capable.  Else, CE flag in IP header is set)
+\item [C] - CWR - Congestion Window Reduced (RFC3168)
+\item [N] - NS  - Nonce Sum (RFC3540)
 \item [0] - No TCP Flags Set
 \end{description}
 
@@ -16400,7 +16401,7 @@ bits.
 \subsubsection{Format}
 
 \begin{verbatim}
-    flags:[!|*|+]<FSRPAUCE0>[,<FSRPAUCE>];
+    flags:[!|*|+]<FSRPAUECN0>[,<FSRPAUECN>];
 \end{verbatim}
 
 \subsubsection{Example}
@@ -16416,7 +16417,7 @@ bit 1) and ECN (reserved bit 2).
 
 The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, 
 to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP".
-The old values of '1' and '2' are still valid for the \texttt{flag} keyword, but
+The old values of '1' and '2' are still valid for the \texttt{flags} keyword, but
 are now deprecated.
 
 \end{note}
diff --git a/src/detection-plugins/sp_tcp_flag_check.c b/src/detection-plugins/sp_tcp_flag_check.c
index 60c824c..d73bdd7 100644
--- a/src/detection-plugins/sp_tcp_flag_check.c
+++ b/src/detection-plugins/sp_tcp_flag_check.c
@@ -221,8 +221,10 @@ void ParseTCPFlags(char *rule, OptTreeNode *otn)
                 idx->tcp_flags |= R_URG;
                 break;
 
-            case '0':
-                idx->tcp_flags = 0;
+            case '2': /* reserved bit flags */
+            case 'e':
+            case 'E':
+                idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
                 break;
 
             case '1': /* reserved bit flags */
@@ -231,10 +233,13 @@ void ParseTCPFlags(char *rule, OptTreeNode *otn)
                 idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
                 break;
 
-            case '2': /* reserved bit flags */
-            case 'e':
-            case 'E':
-                idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
+            case 'n':
+            case 'N':
+                idx->tcp_flags |= R_NS; /* Nonce Sum, RFC 3540 */
+                break;
+
+            case '0':
+                idx->tcp_flags = 0;
                 break;
 
             case '!': /* not, fire if all flags specified are not present,
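Review bot: `idx->tcp_flags |= R_NS` stores a value (0x100) wider than every existing R_ flag (0x01–0x80); if tcp_flags is an 8-bit field, which the existing constants suggest but this hunk does not show, the bit is silently truncated to zero and a rule using `N` parses cleanly yet behaves as if no flag had been requested. Nothing in this patch touches the comparison side either, and RFC 3540 places the Nonce Sum bit in the reserved field adjacent to the flags byte rather than in the flags byte itself, so the check function would have to read it from there for `N` to ever fire. Until both are done I would either widen the field and extend the check, or reject `N` with an explicit FatalError instead of accepting it. ParseTCPFlags starts and ends outside this hunk.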
@@ -254,7 +259,7 @@ void ParseTCPFlags(char *rule, OptTreeNode *otn)
                 break;
             default:
                 FatalError("%s(%d): bad TCP flag = \"%c\"\n"
-                           "Valid otions: UAPRSFCE or 0 for NO flags (e.g. NULL scan),"
+                           "Valid otions: FSRPAUECN or 0 for NO flags (e.g. NULL scan),"
                            " and !, + or * for modifiers\n",
                            file_name, file_line, *fptr);
         }
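Review bot: The rewritten user-facing error string on the `FatalError` line keeps the long-standing typo `otions`; since the line is being changed anyway, make it `"Valid options: FSRPAUECN or 0 for NO flags (e.g. NULL scan),"`. The manual hunk in this same patch says `1` and `2` remain valid as deprecated aliases for `C` and `E`, and the parser above still accepts them, so the message could name them too, but that is optional. ParseTCPFlags continues outside this hunk.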
@@ -301,19 +306,25 @@ void ParseTCPFlags(char *rule, OptTreeNode *otn)
                 idx->tcp_mask |= R_URG;
                 break;
 
+            case '2': /* reserved bit flags */
+            case 'e':
+            case 'E':
+                idx->tcp_mask |= R_ECE; /* ECN echo, RFC 3168 */
+                break;
+
             case '1': /* reserved bit flags */
             case 'c':
             case 'C':
                 idx->tcp_mask |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
                 break;
 
-            case '2': /* reserved bit flags */
-            case 'e':
-            case 'E':
-                idx->tcp_mask |= R_ECE; /* ECN echo, RFC 3168 */
+            case 'n':
+            case 'N':
+                idx->tcp_mask |= R_NS; /* Nonce Sum, RFC 3540 */
                 break;
+
             default:
-                FatalError(" Line %s (%d): bad TCP flag = \"%c\"\n  Valid otions: UAPRSFCE \n",
+                FatalError(" Line %s (%d): bad TCP flag = \"%c\"\n  Valid otions: FSRPAUECN \n",
                            file_name, file_line, *fptr);
         }
 
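Review bot: The mask path has the same width concern as the flags path: `idx->tcp_mask |= R_NS` ORs 0x100 into a field whose every other value fits in a byte, so if tcp_mask is 8 bits (not visible here) the `N` in a rule such as `flags:S,N` is silently dropped and the author gets no error. The second `FatalError` message also keeps the `otions` typo and uses a different prefix style from the first (` Line %s (%d)` versus `%s(%d)`); with the line already touched, spelling it `Valid options: FSRPAUECN` and matching the first message's prefix would align the two. ParseTCPFlags continues outside this hunk.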
diff --git a/src/dynamic-plugins/sf_engine/sf_snort_packet.h b/src/dynamic-plugins/sf_engine/sf_snort_packet.h
index a402858..7a1e5b0 100644
--- a/src/dynamic-plugins/sf_engine/sf_snort_packet.h
+++ b/src/dynamic-plugins/sf_engine/sf_snort_packet.h
@@ -156,8 +156,10 @@ typedef struct _TCPHeader
 #define TCPHEADER_URG  0x20
 #define TCPHEADER_ECE  0x40
 #define TCPHEADER_CWR  0x80
+#define TCPHEADER_NS   0x100
 #define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \
-                            |TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG)
+                            | TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG \
+                              TCPHEADER_ECE|TCPHEADER_CWR|TCPHEADER_NS)
 
 #define MAX_TCP_OPTIONS 40
 /* tcp option codes */
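Review bot: The rewritten TCPHEADER_NORESERVED drops the `|` between `TCPHEADER_URG \` and `TCPHEADER_ECE` on the following line, so the macro expands to `...|TCPHEADER_URG TCPHEADER_ECE|...` and any use of it fails to compile; the last two lines should read `| TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG \` and `| TCPHEADER_ECE|TCPHEADER_CWR|TCPHEADER_NS)`. Separately, TCPHEADER_NS is 0x100 while every other value fits in one byte; RFC 3540 places NS in the reserved field next to the flags byte, so if the header struct keeps flags in an 8-bit member (its definition is outside this hunk) the bit can never be present in it. Folding ECE, CWR and NS into a mask named NORESERVED also changes what `~TCPHEADER_NORESERVED` yields for any caller using it to detect reserved bits, which is worth confirming before merging.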
diff --git a/src/rules.h b/src/rules.h
index 5d419e6..e210134 100644
--- a/src/rules.h
+++ b/src/rules.h
@@ -59,6 +59,7 @@
 #define R_URG          0x20
 #define R_ECE          0x40  /* ECN echo, RFC 3168 */
 #define R_CWR          0x80  /* Congestion Window Reduced, RFC 3168 */
+#define R_NS           0x100 /* NONCE Flag, RFC3540 */
 
 #define MODE_EXIT_ON_MATCH   0
 #define MODE_FULL_SEARCH     1
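Review bot: `R_NS 0x100` is the first R_ value that does not fit in one byte, and the comment `/* NONCE Flag, RFC3540 */` neither says so nor matches the wording of its neighbours. I would write `#define R_NS 0x100 /* Nonce Sum, RFC 3540; bit 8, carried in the reserved field next to th_flags -- storage must be wider than 8 bits */` so the next reader sees that the storage width is a constraint rather than incidental.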
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130126/36edbc02/attachment.sig>

