[Snort-devel] Patch File for Snort 2.9.4.x and 2.9.5 which adds 169.254/16 addr space

Bill Parker wp02855 at ...2499...
Thu Jul 11 13:57:02 EDT 2013


Hi All,

In Snort 2.9.4.x and 2.9.5, directory 'src/sfutil', file 'sf_ip.h',
I found that no check is made for the private address block of
169.254/16 which is assigned by Microsoft-based networks when a
NIC which normally gets an IP address from a DHCP server fails
to receive one.

--- sf_ip.h.orig        2013-07-11 08:42:09.691827157 -0700
+++ sf_ip.h     2013-07-11 09:10:30.036816734 -0700
@@ -439,7 +439,11 @@
 /********************************************************************
  * Function: sfip_is_private()
  *
- * Checks if the address is local
+ * Checks if the address is local (i.e. - is it a Private IANA address)
+ *
+ * Currently defined IANA private address space blocks are:
+ *
+ * 10.x.x.x/8, 172.16.x.x/12, 169.254.x.x/16, 192.168.x.x/16
  *
  * Arguments:
  *  sfip_t * - IP address to check
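
Review bot: The new header comment lists 169.254.x.x/16 under "IANA private address space", but that block is the IPv4 link-local range (RFC 3927), not one of the RFC 1918 private blocks, so the description should say the function matches private and link-local addresses. The list is also ordered 10, 172.16, 169.254, 192.168 here while the comment and expression in the function body use 10, 169.254, 172.16, 192.168; keeping one order makes the two easier to compare. Writing the blocks as 10/8, 172.16/12, 169.254/16, 192.168/16 would match the notation already used in the body comment.
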
@@ -458,10 +462,12 @@
     if(sfip_family(ip) == AF_INET) {
         /*
          * 10.0.0.0        -   10.255.255.255  (10/8 prefix)
+        * 169.254.0.0     -   169.254.255.255 (169.254/16 prefix)
          * 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
          * 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
          * */
         return( (ip->ip8[0] == 10)
+             ||((ip->ip8[0] == 169) && (ip->ip8[1] == 254))
               ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16))
               ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) );

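Review bot: The added "||((ip->ip8[0] == 169) && (ip->ip8[1] == 254))" line in the AF_INET return is indented one column short of the two "||" lines below it, so the operators no longer line up; please align it with its neighbours. The test itself covers exactly 169.254.0.0 to 169.254.255.255 as the comment states. Since sfip_is_private() returns a single truth value, callers will not be able to tell a link-local match from an RFC 1918 match after this change, which is worth stating in the function comment.
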
@@ -478,6 +484,7 @@
         /* ::ipv4 compatible ipv6 */
         /* ::1 is the IPv6 loopback */
         return ( (ip->ip8[12] == 10)
+               ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
                 ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
                 ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168))
                 || (ntohl(p[3]) == 0x1) );
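
Review bot: The same four-term range test is now written out a second time in this return, using ip8[12] and ip8[13] instead of ip8[0] and ip8[1], and a third time in the next hunk. A small static inline helper taking the two leading octets, called from all three returns, would let a future range change be made in one place rather than three. The added line is also one column short of the "||" lines that follow it.
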
@@ -486,6 +493,7 @@
     if ( ntohl(p[2]) == 0xffff ) {
         /* ::ffff: IPv4 loopback mapped over IPv6 */
         return ( (ip->ip8[12] == 10)
+               ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
                 ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
                 ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) );
     }
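
Review bot: The context comment above this return still reads "::ffff: IPv4 loopback mapped over IPv6", yet the expression tests the 10/8, 172.16/12 and 192.168/16 ranges and now 169.254/16, and has no loopback term (the previous branch has "(ntohl(p[3]) == 0x1)", this one has nothing equivalent). Since the patch touches this return, the comment should be corrected to describe IPv4-mapped private and link-local addresses, or a loopback test added if that was the intent.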

I'm attaching the patch file to this email.

Using 'make' results in a clean compile of the above header file.

The above code was previously patched in directory 'dynamic-plugins/
sf_engine', file 'sf_ip.h', and in directory 'dynamic-preprocessors/
include', file 'sf_ip.h', reported back in 2012, but through oversight
didn't get patched in directory 'src/sfutil' (gack).

Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sfutil-sf_ip.h.patch
Type: application/octet-stream
Size: 1821 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130711/257af42a/attachment.obj>