[Snort-devel] Add Link-Local Address Network Assignment Block (IPv4) to sf_ip.h in Snort 3/Snort++

Bill Parker wp02855 at ...2499...
Wed Jun 10 19:41:34 EDT 2015


Hello All,

   In reviewing source code for Snort 3/Snort++, I found in directory
'src/sfip', file 'sf_ip.h', that the private Microsoft Network
block 169.254.0.0/16 (which is assigned if MS DHCP fails for some
reason) is not included in the private IPv4 network listing.

In RFC 3927, the Internet Engineering Task Force has reserved the
address block 169.254.1.0 through 169.254.254.255 for link-local
addressing in Internet Protocol Version 4. Link-local addresses
are assigned to interfaces by host-internal, i.e. stateless,
address autoconfiguration when other means of address assignment
are not available.

The patch file below addresses this issue:

--- sf_ip.h.orig        2015-06-09 16:32:18.361202622 -0700
+++ sf_ip.h     2015-06-09 16:38:38.405504298 -0700
@@ -527,10 +527,12 @@
         /*
          * 10.0.0.0        -   10.255.255.255  (10/8 prefix)
          * 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
+        * 169.254.0.0     -   169.254.0.0     (169.254/16 prefix) -
Microsoft Private IP Assignment
          * 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
          * */
         return( (ip->ip8[0] == 10)
                ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16))
+              ||((ip->ip8[0] == 169) && (ip->ip8[1] == 254))
                ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) );
     }

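Review bot: The added comment line gives the range as 169.254.0.0 - 169.254.0.0, which describes a single address; for a 169.254/16 prefix the upper bound should be 169.254.255.255. The label "Microsoft Private IP Assignment" is also narrower than the RFC 3927 link-local block the message cites, so wording such as "(169.254/16 prefix) - RFC 3927 link-local" would be more accurate. The comment line is wrapped across two lines in this mail, which is likely to make the hunk fail to apply as pasted; the attached file should be used instead.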
@@ -548,6 +550,7 @@
            ::1 is the IPv6 loopback */
         return ( (ip->ip8[12] == 10)
                ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
+              ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
                ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168))
                || (ntohl(p[3]) == 0x1) );
     }
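Review bot: The added line ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254)) is another copy of the same prefix test used in the first hunk, differing only in the octet offset (0/1 there, 12/13 here and in the next hunk). Consider a small helper that takes a pointer to the first IPv4 octet so the four prefixes are listed in one place. The added line also appears to start its || one column to the left of the neighbouring lines, and the comment above this return mentions only ::1, so a note on the link-local case belongs there as well.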
@@ -557,6 +560,7 @@
         /* ::ffff: IPv4 loopback mapped over IPv6 */
         return ( (ip->ip8[12] == 10)
                ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
+              ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
                ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) );
     }
     return 0;
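Review bot: The message describes the link-local range as 169.254.1.0 through 169.254.254.255, but the added test (ip->ip8[12] == 169) && (ip->ip8[13] == 254) matches the whole of 169.254/16, including 169.254.0.x and 169.254.255.x. If matching the full /16 is intended, say so in a comment; the existing comment in this branch ("::ffff: IPv4 loopback mapped over IPv6") mentions neither the private ranges nor the new link-local case. It is also worth documenting for callers that this check now returns true for link-local addresses in addition to 10/8, 172.16/12 and 192.168/16.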

This check was submitted for inclusion in Snort 2.x some time ago,
but it was left out of Snort 3.

I am attaching the patch file to this bug report...

Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sf_ip.h
Type: text/x-chdr
Size: 1359 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150610/63e7999d/attachment.h>
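
The prefix checks discussed in this message, written as a table-driven classifier. This is an added example, not code from Snort or from the patch author; the names `v4_class`, `classify_v4` and `classify_mapped` are hypothetical. It assumes link-local (RFC 3927) should be reported separately from the RFC 1918 private ranges, and it verifies the `::ffff:` prefix itself before reading octets 12 to 15.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; link-local is reported separately from RFC 1918. */
enum v4_class { V4_OTHER = 0, V4_PRIVATE, V4_LINK_LOCAL };
struct v4_block { uint8_t net[4]; uint8_t bits; enum v4_class cls; };

static const struct v4_block blocks[] = {
    { { 10,    0, 0, 0 },  8, V4_PRIVATE    },  /* 10/8       */
    { { 172,  16, 0, 0 }, 12, V4_PRIVATE    },  /* 172.16/12  */
    { { 192, 168, 0, 0 }, 16, V4_PRIVATE    },  /* 192.168/16 */
    { { 169, 254, 0, 0 }, 16, V4_LINK_LOCAL },  /* 169.254/16 */
};

/* Classify four octets (network order) by prefix match against the table. */
enum v4_class classify_v4(const uint8_t *a)
{
    for (size_t i = 0; i < sizeof blocks / sizeof blocks[0]; i++) {
        const struct v4_block *b = &blocks[i];
        unsigned full = b->bits / 8, rem = b->bits % 8;
        if (memcmp(a, b->net, full) != 0)
            continue;                       /* whole-octet part differs */
        uint8_t mask = rem ? (uint8_t)(0xff << (8 - rem)) : 0;
        if (((a[full] ^ b->net[full]) & mask) == 0)
            return b->cls;
    }
    return V4_OTHER;
}

/* Classify a 16-byte address; only ::ffff:a.b.c.d is treated as IPv4. */
enum v4_class classify_mapped(const uint8_t ip[16])
{
    static const uint8_t prefix[12] = { 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff };
    if (memcmp(ip, prefix, sizeof prefix) != 0)
        return V4_OTHER;
    return classify_v4(ip + 12);
}

int main(void)
{
    const uint8_t samples[][4] = {   /* constructed sample addresses */
        { 172, 31, 255, 255 }, { 172, 32, 0, 1 }, { 169, 254, 10, 20 } };
    for (size_t i = 0; i < 3; i++)
        printf("%d.%d.%d.%d -> class %d\n", samples[i][0], samples[i][1],
               samples[i][2], samples[i][3], (int)classify_v4(samples[i]));
    return 0;
}
```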

