[Snort-devel] Add Link-Local Address Network Assignment Block (IPv4) to sf_ip.h in Snort 3/Snort++

Russ rucombs at ...3461...
Wed Jun 10 20:17:47 EDT 2015


Hey Bill,

Thanks for reporting the issue.  Snort++ syncs up with the current Snort 
code base periodically and we will pull in any such changes at those times.

Russ


On 6/10/15 7:41 PM, Bill Parker wrote:
> Hello All,
>
>    In reviewing source code for Snort 3/Snort++, I found in directory
> 'src/sfip', file 'sf_ip.h', that the private Microsoft Network
> block 169.254.0.0/16 <http://169.254.0.0/16> (which is assigned if MS 
> DHCP fails for some
> reason) is not included in the private IPv4 network listing.
>
> In RFC 3927, the Internet Engineering Task Force has reserved the
> address block 169.254.1.0 through 169.254.254.255] for link-local
> addressing in Internet Protocol Version 4. Link-local addresses
> are assigned to interfaces by host-internal, i.e. stateless,
> address autoconfiguration when other means of address assignment
> are not available.
>
> The patch file below addresses this issue:
>
> --- sf_ip.h.orig        2015-06-09 16:32:18.361202622 -0700
> +++ sf_ip.h     2015-06-09 16:38:38.405504298 -0700
> @@ -527,10 +527,12 @@
>          /*
>           * 10.0.0.0        -   10.255.255.255  (10/8 prefix)
>           * 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
> +        * 169.254.0.0     -   169.254.0.0     (169.254/16 prefix) - 
> Microsoft Private IP Assignment
>           * 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
>           * */
>          return( (ip->ip8[0] == 10)
>                 ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16))
> +              ||((ip->ip8[0] == 169) && (ip->ip8[1] == 254))
>                 ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) );
>      }
>
> @@ -548,6 +550,7 @@
>             ::1 is the IPv6 loopback */
>          return ( (ip->ip8[12] == 10)
>                 ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
> +              ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
>                 ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168))
>                 || (ntohl(p[3]) == 0x1) );
>      }
> @@ -557,6 +560,7 @@
>          /* ::ffff: IPv4 loopback mapped over IPv6 */
>          return ( (ip->ip8[12] == 10)
>                 ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16))
> +              ||((ip->ip8[12] == 169) && (ip->ip8[13] == 254))
>                 ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) );
>      }
>      return 0;
>
> This check was submitted for inclusion in Snort 2.x some time ago,
> but it was left out of Snort 3.
>
> I am attaching the patch file to this bug report...
>
> Bill Parker (wp02855 at gmail dot com)
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150610/18e72804/attachment.html>


More information about the Snort-devel mailing list