Package: snort
Severity: minor
Tags: upstream patch ipv6

When using snort on an interface without a link level layer, for example
an AYIYA tunnel for IPv6 through SixXS, then snort assumes that the
packets will be IPv4. I have a patch that adds a check on the IP version
number in the header, and if it is not an IPv4 packet, try decoding as
IPv6.

Without this patch, listening on such an interface will result in
warning messages as below.

Not IPv4 datagram! ([ver: 0x6][len: 0x0])

Patch is attached

-- System Information:
Debian Release: 6.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
From a118ba3f93757ff2c924a5481317d97b36d8da2d Mon Sep 17 00:00:00 2001
From: Hugh Davenport <h...@davenport.net.nz>
Date: Fri, 8 Jul 2011 10:46:17 +1200
Subject: [PATCH 1/4] snort: Enable IPv6 decoding for raw packets

---
 src/decode.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/src/decode.c b/src/decode.c
index 0caf78d..e0ee343 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -3009,7 +3009,10 @@ void DecodeRawPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t *
 
     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"););
 
-    DecodeIP(pkt, p->pkth->caplen, p);
+    if (IP_VER((IPHdr *)pkt) != 4)
+        DecodeIPV6(pkt, p->pkth->caplen, p);
+    else
+        DecodeIP(pkt, p->pkth->caplen, p);
 
     PREPROC_PROFILE_END(decodePerfStats);
     return;
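
Review bot: The new test `IP_VER((IPHdr *)pkt) != 4` dereferences the first byte of pkt before anything visible in this hunk has looked at p->pkth->caplen, so a zero-length capture would be read out of bounds here; check that caplen is at least 1 before reading the version nibble. The condition also sends every non-4 version value to DecodeIPV6, including malformed headers that are neither IPv4 nor IPv6. Testing explicitly for `IP_VER(...) == 6` and leaving everything else to DecodeIP would keep the existing "Not IPv4 datagram!" reporting for garbage input. The commit message has no body; a sentence on which raw interface types this was tested with would help whoever maintains the patch.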
-- 
1.7.2.5
