Bug #4081 (open)
ICMP IPv6 signature not matching when source contains ! condition with IPv4 addresses only
Description
It appears that an ICMP IPv6 rule will not match if the source variable contains a ! condition and a variable that only contains IPv4 addresses. The issue is alleviated if the variable contains either a mix of IPv4/v6 or IPv6 only.
This becomes a problem in cases where we specifically want to exclude vulnerability scanner IPs from our signature source address space using a variable. Maybe this is the intended behavior, but it would be nice to not have to worry about these distinctions when writing signatures.
- We did not test if this issue affects other types of traffic (HTTP, DNS, etc.).
- We have not had a chance to test 6.0, but we were not able to see any Redmine issues that described this problem.
How to reproduce:
Using this sample ICMP IPv6 pcap: https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/v6.pcap
And these signatures:
$ cat test_icmpv6.rule
alert icmp !$TEST_1 any -> any any (flow:stateless; msg:"ICMPv6 Test Sig 1 - IPv4 only"; itype:136; sid:1; rev:1;)
alert icmp !$TEST_2 any -> any any (flow:stateless; msg:"ICMPv6 Test Sig 2 - IPv4 and IPv6"; itype:136; sid:2; rev:1;)
alert icmp !$TEST_3 any -> any any (flow:stateless; msg:"ICMPv6 Test Sig 3 - IPv6 only"; itype:136; sid:3; rev:1;)
Running this command, where I set three variables using the CLI:
$ suricata --runmode=autofp -r v6.pcap -S test_icmpv6.rule -l . -c /etc/suricata/suricata.yaml --set vars.address-groups.TEST_1=[127.0.0.1] --set vars.address-groups.TEST_2=[127.0.0.1,::1/128] --set vars.address-groups.TEST_3=[::1/128] -k none
[1110] 19/10/2020 -- 20:34:49 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in USER mode
[1110] 19/10/2020 -- 20:34:50 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 33 packet processing threads, 4 management threads initialized, engine started.
[1110] 19/10/2020 -- 20:34:50 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[1111] 19/10/2020 -- 20:34:50 - (source-pcap-file.c:377) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 161 packets, 25651 bytes
Seeing these results:
$ cat eve.json | jq 'select(.event_type == "alert")' | jq .alert.signature | sort | uniq -c
9 "ICMPv6 Test Sig 2 - IPv4 and IPv6"
9 "ICMPv6 Test Sig 3 - IPv6 only"
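As an added illustration (not code from this report or from Suricata), the following Python models two readings of `!$VAR` for an IPv6 packet against the three address groups above: the intended one, where an IPv6 source is simply not in an IPv4-only group so the negation matches, and a per-address-family one in which an IPv4-only group contributes nothing to the IPv6 side, which reproduces the sid 2/3-only result seen in eve.json. The per-family model and the fe80::1 source address are assumptions for the illustration, not Suricata's actual cause.

```python
import ipaddress

# Constructed model of negated address-group matching; not Suricata's code.
# Address groups are the report's --set vars.address-groups values.

def parse_group(spec):
    """Parse an address-group string such as "[127.0.0.1,::1/128]" into networks."""
    inner = spec.strip().strip("[]")
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in inner.split(",") if item.strip()]

def intended_match(src, group, negated):
    """Intended semantics: `!$VAR` matches every source not listed in VAR,
    whatever its family (an IPv6 address is never "in" an IPv4 network)."""
    addr = ipaddress.ip_address(src)
    in_group = any(addr in net for net in group)   # False across families
    return not in_group if negated else in_group

def per_family_match(src, group, negated):
    """Per-family model consistent with the observed behaviour (an assumption,
    not Suricata's confirmed cause): the group is split by family first, and a
    family with no entries yields an empty set, so its negation matches nothing."""
    addr = ipaddress.ip_address(src)
    same_family = [net for net in group if net.version == addr.version]
    if not same_family:
        return False
    in_group = any(addr in net for net in same_family)
    return not in_group if negated else in_group

GROUPS = {
    "TEST_1": parse_group("[127.0.0.1]"),          # IPv4 only
    "TEST_2": parse_group("[127.0.0.1,::1/128]"),  # mixed
    "TEST_3": parse_group("[::1/128]"),            # IPv6 only
}
SIGS = {1: "TEST_1", 2: "TEST_2", 3: "TEST_3"}  # sid -> variable used as !$VAR

def matching_sids(src, matcher):
    """Return the sids whose negated source group accepts `src` under `matcher`."""
    return sorted(sid for sid, var in SIGS.items()
                  if matcher(src, GROUPS[var], True))

if __name__ == "__main__":
    # Constructed IPv6 source (link-local, as in a neighbor advertisement, itype 136).
    src = "fe80::1"
    print("intended:  ", matching_sids(src, intended_match))    # [1, 2, 3]
    print("per-family:", matching_sids(src, per_family_match))  # [2, 3]
```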