Bug #4081
openICMP IPv6 signature not matching when source contains ! condition with IPv4 addresses only
Description
It appears that an ICMP IPv6 rule will not match if the source variable contains a ! condition and a variable that only contains IPv4 addresses. The issue is alleviated if the variable contains either a mix of IPv4/v6 or IPv6 only.
This becomes an problem in cases where we specifically want to exclude vulnerability scanner IPs from our signature source address space using a variable. Maybe this is the intended behavior, but it would be nice to not have to worry about these distinctions when writing signatures.
- We did not test if this issue affects other types of traffic (HTTP, DNS, etc).
- We have not had a chance to test 6.0, but we were not able to see any Redmine issues that described this problem.
How to reproduce:
Using this sample ICMP IPv6 pcap: https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/v6.pcap
And these signatures:
$ cat test_icmpv6.rule
alert icmp !$TEST_1 any -> any any (flow:stateless; msg:"ICMPv6 Test Sig 1 - IPv4 only"; itype:136; sid:1; rev:1;)
alert icmp !$TEST_2 any -> any any (flow:stateless; msg:"ICMPv6 Test Sig 2 - IPv4 and IPv6"; itype:136; sid:2; rev:1;)
alert icmp !$TEST_3 any -> any any (flow:stateless; msg:"ICMPv6 Test Sig 3 - IPv6 only"; itype:136; sid:3; rev:1;)
Running this command, where I set three variables using the CLI:
$ suricata --runmode=autofp -r v6.pcap -S test_icmpv6.rule -l . -c /etc/suricata/suricata.yaml --set vars.address-groups.TEST_1=[127.0.0.1] --set vars.address-groups.TEST_2=[127.0.0.1,::1/128] --set vars.address-groups.TEST_3=[::1/128] -k none
[1110] 19/10/2020 -- 20:34:49 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in USER mode
[1110] 19/10/2020 -- 20:34:50 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 33 packet processing threads, 4 management threads initialized, engine started.
[1110] 19/10/2020 -- 20:34:50 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[1111] 19/10/2020 -- 20:34:50 - (source-pcap-file.c:377) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 161 packets, 25651 bytes
Seeing these results:
$ cat eve.json | jq 'select(.event_type == "alert")' | jq .alert.signature | sort | uniq -c
9 "ICMPv6 Test Sig 2 - IPv4 and IPv6"
9 "ICMPv6 Test Sig 3 - IPv6 only"
No data to display