Project

General

Profile

Actions

Feature #7221

open

Sanity checking on IP network prefix base addresses

Added by Brian Callan 4 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
low
Difficulty:
low
Label:

Description

Suricata rules syntax checking should perform sanity checking on IP network prefixes. The validation would ensure that the address portion of a network prefix matches the expected base address for the given prefix length - for example, ensuring that a /24 prefix has a base address ending in .0, or that a /28 prefix has a base address ending in .0, .16, .32, etc. The validation also needs to be applied to Suricata variables that reference IPv4/v6 network prefixes. This validation would prevent user mistakes, that can lead to permitting or denying larger IP address ranges than the rule author intended.

Example 1: a user can today define HOME_NET = 10.3.4.5/16
Security best practice would suggest that the user should use HOME_NET = 10.3.0.0/16

Example 2: a copy and paste error could result in a user defining the following rule:
pass tcp 10.56.3.224/2 any -> 20.21.22.23 443 (msg:\"Allow access to webserver"; sid: 1453;)
When the user intended to only allow 10.56.3.224/27

No data to display

Actions

Also available in: Atom PDF