Snort mailing list archives

Add additional private IP address blocks to Snort-2.9.8.0


From: Bill Parker <wp02855 () gmail com>
Date: Mon, 29 Feb 2016 09:55:19 -0800

Hello All,

This is from a diary on isc.incidents.org:

Three years ago Johannes published a diary on Reserved IP Address
Space with a complete list of reserved IPv4 addresses that obviously
included the well-known ones as well as some new ones such as RFC 6598
(released in April 2012) "[...] to accommodate the needs of
Carrier-Grade NAT (CGN) devices."[1] The address space reserved
for CGN is 100.64.0.0/10 which is used to counter the IPv4 address
shortage by putting multiple hosts in a private subnet behind a
public IP address.

The patch file below adds the following private address blocks to
file 'sf_ip.h', in directory 'src/sfutil'.  The address block 100.64.0.0/10
was mentioned in the ISC incidents diary as one which should be monitored.

Here are the address blocks and RFCs:

100.64.0.0/10 (RFC 6598) (100.64-192.0.0/10)
199.0.2.0/24 (RFC 5737)
198.18.0.0/15 (RFC 2544) (198.18-254.0.0/15)
198.51.100.0/24 (RFC 5737)
203.0.113.0/24 (RFC 5737)

=======================================================================

--- sf_ip.h.orig 2015-12-15 12:28:57.703222520 -0800
+++ sf_ip.h 2016-02-28 16:01:50.496622373 -0800
@@ -470,13 +470,25 @@
     if ( ip->ia16[5] == 0xffff ) {
         /* ::ffff: IPv4 mapped over IPv6 */
         /*
-         * 10.0.0.0        -   10.255.255.255  (10/8 prefix)
-         * 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
-         * 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
+         * 10.0.0.0        -   10.255.255.255  (10/8 prefix) RFC 1918
+ * 100.64.0.0   -   100.192.0.0     (100.64.0.0/10 prefix) RFC 6598
+         * 172.16.0.0      -   172.31.255.255  (172.16/12 prefix) RFC 1918
+ * 169.254.0.0     -   169.254.255.255 (169.254/16 prefix) RFC 3927
+         * 192.168.0.0     -   192.168.255.255 (192.168/16 prefix) RFC 1918
+ * 198.18.0.0   -   198.254.255.255 (198.18/15 prefix) RFC 2544
+ * 198.51.100.0   -   198.51.100.255  (192.51.100.0/24 prefix) RFC 5737
+ * 199.0.2.0   -   192.0.2.255     (192.0.2.0/24 prefix) RFC 6598
+ * 203.0.113.0     -   203.0.113.255   (203.0.113.0/24 prefix) RFC 5737
          * */
         return ( (ip->ia8[12] == 10)
-                ||((ip->ia8[12] == 172) && ((ip->ia8[13] & 0xf0 ) == 16))
-                ||((ip->ia8[12] == 192) && (ip->ia8[13] == 168)) );
+ ||((ip->ia8[12] == 100) && ((ip->ia8[13] & 0xc0) == 64))
+ ||((ip->ia8[12] == 169) && (ip->ia8[13] == 254))
+                ||((ip->ia8[12] == 172) && ((ip->ia8[13] & 0xf0) == 16))
+                ||((ip->ia8[12] == 192) && (ip->ia8[13] == 168))
+ ||((ip->ia8[12] == 198) && ((ip->ia8[13] & 0xfe) == 18))
+ ||((ip->ia8[12] == 198) && (ip->ia8[13] == 51) && (ip->ia8[14] == 100))
+ ||((ip->ia8[12] == 199) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2))
+ ||((ip->ia8[12] == 203) && (ip->ia8[13] == 0) && (ip->ia8[14] == 113)) );
     }

     /* Check if the 3rd 32-bit int is zero */
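Review bot: the new test `||((ip->ia8[12] == 199) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2))` in this return expression checks 199.0.2.0/24, but the RFC 5737 documentation block is 192.0.2.0/24 (TEST-NET-1); as written the function reports public 199.0.2.x addresses as private and still misses 192.0.2.x. It should read `||((ip->ia8[12] == 192) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2))`, and the matching comment line needs the same 199 corrected to 192 and its RFC changed from 6598 to 5737. Two other comment lines overstate the ranges: 100.64.0.0/10 ends at 100.127.255.255, not 100.192.0.0, and 198.18.0.0/15 ends at 198.19.255.255, not 198.254.255.255 (the bit tests `(ip->ia8[13] & 0xc0) == 64` and `(ip->ia8[13] & 0xfe) == 18` are correct, only the comments are wrong), and the 198.51.100.0/24 line is labelled "192.51.100.0/24 prefix". Smaller points: the added lines are not indented to match the existing ones, and the hunk also adds 169.254.0.0/16 (RFC 3927), which the cover note's list of five blocks does not mention.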
@@ -484,8 +496,14 @@
         /* ::ipv4 compatible ipv6 */
         /* ::1 is the IPv6 loopback */
         return ( (ip->ia8[12] == 10)
+ ||((ip->ia8[12] == 100) && ((ip->ia8[13] & 0xc0) == 64))
                 ||((ip->ia8[12] == 172) && ((ip->ia8[13] & 0xf0 ) == 16))
+ ||((ip->ia8[12] == 169) && (ip->ia8[13] == 254))
                 ||((ip->ia8[12] == 192) && (ip->ia8[13] == 168))
+ ||((ip->ia8[12] == 198) && ((ip->ia8[13] & 0xfe) == 18))
+ ||((ip->ia8[12] == 198) && (ip->ia8[13] == 51) && (ip->ia8[14] == 100))
+ ||((ip->ia8[12] == 199) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2))
+ ||((ip->ia8[12] == 203) && (ip->ia8[13] == 0) && (ip->ia8[14] == 113))
                 || (ip->ia32[3] == htonl(0x1)) );
     }


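Review bot: the 199.0.2.0/24 mistake is repeated in this IPv4-compatible branch (`||((ip->ia8[12] == 199) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2))`); it should test 192.0.2.0/24 as well. This branch now carries a second copy of the same list of byte tests on ia8[12..15] as the mapped branch above, and the two copies are already ordered differently (100.64/10 before 172.16/12 here, 169.254/16 after it), so consider moving the IPv4 tests into one static inline helper called from both branches; then a block added or corrected in one place cannot be missed in the other.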
=======================================================================

The above code results in a clean 'make' && 'make install'...

I am attaching the patch file to this email...

Bill Parker (wp02855 at gmail dot com)

Attachment: sf_ip.h.patch
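As an added example (not Snort's code and not part of the patch above), the following C program expresses the same reserved-address test in table-driven form, one (network, prefix length, RFC) entry per block, and reproduces the unwrapping of IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible (::a.b.c.d) IPv6 addresses that the patched function does on bytes 12..15. Its table contains the RFC 1918 blocks already in sf_ip.h, the blocks the mail adds, and 192.0.2.0/24 as the RFC 5737 TEST-NET-1 block. All identifiers (reserved_block, ipv4_is_reserved, parse_ipv4, ipv6_embedded_is_reserved) and the sample addresses are the example's own.

```c
/* Added example, not code from Snort or from the patch above: a table-driven
 * reserved-IPv4 test, plus the IPv4-mapped / IPv4-compatible IPv6 unwrapping
 * the patched function performs on ia8[12..15].  All names are the example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct reserved_block {
    uint32_t net;        /* network address, host byte order */
    unsigned prefix_len; /* CIDR prefix length */
    const char *rfc;
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* RFC 1918 blocks already in sf_ip.h, the blocks the patch adds, and
 * 192.0.2.0/24, the RFC 5737 TEST-NET-1 block. */
static const struct reserved_block reserved[] = {
    { IP4(10, 0, 0, 0),     8,  "RFC 1918" },
    { IP4(100, 64, 0, 0),   10, "RFC 6598 (CGN shared address space)" },
    { IP4(169, 254, 0, 0),  16, "RFC 3927 (link-local)" },
    { IP4(172, 16, 0, 0),   12, "RFC 1918" },
    { IP4(192, 0, 2, 0),    24, "RFC 5737 (TEST-NET-1)" },
    { IP4(192, 168, 0, 0),  16, "RFC 1918" },
    { IP4(198, 18, 0, 0),   15, "RFC 2544 (benchmarking)" },
    { IP4(198, 51, 100, 0), 24, "RFC 5737 (TEST-NET-2)" },
    { IP4(203, 0, 113, 0),  24, "RFC 5737 (TEST-NET-3)" },
};

static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : (uint32_t)(0xffffffffu << (32 - len));
}

/* 1 if addr (host byte order) lies inside a reserved block; *rfc names it. */
int ipv4_is_reserved(uint32_t addr, const char **rfc)
{
    size_t i;
    for (i = 0; i < sizeof reserved / sizeof reserved[0]; i++) {
        if ((addr & prefix_mask(reserved[i].prefix_len)) == reserved[i].net) {
            if (rfc) *rfc = reserved[i].rfc;
            return 1;
        }
    }
    if (rfc) *rfc = NULL;
    return 0;
}

/* Parses a dotted quad; rejects octets above 255 and trailing junk. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = IP4(a, b, c, d);
    return 1;
}

int ipv4_str_is_reserved(const char *s)
{
    uint32_t addr;
    return parse_ipv4(s, &addr) && ipv4_is_reserved(addr, NULL);
}

/* Mirrors the two branches in the patch: the embedded IPv4 address of an
 * IPv4-mapped or IPv4-compatible IPv6 address sits in bytes 12..15, and ::1
 * counts as private in the compatible branch, as in sf_ip.h.  Any other
 * IPv6 address returns 0. */
int ipv6_embedded_is_reserved(const uint8_t ip[16])
{
    static const uint8_t zero10[10] = { 0 };
    int mapped, compat;
    uint32_t v4;
    if (memcmp(ip, zero10, sizeof zero10) != 0) return 0;
    mapped = (ip[10] == 0xff && ip[11] == 0xff);
    compat = (ip[10] == 0 && ip[11] == 0);
    if (!mapped && !compat) return 0;
    v4 = IP4(ip[12], ip[13], ip[14], ip[15]);
    if (compat && v4 == 1) return 1;  /* ::1 loopback */
    return ipv4_is_reserved(v4, NULL);
}

int main(void)
{
    /* Constructed samples: boundaries of the blocks the patch adds. */
    const char *samples[] = { "100.127.255.255", "100.128.0.0", "198.19.255.255",
                              "198.20.0.0", "192.0.2.1", "199.0.2.1" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t addr;
        const char *rfc = NULL;
        if (parse_ipv4(samples[i], &addr))
            printf("%-16s %s\n", samples[i], ipv4_is_reserved(addr, &rfc) ? rfc : "public");
    }
    return 0;
}
```

Keeping the prefix length in the table rather than hand-writing masks per octet is what makes the boundary cases come out right automatically: 100.127.255.255 and 198.19.255.255 match, 100.128.0.0 and 198.20.0.0 do not, and a typo such as 199 for 192 shows up as a single wrong table entry rather than a wrong test buried in a long expression that must be kept in sync across two branches.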

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
