Snort mailing list archives
Add additional private IP address blocks to Snort-2.9.8.0
From: Bill Parker <wp02855 () gmail com>
Date: Mon, 29 Feb 2016 09:55:19 -0800
Hello All,

This is from a diary on isc.incidents.org:

Three years ago Johannes published a diary on Reserved IP Address Space with a complete list of reserved IPv4 addresses that obviously included the well-known as well as some new ones such as RFC 6598 (released in April 2012) "[...] to accommodate the needs of Carrier-Grade NAT (CGN) devices."[1] The address space reserved for CGN is 100.64.0.0/10 which is used to counter the IPv4 address shortage by putting multiple hosts in a private subnet behind a public IP address.

The patch file below adds the following private address blocks to file 'sf_ip.h', in directory 'src/sfutil'. The address block 100.64.0.0/10 was mentioned in the ISC incidents diary as one which should be monitored.

Here are the address blocks and RFCs:

100.64.0.0/10 (RFC 6598) (100.64-192.0.0/10)
199.0.2.0/24 (RFC 5737)
198.18.0.0/15 (RFC 2544) (198.18-254.0.0/15)
198.51.100.0/24 (RFC 5737)
203.0.113.0/24 (RFC 5737)

=======================================================================
--- sf_ip.h.orig 2015-12-15 12:28:57.703222520 -0800
+++ sf_ip.h 2016-02-28 16:01:50.496622373 -0800
@@ -470,13 +470,25 @@ if ( ip->ia16[5] == 0xffff ) { /* ::ffff: IPv4 mapped over IPv6 */ /* - * 10.0.0.0 - 10.255.255.255 (10/8 prefix) - * 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) - * 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) + * 10.0.0.0 - 10.255.255.255 (10/8 prefix) RFC 1918 + * 100.64.0.0 - 100.192.0.0 (100.64.0.0/10 prefix) RFC 6598 + * 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) RFC 1918 + * 169.254.0.0 - 169.254.255.255 (169.254/16 prefix) RFC 3927 + * 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) RFC 1918 + * 198.18.0.0 - 198.254.255.255 (198.18/15 prefix) RFC 2544 + * 198.51.100.0 - 198.51.100.255 (192.51.100.0/24 prefix) RFC 5737 + * 199.0.2.0 - 192.0.2.255 (192.0.2.0/24 prefix) RFC 6598 + * 203.0.113.0 - 203.0.113.255 (203.0.113.0/24 prefix) RFC 5737 * */ return ( (ip->ia8[12] == 10) - ||((ip->ia8[12] == 172) && ((ip->ia8[13] & 0xf0 ) == 16)) - ||((ip->ia8[12] == 192) && (ip->ia8[13] == 168)) ); + ||((ip->ia8[12] == 100) && ((ip->ia8[13] & 0xc0) == 64)) + ||((ip->ia8[12] == 169) && (ip->ia8[13] == 254)) + ||((ip->ia8[12] == 172) && ((ip->ia8[13] & 0xf0) == 16)) + ||((ip->ia8[12] == 192) && (ip->ia8[13] == 168)) + ||((ip->ia8[12] == 198) && ((ip->ia8[13] & 0xfe) == 18)) + ||((ip->ia8[12] == 198) && (ip->ia8[13] == 51) && (ip->ia8[14] == 100)) + ||((ip->ia8[12] == 199) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2)) + ||((ip->ia8[12] == 203) && (ip->ia8[13] == 0) && (ip->ia8[14] == 113)) ); } /* Check if the 3rd 32-bit int is zero */ 
@@ -484,8 +496,14 @@ /* ::ipv4 compatible ipv6 */ /* ::1 is the IPv6 loopback */ return ( (ip->ia8[12] == 10) + ||((ip->ia8[12] == 100) && ((ip->ia8[13] & 0xc0) == 64)) ||((ip->ia8[12] == 172) && ((ip->ia8[13] & 0xf0 ) == 16)) + ||((ip->ia8[12] == 169) && (ip->ia8[13] == 254)) ||((ip->ia8[12] == 192) && (ip->ia8[13] == 168)) + ||((ip->ia8[12] == 198) && ((ip->ia8[13] & 0xfe) == 18)) + ||((ip->ia8[12] == 198) && (ip->ia8[13] == 51) && (ip->ia8[14] == 100)) + ||((ip->ia8[12] == 199) && (ip->ia8[13] == 0) && (ip->ia8[14] == 2)) + ||((ip->ia8[12] == 203) && (ip->ia8[13] == 0) && (ip->ia8[14] == 113)) || (ip->ia32[3] == htonl(0x1)) ); } ======================================================================= The above code results in a clean 'make' && 'make install'... I am attaching the patch file to this email... Bill Parker (wp02855 at gmail dot com)
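Review bot: the new TEST-NET-1 term in the first hunk tests `(ip->ia8[12] == 199)`, but RFC 5737 reserves 192.0.2.0/24, so as written this branch flags the public 199.0.2.0/24 and never matches 192.0.2.0/24; change it to `(ip->ia8[12] == 192)` and fix the matching comment line, which also labels that block RFC 6598 instead of RFC 5737 and gives its range as `199.0.2.0 - 192.0.2.255`. Two other comment ranges disagree with mask tests that are themselves correct: `100.64.0.0 - 100.192.0.0` should end at 100.127.255.255 (`& 0xc0) == 64` is right for a /10), and `198.18.0.0 - 198.254.255.255` should end at 198.19.255.255 (`& 0xfe) == 18` is right for a /15); `192.51.100.0/24` is a typo for 198.51.100.0/24. Since the function now reports link-local, benchmarking and documentation prefixes as "private", the commit text should say so, because callers that rely on the RFC 1918-only meaning will see different results.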
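Review bot: the second hunk repeats the `(ip->ia8[12] == 199)` test, so it needs the same 192-for-199 correction; it also leaves this branch's comment block untouched, so only the ::ffff: branch documents the new prefixes, and it inserts the 169.254 term between the 172 and 192 terms while the first hunk puts it after 100.64, so the two lists are now ordered differently. Both hunks also test `ip->ia8[12] == 198` twice; folding those into one term, or better, moving the whole byte-by-byte list into one static helper that both the ::ffff: and ::ipv4-compatible branches call, would keep the two copies from drifting apart again.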
Attachment:
sf_ip.h.patch
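As an added example (not the email's patch and not Snort's own code), here is a table-driven form of the same reserved-block test in C: each block is a network/prefix pair compared through a mask, so the range a line covers is explicit rather than hand-encoded in byte comparisons that can drift from their comments. The table and function names are my own; it uses 192.0.2.0/24 for TEST-NET-1 as RFC 5737 defines it, and lays the address out as ::ffff:a.b.c.d so the lookup reads the same ia8[12..15] bytes the sf_ip.h code does.

```c
/* Added example (not from the email's patch or from Snort): a table-driven
 * check of the reserved IPv4 blocks the message lists, applied to the last
 * four bytes of a 16-byte address the way sf_ip.h indexes ia8[12..15]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

struct v4_block { uint32_t net; int plen; const char *rfc; };

/* Constructed table: the RFC 1918 blocks plus the ranges the patch adds. */
static const struct v4_block reserved_blocks[] = {
    { 0x0A000000u,  8, "RFC 1918" },  /* 10.0.0.0/8      */
    { 0x64400000u, 10, "RFC 6598" },  /* 100.64.0.0/10   */
    { 0xA9FE0000u, 16, "RFC 3927" },  /* 169.254.0.0/16  */
    { 0xAC100000u, 12, "RFC 1918" },  /* 172.16.0.0/12   */
    { 0xC0000200u, 24, "RFC 5737" },  /* 192.0.2.0/24    */
    { 0xC0A80000u, 16, "RFC 1918" },  /* 192.168.0.0/16  */
    { 0xC6120000u, 15, "RFC 2544" },  /* 198.18.0.0/15   */
    { 0xC6336400u, 24, "RFC 5737" },  /* 198.51.100.0/24 */
    { 0xCB007100u, 24, "RFC 5737" },  /* 203.0.113.0/24  */
};

static uint32_t prefix_mask(int plen) {
    return plen == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - plen));
}

/* Returns the RFC label of the matching block, or NULL if the address is in none. */
const char *reserved_block_for(const uint8_t ia8[16]) {
    uint32_t host = ((uint32_t)ia8[12] << 24) | ((uint32_t)ia8[13] << 16) |
                    ((uint32_t)ia8[14] << 8) | ia8[15];
    for (size_t i = 0; i < sizeof reserved_blocks / sizeof reserved_blocks[0]; i++) {
        if ((host & prefix_mask(reserved_blocks[i].plen)) == reserved_blocks[i].net)
            return reserved_blocks[i].rfc;
    }
    return NULL;
}

/* Dotted quad -> ::ffff:a.b.c.d layout -> check. 1 = reserved, 0 = not, -1 = bad input. */
int is_reserved_v4(const char *dotted) {
    uint8_t ia8[16] = {0};
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    ia8[10] = ia8[11] = 0xff;         /* IPv4-mapped IPv6 prefix ::ffff: */
    memcpy(&ia8[12], &a.s_addr, 4);   /* s_addr is already in network byte order */
    return reserved_block_for(ia8) != NULL;
}
```

The boundary addresses worth checking are the ones the posted comments get wrong: 100.127.255.255 is inside the /10 while 100.128.0.0 is not, and 198.19.255.255 is inside the /15 while 198.20.0.0 is not.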