Re: [Snort-devel] IP Option Router Alert Wrong Value

["Jeffrey Denton" <dentonj () gmail com>]

On 7/9/07, Todd Wease <twease () sourcefire com> wrote:
> Jeffrey Denton wrote:
> > In snort-2.7.0.RC2/src/decode.h:
> >
> > #ifndef IPOPT_RTRALT
> >     #define IPOPT_RTRALT         0x14
> >
> > This is equivalent to decimal value 20.  However at
> > http://www.iana.org/assignments/ip-parameters, RTRALT is listed as
> > having a decimal value of 148.  The confusion starts with RFC 2113:
> >
> > http://www.ietf.org/rfc/rfc2113.txt:
> >
> >     The Router Alert option has the following format:
> >
> >                  +--------+--------+--------+--------+
> >                  |10010100|00000100|  2 octet value  |
> >                  +--------+--------+--------+--------+
> >
> >        Type:
> >          Copied flag:  1 (all fragments must carry the option)
> >          Option class: 0 (control)
> >          Option number: 20 (decimal)
> >
> > It would appear that the value for the Router Alert option is 20.
> > However in RFC 791:
> >
> > http://www.ietf.org/rfc/rfc0791.txt
> >
> >      The option-type octet is viewed as having 3 fields:
> >
> >           1 bit   copied flag,
> >           2 bits  option class,
> >           5 bits  option number.
> >
> > All 8 bits are used to determine the IP option type value.  Examples
> > from RFC 791:
> >
> >    Loose Source and Record Route
> >
> >         +--------+--------+--------+---------//--------+
> >         |10000011| length | pointer|     route data    |
> >         +--------+--------+--------+---------//--------+
> >          Type=131
> >
> >       Strict Source and Record Route
> >
> >         +--------+--------+--------+---------//--------+
> >         |10001001| length | pointer|     route data    |
> >         +--------+--------+--------+---------//--------+
> >          Type=137
> >
> > The IP option type value for Router Alert (RTRALT) should be 148
> > decimal.  The fix is to change decode.h to:
> >
> > #ifndef IPOPT_RTRALT
> >     #define IPOPT_RTRALT         0x94
> >
> > This bug also affects snort-2.6.1.5.
>
> Thanks for pointing this out Jeffrey.  A bug has been created.  Not sure
> yet what release this fix will be in, but attached is a patch to change
> that option to the correct value.
>
> Thanks
> Todd

I noticed that decode.h is fixed in 2.8.0.  However, RTRALT was set is
several other files besides decode.h.  I apologize for not pointing
this out in my original email.  RTRALT is set to the wrong value in
the following files:

doc/snort_manual.tex:8538:#define IPOPTION_RTRALT         0x14

src/dynamic-examples/include/sf_snort_packet.h:71:#define
IPOPTION_RTRALT         0x14

src/dynamic-plugins/sf_engine/sf_snort_packet.h:71:#define
IPOPTION_RTRALT         0x14

src/dynamic-preprocessors/include/sf_snort_packet.h:71:#define
IPOPTION_RTRALT         0x14

Thank you

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users