decode/ipv4: Create event on unknown protos

Issue: 7146

Create an event when the IPv4 header contains an unknown IP protocol.

etc/schema.json

@@ -6705,6 +6705,10 @@
                                             "type": "integer",
                                             "description": "Number of IPv4 packets flagged invalid due to truncated packet"
                                         },
+                                        "unknown_protocol": {
+                                            "type": "integer",
+                                            "description": "Number of IPv4 packets with unknown protocol"
+                                        },
                                         "wrong_ip_version": {
                                             "type": "integer",
                                             "description": "Number of IPv4 packets flagged invalid due to having wrong IP version in IP options"

rules/decoder-events.rules

@@ -157,5 +157,6 @@ alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; dec
 # Capture events.
 alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
 
-# next sid is 2200125
+alert ipv4 any any -> any any (msg:"SURICATA IPv4 unknown protocol"; decode-event:ipv4.unknown_protocol; threshold: type limit, track by_src, seconds 60, count 1;classtype:protocol-command-decode; sid:2200125;)
+# next sid is 2200126
 

src/decode-events.c

@@ -87,6 +87,10 @@ const struct DecodeEvents_ DEvents[] = {
             "decoder.ipv4.icmpv6",
             IPV4_WITH_ICMPV6,
     },
+    {
+            "decoder.ipv4.unknown_protocol",
+            IPV4_PROTO_UNKNOWN,
+    },
 
     /* ICMP EVENTS */
     {

src/decode-events.h

@@ -46,6 +46,7 @@ enum {
     IPV4_OPT_UNKNOWN,      /**< unknown ip option */
     IPV4_WRONG_IP_VER,     /**< wrong ip version in ip options */
     IPV4_WITH_ICMPV6,      /**< IPv4 packet with ICMPv6 header */
+    IPV4_PROTO_UNKNOWN,    /**< IPv4 packet with unknown protocol*/
 
     /* ICMP EVENTS */
     ICMPV4_PKT_TOO_SMALL,    /**< icmpv4 packet smaller than minimum size */

src/decode-ipv4.c

@@ -611,6 +611,11 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
         case IPPROTO_ICMPV6:
             ENGINE_SET_INVALID_EVENT(p, IPV4_WITH_ICMPV6);
             break;
+
+        default:
+            SCLogDebug("unknown protocol type: %" PRIx8 "", p->proto);
+            StatsCounterIncr(&tv->stats, dtv->counter_ipv4_unknown_proto);
+            ENGINE_SET_EVENT(p, IPV4_PROTO_UNKNOWN);
     }
 
     return TM_ECODE_OK;

src/decode.c

@@ -673,6 +673,8 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
     dtv->counter_ipv6inipv4 = StatsRegisterCounter("decoder.ipv6_in_ipv4", &tv->stats);
     dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", &tv->stats);
     dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", &tv->stats);
+    dtv->counter_ipv4_unknown_proto =
+            StatsRegisterCounter("decoder.ipv4.unknown_protocol", &tv->stats);
     dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", &tv->stats);
     dtv->counter_avg_pkt_size = StatsRegisterDeriveDivCounter(
             "decoder.avg_pkt_size", "decoder.bytes", "decoder.pkts", &tv->stats);

src/decode.h

@@ -1012,6 +1012,7 @@ typedef struct DecodeThreadVars_
     StatsCounterId counter_ipv6inipv4;
     StatsCounterId counter_ipv4inipv6;
     StatsCounterId counter_ipv6inipv6;
+    StatsCounterId counter_ipv4_unknown_proto;
     StatsCounterId counter_erspan;
     StatsCounterId counter_nsh;