diff --git a/etc/schema.json b/etc/schema.json
index bce75a1077..b3b8c17a17 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -6705,6 +6705,10 @@
 "type": "integer",
 "description": "Number of IPv4 packets flagged invalid due to truncated packet"
 },
+ "unknown_protocol": {
+ "type": "integer",
+ "description": "Number of IPv4 packets with unknown protocol"
+ },
 "wrong_ip_version": {
 "type": "integer",
 "description": "Number of IPv4 packets flagged invalid due to having wrong IP version in IP options"
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 773b6983ea..385d16228c 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -157,5 +157,6 @@ alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; dec
 # Capture events.
 alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
-# next sid is 2200125
+alert ipv4 any any -> any any (msg:"SURICATA IPv4 unknown protocol"; decode-event:ipv4.unknown_protocol; threshold: type limit, track by_src, seconds 60, count 1;classtype:protocol-command-decode; sid:2200125;)
+# next sid is 2200126
diff --git a/src/decode-events.c b/src/decode-events.c
index d235c4caed..3af8fa048a 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -87,6 +87,10 @@ const struct DecodeEvents_ DEvents[] = {
 "decoder.ipv4.icmpv6",
 IPV4_WITH_ICMPV6,
 },
+ {
+ "decoder.ipv4.unknown_protocol",
+ IPV4_PROTO_UNKNOWN,
+ },
 /* ICMP EVENTS */
 {
diff --git a/src/decode-events.h b/src/decode-events.h
index 2d2f6867f9..67c0f52598 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
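Review bot: The added `alert ipv4` rule in the decoder-events.rules hunk carries no `rev` keyword, while the preceding AF-PACKET rule ends with `sid:2200122; rev:1;`; rule-management tooling keys on sid plus rev to notice changes, so the new line should end `sid:2200125; rev:1;)`. In the same line `count 1;classtype:` lacks the space the neighbouring rules put after `;`. The `threshold` limits alerting to one hit per source per 60 seconds, which matters because, as far as the decode-ipv4.c hunk shows, the event fires for every IPv4 protocol number the decoder's switch does not enumerate rather than only for malformed packets; a short comment above the rule saying so would help operators tune it.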
@@ -46,6 +46,7 @@ enum {
 IPV4_OPT_UNKNOWN, /**< unknown ip option */
 IPV4_WRONG_IP_VER, /**< wrong ip version in ip options */
 IPV4_WITH_ICMPV6, /**< IPv4 packet with ICMPv6 header */
+ IPV4_PROTO_UNKNOWN, /**< IPv4 packet with unknown protocol*/
 /* ICMP EVENTS */
 ICMPV4_PKT_TOO_SMALL, /**< icmpv4 packet smaller than minimum size */
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index 49dfbc6182..86ea095c62 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -611,6 +611,11 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 case IPPROTO_ICMPV6:
 ENGINE_SET_INVALID_EVENT(p, IPV4_WITH_ICMPV6);
 break;
+
+ default: SCLogDebug("unknown protocol type: %" PRIx8 "", p->proto);
+ StatsCounterIncr(&tv->stats, dtv->counter_ipv4_unknown_proto);
+ ENGINE_SET_EVENT(p, IPV4_PROTO_UNKNOWN);
 }
 return TM_ECODE_OK;
diff --git a/src/decode.c b/src/decode.c
index 299e424993..914ef8f7f6 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -673,6 +673,8 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
 dtv->counter_ipv6inipv4 = StatsRegisterCounter("decoder.ipv6_in_ipv4", &tv->stats);
 dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", &tv->stats);
 dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", &tv->stats);
+ dtv->counter_ipv4_unknown_proto =
+ StatsRegisterCounter("decoder.ipv4.unknown_protocol", &tv->stats);
 dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", &tv->stats);
 dtv->counter_avg_pkt_size = StatsRegisterDeriveDivCounter(
 "decoder.avg_pkt_size", "decoder.bytes", "decoder.pkts", &tv->stats);
diff --git a/src/decode.h b/src/decode.h
index 508d643db6..6f240a75d4 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1012,6 +1012,7 @@ typedef struct DecodeThreadVars_
 StatsCounterId counter_ipv6inipv4;
 StatsCounterId counter_ipv4inipv6;
 StatsCounterId counter_ipv6inipv6;
+ StatsCounterId counter_ipv4_unknown_proto;
 StatsCounterId counter_erspan;
 StatsCounterId counter_nsh;
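Review bot: The new `default:` arm at the end of the switch in the decode-ipv4.c hunk has no `break;`, unlike the `IPPROTO_ICMPV6` arm directly above it; it is harmless while nothing follows it, but it invites a silent fall-through the day another case is appended, so end it with `break;` like its siblings. The format string `"unknown protocol type: %" PRIx8 ""` carries a redundant empty literal after `PRIx8`; `"unknown protocol type: %" PRIx8` is enough. Raising the event with `ENGINE_SET_EVENT` rather than `ENGINE_SET_INVALID_EVENT` looks deliberate, since a protocol number the decoder does not handle is not a malformed packet, and a one-line comment such as `/* not an invalid packet: the protocol is simply not decoded here */` would keep a later reader from "fixing" it. DecodeIPV4 begins and ends outside the hunk.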
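Review bot: The counter registered in the decode.c hunk under `"decoder.ipv4.unknown_protocol"` uses exactly the string the decode-events.c hunk adds to `DEvents[]` for `IPV4_PROTO_UNKNOWN`; if decoder events are also registered as stats counters by their `DEvents` name elsewhere in `DecodeRegisterPerfCounters` (not visible in this hunk), the same key is registered twice and the decode path increments both, so the stat either double-counts or leaves the schema.json entry ambiguous about which counter it describes. Either drop `counter_ipv4_unknown_proto` (with its decode.h field and the `StatsCounterIncr` call) and rely on the event counter, or give the dedicated counter a distinct name. If keeping both is intentional, a comment on the registration line stating why would spare the next reader the same question.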