dhcp: verify option 52 overload parsing #3074
Add a verification test that runs Suricata over a pcap where the server places dns_servers, routers and a domain inside the BOOTP sname continuation area while flagging Option Overload (52) value 2 in the standard options block. The test asserts that the EVE DHCP events for both the OFFER and the ACK now expose those overloaded values and that the parallel non-overloaded flow in the same capture still reports its inline values. Bug: #8538.
I'm worried this pcap from the ticket is very synthetic. Do you have any real pcaps showing this option being used?
Yes, it's synthetic. Option 52 overload is rare enough in the wild that I don't have a production capture either, but the Wireshark sample collection has I would suggest adding it as a second test directory rather than swapping out my current pcap. The Wireshark sample covers overload value 3 (both sname and file overloaded) on a single packet; my current synthetic covers overload value 2 (sname only) on an OFFER/ACK pair plus a benign control flow. Different overload modes, complementary coverage. Happy to just swap it instead if you would prefer the smaller test footprint.
catenacyber
left a comment
Looks like a good SV test
An additional test would be great.
Companion to dhcp-option-52-overload (overload value 2, sname only). This adds a second test using PRIV_bootp-both_overload.pcap from the Wireshark sample collection, which exercises overload value 3 (both sname and file overloaded) on a single DHCP DISCOVER -- the canonical reference capture for BOOTP option overload. The Wireshark sample only carries Option 56 (DHCP Message) in the overloaded areas, which the EVE DHCP logger does not currently emit, so this test does not assert on the overloaded-area content itself. It does verify the parser cleanly processes a real-world overload=3 packet without dropping the event and that the inline-option fields (dhcp_type, id, client_mac, lease_time) still surface correctly -- a regression guard for the Option 52 overload code path. Bug: #8538.
This adds an integration test for issue 8538, the request to make Suricata parse DHCP options carried inside the BOOTP sname or file fields when Option Overload (52) is set. The pcap captures two parallel flows with the same xid, one benign and one where the OFFER and ACK hide dns_servers, routers and domain inside an overloaded sname while keeping the inline options block looking innocuous. The test asserts that the EVE dhcp events for the overloaded OFFER and ACK now expose those values, and that the benign flow in the same capture still reports its inline values unchanged. This is the verify side companion to OISF/suricata#15340.
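To make concrete what the two tests above check, here is an added example (my own code, not Suricata's parser or the suricata-verify test) of a minimal DHCP option reader that honours Option Overload (52). It reads the `options` area first, then `file` when bit 1 is set and `sname` when bit 2 is set (RFC 2131 order), and leaves `sname`/`file` alone when no overload is flagged, which is the control-flow case. The three packets are constructed inline: an OFFER with overload value 2 whose inline block looks innocuous while dns_servers/routers/domain sit in `sname`, the same OFFER with the values inline, and a DISCOVER with overload value 3 carrying only Option 56 in both areas, the shape of the Wireshark sample. The EVE key names `dhcp_type`, `id`, `client_mac`, `lease_time`, `dns_servers`, `routers` and `domain` are the ones named in the PR; `overload` and `message` are names I chose for this example, and the MAC, xid, addresses and domain are made-up sample values.

```python
"""Added example (not Suricata's code): a minimal DHCP option parser that
honours Option Overload (52), with constructed packets mirroring the
capture shapes discussed in the PR."""
import struct
from ipaddress import IPv4Address

OVERLOAD_FILE, OVERLOAD_SNAME = 1, 2           # RFC 2131 section 9.3 bit values
SNAME_OFF, FILE_OFF, MAGIC_OFF = 44, 108, 236  # fixed BOOTP field offsets
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "discover", 2: "offer", 3: "request", 5: "ack"}


def _walk(area):
    """Yield (code, value) TLVs from one option area; pad=0 skips, end=255 stops."""
    i = 0
    while i < len(area):
        code = area[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(area):  # end marker or truncated TLV
            return
        length = area[i + 1]
        yield code, area[i + 2:i + 2 + length]
        i += 2 + length


def parse_dhcp_options(pkt):
    """Return {code: value} for a DHCP payload (BOOTP header + options).

    Areas are read in RFC 2131 order: 'options', then 'file' if overload bit 1
    is set, then 'sname' if bit 2 is set. Repeated codes are concatenated
    (RFC 3396). Without overload, sname/file are the usual NUL-padded strings
    and are never parsed as options.
    """
    if len(pkt) < MAGIC_OFF + 4 or pkt[MAGIC_OFF:MAGIC_OFF + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    opts = {}

    def absorb(area):
        for code, val in _walk(area):
            opts[code] = opts.get(code, b"") + val

    absorb(pkt[MAGIC_OFF + 4:])
    ov = opts.get(52)
    overload = ov[0] if ov else 0
    if overload & OVERLOAD_FILE:
        absorb(pkt[FILE_OFF:MAGIC_OFF])
    if overload & OVERLOAD_SNAME:
        absorb(pkt[SNAME_OFF:FILE_OFF])
    return opts


def to_eve(pkt):
    """Flatten the parsed options into EVE-style keys like those the test asserts on."""
    opts = parse_dhcp_options(pkt)
    ev = {"id": struct.unpack("!I", pkt[4:8])[0],       # xid
          "client_mac": pkt[28:34].hex(":")}            # first 6 bytes of chaddr
    if 53 in opts:
        ev["dhcp_type"] = MSG_TYPES.get(opts[53][0], "unknown")
    for code, key in ((3, "routers"), (6, "dns_servers")):
        if code in opts:
            raw = opts[code]
            ev[key] = [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
    if 15 in opts:
        ev["domain"] = opts[15].rstrip(b"\x00").decode()
    if 51 in opts:
        ev["lease_time"] = struct.unpack("!I", opts[51])[0]
    if 52 in opts:
        ev["overload"] = opts[52][0]
    if 56 in opts:
        ev["message"] = opts[56].decode()
    return ev


def tlv(code, val):
    return bytes([code, len(val)]) + val


def build(op, msg_type, inline, sname=b"", file=b"", xid=0x3903F326):
    """Constructed BOOTP frame; sname/file are padded to their 64/128-byte slots."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, bytes([192, 168, 1, 100]), b"\0" * 4, b"\0" * 4,
                      bytes.fromhex("001122334455") + b"\0" * 10,
                      sname.ljust(64, b"\0"), file.ljust(128, b"\0"))
    return hdr + MAGIC + tlv(53, bytes([msg_type])) + inline + b"\xff"


DNS, ROUTER, DOMAIN = bytes([8, 8, 8, 8]), bytes([192, 168, 1, 1]), b"lab.example"
LEASE = tlv(51, struct.pack("!I", 3600))

# Overloaded OFFER (overload=2): the inline block shows only lease time and
# option 52; dns_servers/routers/domain ride in the sname area.
OFFER_OVERLOAD = build(2, 2, LEASE + tlv(52, b"\x02"),
                       sname=tlv(6, DNS) + tlv(3, ROUTER) + tlv(15, DOMAIN) + b"\xff")

# Control OFFER: same values inline; sname holds a plain server name that a
# parser must not read as options.
OFFER_INLINE = build(2, 2, LEASE + tlv(6, DNS) + tlv(3, ROUTER) + tlv(15, DOMAIN),
                     sname=b"dhcp-srv")

# DISCOVER with overload=3 carrying only Option 56 in both areas; read order
# is options, file, then sname, so the two fragments concatenate in that order.
DISCOVER_BOTH = build(1, 1, tlv(52, b"\x03") + LEASE,
                      file=tlv(56, b"file part") + b"\xff",
                      sname=tlv(56, b" sname part") + b"\xff")

if __name__ == "__main__":
    for name, pkt in (("offer/overload=2", OFFER_OVERLOAD),
                      ("offer/inline", OFFER_INLINE),
                      ("discover/overload=3", DISCOVER_BOTH)):
        print(name, to_eve(pkt))
```

Running it shows the overloaded OFFER and the inline OFFER producing the same dns_servers, routers and domain values, which is exactly the equivalence the verification test pins down; a parser that skipped the overloaded areas would log the first OFFER with nothing but a lease time. The inline control packet also shows why the overload flag, not the presence of bytes in `sname`, must gate the parsing: `dhcp-srv` is a legitimate server name and would decode as garbage TLVs if read unconditionally.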