OISF · victorjulien · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
@@ -52,6 +52,9 @@ esec       IP Extended Security
 lsrr       Loose Source Routing
 ssrr       Strict Source Routing
 satid      Stream Identifier
+qs         Quick-Start
+rtralt     Router Alert
+cipso      Commercial Security
 any        any IP options are set
 =========  =============================
 
@@ -793,3 +796,59 @@ Example rule:
 .. container:: example-rule
 
     alert ip $EXTERNAL_NET any -> $HOME_NET any (:example-rule-emphasis:`icmpv6.mtu:<1280;` sid:1234; rev:5;)
+
+
+IGMP keywords
+-------------
+
+The Internet Group Management Protocol (IGMP) is the protocol used by IPv4
+systems to report their IP multicast group memberships to neighboring
+multicast routers [RFC 9776].
+
+Additionally, the RGMP protocol is a dialect of IGMP. The keywords below
+also apply to RGMP. RGMP is defined in RFC 3488.
+
+igmp.hdr
+^^^^^^^^
+
+Sticky buffer to match on the whole IGMP header.
+
+Example rule:
+
+.. container:: example-rule
+
+   alert igmp any any -> any any (:example-rule-emphasis:`igmp.hdr; content:"|22|"; startswith;` sid:1234; rev:5;)
+
+
+igmp.type
+^^^^^^^^^
+
+Match on the IGMP type field.
+
+``igmp.type`` uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
+Format::
+
+  igmp.type:0x11;
+
+
+Example rule:
+
+.. container:: example-rule
+
+   alert igmp any any -> any any (:example-rule-emphasis:`igmp.type:0x22;` sid:1234; rev:5;)
+
+
+igmp-csum
+^^^^^^^^^
+
+Match on the validity of the checksum field.
+
+Format::
+
+  igmp-csum:valid;
+  igmp-csum:invalid;
+
+.. container:: example-rule
+
+   alert igmp any any -> any any (:example-rule-emphasis:`igmp-csum:invalid;` sid:1234; rev:5;)
@@ -2545,6 +2545,23 @@
                 ]
             }
         },
+        "igmp": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "type": {
+                    "type": "integer",
+                    "suricata": {
+                        "keywords": [
+                            "igmp.type"
+                        ]
+                    }
+                },
+                "version": {
+                    "type": "integer"
+                }
+            }
+        },
         "ike": {
             "type": "object",
             "additionalProperties": false,
@@ -5106,6 +5123,20 @@
             },
             "optional": true
         },
+        "rgmp": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "type": {
+                    "type": "integer",
+                    "suricata": {
+                        "keywords": [
+                            "igmp.type"
+                        ]
+                    }
+                }
+            }
+        },
         "rpc": {
             "type": "object",
             "additionalProperties": false,
@@ -6619,6 +6650,24 @@
                                         }
                                     }
                                 },
+                                "igmp": {
+                                    "type": "object",
+                                    "additionalProperties": false,
+                                    "properties": {
+                                        "malformed": {
+                                            "type": "integer",
+                                            "description": "IGMP with malformed data"
+                                        },
+                                        "pkt_too_small": {
+                                            "type": "integer",
+                                            "description": "IGMP packets too small to fit a IGMP header"
+                                        },
+                                        "v3_pkt_too_small": {
+                                            "type": "integer",
+                                            "description": "IGMPv3 packets too small to fit a IGMP header"
+                                        }
+                                    }
+                                },
                                 "ipraw": {
                                     "type": "object",
                                     "additionalProperties": false,
@@ -7058,6 +7107,10 @@
                             "type": "integer",
                             "description": "Number of IEEE802.1ah packets decoded"
                         },
+                        "igmp": {
+                            "type": "integer",
+                            "description": "Number of IGMP packets decoded"
+                        },
                         "invalid": {
                             "type": "integer",
                             "description": "Number of invalid packets decoded"

@@ -120,6 +120,8 @@ alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-cs
 alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; classtype:protocol-command-decode; sid:2200077; rev:2;)
 alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; classtype:protocol-command-decode; sid:2200078; rev:2;)
 alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; classtype:protocol-command-decode; sid:2200079; rev:2;)
+alert igmp any any -> any any (msg:"SURICATA IGMP invalid checksum"; igmp-csum:invalid; classtype:protocol-command-decode; sid:2200126; rev:1;)
+
 # IPv4 in IPv6 rules
 alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 packet too short"; decode-event:ipv6.ipv4_in_ipv6_too_small; classtype:protocol-command-decode; sid:2200082; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; decode-event:ipv6.ipv4_in_ipv6_wrong_version; classtype:protocol-command-decode; sid:2200083; rev:2;)
@@ -157,6 +159,11 @@ alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; dec
 # Capture events.
 alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
 
+# IGMP
+alert igmp any any -> any any (msg:"SURICATA IGMP packet too small"; decode-event:igmp.pkt_too_small; classtype:protocol-command-decode; sid:2200127; rev:1;)
+alert igmp any any -> any any (msg:"SURICATA IGMPv3 packet too small"; decode-event:igmp.v3_pkt_too_small; classtype:protocol-command-decode; sid:2200128; rev:1;)
+alert igmp any any -> any any (msg:"SURICATA IGMP malformed packet"; decode-event:igmp.malformed; classtype:protocol-command-decode; sid:2200129; rev:1;)
+
 alert ipv4 any any -> any any (msg:"SURICATA IPv4 unknown protocol"; decode-event:ipv4.unknown_protocol; threshold: type limit, track by_src, seconds 60, count 1;classtype:protocol-command-decode; sid:2200125;)
-# next sid is 2200126
+# next sid is 2200130
 
@@ -74,6 +74,7 @@ noinst_HEADERS = \
 	decode-gre.h \
 	decode-icmpv4.h \
 	decode-icmpv6.h \
+	decode-igmp.h \
 	decode-ipv4.h \
 	decode-ipv6.h \
 	decode-mpls.h \
@@ -227,6 +228,8 @@ noinst_HEADERS = \
 	detect-icmpv6hdr.h \
 	detect-icode.h \
 	detect-id.h \
+	detect-igmphdr.h \
+	detect-igmp-type.h \
 	detect-ipaddr.h \
 	detect-ipopts.h \
 	detect-ipproto.h \
@@ -651,6 +654,7 @@ libsuricata_c_a_SOURCES = \
 	decode-gre.c \
 	decode-icmpv4.c \
 	decode-icmpv6.c \
+	decode-igmp.c \
 	decode-ipv4.c \
 	decode-ipv6.c \
 	decode-mpls.c \
@@ -804,6 +808,8 @@ libsuricata_c_a_SOURCES = \
 	detect-icmpv6hdr.c \
 	detect-icode.c \
 	detect-id.c \
+	detect-igmphdr.c \
+	detect-igmp-type.c \
 	detect-ipaddr.c \
 	detect-ipopts.c \
 	detect-ipproto.c \
@@ -1172,6 +1178,7 @@ EXTRA_DIST = \
 	tests/detect-http2.c \
 	tests/detect-icmpv6-mtu.c \
 	tests/detect-icmpv6hdr.c \
+	tests/detect-igmphdr.c \
 	tests/detect-template.c \
 	tests/detect-transform-pcrexform.c \
 	tests/detect-ttl.c \

@@ -614,6 +614,20 @@ const struct DecodeEvents_ DEvents[] = {
             NSH_UNKNOWN_PAYLOAD,
     },
 
+    /* IGMP events */
+    {
+            "decoder.igmp.pkt_too_small",
+            IGMP_PKT_TOO_SMALL,
+    },
+    {
+            "decoder.igmp.v3_pkt_too_small",
+            IGMP_V3_PKT_TOO_SMALL,
+    },
+    {
+            "decoder.igmp.malformed",
+            IGMP_MALFORMED,
+    },
+
     /* GENERIC EVENTS */
     {
             "decoder.too_many_layers",

@@ -229,6 +229,11 @@ enum {
     NSH_UNSUPPORTED_TYPE,
     NSH_UNKNOWN_PAYLOAD,
 
+    /* IGMP events */
+    IGMP_PKT_TOO_SMALL,    /**< packet too small to fit the basic IGMP header */
+    IGMP_V3_PKT_TOO_SMALL, /**< packet too small to fit the IGMPv3 header */
+    IGMP_MALFORMED,
+
     /* generic events */
     GENERIC_TOO_MANY_LAYERS,