
dhcp: support option 52 overload#15348

Open
ssam18 wants to merge 2 commits intoOISF:mainfrom
ssam18:dhcp-option-52-overload-v2

Conversation

@ssam18

@ssam18 ssam18 commented May 9, 2026

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8538

Per RFC 2132 the BOOTP sname and file fields can hold extra DHCP options when the standard options area carries Option Overload (52), but the parser ignored those continuation areas. This closes the visibility gap reported in 8538 where attacker-controlled dns_servers, routers or domain values placed inside sname stayed invisible to EVE logging and detection. End-to-end testing on the reporter's pcap shows the overloaded OFFER and ACK now surfacing dns_servers 10.100.0.2 and routers 10.100.0.2 in eve.json, while the parallel benign flow in the same capture continues to report its inline values unchanged.

Replaces #15340.

Describe changes:

  • After parsing the main DHCP options, look up Option Overload (code 52) and walk the BOOTP file or sname continuation area as additional option streams, appending the parsed entries to the same options vector.
  • Add eight unit tests covering all three overload values, malformed continuation, no overload, and the actual pcap from issue 8538.
  • Document the new behavior in the EVE DHCP section of the user guide.
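The procedure described above (parse the main options area, look up option 52, then walk the overloaded file and sname fields as further option streams) as an added example. This is illustrative code written for this page, not Suricata's DHCP parser; the packet builder, the constructed OFFER and the `ipv4_list` helper are assumptions made here, and the continuation order (file before sname) follows RFC 2131. A truncated length in a continuation area ends that stream instead of panicking, which is the malformed-continuation case the PR tests mention.

```rust
// BOOTP fixed-header layout (RFC 951 / RFC 2131): offsets of the fields we need.
const SNAME_OFF: usize = 44;
const SNAME_LEN: usize = 64;
const FILE_OFF: usize = 108;
const FILE_LEN: usize = 128;
const OPTIONS_OFF: usize = 240; // magic cookie occupies bytes 236..240
const MAGIC: [u8; 4] = [0x63, 0x82, 0x53, 0x63];

const OPT_PAD: u8 = 0;
const OPT_ROUTERS: u8 = 3;
const OPT_DNS_SERVERS: u8 = 6;
const OPT_OVERLOAD: u8 = 52;
const OPT_MSG_TYPE: u8 = 53;
const OPT_END: u8 = 255;

#[derive(Debug, Clone, PartialEq)]
pub struct DhcpOption {
    pub code: u8,
    pub data: Vec<u8>,
}

/// Parse one code/len/value option stream. PAD is skipped, END stops the
/// stream, and a length that runs past the buffer ends the stream early.
pub fn parse_option_stream(buf: &[u8]) -> Vec<DhcpOption> {
    let mut opts = Vec::new();
    let mut i = 0;
    while i < buf.len() {
        let code = buf[i];
        match code {
            OPT_PAD => i += 1,
            OPT_END => break,
            _ => {
                if i + 1 >= buf.len() {
                    break; // code byte with no length byte
                }
                let len = buf[i + 1] as usize;
                let (start, end) = (i + 2, i + 2 + len);
                if end > buf.len() {
                    break; // truncated value: stop rather than read out of bounds
                }
                opts.push(DhcpOption { code, data: buf[start..end].to_vec() });
                i = end;
            }
        }
    }
    opts
}

/// Parse the options area, then honour option 52 by appending whatever the
/// overloaded file and/or sname fields carry to the same option vector.
pub fn parse_dhcp_options(pkt: &[u8]) -> Option<Vec<DhcpOption>> {
    if pkt.len() < OPTIONS_OFF || pkt[236..240] != MAGIC[..] {
        return None; // too short or not a DHCP message
    }
    let mut opts = parse_option_stream(&pkt[OPTIONS_OFF..]);
    let overload = opts
        .iter()
        .find(|o| o.code == OPT_OVERLOAD && o.data.len() == 1)
        .map(|o| o.data[0]);
    if let Some(flag) = overload {
        // RFC 2132: 1 = file field holds options, 2 = sname field, 3 = both.
        if flag & 1 != 0 {
            opts.extend(parse_option_stream(&pkt[FILE_OFF..FILE_OFF + FILE_LEN]));
        }
        if flag & 2 != 0 {
            opts.extend(parse_option_stream(&pkt[SNAME_OFF..SNAME_OFF + SNAME_LEN]));
        }
    }
    Some(opts)
}

/// Render every IPv4 address carried by options with the given code
/// (what a logger would emit as dns_servers / routers).
pub fn ipv4_list(opts: &[DhcpOption], code: u8) -> Vec<String> {
    opts.iter()
        .filter(|o| o.code == code)
        .flat_map(|o| {
            o.data
                .chunks_exact(4)
                .map(|c| format!("{}.{}.{}.{}", c[0], c[1], c[2], c[3]))
        })
        .collect()
}

/// Build a minimal BOOTREPLY with the given sname, file and options bytes
/// (assumed helper for constructing test input; unused header fields stay zero).
pub fn build_packet(sname: &[u8], file: &[u8], options: &[u8]) -> Vec<u8> {
    let mut pkt = vec![0u8; OPTIONS_OFF];
    pkt[0] = 2; // op = BOOTREPLY
    pkt[SNAME_OFF..SNAME_OFF + sname.len()].copy_from_slice(sname);
    pkt[FILE_OFF..FILE_OFF + file.len()].copy_from_slice(file);
    pkt[236..240].copy_from_slice(&MAGIC);
    pkt.extend_from_slice(options);
    pkt
}

/// Constructed OFFER: the options area carries only the message type and
/// option 52 = 2, while dns_servers and routers sit inside sname.
pub fn sample_overloaded_offer() -> Vec<u8> {
    let options = [OPT_MSG_TYPE, 1, 2, OPT_OVERLOAD, 1, 2, OPT_END];
    let sname = [OPT_DNS_SERVERS, 4, 10, 100, 0, 2, OPT_ROUTERS, 4, 10, 100, 0, 2, OPT_END];
    build_packet(&sname, &[], &options)
}

fn main() {
    let opts = parse_dhcp_options(&sample_overloaded_offer()).expect("valid DHCP");
    println!("dns_servers: {:?}", ipv4_list(&opts, OPT_DNS_SERVERS));
    println!("routers:     {:?}", ipv4_list(&opts, OPT_ROUTERS));
}
```

Without the option 52 lookup, the sample OFFER logs no dns_servers or routers at all, which is exactly the blind spot the ticket describes; with it, both surface as 10.100.0.2 while a packet whose sname holds option bytes but no option 52 is still left alone.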

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#3074
SU_REPO=
SU_BRANCH=

ssam18 added 2 commits May 9, 2026 08:26

Commit 1:

Per RFC 2132 the BOOTP sname and file fields can hold extra DHCP
options when option 52 is present, but the parser ignored them. After
parsing the main options we now look up option 52 and walk sname or
file as additional option streams, appending what we find to the same
options vector so the logger and detection keywords see the
overloaded values too. Bug: OISF#8538.

Commit 2:

Document that DHCP options carried in the overloaded BOOTP sname or
file fields are now merged into the EVE log option set alongside the
main options area. Bug: OISF#8538.
