Skip to content

dhcp: support option 52 overload#15348

Open
ssam18 wants to merge 2 commits into
OISF:mainfrom
ssam18:dhcp-option-52-overload-v2
Open

dhcp: support option 52 overload#15348
ssam18 wants to merge 2 commits into
OISF:mainfrom
ssam18:dhcp-option-52-overload-v2

Conversation

@ssam18
Copy link
Copy Markdown

@ssam18 ssam18 commented May 9, 2026
edited
Loading

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8538

Per RFC 2132 the BOOTP sname and file fields can hold extra DHCP options when the standard options area carries Option Overload (52), but the parser ignored those continuation areas. This closes the visibility gap reported in 8538 where attacker controlled dns_servers, routers or domain values placed inside sname stayed invisible to EVE logging and detection. End to end testing on the reporter pcap shows the overloaded OFFER and ACK now surfacing dns_servers 10.100.0.2 and routers 10.100.0.2 in eve.json, while the parallel benign flow in the same capture continues to report its inline values unchanged.

Replaces #15340.

Describe changes:

  • After parsing the main DHCP options, look up Option Overload (code 52) and walk the BOOTP file or sname continuation area as additional option streams, appending the parsed entries to the same options vector.
  • Add eight unit tests covering all three overload values, malformed continuation, no overload, and the actual pcap from issue 8538.
  • Document the new behavior in the EVE DHCP section of the user guide.

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#3074
SU_REPO=
SU_BRANCH=

@ssam18 ssam18 mentioned this pull request May 9, 2026
Closed
catenacyber
catenacyber requested changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this work : a quick remark : The pcap file does not belong to Suricata repository

ssam18 added 2 commits May 13, 2026 08:40
@ssam18
dhcp: support option 52 overload
a634e1b 
Per RFC 2132 the BOOTP sname and file fields can hold extra DHCP
options when option 52 is present, but the parser ignored them. After
parsing the main options we now look up option 52 and walk sname or
file as additional option streams, appending what we find to the same
options vector so the logger and detection keywords see the
overloaded values too.

Bug: OISF#8538.
@ssam18
doc: dhcp eve note for option 52 overload
566d06a 
Document that DHCP options carried in the overloaded BOOTP sname or
file fields are now merged into the EVE log option set alongside the
main options area.

Bug: OISF#8538.
@ssam18 ssam18 force-pushed the dhcp-option-52-overload-v2 branch from 20f9899 to 566d06a Compare May 13, 2026 13:41
@ssam18
Copy link
Copy Markdown
Author

ssam18 commented May 13, 2026

@catenacyber done, force pushed the branch with sname_overload.pcap removed along with the one unit test that loaded it via include_bytes!. The seven synthetic byte-buffer tests still cover the three overload values plus malformed-continuation and no-overload regression cases, and the real pcap is kept in the suricata-verify side at OISF/suricata-verify#3074.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 13, 2026

NOTE: This PR may contain new authors.

@codecov
Copy link
Copy Markdown

codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 96.68874% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.64%. Comparing base (8968b1c) to head (566d06a).
⚠️ Report is 19 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #15348      +/-   ##
==========================================
- Coverage   82.66%   82.64%   -0.03%     
==========================================
  Files         995      996       +1     
  Lines      271046   271260     +214     
==========================================
+ Hits       224069   224172     +103     
- Misses      46977    47088     +111
Flag Coverage Δ
fuzzcorpus 61.03% <90.32%> (-0.03%) ⬇️
livemode 18.36% <0.00%> (-0.03%) ⬇️
netns 22.56% <0.00%> (-0.07%) ⬇️
pcap 45.17% <87.09%> (-0.06%) ⬇️
suricata-verify 66.36% <87.09%> (-0.04%) ⬇️
unittests 58.58% <96.68%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ssam18
Copy link
Copy Markdown
Author

ssam18 commented May 13, 2026

@lukashino please assign the issue to me

@lukashino
Copy link
Copy Markdown
Contributor

lukashino commented May 14, 2026

Done!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@catenacyber catenacyber catenacyber requested changes

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ssam18 @lukashino @catenacyber