output/ipv6: Add configuration option to shorten IPv6 IP addresses

doc/userguide/configuration/suricata-yaml.rst

@@ -1535,6 +1535,20 @@ the default behavior).
 
 Each supported protocol has a dedicated subsection under ``protocols``.
 
+Default IPv6 address output format
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+IPv6 addresses are output in their long form by default. To output addresses in their shortened form,
+per RFC-5952, set the following configuration variable to ``yes``::
+
+  global:
+      ipv6-addr-shorten: yes
+
+Here's an example of a IPv6 address with its shortened value::
+
+  ``fe80:0000:0000:0000:020c:29ff:faf2:ab42``
+  ``fe80::20c:29ff:faf2:ab42``
+
 Asn1_max_frames
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

rust/src/utils/ip_addr.rs

@@ -0,0 +1,180 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+// Author: Jeff Lucovsky <jlucovsky@oisf.net>
+
+use std::ffi::{c_char, c_uchar};
+use std::net::Ipv6Addr;
+
+/// Writes the shortened IPv6 string into `out_buf`, which has length `out_len`.
+/// Returns the number of bytes written (excluding the null terminator),
+/// or 0 on error (invalid addr pointer, buffer too small, etc.)
+#[no_mangle]
+pub unsafe extern "C" fn SCIPv6Shorten(
+    addr: *const c_uchar, // pointer to 16-byte IPv6
+    out_buf: *mut c_char, // out buffer allocated by caller
+    out_len: usize,       // size of out buffer
+) -> usize {
+    if addr.is_null() || out_buf.is_null() {
+        return 0;
+    }
+
+    // get 16-byte IPv6 address
+    let bytes = std::slice::from_raw_parts(addr, 16);
+
+    let mut fixed = [0u8; 16];
+    fixed.copy_from_slice(bytes);
+    let ipv6 = Ipv6Addr::from(fixed);
+
+    // RFC 5952 compressed format
+    let ipv6_str = ipv6.to_string();
+
+    // Sufficient room?
+    if ipv6_str.len() + 1 > out_len {
+        return 0;
+    }
+
+    // Copy string + NULL termination
+    std::ptr::copy_nonoverlapping(ipv6_str.as_ptr(), out_buf as *mut u8, ipv6_str.len());
+
+    ipv6_str.len()
+}
+
+#[cfg(test)]
+mod tests {
+
+    use super::*;
+    use std::os::raw::{c_char, c_uchar};
+
+    struct ShortenResult {
+        string: String,
+        len: usize,
+    }
+
+    fn call_shortener(bytes: &[u8; 16]) -> Option<ShortenResult> {
+        let mut out = vec![0u8; 64];
+        let len = unsafe {
+            SCIPv6Shorten(
+                bytes.as_ptr() as *const c_uchar,
+                out.as_mut_ptr() as *mut c_char,
+                out.len(),
+            )
+        };
+
+        if len == 0 {
+            return None;
+        }
+
+        let s = String::from_utf8(out[..len].to_vec()).unwrap();
+        Some(ShortenResult { string: s, len })
+    }
+
+    #[test]
+    fn test_ipv6_shorten_success_zero_addr() {
+        let addr = [0u8; 16];
+        let out = call_shortener(&addr).unwrap();
+        assert_eq!(out.string, "::");
+        assert_eq!(out.len, 2);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_success_loopback() {
+        let mut addr = [0u8; 16];
+        addr[15] = 1; // ::1
+        let out = call_shortener(&addr).unwrap();
+        assert_eq!(out.string, "::1");
+        assert_eq!(out.len, 3);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_success_normal_addr() {
+        let addr = [
+            0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x01,
+        ];
+        let out = call_shortener(&addr).unwrap();
+        assert_eq!(out.string, "2001:db8::1");
+        assert_eq!(out.len, 11);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_success_ipv4_mapped() {
+        let addr: [u8; 16] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 168, 0, 1];
+        let out = call_shortener(&addr).unwrap();
+        assert_eq!(out.string, "::ffff:192.168.0.1");
+        assert_eq!(out.len, 18);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_success_no_zero_compression() {
+        // 2001:db8:1:2:3:4:5:6 (fully expanded, no zero-run)
+        let addr: [u8; 16] = [
+            0x20, 0x01, 0x0d, 0xb8, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, 0x00, 0x05,
+            0x00, 0x06,
+        ];
+        let out = call_shortener(&addr).unwrap();
+        assert_eq!(out.string, "2001:db8:1:2:3:4:5:6");
+        assert_eq!(out.len, 20);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_fail_null_addr() {
+        let mut out = vec![0u8; 64];
+        let len =
+            unsafe { SCIPv6Shorten(std::ptr::null(), out.as_mut_ptr() as *mut c_char, out.len()) };
+        assert_eq!(len, 0);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_fail_null_out_buf() {
+        let addr = [0u8; 16];
+        let len =
+            unsafe { SCIPv6Shorten(addr.as_ptr() as *const c_uchar, std::ptr::null_mut(), 64) };
+        assert_eq!(len, 0);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_fail_out_buf_too_small() {
+        let addr = [0u8; 16];
+        // "::" is 2 bytes + NUL = 3, so give only length 2
+        let mut out = vec![0u8; 2];
+        let len = unsafe {
+            SCIPv6Shorten(
+                addr.as_ptr() as *const c_uchar,
+                out.as_mut_ptr() as *mut c_char,
+                out.len(),
+            )
+        };
+        assert_eq!(len, 0);
+    }
+
+    #[test]
+    fn test_ipv6_shorten_fail_exactly_one_byte_short() {
+        let addr = [0u8; 16];
+        let compressed = "::";
+        let needed = compressed.len() + 1; // for NUL
+        let mut out = vec![0u8; needed - 1]; // one byte too small
+        let len = unsafe {
+            SCIPv6Shorten(
+                addr.as_ptr() as *const c_uchar,
+                out.as_mut_ptr() as *mut c_char,
+                out.len(),
+            )
+        };
+        assert_eq!(len, 0);
+    }
+}

rust/src/utils/mod.rs

@@ -17,3 +17,4 @@
 
 pub mod base64;
 pub mod datalink;
+pub mod ip_addr;

src/suricata.c

@@ -134,6 +134,7 @@
 #include "util-path.h"
 #include "util-pidfile.h"
 #include "util-plugin.h"
+#include "util-print.h"
 #include "util-privs.h"
 #include "util-profiling.h"
 #include "util-proto-name.h"
@@ -2934,6 +2935,12 @@ int PostConfLoadedSetup(SCInstance *suri)
         SCReturnInt(TM_ECODE_FAILED);
     }
 
+    SCConfNode *shorten_ipv6 = SCConfGetNode("global.ipv6-addr-shorten");
+    if (shorten_ipv6 && shorten_ipv6->val && SCConfValIsTrue(shorten_ipv6->val)) {
+        SCLogConfig("IPv6 addresses will be shortened in output per RFC 5952");
+        SetPrintShortenedInetV6(true);
+    }
+
     if (suri->disabled_detect) {
         SCLogConfig("detection engine disabled");
         /* disable raw reassembly */

src/util-print.c

@@ -30,6 +30,8 @@
 #include "util-validate.h"
 #include "rust.h"
 
+static bool g_shorten_ipv6 = false;
+
 /**
  *  \brief print a buffer as hex on a single line
  *
@@ -208,6 +210,14 @@ void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32
 
 static const char *PrintInetIPv6(const void *src, char *dst, socklen_t size)
 {
+    if (g_shorten_ipv6) {
+        if (SCIPv6Shorten(src, dst, size)) {
+            return dst;
+        }
+
+        // If we can't shorten it, use long-form */
+    }
+
     char s_part[6];
     uint16_t x[8];
     memcpy(&x, src, 16);
@@ -252,6 +262,11 @@ const char *PrintInet(int af, const void *src, char *dst, socklen_t size)
     return NULL;
 }
 
+void SetPrintShortenedInetV6(bool shorten)
+{
+    g_shorten_ipv6 = shorten;
+}
+
 void PrintHexString(char *str, size_t size, uint8_t *buf, size_t buf_len)
 {
     DEBUG_VALIDATE_BUG_ON(size < 2 * buf_len);

src/util-print.h

@@ -39,6 +39,7 @@
         }                                                               \
     } while (0)
 
+void SetPrintShortenedInetV6(bool shorten);
 void PrintBufferRawLineHex(char *, int *,int, const uint8_t *, uint32_t);
 void PrintRawUriFp(FILE *, const uint8_t *, uint32_t);
 void PrintRawUriBuf(char *, uint32_t *, uint32_t, const uint8_t *, size_t);

suricata.yaml.in

@@ -1273,6 +1273,14 @@ app-layer:
     mdns:
       enabled: yes
 
+#
+# Settings that affect Suricata on a global level.
+#
+global:
+
+  # Shorten IPv6 addresses per RFC 5952 before logging. The default is no
+  #ipv6-addr-shorten: no
+
 # Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256