<div>The log pcap file is attached to this email.</div><div> </div><div>Elie<br></div><div class="gmail_quote">On 29 March 2012 16:30, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">Can you share the pcaps you created/recorded? Saves us a lot of time<br>
debugging.<br>
<br>
Thanks,<br>
Victor<br>
<div class="im"><br>
On 03/29/2012 04:27 PM, Michel SABORDE wrote:<br>
> Results are the same with -r.<br>
> On 29 March 2012 15:09, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a><br>
</div>> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>> wrote:<br>
<div class="im">><br>
> Hi Michel,<br>
><br>
> If you read the pcaps (-r option, read pcap) from your tests -<br>
> would the results be the same?<br>
> If you would like, you could share privately the pcaps with the<br>
> yaml conf?<br>
><br>
> Thanks<br>
><br>
> On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE<br>
</div><div class="im">> <<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>> wrote:<br>
><br>
> Thanks for your answer.<br>
><br>
> I already looked into everything you mentioned.<br>
><br>
> I'm doing the three-way handshake and I added the correct<br>
> ip6tables rule to prevent the kernel from sending the RST.<br>
><br>
> I also looked into checksums and disabled the<br>
> checksum_validation from suricata config file, I also checked<br>
> with wireshark, all the checksums are correct.<br>
><br>
> It must be something else.<br>
><br>
> On 29 March 2012 13:39, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a><br>
</div>> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>> wrote:<br>
<div class="im">><br>
> also you could try/check - with scapy make sure your<br>
> checksumming is correct.... and it is disabled in the yaml conf<br>
><br>
><br>
> On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev<br>
</div><div class="im">> <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>> wrote:<br>
><br>
> Hi,<br>
><br>
> When you are using the Scapy script - are you doing the<br>
> three-way handshake with scapy?<br>
><br>
> Because if so - there is a rule that you have to add to<br>
> your iptables, since scapy would send S, the server<br>
> would return the SA and the kernel/OS would send back a<br>
> Reject since it never sent a S (it is not aware that<br>
> scapy sent it).<br>
><br>
> The way around this is to put an iptables rule that would<br>
> stop the R coming from the client to the www server.<br>
><br>
> Also just have a look at the traffic with<br>
> wireshark/tcpdump to see if that is not the problem.<br>
><br>
> Thanks<br>
><br>
> On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE<br>
> <<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
</div><div><div class="h5">> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>> wrote:<br>
><br>
> Hello everyone,<br>
><br>
> I'm trying to test the IPv6 implementation of<br>
> suricata so I'm doing a bunch of tests.<br>
> For that, I have installed a clean apache2 on a<br>
> clean server with a single html page called bad.html<br>
> and I made a simple rule to do an alert if someone<br>
> tries to access it :<br>
><br>
> alert tcp any any <> any any (msg:"[ALERT]<br>
> bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)<br>
> If I do a simple access with my browser (iceweasel)<br>
> from a remote computer, the alert is triggered.<br>
> At this point, everything looks fine.<br>
><br>
> If I now try to access it "manually" with a scapy<br>
> script by adding some extension headers, no alert is<br>
> triggered and I can retrieve the html page.<br>
> I tried with :<br>
> - Fragmentation header<br>
> - Hop-By-Hop header<br>
> - Destination header<br>
> - Routing header type 0 without any addresses<br>
><br>
> I tried to change the rule from tcp to ip :<br>
><br>
> alert ip any any <> any any (msg:"[ALERT] bad.html";<br>
> content:"bad.html"; nocase; sid:1; rev:1;)<br>
> Then, the alert is triggered only with :<br>
> - Hop-By-Hop header<br>
> - Destination header<br>
> But not with :<br>
> - Fragmentation header<br>
> - Routing header type 0 without any addresses<br>
><br>
> Maybe I missed something in the config file of<br>
> suricata ?<br>
> My opinion is that suricata should always trigger<br>
> the alert in every case.<br>
><br>
> I'm using suricata 1.2.1 on a debian 6.0 with a<br>
> 2.6.32 kernel.<br>
><br>
> Thanks in advance for your help<br>
><br>
> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
</div></div>> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
<div class="im">> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> --<br>
> Regards,<br>
> Peter Manev<br>
><br>
<br>
<br>
--<br>
</div>---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br>
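<div>The thread turns on one decoder question: a rule written as <code>alert tcp ... content:"bad.html"</code> can only fire if the IDS follows the IPv6 Next Header chain through every extension header to reach TCP, and a fragment header additionally means the transport header may not be in this packet at all. The toy decoder below is an added example for readers of this thread, not code from the list, from Suricata or from any poster; it builds constructed test packets (documentation-prefix addresses, zero TCP checksum that is never validated) with the same four extension-header kinds the original post tried, walks the chain the way an IDS must, and applies a simplified version of the thread's content rule. The <code>require_tcp=False</code> mode is a loose stand-in for the poster's <code>alert ip</code> variant and makes no claim about Suricata's exact ip-rule semantics.</div>

```python
"""Toy IPv6 extension-header chain walker (added example, not from the thread).

Models what an IDS decoder must do before a rule such as
  alert tcp any any <> any any (content:"bad.html"; nocase; ...)
can fire on an IPv6 packet: follow the Next Header chain through any
extension headers to reach TCP, then search the TCP payload.
"""
import struct

# IANA protocol numbers used as IPv6 Next Header values
HOPOPTS, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60
EXT_NAMES = {HOPOPTS: "hop-by-hop", ROUTING: "routing",
             FRAGMENT: "fragment", DSTOPTS: "dst-opts"}

# Constructed addresses from the 2001:db8::/32 documentation prefix
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")


def ext_header(kind, next_header, frag_offset=0, more=False):
    """One minimal 8-byte extension header of the given kind (constructed)."""
    if kind == FRAGMENT:
        # next header, reserved, (fragment offset << 3 | M flag), identification
        return struct.pack("!BBHI", next_header, 0, (frag_offset << 3) | int(more), 0x1234)
    if kind == ROUTING:
        # next header, hdr ext len 0, routing type 0, segments left 0, 4 reserved bytes
        return struct.pack("!BBBB", next_header, 0, 0, 0) + b"\x00" * 4
    # hop-by-hop or destination options: next header, hdr ext len 0, one PadN(4) option
    return struct.pack("!BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])


def build_packet(ext_chain=(), payload=b"GET /bad.html HTTP/1.1\r\n\r\n",
                 frag_offset=0, more=False):
    """IPv6 header + extension headers in order + TCP/80 + payload.

    Test packet only: the TCP checksum is left at zero and never validated here.
    """
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    body, next_header = tcp, TCP
    for kind in reversed(list(ext_chain)):       # build from the innermost header outwards
        body = ext_header(kind, next_header, frag_offset, more) + body
        next_header = kind
    ipv6 = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64) + SRC + DST
    return ipv6 + body


def walk_chain(pkt):
    """Follow the Next Header chain.

    Returns (names of extension headers seen, transport protocol number,
    byte offset of the transport header, inspectable).  'inspectable' is
    False for a non-first fragment: its transport header sits in another
    fragment, so payload inspection needs reassembly first.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_NAMES:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_NAMES[nh])
        if nh == FRAGMENT:
            nh, _, off_flags, _ = struct.unpack("!BBHI", pkt[off:off + 8])
            off += 8
            if off_flags >> 3 != 0:
                return chain, nh, off, False
        else:
            # generic TLV header: length field counts 8-byte units beyond the first
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off > len(pkt):
        raise ValueError("chain runs past end of packet")
    return chain, nh, off, True


def rule_matches(pkt, content=b"bad.html", require_tcp=True):
    """Simplified model of the thread's content rule on one packet.

    require_tcp=True models 'alert tcp ...': the chain must end in TCP and the
    match runs over the TCP payload.  require_tcp=False is a loose stand-in for
    'alert ip ...' (match over everything after the chain), not a statement of
    Suricata's actual ip-rule semantics.
    """
    chain, transport, off, inspectable = walk_chain(pkt)
    if not inspectable:
        return False
    if require_tcp:
        if transport != TCP or off + 20 > len(pkt):
            return False
        off += (pkt[off + 12] >> 4) * 4          # skip TCP header (data offset in 32-bit words)
    return content.lower() in pkt[off:].lower()  # 'nocase'


if __name__ == "__main__":
    for chain in ([], [HOPOPTS], [DSTOPTS], [ROUTING], [FRAGMENT], [HOPOPTS, FRAGMENT, DSTOPTS]):
        print([EXT_NAMES[k] for k in chain], "->", rule_matches(build_packet(chain)))
    print("non-first fragment ->", rule_matches(build_packet([FRAGMENT], frag_offset=100)))
```

<div>Run as a script it prints a match for every chain that ends in TCP within the packet, and no match for the non-first fragment even though that test packet still literally carries the TCP bytes: a decoder that stops at the first header it does not understand, or that declines to look past a fragment header without reassembling, is exactly the gap the original poster was probing, and the pcaps Victor asked for are what lets a developer see which of those two cases applied.</div>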