<div>Hello everyone,</div><div> </div><div>I'm trying to test the IPv6 implementation of suricata so i'm doing a bunch of tests.</div><div>For that, i have installed a clean apache2 on a clean server with a single html page called bad.html and i made a simple rule to do an alert if someone tries to access it :</div>
<div> </div><div>alert tcp any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)<br></div><div>If i do a simple access with my browser (iceweasel) from a remote computer, the alert is triggered.</div>
<div>At this point, everything looks fine.</div><div> </div><div>If i now try to access it "manually" with a scapy script by adding some extension headers, no alert is triggered and i can retrieve the html page.</div>
<div>I tried with :</div><div>- Fragmentation header</div><div>- Hop-By-Hop header</div><div>- Destination header</div><div>- Routing header type 0 without any addresses</div><div> </div><div>I tried to change the rule from tcp to ip :</div>
<div> </div><div><div>alert ip any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)<br></div><div>Then, the alert is triggered only with :</div><div><div>- Hop-By-Hop header</div>
<div>- Destination header</div><div>But not with :</div><div>- Fragmentation header</div><div>- Routing header type 0 without any addresses</div><div> </div><div>Maybe i missed something in the config file of suricata ?</div>
<div>My opinion is that suricata should always trigger the alert in every case.</div><div> </div><div>I'm using suricata 1.2.1 on a debian 6.0 with a 2.6.32 kernel.</div><div> </div><div>Thanks in advance for your help</div>
</div></div>