Hi Michel,<br><br>Does the pcap you provided contain all of the following tests:<br><div>- Fragmentation header</div><div>- Hop-By-Hop header</div><div>- Destination header</div><div>- Routing header type 0 without any addresses<br>
<br>or is it just some of them?<br><br>thanks<br></div><br><br><div class="gmail_quote">On Thu, Mar 29, 2012 at 4:56 PM, Michel SABORDE <span dir="ltr"><<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>The log pcap file is attached to this email.</div><div> </div><div>Elie<br></div><div class="gmail_quote">On 29 Mar 2012 16:30, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<div>
<div class="h5"><br>

<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">Can you share the pcaps you created/recorded? Saves us a lot of time<br>
debugging.<br>
<br>
Thanks,<br>
Victor<br>
<div><br>
On 03/29/2012 04:27 PM, Michel SABORDE wrote:<br>
> Results are the same with -r.<br>
> On 29 Mar 2012 15:09, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a><br>
</div>> <mailto:<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>> wrote:<br>
<div>><br>
>     Hi Michel,<br>
><br>
>     If you read the pcaps (-r option, read pcap) from your tests -<br>
>     would the results be the same?<br>
>     If you would like, you could share privately the pcaps with the<br>
>     yaml conf?<br>
><br>
>     Thanks<br>
><br>
>     On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE<br>
</div><div>>     <<a href="mailto:michel.saborde@gmail.com" target="_blank">michel.saborde@gmail.com</a> <mailto:<a href="mailto:michel.saborde@gmail.com" target="_blank">michel.saborde@gmail.com</a>>> wrote:<br>

><br>
>         Thanks for your answer.<br>
><br>
>         I already looked into everything you mentioned.<br>
><br>
>         I'm doing the three-way handshake and I added the correct<br>
>         ip6tables rule to prevent the kernel from sending the RST.<br>
><br>
>         I also looked into checksums and disabled the<br>
>         checksum_validation from the suricata config file. I also checked<br>
>         with wireshark, all the checksums are correct.<br>
><br>
><br>
><br>
>         It must be something else.<br>
><br>
>         On 29 Mar 2012 13:39, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a><br>
</div>>         <mailto:<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>> wrote:<br>
<div>><br>
>             also you could try/check - with scapy make sure your<br>
>             checksumming is correct.... and it is disabled in the yaml conf<br>
><br>
><br>
>             On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev<br>
</div><div>>             <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>>> wrote:<br>
><br>
>                 Hi,<br>
><br>
>                 When you are using the Scapy script - are you doing the<br>
>                 three-way handshake with scapy?<br>
><br>
>                 Because if so - there is a rule that you have to add to<br>
>                 your iptables, since scapy would send S, the server<br>
>                 would return the SA and the kernel/OS would send back a<br>
>                 Reject since it never sent a S (it is not aware that<br>
>                 scapy sent it).<br>
><br>
>                 The way around this is to put an iptables rule that would<br>
>                 stop the R coming from the client to the www server.<br>
><br>
>                 Also just have a look at the traffic with<br>
>                 wireshark/tcpdump to see if that is not the problem.<br>
><br>
>                 Thanks<br>
><br>
>                 On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE<br>
>                 <<a href="mailto:michel.saborde@gmail.com" target="_blank">michel.saborde@gmail.com</a><br>
</div><div><div>>                 <mailto:<a href="mailto:michel.saborde@gmail.com" target="_blank">michel.saborde@gmail.com</a>>> wrote:<br>
><br>
>                     Hello everyone,<br>
><br>
>                     I'm trying to test the IPv6 implementation of<br>
>                     Suricata so I'm doing a bunch of tests.<br>
>                     For that, I have installed a clean apache2 on a<br>
>                     clean server with a single html page called bad.html<br>
>                     and I made a simple rule to do an alert if someone<br>
>                     tries to access it:<br>
><br>
>                     alert tcp any any <> any any (msg:"[ALERT]<br>
>                     bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)<br>
>                     If I do a simple access with my browser (iceweasel)<br>
>                     from a remote computer, the alert is triggered.<br>
>                     At this point, everything looks fine.<br>
><br>
>                     If I now try to access it "manually" with a scapy<br>
>                     script by adding some extension headers, no alert is<br>
>                     triggered and I can retrieve the html page.<br>
>                     I tried with:<br>
>                     - Fragmentation header<br>
>                     - Hop-By-Hop header<br>
>                     - Destination header<br>
>                     - Routing header type 0 without any addresses<br>
><br>
>                     I tried to change the rule from tcp to ip:<br>
><br>
>                     alert ip any any <> any any (msg:"[ALERT] bad.html";<br>
>                     content:"bad.html"; nocase; sid:1; rev:1;)<br>
>                     Then, the alert is triggered only with :<br>
>                     - Hop-By-Hop header<br>
>                     - Destination header<br>
>                     But not with :<br>
>                     - Fragmentation header<br>
>                     - Routing header type 0 without any addresses<br>
><br>
>                     Maybe I missed something in the config file of<br>
>                     Suricata?<br>
>                     My opinion is that Suricata should always trigger<br>
>                     the alert in every case.<br>
><br>
>                     I'm using Suricata 1.2.1 on a Debian 6.0 with a<br>
>                     2.6.32 kernel.<br>
><br>
>                     Thanks in advance for your help<br>
><br>
>                     _______________________________________________<br>
>                     Oisf-users mailing list<br>
>                     <a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
</div></div>>                     <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>><br>
<div>>                     <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
><br>
><br>
><br>
>                 --<br>
>                 Regards,<br>
>                 Peter Manev<br>
><br>
><br>
><br>
><br>
>             --<br>
>             Regards,<br>
>             Peter Manev<br>
><br>
><br>
><br>
><br>
><br>
>     --<br>
>     Regards,<br>
>     Peter Manev<br>
><br>
><br>
><br>
><br>
<br>
<br>
--<br>
</div>---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<div><div><br>
</div></div></blockquote></div></div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
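The thread leaves open why a <code>content:"bad.html"</code> match fires behind some IPv6 extension headers but not others. As an added example (not code from the thread, from Suricata, or from Michel's scapy script), the Python below walks the IPv6 next-header chain over constructed packets carrying each header Michel lists, so the TCP payload is reachable behind Hop-by-Hop, Destination, an atomic Fragment header and a Type 0 Routing header with no addresses; the one case a single packet genuinely cannot match is a fragment with more-fragments set, which needs reassembly first. Helper names, the all-zero addresses and the HTTP request are assumptions made for the example.

```python
import struct

HOPOPT, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60  # IANA protocol numbers
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}

def walk_ipv6(pkt):
    """Follow the next-header chain -> (upper_proto, upper_bytes, frag); frag is None or (offset, more)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag = pkt[6], 40, None
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == FRAGMENT:  # fixed 8 bytes: offset is the top 13 bits, M flag is bit 0
            field = struct.unpack_from("!H", pkt, off + 2)[0]
            frag, hdr_len = (field >> 3, bool(field & 1)), 8
        else:  # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = next_nh, off + hdr_len
    return nh, pkt[off:], frag

def alert_on_payload(pkt, needle=b"bad.html"):
    """Content match over the TCP payload (like content + nocase); a non-atomic fragment needs reassembly first."""
    proto, seg, frag = walk_ipv6(pkt)
    if proto != TCP or (frag and (frag[0] != 0 or frag[1])):
        return False
    data_off = (seg[12] >> 4) * 4  # TCP data offset, in 32-bit words
    return needle.lower() in seg[data_off:].lower()

# Constructed test packets (not captured traffic); addresses are all-zero placeholders.
def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + bytes(32) + payload
def opts_hdr(nh, payload):  # Hop-by-Hop or Destination options: one PadN option
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + payload
def frag_hdr(nh, payload, offset=0, more=False):
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), 1) + payload
def rth0_hdr(nh, payload):  # Routing Type 0 with zero addresses, Segments Left 0
    return bytes([nh, 0, 0, 0, 0, 0, 0, 0]) + payload
def tcp(payload):  # minimal 20-byte TCP header: data offset 5, PSH|ACK
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload

HTTP = b"GET /bad.html HTTP/1.1\r\nHost: server\r\n\r\n"
SAMPLES = {
    "hbh": ipv6(HOPOPT, opts_hdr(TCP, tcp(HTTP))),
    "dst": ipv6(DSTOPTS, opts_hdr(TCP, tcp(HTTP))),
    "frag": ipv6(FRAGMENT, frag_hdr(TCP, tcp(HTTP))),  # atomic fragment: offset 0, M=0
    "rth0": ipv6(ROUTING, rth0_hdr(TCP, tcp(HTTP))),
    "frag_more": ipv6(FRAGMENT, frag_hdr(TCP, tcp(HTTP), more=True)),  # needs reassembly
}
```

Feeding the same constructed packets through Suricata (written to a pcap and read back with -r) is the quickest way to see which of these chains its decoder actually follows.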