<div>The pcap is attach to this mail.</div><div>I tried with the same rule as before and no alert is trigerred.</div><div>I already tried reading the pcap with suricata so this pcap should reproduce the issue.</div><div>I may also have found something weird in fragmented ICMPv6 Echo Request / Reply.</div>
<div> </div><div>Michel<br></div><div class="gmail_quote">Le 3 avril 2012 11:05, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> a écrit :<br><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">
No, it should just work. You can't even disable it.<br>
<br>
If it doesn't work, can you share a pcap showing the issue?<br>
<div class="im"><br>
On 04/03/2012 11:03 AM, Michel SABORDE wrote:<br>
> Do i need to activate something in suricata config file to enable ipv6<br>
> defrag ?<br>
> Because right now, my current config does not enable ipv6 defrag.<br>
><br>
> Michel<br>
> Le 2 avril 2012 11:40, Michel SABORDE <<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
</div>> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>> a écrit :<br>
<div class="im">><br>
> I just tried my previous tests with the current git version and ipv6<br>
> support is much much better.<br>
> I think, you should consider adding a note on the website to tell<br>
> people who wants a real IPv6 support no to use the current stable<br>
> version but use the git instead.<br>
><br>
> Michel<br>
> Le 2 avril 2012 08:44, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a><br>
</div>> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>> a écrit :<br>
<div><div class="h5">><br>
> Cool, thanks for checking.<br>
><br>
> On 03/30/2012 09:50 PM, rmkml wrote:<br>
> > Sorry for disturb Victor,<br>
> > It's not a FP.<br>
> > Regards<br>
> > Rmkml<br>
> ><br>
> ><br>
> > On Fri, 30 Mar 2012, rmkml wrote:<br>
> ><br>
> >> Hi Victor,<br>
> >><br>
> >> First, big thx you for your time and skills!<br>
> >><br>
> >> Yes maybe a new FP with ip_proto option on ipv6 cause FP...<br>
> >> In my memory, if you create a rule with alert ip ...<br>
> ip_proto:30, with<br>
> >> ipv6 pcap: suricata fire...<br>
> >> Can you check? if confirm Im open a new ticket on redmine.<br>
> >><br>
> >> Best Regards<br>
> >> Rmkml<br>
> >><br>
> >><br>
> >> On Fri, 30 Mar 2012, Victor Julien wrote:<br>
> >><br>
> >>> On 03/29/2012 11:58 PM, rmkml wrote:<br>
> >>>> and Im found a new FP!<br>
> >>><br>
> >>> What did you find?<br>
> >><br>
> ><br>
><br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
</div></div>> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<div class="HOEnZb"><div class="h5">><br>
><br>
><br>
<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div></div></blockquote></div><br>