<div>I just tried the lastest git master and no alert is trigerred if a A H extension header is present.</div><div> </div><div>Michel<br></div><div class="gmail_quote">2012/5/10 Michel SABORDE <span dir="ltr"><<a href="mailto:michel.saborde@gmail.com" target="_blank">michel.saborde@gmail.com</a>></span><br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div>No sorry !</div><div>But is there a way i can download the lastest git as a tgz or something ?</div>
<div>I don't have git atm.</div><span class="HOEnZb"><font color="#888888"><div> </div><div>Michel<br><br></div></font></span><div class="HOEnZb"><div class="h5"><div class="gmail_quote">2012/5/10 Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span><br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">Hi,<br><br>Did you try the latest git master?<br><br>thanks<br>
<br><div class="gmail_quote"><div><div>On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <span dir="ltr"><<a href="mailto:michel.saborde@gmail.com" target="_blank">michel.saborde@gmail.com</a>></span> wrote:<br>
</div></div><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div><div><div>Hi again :)</div><div>
</div><div>I just tried AH extension header (not ESP) but i think suricata doesn't recognize it yet.</div>
<div>Can you confirm ?</div><div>I have a pcap if needed.</div><div> </div><div>Any news about more detailed ipv6 extension header rules ?</div><span><font color="#888888">
<div> </div><div>Michel<br><br></div></font></span><div><div><div class="gmail_quote">2012/4/21 Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span><br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">
<div>On 04/19/2012 02:23 PM, Michel SABORDE wrote:<br>
> Btw, is it possible (i'm sure it is) to write a signature that trigger<br>
> when Routing Header type 0 is present in a packet ?<br>
> Or even just if any routing header is present ?<br>
<br>
</div>Actually I don't think there is currently.<br>
<br>
Maybe we should add a keyword like:<br>
<br>
ip6exthdr:frag,>1; // more than one frag hdr<br>
ip6exthdr:routing,1 // routing hdr present<br>
ip6exthdr:esp,0; // esp hdr not present<br>
<br>
For more detailed matching:<br>
<br>
ip6rh_type:0;<br>
ip6rh_type0:<ip6 addr/cidr>;<br>
<br>
Or something... suggestions are welcome.<br>
<div><br>
> I've found some decode-event rules in the decoder-events.rules file but<br>
> rules are only for duplicated extension header.<br>
<br>
</div>Yes, these are only for anomalies.<br>
<div><div><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div></div></blockquote></div><br>
</div></div><br></div></div><div>_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
</div><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
</font></span></blockquote></div><br>
</div></div></blockquote></div><br>