<div>Hi,</div><div> </div><div>I've been trying to create signature to identify IPv6 extension header.</div><div>When i try to use ip_proto in my signature, it only matches the next "real" protocol like TCP not the immediately following ipv6 extension header.</div>
<div>I think Suricata recognizes the protocol following the last ipv6 extension header.</div><div>If it is the normal behaviour, it would be nice to have a keyword to match the immediately following protocol.</div><div>
</div>
<div>Michel<br></div><div class="gmail_quote">2012/6/11 Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span><br><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">
<div class="im">On 06/11/2012 12:03 PM, Michel SABORDE wrote:<br>
> Hi everyone,<br>
><br>
> I just tested the Teredo tunneling protocol but it seems that Suricata<br>
> does not recognize it at all.<br>
> Is it a bug ? Or should i open a ticket for a feature request ?<br>
<br>
</div>It's a missing feature. Please open a ticket.<br>
<br>
Cheers,<br>
Victor<br>
<div class="im"><br>
><br>
> More information about teredo here : <a href="http://www.ietf.org/rfc/rfc4380.txt" target="_blank">http://www.ietf.org/rfc/rfc4380.txt</a><br>
> I also attached a pcap to this email.<br>
><br>
> Michel<br>
</div>> 2012/6/5 Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>><br>
<div class="im">><br>
> On 06/04/2012 04:37 PM, Michel SABORDE wrote:<br>
> > It works fine ! Thank you again !<br>
><br>
> Great, thanks for testing!<br>
><br>
> > Any news about IPv4-in-IPv6 support ?<br>
><br>
> Nothing yet. We're tracking the issue in the ticket you opened (#462).<br>
><br>
> Cheers,<br>
> Victor<br>
><br>
> ><br>
> > Michel<br>
> > 2012/5/20 Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a><br>
</div>> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a><br>
<div class="im">> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>>><br>
> ><br>
> > I pushed a fix for this to the current git master. Please test!<br>
> ><br>
> > Thanks Michel!<br>
> ><br>
> > Cheers,<br>
> > Victor<br>
> ><br>
> > On 05/10/2012 02:16 PM, Michel SABORDE wrote:<br>
> > > In the pcap i already sent, there was no AH extension header.<br>
> > > Here is a new pcap with AH.<br>
> > ><br>
> > > Michel<br>
> > ><br>
> > > 2012/5/10 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a><br>
> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
> > <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>><br>
> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
</div>> > <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>>>><br>
<div><div class="h5">> > ><br>
> > > is this the same pcap, as provided earlier in the mail<br>
> > conversation?<br>
> > ><br>
> > > thanks<br>
> > ><br>
> > ><br>
> > > On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE<br>
> > > <<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>><br>
> > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>>>><br>
> > wrote:<br>
> > ><br>
> > > I just tried the lastest git master and no alert is<br>
> > trigerred if<br>
> > > a A H extension header is present.<br>
> > ><br>
> > > Michel<br>
> > > 2012/5/10 Michel SABORDE <<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>><br>
> > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>><br>
> > > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>><br>
> > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>>>><br>
> > ><br>
> > > No sorry !<br>
> > > But is there a way i can download the lastest<br>
> git as a tgz<br>
> > > or something ?<br>
> > > I don't have git atm.<br>
> > ><br>
> > > Michel<br>
> > ><br>
> > > 2012/5/10 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a><br>
> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
> > <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>><br>
> > > <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a><br>
> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
</div></div>> > <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a> <mailto:<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>>>><br>
<div class="im">> > ><br>
> > > Hi,<br>
> > ><br>
> > > Did you try the latest git master?<br>
> > ><br>
> > > thanks<br>
> > ><br>
> > > On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE<br>
> > > <<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>><br>
> > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>><br>
</div><div class="im">> > > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>><br>
> > <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:michel.saborde@gmail.com">michel.saborde@gmail.com</a>>>>> wrote:<br>
> > ><br>
> > > Hi again :)<br>
> > ><br>
> > > I just tried AH extension header (not<br>
> ESP) but i<br>
> > > think suricata doesn't recognize it yet.<br>
> > > Can you confirm ?<br>
> > > I have a pcap if needed.<br>
> > ><br>
> > > Any news about more detailed ipv6<br>
> extension header<br>
> > > rules ?<br>
> > ><br>
> > > Michel<br>
> > ><br>
> > > 2012/4/21 Victor Julien<br>
> <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>><br>
> > <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>><br>
> > > <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a><br>
> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>><br>
</div>> > <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>>>><br>
<div class="HOEnZb"><div class="h5">> > ><br>
> > > On 04/19/2012 02:23 PM, Michel<br>
> SABORDE wrote:<br>
> > > > Btw, is it possible (i'm sure it<br>
> is) to<br>
> > write<br>
> > > a signature that trigger<br>
> > > > when Routing Header type 0 is<br>
> present in a<br>
> > > packet ?<br>
> > > > Or even just if any routing header is<br>
> > present ?<br>
> > ><br>
> > > Actually I don't think there is<br>
> currently.<br>
> > ><br>
> > > Maybe we should add a keyword like:<br>
> > ><br>
> > > ip6exthdr:frag,>1; // more than one<br>
> frag hdr<br>
> > > ip6exthdr:routing,1 // routing hdr<br>
> present<br>
> > > ip6exthdr:esp,0; // esp hdr not present<br>
> > ><br>
> > > For more detailed matching:<br>
> > ><br>
> > > ip6rh_type:0;<br>
> > > ip6rh_type0:<ip6 addr/cidr>;<br>
> > ><br>
> > > Or something... suggestions are welcome.<br>
> > ><br>
> > > > I've found some decode-event rules<br>
> in the<br>
> > > decoder-events.rules file but<br>
> > > > rules are only for duplicated<br>
> extension<br>
> > header.<br>
> > ><br>
> > > Yes, these are only for anomalies.<br>
> > ><br>
> > > --<br>
> > ><br>
> ---------------------------------------------<br>
> > > Victor Julien<br>
> > > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > > PGP:<br>
> <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > ><br>
> ---------------------------------------------<br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> _______________________________________________<br>
> > > Oisf-users mailing list<br>
> > > <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>>><br>
> > ><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>>>><br>
> > ><br>
> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Regards,<br>
> > > Peter Manev<br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Regards,<br>
> > > Peter Manev<br>
> > ><br>
> > ><br>
> ><br>
> ><br>
> > --<br>
> > ---------------------------------------------<br>
> > Victor Julien<br>
> > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > ---------------------------------------------<br>
> ><br>
> > _______________________________________________<br>
> > Oisf-users mailing list<br>
> > <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>>><br>
> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> ><br>
> ><br>
><br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
><br>
<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div></div></blockquote></div><br>