<div>I don't really know.</div><div>Maybe something like ip6_exthdr:44;depth:1; which allows looking for a specific extension header in the next "depth" extension headers following the IPv6 header.</div><div>I think you can adapt a few content modifiers to create more specific rules, like a specific sequence of extension headers.</div>
<div>Moreover, depending on the extension header, you can add specific keywords like ip6_exthdr_frag_offset:0; between ip6_exthdr and the "content modifier":</div><div> </div><div>ip6_exthdr:44;ip6_exthdr_frag_offset:0;depth:1; will match only if there is a Fragmentation Header immediately after the IPv6 header with an offset of 0.</div>
<div> </div><div>Also, it could be nice to have a rule based on ip4 (respectively ip6) to match only IPv4 (respectively IPv6) traffic.<br></div><div>Michel</div><div> </div><div class="gmail_quote">2012/6/20 Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span><br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div class="im">On 06/18/2012 12:06 PM, Michel SABORDE wrote:<br>
> Hi,<br>
><br>
> I've been trying to create a signature to identify IPv6 extension headers.<br>
> When I try to use ip_proto in my signature, it only matches the next<br>
> "real" protocol like TCP not the immediately following ipv6 extension<br>
> header.<br>
> I think Suricata recognizes the protocol following the last ipv6<br>
> extension header.<br>
> If it is the normal behaviour, it would be nice to have a keyword to<br>
> match the immediately following protocol.<br>
<br>
</div>Yes, this behavior is intended. I'd be happy to add a keyword to test<br>
for ext hdr presence. Any suggestions on what it should look like?<br>
<br>
Cheers,<br>
Victor<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div></div></blockquote></div><br>
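As an added illustration, not part of this thread or of Suricata's own code, the following Python walker over the IPv6 extension-header chain shows the distinction Michel raises: what ip_proto sees (the protocol after the last extension header) versus the header that immediately follows the fixed IPv6 header, and it implements the proposed ip6_exthdr / depth / ip6_exthdr_frag_offset semantics as a matcher. The keyword semantics, the packet builder and the two sample packets are assumptions constructed here for the example.

```python
import socket
import struct

# IPv6 extension headers the walker chains through (ESP omitted: opaque payload).
EXT_HDRS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "dst-opts"}

def walk_ip6_chain(pkt):
    """Return ([(ext_type, offset, frag_offset_or_None), ...], final_protocol).
    final_protocol is what ip_proto sees; the list is what ip6_exthdr would inspect."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HDRS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == 44:                       # fragment header: fixed 8 bytes
            frag, hlen = struct.unpack_from("!H", pkt, off + 2)[0] >> 3, 8
        elif nxt == 51:                     # AH: length field in 4-byte units, minus 2
            frag, hlen = None, (pkt[off + 1] + 2) * 4
        else:                               # options/routing: 8-byte units, first 8 excluded
            frag, hlen = None, (pkt[off + 1] + 1) * 8
        chain.append((nxt, off, frag))
        nxt, off = pkt[off], off + hlen
    return chain, nxt

def match_ip6_exthdr(pkt, proto, depth, frag_offset=None):
    """Assumed semantics of the proposed keyword: ip6_exthdr:<proto>;depth:<n>;
    matches when header <proto> is among the first <n> extension headers;
    ip6_exthdr_frag_offset additionally requires that fragment offset."""
    chain, _ = walk_ip6_chain(pkt)
    return any(h == proto and (frag_offset is None or f == frag_offset)
               for h, _, f in chain[:depth])

def build_ip6(first_nh, ext_bytes, upper=bytes(20)):
    """Constructed packet: fixed IPv6 header + extension chain + 20 zero bytes of 'TCP'."""
    src = socket.inet_pton(socket.AF_INET6, "2001:db8::1")
    dst = socket.inet_pton(socket.AF_INET6, "2001:db8::2")
    fixed = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(ext_bytes) + len(upper), first_nh, 64)
    return fixed + src + dst + ext_bytes + upper

def frag_hdr(nxt, offset, more=1, ident=0xABCD):
    return bytes([nxt, 0]) + struct.pack("!HI", (offset << 3) | more, ident)

def hbh_hdr(nxt):                            # hop-by-hop, 8 bytes, six Pad1 options
    return bytes([nxt, 0]) + bytes(6)

# Fragment header directly after IPv6: what ip6_exthdr:44;depth:1; targets.
PKT_FRAG_FIRST = build_ip6(44, frag_hdr(6, 0))
# Hop-by-hop first, fragment second with offset 16: depth:1 must not match 44.
PKT_HBH_THEN_FRAG = build_ip6(0, hbh_hdr(44) + frag_hdr(6, 16))
```

In both packets ip_proto would report 6 (TCP), which is exactly why a depth-aware extension-header keyword is needed to tell them apart.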