[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Tue Apr 3 09:28:16 UTC 2012


The pcap is attached to this mail.
I tried with the same rule as before and no alert is triggered.
I already tried reading the pcap with suricata so this pcap should
reproduce the issue.
I may also have found something weird in fragmented ICMPv6 Echo Request /
Reply.

Michel
On 3 April 2012 11:05, Victor Julien <victor at inliniac.net> wrote:

> No, it should just work. You can't even disable it.
>
> If it doesn't work, can you share a pcap showing the issue?
>
> On 04/03/2012 11:03 AM, Michel SABORDE wrote:
> > Do I need to activate something in suricata config file to enable ipv6
> > defrag ?
> > Because right now, my current config does not enable ipv6 defrag.
> >
> > Michel
> > On 2 April 2012 11:40, Michel SABORDE <michel.saborde at gmail.com
> > <mailto:michel.saborde at gmail.com>> wrote:
> >
> >     I just tried my previous tests with the current git version and ipv6
> >     support is much much better.
> >     I think you should consider adding a note on the website to tell
> >     people who want real IPv6 support not to use the current stable
> >     version but use the git instead.
> >
> >     Michel
> >     On 2 April 2012 08:44, Victor Julien <victor at inliniac.net
> >     <mailto:victor at inliniac.net>> wrote:
> >
> >         Cool, thanks for checking.
> >
> >         On 03/30/2012 09:50 PM, rmkml wrote:
> >         > Sorry to disturb, Victor,
> >         > It's not a FP.
> >         > Regards
> >         > Rmkml
> >         >
> >         >
> >         > On Fri, 30 Mar 2012, rmkml wrote:
> >         >
> >         >> Hi Victor,
> >         >>
> >         >> First, big thanks for your time and skills!
> >         >>
> >         >> Yes, maybe a new FP with ip_proto option on ipv6 causing FP...
> >         >> In my memory, if you create a rule with alert ip ... ip_proto:30, with
> >         >> ipv6 pcap: suricata fires...
> >         >> Can you check? If confirmed, I'll open a new ticket on redmine.
> >         >>
> >         >> Best Regards
> >         >> Rmkml
> >         >>
> >         >>
> >         >> On Fri, 30 Mar 2012, Victor Julien wrote:
> >         >>
> >         >>> On 03/29/2012 11:58 PM, rmkml wrote:
> >         >>>> and I found a new FP!
> >         >>>
> >         >>> What did you find?
> >         >>
> >         >
> >
> >
> >         --
> >         ---------------------------------------------
> >         Victor Julien
> >         http://www.inliniac.net/
> >         PGP: http://www.inliniac.net/victorjulien.asc
> >         ---------------------------------------------
> >
> >
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log_tcp_frag.pcap
Type: application/octet-stream
Size: 1735 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120403/1b42410f/attachment.obj>
