[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Tue Apr 3 13:06:25 UTC 2012
On 04/03/2012 11:28 AM, Michel SABORDE wrote:
> The pcap is attached to this mail.
> I tried with the same rule as before and no alert is triggered.
> I already tried reading the pcap with suricata so this pcap should
> reproduce the issue.
> I may also have found something weird in fragmented ICMPv6 Echo Request
> / Reply.
I think I found the issue. For some reason the reassembled packet
contains the ethernet header as well, while the decoder doesn't expect
that. Working on a fix.
Thanks,
Victor
>
> Michel
> On 3 April 2012 11:05, Victor Julien <victor at inliniac.net> wrote:
>
> No, it should just work. You can't even disable it.
>
> If it doesn't work, can you share a pcap showing the issue?
>
> On 04/03/2012 11:03 AM, Michel SABORDE wrote:
> > Do I need to activate something in the suricata config file to enable ipv6
> > defrag?
> > Because right now, my current config does not enable ipv6 defrag.
> >
> > Michel
> > On 2 April 2012 11:40, Michel SABORDE <michel.saborde at gmail.com> wrote:
> >
> > I just tried my previous tests with the current git version and ipv6
> > support is much much better.
> > I think you should consider adding a note on the website to tell
> > people who want real IPv6 support not to use the current stable
> > version but to use the git version instead.
> >
> > Michel
> > On 2 April 2012 08:44, Victor Julien <victor at inliniac.net> wrote:
> >
> > Cool, thanks for checking.
> >
> > On 03/30/2012 09:50 PM, rmkml wrote:
> > > Sorry to disturb you, Victor,
> > > It's not a FP.
> > > Regards
> > > Rmkml
> > >
> > >
> > > On Fri, 30 Mar 2012, rmkml wrote:
> > >
> > >> Hi Victor,
> > >>
> > >> First, a big thank you for your time and skills!
> > >>
> > >> Yes, maybe a new FP: the ip_proto option on IPv6 causes an FP...
> > >> As I remember, if you create a rule with alert ip ... ip_proto:30, with
> > >> an IPv6 pcap, Suricata fires...
> > >> Can you check? If confirmed, I'll open a new ticket on Redmine.
> > >>
> > >> Best Regards
> > >> Rmkml
> > >>
> > >>
> > >> On Fri, 30 Mar 2012, Victor Julien wrote:
> > >>
> > >>> On 03/29/2012 11:58 PM, rmkml wrote:
> > >>>> and I found a new FP!
> > >>>
> > >>> What did you find?
> > >>
> > >
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
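
The condition diagnosed in the reply above, a reassembled buffer that still begins with the Ethernet header being handed to an IPv6 decoder, can be tested for with a layout check such as the following. This is an added example, not Suricata code and not part of the original message; the function names and the sample ICMPv6 packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN      14
#define IPV6_HLEN     40
#define ETHERTYPE_V6  0x86DD

/* 1 if buf holds a fixed IPv6 header whose payload length matches len. */
static int looks_like_ipv6(const uint8_t *buf, size_t len)
{
    if (len < IPV6_HLEN || (buf[0] >> 4) != 6)   /* version nibble */
        return 0;
    size_t plen = ((size_t)buf[4] << 8) | buf[5];
    return plen == len - IPV6_HLEN;
}

/* Offset of the IPv6 header in a reassembled buffer: 0 when the buffer
 * starts at layer 3, ETH_HLEN when a link header was left in front,
 * -1 when neither layout parses. (Hypothetical helper.) */
int reassembled_ipv6_offset(const uint8_t *buf, size_t len)
{
    if (looks_like_ipv6(buf, len))
        return 0;
    if (len >= ETH_HLEN + IPV6_HLEN &&
        (((unsigned)buf[12] << 8) | buf[13]) == ETHERTYPE_V6 &&
        looks_like_ipv6(buf + ETH_HLEN, len - ETH_HLEN))
        return ETH_HLEN;
    return -1;
}

/* Constructed sample: ICMPv6 echo request with an 8-byte payload,
 * optionally prefixed by an Ethernet header. Checksum is left zero
 * because only the layout is examined. Returns the buffer length. */
size_t build_sample(uint8_t *out, int with_eth)
{
    size_t off = 0;
    if (with_eth) {
        memset(out, 0x02, 12);           /* constructed MAC addresses */
        out[12] = 0x86; out[13] = 0xDD;  /* EtherType: IPv6 */
        off = ETH_HLEN;
    }
    uint8_t *ip6 = out + off;
    memset(ip6, 0, IPV6_HLEN + 8);
    ip6[0] = 0x60;                       /* version 6 */
    ip6[5] = 8;                          /* payload length */
    ip6[6] = 58; ip6[7] = 64;            /* next header ICMPv6, hop limit */
    ip6[40] = 128;                       /* ICMPv6 type: echo request */
    return off + IPV6_HLEN + 8;
}
```

A return value of 14 on a buffer that is about to be passed to a layer-3 decoder is the mismatch described in the message: the decoder would read the first byte of the destination MAC as the IP version field.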