[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Tue Apr 3 18:21:59 UTC 2012
On 04/03/2012 03:06 PM, Victor Julien wrote:
> On 04/03/2012 11:28 AM, Michel SABORDE wrote:
>> The pcap is attached to this mail.
>> I tried with the same rule as before and no alert is triggered.
>> I already tried reading the pcap with suricata so this pcap should
>> reproduce the issue.
>> I may also have found something weird in fragmented ICMPv6 Echo Request
>> / Reply.
>
> I think I found the issue. For some reason the reassembled packet
> contains the ethernet header as well, while the decoder doesn't expect
> that. Working on a fix.
Partial fix pushed. Alert now fires. Http.log doesn't show the request
though, will look at that tomorrow.
> Thanks,
> Victor
>
>>
>> Michel
>> On 3 April 2012 at 11:05, Victor Julien <victor at inliniac.net> wrote:
>>
>> No, it should just work. You can't even disable it.
>>
>> If it doesn't work, can you share a pcap showing the issue?
>>
>> On 04/03/2012 11:03 AM, Michel SABORDE wrote:
>> > Do I need to activate something in the suricata config file to enable ipv6
>> > defrag?
>> > Because right now, my current config does not enable ipv6 defrag.
>> >
>> > Michel
>> > On 2 April 2012 at 11:40, Michel SABORDE <michel.saborde at gmail.com> wrote:
>> >
>> > I just tried my previous tests with the current git version and ipv6
>> > support is much much better.
>> > I think you should consider adding a note on the website to tell
>> > people who want real IPv6 support not to use the current stable
>> > version but to use git instead.
>> >
>> > Michel
>> > On 2 April 2012 at 08:44, Victor Julien <victor at inliniac.net> wrote:
>> >
>> > Cool, thanks for checking.
>> >
>> > On 03/30/2012 09:50 PM, rmkml wrote:
>> > > Sorry to disturb you Victor,
>> > > It's not a FP.
>> > > Regards
>> > > Rmkml
>> > >
>> > >
>> > > On Fri, 30 Mar 2012, rmkml wrote:
>> > >
>> > >> Hi Victor,
>> > >>
>> > >> First, big thanks for your time and skills!
>> > >>
>> > >> Yes, maybe a new FP: the ip_proto option on ipv6 causes an FP...
>> > >> From memory, if you create a rule with alert ip ... ip_proto:30, with
>> > >> an ipv6 pcap, suricata fires...
>> > >> Can you check? If confirmed, I'll open a new ticket on redmine.
>> > >>
>> > >> Best Regards
>> > >> Rmkml
>> > >>
>> > >>
>> > >> On Fri, 30 Mar 2012, Victor Julien wrote:
>> > >>
>> > >>> On 03/29/2012 11:58 PM, rmkml wrote:
>> > >>>> and I found a new FP!
>> > >>>
>> > >>> What did you find?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
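The defrag path discussed in this thread, as an added example that is not Suricata's code: a pure-Python builder and reassembler for IPv6 packets carrying the Fragment extension header (Next Header 44), plus the decoder sanity check that rejects a reassembled buffer which still begins with an Ethernet header, the symptom Victor describes above. Addresses, fragment identification and the ICMPv6 Echo payload are constructed sample data, and all function names are this example's own.

```python
"""IPv6 fragmentation / reassembly round-trip (added example, not Suricata code).
Builds an ICMPv6 Echo Request, splits it into fragments per RFC 2460 section 4.5,
reassembles them, and checks the result is an IPv6 packet, not an Ethernet frame."""
import ipaddress
import struct

IPPROTO_FRAGMENT = 44   # Fragment extension header
IPPROTO_ICMPV6 = 58
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
SRC = "2001:db8::1"     # constructed sample addresses
DST = "2001:db8::2"

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header with traffic class and flow label zero."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def checksum16(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _icmpv6_pseudo(src, dst, body):
    """IPv6 pseudo-header: src, dst, upper-layer length, 3 zero bytes, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!IBBBB", len(body), 0, 0, 0, IPPROTO_ICMPV6))

def icmpv6_echo_request(src, dst, ident, seq, data):
    """ICMPv6 Echo Request (type 128) with the pseudo-header checksum filled in."""
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    csum = checksum16(_icmpv6_pseudo(src, dst, body) + body)
    return body[:2] + struct.pack("!H", csum) + body[4:]

def icmpv6_checksum_ok(src, dst, body):
    """With a correct checksum the ones-complement sum of pseudo-header + body is zero."""
    return checksum16(_icmpv6_pseudo(src, dst, body) + body) == 0

def fragment(src, dst, next_header, payload, frag_id, max_frag_data):
    """Split an upper-layer payload into IPv6 packets that each carry a Fragment
    header; every fragment but the last must carry a multiple of 8 data bytes."""
    if max_frag_data % 8:
        raise ValueError("fragment data length must be a multiple of 8")
    frags = []
    for offset in range(0, len(payload), max_frag_data):
        chunk = payload[offset:offset + max_frag_data]
        more = 1 if offset + len(chunk) < len(payload) else 0
        # Fragment header: next header, reserved, offset in 8-byte units in the
        # top 13 bits with the M flag in bit 0, then the 32-bit identification.
        frag_hdr = struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | more, frag_id)
        frags.append(ipv6_header(src, dst, IPPROTO_FRAGMENT, FRAG_HDR_LEN + len(chunk))
                     + frag_hdr + chunk)
    return frags

def looks_like_ipv6(buf):
    """Decoder sanity check: version nibble 6 and Payload Length consistent with the
    buffer. A reassembled buffer that still starts with an Ethernet header fails it."""
    if len(buf) < IPV6_HDR_LEN or buf[0] >> 4 != 6:
        return False
    return struct.unpack("!H", buf[4:6])[0] == len(buf) - IPV6_HDR_LEN

def reassemble(frags):
    """Rebuild the original packet from fragments in any order: the first fragment's
    base header (Next Header restored) followed by the joined data. Gaps, overlaps
    and a missing first or last fragment raise ValueError."""
    pieces, base, next_header, total_len = {}, None, None, None
    for pkt in frags:
        if not looks_like_ipv6(pkt) or pkt[6] != IPPROTO_FRAGMENT:
            raise ValueError("not an IPv6 fragment")
        nh, _, off_flags, _ident = struct.unpack(
            "!BBHI", pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
        offset, more = (off_flags >> 3) * 8, off_flags & 1
        pieces[offset] = pkt[IPV6_HDR_LEN + FRAG_HDR_LEN:]  # a duplicate offset replaces
        if not more:
            total_len = offset + len(pieces[offset])
        if offset == 0:
            base, next_header = pkt[:IPV6_HDR_LEN], nh
    if base is None or total_len is None:
        raise ValueError("first or last fragment missing")
    payload = b""
    for offset in sorted(pieces):
        if offset != len(payload):
            raise ValueError("gap or overlap at offset %d" % offset)
        payload += pieces[offset]
    if len(payload) != total_len:
        raise ValueError("data past the last fragment")
    return base[:4] + struct.pack("!H", len(payload)) + bytes([next_header]) + base[7:] + payload

if __name__ == "__main__":
    echo = icmpv6_echo_request(SRC, DST, 0x1234, 1, bytes(range(100)))
    frags = fragment(SRC, DST, IPPROTO_ICMPV6, echo, 0xDEADBEEF, 48)
    whole = reassemble(reversed(frags))   # out-of-order delivery
    print(len(frags), "fragments ->", len(whole), "bytes, ipv6:", looks_like_ipv6(whole))
    print("with Ethernet header prepended:", looks_like_ipv6(b"\x00" * 12 + b"\x86\xdd" + whole))
```

The `looks_like_ipv6` check is the cheap guard a decoder can apply to whatever the defrag engine hands back: a buffer that still carries the 14-byte Ethernet header has a version nibble of 0 and a Payload Length that does not match the buffer size, so it is rejected before any extension-header walk starts. Writing the fragments out with a pcap library and feeding them to suricata would reproduce the kind of test Michel ran; that step is not part of this example.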