[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Tue Apr 10 10:09:37 UTC 2012
On 04/10/2012 12:07 PM, Michel SABORDE wrote:
> Hi again,
>
> I just noticed that if you stack 42 extension headers, for example 42
> destination options, the rule is not triggered.
Can you share a pcap?
> Is it a config problem?
No, there are no options affecting that.
Cheers,
Victor
> Michel
> On 4 April 2012 11:49, Victor Julien <victor at inliniac.net
> <mailto:victor at inliniac.net>> wrote:
>
> On 04/03/2012 08:21 PM, Victor Julien wrote:
> > On 04/03/2012 03:06 PM, Victor Julien wrote:
> >> On 04/03/2012 11:28 AM, Michel SABORDE wrote:
> >>> The pcap is attached to this mail.
> >>> I tried with the same rule as before and no alert is triggered.
> >>> I already tried reading the pcap with suricata so this pcap should
> >>> reproduce the issue.
> >>> I may also have found something weird in fragmented ICMPv6 Echo
> >>> Request / Reply.
> >>
> >> I think I found the issue. For some reason the reassembled packet
> >> contains the ethernet header as well, while the decoder doesn't
> >> expect that. Working on a fix.
> >
> > Partial fix pushed. Alert now fires. Http.log doesn't show the request
> > though, will look at that tomorrow.
>
> Fixed that as well. Please resync with the current git master.
>
> Thanks for the reports!
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------