[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Tue Apr 10 10:36:30 UTC 2012


The pcap is attached to this email with the following tests:
- 41 Destination Option Extension Header
- 41 Atomic Fragmentation Extension Header

Michel

On 10 April 2012 at 12:09, Victor Julien <victor at inliniac.net> wrote:

> On 04/10/2012 12:07 PM, Michel SABORDE wrote:
> > Hi again,
> >
> > I just noticed that if you stack 42 extension headers, for example 42
> > destination options, the rule is not triggered.
>
> Can you share a pcap?
>
> > Is it a config problem?
>
> No, there are no options affecting that.
>
> Cheers,
> Victor
>
> > Michel
> > On 4 April 2012 at 11:49, Victor Julien <victor at inliniac.net> wrote:
> >
> >     On 04/03/2012 08:21 PM, Victor Julien wrote:
> >     > On 04/03/2012 03:06 PM, Victor Julien wrote:
> >     >> On 04/03/2012 11:28 AM, Michel SABORDE wrote:
> >     >>> The pcap is attached to this mail.
> >     >>> I tried with the same rule as before and no alert is triggered.
> >     >>> I already tried reading the pcap with suricata so this pcap should
> >     >>> reproduce the issue.
> >     >>> I may also have found something weird in fragmented ICMPv6 Echo Request
> >     >>> / Reply.
> >     >>
> >     >> I think I found the issue. For some reason the reassembled packet
> >     >> contains the ethernet header as well, while the decoder doesn't expect
> >     >> that. Working on a fix.
> >     >
> >     > Partial fix pushed. Alert now fires. Http.log doesn't show the request
> >     > though, will look at that tomorrow.
> >
> >     Fixed that as well. Please resync with the current git master.
> >
> >     Thanks for the reports!
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log_tcp_41exthdr.pcap
Type: application/octet-stream
Size: 5318 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120410/1d263748/attachment.obj>

