[Oisf-users] IPv6 & Extension header

Victor Julien victor at inliniac.net
Wed Apr 18 07:27:38 UTC 2012


On 04/10/2012 12:36 PM, Michel SABORDE wrote:
> The pcap is attached to this email with the following tests:
> - 41 Destination Option Extension Header
> - 41 Atomic Fragmentation Extension Header

I've pushed a new git master that addresses this issue.

Thanks Michel!

Cheers,
Victor

> Michel
> 
> On 10 April 2012 at 12:09, Victor Julien <victor at inliniac.net> wrote:
> 
>     On 04/10/2012 12:07 PM, Michel SABORDE wrote:
>     > Hi again,
>     >
>     > I just noticed that if you stack 42 extension headers, for example 42
>     > destination options, the rule is not triggered.
> 
>     Can you share a pcap?
> 
>     > Is it a config problem?
> 
>     No, there are no options affecting that.
> 
>     Cheers,
>     Victor
> 
>     > Michel
>     > On 4 April 2012 at 11:49, Victor Julien <victor at inliniac.net> wrote:
>     >
>     >     On 04/03/2012 08:21 PM, Victor Julien wrote:
>     >     > On 04/03/2012 03:06 PM, Victor Julien wrote:
>     >     >> On 04/03/2012 11:28 AM, Michel SABORDE wrote:
>     >     >>> The pcap is attached to this mail.
>     >     >>> I tried with the same rule as before and no alert is triggered.
>     >     >>> I already tried reading the pcap with Suricata so this pcap should
>     >     >>> reproduce the issue.
>     >     >>> I may also have found something weird in fragmented ICMPv6 Echo Request
>     >     >>> / Reply.
>     >     >>
>     >     >> I think I found the issue. For some reason the reassembled packet
>     >     >> contains the ethernet header as well, while the decoder doesn't expect
>     >     >> that. Working on a fix.
>     >     >
>     >     > Partial fix pushed. Alert now fires. Http.log doesn't show the request
>     >     > though, will look at that tomorrow.
>     >
>     >     Fixed that as well. Please resync with the current git master.
>     >
>     >     Thanks for the reports!
>     >
>     >     --
>     >     ---------------------------------------------
>     >     Victor Julien
>     >     http://www.inliniac.net/
>     >     PGP: http://www.inliniac.net/victorjulien.asc
>     >     ---------------------------------------------
>     >
>     >
>     >
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
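
Added example (not part of the original thread, not Suricata's decoder code, and not a statement of what the bug was): a minimal C walk of an IPv6 extension header chain like the stacked Destination Options and atomic Fragment headers tested above, bounded only by the packet length. The names v6_walk_ext, build_sample and struct v6_walk are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct v6_walk { int upper_proto, ext_count, atomic_frag; size_t upper_off; };
static int is_ext(uint8_t nh) { return nh == 0 || nh == 43 || nh == 44 || nh == 60; }

/* pkt must start at the IPv6 header (no link-layer header). The loop is bounded
 * by the packet length only. Returns 0 ok, -1 truncated/not IPv6, -2 non-first fragment. */
int v6_walk_ext(const uint8_t *pkt, size_t len, struct v6_walk *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];
    size_t off = 40;
    while (is_ext(nh)) {
        if (len - off < 8) return -1;               /* every extension header is >= 8 bytes */
        size_t hlen = 8;                            /* Fragment header has a fixed size */
        if (nh == 44) {
            unsigned fo = ((unsigned)pkt[off + 2] << 8) | pkt[off + 3];
            if (fo >> 3) return -2;                 /* offset != 0: needs reassembly first */
            if (!(fo & 1)) out->atomic_frag = 1;    /* offset 0 and M=0: atomic fragment */
        } else {
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len: 8-byte units after the first 8 */
        }
        if (len - off < hlen) return -1;
        nh = pkt[off];                              /* Next Header is the first byte of each header */
        off += hlen; out->ext_count++;
    }
    out->upper_proto = nh; out->upper_off = off;
    return 0;
}

/* Constructed sample: IPv6 header, n Destination Options headers (PadN only),
 * optional atomic Fragment header, then next header 6 (TCP). Returns bytes written. */
size_t build_sample(uint8_t *buf, size_t cap, int n, int atomic)
{
    size_t off = 40, need = 40 + 8 * ((size_t)n + (atomic ? 1 : 0));
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 0x60;                                  /* version 6 */
    uint8_t *nhp = &buf[6];                         /* where the next "Next Header" value goes */
    for (int i = 0; i < n; i++, off += 8) {
        *nhp = 60; nhp = &buf[off]; buf[off + 2] = 1; buf[off + 3] = 4; /* PadN, 4 pad bytes */
    }
    if (atomic) { *nhp = 44; nhp = &buf[off]; off += 8; }
    *nhp = 6;
    return off;
}
```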



