[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Sat Apr 21 09:19:33 UTC 2012
On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> Btw, is it possible (I'm sure it is) to write a signature that triggers
> when Routing Header type 0 is present in a packet?
> Or even just if any routing header is present?

Actually I don't think there is currently.

Maybe we should add a keyword like:

    ip6exthdr:frag,>1;    // more than one frag hdr
    ip6exthdr:routing,1;  // routing hdr present
    ip6exthdr:esp,0;      // esp hdr not present

For more detailed matching:

    ip6rh_type:0;
    ip6rh_type0:<ip6 addr/cidr>;

Or something... suggestions are welcome.

> I've found some decode-event rules in the decoder-events.rules file but
> the rules are only for duplicated extension headers.

Yes, these are only for anomalies.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
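
Added example, not part of the message above and not Suricata code: a Python sketch of the per-packet information the proposed keywords would need, namely a count of each IPv6 extension header and the Routing Type of any routing header. The function names, the `build` helper and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOPOPTS, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
NO_NEXT = 59  # "No Next Header"

def walk_ext_headers(packet: bytes):
    """Return ({next_header_value: count}, [routing types]) for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    counts, rh_types = {}, []
    while nxt in EXT_HEADERS:
        counts[nxt] = counts.get(nxt, 0) + 1
        if nxt == ESP:                            # the rest is encrypted
            break
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            hdr_len = 8                           # fixed size, no length field
        elif nxt == AH:
            hdr_len = (packet[off + 1] + 2) * 4   # AH length is in 4-byte words
        else:
            hdr_len = (packet[off + 1] + 1) * 8   # 8-byte units, first 8 excluded
        if off + hdr_len > len(packet):
            raise ValueError("extension header overruns packet")
        if nxt == ROUTING:
            rh_types.append(packet[off + 2])      # Routing Type field
        if nxt == FRAGMENT and struct.unpack_from("!H", packet, off + 2)[0] >> 3:
            break                                 # non-first fragment: no chain follows
        nxt, off = packet[off], off + hdr_len
    return counts, rh_types

def build(first_hdr: int, ext: bytes) -> bytes:
    """Constructed sample packet using documentation addresses (2001:db8::/32)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, len(ext), first_hdr, 64) + src + dst + ext

# Constructed samples: one type 0 routing header; two chained fragment headers.
hop = ipaddress.IPv6Address("2001:db8::99").packed
RH0_PKT = build(ROUTING, bytes([NO_NEXT, 2, 0, 1]) + bytes(4) + hop)
FRAG2_PKT = build(FRAGMENT, bytes([FRAGMENT, 0, 0, 1]) + bytes(4) + bytes([NO_NEXT]) + bytes(7))

counts, rh_types = walk_ext_headers(RH0_PKT)
# "routing hdr present" -> counts.get(ROUTING, 0) > 0;  ip6rh_type:0 -> 0 in rh_types
print(counts, rh_types)
```
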