[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Tue Jul 3 09:58:38 UTC 2012


Hi again,

I'm still trying to access extension headers that are after the IPv6 header,
but I can't manage to do it.
Even if I use a pcre like /^\x2c/ to check if the first octet of the
payload is a fragment next header, it does not work because pcre only
matches the TCP/ICMP/... payload, not the IPv6 payload, even when the
signature is about ip protocol.
Is there something like "raw signatures"? Maybe with the use of pkthdr
signatures? Or by accessing the payload of the ethernet protocol?

Thanks in advance for your help.

Michel

2012/6/20 Michel SABORDE <michel.saborde at gmail.com>

> I don't really know.
> Maybe something like ip6_exthdr:44;depth:1; which allows one to look for a
> specific extension header in the next "depth" extension headers following
> the IPv6 header.
> I think you can adapt a few content modifiers to create more specific
> rules, like a specific sequence of extension headers.
> Moreover, depending on the extension header, you can add specific keywords
> like ip6_exthdr_frag_offset:0; between ip6_exthdr and the "content
> modifier" :
>
> ip6_exthdr:44;ip6_exthdr_frag_offset:0;depth:1; will match only if there
> is a Fragmentation Header immediately after the IPv6 header with an offset
> of 0.
>
> Also, it could be nice to have a rule based on ip4 (respectively ip6) to
> match only IPv4 (respectively IPv6) traffic.
> Michel
>
> 2012/6/20 Victor Julien <victor at inliniac.net>
>
>> On 06/18/2012 12:06 PM, Michel SABORDE wrote:
>> > Hi,
>> >
>> > I've been trying to create a signature to identify IPv6 extension headers.
>> > When I try to use ip_proto in my signature, it only matches the next
>> > "real" protocol like TCP, not the immediately following IPv6 extension
>> > header.
>> > I think Suricata recognizes the protocol following the last IPv6
>> > extension header.
>> > If it is the normal behaviour, it would be nice to have a keyword to
>> > match the immediately following protocol.
>>
>> Yes, this behavior is intended. I'd be happy to add a keyword to test
>> for ext hdr presence. Any suggestions on what it should look like?
>>
>> Cheers,
>> Victor
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>
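The thread is about two things: where the Fragment header sits in the IPv6 next-header chain (the fixed header's Next Header field at byte 6 names the first extension header; each extension header's own first octet names the next one), and why a payload matcher such as pcre never sees it (the engine hands payload keywords the bytes after the last extension header). The following Python is an added example written for this page, not Suricata code and not a patch to it; it walks the chain on constructed packets and evaluates the ip6_exthdr / ip6_exthdr_frag_offset / depth semantics Michel sketched above, treating those keyword names as hypothetical. The packets, addresses and the TCP stub are made up for the demo.

```python
"""
Walk an IPv6 extension-header chain and evaluate a rule-style check such as
the hypothetical "ip6_exthdr:44; ip6_exthdr_frag_offset:0; depth:1" from
the thread.  All packets below are constructed in-line, not captures.
"""
import struct

# Extension headers that chain via a Next Header field (RFC 2460; AH per RFC 4302).
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest-Options"}
FRAGMENT = 44


def parse_ipv6(pkt: bytes):
    """Return (ext_headers, upper_proto, upper_payload).

    ext_headers: list of dicts in wire order with 'type', 'name', 'offset'
    and, for a Fragment header, 'frag_offset' (8-octet units) and 'more'.
    upper_payload: the bytes after the last extension header, i.e. what a
    payload keyword like pcre is matched against.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    next_hdr = pkt[6]          # Next Header of the fixed header names the first ext header
    off = 40
    chain = []
    while next_hdr in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        entry = {"type": next_hdr, "name": EXT_HEADERS[next_hdr], "offset": off}
        if next_hdr == FRAGMENT:
            hdr_len = 8                                   # Fragment header is fixed-size
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            entry["frag_offset"] = frag_field >> 3        # upper 13 bits
            entry["more"] = bool(frag_field & 1)          # M flag
        elif next_hdr == 51:
            hdr_len = (pkt[off + 1] + 2) * 4              # AH: Payload Len in 32-bit words, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8              # Hdr Ext Len in 8-octet units, excl. first 8
        if off + hdr_len > end:
            raise ValueError("extension header runs past payload")
        chain.append(entry)
        next_hdr = pkt[off]                               # first octet of every ext header
        off += hdr_len
    return chain, next_hdr, pkt[off:end]


def ip6_exthdr_match(pkt: bytes, ext_type: int, depth=None, frag_offset=None) -> bool:
    """Hypothetical keyword semantics: is ext_type among the first `depth`
    extension headers (all of them if depth is None)?  For a Fragment header,
    additionally require its offset to equal frag_offset when given."""
    chain, _, _ = parse_ipv6(pkt)
    window = chain if depth is None else chain[:depth]
    for hdr in window:
        if hdr["type"] != ext_type:
            continue
        if frag_offset is not None and hdr.get("frag_offset") != frag_offset:
            continue
        return True
    return False


# ---- constructed sample packets (documentation prefix addresses, zeroed TCP stub) ----
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
TCP_STUB = bytes.fromhex("04d20050") + bytes(16)          # sport 1234, dport 80, rest zero


def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + SRC + DST + payload


def _fragment(next_hdr: int, frag_offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (frag_offset << 3) | int(more), ident)


def _dest_options(next_hdr: int) -> bytes:
    # Hdr Ext Len 0 => 8 octets total; padded with one 4-byte PadN option.
    return struct.pack("!BB", next_hdr, 0) + bytes.fromhex("010400000000")


PKT_FRAG_FIRST = _ipv6(FRAGMENT, _fragment(6, 0, True) + TCP_STUB)          # IPv6 > Frag(0) > TCP
PKT_DSTOPT_THEN_FRAG = _ipv6(60, _dest_options(FRAGMENT) + _fragment(6, 0, True) + TCP_STUB)
PKT_FRAG_LATER = _ipv6(FRAGMENT, _fragment(6, 100, False) + TCP_STUB)       # IPv6 > Frag(100) > TCP


if __name__ == "__main__":
    for name, pkt in [("frag-first", PKT_FRAG_FIRST),
                      ("dstopt-then-frag", PKT_DSTOPT_THEN_FRAG),
                      ("frag-later", PKT_FRAG_LATER)]:
        chain, proto, payload = parse_ipv6(pkt)
        print(name, [h["name"] for h in chain], "upper proto", proto,
              "payload[0]=0x%02x" % payload[0])
        print("  ip6_exthdr:44;depth:1                       ->",
              ip6_exthdr_match(pkt, FRAGMENT, depth=1))
        print("  ip6_exthdr:44;ip6_exthdr_frag_offset:0;depth:1 ->",
              ip6_exthdr_match(pkt, FRAGMENT, depth=1, frag_offset=0))
```

Running it shows the point of the thread: for every packet the upper-layer payload starts at the TCP stub (0x04), never at 0x2c, so a pcre anchored on the payload cannot see the chain, while the walker finds the Fragment header at depth 1 for the first packet and only at depth 2 when a Destination Options header precedes it.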