[Oisf-users] IPv6 & Extension header

Victor Julien victor at inliniac.net
Thu Jul 5 13:24:48 UTC 2012


On 06/20/2012 02:54 PM, Michel SABORDE wrote:
> I don't really know.
> Maybe something like ip6_exthdr:44;depth:1; which allow to look for a
> specific extension header in the next "depth" extension header following
> the ipv6 header.
> I think you can adapt a few content modifiers to create more specific
> rules, like a specific sequence of extension headers.
> Moreover, depending on the extension header, you can add specific
> keywords like ip6_exthdr_frag_offset:0; between ip6_exthdr and the
> "content modifier" :
>  
> ip6_exthdr:44;ip6_exthdr_frag_offset:0;depth:1; will match only if there
> is a Fragmentation Header immediately after the IPv6 header with an
> offset of 0.

I wonder if exposing this part of the raw packet to the content
detection engine would be good enough here. With byte tests, jumps,
extracts... Adding the keywords you'd want is quite some work.

Cheers,
Victor

>  
> 2012/6/20 Victor Julien <victor at inliniac.net>
> 
>     On 06/18/2012 12:06 PM, Michel SABORDE wrote:
>     > Hi,
>     >
>     > I've been trying to create signature to identify IPv6 extension
>     header.
>     > When I try to use ip_proto in my signature, it only matches the next
>     > "real" protocol like TCP not the immediately following ipv6 extension
>     > header.
>     > I think Suricata recognizes the protocol following the last ipv6
>     > extension header.
>     > If it is the normal behaviour, it would be nice to have a keyword to
>     > match the immediately following protocol.
> 
>     Yes, this behavior is intended. I'd be happy to add a keyword to test
>     for ext hdr presence. Any suggestions on what it should look like?
> 
>     Cheers,
>     Victor
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
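The keyword semantics sketched in the thread, as an added example that is not part of the original posts or of Suricata's own code: a decoder-style walk of the IPv6 extension-header chain, which is the information any such keyword (or a byte_test/byte_jump rule over the raw packet bytes) has to recover. ip6_walk_chain records every extension header in wire order plus the upper-layer protocol that ip_proto ends up testing; ip6_exthdr_match and ip6_frag_offset_match are hypothetical functions implementing the proposed ip6_exthdr:TYPE;depth:N; and ip6_exthdr_frag_offset:X; checks as Michel described them (depth counts extension headers from the IPv6 header, depth 0 meaning anywhere in the chain). The two sample packets are constructed inline, not captured traffic.

```c
/* Walk an IPv6 extension-header chain and emulate the proposed
 * "ip6_exthdr:TYPE; depth:N;" and "ip6_exthdr_frag_offset:X;" checks.
 * Added example for the thread above, not Suricata code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDR_LEN 40
#define MAX_EXTHDRS 8

/* Next Header values that are walkable extension headers (RFC 2460 / RFC 4302). */
enum { IP6_HOPOPTS = 0, IP6_ROUTING = 43, IP6_FRAGMENT = 44, IP6_AH = 51, IP6_DSTOPTS = 60 };

typedef struct { uint8_t type; uint16_t offset; uint16_t len; } ExtHdr;
typedef struct {
    ExtHdr  hdrs[MAX_EXTHDRS];
    int     count;        /* extension headers found, in wire order */
    uint8_t final_proto;  /* what ip_proto sees: the header after the last extension */
    int     truncated;    /* the chain ran past the end of the buffer */
} Ip6Chain;

static int ip6_is_exthdr(uint8_t nh) {
    return nh == IP6_HOPOPTS || nh == IP6_ROUTING || nh == IP6_FRAGMENT ||
           nh == IP6_AH || nh == IP6_DSTOPTS;
}

/* Returns 0 and fills 'c' on success; -1 if the packet is not IPv6, the chain is
 * truncated, or it carries more than MAX_EXTHDRS headers. ESP (50) ends the walk,
 * since everything after it is encrypted and is reported as the final protocol. */
int ip6_walk_chain(const uint8_t *pkt, size_t len, Ip6Chain *c) {
    memset(c, 0, sizeof(*c));
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];
    size_t off = IP6_HDR_LEN;
    while (ip6_is_exthdr(nh)) {
        if (c->count == MAX_EXTHDRS) return -1;
        if (off + 2 > len) { c->truncated = 1; return -1; }
        size_t hlen = (nh == IP6_FRAGMENT) ? 8                              /* fixed size */
                    : (nh == IP6_AH)       ? ((size_t)pkt[off + 1] + 2) * 4 /* 32-bit units */
                                           : ((size_t)pkt[off + 1] + 1) * 8; /* 64-bit units */
        if (off + hlen > len) { c->truncated = 1; return -1; }
        ExtHdr *e = &c->hdrs[c->count++];
        e->type = nh; e->offset = (uint16_t)off; e->len = (uint16_t)hlen;
        nh = pkt[off];            /* Next Header is always the first byte */
        off += hlen;
    }
    c->final_proto = nh;
    return 0;
}

/* Hypothetical "ip6_exthdr:TYPE; depth:N;": TYPE appears among the first N
 * extension headers (N <= 0 means anywhere). Returns the 1-based position, 0 if none. */
int ip6_exthdr_match(const Ip6Chain *c, uint8_t type, int depth) {
    int limit = (depth <= 0 || depth > c->count) ? c->count : depth;
    for (int i = 0; i < limit; i++)
        if (c->hdrs[i].type == type) return i + 1;
    return 0;
}

/* Hypothetical "ip6_exthdr:44; ip6_exthdr_frag_offset:X; depth:N;": a Fragment header
 * within the first N extension headers whose fragment offset (upper 13 bits) equals X. */
int ip6_frag_offset_match(const uint8_t *pkt, const Ip6Chain *c, int depth, uint16_t want) {
    int limit = (depth <= 0 || depth > c->count) ? c->count : depth;
    for (int i = 0; i < limit; i++) {
        if (c->hdrs[i].type != IP6_FRAGMENT) continue;
        uint16_t f = (uint16_t)((pkt[c->hdrs[i].offset + 2] << 8) | pkt[c->hdrs[i].offset + 3]);
        if ((f >> 3) == want) return 1;
    }
    return 0;
}

/* Constructed sample packet (not a capture): IPv6 ::1 -> ::2, then Hop-by-Hop and
 * Fragment (offset 0, M=1) in either order, then a zeroed 20-byte TCP stub. */
size_t build_sample_packet(uint8_t *buf, size_t cap, int frag_first) {
    const uint8_t hbh[8]  = { IP6_FRAGMENT, 0, 1, 4, 0, 0, 0, 0 };        /* PadN option */
    const uint8_t frag[8] = { 6, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef }; /* off 0, M=1, id */
    size_t total = IP6_HDR_LEN + 16 + 20;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60; buf[5] = 36; buf[7] = 64;   /* version 6, payload length, hop limit */
    buf[23] = 1; buf[39] = 2;                  /* src ::1, dst ::2 */
    if (frag_first) {  /* Fragment before Hop-by-Hop: out of RFC order, worth flagging */
        buf[6] = IP6_FRAGMENT;
        memcpy(buf + 40, frag, 8); buf[40] = IP6_HOPOPTS;
        memcpy(buf + 48, hbh, 8);  buf[48] = 6;
    } else {
        buf[6] = IP6_HOPOPTS;
        memcpy(buf + 40, hbh, 8);
        memcpy(buf + 48, frag, 8);
    }
    return total;
}

int main(void) {
    uint8_t pkt[128]; Ip6Chain c;
    for (int ff = 0; ff < 2; ff++) {
        size_t n = build_sample_packet(pkt, sizeof pkt, ff);
        if (ip6_walk_chain(pkt, n, &c) != 0) { puts("malformed chain"); continue; }
        printf("chain:");
        for (int i = 0; i < c.count; i++) printf(" %u@%u", c.hdrs[i].type, c.hdrs[i].offset);
        printf(" -> ip_proto %u; ip6_exthdr:44;depth:1 %s\n", c.final_proto,
               ip6_exthdr_match(&c, IP6_FRAGMENT, 1) ? "matches" : "does not match");
    }
    return 0;
}
```

The walk is where the cost Victor mentions lives: each extension header has its own length encoding (Fragment is fixed, AH counts 32-bit words, the rest count 64-bit words), and a truncated or over-long chain has to abort cleanly rather than read past the buffer. A byte_jump-based rule would have to re-derive exactly these offsets for every chain shape it wants to match, which is why a decoder-level keyword is the more robust place to expose the information.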