[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Tue Jun 5 12:19:00 UTC 2012
On 06/04/2012 04:37 PM, Michel SABORDE wrote:
> It works fine ! Thank you again !
Great, thanks for testing!
> Any news about IPv4-in-IPv6 support ?
Nothing yet. We're tracking the issue in the ticket you opened (#462).
Cheers,
Victor
>
> Michel
> 2012/5/20 Victor Julien <victor at inliniac.net>
>
> I pushed a fix for this to the current git master. Please test!
>
> Thanks Michel!
>
> Cheers,
> Victor
>
> On 05/10/2012 02:16 PM, Michel SABORDE wrote:
> > In the pcap I already sent, there was no AH extension header.
> > Here is a new pcap with AH.
> >
> > Michel
> >
> > 2012/5/10 Peter Manev <petermanev at gmail.com>
> >
> > Is this the same pcap, as provided earlier in the mail conversation?
> >
> > thanks
> >
> >
> > On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE
> > <michel.saborde at gmail.com> wrote:
> >
> > I just tried the latest git master and no alert is triggered if
> > an AH extension header is present.
> >
> > Michel
> > 2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
> >
> > No sorry !
> > But is there a way I can download the latest git as a tgz
> > or something ?
> > I don't have git atm.
> >
> > Michel
> >
> > 2012/5/10 Peter Manev <petermanev at gmail.com>
> >
> > Hi,
> >
> > Did you try the latest git master?
> >
> > thanks
> >
> > On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE
> > <michel.saborde at gmail.com> wrote:
> >
> > Hi again :)
> >
> > I just tried AH extension header (not ESP) but I
> > think suricata doesn't recognize it yet.
> > Can you confirm ?
> > I have a pcap if needed.
> >
> > Any news about more detailed ipv6 extension header rules ?
> >
> > Michel
> >
> > 2012/4/21 Victor Julien <victor at inliniac.net>
> >
> > On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> > > Btw, is it possible (I'm sure it is) to write a signature that triggers
> > > when Routing Header type 0 is present in a packet ?
> > > Or even just if any routing header is present ?
> >
> > Actually I don't think there is currently.
> >
> > Maybe we should add a keyword like:
> >
> > ip6exthdr:frag,>1; // more than one frag hdr
> > ip6exthdr:routing,1 // routing hdr present
> > ip6exthdr:esp,0; // esp hdr not present
> >
> > For more detailed matching:
> >
> > ip6rh_type:0;
> > ip6rh_type0:<ip6 addr/cidr>;
> >
> > Or something... suggestions are welcome.
> >
> > > I've found some decode-event rules in the decoder-events.rules file but
> > > rules are only for duplicated extension headers.
> >
> > Yes, these are only for anomalies.
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
> >
> >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
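
Added example, not part of the original messages and not Suricata's decoder: the thread asks for matching on which IPv6 extension headers are present (routing header type 0, AH, repeated fragment headers), and this sketch walks the extension header chain of a raw IPv6 packet and returns the per-header counts and routing types that keywords like the proposed `ip6exthdr` and `ip6rh_type` would compare against. The function names and the sample packet are constructed for illustration; the length rules follow RFC 8200 and, for AH, RFC 4302.

```python
import struct
from collections import Counter

# IPv6 Next Header values (IANA protocol numbers) of the extension headers
HOPOPTS, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
NAMES = {HOPOPTS: "hopopts", ROUTING: "routing", FRAGMENT: "frag",
         ESP: "esp", AH: "ah", DSTOPTS: "dstopts"}

def walk_ext_headers(packet: bytes):
    """Return (Counter of header names, routing types seen, upper-layer protocol or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40               # Next Header of the fixed header
    counts, rh_types = Counter(), []
    while nxt in NAMES:
        counts[NAMES[nxt]] += 1
        if nxt == ESP:                     # the rest is encrypted, stop here
            return counts, rh_types, None
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        hdr_next, hdr_len = packet[off], packet[off + 1]
        if nxt == FRAGMENT:
            size = 8                       # fixed size, second byte is reserved
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return counts, rh_types, None   # non-first fragment: no headers follow
        elif nxt == AH:
            size = (hdr_len + 2) * 4       # RFC 4302: 4-octet words, minus 2
        else:
            size = (hdr_len + 1) * 8       # 8-octet units, first 8 not counted
        if off + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        if nxt == ROUTING:
            rh_types.append(packet[off + 2])    # Routing Type field
        nxt, off = hdr_next, off + size
    return counts, rh_types, nxt

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet, 2001:db8::1 -> 2001:db8::2 (documentation prefix)."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed sample: routing header type 0 -> AH -> 20 bytes standing in for TCP
RH0 = bytes([AH, 2, 0, 1]) + bytes(4) + bytes(16)
AH_HDR = bytes([6, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + bytes(12)
SAMPLE = ipv6(ROUTING, RH0 + AH_HDR + bytes(20))

if __name__ == "__main__":
    print(walk_ext_headers(SAMPLE))
```

AH is the one header in the chain whose length byte counts 4-octet words minus 2, so a walker that applies the generic 8-octet rule to it lands at the wrong offset for whatever follows.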