[Oisf-users] IPv6 & Extension header
Michel SABORDE
michel.saborde at gmail.com
Mon Jun 11 10:03:10 UTC 2012
Hi everyone,
I just tested the Teredo tunneling protocol but it seems that Suricata does
not recognize it at all.
Is it a bug ? Or should i open a ticket for a feature request ?
More information about teredo here : http://www.ietf.org/rfc/rfc4380.txt
I also attached a pcap to this email.
Michel
2012/6/5 Victor Julien <victor at inliniac.net>
> On 06/04/2012 04:37 PM, Michel SABORDE wrote:
> > It works fine ! Thank you again !
>
> Great, thanks for testing!
>
> > Any news about IPv4-in-IPv6 support ?
>
> Nothing yet. We're tracking the issue in the ticket you opened (#462).
>
> Cheers,
> Victor
>
> >
> > Michel
> > 2012/5/20 Victor Julien <victor at inliniac.net <mailto:victor at inliniac.net
> >>
> >
> > I pushed a fix for this to the current git master. Please test!
> >
> > Thanks Michel!
> >
> > Cheers,
> > Victor
> >
> > On 05/10/2012 02:16 PM, Michel SABORDE wrote:
> > > In the pcap i already sent, there was no AH extension header.
> > > Here is a new pcap with AH.
> > >
> > > Michel
> > >
> > > 2012/5/10 Peter Manev <petermanev at gmail.com
> > <mailto:petermanev at gmail.com> <mailto:petermanev at gmail.com
> > <mailto:petermanev at gmail.com>>>
> > >
> > > is this the same pcap, as provided earlier in the mail
> > conversation?
> > >
> > > thanks
> > >
> > >
> > > On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE
> > > <michel.saborde at gmail.com <mailto:michel.saborde at gmail.com>
> > <mailto:michel.saborde at gmail.com <mailto:michel.saborde at gmail.com>>>
> > wrote:
> > >
> > > I just tried the lastest git master and no alert is
> > trigerred if
> > > a A H extension header is present.
> > >
> > > Michel
> > > 2012/5/10 Michel SABORDE <michel.saborde at gmail.com
> > <mailto:michel.saborde at gmail.com>
> > > <mailto:michel.saborde at gmail.com
> > <mailto:michel.saborde at gmail.com>>>
> > >
> > > No sorry !
> > > But is there a way i can download the lastest git as a
> tgz
> > > or something ?
> > > I don't have git atm.
> > >
> > > Michel
> > >
> > > 2012/5/10 Peter Manev <petermanev at gmail.com
> > <mailto:petermanev at gmail.com>
> > > <mailto:petermanev at gmail.com
> > <mailto:petermanev at gmail.com>>>
> > >
> > > Hi,
> > >
> > > Did you try the latest git master?
> > >
> > > thanks
> > >
> > > On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE
> > > <michel.saborde at gmail.com
> > <mailto:michel.saborde at gmail.com>
> > > <mailto:michel.saborde at gmail.com
> > <mailto:michel.saborde at gmail.com>>> wrote:
> > >
> > > Hi again :)
> > >
> > > I just tried AH extension header (not ESP) but
> i
> > > think suricata doesn't recognize it yet.
> > > Can you confirm ?
> > > I have a pcap if needed.
> > >
> > > Any news about more detailed ipv6 extension
> header
> > > rules ?
> > >
> > > Michel
> > >
> > > 2012/4/21 Victor Julien <victor at inliniac.net
> > <mailto:victor at inliniac.net>
> > > <mailto:victor at inliniac.net
> > <mailto:victor at inliniac.net>>>
> > >
> > > On 04/19/2012 02:23 PM, Michel SABORDE
> wrote:
> > > > Btw, is it possible (i'm sure it is) to
> > write
> > > a signature that trigger
> > > > when Routing Header type 0 is present in
> a
> > > packet ?
> > > > Or even just if any routing header is
> > present ?
> > >
> > > Actually I don't think there is currently.
> > >
> > > Maybe we should add a keyword like:
> > >
> > > ip6exthdr:frag,>1; // more than one frag
> hdr
> > > ip6exthdr:routing,1 // routing hdr present
> > > ip6exthdr:esp,0; // esp hdr not present
> > >
> > > For more detailed matching:
> > >
> > > ip6rh_type:0;
> > > ip6rh_type0:<ip6 addr/cidr>;
> > >
> > > Or something... suggestions are welcome.
> > >
> > > > I've found some decode-event rules in the
> > > decoder-events.rules file but
> > > > rules are only for duplicated extension
> > header.
> > >
> > > Yes, these are only for anomalies.
> > >
> > > --
> > >
> ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP:
> http://www.inliniac.net/victorjulien.asc
> > >
> ---------------------------------------------
> > >
> > >
> > >
> > > _______________________________________________
> > > Oisf-users mailing list
> > > Oisf-users at openinfosecfoundation.org
> > <mailto:Oisf-users at openinfosecfoundation.org>
> > > <mailto:Oisf-users at openinfosecfoundation.org
> > <mailto:Oisf-users at openinfosecfoundation.org>>
> > >
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> > >
> > >
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > <mailto:Oisf-users at openinfosecfoundation.org>
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120611/3239c633/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: teredo.pcap
Type: application/octet-stream
Size: 2700 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120611/3239c633/attachment.obj>
More information about the Oisf-users
mailing list