[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Mon Jun 11 10:03:10 UTC 2012


Hi everyone,

I just tested the Teredo tunneling protocol but it seems that Suricata does
not recognize it at all.
Is it a bug? Or should I open a ticket for a feature request?

More information about Teredo here: http://www.ietf.org/rfc/rfc4380.txt
I also attached a pcap to this email.

Michel
2012/6/5 Victor Julien <victor at inliniac.net>

> On 06/04/2012 04:37 PM, Michel SABORDE wrote:
> > It works fine ! Thank you again !
>
> Great, thanks for testing!
>
> > Any news about IPv4-in-IPv6 support ?
>
> Nothing yet. We're tracking the issue in the ticket you opened (#462).
>
> Cheers,
> Victor
>
> >
> > Michel
> > 2012/5/20 Victor Julien <victor at inliniac.net>
> >
> >     I pushed a fix for this to the current git master. Please test!
> >
> >     Thanks Michel!
> >
> >     Cheers,
> >     Victor
> >
> >     On 05/10/2012 02:16 PM, Michel SABORDE wrote:
> >     > In the pcap I already sent, there was no AH extension header.
> >     > Here is a new pcap with AH.
> >     >
> >     > Michel
> >     >
> >     > 2012/5/10 Peter Manev <petermanev at gmail.com>
> >     >
> >     >     Is this the same pcap as provided earlier in the mail conversation?
> >     >
> >     >     thanks
> >     >
> >     >
> >     >     On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> >     >
> >     >         I just tried the latest git master and no alert is triggered if an AH extension header is present.
> >     >
> >     >         Michel
> >     >         2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
> >     >
> >     >             No sorry!
> >     >             But is there a way I can download the latest git as a tgz or something?
> >     >             I don't have git atm.
> >     >
> >     >             Michel
> >     >
> >     >             2012/5/10 Peter Manev <petermanev at gmail.com>
> >     >
> >     >                 Hi,
> >     >
> >     >                 Did you try the latest git master?
> >     >
> >     >                 thanks
> >     >
> >     >                 On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> >     >
> >     >                     Hi again :)
> >     >
> >     >                     I just tried the AH extension header (not ESP) but I think Suricata doesn't recognize it yet.
> >     >                     Can you confirm?
> >     >                     I have a pcap if needed.
> >     >
> >     >                     Any news about more detailed IPv6 extension header rules?
> >     >
> >     >                     Michel
> >     >
> >     >                     2012/4/21 Victor Julien <victor at inliniac.net>
> >     >
> >     >                         On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> >     >                         > Btw, is it possible (I'm sure it is) to write a signature that triggers when Routing Header type 0 is present in a packet?
> >     >                         > Or even just if any routing header is present?
> >     >
> >     >                         Actually I don't think there is currently.
> >     >
> >     >                         Maybe we should add a keyword like:
> >     >
> >     >                         ip6exthdr:frag,>1; // more than one frag hdr
> >     >                         ip6exthdr:routing,1; // routing hdr present
> >     >                         ip6exthdr:esp,0; // esp hdr not present
> >     >
> >     >                         For more detailed matching:
> >     >
> >     >                         ip6rh_type:0;
> >     >                         ip6rh_type0:<ip6 addr/cidr>;
> >     >
> >     >                         Or something... suggestions are welcome.
> >     >
> >     >                         > I've found some decode-event rules in the decoder-events.rules file but rules are only for duplicated extension headers.
> >     >
> >     >                         Yes, these are only for anomalies.
> >     >
> >     >                         --
> >     >                         ---------------------------------------------
> >     >                         Victor Julien
> >     >                         http://www.inliniac.net/
> >     >                         PGP: http://www.inliniac.net/victorjulien.asc
> >     >                         ---------------------------------------------
> >     >
> >     >
> >     >
> >     >                     _______________________________________________
> >     >                     Oisf-users mailing list
> >     >                     Oisf-users at openinfosecfoundation.org
> >     >                     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >     >
> >     >
> >     >
> >     >
> >     >                 --
> >     >                 Regards,
> >     >                 Peter Manev
> >     >
> >     >     --
> >     >     Regards,
> >     >     Peter Manev
> >     >
> >     >
> >
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
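Added example (not code from this thread or from Suricata): a Python walk of the IPv6 extension-header chain that evaluates the kind of checks Victor sketches above (ip6exthdr counts, a routing header of type 0) and carries the length-decoding detail that trips up parsers on AH, which is what the AH reports in this thread turn on. The packet, addresses, SPI and 12-byte ICV are constructed placeholders.

```python
import struct

# IPv6 next-header numbers (IANA protocol numbers)
HOPOPT, TCP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 43, 44, 50, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
SRC = bytes.fromhex("20010db8") + bytes(11) + b"\x01"   # constructed 2001:db8::1
DST = bytes.fromhex("20010db8") + bytes(11) + b"\x02"   # constructed 2001:db8::2

def walk_ext_headers(pkt):
    """Return [(header_number, routing_type_or_None), ...] for every extension
    header in chain order. Stops at ESP: everything behind it is encrypted."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if nh == ESP:
            chain.append((ESP, None))
            break
        if off + 8 > len(pkt):            # every non-ESP ext header is >= 8 bytes
            raise ValueError("truncated extension header")
        next_nh, hdr_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8                      # fixed size; byte 1 is reserved
        elif nh == AH:
            size = (hdr_len + 2) * 4      # RFC 4302: 32-bit words minus 2
        else:
            size = (hdr_len + 1) * 8      # RFC 2460: 8-octet units minus 1
        chain.append((nh, pkt[off + 2] if nh == ROUTING else None))
        nh, off = next_nh, off + size
    return chain

def match(chain, hdr, op, n):
    """One check in the spirit of the proposed ip6exthdr:<hdr>,<op><n>."""
    count = sum(1 for h, _ in chain if h == hdr)
    return {">": count > n, "=": count == n, "<": count < n}[op]

def routing_types(chain):
    """Routing types present, for a check like the proposed ip6rh_type:0."""
    return [rt for h, rt in chain if h == ROUTING]

def build_sample():
    """Constructed packet: IPv6 / Routing type 0 / Fragment / Fragment / AH / TCP."""
    routing = bytes([FRAGMENT, 2, 0, 1]) + bytes(4) + DST             # 24 bytes
    frag1 = bytes([FRAGMENT, 0, 0, 0]) + bytes.fromhex("00000001")    # 8 bytes
    frag2 = bytes([AH, 0, 0, 0]) + bytes.fromhex("00000001")          # 8 bytes
    ah = bytes([TCP, 4, 0, 0]) + bytes.fromhex("0000010000000001") + bytes(12)  # 24
    payload = routing + frag1 + frag2 + ah + bytes(20)                 # + bare TCP
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), ROUTING, 64, SRC, DST)
    return hdr + payload
```

A decoder that applies the 8-octet rule to AH as well walks off by the wrong amount and never sees the header that follows, which is the failure mode worth a decode event of its own.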
-------------- next part --------------
A non-text attachment was scrubbed...
Name: teredo.pcap
Type: application/octet-stream
Size: 2700 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120611/3239c633/attachment.obj>