[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Mon Jun 11 13:38:29 UTC 2012
On 06/11/2012 12:03 PM, Michel SABORDE wrote:
> Hi everyone,
>
> I just tested the Teredo tunneling protocol but it seems that Suricata
> does not recognize it at all.
> Is it a bug? Or should I open a ticket for a feature request?
It's a missing feature. Please open a ticket.
Cheers,
Victor
>
> More information about Teredo here: http://www.ietf.org/rfc/rfc4380.txt
> I also attached a pcap to this email.
>
> Michel
> 2012/6/5 Victor Julien <victor at inliniac.net>
>
> On 06/04/2012 04:37 PM, Michel SABORDE wrote:
> > It works fine! Thank you again!
>
> Great, thanks for testing!
>
> > Any news about IPv4-in-IPv6 support?
>
> Nothing yet. We're tracking the issue in the ticket you opened (#462).
>
> Cheers,
> Victor
>
> >
> > Michel
> > 2012/5/20 Victor Julien <victor at inliniac.net>
> >
> > I pushed a fix for this to the current git master. Please test!
> >
> > Thanks Michel!
> >
> > Cheers,
> > Victor
> >
> > On 05/10/2012 02:16 PM, Michel SABORDE wrote:
> > > In the pcap I already sent, there was no AH extension header.
> > > Here is a new pcap with AH.
> > >
> > > Michel
> > >
> > > 2012/5/10 Peter Manev <petermanev at gmail.com>
> > >
> > > is this the same pcap, as provided earlier in the mail conversation?
> > >
> > > thanks
> > >
> > >
> > > On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> > >
> > > I just tried the latest git master and no alert is triggered if
> > > an AH extension header is present.
> > >
> > > Michel
> > > 2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
> > >
> > > No sorry!
> > > But is there a way I can download the latest git as a tgz
> > > or something?
> > > I don't have git atm.
> > >
> > > Michel
> > >
> > > 2012/5/10 Peter Manev <petermanev at gmail.com>
> > >
> > > Hi,
> > >
> > > Did you try the latest git master?
> > >
> > > thanks
> > >
> > > On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> > >
> > > Hi again :)
> > >
> > > I just tried AH extension header (not ESP) but I
> > > think Suricata doesn't recognize it yet.
> > > Can you confirm?
> > > I have a pcap if needed.
> > >
> > > Any news about more detailed IPv6 extension header
> > > rules?
> > >
> > > Michel
> > >
> > > 2012/4/21 Victor Julien <victor at inliniac.net>
> > >
> > > On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> > > > Btw, is it possible (I'm sure it is) to write
> > > > a signature that triggers
> > > > when Routing Header type 0 is present in a
> > > > packet?
> > > > Or even just if any routing header is present?
> > >
> > > Actually I don't think there is currently.
> > >
> > > Maybe we should add a keyword like:
> > >
> > > ip6exthdr:frag,>1; // more than one frag hdr
> > > ip6exthdr:routing,1 // routing hdr present
> > > ip6exthdr:esp,0; // esp hdr not present
> > >
> > > For more detailed matching:
> > >
> > > ip6rh_type:0;
> > > ip6rh_type0:<ip6 addr/cidr>;
> > >
> > > Or something... suggestions are welcome.
> > >
> > > > I've found some decode-event rules in the
> > > > decoder-events.rules file but
> > > > rules are only for duplicated extension header.
> > >
> > > Yes, these are only for anomalies.
> > >
> > > --
> > > ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP: http://www.inliniac.net/victorjulien.asc
> > > ---------------------------------------------
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Oisf-users mailing list
> > > Oisf-users at openinfosecfoundation.org
> > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> > >
> > >
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
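
Added example, not part of the original thread and not Suricata code: a small Python walker for the IPv6 extension header chain, showing what the keywords proposed in the quoted 2012/4/21 message would count and why AH needs its own length rule. The `ip6exthdr` syntax is only the proposal from the thread; the function names, the exact-count reading of a bare number, and the sample packet are assumptions constructed for illustration.

```python
# IPv6 Next Header values for extension headers (IANA protocol numbers).
NAMES = {0: "hopopts", 43: "routing", 44: "frag", 50: "esp", 51: "ah", 60: "dstopts"}

def walk_ext_headers(pkt):
    """Return (per-header counts, routing types seen, upper-layer protocol or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, counts, rh_types = pkt[6], 40, {}, []
    while nxt in NAMES:
        name = NAMES[nxt]
        counts[name] = counts.get(name, 0) + 1
        if name == "esp":
            return counts, rh_types, None      # rest of the chain is encrypted
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if name == "frag":
            hdr_len = 8                        # fixed size, no length field
        elif name == "ah":
            hdr_len = (pkt[off + 1] + 2) * 4   # AH counts 32-bit words, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # 8-octet units beyond the first 8
        if off + hdr_len > len(pkt):
            raise ValueError("extension header overruns packet")
        if name == "routing":
            rh_types.append(pkt[off + 2])      # Routing Type field
        if name == "frag" and (pkt[off + 2] << 8 | pkt[off + 3]) >> 3:
            return counts, rh_types, None      # non-first fragment: no headers follow
        nxt, off = pkt[off], off + hdr_len
    return counts, rh_types, nxt

def match_ip6exthdr(counts, spec):
    """Evaluate the thread's *proposed* syntax, e.g. 'frag,>1' or 'esp,0'.
    Assumption: a bare N means exactly N headers, '>N' means more than N."""
    name, want = (s.strip() for s in spec.split(","))
    have = counts.get(name, 0)
    return have > int(want[1:]) if want.startswith(">") else have == int(want)

def sample_packet():
    """Constructed packet: IPv6 -> Routing (type 0) -> AH -> 20 dummy TCP bytes."""
    addr = bytes(16)
    routing = bytes([51, 2, 0, 1]) + bytes(4) + addr       # (2+1)*8 = 24 bytes
    ah = bytes([6, 4, 0, 0]) + bytes(8) + bytes(12)        # (4+2)*4 = 24 bytes
    payload = routing + ah + bytes(20)
    ip6 = bytes([0x60, 0, 0, 0]) + len(payload).to_bytes(2, "big") + bytes([43, 64])
    return ip6 + addr + addr + payload

if __name__ == "__main__":
    print(walk_ext_headers(sample_packet()))
```

A decoder that applied the generic 8-octet length rule to AH would land at the wrong offset and misread every header after it.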