[Oisf-users] IPv6 & Extension header
Michel SABORDE
michel.saborde at gmail.com
Mon Jun 18 10:06:40 UTC 2012
Hi,
I've been trying to create a signature to identify IPv6 extension headers.
When I try to use ip_proto in my signature, it only matches the next "real"
protocol like TCP, not the immediately following IPv6 extension header.
I think Suricata recognizes the protocol following the last IPv6 extension
header.
If it is the normal behaviour, it would be nice to have a keyword to match
the immediately following protocol.
Michel
2012/6/11 Victor Julien <victor at inliniac.net>
> On 06/11/2012 12:03 PM, Michel SABORDE wrote:
> > Hi everyone,
> >
> > I just tested the Teredo tunneling protocol but it seems that Suricata
> > does not recognize it at all.
> > Is it a bug? Or should I open a ticket for a feature request?
>
> It's a missing feature. Please open a ticket.
>
> Cheers,
> Victor
>
> >
> > More information about Teredo here: http://www.ietf.org/rfc/rfc4380.txt
> > I also attached a pcap to this email.
> >
> > Michel
> > 2012/6/5 Victor Julien <victor at inliniac.net>
> >
> > On 06/04/2012 04:37 PM, Michel SABORDE wrote:
> > > It works fine! Thank you again!
> >
> > Great, thanks for testing!
> >
> > > Any news about IPv4-in-IPv6 support?
> >
> > Nothing yet. We're tracking the issue in the ticket you opened (#462).
> >
> > Cheers,
> > Victor
> >
> > >
> > > Michel
> > > 2012/5/20 Victor Julien <victor at inliniac.net>
> > >
> > > I pushed a fix for this to the current git master. Please test!
> > >
> > > Thanks Michel!
> > >
> > > Cheers,
> > > Victor
> > >
> > > On 05/10/2012 02:16 PM, Michel SABORDE wrote:
> > > > In the pcap I already sent, there was no AH extension header.
> > > > Here is a new pcap with AH.
> > > >
> > > > Michel
> > > >
> > > > 2012/5/10 Peter Manev <petermanev at gmail.com>
> > > >
> > > > is this the same pcap, as provided earlier in the mail conversation?
> > > >
> > > > thanks
> > > >
> > > >
> > > > On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> > > >
> > > > I just tried the latest git master and no alert is triggered if
> > > > an AH extension header is present.
> > > >
> > > > Michel
> > > > 2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
> > > >
> > > > No sorry !
> > > > But is there a way I can download the latest git as a tgz or something?
> > > > I don't have git atm.
> > > >
> > > > Michel
> > > >
> > > > 2012/5/10 Peter Manev <petermanev at gmail.com>
> > > >
> > > > Hi,
> > > >
> > > > Did you try the latest git master?
> > > >
> > > > thanks
> > > >
> > > > On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> > > >
> > > > Hi again :)
> > > >
> > > > I just tried the AH extension header (not ESP) but I think Suricata
> > > > doesn't recognize it yet.
> > > > Can you confirm?
> > > > I have a pcap if needed.
> > > >
> > > > Any news about more detailed IPv6 extension header rules?
> > > >
> > > > Michel
> > > >
> > > > 2012/4/21 Victor Julien <victor at inliniac.net>
> > > >
> > > > On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> > > > > Btw, is it possible (I'm sure it is) to write a signature that triggers
> > > > > when Routing Header type 0 is present in a packet?
> > > > > Or even just if any routing header is present?
> > > >
> > > > Actually I don't think there is currently.
> > > >
> > > > Maybe we should add a keyword like:
> > > >
> > > > ip6exthdr:frag,>1;   // more than one frag hdr
> > > > ip6exthdr:routing,1  // routing hdr present
> > > > ip6exthdr:esp,0;     // esp hdr not present
> > > >
> > > > For more detailed matching:
> > > >
> > > > ip6rh_type:0;
> > > > ip6rh_type0:<ip6 addr/cidr>;
> > > >
> > > > Or something... suggestions are welcome.
> > > >
> > > > > I've found some decode-event rules in the decoder-events.rules file but
> > > > > rules are only for duplicated extension header.
> > > >
> > > > Yes, these are only for anomalies.
> > > >
> > > > --
> > > > ---------------------------------------------
> > > > Victor Julien
> > > > http://www.inliniac.net/
> > > > PGP: http://www.inliniac.net/victorjulien.asc
> > > > ---------------------------------------------
> > > >
> > > > _______________________________________________
> > > > Oisf-users mailing list
> > > > Oisf-users at openinfosecfoundation.org
> > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > >
> > > > --
> > > > Regards,
> > > > Peter Manev
> > > >
> > >
> > > --
> > > ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP: http://www.inliniac.net/victorjulien.asc
> > > ---------------------------------------------
> > >
> > >
> > >
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
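The behaviour Michel describes (ip_proto matching TCP rather than the extension header that directly follows the base IPv6 header) comes from how the Next Header chain is walked: a decoder steps through every extension header until it reaches an upper-layer protocol, and that final value is what a protocol keyword sees. The following is an added example written for this page, not code from Suricata or from anyone in the thread. It walks the chain of a raw IPv6 packet, records the first Next Header value (what a "next header" keyword would match), the final upper-layer protocol (what ip_proto matches), a per-type count of extension headers (the data a keyword such as the proposed ip6exthdr:frag,>1 would need), and the Routing Type of every routing header so that Routing Header type 0 can be flagged. The ip6exthdr() helper, the packet-builder functions and the sample packets are constructed for illustration and are not a Suricata API; the sample packets use :: as both addresses and carry no real traffic.

```python
"""Walk an IPv6 extension-header chain (constructed example, not Suricata code)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Next Header values of the IPv6 extension headers (IANA protocol numbers).
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOPOPT: "hopopts", ROUTING: "routing", FRAGMENT: "frag",
             ESP: "esp", AH: "ah", DSTOPTS: "dstopts"}


@dataclass
class Ip6Chain:
    first_next_header: int                      # Next Header field of the base IPv6 header
    upper_layer_proto: Optional[int] = None     # what ip_proto ends up matching; None if hidden behind ESP
    counts: Dict[str, int] = field(default_factory=dict)     # extension header type -> occurrences
    routing_types: List[int] = field(default_factory=list)   # Routing Type of each routing header seen


def walk_ipv6_chain(pkt: bytes) -> Ip6Chain:
    """Follow the Next Header chain from the fixed 40-byte IPv6 header to the upper-layer protocol."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]
    chain = Ip6Chain(first_next_header=nh)
    off = 40
    while nh in EXT_NAMES:
        name = EXT_NAMES[nh]
        chain.counts[name] = chain.counts.get(name, 0) + 1
        if nh == ESP:
            # Everything after the ESP header is encrypted; the real upper-layer protocol is not visible.
            return chain
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            hdr_len = 8                      # fixed size (RFC 2460)
        elif nh == AH:
            hdr_len = (ext_len + 2) * 4      # AH Payload Len is in 32-bit words minus 2 (RFC 4302)
        else:
            hdr_len = (ext_len + 1) * 8      # Hdr Ext Len is in 8-octet units, not counting the first 8
        if nh == ROUTING:
            chain.routing_types.append(pkt[off + 2])   # Routing Type byte; 0 is the deprecated RH0
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        nh, off = next_nh, off + hdr_len
    chain.upper_layer_proto = nh
    return chain


def ip6exthdr(chain: Ip6Chain, name: str, op: str, value: int) -> bool:
    """Check in the spirit of the proposed ip6exthdr:<name>,<op><value> keyword (hypothetical, not Suricata)."""
    count = chain.counts.get(name, 0)
    return {">": count > value, "<": count < value, "=": count == value}[op]


# --- constructed sample packets (both addresses are ::, no real traffic) ---

def _ipv6(next_header: int, payload: bytes) -> bytes:
    # version 6, traffic class/flow label 0, payload length, next header, hop limit 64, src ::, dst ::
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload

def _routing_rh0(next_header: int, addrs: List[bytes]) -> bytes:
    # Routing header type 0: next hdr, hdr ext len (2 per address), type 0, segments left, 4 reserved bytes
    return bytes([next_header, 2 * len(addrs), 0, len(addrs)]) + bytes(4) + b"".join(addrs)

def _fragment(next_header: int, offset: int = 0, more: bool = False, ident: int = 1) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)

def _ah(next_header: int, icv_len: int = 12) -> bytes:
    # AH: next hdr, payload len, reserved, SPI, sequence number, ICV (all zeros here)
    total = 12 + icv_len
    return bytes([next_header, total // 4 - 2, 0, 0]) + bytes(8) + bytes(icv_len)

TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # minimal SYN, constructed

PKT_RH0 = _ipv6(ROUTING, _routing_rh0(6, [bytes(16)]) + TCP_HDR)              # IPv6 / RH0 / TCP
PKT_TWO_FRAG = _ipv6(FRAGMENT, _fragment(FRAGMENT) + _fragment(6) + TCP_HDR)  # IPv6 / Frag / Frag / TCP (anomalous)
PKT_AH_ESP = _ipv6(AH, _ah(ESP) + bytes(8))                                   # IPv6 / AH / ESP (opaque after ESP)

if __name__ == "__main__":
    for label, pkt in (("rh0", PKT_RH0), ("two_frag", PKT_TWO_FRAG), ("ah_esp", PKT_AH_ESP)):
        c = walk_ipv6_chain(pkt)
        print(label, "first_nh=%d upper=%s counts=%s rh_types=%s"
              % (c.first_next_header, c.upper_layer_proto, c.counts, c.routing_types))
```

For PKT_RH0 the walk reports first_next_header 43 and upper_layer_proto 6, which is exactly the gap in the thread: a rule on ip_proto:43 never fires because the decoder has already moved past the routing header to TCP, while the count and routing_types fields carry what an ip6exthdr:routing,1 or ip6rh_type:0 style keyword would test. The ESP case shows why such a keyword has to stop at ESP: nothing after it can be parsed, so the upper-layer protocol is reported as unknown rather than guessed.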