[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Wed Jun 20 12:54:10 UTC 2012


I don't really know.
Maybe something like ip6_exthdr:44;depth:1; which would allow looking for a
specific extension header in the next "depth" extension headers following
the IPv6 header.
I think you can adapt a few content modifiers to create more specific
rules, like a specific sequence of extension headers.
Moreover, depending on the extension header, you can add specific keywords
like ip6_exthdr_frag_offset:0; between ip6_exthdr and the "content
modifier":

ip6_exthdr:44;ip6_exthdr_frag_offset:0;depth:1; will match only if there is
a Fragmentation Header immediately after the IPv6 header with an offset of 0.

Also, it could be nice to have a rule based on ip4 (respectively ip6) to
match only IPv4 (respectively IPv6) traffic.
Michel

2012/6/20 Victor Julien <victor at inliniac.net>

> On 06/18/2012 12:06 PM, Michel SABORDE wrote:
> > Hi,
> >
> > I've been trying to create signature to identify IPv6 extension header.
> > When I try to use ip_proto in my signature, it only matches the next
> > "real" protocol like TCP, not the immediately following IPv6 extension
> > header.
> > I think Suricata recognizes the protocol following the last IPv6
> > extension header.
> > If it is the normal behaviour, it would be nice to have a keyword to
> > match the immediately following protocol.
>
> Yes, this behavior is intended. I'd be happy to add a keyword to test
> for ext hdr presence. Any suggestions on what it should look like?
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
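The ip6_exthdr / depth / ip6_exthdr_frag_offset semantics sketched in Michel's reply, as an added illustration that is not Suricata code or code from anyone in the thread: a small Python walker over the IPv6 extension-header chain, run against packets constructed inline. The keyword names and the idea that `depth` counts extension headers starting right after the IPv6 header come from the message; the packet builder, sample headers and function names are assumptions made for this example.

```python
import struct

# Next-header values that are IPv6 extension headers (RFC 2460); example code, not Suricata's
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dst Opts"}
FRAGMENT, AH = 44, 51

def walk_ext_headers(pkt):
    """Walk the chain after the fixed 40-byte IPv6 header. Returns
    ([(type, header_bytes), ...], final_next_header); the final value is the upper-layer protocol."""
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        if nh == FRAGMENT:
            hlen = 8                       # Fragment header has a fixed size
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4  # AH length is in 4-byte units, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8  # others: 8-byte units, not counting the first 8
        chain.append((nh, pkt[off:off + hlen]))
        nh, off = pkt[off], off + hlen
    return chain, nh

def ip6_exthdr_match(pkt, wanted, depth=None, frag_offset=None):
    """Emulate ip6_exthdr:<wanted>;depth:<depth>;ip6_exthdr_frag_offset:<frag_offset>;
    <wanted> must be among the first <depth> extension headers; a Fragment header must carry <frag_offset>."""
    chain, _ = walk_ext_headers(pkt)
    for nh, hdr in (chain if depth is None else chain[:depth]):
        if nh != wanted:
            continue
        if frag_offset is not None and nh == FRAGMENT:
            if struct.unpack("!H", hdr[2:4])[0] >> 3 != frag_offset:  # 13-bit offset field
                continue
        return True
    return False

def build_ipv6(exts, upper=6):
    """Constructed test packet: IPv6 header + the given extension headers. exts is a list of
    (type, raw_header); byte 0 of each raw header is rewritten to point at the following header."""
    types = [t for t, _ in exts] + [upper]
    body = b"".join(bytes([types[i + 1]]) + raw[1:] for i, (_, raw) in enumerate(exts))
    return struct.pack("!IHBB", 0x60000000, len(body), types[0], 64) + bytes(32) + body

# Constructed headers: Hop-by-Hop with one PadN option; Fragment with offset 0 (M=1) and offset 1
HBH = bytes([0, 0, 1, 4, 0, 0, 0, 0])
FRAG_OFF0 = bytes([0, 0]) + struct.pack("!H", 0x0001) + b"\x12\x34\x56\x78"
FRAG_OFF1 = bytes([0, 0]) + struct.pack("!H", 0x0008) + b"\x12\x34\x56\x78"
PKT_FRAG_FIRST = build_ipv6([(FRAGMENT, FRAG_OFF0)])
PKT_HBH_THEN_FRAG = build_ipv6([(0, HBH), (FRAGMENT, FRAG_OFF0)])
PKT_FRAG_OFF1 = build_ipv6([(FRAGMENT, FRAG_OFF1)])
```

`walk_ext_headers(...)[1]` is the value the existing ip_proto keyword sees (6 = TCP even when extension headers are present), while `ip6_exthdr_match` only fires when the wanted header sits within the requested depth.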