[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Thu Mar 29 10:55:08 UTC 2012


Hello everyone,

I'm trying to test the IPv6 implementation of Suricata, so I'm doing a bunch
of tests.
For that, I have installed a clean apache2 on a clean server with a single
HTML page called bad.html, and I made a simple rule to alert if
someone tries to access it:

alert tcp any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)

If I do a simple access with my browser (Iceweasel) from a remote computer,
the alert is triggered.
At this point, everything looks fine.

If I now try to access it "manually" with a Scapy script, adding some
extension headers, no alert is triggered and I can retrieve the HTML page.
I tried with:
- Fragmentation header
- Hop-By-Hop header
- Destination header
- Routing header type 0 without any addresses

I tried to change the rule from tcp to ip:

alert ip any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)

Then, the alert is triggered only with:
- Hop-By-Hop header
- Destination header
But not with:
- Fragmentation header
- Routing header type 0 without any addresses

Maybe I missed something in the config file of Suricata?
My opinion is that Suricata should always trigger the alert in every case.

I'm using Suricata 1.2.1 on a Debian 6.0 with a 2.6.32 kernel.

Thanks in advance for your help.
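As an added illustration (not from the original post and not Suricata's own decoder), the following Python walks the IPv6 Next Header chain past the four extension headers listed above and then applies a nocase content match to the TCP payload, which is the decoding step an IDS has to perform before a content: rule can see data behind a Fragment or Routing header. The packets are constructed inline with struct and the extension headers carry assumed minimal contents (PadN options, a Routing type 0 header with zero addresses, a first-fragment Fragment header).

```python
import struct

# IANA protocol numbers for the headers involved
HOPOPT, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}

def walk_ipv6_chain(pkt: bytes):
    """Return (upper_layer_proto, offset_of_that_header, frag_offset).

    Follows the Next Header chain through Hop-by-Hop, Routing, Fragment and
    Destination Options headers. frag_offset is None when no Fragment header
    is present, 0 for a first fragment.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, frag_offset = pkt[6], 40, None
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            # Fragment header is always 8 bytes; offset is the top 13 bits of word 2
            nxt, frag_offset = pkt[off], struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nxt, hdr_ext_len = pkt[off], pkt[off + 1]
            off += (hdr_ext_len + 1) * 8
    return nxt, off, frag_offset

def tcp_payload(pkt: bytes) -> bytes:
    """TCP payload of an IPv6 packet; empty if not TCP or a non-first fragment."""
    proto, off, frag_offset = walk_ipv6_chain(pkt)
    if proto != TCP or frag_offset not in (None, 0) or off + 20 > len(pkt):
        return b""
    data_offset = (pkt[off + 12] >> 4) * 4      # TCP Data Offset field, in words
    return pkt[off + data_offset:]

def matches_content(pkt: bytes, pattern: bytes = b"bad.html") -> bool:
    """Equivalent of content:"bad.html"; nocase; applied to the TCP payload."""
    return pattern.lower() in tcp_payload(pkt).lower()

def ext_header(kind: int, nxt: int) -> bytes:
    """Constructed minimal 8-byte extension header of the given kind (assumption)."""
    if kind == FRAGMENT:
        return struct.pack("!BBHI", nxt, 0, 0, 0x1234)   # offset 0, M flag 0, id
    if kind == ROUTING:
        return struct.pack("!BBBB", nxt, 0, 0, 0) + b"\x00" * 4  # type 0, 0 segments left
    return struct.pack("!BB", nxt, 0) + b"\x01\x04" + b"\x00" * 4  # PadN option (6 bytes)

def build_packet(kinds: list, payload: bytes) -> bytes:
    """Constructed sample: IPv6 header + extension headers in order + TCP header + payload."""
    chain = list(kinds) + [TCP]
    body = b"".join(ext_header(k, chain[i + 1]) for i, k in enumerate(kinds))
    body += struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    return struct.pack("!IHBB", 6 << 28, len(body), chain[0], 64) + b"\x00" * 32 + body
```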