[Oisf-users] IPv6 & Extension header

Peter Manev petermanev at gmail.com
Thu Mar 29 11:24:26 UTC 2012


Hi,

When you are using the Scapy script - are you doing the three-way handshake
with scapy?

Because if so - there is a rule that you have to add to your iptables ,
since scapy would send S , the server would return the SA and the kernel/OS
would send back a Reject since it never send a S (it is not aware that
scapy send it).

The way around this is to put a iptables rule that would stop the R coming
from the client to the www server.

Also just have a look at the traffic with wireshar/tcpdump to see if that
is not the problem.

Thanks

On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE
<michel.saborde at gmail.com>wrote:

> Hello everyone,
>
> I'm trying to test the IPv6 implementation of suricata so i'm doing a
> bunch of tests.
> For that, i have installed a clean apache2 on a clean server with a single
> html page called bad.html and i made a simple rule to do an alert if
> someone tries to access it :
>
> alert tcp any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html";
> nocase; sid:1; rev:1;)
> If i do a simple access with my browser (iceweasel) from a remote
> computer, the alert is triggered.
> At this point, everything looks fine.
>
> If i now try to access it "manually" with a scapy script by adding some
> extension headers, no alert is triggered and i can retrieve the html page.
> I tried with :
> - Fragmentation header
> - Hop-By-Hop header
> - Destination header
> - Routing header type 0 without any addresses
>
> I tried to change the rule from tcp to ip :
>
>  alert ip any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html";
> nocase; sid:1; rev:1;)
> Then, the alert is triggered only with :
>  - Hop-By-Hop header
> - Destination header
> But not with :
> - Fragmentation header
> - Routing header type 0 without any addresses
>
> Maybe i missed something in the config file of suricata ?
> My opinion is that suricata should always trigger the alert in every case.
>
> I'm using suricata 1.2.1 on a debian 6.0 with a 2.6.32 kernel.
>
> Thanks in advance for your help
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>


-- 
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120329/917d849d/attachment-0002.html>


More information about the Oisf-users mailing list