[Oisf-users] IPv6 & Extension header

Peter Manev petermanev at gmail.com
Thu Mar 29 11:39:03 UTC 2012 

also you could try/check - with scapy make sure your checksm-ing is
correct.... and it is disabled in the yaml conf

On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev <petermanev at gmail.com> wrote:

> Hi,
>
> When you are using the Scapy script - are you doing the three-way
> handshake with scapy?
>
> Because if so - there is a rule that you have to add to your iptables ,
> since scapy would send S , the server would return the SA and the kernel/OS
> would send back a Reject since it never send a S (it is not aware that
> scapy send it).
>
> The way around this is to put a iptables rule that would stop the R coming
> from the client to the www server.
>
> Also just have a look at the traffic with wireshar/tcpdump to see if that
> is not the problem.
>
> Thanks
>
>  On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE <
> michel.saborde at gmail.com> wrote:
>
>>  Hello everyone,
>>
>> I'm trying to test the IPv6 implementation of suricata so i'm doing a
>> bunch of tests.
>> For that, i have installed a clean apache2 on a clean server with a
>> single html page called bad.html and i made a simple rule to do an alert if
>> someone tries to access it :
>>
>> alert tcp any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html";
>> nocase; sid:1; rev:1;)
>> If i do a simple access with my browser (iceweasel) from a remote
>> computer, the alert is triggered.
>> At this point, everything looks fine.
>>
>> If i now try to access it "manually" with a scapy script by adding some
>> extension headers, no alert is triggered and i can retrieve the html page.
>> I tried with :
>> - Fragmentation header
>> - Hop-By-Hop header
>> - Destination header
>> - Routing header type 0 without any addresses
>>
>> I tried to change the rule from tcp to ip :
>>
>>  alert ip any any <> any any (msg:"[ALERT] bad.html";
>> content:"bad.html"; nocase; sid:1; rev:1;)
>> Then, the alert is triggered only with :
>>  - Hop-By-Hop header
>> - Destination header
>> But not with :
>> - Fragmentation header
>> - Routing header type 0 without any addresses
>>
>> Maybe i missed something in the config file of suricata ?
>> My opinion is that suricata should always trigger the alert in every case.
>>
>> I'm using suricata 1.2.1 on a debian 6.0 with a 2.6.32 kernel.
>>
>> Thanks in advance for your help
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>


-- 
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120329/46c9bc88/attachment-0002.html>

More information about the Oisf-users mailing list