[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Thu Mar 29 12:05:08 UTC 2012


Thanks for your anwswer.

I already looked into everything you mentioned.

I'm doing the three-way handshake and i added the correct ip6tables rule to
prevent the kernel from sending the RST.

I also looked into checksums and disabled the checksum_validation from
suricata config file, i also checked with wireshark, all the checksums are
correct.



It must be something else.

Le 29 mars 2012 13:39, Peter Manev <petermanev at gmail.com> a écrit :

> also you could try/check - with scapy make sure your checksm-ing is
> correct.... and it is disabled in the yaml conf
>
>
> On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev <petermanev at gmail.com> wrote:
>
>> Hi,
>>
>> When you are using the Scapy script - are you doing the three-way
>> handshake with scapy?
>>
>> Because if so - there is a rule that you have to add to your iptables ,
>> since scapy would send S , the server would return the SA and the kernel/OS
>> would send back a Reject since it never send a S (it is not aware that
>> scapy send it).
>>
>> The way around this is to put a iptables rule that would stop the R
>> coming from the client to the www server.
>>
>> Also just have a look at the traffic with wireshar/tcpdump to see if that
>> is not the problem.
>>
>> Thanks
>>
>>  On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE <
>> michel.saborde at gmail.com> wrote:
>>
>>>  Hello everyone,
>>>
>>> I'm trying to test the IPv6 implementation of suricata so i'm doing a
>>> bunch of tests.
>>> For that, i have installed a clean apache2 on a clean server with a
>>> single html page called bad.html and i made a simple rule to do an alert if
>>> someone tries to access it :
>>>
>>> alert tcp any any <> any any (msg:"[ALERT] bad.html";
>>> content:"bad.html"; nocase; sid:1; rev:1;)
>>> If i do a simple access with my browser (iceweasel) from a remote
>>> computer, the alert is triggered.
>>> At this point, everything looks fine.
>>>
>>> If i now try to access it "manually" with a scapy script by adding some
>>> extension headers, no alert is triggered and i can retrieve the html page.
>>> I tried with :
>>> - Fragmentation header
>>> - Hop-By-Hop header
>>> - Destination header
>>> - Routing header type 0 without any addresses
>>>
>>> I tried to change the rule from tcp to ip :
>>>
>>>  alert ip any any <> any any (msg:"[ALERT] bad.html";
>>> content:"bad.html"; nocase; sid:1; rev:1;)
>>> Then, the alert is triggered only with :
>>>  - Hop-By-Hop header
>>> - Destination header
>>> But not with :
>>> - Fragmentation header
>>> - Routing header type 0 without any addresses
>>>
>>> Maybe i missed something in the config file of suricata ?
>>> My opinion is that suricata should always trigger the alert in every
>>> case.
>>>
>>> I'm using suricata 1.2.1 on a debian 6.0 with a 2.6.32 kernel.
>>>
>>> Thanks in advance for your help
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120329/2673c3da/attachment-0002.html>


More information about the Oisf-users mailing list