[Oisf-users] IPv6 & Extension header

Thu Mar 29 13:09:23 UTC 2012

Hi Michel,

If you read the pacaps (-r option, read pcap) from your tests - would the
results be the same?
If you would like, you could share privatelly the pcaps with the yaml conf?

Thanks

On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE <michel.saborde at gmail.com>wrote:

>  Thanks for your anwswer.
>
> I already looked into everything you mentioned.
>
> I'm doing the three-way handshake and i added the correct ip6tables rule
> to prevent the kernel from sending the RST.
>
> I also looked into checksums and disabled the checksum_validation from
> suricata config file, i also checked with wireshark, all the checksums are
> correct.
>
>
>
> It must be something else.
>
>  Le 29 mars 2012 13:39, Peter Manev <petermanev at gmail.com> a écrit :
>
>> also you could try/check - with scapy make sure your checksm-ing is
>> correct.... and it is disabled in the yaml conf
>>
>>
>> On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev <petermanev at gmail.com>wrote:
>>
>>> Hi,
>>>
>>> When you are using the Scapy script - are you doing the three-way
>>> handshake with scapy?
>>>
>>> Because if so - there is a rule that you have to add to your iptables ,
>>> since scapy would send S , the server would return the SA and the kernel/OS
>>> would send back a Reject since it never send a S (it is not aware that
>>> scapy send it).
>>>
>>> The way around this is to put a iptables rule that would stop the R
>>> coming from the client to the www server.
>>>
>>> Also just have a look at the traffic with wireshar/tcpdump to see if
>>> that is not the problem.
>>>
>>> Thanks
>>>
>>>  On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE <
>>> michel.saborde at gmail.com> wrote:
>>>
>>>>  Hello everyone,
>>>>
>>>> I'm trying to test the IPv6 implementation of suricata so i'm doing a
>>>> bunch of tests.
>>>> For that, i have installed a clean apache2 on a clean server with a
>>>> single html page called bad.html and i made a simple rule to do an alert if
>>>> someone tries to access it :
>>>>
>>>> alert tcp any any <> any any (msg:"[ALERT] bad.html";
>>>> content:"bad.html"; nocase; sid:1; rev:1;)
>>>> If i do a simple access with my browser (iceweasel) from a remote
>>>> computer, the alert is triggered.
>>>> At this point, everything looks fine.
>>>>
>>>> If i now try to access it "manually" with a scapy script by adding some
>>>> extension headers, no alert is triggered and i can retrieve the html page.
>>>> I tried with :
>>>> - Fragmentation header
>>>> - Hop-By-Hop header
>>>> - Destination header
>>>> - Routing header type 0 without any addresses
>>>>
>>>> I tried to change the rule from tcp to ip :
>>>>
>>>>  alert ip any any <> any any (msg:"[ALERT] bad.html";
>>>> content:"bad.html"; nocase; sid:1; rev:1;)
>>>> Then, the alert is triggered only with :
>>>>  - Hop-By-Hop header
>>>> - Destination header
>>>> But not with :
>>>> - Fragmentation header
>>>> - Routing header type 0 without any addresses
>>>>
>>>> Maybe i missed something in the config file of suricata ?
>>>> My opinion is that suricata should always trigger the alert in every
>>>> case.
>>>>
>>>> I'm using suricata 1.2.1 on a debian 6.0 with a 2.6.32 kernel.
>>>>
>>>> Thanks in advance for your help
>>>>
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>>
>

-- 
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120329/959e532c/attachment-0002.html>