[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Thu Mar 29 14:30:07 UTC 2012
Can you share the pcaps you created/recorded? Saves us a lot of time
debugging.
Thanks,
Victor
On 03/29/2012 04:27 PM, Michel SABORDE wrote:
> Results are the same with -r.
> On 29 March 2012 at 15:09, Peter Manev <petermanev at gmail.com> wrote:
>
> Hi Michel,
>
> If you read the pcaps (-r option, read pcap) from your tests,
> would the results be the same?
> If you would like, you could share the pcaps privately, with the
> yaml conf?
>
> Thanks
>
> On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE
> <michel.saborde at gmail.com> wrote:
>
> Thanks for your answer.
>
> I already looked into everything you mentioned.
>
> I'm doing the three-way handshake and I added the correct
> ip6tables rule to prevent the kernel from sending the RST.
>
> I also looked into checksums and disabled
> checksum_validation in the Suricata config file; I also checked
> with Wireshark, and all the checksums are correct.
>
> It must be something else.
>
> On 29 March 2012 at 13:39, Peter Manev <petermanev at gmail.com> wrote:
>
> Also, you could try/check: with Scapy, make sure your
> checksumming is correct... and that it is disabled in the yaml conf.
>
>
> On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev
> <petermanev at gmail.com> wrote:
>
> Hi,
>
> When you are using the Scapy script - are you doing the
> three-way handshake with scapy?
>
> Because if so, there is a rule that you have to add to
> your iptables, since Scapy would send the S, the server
> would return the SA, and the kernel/OS would send back a
> Reject since it never sent an S (it is not aware that
> Scapy sent it).
>
> The way around this is to put in an iptables rule that would
> stop the R coming from the client to the www server.
>
> Also, just have a look at the traffic with
> Wireshark/tcpdump to see if that is not the problem.
>
> Thanks
>
> On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE
> <michel.saborde at gmail.com> wrote:
>
> Hello everyone,
>
> I'm trying to test the IPv6 implementation of
> Suricata, so I'm doing a bunch of tests.
> For that, I have installed a clean apache2 on a
> clean server with a single html page called bad.html,
> and I made a simple rule to trigger an alert if someone
> tries to access it:
>
> alert tcp any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)
>
> If I do a simple access with my browser (Iceweasel)
> from a remote computer, the alert is triggered.
> At this point, everything looks fine.
>
> If I now try to access it "manually" with a Scapy
> script, adding some extension headers, no alert is
> triggered and I can retrieve the html page.
> I tried with:
> - Fragmentation header
> - Hop-By-Hop header
> - Destination header
> - Routing header type 0 without any addresses
>
> I tried to change the rule from tcp to ip:
>
> alert ip any any <> any any (msg:"[ALERT] bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)
>
> Then, the alert is triggered only with:
> - Hop-By-Hop header
> - Destination header
> But not with:
> - Fragmentation header
> - Routing header type 0 without any addresses
>
> Maybe I missed something in the Suricata config file?
> My opinion is that Suricata should always trigger
> the alert in every case.
>
> I'm using Suricata 1.2.1 on Debian 6.0 with a
> 2.6.32 kernel.
>
> Thanks in advance for your help
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
>
> --
> Regards,
> Peter Manev
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
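The point Michel's results turn on is that a rule matching on TCP payload can only fire once the engine has walked the IPv6 next-header chain to the TCP header, and, when a Fragment header is present, only after the datagram is reassembled (unless the fragment is atomic). The script below is an added example, not code from this thread, from Suricata or from Scapy: it hand-builds the same four extension headers Michel tested with the standard library only, so it runs offline, and implements the chain walk, a single-packet equivalent of the `content:"bad.html"; nocase;` match, and a minimal reassembly step. The source/destination addresses (2001:db8::1 and ::2), ports, fragment identification and HTTP request are assumed values constructed for the example; header layouts follow RFC 2460. It does not attempt to explain why Suricata 1.2.1 behaved as Michel observed.

```python
"""Constructed example (not code from the thread): hand-built IPv6 packets with
the four extension headers Michel tested, and the next-header chain walk a
detection engine needs before it can match on the TCP payload."""
import struct

HOPOPTS, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
SRC = bytes.fromhex("20010db8000000000000000000000001")  # assumed: 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")  # assumed: 2001:db8::2
REQUEST = b"GET /bad.html HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed


def ipv6_fixed(next_header, body):
    """40-byte fixed header: version 6, zero class/label, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(body), next_header, 64) + SRC + DST + body


def options_header(next_header):
    """Hop-by-Hop / Destination Options: Hdr Ext Len 0 (8 octets), one PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


def routing0_header(next_header):
    """Routing header type 0 with zero addresses: Hdr Ext Len 0, Segments Left 0."""
    return struct.pack("!BBBB", next_header, 0, 0, 0) + b"\x00\x00\x00\x00"


def fragment_header(next_header, offset_units=0, more=False, ident=0x1234):
    """Fragment header: 13-bit offset in 8-octet units, M flag in bit 0, assumed ident."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def tcp_segment(payload, sport=40000, dport=80):
    """Minimal 20-byte TCP header (PSH|ACK); checksum left zero, irrelevant to the walk."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def find_transport(pkt):
    """Walk the chain; return (upper-layer proto, offset of its header or None, needs_reassembly)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, needs_reassembly = pkt[6], 40, False
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:  # fixed 8 octets, no Hdr Ext Len field
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            needs_reassembly = frag_off != 0 or bool(pkt[off + 3] & 1)
            nxt, off = pkt[off], off + 8
            if frag_off != 0:
                return nxt, None, True  # non-first fragment: no transport header here
            continue
        nxt, off = pkt[off], off + 8 + 8 * pkt[off + 1]  # Hdr Ext Len: 8-octet units past the first 8
    return nxt, off, needs_reassembly


def matches_content(pkt, needle=b"bad.html"):
    """Per-packet equivalent of `alert tcp ... content:"bad.html"; nocase;`."""
    proto, off, _ = find_transport(pkt)
    if proto != TCP or off is None or off + 20 > len(pkt):
        return False
    payload = pkt[off + (pkt[off + 12] >> 4) * 4:]  # skip TCP header via Data Offset
    return needle.lower() in payload.lower()


def reassemble(fragments):
    """Join fragments of one datagram (same ident assumed) into an unfragmented packet."""
    pieces, upper = [], None
    for pkt in fragments:
        nxt, off = pkt[6], 40
        while nxt in EXT_HEADERS and nxt != FRAGMENT:  # skip per-fragment headers
            nxt, off = pkt[off], off + 8 + 8 * pkt[off + 1]
        if nxt != FRAGMENT:
            raise ValueError("packet carries no Fragment header")
        upper = pkt[off]
        frag_off = (struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3) * 8
        pieces.append((frag_off, pkt[off + 8:]))
    return ipv6_fixed(upper, b"".join(data for _, data in sorted(pieces)))


def demo():
    """Return {case: (find_transport result, per-packet content match)}."""
    results = {}
    for name, proto, builder in (("hop-by-hop", HOPOPTS, options_header),
                                 ("destination", DSTOPTS, options_header),
                                 ("routing0-empty", ROUTING, routing0_header),
                                 ("fragment-atomic", FRAGMENT, fragment_header),
                                 ("hop-by-hop+routing0", HOPOPTS, lambda n: options_header(ROUTING) + routing0_header(n))):
        pkt = ipv6_fixed(proto, builder(TCP) + tcp_segment(REQUEST))
        results[name] = (find_transport(pkt), matches_content(pkt))
    # Real fragmentation: TCP header + 12 payload bytes keeps the first piece a multiple
    # of 8 octets and splits "bad.html" across fragments, so only the reassembled datagram matches.
    first = ipv6_fixed(FRAGMENT, fragment_header(TCP, 0, more=True) + tcp_segment(REQUEST[:12]))
    tail = ipv6_fixed(FRAGMENT, fragment_header(TCP, 4, more=False) + REQUEST[12:])
    for name, pkt in (("fragment-first", first), ("fragment-tail", tail),
                      ("reassembled", reassemble([first, tail]))):
        results[name] = (find_transport(pkt), matches_content(pkt))
    return results
```

Call `demo()` to see, per case, where the TCP header was found and whether the single-packet content check fires: every single-packet case with Hop-by-Hop, Destination Options, an empty Routing type 0 header or an atomic Fragment header reaches TCP at offset 48 and matches, while the two real fragments each fail on their own and only the reassembled datagram matches. This is a per-packet check for illustration; a stream-aware engine such as Suricata matches over the reassembled TCP stream, so an equivalent test against it needs the whole exchange. For the RST problem Peter describes, the usual form of the rule on the Scapy host (an assumption about the reader's setup, not something stated in the thread) is `ip6tables -A OUTPUT -p tcp --tcp-flags RST RST -d <server> -j DROP`, so the kernel's reset for the connection it never opened does not reach the server.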