[Oisf-users] IPv6 & Extension header

Victor Julien victor at inliniac.net
Thu Mar 29 14:30:07 UTC 2012


Can you share the pcaps you created/recorded? Saves us a lot of time
debugging.

Thanks,
Victor

On 03/29/2012 04:27 PM, Michel SABORDE wrote:
> Results are the same with -r.
> On 29 March 2012 15:09, Peter Manev <petermanev at gmail.com> wrote:
> 
>     Hi Michel,
>      
>     If you read the pcaps (-r option, read pcap) from your tests -
>     would the results be the same?
>     If you would like, you could share privately the pcaps with the
>     yaml conf?
>      
>     Thanks
> 
>     On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE
>     <michel.saborde at gmail.com> wrote:
> 
>         Thanks for your answer.
> 
>         I already looked into everything you mentioned.
> 
>         I'm doing the three-way handshake and I added the correct
>         ip6tables rule to prevent the kernel from sending the RST.
> 
>         I also looked into checksums and disabled the
>         checksum_validation in the suricata config file; I also checked
>         with wireshark, all the checksums are correct.
> 
>          
> 
>         It must be something else.
> 
>         On 29 March 2012 13:39, Peter Manev <petermanev at gmail.com> wrote:
> 
>             Also you could try/check - with scapy make sure your
>             checksumming is correct.... and it is disabled in the yaml conf
> 
> 
>             On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev
>             <petermanev at gmail.com> wrote:
> 
>                 Hi,
>                  
>                 When you are using the Scapy script - are you doing the
>                 three-way handshake with scapy?
>                  
>                 Because if so - there is a rule that you have to add to
>                 your iptables, since scapy would send S, the server
>                 would return the SA and the kernel/OS would send back a
>                 Reject since it never sent an S (it is not aware that
>                 scapy sent it).
>                  
>                 The way around this is to put an iptables rule that would
>                 stop the R coming from the client to the www server.
>                  
>                 Also just have a look at the traffic with
>                 wireshark/tcpdump to see if that is not the problem.
>                  
>                 Thanks
> 
>                 On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE
>                 <michel.saborde at gmail.com> wrote:
> 
>                     Hello everyone,
>                      
>                     I'm trying to test the IPv6 implementation of
>                     suricata, so I'm doing a bunch of tests.
>                     For that, I have installed a clean apache2 on a
>                     clean server with a single html page called bad.html
>                     and I made a simple rule to raise an alert if someone
>                     tries to access it:
>                      
>                     alert tcp any any <> any any (msg:"[ALERT]
>                     bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)
> 
>                     If I do a simple access with my browser (iceweasel)
>                     from a remote computer, the alert is triggered.
>                     At this point, everything looks fine.
>                      
>                     If I now try to access it "manually" with a scapy
>                     script by adding some extension headers, no alert is
>                     triggered and I can retrieve the html page.
>                     I tried with:
>                     - Fragmentation header
>                     - Hop-By-Hop header
>                     - Destination header
>                     - Routing header type 0 without any addresses
>                      
>                     I tried to change the rule from tcp to ip:
>                      
>                     alert ip any any <> any any (msg:"[ALERT] bad.html";
>                     content:"bad.html"; nocase; sid:1; rev:1;)
> 
>                     Then, the alert is triggered only with:
>                     - Hop-By-Hop header
>                     - Destination header
>                     But not with:
>                     - Fragmentation header
>                     - Routing header type 0 without any addresses
>                      
>                     Maybe I missed something in the config file of
>                     suricata?
>                     My opinion is that suricata should always trigger
>                     the alert in every case.
>                      
>                     I'm using suricata 1.2.1 on a debian 6.0 with a
>                     2.6.32 kernel.
>                      
>                     Thanks in advance for your help
> 
>                     _______________________________________________
>                     Oisf-users mailing list
>                     Oisf-users at openinfosecfoundation.org
>                     <mailto:Oisf-users at openinfosecfoundation.org>
>                     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> 
> 
>                 -- 
>                 Regards,
>                 Peter Manev
> 
> 
> 
> 
>             -- 
>             Regards,
>             Peter Manev
> 
> 
> 
> 
> 
>     -- 
>     Regards,
>     Peter Manev
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
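The point of Michel's test is that a content match on "bad.html" can only fire if the sensor walks the whole IPv6 extension-header chain to reach the TCP payload, and that a non-first fragment carries no upper-layer header at all until reassembly. The following is an added illustration, not code from this thread or from Suricata: a minimal extension-chain walker plus a constructed set of packets (made-up addresses, ports and a GET for /bad.html) covering the four header types Michel listed. The fragment case is generalised beyond the thread to show both an atomic fragment (offset 0, where the payload is directly reachable) and a non-first fragment (where a correct scanner has to defer to reassembly rather than declare "no match").

```python
import struct

# IANA protocol numbers used as IPv6 Next Header values
HOPOPT, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60
NAMES = {HOPOPT: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment", DSTOPTS: "Destination"}
# Headers sharing the "Next Header, Hdr Ext Len (8-octet units, excluding the first 8)" layout
OPTION_STYLE = {HOPOPT, ROUTING, DSTOPTS}

# --- constructed sample packets (not captured traffic) ---------------------
SRC = bytes([0xfd, 0x00] + [0] * 13 + [1])   # fd00::1, made up
DST = bytes([0xfd, 0x00] + [0] * 13 + [2])   # fd00::2, made up

def ipv6(next_header, payload):
    """Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

def hop_by_hop(nh):     # 8 bytes: nh, ext len 0, one PadN option (type 1, len 4) + 4 pad bytes
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])

def dst_opts(nh):       # Destination Options header has the same layout
    return hop_by_hop(nh)

def routing0(nh):       # Routing header type 0, segments left 0, no addresses (as in the thread)
    return bytes([nh, 0, 0, 0, 0, 0, 0, 0])

def fragment(nh, offset=0, more=0, ident=0x1234):
    """Fragment header: nh, reserved, 13-bit offset (8-octet units) | res | M flag, identification."""
    return bytes([nh, 0]) + struct.pack("!HI", (offset << 3) | more, ident)

# 20-byte TCP header (data offset 5, PSH|ACK) followed by the request for bad.html
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) \
          + b"GET /bad.html HTTP/1.1\r\nHost: [fd00::2]\r\n\r\n"

def build(ext_chain, tcp_segment):
    """ext_chain: list of (protocol number, builder) from outermost to innermost header."""
    nh, body = TCP, tcp_segment
    for proto, builder in reversed(ext_chain):   # build from the inside out so each nh is known
        body = builder(nh) + body
        nh = proto
    return ipv6(nh, body)

# --- the scanner side ------------------------------------------------------
def walk_ipv6_chain(pkt):
    """Return (upper_proto, [header names], offset of upper-layer header, is_nonfirst_fragment)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    nh, off, chain = pkt[6], 40, []
    while nh in OPTION_STYLE or nh == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(NAMES[nh])
        next_nh = pkt[off]
        if nh == FRAGMENT:
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_offset != 0:
                # Non-first fragment: no upper-layer header here, payload is only
                # meaningful after reassembly.
                return next_nh, chain, off, True
        else:
            off += (pkt[off + 1] + 1) * 8
        nh = next_nh
    return nh, chain, off, False

def scan(pkt, needle=b"bad.html"):
    """Case-insensitive content check on the TCP payload, the way a content: rule would match."""
    proto, _chain, off, nonfirst = walk_ipv6_chain(pkt)
    if nonfirst:
        return "needs-reassembly"
    if proto != TCP:
        return "not-tcp"
    if off + 20 > len(pkt):
        raise ValueError("truncated TCP header")
    data_off = (pkt[off + 12] >> 4) * 4
    return "match" if needle.lower() in pkt[off + data_off:].lower() else "no-match"

if __name__ == "__main__":
    cases = {
        "plain": [],
        "hbh": [(HOPOPT, hop_by_hop)],
        "dst": [(DSTOPTS, dst_opts)],
        "rh0": [(ROUTING, routing0)],
        "atomic-frag": [(FRAGMENT, fragment)],
        "nonfirst-frag": [(FRAGMENT, lambda nh: fragment(nh, offset=8))],
        "hbh+rh0+frag": [(HOPOPT, hop_by_hop), (ROUTING, routing0), (FRAGMENT, fragment)],
    }
    for name, chain in cases.items():
        pkt = build(chain, TCP_SEG)
        print(f"{name:14} chain={walk_ipv6_chain(pkt)[1]} -> {scan(pkt)}")
```

The walker only needs the per-header "next header / length" fields; it never interprets option contents, which is all that is required to reach the TCP payload for the Hop-by-Hop, Destination and empty Routing cases. The fragment branch is where most of the subtlety lives: an atomic fragment is scannable in place, but anything with a non-zero offset must go through defragmentation first, so a scanner that simply reports "no match" on it is silently blind to split payloads. (Routing header type 0 itself was deprecated by RFC 5095, so a sensor may legitimately drop or flag it rather than parse through it.)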



