[Oisf-users] IPv6 & Extension header

Peter Manev petermanev at gmail.com
Thu Mar 29 18:54:52 UTC 2012


Hi Michel,

Is the pcap provided containing all of the  following tests:
- Fragmentation header
- Hop-By-Hop header
- Destination header
- Routing header type 0 without any addresses

or is it just some of them?

thanks


On Thu, Mar 29, 2012 at 4:56 PM, Michel SABORDE <michel.saborde at gmail.com>wrote:

> The log pcap file is attach to this email.
>
> Elie
> Le 29 mars 2012 16:30, Victor Julien <victor at inliniac.net> a écrit :
>
> Can you share the pcaps you created/recorded? Saves us a lot of time
>> debugging.
>>
>> Thanks,
>> Victor
>>
>> On 03/29/2012 04:27 PM, Michel SABORDE wrote:
>> > Results are the same with -r.
>> > Le 29 mars 2012 15:09, Peter Manev <petermanev at gmail.com
>> > <mailto:petermanev at gmail.com>> a écrit :
>> >
>> >     Hi Michel,
>> >
>> >     If you read the pacaps (-r option, read pcap) from your tests -
>> >     would the results be the same?
>> >     If you would like, you could share privatelly the pcaps with the
>> >     yaml conf?
>> >
>> >     Thanks
>> >
>> >     On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE
>> >     <michel.saborde at gmail.com <mailto:michel.saborde at gmail.com>> wrote:
>> >
>> >         Thanks for your anwswer.
>> >
>> >         I already looked into everything you mentioned.
>> >
>> >         I'm doing the three-way handshake and i added the correct
>> >         ip6tables rule to prevent the kernel from sending the RST.
>> >
>> >         I also looked into checksums and disabled the
>> >         checksum_validation from suricata config file, i also checked
>> >         with wireshark, all the checksums are correct.
>> >
>> >
>> >
>> >         It must be something else.
>> >
>> >         Le 29 mars 2012 13:39, Peter Manev <petermanev at gmail.com
>> >         <mailto:petermanev at gmail.com>> a écrit :
>> >
>> >             also you could try/check - with scapy make sure your
>> >             checksm-ing is correct.... and it is disabled in the yaml
>> conf
>> >
>> >
>> >             On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev
>> >             <petermanev at gmail.com <mailto:petermanev at gmail.com>> wrote:
>> >
>> >                 Hi,
>> >
>> >                 When you are using the Scapy script - are you doing the
>> >                 three-way handshake with scapy?
>> >
>> >                 Because if so - there is a rule that you have to add to
>> >                 your iptables , since scapy would send S , the server
>> >                 would return the SA and the kernel/OS would send back a
>> >                 Reject since it never send a S (it is not aware that
>> >                 scapy send it).
>> >
>> >                 The way around this is to put a iptables rule that would
>> >                 stop the R coming from the client to the www server.
>> >
>> >                 Also just have a look at the traffic with
>> >                 wireshar/tcpdump to see if that is not the problem.
>> >
>> >                 Thanks
>> >
>> >                 On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE
>> >                 <michel.saborde at gmail.com
>> >                 <mailto:michel.saborde at gmail.com>> wrote:
>> >
>> >                     Hello everyone,
>> >
>> >                     I'm trying to test the IPv6 implementation of
>> >                     suricata so i'm doing a bunch of tests.
>> >                     For that, i have installed a clean apache2 on a
>> >                     clean server with a single html page called bad.html
>> >                     and i made a simple rule to do an alert if someone
>> >                     tries to access it :
>> >
>> >                     alert tcp any any <> any any (msg:"[ALERT]
>> >                     bad.html"; content:"bad.html"; nocase; sid:1;
>> rev:1;)
>> >                     If i do a simple access with my browser (iceweasel)
>> >                     from a remote computer, the alert is triggered.
>> >                     At this point, everything looks fine.
>> >
>> >                     If i now try to access it "manually" with a scapy
>> >                     script by adding some extension headers, no alert is
>> >                     triggered and i can retrieve the html page.
>> >                     I tried with :
>> >                     - Fragmentation header
>> >                     - Hop-By-Hop header
>> >                     - Destination header
>> >                     - Routing header type 0 without any addresses
>> >
>> >                     I tried to change the rule from tcp to ip :
>> >
>> >                     alert ip any any <> any any (msg:"[ALERT] bad.html";
>> >                     content:"bad.html"; nocase; sid:1; rev:1;)
>> >                     Then, the alert is triggered only with :
>> >                     - Hop-By-Hop header
>> >                     - Destination header
>> >                     But not with :
>> >                     - Fragmentation header
>> >                     - Routing header type 0 without any addresses
>> >
>> >                     Maybe i missed something in the config file of
>> >                     suricata ?
>> >                     My opinion is that suricata should always trigger
>> >                     the alert in every case.
>> >
>> >                     I'm using suricata 1.2.1 on a debian 6.0 with a
>> >                     2.6.32 kernel.
>> >
>> >                     Thanks in advance for your help
>> >
>> >                     _______________________________________________
>> >                     Oisf-users mailing list
>> >                     Oisf-users at openinfosecfoundation.org
>> >                     <mailto:Oisf-users at openinfosecfoundation.org>
>> >
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>> >
>> >
>> >
>> >                 --
>> >                 Regards,
>> >                 Peter Manev
>> >
>> >
>> >
>> >
>> >             --
>> >             Regards,
>> >             Peter Manev
>> >
>> >
>> >
>> >
>> >
>> >     --
>> >     Regards,
>> >     Peter Manev
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Oisf-users mailing list
>> > Oisf-users at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>


-- 
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120329/690af9e5/attachment-0002.html>


More information about the Oisf-users mailing list