[Oisf-users] IPv6 & Extension header

rmkml rmkml at yahoo.fr
Thu Mar 29 21:58:22 UTC 2012


Hi Michel and Peter,
Thx you Michel for shared this pcap.
All case included in pcap:
  tcp src port 36951 / IPv6 Destination
  tcp src port 59694 / IPv6 Fragment
  tcp src port 27393 / IPv6 Hop-by-hop
  tcp src port 45805 / IPv6 Routing Type 0 (Source Routing)
Thx you wireshark ;)

and Im found a new FP!
Regards
Rmkml


On Thu, 29 Mar 2012, Peter Manev wrote:

> Hi Michel,
> 
> Is the pcap provided containing all of the  following tests:
> - Fragmentation header
> - Hop-By-Hop header
> - Destination header
> - Routing header type 0 without any addresses
> 
> or is it just some of them?
> 
> thanks
> 
> 
> On Thu, Mar 29, 2012 at 4:56 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
>       The log pcap file is attach to this email.
>  
> Elie
> Le 29 mars 2012 16:30, Victor Julien <victor at inliniac.net> a écrit :
>       Can you share the pcaps you created/recorded? Saves us a lot of time
>       debugging.
>
>       Thanks,
>       Victor
>
>       On 03/29/2012 04:27 PM, Michel SABORDE wrote:
>       > Results are the same with -r.
>       > Le 29 mars 2012 15:09, Peter Manev <petermanev at gmail.com
> > <mailto:petermanev at gmail.com>> a écrit :
> >
> >     Hi Michel,
> >
> >     If you read the pacaps (-r option, read pcap) from your tests -
> >     would the results be the same?
> >     If you would like, you could share privatelly the pcaps with the
> >     yaml conf?
> >
> >     Thanks
> >
> >     On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE
> >     <michel.saborde at gmail.com <mailto:michel.saborde at gmail.com>> wrote:
> >
> >         Thanks for your anwswer.
> >
> >         I already looked into everything you mentioned.
> >
> >         I'm doing the three-way handshake and i added the correct
> >         ip6tables rule to prevent the kernel from sending the RST.
> >
> >         I also looked into checksums and disabled the
> >         checksum_validation from suricata config file, i also checked
> >         with wireshark, all the checksums are correct.
> >
> >
> >
> >         It must be something else.
> >
> >         Le 29 mars 2012 13:39, Peter Manev <petermanev at gmail.com
> >         <mailto:petermanev at gmail.com>> a écrit :
> >
> >             also you could try/check - with scapy make sure your
> >             checksm-ing is correct.... and it is disabled in the yaml conf
> >
> >
> >             On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev
> >             <petermanev at gmail.com <mailto:petermanev at gmail.com>> wrote:
> >
> >                 Hi,
> >
> >                 When you are using the Scapy script - are you doing the
> >                 three-way handshake with scapy?
> >
> >                 Because if so - there is a rule that you have to add to
> >                 your iptables , since scapy would send S , the server
> >                 would return the SA and the kernel/OS would send back a
> >                 Reject since it never send a S (it is not aware that
> >                 scapy send it).
> >
> >                 The way around this is to put a iptables rule that would
> >                 stop the R coming from the client to the www server.
> >
> >                 Also just have a look at the traffic with
> >                 wireshar/tcpdump to see if that is not the problem.
> >
> >                 Thanks
> >
> >                 On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE
> >                 <michel.saborde at gmail.com
> >                 <mailto:michel.saborde at gmail.com>> wrote:
> >
> >                     Hello everyone,
> >
> >                     I'm trying to test the IPv6 implementation of
> >                     suricata so i'm doing a bunch of tests.
> >                     For that, i have installed a clean apache2 on a
> >                     clean server with a single html page called bad.html
> >                     and i made a simple rule to do an alert if someone
> >                     tries to access it :
> >
> >                     alert tcp any any <> any any (msg:"[ALERT]
> >                     bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)
> >                     If i do a simple access with my browser (iceweasel)
> >                     from a remote computer, the alert is triggered.
> >                     At this point, everything looks fine.
> >
> >                     If i now try to access it "manually" with a scapy
> >                     script by adding some extension headers, no alert is
> >                     triggered and i can retrieve the html page.
> >                     I tried with :
> >                     - Fragmentation header
> >                     - Hop-By-Hop header
> >                     - Destination header
> >                     - Routing header type 0 without any addresses
> >
> >                     I tried to change the rule from tcp to ip :
> >
> >                     alert ip any any <> any any (msg:"[ALERT] bad.html";
> >                     content:"bad.html"; nocase; sid:1; rev:1;)
> >                     Then, the alert is triggered only with :
> >                     - Hop-By-Hop header
> >                     - Destination header
> >                     But not with :
> >                     - Fragmentation header
> >                     - Routing header type 0 without any addresses
> >
> >                     Maybe i missed something in the config file of
> >                     suricata ?
> >                     My opinion is that suricata should always trigger
> >                     the alert in every case.
> >
> >                     I'm using suricata 1.2.1 on a debian 6.0 with a
> >                     2.6.32 kernel.
> >
> >                     Thanks in advance for your help
> >
> >                     _______________________________________________
> >                     Oisf-users mailing list
> >                     Oisf-users at openinfosecfoundation.org
> >                     <mailto:Oisf-users at openinfosecfoundation.org>
> >                     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> >
> >
> >                 --
> >                 Regards,
> >                 Peter Manev
> >
> >
> >
> >
> >             --
> >             Regards,
> >             Peter Manev
> >
> >
> >
> >
> >
> >     --
> >     Regards,
> >     Peter Manev
> >
> >
> >
> >
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> 
> 
> --
> Regards,
> Peter Manev
> 
> 
>


More information about the Oisf-users mailing list