[Oisf-users] IPv6 & Extension header
rmkml
rmkml at yahoo.fr
Thu Mar 29 21:58:22 UTC 2012
Hi Michel and Peter,
Thx you Michel for sharing this pcap.
All cases are included in the pcap:
tcp src port 36951 / IPv6 Destination
tcp src port 59694 / IPv6 Fragment
tcp src port 27393 / IPv6 Hop-by-hop
tcp src port 45805 / IPv6 Routing Type 0 (Source Routing)
Thx you wireshark ;)
and I found a new FP!
Regards
Rmkml
On Thu, 29 Mar 2012, Peter Manev wrote:
> Hi Michel,
>
> Is the pcap provided containing all of the following tests:
> - Fragmentation header
> - Hop-By-Hop header
> - Destination header
> - Routing header type 0 without any addresses
>
> or is it just some of them?
>
> thanks
>
>
> On Thu, Mar 29, 2012 at 4:56 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> The log pcap file is attached to this email.
>
> Elie
> On 29 March 2012 16:30, Victor Julien <victor at inliniac.net> wrote:
> Can you share the pcaps you created/recorded? Saves us a lot of time
> debugging.
>
> Thanks,
> Victor
>
> On 03/29/2012 04:27 PM, Michel SABORDE wrote:
> > Results are the same with -r.
> > On 29 March 2012 15:09, Peter Manev <petermanev at gmail.com
> > <mailto:petermanev at gmail.com>> wrote:
> >
> > Hi Michel,
> >
> > If you read the pcaps (-r option, read pcap) from your tests -
> > would the results be the same?
> > If you would like, you could share privately the pcaps with the
> > yaml conf?
> >
> > Thanks
> >
> > On Thu, Mar 29, 2012 at 2:05 PM, Michel SABORDE
> > <michel.saborde at gmail.com <mailto:michel.saborde at gmail.com>> wrote:
> >
> > Thanks for your answer.
> >
> > I already looked into everything you mentioned.
> >
> > I'm doing the three-way handshake and I added the correct
> > ip6tables rule to prevent the kernel from sending the RST.
> >
> > I also looked into checksums and disabled the
> > checksum_validation from suricata config file, I also checked
> > with wireshark, all the checksums are correct.
> >
> >
> >
> > It must be something else.
> >
> > On 29 March 2012 13:39, Peter Manev <petermanev at gmail.com
> > <mailto:petermanev at gmail.com>> wrote:
> >
> > also you could try/check - with scapy make sure your
> > checksumming is correct.... and it is disabled in the yaml conf
> >
> >
> > On Thu, Mar 29, 2012 at 1:24 PM, Peter Manev
> > <petermanev at gmail.com <mailto:petermanev at gmail.com>> wrote:
> >
> > Hi,
> >
> > When you are using the Scapy script - are you doing the
> > three-way handshake with scapy?
> >
> > Because if so - there is a rule that you have to add to
> > your iptables, since scapy would send S, the server
> > would return the SA and the kernel/OS would send back a
> > Reject since it never sent a S (it is not aware that
> > scapy sent it).
> >
> > The way around this is to put an iptables rule that would
> > stop the R coming from the client to the www server.
> >
> > Also just have a look at the traffic with
> > wireshark/tcpdump to see if that is not the problem.
> >
> > Thanks
> >
> > On Thu, Mar 29, 2012 at 12:55 PM, Michel SABORDE
> > <michel.saborde at gmail.com
> > <mailto:michel.saborde at gmail.com>> wrote:
> >
> > Hello everyone,
> >
> > I'm trying to test the IPv6 implementation of
> > Suricata so I'm doing a bunch of tests.
> > For that, I have installed a clean apache2 on a
> > clean server with a single html page called bad.html
> > and I made a simple rule to do an alert if someone
> > tries to access it:
> >
> > alert tcp any any <> any any (msg:"[ALERT]
> > bad.html"; content:"bad.html"; nocase; sid:1; rev:1;)
> > If I do a simple access with my browser (iceweasel)
> > from a remote computer, the alert is triggered.
> > At this point, everything looks fine.
> >
> > If I now try to access it "manually" with a scapy
> > script by adding some extension headers, no alert is
> > triggered and I can retrieve the html page.
> > I tried with:
> > - Fragmentation header
> > - Hop-By-Hop header
> > - Destination header
> > - Routing header type 0 without any addresses
> >
> > I tried to change the rule from tcp to ip:
> >
> > alert ip any any <> any any (msg:"[ALERT] bad.html";
> > content:"bad.html"; nocase; sid:1; rev:1;)
> > Then, the alert is triggered only with:
> > - Hop-By-Hop header
> > - Destination header
> > But not with:
> > - Fragmentation header
> > - Routing header type 0 without any addresses
> >
> > Maybe I missed something in the config file of
> > Suricata?
> > My opinion is that suricata should always trigger
> > the alert in every case.
> >
> > I'm using Suricata 1.2.1 on Debian 6.0 with a
> > 2.6.32 kernel.
> >
> > Thanks in advance for your help
> >
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > <mailto:Oisf-users at openinfosecfoundation.org>
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
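Michel's original question (quoted above) comes down to whether the engine reaches the TCP payload when extension headers sit in front of it. As an added illustration that is not code from this thread or from Suricata, here is a small Python walker of the IPv6 Next Header chain with a builder for constructed sample packets; the names walk_ipv6, rule_matches and ipv6_packet are my own, and the packets are constructed samples, not Michel's pcap. It shows that Hop-by-Hop, Destination and Routing headers are simply a chain to step over, while a Fragment header with a non-zero offset or the M flag set means the content match cannot run until the datagram is reassembled.

```python
import struct

# IANA protocol numbers: the extension headers Michel tested, plus TCP.
HOPOPT, TCP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}

def walk_ipv6(pkt):
    """Follow the Next Header chain of a raw IPv6 packet.

    Returns (chain, upper_proto, payload): chain is the list of extension headers seen,
    upper_proto the first non-extension protocol, payload the bytes from that header on,
    or None when a Fragment header shows the datagram is incomplete (reassembly needed).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, complete = pkt[6], 40, [], True
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        if nh == FRAGMENT:
            # Fixed 8 bytes; offset is the top 13 bits, M flag the low bit of bytes 2-3.
            frag = struct.unpack_from("!H", pkt, off + 2)[0]
            complete = complete and frag >> 3 == 0 and frag & 1 == 0
            nh, off = pkt[off], off + 8
        else:
            # Hop-by-Hop, Destination, Routing: Hdr Ext Len counts 8-octet units beyond the first 8.
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return chain, nh, (pkt[off:] if complete else None)

def rule_matches(pkt, needle=b"bad.html"):
    """Emulate the thread's content:"bad.html"; nocase; match on whatever the walker reaches."""
    _, proto, payload = walk_ipv6(pkt)
    return proto == TCP and payload is not None and needle.lower() in payload.lower()

def ipv6_packet(ext_chain, frag=(0, 0), payload=b"GET /BAD.html HTTP/1.1\r\n"):
    """Constructed sample: IPv6 header + the given extension headers + a 20-byte dummy TCP header + payload."""
    protos, body = ext_chain + [TCP], b""
    for i, proto in enumerate(ext_chain):
        nh = protos[i + 1]
        if proto == FRAGMENT:
            body += struct.pack("!BBHI", nh, 0, (frag[0] << 3) | frag[1], 0x1234)
        elif proto == ROUTING:
            body += struct.pack("!BBBB", nh, 0, 0, 0) + bytes(4)      # Type 0, no addresses
        else:
            body += struct.pack("!BB", nh, 0) + b"\x01\x04" + bytes(4)  # one PadN option
    body += bytes(20) + payload                                        # dummy TCP header
    return struct.pack("!IHBB", 0x60000000, len(body), protos[0], 64) + bytes(32) + body
```

A Fragment header with offset 0 and M=0 (an atomic fragment) is treated as a complete datagram and still matched, which is exactly the case an engine that drops every fragmented packet into the reassembler and never inspects it would miss.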