[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Thu May 10 10:08:25 UTC 2012


Hi again :)

I just tried the AH extension header (not ESP) but I think Suricata doesn't
recognize it yet.
Can you confirm?
I have a pcap if needed.

Any news about more detailed IPv6 extension header rules?

Michel

2012/4/21 Victor Julien <victor at inliniac.net>

> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> > Btw, is it possible (I'm sure it is) to write a signature that triggers
> > when Routing Header type 0 is present in a packet?
> > Or even just if any routing header is present?
>
> Actually I don't think there is currently.
>
> Maybe we should add a keyword like:
>
> ip6exthdr:frag,>1; // more than one frag hdr
> ip6exthdr:routing,1; // routing hdr present
> ip6exthdr:esp,0; // esp hdr not present
>
> For more detailed matching:
>
> ip6rh_type:0;
> ip6rh_type0:<ip6 addr/cidr>;
>
> Or something... suggestions are welcome.
>
> > I've found some decode-event rules in the decoder-events.rules file but
> > the rules are only for duplicated extension headers.
>
> Yes, these are only for anomalies.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>