[Oisf-users] IPv6 & Extension header

Peter Manev petermanev at gmail.com
Thu May 10 10:20:33 UTC 2012


Hi,

Did you try the latest git master?

thanks

On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE
<michel.saborde at gmail.com> wrote:

> Hi again :)
>
> I just tried the AH extension header (not ESP) but I think Suricata doesn't
> recognize it yet.
> Can you confirm?
> I have a pcap if needed.
>
> Any news about more detailed IPv6 extension header rules?
>
> Michel
>
> 2012/4/21 Victor Julien <victor at inliniac.net>
>
>> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
>> > Btw, is it possible (I'm sure it is) to write a signature that triggers
>> > when Routing Header type 0 is present in a packet?
>> > Or even just if any routing header is present?
>>
>> Actually I don't think there is currently.
>>
>> Maybe we should add a keyword like:
>>
>> ip6exthdr:frag,>1; // more than one frag hdr
>> ip6exthdr:routing,1 // routing hdr present
>> ip6exthdr:esp,0; // esp hdr not present
>>
>> For more detailed matching:
>>
>> ip6rh_type:0;
>> ip6rh_type0:<ip6 addr/cidr>;
>>
>> Or something... suggestions are welcome.
>>
>> > I've found some decode-event rules in the decoder-events.rules file but
>> > the rules are only for duplicated extension headers.
>>
>> Yes, these are only for anomalies.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>


-- 
Regards,
Peter Manev
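
The per-packet information that the keywords proposed in the quoted message would have to match on, as an added example that is not part of the thread and is not Suricata's decoder code: it walks the IPv6 extension header chain, counts each header type (including AH, whose length field uses different units) and records the Routing Type. The struct, function name and sample packet are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv6 Next Header values (IANA protocol numbers). */
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAG = 44, NH_ESP = 50, NH_AH = 51, NH_DSTOPTS = 60 };
/* Hypothetical summary: the per-type counts an ip6exthdr-style match would test. */
struct exthdr_summary {
    int count[256];   /* occurrences of each extension header type */
    int rh_type;      /* Routing Type of the first routing header, -1 if none */
    int bad;          /* 1 if not IPv6 or the chain runs past the buffer */
};

/* Walk the chain from the fixed 40-byte IPv6 header to the upper-layer protocol. */
struct exthdr_summary walk_ip6_exthdrs(const uint8_t *pkt, size_t len)
{
    struct exthdr_summary s = { .rh_type = -1 };
    if (len < 40 || (pkt[0] >> 4) != 6) { s.bad = 1; return s; }
    uint8_t nh = pkt[6];
    size_t off = 40;
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_FRAG ||
           nh == NH_AH || nh == NH_DSTOPTS) {
        if (off + 8 > len) { s.bad = 1; return s; }
        size_t hlen = (nh == NH_FRAG) ? 8                               /* fixed size */
                    : (nh == NH_AH)   ? ((size_t)pkt[off + 1] + 2) * 4  /* 32-bit words minus 2 */
                    :                   ((size_t)pkt[off + 1] + 1) * 8; /* 8-byte units minus 1 */
        if (off + hlen > len) { s.bad = 1; return s; }
        s.count[nh]++;
        if (nh == NH_ROUTING && s.rh_type < 0) s.rh_type = pkt[off + 2];
        nh = pkt[off];
        off += hlen;
    }
    if (nh == NH_ESP) s.count[NH_ESP]++;  /* payload after ESP is encrypted, so the walk ends here */
    return s;
}

/* Constructed sample: IPv6 -> Routing Header type 0 (one address) -> AH -> No Next Header (59). */
static const uint8_t SAMPLE[88] = {
    [0] = 0x60, [5] = 48, [6] = NH_ROUTING, [7] = 64,
    [40] = NH_AH, [41] = 2, [42] = 0, [43] = 1,   /* RH: next=AH, 24 bytes, type 0, segs left 1 */
    [64] = 59, [65] = 4,                          /* AH: next=59, (4 + 2) * 4 = 24 bytes */
};

int main(void)
{
    struct exthdr_summary s = walk_ip6_exthdrs(SAMPLE, sizeof SAMPLE);
    printf("routing=%d rh_type=%d ah=%d bad=%d\n", s.count[NH_ROUTING], s.rh_type, s.count[NH_AH], s.bad);
    return 0;
}
```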