[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Thu May 10 10:22:55 UTC 2012


No, sorry!
But is there a way I can download the latest git as a tgz or something?
I don't have git atm.

Michel

2012/5/10 Peter Manev <petermanev at gmail.com>

> Hi,
>
> Did you try the latest git master?
>
> thanks
>
> On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
>
>> Hi again :)
>>
>> I just tried the AH extension header (not ESP) but I think Suricata doesn't
>> recognize it yet.
>> Can you confirm?
>> I have a pcap if needed.
>>
>> Any news about more detailed IPv6 extension header rules?
>>
>> Michel
>>
>> 2012/4/21 Victor Julien <victor at inliniac.net>
>>
>>> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
>>> > Btw, is it possible (I'm sure it is) to write a signature that triggers
>>> > when Routing Header type 0 is present in a packet?
>>> > Or even just if any routing header is present?
>>>
>>> Actually I don't think there is currently.
>>>
>>> Maybe we should add a keyword like:
>>>
>>> ip6exthdr:frag,>1; // more than one frag hdr
>>> ip6exthdr:routing,1 // routing hdr present
>>> ip6exthdr:esp,0; // esp hdr not present
>>>
>>> For more detailed matching:
>>>
>>> ip6rh_type:0;
>>> ip6rh_type0:<ip6 addr/cidr>;
>>>
>>> Or something... suggestions are welcome.
>>>
>>> > I've found some decode-event rules in the decoder-events.rules file but
>>> > the rules are only for duplicated extension headers.
>>>
>>> Yes, these are only for anomalies.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>
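
The following C example is added here and is not taken from the thread or from Suricata's source. It walks the extension header chain of a raw IPv6 packet and collects what the keywords proposed above would match on: the count of each extension header and the Routing Type. It also handles the AH header, whose length field is in 4-octet units rather than 8. The function, struct and sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { HOPOPTS = 0, ROUTING = 43, FRAGMENT = 44, AH = 51, DSTOPTS = 60 };
struct ext_summary {
    int count[256]; /* occurrences per Next Header value */
    int rh_type;    /* Routing Type of the first routing header, -1 if none */
    int upper;      /* protocol where the walk stopped (6 = TCP, 50 = ESP) */
};

/* Walk the extension header chain of a raw IPv6 packet (no link layer).
 * Returns 0 on success, -1 if the packet is not IPv6 or is truncated. */
int walk_ext_headers(const uint8_t *p, size_t len, struct ext_summary *s)
{
    if (len < 40 || (p[0] >> 4) != 6) return -1;
    for (int i = 0; i < 256; i++) s->count[i] = 0;
    s->rh_type = -1;
    int nh = p[6];   /* Next Header field of the fixed header */
    size_t off = 40; /* invariant: off <= len */
    while (nh == HOPOPTS || nh == ROUTING || nh == FRAGMENT ||
           nh == AH || nh == DSTOPTS) {
        size_t hlen;
        if (len - off < 8) return -1;
        if (nh == FRAGMENT) hlen = 8;                       /* fixed size */
        else if (nh == AH)  hlen = (p[off + 1] + 2u) * 4u;  /* 4-octet units */
        else                hlen = (p[off + 1] + 1u) * 8u;  /* 8-octet units */
        if (hlen > len - off) return -1;
        if (nh == ROUTING && s->rh_type < 0) s->rh_type = p[off + 2];
        s->count[nh]++;
        nh = p[off]; /* each extension header starts with Next Header */
        off += hlen;
    }
    s->upper = nh;   /* ESP or an upper-layer protocol ends the walk */
    return 0;
}

/* Constructed sample: fixed header, RH type 0 (one address), AH, then TCP. */
static const uint8_t sample[88] = {
    [0] = 0x60, [5] = 48, [6] = ROUTING, [7] = 64,  /* fixed header */
    [40] = AH, [41] = 2, [42] = 0, [43] = 1,        /* routing hdr, 24 bytes */
    [64] = 6, [65] = 4,                             /* AH, 24 bytes */
};

int main(void) {
    struct ext_summary s;
    if (walk_ext_headers(sample, sizeof sample, &s) != 0) return 1;
    printf("rh=%d type=%d ah=%d upper=%d\n", s.count[ROUTING], s.rh_type, s.count[AH], s.upper);
    return 0;
}
```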