[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Thu May 10 12:13:10 UTC 2012


I just tried the latest git master and no alert is triggered if an AH
extension header is present.

Michel
2012/5/10 Michel SABORDE <michel.saborde at gmail.com>

> No sorry !
> But is there a way I can download the latest git as a tgz or something ?
> I don't have git atm.
>
> Michel
>
> 2012/5/10 Peter Manev <petermanev at gmail.com>
>
>> Hi,
>>
>> Did you try the latest git master?
>>
>> thanks
>>
>> On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <
>> michel.saborde at gmail.com> wrote:
>>
>>> Hi again :)
>>>
>>> I just tried AH extension header (not ESP) but I think Suricata doesn't
>>> recognize it yet.
>>> Can you confirm ?
>>> I have a pcap if needed.
>>>
>>> Any news about more detailed ipv6 extension header rules ?
>>>
>>> Michel
>>>
>>> 2012/4/21 Victor Julien <victor at inliniac.net>
>>>
>>>> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
>>>> > Btw, is it possible (I'm sure it is) to write a signature that triggers
>>>> > when Routing Header type 0 is present in a packet ?
>>>> > Or even just if any routing header is present ?
>>>>
>>>> Actually I don't think there is currently.
>>>>
>>>> Maybe we should add a keyword like:
>>>>
>>>> ip6exthdr:frag,>1; // more than one frag hdr
>>>> ip6exthdr:routing,1 // routing hdr present
>>>> ip6exthdr:esp,0; // esp hdr not present
>>>>
>>>> For more detailed matching:
>>>>
>>>> ip6rh_type:0;
>>>> ip6rh_type0:<ip6 addr/cidr>;
>>>>
>>>> Or something... suggestions are welcome.
>>>>
>>>> > I've found some decode-event rules in the decoder-events.rules file but
>>>> > rules are only for duplicated extension header.
>>>>
>>>> Yes, these are only for anomalies.
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>>
>
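
An added example, not part of the thread and not Suricata code: a minimal Python walker over the IPv6 extension header chain that yields the per-header counts and Routing Type values that conditions like the ones suggested above would be evaluated against. The function names and the sample packet (Routing Header type 0, then AH, then ICMPv6) are constructed for illustration.

```python
import struct
from collections import Counter

# Next Header values (IANA protocol numbers) for the extension headers handled here.
EXT = {0: "hopopts", 43: "routing", 44: "frag", 50: "esp", 51: "ah", 60: "dstopts"}

def walk_ext_headers(pkt: bytes):
    """Return (Counter of extension headers, routing types seen, last Next Header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    seen, rh_types = Counter(), []
    while nh in EXT:
        name = EXT[nh]
        if len(pkt) < off + 8:
            raise ValueError(f"truncated {name} header")
        seen[name] += 1
        if name == "esp":
            break  # data after the ESP header is encrypted, the chain ends here
        if name == "frag":
            hlen = 8  # fragment header has a fixed size
        elif name == "ah":
            hlen = (pkt[off + 1] + 2) * 4  # AH length field: 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8  # 8-octet units, first 8 octets not counted
        if len(pkt) < off + hlen:
            raise ValueError(f"truncated {name} header")
        if name == "routing":
            rh_types.append(pkt[off + 2])  # Routing Type field
        later_fragment = name == "frag" and struct.unpack_from("!H", pkt, off + 2)[0] >> 3
        nh, off = pkt[off], off + hlen
        if later_fragment:
            break  # non-first fragment: what follows is payload, not headers
    return seen, rh_types, nh

def ipv6(nh: int, payload: bytes) -> bytes:
    """Constructed test packet, ::1 -> ::1."""
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + addr * 2 + payload

# Constructed sample: Routing Header type 0 -> AH -> ICMPv6 echo request.
RH0 = bytes([51, 2, 0, 1]) + bytes(4) + bytes(15) + b"\x01"
AH = bytes([58, 4, 0, 0]) + bytes(20)  # SPI, sequence number, 12-byte ICV all zero
SAMPLE = ipv6(43, RH0 + AH + bytes([128, 0, 0, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    print(walk_ext_headers(SAMPLE))
```

The AH length is computed in 32-bit words, unlike the other extension headers, so a walker that applies the 8-octet rule to AH loses its place in the chain and misses every header behind it.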