[Oisf-users] IPv6 & Extension header
Peter Manev
petermanev at gmail.com
Thu May 10 12:14:17 UTC 2012
Is this the same pcap as provided earlier in the mail conversation?
Thanks
On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
> I just tried the latest git master and no alert is triggered if an AH
> extension header is present.
>
> Michel
> 2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
>
>> No, sorry!
>> But is there a way I can download the latest git as a tgz or something?
>> I don't have git atm.
>>
>> Michel
>>
>> 2012/5/10 Peter Manev <petermanev at gmail.com>
>>
>>> Hi,
>>>
>>> Did you try the latest git master?
>>>
>>> thanks
>>>
>>> On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
>>>
>>>> Hi again :)
>>>>
>>>> I just tried the AH extension header (not ESP) but I think Suricata doesn't
>>>> recognize it yet.
>>>> Can you confirm?
>>>> I have a pcap if needed.
>>>>
>>>> Any news about more detailed IPv6 extension header rules?
>>>>
>>>> Michel
>>>>
>>>> 2012/4/21 Victor Julien <victor at inliniac.net>
>>>>
>>>>> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
>>>>> > Btw, is it possible (I'm sure it is) to write a signature that triggers
>>>>> > when Routing Header type 0 is present in a packet?
>>>>> > Or even just if any routing header is present?
>>>>>
>>>>> Actually I don't think there is currently.
>>>>>
>>>>> Maybe we should add a keyword like:
>>>>>
>>>>> ip6exthdr:frag,>1; // more than one frag hdr
>>>>> ip6exthdr:routing,1 // routing hdr present
>>>>> ip6exthdr:esp,0; // esp hdr not present
>>>>>
>>>>> For more detailed matching:
>>>>>
>>>>> ip6rh_type:0;
>>>>> ip6rh_type0:<ip6 addr/cidr>;
>>>>>
>>>>> Or something... suggestions are welcome.
>>>>>
>>>>> > I've found some decode-event rules in the decoder-events.rules file but
>>>>> > the rules are only for duplicated extension headers.
>>>>>
>>>>> Yes, these are only for anomalies.
>>>>>
>>>>> --
>>>>> ---------------------------------------------
>>>>> Victor Julien
>>>>> http://www.inliniac.net/
>>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>>> ---------------------------------------------
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>>
>>
>
--
Regards,
Peter Manev
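
Added example (not part of the thread and not Suricata code): a minimal Python walker for the IPv6 extension header chain, returning the per-header presence and routing type information that the proposed `ip6exthdr` / `ip6rh_type` keywords would match on. AH counts its length in 32-bit words, unlike the other extension headers; the sample packets and helper names are constructed for illustration.

```python
import struct

# IPv6 extension headers by Next Header value (IANA protocol numbers).
EXT = {0: "hopopts", 43: "routing", 44: "frag", 50: "esp", 51: "ah", 60: "dstopts"}

def walk_ext_headers(pkt: bytes):
    """Walk the extension header chain of a raw IPv6 packet.

    Returns (headers, upper_proto): headers is a list of (name, routing_type)
    in chain order; upper_proto is None when the chain cannot be followed
    (ESP, non-first fragment, truncated packet).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = pkt[6], 40, []
    while nxt in EXT:
        name = EXT[nxt]
        if name == "esp":                      # everything after the ESP header is opaque
            found.append((name, None))
            return found, None
        if off + 8 > len(pkt):                 # truncated chain
            return found, None
        nh, length_field = pkt[off], pkt[off + 1]
        if name == "frag":
            size = 8                           # fixed size, length byte is reserved
        elif name == "ah":
            size = (length_field + 2) * 4      # RFC 4302: 32-bit words minus 2
        else:
            size = (length_field + 1) * 8      # RFC 8200: 8-octet units minus 1
        found.append((name, pkt[off + 2] if name == "routing" else None))
        if name == "frag" and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return found, None                 # non-first fragment: no chain to follow
        nxt, off = nh, off + size
    return found, nxt

def has_routing_type(pkt: bytes, rtype: int) -> bool:
    """True if any routing header of the given type is in the chain."""
    return ("routing", rtype) in walk_ext_headers(pkt)[0]

# Constructed samples with all-zero addresses and fields (not from the thread's pcap).
def _ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

RH0 = bytes([51, 2, 0, 1]) + bytes(4) + bytes(16)   # next=AH, len=2, type=0, segleft=1
AH = bytes([6, 4]) + bytes(22)                      # next=TCP, payload len=4 -> 24 bytes
SAMPLE = _ipv6(43, RH0 + AH + bytes(20))            # IPv6 / RH0 / AH / TCP
AH_ONLY = _ipv6(51, AH + bytes(20))                 # IPv6 / AH / TCP
```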