[Oisf-users] IPv6 & Extension header

Michel SABORDE michel.saborde at gmail.com
Thu May 10 12:16:35 UTC 2012


In the pcap i already sent, there was no AH extension header.
Here is a new pcap with AH.

Michel

2012/5/10 Peter Manev <petermanev at gmail.com>

> is this the same pcap, as provided earlier in the mail conversation?
>
> thanks
>
>
> On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE <michel.saborde at gmail.com>wrote:
>
>> I just tried the latest git master and no alert is triggered if an AH
>> extension header is present.
>>
>> Michel
>> 2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
>>
>>> No sorry !
>>> But is there a way I can download the latest git as a tgz or something?
>>> I don't have git atm.
>>>
>>> Michel
>>>
>>> 2012/5/10 Peter Manev <petermanev at gmail.com>
>>>
>>>> Hi,
>>>>
>>>> Did you try the latest git master?
>>>>
>>>> thanks
>>>>
>>>> On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <
>>>> michel.saborde at gmail.com> wrote:
>>>>
>>>>> Hi again :)
>>>>>
>>>>> I just tried AH extension header (not ESP) but I think Suricata
>>>>> doesn't recognize it yet.
>>>>> Can you confirm?
>>>>> I have a pcap if needed.
>>>>>
>>>>> Any news about more detailed ipv6 extension header rules ?
>>>>>
>>>>> Michel
>>>>>
>>>>> 2012/4/21 Victor Julien <victor at inliniac.net>
>>>>>
>>>>>> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
>>>>>> > Btw, is it possible (I'm sure it is) to write a signature that
>>>>>> > triggers when Routing Header type 0 is present in a packet?
>>>>>> > Or even just if any routing header is present?
>>>>>>
>>>>>> Actually I don't think there is currently.
>>>>>>
>>>>>> Maybe we should add a keyword like:
>>>>>>
>>>>>> ip6exthdr:frag,>1;    // more than one frag hdr
>>>>>> ip6exthdr:routing,1;  // routing hdr present
>>>>>> ip6exthdr:esp,0;      // esp hdr not present
>>>>>>
>>>>>> For more detailed matching:
>>>>>>
>>>>>> ip6rh_type:0;
>>>>>> ip6rh_type0:<ip6 addr/cidr>;
>>>>>>
>>>>>> Or something... suggestions are welcome.
>>>>>>
>>>>>> > I've found some decode-event rules in the decoder-events.rules file
>>>>>> > but the rules are only for duplicated extension headers.
>>>>>>
>>>>>> Yes, these are only for anomalies.
>>>>>>
>>>>>> --
>>>>>> ---------------------------------------------
>>>>>> Victor Julien
>>>>>> http://www.inliniac.net/
>>>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>>>> ---------------------------------------------
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Oisf-users mailing list
>>>>> Oisf-users at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Peter Manev
>>>>
>>>>
>>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipv6_ah.pcap
Type: application/octet-stream
Size: 1271 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120510/fa557822/attachment.obj>
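As an added illustration (not code from this thread or from Suricata), the following Python walks the IPv6 extension header chain of a raw packet and computes exactly what the proposed ip6exthdr and ip6rh_type keywords would match on: per-type header counts, routing header types seen, and the upper-layer protocol. The function names and the constructed sample packet (RH0 followed by AH, the combination discussed above) are assumptions of this example.

```python
import struct
# IPv6 extension header protocol numbers (RFC 8200 / IANA)
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOPOPT: "hopopts", ROUTING: "routing", FRAGMENT: "frag",
             ESP: "esp", AH: "ah", DSTOPTS: "dstopts"}

def walk_ext_headers(pkt):
    """Follow the Next Header chain of a raw IPv6 packet; returns (per-type
    counts, routing header types seen, upper-layer protocol or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    counts = {name: 0 for name in EXT_NAMES.values()}
    routing_types = []
    nxt, off = pkt[6], 40
    while nxt in EXT_NAMES:
        counts[EXT_NAMES[nxt]] += 1
        if nxt == ESP:                   # rest is ciphertext; AH stays in the clear
            return counts, routing_types, None
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_hdr, ext_len = pkt[off], pkt[off + 1]
        if nxt == FRAGMENT:
            hdr_len = 8                  # fixed size; second byte is reserved
        elif nxt == AH:
            hdr_len = (ext_len + 2) * 4  # AH counts 32-bit words, minus 2
        else:
            hdr_len = (ext_len + 1) * 8  # 8-octet units, excluding the first 8
        if off + hdr_len > len(pkt):
            raise ValueError("extension header runs past end of packet")
        if nxt == ROUTING:
            routing_types.append(pkt[off + 2])
        off, nxt = off + hdr_len, next_hdr
    return counts, routing_types, nxt

def ip6exthdr(pkt, name, spec):
    """Proposed ip6exthdr keyword: spec is "N" or ">N", e.g. ("frag", ">1")."""
    count = walk_ext_headers(pkt)[0][name]
    return count > int(spec[1:]) if spec.startswith(">") else count == int(spec)

def ip6rh_type(pkt, rh_type):
    """Proposed ip6rh_type keyword: is a routing header of this type present?"""
    return rh_type in walk_ext_headers(pkt)[1]

# Constructed sample packet: IPv6 -> Routing Header type 0 -> AH -> ICMPv6 echo
SRC, DST = bytes.fromhex("20010db8" + "0" * 23 + "1"), bytes.fromhex("20010db8" + "0" * 23 + "2")
ICMP6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
AH_HDR = struct.pack("!BBHII", 58, 4, 0, 0x1000, 1) + b"\x00" * 12  # 12-byte ICV placeholder
RH0 = struct.pack("!BBBBI", AH, 2, 0, 1, 0) + DST                   # one hop in the address list
PAYLOAD = RH0 + AH_HDR + ICMP6
SAMPLE_PKT = struct.pack("!IHBB16s16s", 0x60000000, len(PAYLOAD), ROUTING, 64, SRC, DST) + PAYLOAD
```

A truncated packet raises instead of being silently counted, which is the behaviour a decoder-event rule would want to flag rather than miss.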

