[Oisf-users] IPv6 & Extension header
Victor Julien
victor at inliniac.net
Sun May 20 11:43:20 UTC 2012
I pushed a fix for this to the current git master. Please test!
Thanks Michel!
Cheers,
Victor
On 05/10/2012 02:16 PM, Michel SABORDE wrote:
> In the pcap i already sent, there was no AH extension header.
> Here is a new pcap with AH.
>
> Michel
>
> 2012/5/10 Peter Manev <petermanev at gmail.com>
>
> is this the same pcap, as provided earlier in the mail conversation?
>
> thanks
>
>
> On Thu, May 10, 2012 at 2:13 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
>
> I just tried the latest git master and no alert is triggered if
> an AH extension header is present.
>
> Michel
> 2012/5/10 Michel SABORDE <michel.saborde at gmail.com>
>
> No sorry !
> But is there a way I can download the latest git as a tgz
> or something?
> I don't have git atm.
>
> Michel
>
> 2012/5/10 Peter Manev <petermanev at gmail.com>
>
> Hi,
>
> Did you try the latest git master?
>
> thanks
>
> On Thu, May 10, 2012 at 12:08 PM, Michel SABORDE <michel.saborde at gmail.com> wrote:
>
> Hi again :)
>
> I just tried the AH extension header (not ESP) but I
> think Suricata doesn't recognize it yet.
> Can you confirm?
> I have a pcap if needed.
>
> Any news about more detailed IPv6 extension header
> rules?
>
> Michel
>
> 2012/4/21 Victor Julien <victor at inliniac.net>
>
> On 04/19/2012 02:23 PM, Michel SABORDE wrote:
> > Btw, is it possible (I'm sure it is) to write
> > a signature that triggers
> > when Routing Header type 0 is present in a
> > packet?
> > Or even just if any routing header is present?
>
> Actually I don't think there is currently.
>
> Maybe we should add a keyword like:
>
> ip6exthdr:frag,>1; // more than one frag hdr
> ip6exthdr:routing,1; // routing hdr present
> ip6exthdr:esp,0; // esp hdr not present
>
> For more detailed matching:
>
> ip6rh_type:0;
> ip6rh_type0:<ip6 addr/cidr>;
>
> Or something... suggestions are welcome.
>
> > I've found some decode-event rules in the
> > decoder-events.rules file but
> > rules are only for duplicated extension headers.
>
> Yes, these are only for anomalies.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
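To make the keyword sketch in the thread concrete, here is an added example (not Suricata code and not written by anyone in this thread) that walks the extension-header chain of a raw IPv6 packet, counts headers per type, records Routing Header types, and evaluates hypothetical `ip6exthdr:<name>,<cond>` tests such as `routing,1` or `frag,>1`. The header numbers are the IANA protocol numbers; the sample packet (RH0 followed by AH) is constructed inline.

```python
import struct

# IPv6 extension-header protocol numbers (IANA). ESP ends the walk:
# everything after it is encrypted, so later headers cannot be seen.
HOPOPTS, ROUTING, FRAG, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOPOPTS: "hopopts", ROUTING: "routing", FRAG: "frag",
             ESP: "esp", AH: "ah", DSTOPTS: "dstopts"}


def walk_ext_headers(pkt: bytes):
    """Return (counts per header name, routing types seen, upper-layer nh)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, counts, rh_types = pkt[6], 40, {}, []
    while nh in EXT_NAMES:
        counts[EXT_NAMES[nh]] = counts.get(EXT_NAMES[nh], 0) + 1
        if nh == ESP:
            break
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, hdr_len = pkt[off], pkt[off + 1]
        if nh == FRAG:                     # fixed 8 bytes, length field reserved
            ext_len = 8
        elif nh == AH:                     # 32-bit words minus 2 (RFC 4302)
            ext_len = (hdr_len + 2) * 4
        else:                              # 8-octet units, excluding first 8
            ext_len = (hdr_len + 1) * 8
        if nh == ROUTING:
            rh_types.append(pkt[off + 2])  # Routing Type field (0 == RH0)
        off += ext_len
        if off > len(pkt):
            raise ValueError("truncated extension header")
        nh = next_nh
    return counts, rh_types, nh


def ip6exthdr(counts, name, cond):
    """Evaluate a hypothetical 'ip6exthdr:<name>,<cond>' test ('1', '0', '>1')."""
    n = counts.get(name, 0)
    if cond[0] in "<>":
        return n > int(cond[1:]) if cond[0] == ">" else n < int(cond[1:])
    return n == int(cond)


def build_sample():
    """Constructed packet: IPv6 | Routing Header type 0 | AH | ICMPv6 stub."""
    src, dst, via = (bytes.fromhex("20010db8" + "0" * 23 + c) for c in "123")
    rh0 = bytes([AH, 2, 0, 1]) + b"\0" * 4 + via                 # 24 bytes
    ah = bytes([58, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\0" * 12
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])                      # echo stub
    plen = len(rh0) + len(ah) + len(icmp)
    return struct.pack("!IHBB", 0x60000000, plen, ROUTING, 64) + src + dst + rh0 + ah + icmp
```

A count above 1 for any name is the duplicate-header anomaly the existing decoder-events rules cover; `0 in rh_types` is the RH0-present condition asked about above.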