IDS mailing list archives

Re: EXPERIMENTAL IPv6 decoder available in Snort

From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 27 Dec 2002 08:38:14 -0500

Nope, Lance's issue (the honeynet project's, actually) was IPv6tunneled over IPv4. I used packet captures from the compromisedhoneypot as my test data, so I'm pretty sure about that one. I don'tthink there's an option to tunnel v4 over v6, at least not that I wasable to find in in.h.


     -Marty


On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:

"This decoder is implemented to test Snort's
capability to analyze IPv6 and IPv6 tunneled over IPv4."


Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
inside an IPv6 tunnel) I thought that was Lance's issue. I might be
mistaken here. In any case, thanks Marty. We love you ;)

Cheers, merry Christmas and happy new year.

Greg van der Gaast
Guy with clue @ Ordina Public West NL
(Frustrating times)

-----Oorspronkelijk bericht-----
Van: Martin Roesch [mailto:roesch () sourcefire com]
Verzonden: Saturday, December 21, 2002 2:45 AM
Aan: focus-ids () securityfocus com
Onderwerp: EXPERIMENTAL IPv6 decoder available in Snort

Hi everyone,
     Following up Lance's message regarding the usage of IPv6 tunneling
on a
honeynet, I'd like to announce the availability of an *experimental*
version
of Snort with an IPv6 decoder.  This decoder is implemented to test
Snort's
capability to analyze IPv6 and IPv6 tunneled over IPv4.  Currently it
consists of a decoder and printing module only, so if you want to test
it
and see the v6 output, just run 'snort -dv'.

If people would like to test the code out and see if it's working
properly,
it can be downloaded and tested at:

http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz

This code currently doesn't have any components integrated into the
detection engine, so you can't tell Snort to look at IPv6 addresses or
header fields using the rules language yet.  It is capable of looking
for
standard embedded protocol headers and payloads in IPv6 tunneled over
IPv4.

If people would like to test this code out, I'm primarily interested in
seeing if the code is stable and capable of decoding all v6 traffic
without
any memory leaks or crashes.  Unfortunately, my ability to generate v6
traffic for testing purposes is extremely limited right now, so I'm
depending on people with access to the right kind of networks to help
out!

Once I'm happy with the decoder, I'll integrate IPv6 support into the
detection engine!

    -Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Current thread:

EXPERIMENTAL IPv6 decoder available in Snort Martin Roesch (Dec 23)
- RE: EXPERIMENTAL IPv6 decoder available in Snort Greg van der Gaast (Dec 24)
  - Re: EXPERIMENTAL IPv6 decoder available in Snort Martin Roesch (Dec 27)
    - Re: EXPERIMENTAL IPv6 decoder available in Snort Frank Knobbe (Dec 27)
- <Possible follow-ups>
- Re: EXPERIMENTAL IPv6 decoder available in Snort mb_lima (Dec 27)
- Re: EXPERIMENTAL IPv6 decoder available in Snort mb_lima (Dec 27)