IDS mailing list archives
Re: EXPERIMENTAL IPv6 decoder available in Snort
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 27 Dec 2002 08:38:14 -0500
Nope, Lance's issue (the honeynet project's, actually) was IPv6 tunneled over IPv4. I used packet captures from the compromised honeypot as my test data, so I'm pretty sure about that one. I don't think there's an option to tunnel v4 over v6, at least not that I was able to find in in.h.
-Marty

On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:

"This decoder is implemented to test Snort's capability to analyze IPv6 and IPv6 tunneled over IPv4."

Don't you mean IPv4 tunneled over IPv6 (as in IPv4 traffic being sent inside an IPv6 tunnel)? I thought that was Lance's issue. I might be mistaken here.

In any case, thanks Marty. We love you ;)

Cheers, merry Christmas and happy new year.

Greg van der Gaast
Guy with clue @ Ordina Public West NL
(Frustrating times)

-----Original message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Saturday, December 21, 2002 2:45 AM
To: focus-ids () securityfocus com
Subject: EXPERIMENTAL IPv6 decoder available in Snort

Hi everyone,

Following up Lance's message regarding the usage of IPv6 tunneling on a honeynet, I'd like to announce the availability of an *experimental* version of Snort with an IPv6 decoder. This decoder is implemented to test Snort's capability to analyze IPv6 and IPv6 tunneled over IPv4. Currently it consists of a decoder and printing module only, so if you want to test it and see the v6 output, just run 'snort -dv'.

If people would like to test the code out and see if it's working properly, it can be downloaded and tested at:

http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz

This code currently doesn't have any components integrated into the detection engine, so you can't tell Snort to look at IPv6 addresses or header fields using the rules language yet. It is capable of looking for standard embedded protocol headers and payloads in IPv6 tunneled over IPv4.

If people would like to test this code out, I'm primarily interested in seeing if the code is stable and capable of decoding all v6 traffic without any memory leaks or crashes. Unfortunately, my ability to generate v6 traffic for testing purposes is extremely limited right now, so I'm depending on people with access to the right kind of networks to help out!

Once I'm happy with the decoder, I'll integrate IPv6 support into the detection engine!

-Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
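As an added illustration of the "IPv6 tunneled over IPv4" case the thread is about (this is not Snort's decoder and not code from the thread): parse an IPv4 packet, and if its protocol field is 41, decode the inner IPv6 fixed header and walk the extension headers to find the embedded transport protocol. The functions `decode_6in4` and `build_sample_6in4` and the sample packet bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed example, not Snort's decoder: if an IPv4 packet carries IP protocol 41
 * (IPv6 encapsulated in IPv4), decode the inner IPv6 fixed header and walk its
 * extension headers to find the embedded transport protocol. */
#define IPPROTO_IPV6_IN_IPV4 41

/* Returns the inner transport protocol (e.g. 6 = TCP), or -1 if the packet is not a
 * well-formed IPv6-over-IPv4 packet (outer not IPv4, not protocol 41, or truncated). */
int decode_6in4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;              /* outer must be IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || pkt[9] != IPPROTO_IPV6_IN_IPV4) return -1;
    const uint8_t *v6 = pkt + ihl;
    size_t rem = len - ihl;
    if (rem < 40 || (v6[0] >> 4) != 6) return -1;               /* inner must be IPv6 */
    size_t left = (size_t)(v6[4] << 8 | v6[5]);                 /* IPv6 payload length */
    if (left > rem - 40) return -1;                             /* truncated capture */
    uint8_t next = v6[6];
    const uint8_t *p = v6 + 40;
    for (int hops = 0; hops < 8; hops++) {                      /* bounded ext-header chain */
        size_t ext;
        if (next == 44) ext = 8;                                /* fragment header: fixed size */
        else if (next == 0 || next == 43 || next == 60) {       /* hop-by-hop, routing, dst opts */
            if (left < 2) return -1;
            ext = ((size_t)p[1] + 1) * 8;                       /* length field is in 8-octet units */
        } else return next;                                     /* transport header reached */
        if (ext > left) return -1;                              /* ext header runs past payload */
        next = p[0]; p += ext; left -= ext;
    }
    return -1;                                                  /* absurdly long chain: give up */
}

/* Constructed sample packet: IPv4(proto 41) -> IPv6(next 60) -> dest opts -> TCP SYN. */
size_t build_sample_6in4(uint8_t *buf)
{
    static const uint8_t v4[20] = {0x45,0,0,88, 0,0,0x40,0, 64,41,0,0, 10,0,0,1, 10,0,0,2};
    static const uint8_t v6[40] = {0x60,0,0,0, 0,28,60,64,
        0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1, 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2};
    static const uint8_t dop[8] = {6,0, 1,4,0,0,0,0};           /* next=TCP, len 0 (=8 bytes), PadN */
    static const uint8_t tcp[20] = {0x04,0xd2,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0};
    memcpy(buf, v4, 20); memcpy(buf + 20, v6, 40);
    memcpy(buf + 60, dop, 8); memcpy(buf + 68, tcp, 20);
    return 88;                                                  /* total on-the-wire length */
}
```

Feeding the same packet with its outer protocol changed to 6 shows the decoder correctly refusing to treat plain IPv4 traffic as a tunnel, and a shortened length shows the truncation check.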