IDS mailing list archives
Re: EXPERIMENTAL IPv6 decoder available in Snort
From: "mb_lima" <mb_lima () uol com br>
Date: Fri, 27 Dec 2002 16:14:35 -0200
Sorry, I would want to say "tunnel Ipv4 in Ipv6" in my first afirmation :-).
Hi folks, I think that there are few reasons to tunnel Ipv6 in Ipv4
packets. Tunneling is one of the many alternatives to implement transition to Ipv6 networks. It is used basically to provide communication between Ipv6 islands through IPv4 infrastructure. Regards, Marcelo.Nope, Lance's issue (the honeynet project's, actually) was
I
Pv6tunneled over IPv4. I used packet captures from the compr
om
isedhoneypot as my test data, so I'm pretty sure about that on
e.
I don'tthink there's an option to tunnel v4 over v6, at least not
t
hat I wasable to find in in.h. -Marty On Tuesday, December 24, 2002, at 03:10 AM, Greg van der G
aa
st wrote:"This decoder is implemented to test Snort's capability to analyze IPv6 and IPv6 tunneled over IPv4." Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traf
fi
c being sentinside an IPv6 tunnel) I thought that was Lance's issue.
I
might bemistaken here. In any case, thanks Marty. We love you ;) Cheers, merry Christmas and happy new year. Greg van der Gaast Guy with clue @ Ordina Public West NL (Frustrating times) -----Oorspronkelijk bericht----- Van: Martin Roesch [mailto:roesch () sourcefire com] Verzonden: Saturday, December 21, 2002 2:45 AM Aan: focus-ids () securityfocus com Onderwerp: EXPERIMENTAL IPv6 decoder available in Snort Hi everyone, Following up Lance's message regarding the usage of
I
Pv6 tunnelingon a honeynet, I'd like to announce the availability of an *e
xp
erimental*version of Snort with an IPv6 decoder. This decoder is implemen
te
d to testSnort's capability to analyze IPv6 and IPv6 tunneled over IPv4.
C
urrently itconsists of a decoder and printing module only, so if yo
u
want to testit and see the v6 output, just run 'snort -dv'. If people would like to test the code out and see if it'
s
workingproperly, it can be downloaded and tested at: http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz This code currently doesn't have any components integrat
ed
into thedetection engine, so you can't tell Snort to look at IPv
6
addresses orheader fields using the rules language yet. It is capab
le
of lookingfor standard embedded protocol headers and payloads in IPv6
tu
nneled overIPv4. If people would like to test this code out, I'm primaril
y
interested inseeing if the code is stable and capable of decoding all
v
6 trafficwithout any memory leaks or crashes. Unfortunately, my ability
to
generate v6traffic for testing purposes is extremely limited right
no
w, so I'mdepending on people with access to the right kind of net
wo
rks to helpout! Once I'm happy with the decoder, I'll integrate IPv6 sup
po
rt into thedetection engine! -Marty -- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616Sourcefire: Professional Snort Sensor and Management Con
so
le appliancesroesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org--- UOL, o melhor da Internet http://www.uol.com.br/
--- UOL, o melhor da Internet http://www.uol.com.br/
Current thread:
- EXPERIMENTAL IPv6 decoder available in Snort Martin Roesch (Dec 23)
- RE: EXPERIMENTAL IPv6 decoder available in Snort Greg van der Gaast (Dec 24)
- Re: EXPERIMENTAL IPv6 decoder available in Snort Martin Roesch (Dec 27)
- Re: EXPERIMENTAL IPv6 decoder available in Snort Frank Knobbe (Dec 27)
- Re: EXPERIMENTAL IPv6 decoder available in Snort Martin Roesch (Dec 27)
- <Possible follow-ups>
- Re: EXPERIMENTAL IPv6 decoder available in Snort mb_lima (Dec 27)
- Re: EXPERIMENTAL IPv6 decoder available in Snort mb_lima (Dec 27)
- RE: EXPERIMENTAL IPv6 decoder available in Snort Greg van der Gaast (Dec 24)