Snort mailing list archives
Re: IPv6 Header
From: Edurne Izaguirre <soyedurne () hotmail com>
Date: Sat, 31 Oct 2009 12:07:27 +0100
Hello Albert,

Thank you very much for your answer. Those links were really useful when I read them some time ago.

What you have told is what I have read in the Webseminar from Sourcefire but what I was asking was for further information about IPv6 header fields such as version or next header ones. And also what happens if our attacker puts some arbitrary routing or fragmentation header in the packet?

Thank you anyway for your help, it is nice to be answered!

Edurne
Subject: Re: [Snort-users] IPv6 Header
From: albertg () cerveau us
To: soyedurne () hotmail com
CC: snort-users () lists sourceforge net
Date: Wed, 28 Oct 2009 23:45:11 -0400

Edurne,

The existing protocol keywords work with both IPv4/6. You can use BPF to control (via filters) whether your sensor only sees one or both protocols while sensing. You can specify IPv6 based addresses within your rulesets which can further assist in identifying the traffic and potential malicious activity. On top of that you can also specify the `ip_proto` option within your ruleset.

And as of the Snort 2.8.4 release support was added to the frag3 preprocessor and various application level preprocessors (SMTP, FTP, DCE/RPC, Portscan, etc...) so that provides more extensive protection across the platform.

I hope this helps with your questions, I have provided some links which reference what it seems you are interested in and attempting to tackle.

http://www.personal.psu.edu/dvm105/blogs/ipv6/2009/04/new-snort-release-with-ipv6-su.html
http://marc.info/?l=snort-devel&m=121935131920776&w=2
http://marc.info/?l=snort-devel&m=121975623105073&w=2

Cheers,
- Albert Gonzalez
http://blog.cerveau.us
"Success comes to the person who does today, what you are thinking of doing tomorrow."

On Mon, 2009-10-26 at 23:30 +0100, Edurne Izaguirre wrote:

Hello everyone,

I'm working with Snort in an IPv6 environment to make some experiments. And I have some questions related to this topic.

In the last Web Seminar it was said that all of Snort is supported on IPv6. However, it doesn't talk about the options made for the IP Header. Is there support enough to work with IP Header Fields? Are there options for the new fields? How does Snort work with the Extensions Header? What happens if our attacker puts some arbitrary routing or fragmentation header in the packet?

Thank you very much,
Edurne
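As an added illustration of the fields asked about in this thread (version, next header, and routing or fragment extension headers), the following Python example is not from the thread and is not Snort code; it walks the next-header chain of a constructed packet, which is what a sensor has to do before it can reach the upper-layer protocol. The function names `walk_ipv6` and `sample` and the sample packet are assumptions made for this example.

```python
import struct

# Extension headers with a Next Header byte first (AH/ESP are left out here).
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}

def walk_ipv6(pkt: bytes):
    """Return (fixed header fields, extension chain, upper-layer protocol or None)."""
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-byte fixed header")
    word, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    fixed = {"version": word >> 28, "traffic_class": (word >> 20) & 0xFF,
             "flow_label": word & 0xFFFFF, "payload_len": plen,
             "next_header": nh, "hop_limit": hlim}
    if fixed["version"] != 6:
        raise ValueError("version field is not 6")
    chain, off = [], 40
    while nh in EXT:
        # Fragment header is fixed at 8 bytes; the others give their length
        # in 8-byte units, not counting the first 8 bytes.
        size = 8 if nh == 44 or off + 2 > len(pkt) else (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            chain.append({"type": EXT[nh], "offset": off, "error": "truncated"})
            return fixed, chain, None
        entry = {"type": EXT[nh], "offset": off, "length": size}
        if nh == 43:
            entry.update(routing_type=pkt[off + 2], segments_left=pkt[off + 3])
        if nh == 44:
            frag, ident = struct.unpack("!HI", pkt[off + 2:off + 8])
            entry.update(frag_offset=frag >> 3, more=bool(frag & 1), ident=ident)
        chain.append(entry)
        if nh == 44 and entry["frag_offset"] != 0:
            return fixed, chain, None  # later fragment: what follows is not a header
        nh, off = pkt[off], off + size
    return fixed, chain, nh

def sample() -> bytes:
    """Constructed packet: routing header (type 0), fragment header, 4 data bytes."""
    rh = bytes([44, 2, 0, 1]) + bytes(4) + bytes(16)   # next=44, 24 bytes long
    fh = struct.pack("!BBHI", 6, 0, 1, 0x1234)         # next=TCP, offset 0, M=1
    body = rh + fh + bytes(4)
    return struct.pack("!IHBB", 6 << 28, len(body), 43, 64) + bytes(32) + body

if __name__ == "__main__":
    fixed, chain, upper = walk_ipv6(sample())
    print(fixed)
    for hdr in chain:
        print(hdr)
    print("upper-layer protocol:", upper)
```

The Next Header value in the fixed header names only the first extension header, so a check that looks at that byte alone does not see the upper-layer protocol behind a routing or fragment header.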
Current thread:
- IPv6 Header Edurne Izaguirre (Oct 26)
- Re: IPv6 Header Albert Gonzalez (Oct 28)
- Re: IPv6 Header Edurne Izaguirre (Oct 31)