Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Automatically decoding of Teredo traffic

From: Yun Zheng Hu <yunzheng.hu () gmail com>
Date: Wed, 20 Jun 2012 13:11:27 +0200
Hi all,

I have Snort compiled with IPv6 support, and now it seems to
automatically decode Teredo traffic. This is a nice feature but I want
to detect Teredo tunnels on my network, but because the packet is
automatically decoded I cannot detect on the original ipv4 packets
that created the tunnel.

For example, the following signature works on Snort without ipv6
support and reports the ipv4 source and dest that created the tunnel:

alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
sid:xxx; rev:1;)

However with Snort and ipv6 support the signature stopped working and
i had to modify the signature to:

alert udp $EXTERNAL_NET 3544 ->
[$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
00 00 00 00 00 80 00|"; offset:29; depth:10;
classtype:policy-violation; sid:xxxx; rev:1;)

However it would then report the ipv6 addresses from the decoded
Teredo traffic instead of the original ipv4 addresses:

[**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
[**] [Classification: Potential Corporate Privacy Violation]
[Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
fe80:0000:0000:0000:0000:ffff:ffff:ffff

Is there a configuration option that disables the automatic decoding
of teredo (and 6in4) tunnels? Ofcourse i could compile it without ipv6
support but i'm looking for a better solution.
I'm not sure if this is a bug, but I think this actually degrades the
detection capabilities of Snort because it lost the original ipv4
addresses.

Regards,

Yun

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: