Snort mailing list archives
Automatically decoding of Teredo traffic
From: Yun Zheng Hu <yunzheng.hu () gmail com>
Date: Wed, 20 Jun 2012 13:11:27 +0200
Hi all,

I have Snort compiled with IPv6 support, and now it seems to automatically decode Teredo traffic. This is a nice feature, but I want to detect Teredo tunnels on my network, and because the packet is automatically decoded I cannot detect on the original IPv4 packets that created the tunnel.

For example, the following signature works on Snort without IPv6 support and reports the IPv4 source and destination that created the tunnel:

alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation; sid:xxx; rev:1;)

However, with Snort and IPv6 support the signature stopped working and I had to modify the signature to:

alert udp $EXTERNAL_NET 3544 -> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation; sid:xxxx; rev:1;)

However, it would then report the IPv6 addresses from the decoded Teredo traffic instead of the original IPv4 addresses:

[**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 4]
{IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx -> fe80:0000:0000:0000:0000:ffff:ffff:ffff

Is there a configuration option that disables the automatic decoding of Teredo (and 6in4) tunnels? Of course I could compile it without IPv6 support, but I'm looking for a better solution.

I'm not sure if this is a bug, but I think this actually degrades the detection capabilities of Snort because it lost the original IPv4 addresses.

Regards,
Yun
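The following is an added example, not code from the poster or from the Snort project. It shows what the rule above is actually matching and why the outer addresses matter: with a 13-byte Teredo authentication indicator (0x0001, zero-length client ID and auth value) followed by an 8-byte origin indication (0x0000), the encapsulated IPv6 header starts at byte 21 of the UDP payload and its source address at byte 29, which is exactly the rule's `offset:29; depth:10` on `FE 80 ... 80 00`. The script parses that layout, applies the same byte check, and reports the outer IPv4 endpoints alongside the decoded inner IPv6 addresses, which is the information the poster loses once Snort decodes the tunnel before matching. The packet builder, the addresses (RFC 5737 documentation ranges and a made-up server link-local address) and the function names are all constructed for this example; the ICMPv6 checksum is left as zero because nothing here verifies it.

```python
import ipaddress
import struct

TEREDO_PORT = 3544
# The rule's content match: first 10 bytes of a Teredo server link-local
# source address (fe80::/64 with the 0x8000 "cone" flag in the interface ID).
RA_PATTERN = bytes.fromhex("fe800000000000008000")


def parse_teredo_payload(payload: bytes):
    """Decode a Teredo UDP payload (RFC 4380 layout): an optional
    authentication indicator (0x0001), an optional origin indication
    (0x0000), then a plain IPv6 packet.  Returns a dict or None."""
    off = 0
    info = {"auth": False, "origin": None}

    if payload[off:off + 2] == b"\x00\x01":
        id_len, au_len = payload[off + 2], payload[off + 3]
        # indicator(2) + id_len(1) + au_len(1) + id + auth + nonce(8) + confirmation(1)
        off += 4 + id_len + au_len + 8 + 1
        info["auth"] = True

    if payload[off:off + 2] == b"\x00\x00":
        obf_port, obf_addr = struct.unpack("!H4s", payload[off + 2:off + 8])
        # Origin port and IPv4 address are stored XORed with all ones.
        port = obf_port ^ 0xFFFF
        addr = bytes(b ^ 0xFF for b in obf_addr)
        info["origin"] = (str(ipaddress.IPv4Address(addr)), port)
        off += 8

    ipv6 = payload[off:]
    if len(ipv6) < 40 or (ipv6[0] >> 4) != 6:
        return None
    info["inner_offset"] = off
    info["next_header"] = ipv6[6]
    info["ipv6_src"] = str(ipaddress.IPv6Address(ipv6[8:24]))
    info["ipv6_dst"] = str(ipaddress.IPv6Address(ipv6[24:40]))
    # ICMPv6 (58) type 134 is a Router Advertisement.
    info["is_router_advertisement"] = ipv6[6] == 58 and len(ipv6) > 40 and ipv6[40] == 134
    return info


def detect_teredo_ra(outer_src, outer_dst, sport, dport, payload: bytes):
    """Equivalent of the rule 'udp $EXTERNAL_NET 3544 -> $HOME_NET any' with
    content at offset 29, depth 10, but the alert keeps the outer IPv4
    endpoints and adds the decoded inner addresses.  Returns None if no match."""
    if sport != TEREDO_PORT:
        return None
    if payload[29:39] != RA_PATTERN:
        return None
    inner = parse_teredo_payload(payload)
    return {
        "msg": "Teredo IPv6 Tunneling - Router Advertisement to Client",
        "outer_src": outer_src, "outer_dst": outer_dst,
        "outer_sport": sport, "outer_dport": dport,
        "inner_src": inner["ipv6_src"] if inner else None,
        "inner_dst": inner["ipv6_dst"] if inner else None,
        "origin": inner["origin"] if inner else None,
        "ra_confirmed": bool(inner and inner["is_router_advertisement"]),
    }


def build_sample_ra() -> bytes:
    """Constructed sample: a Teredo Router Advertisement as a server would
    send it to a client during qualification (RFC 4380 section 5.2.2)."""
    auth = b"\x00\x01\x00\x00" + b"\x11" * 8 + b"\x00"          # 13 bytes
    client_ip = ipaddress.IPv4Address("203.0.113.10").packed     # constructed
    origin = (b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF)
              + bytes(b ^ 0xFF for b in client_ip))              # 8 bytes
    src = ipaddress.IPv6Address("fe80::8000:0:0:1").packed       # constructed server address
    dst = ipaddress.IPv6Address("fe80::ffff:ffff:ffff").packed   # client link-local per RFC 4380
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 0, 0, 1800, 0, 0) # RA, checksum left at 0
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src + dst
    return auth + origin + ip6 + icmp


if __name__ == "__main__":
    pkt = build_sample_ra()
    alert = detect_teredo_ra("192.0.2.1", "198.51.100.7", 3544, 40000, pkt)
    print(alert)
```

The point of carrying both address pairs is that the inner fe80:: addresses are the same for every Teredo client, so an alert keyed on them alone cannot tell one tunnel endpoint from another; the outer IPv4 pair is what identifies the host and the server it qualified against.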