Snort mailing list archives

Re: Snort IPv6 howto/rules


From: Stephen Reese <rsreese () gmail com>
Date: Tue, 21 Apr 2009 19:59:14 -0400

On Mon, Apr 13, 2009 at 8:02 PM, Stephen Reese <rsreese () gmail com> wrote:
Are there any IPv6 Snort rule sets available or do they need to be
written from scratch? I've compiled Snort 2.8.4 with IPv6 support but
realized I don't have a clue in regards to the configuration that's needed
to look at the IPv6 traffic. TCPDUMP on the sensor interface sees IPv6
related traffic.

Should I specify another var for the IPv6 scheme:

var HOME_NET [x.x.x.0/24,x.x.x.0/24]

IPv6 tunnel over IPv4 | Router with IPv6 address | Snort sensor |
Network with functioning IPv6 hosts

Thanks


I wrote three very simple rules just to confirm that Snort is sniffing
IPv6 and sure enough it is, though BASE doesn't seem to be playing
nicely (or it could be MySQL).

alert tcp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 TCP Traffic"; sid:1000001;)
alert icmp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 ICMP Traffic"; sid:1000002;)
alert udp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 UDP Traffic"; sid:1000003;)

I registered for the VRT rules just to check and I do not see any new
IPv6 rules:

$ grep -i ipv6 *
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
policy.rules:# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY IPv6 encapsulated in IPv4 activity"; ip_proto:41; classtype:policy-violation; sid:8446; rev:1;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC malformed ipv6 uri overflow attempt"; flow:to_server,established; uricontent:"|3A|/["; pcre:"/\x3a\x2f\x5b\s*([\x2F\x3F\x23]*)|([\x2F\x3F\x23]+.+)|(\x3a[^\x3a^\x5d]*)$/U"; metadata:service http; reference:bugtraq,11187; reference:cve,2004-0786; classtype:web-application-attack; sid:5715; rev:2;)

Should I assume I'm on my own for the time being writing IPv6 rules?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
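The following is an added example, not code from the post above or from the Snort project. It is a small pure-Python model of what the poster's "is Snort seeing IPv6 at all" rules and the VRT policy rule sid 8446 (ip_proto:41) key on once HOME_NET carries both an IPv4 and an IPv6 prefix. With IPv6 support compiled in, Snort 2.8 takes IP lists through `ipvar` rather than `var`; the specific prefixes, the choice to model $EXTERNAL_NET as !$HOME_NET, and the decision to evaluate rules against both the outer and the decoded inner header of a 6in4 tunnel are assumptions of this model. All packets are constructed inline from documentation address ranges.

```python
"""Added example (not from the Snort mailing list post or the Snort project):
a pure-Python model of Snort rule-header matching with a mixed IPv4/IPv6
HOME_NET, plus the protocol-41 (IPv6-in-IPv4) check that VRT sid 8446 uses.
Packets are constructed inline from RFC 5737 / RFC 3849 documentation
prefixes; nothing here is real traffic."""
import ipaddress
import struct

# Assumed equivalent of a Snort 2.8 IPv6-enabled config line:
#   ipvar HOME_NET [192.0.2.0/24,2001:db8:1::/48]
# $EXTERNAL_NET is modelled as !$HOME_NET.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("2001:db8:1::/48")]

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_ICMPV6 = 1, 6, 17, 41, 58

# (sid, msg, protocols the rule header accepts, IP version the rule is meant to see).
# The first three are the poster's test rules; the last models the VRT policy
# rule "alert ip ... ip_proto:41", which keys on the OUTER IPv4 header.
RULES = [
    (1000001, "IPV6 TCP Traffic", {IPPROTO_TCP}, 6),
    (1000002, "IPV6 ICMP Traffic", {IPPROTO_ICMP, IPPROTO_ICMPV6}, 6),  # 'icmp' covers ICMPv6 in this model
    (1000003, "IPV6 UDP Traffic", {IPPROTO_UDP}, 6),
    (8446, "POLICY IPv6 encapsulated in IPv4 activity", {IPPROTO_IPV6}, 4),
]


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload


def build_ipv6(src, dst, next_header, payload=b""):
    """Fixed 40-byte IPv6 header + payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload


def decode(pkt):
    """Decode the outer IP header; for protocol 41 also decode the inner IPv6 header."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        hdr = {"version": 4, "proto": pkt[9],
               "src": ipaddress.ip_address(pkt[12:16]), "dst": ipaddress.ip_address(pkt[16:20])}
        if hdr["proto"] == IPPROTO_IPV6:  # 6in4: the IPv4 payload is a complete IPv6 packet
            hdr["inner"] = decode(pkt[ihl:])
        return hdr
    if version == 6:
        return {"version": 6, "proto": pkt[6],
                "src": ipaddress.ip_address(pkt[8:24]), "dst": ipaddress.ip_address(pkt[24:40])}
    raise ValueError("not an IPv4 or IPv6 packet")


def in_home_net(addr):
    """ipvar semantics: an address only matches a prefix of its own family."""
    return any(addr.version == net.version and addr in net for net in HOME_NET)


def header_matches(rule, hdr):
    """Rule header check: protocol, then $EXTERNAL_NET any -> $HOME_NET any."""
    _sid, _msg, protos, version = rule
    return (hdr["version"] == version and hdr["proto"] in protos
            and not in_home_net(hdr["src"]) and in_home_net(hdr["dst"]))


def alerts_for(pkt):
    """Return the sids that fire. This model evaluates the outer header and, for a
    decoded 6in4 tunnel, the inner IPv6 header too (an assumption; whether a given
    Snort build does the same is exactly what the poster's test rules reveal)."""
    hdr = decode(pkt)
    fired = []
    for layer in (hdr, hdr.get("inner")):
        if layer is not None:
            fired += [rule[0] for rule in RULES if header_matches(rule, layer)]
    return fired


# Constructed sample traffic (documentation prefixes only).
SAMPLES = {
    # native IPv6 TCP from outside into the IPv6 prefix of HOME_NET
    "native_v6_tcp": build_ipv6("2001:db8:ffff::1", "2001:db8:1::10", IPPROTO_TCP),
    # ICMPv6 into HOME_NET
    "native_v6_icmp": build_ipv6("2001:db8:ffff::1", "2001:db8:1::10", IPPROTO_ICMPV6),
    # IPv6 UDP inside an IPv4 protocol-41 tunnel that terminates on a HOME_NET router
    "six_in_four_udp": build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_IPV6,
                                  build_ipv6("2001:db8:ffff::2", "2001:db8:1::20", IPPROTO_UDP)),
    # plain IPv4 TCP: the IPv6-only rules must stay quiet
    "native_v4_tcp": build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_TCP),
    # IPv6 leaving HOME_NET: wrong direction for EXTERNAL -> HOME rules
    "outbound_v6_tcp": build_ipv6("2001:db8:1::10", "2001:db8:ffff::1", IPPROTO_TCP),
}


def run():
    """Map each sample name to the list of sids that fire on it."""
    return {name: alerts_for(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run().items():
        print(f"{name:16s} -> {sids}")
```

Two points the model makes visible. First, a 6in4 tunnel packet has an IPv4 outer header, so `ip_proto:41` (sid 8446) fires on the tunnel itself regardless of what the inner IPv6 carries; the poster's IPv6 test rules only see that inner traffic if the sensor decodes the encapsulation, and running those rules on a known tunnel is the quick way to find out. Second, sids 411-414 in the grep output match ICMPv4 types 33 and 34, the long-deprecated "IPv6 Where-Are-You" and "I-Am-Here" messages carried over IPv4, so hits on them say nothing about ICMPv6 inspection.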