Snort mailing list archives
Re: Snort IPv6 howto/rules
From: Stephen Reese <rsreese () gmail com>
Date: Tue, 21 Apr 2009 19:59:14 -0400
On Mon, Apr 13, 2009 at 8:02 PM, Stephen Reese <rsreese () gmail com> wrote:
> Are there any IPv6 Snort rule sets available or do they need to be written from scratch? I've compiled Snort 2.8.4 with IPv6 support but realized I don't have a clue in regards to the configuration that's needed to look at the IPv6 traffic. TCPDUMP on the sensor interface sees IPv6 related traffic.
>
> Should I specify another var for the IPv6 scheme:
>
>   var HOME_NET [x.x.x.0/24,x.x.x.0/24]
>
>   IPv6 tunnel over IPv4
>           |
>   Router with IPv6 address
>           |
>   Snort sensor
>           |
>   Network with functioning IPv6 hosts
>
> Thanks
I wrote three very simple rules just to confirm that Snort is sniffing IPv6, and sure enough it is, though BASE doesn't seem to be playing nicely (or it could be MySQL).

  alert tcp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 TCP Traffic"; sid:1000001;)
  alert icmp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 ICMP Traffic"; sid:1000002;)
  alert udp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 UDP Traffic"; sid:1000003;)

I registered for the VRT rules just to check and I do not see any new IPv6 rules:

  $ grep -i ipv6 *
  icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
  icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
  icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
  icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
  policy.rules:# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY IPv6 encapsulated in IPv4 activity"; ip_proto:41; classtype:policy-violation; sid:8446; rev:1;)
  web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC malformed ipv6 uri overflow attempt"; flow:to_server,established; uricontent:"|3A|/["; pcre:"/\x3a\x2f\x5b\s*([\x2F\x3F\x23]*)|([\x2F\x3F\x23]+.+)|(\x3a[^\x3a^\x5d]*)$/U"; metadata:service http; reference:bugtraq,11187; reference:cve,2004-0786; classtype:web-application-attack; sid:5715; rev:2;)

Should I assume I'm on my own for the time being writing IPv6 rules?
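The two messages above ask how HOME_NET-style variables should be declared for IPv6 and then test the answer with three hand-written rules. The following script is an added example, written for this archive page and not part of the thread or of Snort itself. It models the header-matching step that Snort performs (variable lookup, negation, protocol and port comparison) so that a rule file and an ipvar block can be sanity-checked offline before a sensor is reloaded: the snort.conf fragment and the local rules are constructed here with RFC 5737/3849 documentation addresses, the variable names HOME_IPV6 and EXTERNAL_IPV6 are the poster's, and the ipvar syntax follows the Snort 2.8 manual (ipvar lists accept IPv6 networks when Snort is built with IPv6 support). Only the forms used in the fragment are parsed: bracketed network lists, single networks, and a possibly negated reference to another variable; rule options after the header are not evaluated.

```python
import ipaddress
import re

# Constructed snort.conf fragment (documentation prefixes, not a real deployment).
SNORT_CONF = """
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET
ipvar HOME_IPV6 [2001:db8:1::/48,2001:db8:2::/48]
ipvar EXTERNAL_IPV6 !$HOME_IPV6
"""

# Constructed local rules: the three from the reply above plus one IPv4 control rule.
LOCAL_RULES = """
alert tcp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 TCP Traffic"; sid:1000001;)
alert icmp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 ICMP Traffic"; sid:1000002;)
alert udp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 UDP Traffic"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IPV4 TCP Traffic"; sid:1000004;)
"""

# action proto src sport -> dst dport (options); only the '->' direction is modelled.
RULE_HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_ipvars(conf_text):
    """Return {name: (networks, negated)} for every ipvar line in conf_text."""
    variables = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("ipvar "):
            continue
        _, name, value = line.split(None, 2)
        negated = value.startswith("!")
        value = value.lstrip("!")
        if value.startswith("$"):  # reference to an earlier variable, e.g. !$HOME_NET
            ref = value[1:]
            if ref not in variables:
                raise ValueError("ipvar %s references undefined $%s" % (name, ref))
            nets, inner_negated = variables[ref]
            variables[name] = (nets, negated != inner_negated)
            continue
        items = value.strip("[]").split(",")
        nets = [ipaddress.ip_network(item.strip(), strict=False) for item in items]
        variables[name] = (nets, negated)
    return variables


def address_matches(variables, token, address):
    """Does a header address token ($VAR, !$VAR, 'any' or a literal network) cover address?"""
    addr = ipaddress.ip_address(address)
    if token == "any":
        return True
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        nets, var_negated = variables[token[1:]]
        negated = negated != var_negated
    else:
        nets = [ipaddress.ip_network(token, strict=False)]
    # An IPv4 address is never inside an IPv6 network and vice versa.
    hit = any(addr.version == net.version and addr in net for net in nets)
    return hit != negated


def parse_rules(rules_text):
    """Parse rule headers and sids; comments and blank lines are skipped."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_HEADER.match(line)
        if not match:
            raise ValueError("unparsable rule header: " + line)
        action, proto, src, sport, dst, dport, body = match.groups()
        sid = re.search(r'\bsid:\s*(\d+)', body)
        if not sid:
            raise ValueError("rule without sid: " + line)
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "sid": int(sid.group(1))})
    return rules


def port_matches(token, port):
    return token == "any" or token == str(port)


def matching_sids(variables, rules, proto, src, sport, dst, dport):
    """Sids of rules whose header would match this 5-tuple (header only, no payload options)."""
    hits = []
    for rule in rules:
        if rule["proto"] not in (proto, "ip"):
            continue
        if (address_matches(variables, rule["src"], src) and port_matches(rule["sport"], sport)
                and address_matches(variables, rule["dst"], dst) and port_matches(rule["dport"], dport)):
            hits.append(rule["sid"])
    return hits


def duplicate_sids(rules):
    """Hand-numbered local rules are easy to collide; report any reused sid."""
    seen, dups = set(), set()
    for rule in rules:
        if rule["sid"] in seen:
            dups.add(rule["sid"])
        seen.add(rule["sid"])
    return sorted(dups)


def mentions_ipv6(variables):
    """Names of variables whose network list contains at least one IPv6 network."""
    return sorted(name for name, (nets, _) in variables.items()
                  if any(net.version == 6 for net in nets))


if __name__ == "__main__":
    v, r = parse_ipvars(SNORT_CONF), parse_rules(LOCAL_RULES)
    print("IPv6-aware variables:", mentions_ipv6(v))
    print("external -> home IPv6 TCP:", matching_sids(v, r, "tcp", "2001:db8:ffff::1", 40000, "2001:db8:1::10", 22))
    print("home -> home IPv6 TCP:", matching_sids(v, r, "tcp", "2001:db8:1::5", 1234, "2001:db8:1::10", 80))
```

Two things the thread's own rules do not make explicit fall out of running it: an IPv4 HOME_NET with a negated EXTERNAL_NET never matches the IPv6 side of the destination check, so the separate HOME_IPV6/EXTERNAL_IPV6 pair really is needed for IPv6 hosts to be recognised as "home", and traffic between two HOME_IPV6 hosts matches none of the three test rules because $EXTERNAL_IPV6 is the negation of $HOME_IPV6. Note that the model ignores the IPv6-in-IPv4 tunnel in the poster's diagram: Snort sees the decapsulated IPv6 header only where its decoder handles protocol 41, which is what VRT sid 8446 in the grep output is watching for.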
Current thread:
- Snort IPv6 howto/rules Stephen Reese (Apr 13)
- Re: Snort IPv6 howto/rules Stephen Reese (Apr 21)
- Re: Snort IPv6 howto/rules Nigel Houghton (Apr 21)
- Re: Snort IPv6 howto/rules Stephen Reese (Apr 21)