Snort mailing list archives

Re: IPv6 rule options syntax


From: Steven Sturges <ssturges () sourcefire com>
Date: Wed, 04 May 2011 08:59:23 -0400

Martin is correct.

Snort does not expose all of the values from the IPv6 extension
headers via rule options; however, where there is an IPv4 equivalent,
we do leverage those.

1) Hop limit is akin to the ttl value in the IPv4 header, so you can use 
the ttl rule option for that.

2) For ICMP, Snort handles both IPv4 and IPv6 versions of ICMP the same
way.

Other examples are the fragmentation offset, fragmentation ID, and
traffic class, which map to the offset, id, and tos fields of IPv4.

Cheers.
-steve

On 5/4/11 7:33 AM, Martin Schütte wrote:
On 05/04/11 07:30, 김무성 wrote:
Are there any options for IPv6 that have already been created or will be created?

Example) IPv6 Hop Limit -> HL:50;
Example) ICMPv6 type -> itype6:134

There are no IPv6 specific options (yet?).
But nearly all fields are mapped to their IPv4 counterparts, so your
examples are expressed with the rules:

alert icmp any any -> any any                           \
     (msg:"IPv6 ICMP Router Advertisement"; itype:134;  \
     classtype:icmp-event; sid:2000001; rev:1;)
alert ip any any -> any any                             \
     (msg:"TTL or Hop Limit = 50"; ttl:50;              \
     classtype:attempted-recon; sid:2000002; rev:1;)


BTW, I am currently writing an IPv6 preprocessor to detect more issues
and to track autoconfiguration. It is not released yet, but feel free to
contact me off list.


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
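The mapping the thread describes (Hop Limit behind ttl, Traffic Class behind tos, the Fragment extension header's offset and Identification behind fragoffset and id, and the ICMPv6 type behind itype) can be made concrete by walking an IPv6 header chain by hand. The following is an added example, not code from the thread or from Snort: a small Python parser that pulls those fields out of a raw IPv6 packet, plus a reduced matcher that applies the two rules above to it. The packets, addresses, and the rule dictionary are constructed for the example; the option names are Snort's, but the matching logic is a simplification of what Snort itself does. It also walks a Hop-by-Hop header placed in front of the ICMPv6 header, which the thread does not show.

```python
# Added illustration (not Snort source): how Snort's IPv4-named rule options
# line up with IPv6 header fields. Offsets follow RFC 8200 / RFC 4443;
# the matching logic is a simplification of what Snort actually does.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60


def parse_ipv6(pkt: bytes) -> dict:
    """Return the IPv6 fields behind ttl, tos, id, fragoffset, itype/icode."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_word = struct.unpack("!I", pkt[:4])[0]
    fields = {
        "tos": (first_word >> 20) & 0xFF,  # Traffic Class <-> IPv4 TOS
        "ttl": pkt[7],                     # Hop Limit <-> IPv4 TTL
        "fragoffset": 0, "id": 0,          # only set if a Fragment header is present
        "itype": None, "icode": None,      # only set for ICMPv6
    }
    next_hdr, off = pkt[6], 40
    while off + 8 <= len(pkt):             # every header we inspect needs >= 8 bytes
        if next_hdr in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif next_hdr == FRAGMENT:
            off_flags, ident = struct.unpack("!HI", pkt[off + 2:off + 8])
            fields["fragoffset"] = off_flags >> 3  # 13-bit offset, 8-octet units
            fields["id"] = ident                   # 32-bit Identification <-> IPv4 ID
            next_hdr, off = pkt[off], off + 8
        elif next_hdr == ICMPV6:
            fields["itype"], fields["icode"] = pkt[off], pkt[off + 1]
            break
        else:                                      # TCP/UDP/unknown: nothing more to map
            break
    return fields


def matching_rules(pkt: bytes, rules: dict) -> list:
    """Apply simplified rules {msg: {"proto": ..., option: value, ...}} to one packet."""
    fields = parse_ipv6(pkt)
    hits = []
    for msg, opts in rules.items():
        opts = dict(opts)
        proto = opts.pop("proto", "ip")
        if proto == "icmp" and fields["itype"] is None:
            continue                               # 'alert icmp' never fires on non-ICMP
        if all(fields.get(k) == v for k, v in opts.items()):
            hits.append(msg)
    return hits


# The two rules from the thread, reduced to their header tests (constructed).
RULES = {
    "IPv6 ICMP Router Advertisement": {"proto": "icmp", "itype": 134},
    "TTL or Hop Limit = 50": {"proto": "ip", "ttl": 50},
}


def build_ipv6(payload: bytes, next_header: int, hop_limit: int, tclass: int = 0) -> bytes:
    """Constructed packet: link-local source to ff02::1, checksums left at zero."""
    first_word = (6 << 28) | (tclass << 20)
    src = bytes.fromhex("fe80000000000000" "0000000000000001")
    dst = bytes.fromhex("ff02000000000000" "0000000000000001")
    return struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit) + src + dst + payload


# Constructed sample packets.
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)        # Router Advertisement body
RA_PKT = build_ipv6(RA, ICMPV6, 255)
HBH = struct.pack("!BB", ICMPV6, 0) + bytes([1, 4, 0, 0, 0, 0])   # Hop-by-Hop header with PadN
RA_BEHIND_HBH_PKT = build_ipv6(HBH + RA, HOP_BY_HOP, 255)
FRAG = struct.pack("!BBHI", 17, 0, (185 << 3) | 0, 0xDEADBEEF) + b"\x00" * 8  # Fragment hdr + UDP stub
FRAG_PKT = build_ipv6(FRAG, FRAGMENT, 50, tclass=0xE0)

if __name__ == "__main__":
    for name, pkt in [("RA", RA_PKT), ("RA behind HBH", RA_BEHIND_HBH_PKT), ("frag", FRAG_PKT)]:
        print(name, parse_ipv6(pkt), matching_rules(pkt, RULES))
```

The loop stops when fewer than eight bytes remain, so a truncated packet yields no ICMPv6 type rather than an exception; a rule that keys on itype simply fails to match it, which is the behaviour you want from a detector fed short captures.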
