Snort mailing list archives
Re: Snort 2.9 for IPv6
From: Russ via Snort-users <snort-users () lists snort org>
Date: Thu, 22 Feb 2018 10:52:26 -0500
On 2/22/18 6:01 AM, oleg gv wrote:
> I use latest version as on site snort.org <http://snort.org> specified: daq-2.0.6 and snort-2.9.11.1

OK, so --enable-ipv6 became the default in 2011 and was deleted altogether a while back. If you add --enable-option-checking=fatal to your configure line it will help flush those out. Anyway, that is for Snort not the DAQ.

This came up a long time ago on the list and apparently was never resolved. It looks like nfq_bind_pf is now deprecated (see e.g. https://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__LibrarySetup.html) and the NFQ DAQ should be updated to support both simultaneously. Snort may need a tweak as well to deal with the ambiguous DLT.

> In Daq (even in 2.2.2 version for snort 3.x) there is a comment in the code:
>
>     #if 0
>         // doesn't look like both can be handled simultaneously
>         if ( !strncasecmp(s, "ip*", 3) )
>             return 0x3;
>     #endif
>
> So problem still exists - 2 instances of snort if I want to sniff all IP traffic (for 4 and 6 versions of IP).
> No other ways?
>
> 2018-02-21 21:14 GMT+03:00 Russ via Snort-users <snort-users () lists snort org>:
>
>> What version of Snort and DAQ are you using? --enable-ipv6 is kinda old now. If you aren't using the latest I suggest updating. The DAQ may have been updated to address this issue.
>>
>> On 2/21/18 9:27 AM, oleg gv via Snort-users wrote:
>>
>>> Daq can not sniff both on V4 and v6. So 2 instances of snort is the only way?
>>>
>>> 2018-02-21 17:17 GMT+03:00 oleg gv <oagvozd () gmail com>:
>>>
>>>> Hello, I can not see an alert on the next rules
>>>>
>>>>     alert ip any any --> IPV6_ADDRESS any (...)
>>>>     alert icmp any any --> IPV6_ADDRESS any (...)
>>>>
>>>> I use ping6 to test it. IPv4 test works fine. Snort is built with --enable-ipv6 and uses ip6tables NFQUEUE. Other IPv6 tcp/udp alerts also work fine. Is it possible to detect IPv6 addresses in ip/icmp protocol rules?
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
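
Added example, not part of the thread and not Snort or DAQ code: one way a queue consumer could resolve the "ambiguous DLT" mentioned above, assuming a single NFQUEUE is fed by both iptables and ip6tables and delivers packets that start at the IP header. The function, struct and sample names are hypothetical; 228 and 229 are libpcap's DLT_IPV4 and DLT_IPV6 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* libpcap link types for packets that start at the IP header (pcap/dlt.h). */
enum { RAW_DLT_NONE = 0, RAW_DLT_IPV4 = 228, RAW_DLT_IPV6 = 229 };

/* Hypothetical result: link type plus IPv4 Protocol / first IPv6 Next Header. */
struct raw_ip_info { int dlt; uint8_t proto; };

/* Classify a buffer that begins at the IP header. Truncated or malformed
 * headers return RAW_DLT_NONE so the caller chooses a verdict explicitly. */
struct raw_ip_info classify_raw_ip(const uint8_t *pkt, size_t len)
{
    struct raw_ip_info r = { RAW_DLT_NONE, 0 };
    if (pkt == NULL || len == 0)
        return r;
    if ((pkt[0] >> 4) == 4) {
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length */
        if (ihl < 20 || len < ihl)
            return r;
        size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* Total Length */
        if (total < ihl || total > len)
            return r;
        r.dlt = RAW_DLT_IPV4;
        r.proto = pkt[9];
    } else if ((pkt[0] >> 4) == 6) {
        if (len < 40)                                   /* fixed IPv6 header */
            return r;
        size_t payload = ((size_t)pkt[4] << 8) | pkt[5];
        if (payload > len - 40)
            return r;
        r.dlt = RAW_DLT_IPV6;
        r.proto = pkt[6];   /* extension headers are not walked here */
    }
    return r;
}

/* Constructed samples: bare IP headers naming ICMP (1) and ICMPv6 (58). */
static const uint8_t sample_v4[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1 };
static const uint8_t sample_v6[40] = { 0x60, 0, 0, 0, 0, 0, 58, 64 };

int main(void)
{
    struct raw_ip_info a = classify_raw_ip(sample_v4, sizeof sample_v4);
    struct raw_ip_info b = classify_raw_ip(sample_v6, sizeof sample_v6);
    printf("v4: dlt=%d proto=%u\nv6: dlt=%d proto=%u\n",
           a.dlt, (unsigned)a.proto, b.dlt, (unsigned)b.proto);
    return 0;
}
```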