Snort mailing list archives

Re: IPv6 Header


From: Albert Gonzalez <albertg () cerveau us>
Date: Wed, 28 Oct 2009 23:45:11 -0400

Edurne,

The existing protocol keywords work with both IPv4/6. You can use BPF to
control (via filters) whether your sensor only sees one or both
protocols while sensing. 

You can specify IPv6 based addresses within your rulesets which can
further assist in identifying the traffic and potential malicious
activity. On top of that you can also specify the `ip_proto` option
within your ruleset. And as of the Snort 2.8.4 release, support was added
to the frag3 preprocessor and various application level preprocessors
(SMTP, FTP, DCE/RPC, Portscan, etc...) so that provides more extensive
protection across the platform. 

I hope this helps with your questions. I have provided some links which
reference what it seems you are interested in and attempting to tackle. 

http://www.personal.psu.edu/dvm105/blogs/ipv6/2009/04/new-snort-release-with-ipv6-su.html
http://marc.info/?l=snort-devel&m=121935131920776&w=2
http://marc.info/?l=snort-devel&m=121975623105073&w=2

Cheers,

-  
Albert Gonzalez
http://blog.cerveau.us
"Success comes to the person who does today, what you are thinking of doing tomorrow."


On Mon, 2009-10-26 at 23:30 +0100, Edurne Izaguirre wrote:
Hello everyone,

I'm working with Snort in an IPv6 environment to make some
experiments. And I have some questions related to this topic.

In the last Web Seminar it was said that all of Snort is supported on
IPv6. However, it doesn't talk about the options made for the IP
Header. Is there support enough to work with IP Header Fields? Are
there options for the new fields? How does Snort work with the
Extensions Header? What happens if our attacker puts some arbitrary
routing or fragmentation header in the packet?

Thank you very much,
Edurne

Attachment: signature.asc
Description: This is a digitally signed message part
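
Added example, not part of either message and not Snort's own code: the extension-header question in the quoted message comes down to walking the IPv6 Next Header chain, where routing (43) and fragment (44) headers sit in front of the upper-layer protocol. The Python below does that walk over a constructed packet; `walk_ipv6`, `sample_packet` and the packet contents are assumptions made for illustration.

```python
import ipaddress
import struct

# IPv6 extension header types (IANA protocol numbers).
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "auth", 60: "dest-opts"}

def walk_ipv6(pkt):
    """Return (extension header names, upper-layer protocol or None, notes)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, notes = pkt[6], 40, [], []
    while nxt in EXT:
        if off + 8 > len(pkt):
            notes.append("truncated extension header")
            return chain, None, notes
        hdr_next, hdr_len = pkt[off], pkt[off + 1]
        chain.append(EXT[nxt])
        if nxt == 44:    # fragment header is always 8 bytes
            size = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                # Non-first fragment: what follows is not an upper-layer header.
                notes.append("non-first fragment")
                return chain, None, notes
        elif nxt == 51:  # AH counts its length in 4-byte units, minus 2
            size = (hdr_len + 2) * 4
        else:            # the others count 8-byte units, not including the first
            size = (hdr_len + 1) * 8
        if nxt == 43 and pkt[off + 2] == 0:
            notes.append("routing type 0 (deprecated by RFC 5095)")
        nxt, off = hdr_next, off + size
    return chain, nxt, notes

def sample_packet():
    """Constructed test packet: IPv6 + routing (type 0) + fragment + 20 zero bytes."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    routing = bytes([44, 2, 0, 1]) + bytes(4) + dst   # next=fragment, one address
    frag = bytes([6, 0]) + struct.pack("!HI", 0x0001, 0x1234)  # next=TCP, offset 0, M=1
    payload = routing + frag + bytes(20)
    return struct.pack("!IHBB", 6 << 28, len(payload), 43, 64) + src + dst + payload

if __name__ == "__main__":
    print(walk_ipv6(sample_packet()))
```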
