Snort mailing list archives

Problem capturing packets with IPv6 routing header


From: scheffler () cs uni-potsdam de
Date: Wed, 28 Apr 2010 23:04:53 +0200

Hi,

I am currently trying to find out, if it is possible to write a rule  
that can detect IPv6 Routing Headers of Type 0 (I tested this with an  
ICMPv6 Echo Request with an additional routing header).

In order to determine, if I can use content rules for the detection of  
the type of the routing headers, I let snort run in packet dump mode.  
Here I noticed some peculiar behaviour:

1. If the packet has a Routing Header present no output is produced  
for the ICMP Echo Request packet (look at 04/28-20:49:05.583031 in the  
attached dump).

2. The following packet shows a whole IPv6 packet, including the full  
IPv6 header (04/28-20:49:05.585397)!
The event marks the receipt of the ICMP Response. However, this dump  
shows not the response packet, instead it is the full packet content  
from the 04/28-20:49:05.583031 ICMP-event.

So it seems something is broken in the packet decoding if a  
IPv6-Routing Header is present.

Could somebody please look into this problem?

Best regards,
Thomas



snort -dev -i eth1
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Network Interface eth1
Decoding Ethernet on interface eth1

         --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.8.5.3 IPv6 (Build 124)
    ''''    By Martin Roesch & The Snort Team:  
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
            Using PCRE version: 6.6 06-Feb-2006

Not Using PCAP_FRAMES
04/28-20:49:05.548799 0:1E:58:DF:D2:48 -> 33:33:FF:6F:A7:E2  
type:0x86DD len:0x56
fd00:0141:0064:0001:0000:0000:0000:affe ->  
ff02:0000:0000:0000:0000:0001:ff6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0  
IpLen:40 DgmLen:72
00 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  .......A.d....>.
FE 6F A7 E2 01 01 00 1E 58 DF D2 48              .o......X..H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.552768 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD  
len:0x56
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 ->  
fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0  
IpLen:40 DgmLen:72
60 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  `......A.d....>.
FE 6F A7 E2 02 01 00 16 3E 6F A7 E2              .o......>o..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.583031 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD  
len:0x56
fd00:0141:0064:0001:0000:0000:0000:affe ->  
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:64 TOS:0x0 ID:0  
IpLen:40 DgmLen:72

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.585397 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD  
len:0x86
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 ->  
fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:64 TOS:0x0 ID:0  
IpLen:40 DgmLen:120
60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01  `.... +@...A.d..
00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01  ...........A.d..
02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00  ..>..o..:.......
FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2  ...A.d....>..o..
80 00 EB 08 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:10.496075 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD  
len:0x56
fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 ->  
fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0  
IpLen:40 DgmLen:72
00 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  .......A.d......
00 00 AF FE 01 01 00 16 3E 6F A7 E2              ........>o..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:10.496117 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD  
len:0x4E
fd00:0141:0064:0001:0000:0000:0000:affe ->  
fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0  
IpLen:40 DgmLen:64
40 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  @......A.d......
00 00 AF FE                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

*** Caught Int-Signal
Run time prior to being shutdown was 11.444640 seconds
===============================================================================
Packet Wire Totals:
    Received:            3
    Analyzed:            6 (200.000%)
     Dropped:            0 (0.000%)
Outstanding: 18446744073709551613 (614891469123651633152.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
       ETH: 6          (100.000%)
   ETHdisc: 0          (0.000%)
      VLAN: 0          (0.000%)
      IPV6: 6          (100.000%)
   IP6 EXT: 7          (116.667%)
   IP6opts: 1          (16.667%)
   IP6disc: 0          (0.000%)
       IP4: 0          (0.000%)
   IP4disc: 0          (0.000%)
     TCP 6: 0          (0.000%)
     UDP 6: 0          (0.000%)
     ICMP6: 6          (100.000%)
   ICMP-IP: 1          (16.667%)
       TCP: 0          (0.000%)
       UDP: 0          (0.000%)
      ICMP: 0          (0.000%)
   TCPdisc: 0          (0.000%)
   UDPdisc: 0          (0.000%)
   ICMPdis: 0          (0.000%)
      FRAG: 0          (0.000%)
    FRAG 6: 0          (0.000%)
       ARP: 0          (0.000%)
     EAPOL: 0          (0.000%)
   ETHLOOP: 0          (0.000%)
       IPX: 0          (0.000%)
     OTHER: 0          (0.000%)
   DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
    S5 G 1: 0          (0.000%)
    S5 G 2: 0          (0.000%)
     Total: 6
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.



------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


Current thread: