Snort mailing list archives
Re: Problem capturing packets with IPv6 routing header
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Thu, 29 Apr 2010 09:51:37 -0400
I happen to have a bug filed so that "ICMPv6 Routing Header of Type 0" gets added to the decoder alerts in the next major release.

In the meantime, ICMP headers are handled during the decoding stage. You wouldn't be able to write rules for them, because the "payload" starts after the headers.

Routing headers were overlooked when the ICMPv6 decoder was written, which is why you get no output for that packet. This too will be fixed in the next major release.

-Ryan

On Wed, Apr 28, 2010 at 5:04 PM, <scheffler () cs uni-potsdam de> wrote:
Hi,

I am currently trying to find out if it is possible to write a rule that can detect IPv6 Routing Headers of Type 0 (I tested this with an ICMPv6 Echo Request with an additional routing header). In order to determine if I can use content rules for the detection of the type of the routing headers, I let snort run in packet dump mode. Here I noticed some peculiar behaviour:

1. If the packet has a Routing Header present, no output is produced for the ICMP Echo Request packet (look at 04/28-20:49:05.583031 in the attached dump).

2. The following packet shows a whole IPv6 packet, including the full IPv6 header (04/28-20:49:05.585397)! The event marks the receipt of the ICMP Response. However, this dump does not show the response packet; instead it is the full packet content from the 04/28-20:49:05.583031 ICMP event.

So it seems something is broken in the packet decoding if an IPv6 Routing Header is present. Could somebody please look into this problem?

Best regards,
Thomas

snort -dev -i eth1
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Network Interface eth1
Decoding Ethernet on interface eth1

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 IPv6 (Build 124)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006

Not Using PCAP_FRAMES

04/28-20:49:05.548799 0:1E:58:DF:D2:48 -> 33:33:FF:6F:A7:E2 type:0x86DD len:0x56
fd00:0141:0064:0001:0000:0000:0000:affe -> ff02:0000:0000:0000:0000:0001:ff6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:72
00 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  .......A.d....>.
FE 6F A7 E2 01 01 00 1E 58 DF D2 48              .o......X..H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.552768 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD len:0x56
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 -> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:72
60 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  `......A.d....>.
FE 6F A7 E2 02 01 00 16 3E 6F A7 E2              .o......>o..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.583031 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD len:0x56
fd00:0141:0064:0001:0000:0000:0000:affe -> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:64 TOS:0x0 ID:0 IpLen:40 DgmLen:72

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.585397 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD len:0x86
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 -> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:64 TOS:0x0 ID:0 IpLen:40 DgmLen:120
60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01  `.... +@...A.d..
00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01  ...........A.d..
02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00  ..>..o..:.......
FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2  ...A.d....>..o..
80 00 EB 08 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:10.496075 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD len:0x56
fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 -> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:72
00 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  .......A.d......
00 00 AF FE 01 01 00 16 3E 6F A7 E2              ........>o..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:10.496117 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD len:0x4E
fd00:0141:0064:0001:0000:0000:0000:affe -> fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64
40 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  @......A.d......
00 00 AF FE                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

*** Caught Int-Signal
Run time prior to being shutdown was 11.444640 seconds
===============================================================================
Packet Wire Totals:
   Received:            3
   Analyzed:            6 (200.000%)
    Dropped:            0 (0.000%)
Outstanding: 18446744073709551613 (614891469123651633152.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 6          (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 6          (100.000%)
  IP6 EXT: 7          (116.667%)
  IP6opts: 1          (16.667%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 6          (100.000%)
  ICMP-IP: 1          (16.667%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 6
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
------------------------------------------------------------------------------ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
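As an added example (my own code, not part of this thread or of Snort), the following Python walks the IPv6 extension-header chain the way a decoder must before any content rule can see the payload, and returns an alert line when a type-0 routing header is present. The sample packet is constructed from the hex bytes in the quoted dump for the 04/28-20:49:05.585397 event; the function and constant names are assumptions of mine.

```python
import ipaddress
import struct

# Next-header values that introduce an IPv6 extension header (RFC 2460 / IANA), plus ICMPv6.
HOPOPT, ROUTING, FRAGMENT, AH, DESTOPT, ICMPV6 = 0, 43, 44, 51, 60, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DESTOPT}

# Constructed from the hex bytes printed in the quoted dump for the 04/28-20:49:05.585397
# event: the 72-byte ICMPv6 Echo Request that carries a type-0 routing header.
ECHO_WITH_RH0 = bytes.fromhex(
    "60000000 00202b40 fd000141 00640001 00000000 0000affe"  # base header: nh=43 (Routing), src
    "fd000141 00640001 02163eff fe6fa7e2"                    # dst
    "3a020001 00000000 fd000141 00640001 02163eff fe6fa7e2"  # RH0: nh=58, len=2, type=0, segleft=1, addr
    "8000eb08 00000000"                                      # ICMPv6 Echo Request (type 128)
)

def walk_ext_headers(pkt: bytes) -> dict:
    """Walk the extension-header chain and report where the upper-layer payload starts."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end = min(40 + payload_len, len(pkt))  # stop at the captured bytes on a short capture
    off, chain = 40, []
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        # Fragment is a fixed 8 bytes; AH counts 32-bit words minus 2; the rest count 8-byte units minus 1.
        hdr_len = 8 if nh == FRAGMENT else (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header runs past the payload")
        entry = {"header": nh, "length": hdr_len}
        if nh == ROUTING:
            entry["routing_type"], entry["segments_left"] = pkt[off + 2], pkt[off + 3]
            if entry["routing_type"] == 0:  # RH0 (deprecated by RFC 5095): addresses follow 4 reserved bytes
                entry["addresses"] = [str(ipaddress.IPv6Address(pkt[off + 8 + 16 * i:off + 24 + 16 * i]))
                                      for i in range(ext_len // 2)]
        chain.append(entry)
        off, nh = off + hdr_len, next_nh
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "chain": chain, "upper": nh, "payload_offset": off}

def rh0_alert(pkt: bytes):
    # Alert line for a packet carrying a type-0 routing header, None otherwise.
    info = walk_ext_headers(pkt)
    for h in info["chain"]:
        if h["header"] == ROUTING and h["routing_type"] == 0:
            return (f"IPv6 Routing Header type 0: {info['src']} -> {info['dst']}, "
                    f"segments_left={h['segments_left']}, via {h['addresses']}")
    return None
```

For the dumped packet the walk ends at offset 64, which is where the ICMPv6 Echo Request (type 128) begins; a rule matching on "payload" would only ever see those last 8 bytes, never the routing header itself.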
Current thread:
- Problem capturing packets with IPv6 routing header scheffler (Apr 28)
- Re: Problem capturing packets with IPv6 routing header Joel Esler (Apr 28)
- Re: Problem capturing packets with IPv6 routing header Ryan Jordan (Apr 29)