Snort mailing list archives
Re: IPv6 rule options syntax
From: Martin Schütte <lists () mschuette name>
Date: Wed, 04 May 2011 13:33:29 +0200
On 05/04/11 07:30, 김무성 wrote:
> Are there any options for IPv6 which are already created or will be created?
> Example) IPv6 Hop Limit -> HL:50;
> Example) ICMPv6 type -> itype6:134
There are no IPv6 specific options (yet?).
But nearly all fields are mapped to their IPv4 counterparts, so your
examples are expressed with the rules:
alert icmp any any -> any any \
    (msg:"IPv6 ICMP Router Advertisement"; itype:134; \
    classtype:icmp-event; sid:2000001; rev:1;)

alert ip any any -> any any \
    (msg:"TTL or Hop Limit = 50"; ttl:50; \
    classtype:attempted-recon; sid:2000002; rev:1;)
BTW, I am currently writing an IPv6 preprocessor to detect more issues
and to track autoconfiguration. It is not released yet, but feel free to
contact me off list.
--
Martin Schütte
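An added illustration, not part of the original post and not Snort's own code: the two IPv6 fields that the `ttl` and `itype` options in the rules above are compared against, read from constructed packet bytes. The function names are hypothetical, and the extension-header walk is an assumption about how the ICMPv6 header is located, not a description of Snort's decoder.

```python
import struct

EXT_HEADERS = {0, 43, 60}   # hop-by-hop, routing, destination options
ICMPV6 = 58                 # IPv6 Next Header value for ICMPv6

def ipv6_fields(pkt: bytes):
    """Return (hop_limit, icmpv6_type or None) for a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, hop_limit = pkt[6], pkt[7]      # fixed-header bytes 6 and 7
    off = 40
    while next_hdr in EXT_HEADERS:            # skip chained extension headers
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_hdr, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        off += hdr_len
    if next_hdr == ICMPV6 and off < len(pkt):
        return hop_limit, pkt[off]            # first ICMPv6 byte is the type
    return hop_limit, None

def matches(pkt: bytes, ttl=None, itype=None) -> bool:
    """Evaluate ttl:/itype: style conditions against an IPv6 packet."""
    hop_limit, icmp_type = ipv6_fields(pkt)
    if ttl is not None and hop_limit != ttl:
        return False
    if itype is not None and icmp_type != itype:
        return False
    return True

def build_ipv6(hop_limit: int, next_hdr: int, payload: bytes) -> bytes:
    """Constructed sample packet from fe80::1 to ff02::1."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return hdr + src + dst + payload

# Constructed Router Advertisement (type 134); checksum left at 0 for brevity.
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
HBH = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])    # hop-by-hop header with PadN
RA_PLAIN = build_ipv6(255, ICMPV6, RA)        # hop limit 255, no extensions
RA_EXT = build_ipv6(50, 0, HBH + RA)          # hop limit 50, one extension

if __name__ == "__main__":
    for name, pkt in (("RA_PLAIN", RA_PLAIN), ("RA_EXT", RA_EXT)):
        print(name, ipv6_fields(pkt),
              "itype:134 ->", matches(pkt, itype=134),
              "ttl:50 ->", matches(pkt, ttl=50))
```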
