Re: IPv6 rule options syntax

[김무성 <kimms () infosec co kr>]

Let's think tunneled packet.

The packet has two IP. (IPv4 and IPv6)
So there are two value of ttl(HL).
Where field is TTL option matched?
But, if IDS/IPS is on below Router, Maybe there is a IP.

RA packet have a two itype. (icmpv6 type and icmpv6 option type)
One thing is itype:134. This means RA packet.
Other thing is itype:3. This is icmpv6 option's type. This means prefix information.
This will be created a new option. Ex) iopts_type:3



-----Original Message-----
From: Steven Sturges [mailto:ssturges () sourcefire com] 
Sent: Wednesday, May 04, 2011 9:59 PM
To: Martin Schütte
Cc: snort-devel () lists sourceforge net; 김무성
Subject: Re: [Snort-devel] IPv6 rule options syntax

Martin is correct.

Snort does not expose all of the values from the IPv6 extension
headers via rule options, however where there is an IPv4 equivalent,
we do leverage those.

1) Hop limit is akin to the ttl value in the IPv4 header, so you can use 
the ttl rule option for that.

2) For ICMP, Snort handles both IPv4 and IPv6 versions of ICMP the same
way.

Other examples are the fragmentation offset, fragmentation ID, and
traffic class, which map to the offset, id, and tos fields of IPv4.

Cheers.
-steve

On 5/4/11 7:33 AM, Martin Schütte wrote:
> On 05/04/11 07:30, 김무성 wrote:
> > Are there any options for IPv6 which already created or will be created.
> >
> > Example) IPv6 Hop Limit ->  HL:50;
> > Example) ICMPv6 type ->  itype6:134
>
> There are no IPv6 specific options (yet?).
> But nearly all fields are mapped to their IPv4 counterparts, so your
> examples are expressed with the rules:
>
> alert ip icmp any ->  any any                           \
>      (msg:"IPv6 ICMP Router Advertisement"; itype:134;  \
>      classtype:icmp-event; sid:2000001; rev:1;)
> alert ip any any ->  any any                            \
>      (msg:"TTL or Hop Limit = 50"; ttl:50;              \
>      classtype:attempted-recon; sid:2000002; rev:1;)
>
>
> BTW, I am currently writing an IPv6 preprocessor to detect more issues
> and to track autoconfiguration. It is not released yet, but feel free to
> contact me off list.

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel