Re: Automatically decoding of Teredo traffic

[Joel Esler <jesler () sourcefire com>]

Just to follow up, someone took a look at this and we think this is a bug.  We've put it into the system and I'll 
follow up when we get a release date.

J

On Apr 2, 2013, at 1:56 PM, Joel Esler <jesler () sourcefire com> wrote:

> I've looked into this and have bounced it to another person to take a look.  Let me ping.
>
>
> On Apr 2, 2013, at 12:10 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
>
> > Hello.  I am thinking maybe I should ask Snort-Sigs this question or maybe a 'nother list?
> >
> > Thanks.
> >
> > -Lord C.
> >
> >
> > On Fri, Mar 29, 2013 at 8:35 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
> > Thanks Joel for looking it to this.  I am eagerly await the results and the expert(s) determination of this.  Most 
> > of the times I am wrong about a configuration or process so hopefully my error can be make clear or you can let me 
> > know if there is a *real* problem.
> >
> > I apologize in advance if this is an error on my end but secretly hope it is not the case :)
> >
> > -Lord C.
> >
> >
> > On Tue, Mar 26, 2013 at 4:52 PM, Joel Esler <jesler () sourcefire com> wrote:
> > Let me take a look at this tomorrow.
> >
> > On Mar 26, 2013, at 3:56 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
> >
> > > Hello.  Were anyone able to see the problem that I am having?  Thanks.
> > >
> > > Cheers,
> > >
> > > -Lord C.
> > >
> > > On Wed, Mar 20, 2013 at 11:07 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
> > > Hello.  Joel, please refer to the pcap file from 
> > > http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap, packet 31.  I tried this 
> > > rule: 
> > >
> > > alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|"; offset:8; depth:1; sid:135792468;)
> > >
> > > I do not see an alert!  Did I write the rule wrong?  Is not 0x60 at offset 8 in the true IPv4 payload?
> > >
> > > Thanks.
> > >
> > > -Lord C.
> > >
> > >
> > > On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler () sourcefire com> wrote:
> > > Do you have a pcap you can send us off list?
> > >
> > >
> > > On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
> > >
> > > > Hello.  Thanks for the responce Russ.  Using '-A cmg' I see the full packet displayed.  However, it seems 2 me 
> > > > that Snort 2.9 compiled with IPv6 is detecting the encapsulation and not populating the matching buffers as one 
> > > > would expects.  I don't have the same experience as Yun but also I am not able to detect on the actual payload 
> > > > like I needs to - the actual IPv4 payload is what I want to match on with the Snort rules ("content", etc.) and 
> > > > because the payload is IPv6 and the snort is compiled with IPv6 support, the engine seems to mange the packet so 
> > > > that I cannot detect on actual payload but may have to guess what the engine is doing and detect on the modified 
> > > > data?  The snort binary is compiled with the IPv6 support and I tried to modify configs like comment out 
> > > > 'preprocessor normalize_ip6' but I still get packet mangle for the sensor detection engine and I do not know how 
> > > > to tell it not to do this.
> > > >
> > > > Thank you for the help.
> > > >
> > > > Cheers,
> > > >
> > > > -Lord C.
> > > >
> > > > On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs () sourcefire com> wrote:
> > > > There is no way to turn off teredo at runtime and, as of 2.9.4, there is no way to build without ip6 support, but 
> > > > Snort rules can be written to match on either the inner or outer IP layers.  Furthermore, snort -A cmg will show 
> > > > both layers and unified2 packets have both as well.
> > > >
> > > > As for the example, need to see a pcap.  There should be no need to add the ip6 address, which doesn't really make 
> > > > sense since it is a udp rule (meaning the ip6 header is considered payload assuming something like 
> > > > eth:ip4:udp:ip6:icmp6).
> > > >
> > > > On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
> > > > Hello.  I have not seen an answer to this question and I was thinking the same thing myself.  Would perhaps this 
> > > > be better asked on snort-sigs?  I hate to cross-post so maybe Joel E. you can do the needful with asking who might 
> > > > know this answer?  Thank you.
> > > >
> > > > Cheers,
> > > >
> > > > -Lord C.
> > > >
> > > >
> > > > On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu () gmail com> wrote:
> > > > Hi all,
> > > >
> > > > I have Snort compiled with IPv6 support, and now it seems to
> > > > automatically decode Teredo traffic. This is a nice feature but I want
> > > > to detect Teredo tunnels on my network, but because the packet is
> > > > automatically decoded I cannot detect on the original ipv4 packets
> > > > that created the tunnel.
> > > >
> > > > For example, the following signature works on Snort without ipv6
> > > > support and reports the ipv4 source and dest that created the tunnel:
> > > >
> > > > alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
> > > > Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
> > > > 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
> > > > sid:xxx; rev:1;)
> > > >
> > > > However with Snort and ipv6 support the signature stopped working and
> > > > i had to modify the signature to:
> > > >
> > > > alert udp $EXTERNAL_NET 3544 ->
> > > > [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
> > > > IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
> > > > 00 00 00 00 00 80 00|"; offset:29; depth:10;
> > > > classtype:policy-violation; sid:xxxx; rev:1;)
> > > >
> > > > However it would then report the ipv6 addresses from the decoded
> > > > Teredo traffic instead of the original ipv4 addresses:
> > > >
> > > > [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
> > > > [**] [Classification: Potential Corporate Privacy Violation]
> > > > [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
> > > > fe80:0000:0000:0000:0000:ffff:ffff:ffff
> > > >
> > > > Is there a configuration option that disables the automatic decoding
> > > > of teredo (and 6in4) tunnels? Ofcourse i could compile it without ipv6
> > > > support but i'm looking for a better solution.
> > > > I'm not sure if this is a bug, but I think this actually degrades the
> > > > detection capabilities of Snort because it lost the original ipv4
> > > > addresses.
> > > >
> > > > Regards,
> > > >
> > > > Yun
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Live Security Virtual Conference
> > > > Exclusive live event will cover all the ways today's security and
> > > > threat landscape has changed and how IT managers can respond. Discussions
> > > > will include endpoint security, mobile security and the latest in malware
> > > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Everyone hates slow websites. So do we.
> > > > Make your web apps faster with AppDynamics
> > > > Download AppDynamics Lite for free today:
> > > > http://p.sf.net/sfu/appdyn_d2d_mar
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Everyone hates slow websites. So do we.
> > > > Make your web apps faster with AppDynamics
> > > > Download AppDynamics Lite for free today:
> > > > http://p.sf.net/sfu/appdyn_d2d_mar_______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!