Re: Snort 2.9 for IPv6

[Russ via Snort-users <snort-users () lists snort org>]

On 2/22/18 6:01 AM, oleg gv wrote:
> I use latest version as on site snort.org <http://snort.org> 
> specified: daq-2.0.6 and snort-2.9.11.1
OK, so --enable-ipv6 became the default in 2011 and was deleted 
altogether a while back.  If you add --enable-option-checking=fatal to 
your configure line it will help flush those out.  Anyway, that is for 
Snort not the DAQ.
> In Daq (even in 2.2.2 version for snort 3.x) there is comment in code:
>
> #if 0
>     // doesn't look like both can be handled simultaneously
>     if ( !strncasecmp(s, "ip*", 3) )
>         return 0x3;
> #endif
>
> So problem still exists - 2 instances of snort if I want to sniff all 
> IP trafic (for 4 and 6 versions of IP).
>
> No other ways?
This came up a long time ago on the list and apparently was never 
resolved.  It looks like nfq_bind_pf is now deprecated (see eg 
https://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__LibrarySetup.html) 
and the NFQ DAQ should updated to support both simultaneously. Snort may 
need a tweak as well to deal with the ambiguous DLT.
> 2018-02-21 21:14 GMT+03:00 Russ via Snort-users 
> <snort-users () lists snort org <mailto:snort-users () lists snort org>>:
>
>     What version of Snort and DAQ are you using?  --enable-ipv6 is
>     kinda old now. If you aren't using the latest I suggest updating. 
>     The DAQ may have been updated to address this issue.
>
>
>     On 2/21/18 9:27 AM, oleg gv via Snort-users wrote:
> >     Daq can not sniff both on V4 and v6. So 2 instanses of snort is
> >     the only way?
> >
> >     2018-02-21 17:17 GMT+03:00 oleg gv <oagvozd () gmail com
> >     <mailto:oagvozd () gmail com>>:
> >
> >         Hello,
> >         I can not see alert on the next rules
> >
> >         alert ip any any --> IPV6_ADDRESS any (...)
> >
> >         alert icmp any any --> IPV6_ADDRESS any (...)
> >
> >         I use ping6 to test it.
> >
> >         Ipv4 test works fine.
> >
> >         Snort is build with --enable-ipv6 and uses ip6tables NFQUEUE.
> >
> >         Other ipv6 tcp/udp alerts also works fine.
> >
> >         Is it possible to detect IPv6 addresses in ip/icmp protocol
> >         rules  ?
> >
> >
> >
> >
> >     _______________________________________________
> >     Snort-users mailing list
> >     Snort-users () lists snort org <mailto:Snort-users () lists snort org>
> >     Go to this URL to change user options or unsubscribe:
> >     https://lists.snort.org/mailman/listinfo/snort-users
> >     <https://lists.snort.org/mailman/listinfo/snort-users>
> >
> >     Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
> >
> >     Please follow these rules:https://snort.org/faq/what-is-the-mailing-list-etiquette
> >     <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
>
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists snort org <mailto:Snort-users () lists snort org>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.snort.org/mailman/listinfo/snort-users
>     <https://lists.snort.org/mailman/listinfo/snort-users>
>
>     Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!
>
>     Please follow these rules:
>     https://snort.org/faq/what-is-the-mailing-list-etiquette
>     <https://snort.org/faq/what-is-the-mailing-list-etiquette>

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette