EXPERIMENTAL IPv6 decoder available in Snort

From: Martin Roesch (roesch@sourcefire.com)
Date: 12/21/02

  • Next message: roy lo: "Re: IPv6"
    Date: Fri, 20 Dec 2002 20:45:13 -0500
    From: Martin Roesch <roesch@sourcefire.com>
    To: focus-ids@securityfocus.com

    Hi everyone,
         Following up Lance's message regarding the usage of IPv6 tunneling on a
    honeynet, I'd like to announce the availability of an *experimental* version
    of Snort with an IPv6 decoder. This decoder is implemented to test Snort's
    capability to analyze IPv6 and IPv6 tunneled over IPv4. Currently it
    consists of a decoder and printing module only, so if you want to test it
    and see the v6 output, just run 'snort -dv'.

    If people would like to test the code out and see if it's working properly,
    it can be downloaded and tested at:


    This code currently doesn't have any components integrated into the
    detection engine, so you can't tell Snort to look at IPv6 addresses or
    header fields using the rules language yet. It is capable of looking for
    standard embedded protocol headers and payloads in IPv6 tunneled over IPv4.

    If people would like to test this code out, I'm primarily interested in
    seeing if the code is stable and capable of decoding all v6 traffic without
    any memory leaks or crashes. Unfortunately, my ability to generate v6
    traffic for testing purposes is extremely limited right now, so I'm
    depending on people with access to the right kind of networks to help out!

    Once I'm happy with the decoder, I'll integrate IPv6 support into the
    detection engine!


    Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    Sourcefire: Professional Snort Sensor and Management Console appliances
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org