Re: EXPERIMENTAL IPv6 decoder available in Snort

From: Martin Roesch (roesch@sourcefire.com)
Date: 12/27/02

    Date: Fri, 27 Dec 2002 08:38:14 -0500
    To: "Greg van der Gaast" <greg.van.der.gaast@ordina.nl>
    From: Martin Roesch <roesch@sourcefire.com>
    
    

    Nope, Lance's issue (the honeynet project's, actually) was IPv6
    tunneled over IPv4. I used packet captures from the compromised
    honeypot as my test data, so I'm pretty sure about that one. I don't
    think there's an option to tunnel v4 over v6, at least not that I was
    able to find in in.h.

          -Marty

    On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:

    > "This decoder is implemented to test Snort's
    > capability to analyze IPv6 and IPv6 tunneled over IPv4."
    >
    >
    > Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
    > inside an IPv6 tunnel) I thought that was Lance's issue. I might be
    > mistaken here. In any case, thanks Marty. We love you ;)
    >
    > Cheers, merry Christmas and happy new year.
    >
    > Greg van der Gaast
    > Guy with clue @ Ordina Public West NL
    > (Frustrating times)
    >
    > -----Original Message-----
    > From: Martin Roesch [mailto:roesch@sourcefire.com]
    > Sent: Saturday, December 21, 2002 2:45 AM
    > To: focus-ids@securityfocus.com
    > Subject: EXPERIMENTAL IPv6 decoder available in Snort
    >
    > Hi everyone,
    > Following up Lance's message regarding the usage of IPv6 tunneling on a
    > honeynet, I'd like to announce the availability of an *experimental*
    > version of Snort with an IPv6 decoder. This decoder is implemented to test
    > Snort's capability to analyze IPv6 and IPv6 tunneled over IPv4. Currently
    > it consists of a decoder and printing module only, so if you want to test
    > it and see the v6 output, just run 'snort -dv'.
    >
    > If people would like to test the code out and see if it's working
    > properly, it can be downloaded and tested at:
    >
    > http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz
    >
    > This code currently doesn't have any components integrated into the
    > detection engine, so you can't tell Snort to look at IPv6 addresses or
    > header fields using the rules language yet. It is capable of looking for
    > standard embedded protocol headers and payloads in IPv6 tunneled over
    > IPv4.
    >
    > If people would like to test this code out, I'm primarily interested in
    > seeing if the code is stable and capable of decoding all v6 traffic
    > without any memory leaks or crashes. Unfortunately, my ability to generate
    > v6 traffic for testing purposes is extremely limited right now, so I'm
    > depending on people with access to the right kind of networks to help
    > out!
    >
    > Once I'm happy with the decoder, I'll integrate IPv6 support into the
    > detection engine!
    >
    > -Marty
    >
    > --
    > Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    > Sourcefire: Professional Snort Sensor and Management Console appliances
    > roesch@sourcefire.com - http://www.sourcefire.com
    > Snort: Open Source Network IDS - http://www.snort.org
    >
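
The announcement quoted above describes a decoder that recognises IPv6 tunneled over IPv4 and locates the embedded transport header, and asks testers to watch for crashes on unexpected input. The following is an added illustration of that decoding step, written for this page; it is not code from Snort or from the tarball Marty linked. It assumes the 6in4 encapsulation (IPv4 protocol number 41 carrying a bare IPv6 header) and uses a constructed sample packet; the `struct tun6` and `decode_6in4` names are mine, not Snort's. Every read is bounds-checked against the captured length, which is the property the announcement asks testers to exercise.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded view of one IPv4 packet carrying 6in4 (IP protocol 41). Hypothetical type. */
struct tun6 {
    uint32_t outer_src, outer_dst;      /* IPv4 addresses, host byte order */
    uint8_t  inner_src[16], inner_dst[16];
    uint8_t  inner_proto;               /* next header after the extension chain */
    size_t   l4_off;                    /* offset of transport header from packet start */
    uint8_t  hop_limit;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, a negative code otherwise. Never reads beyond len bytes. */
int decode_6in4(const uint8_t *pkt, size_t len, struct tun6 *out)
{
    if (len < 20) return -1;
    if ((pkt[0] >> 4) != 4) return -2;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len) return -3;
    size_t tot = rd16(pkt + 2);
    if (tot < ihl || tot > len) return -4;   /* header claims more than was captured */
    if (pkt[9] != 41) return -5;             /* not IPv6-in-IPv4 */
    out->outer_src = rd32(pkt + 12);
    out->outer_dst = rd32(pkt + 16);

    const uint8_t *v6 = pkt + ihl;
    size_t v6len = tot - ihl;
    if (v6len < 40) return -6;
    if ((v6[0] >> 4) != 6) return -7;
    size_t plen = rd16(v6 + 4);
    if (plen > v6len - 40) return -8;        /* IPv6 payload length exceeds what is present */
    memcpy(out->inner_src, v6 + 8, 16);
    memcpy(out->inner_dst, v6 + 24, 16);
    out->hop_limit = v6[7];

    /* Walk the extension-header chain with a hop cap so a long or looping chain
     * cannot spin the decoder. AH/ESP and unknown values are reported as-is. */
    uint8_t nh = v6[6];
    size_t off = 40, end = 40 + plen;
    for (int hops = 0; hops < 8; hops++) {
        size_t hlen;
        switch (nh) {
        case 0: case 43: case 60:            /* hop-by-hop, routing, destination options */
            if (off + 8 > end) return -9;
            hlen = ((size_t)v6[off + 1] + 1) * 8;   /* ext len is in 8-octet units, excluding first */
            break;
        case 44:                              /* fragment header: fixed 8 bytes */
            if (off + 8 > end) return -9;
            hlen = 8;
            break;
        default:                              /* transport (6, 17, 58, ...) or 59 = no next header */
            out->inner_proto = nh;
            out->l4_off = ihl + off;
            return 0;
        }
        if (off + hlen > end) return -10;     /* extension header runs past the payload */
        nh = v6[off];
        off += hlen;
    }
    return -11;                               /* too many extension headers */
}

/* Constructed sample: IPv4 192.0.2.1 -> 198.51.100.2, proto 41, carrying
 * IPv6 2001:db8::1 -> 2001:db8::2 with a hop-by-hop header, then a TCP SYN to port 80. */
const uint8_t sample_6in4[88] = {
    0x45,0x00,0x00,0x58, 0x12,0x34,0x40,0x00, 0x40,0x29,0x00,0x00, 0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02,
    0x60,0x00,0x00,0x00, 0x00,0x1c,0x00,0x40,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x02,
    0x06,0x00,0x01,0x04, 0x00,0x00,0x00,0x00,          /* hop-by-hop: next=TCP, PadN */
    0x04,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};

int main(void)
{
    struct tun6 t;
    int rc = decode_6in4(sample_6in4, sizeof sample_6in4, &t);
    if (rc != 0) { printf("decode failed: %d\n", rc); return 1; }
    printf("outer %u.%u.%u.%u -> %u.%u.%u.%u, inner next-header %u, transport at offset %zu\n",
           t.outer_src >> 24, (t.outer_src >> 16) & 0xff, (t.outer_src >> 8) & 0xff, t.outer_src & 0xff,
           t.outer_dst >> 24, (t.outer_dst >> 16) & 0xff, (t.outer_dst >> 8) & 0xff, t.outer_dst & 0xff,
           t.inner_proto, t.l4_off);
    return 0;
}
```

The negative return codes distinguish "not a tunnel" (-5) from "tunnel but malformed" (-4, -8, -9, -10); a sensor would want to count the latter separately, since a truncated or over-long extension chain is exactly the kind of input that crashes an unchecked decoder.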