Re: EXPERIMENTAL IPv6 decoder available in Snort

From: Martin Roesch (roesch@sourcefire.com)
Date: 12/27/02

    Date: Fri, 27 Dec 2002 08:38:14 -0500
    To: "Greg van der Gaast" <greg.van.der.gaast@ordina.nl>
    From: Martin Roesch <roesch@sourcefire.com>
    
    

    Nope, Lance's issue (the honeynet project's, actually) was IPv6
    tunneled over IPv4. I used packet captures from the compromised
    honeypot as my test data, so I'm pretty sure about that one. I don't
    think there's an option to tunnel v4 over v6, at least not that I was
    able to find in in.h.

          -Marty

    On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:

    > "This decoder is implemented to test Snort's
    > capability to analyze IPv6 and IPv6 tunneled over IPv4."
    >
    >
    > Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
    > inside an IPv6 tunnel) I thought that was Lance's issue. I might be
    > mistaken here. In any case, thanks Marty. We love you ;)
    >
    > Cheers, merry Christmas and happy new year.
    >
    > Greg van der Gaast
    > Guy with clue @ Ordina Public West NL
    > (Frustrating times)
    >
    > -----Original Message-----
    > From: Martin Roesch [mailto:roesch@sourcefire.com]
    > Sent: Saturday, December 21, 2002 2:45 AM
    > To: focus-ids@securityfocus.com
    > Subject: EXPERIMENTAL IPv6 decoder available in Snort
    >
    > Hi everyone,
    > Following up Lance's message regarding the usage of IPv6 tunneling on a
    > honeynet, I'd like to announce the availability of an *experimental*
    > version of Snort with an IPv6 decoder. This decoder is implemented to test
    > Snort's capability to analyze IPv6 and IPv6 tunneled over IPv4. Currently it
    > consists of a decoder and printing module only, so if you want to test it
    > and see the v6 output, just run 'snort -dv'.
    >
    > If people would like to test the code out and see if it's working
    > properly, it can be downloaded and tested at:
    >
    > http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz
    >
    > This code currently doesn't have any components integrated into the
    > detection engine, so you can't tell Snort to look at IPv6 addresses or
    > header fields using the rules language yet. It is capable of looking for
    > standard embedded protocol headers and payloads in IPv6 tunneled over IPv4.
    >
    > If people would like to test this code out, I'm primarily interested in
    > seeing if the code is stable and capable of decoding all v6 traffic
    > without any memory leaks or crashes. Unfortunately, my ability to generate
    > v6 traffic for testing purposes is extremely limited right now, so I'm
    > depending on people with access to the right kind of networks to help out!
    >
    > Once I'm happy with the decoder, I'll integrate IPv6 support into the
    > detection engine!
    >
    > -Marty
    >
    > --
    > Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    > Sourcefire: Professional Snort Sensor and Management Console appliances
    > roesch@sourcefire.com - http://www.sourcefire.com
    > Snort: Open Source Network IDS - http://www.snort.org
    >
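
The tunnel peeling the announcement describes, as an added example that is not Snort's decoder: an IPv4 packet whose Protocol field is 41 carries a complete IPv6 packet, and the decoder has to validate the inner fixed header before the embedded transport header (the thing detection rules would match on) is visible. The 80-byte packet below is constructed for the demonstration.

```c
/* Minimal decoder for IPv6 tunneled over IPv4 (IPv4 protocol 41, "6in4").
 * Added example, not Snort's code; the sample packet bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROTO_IPV6_IN_IPV4 41        /* IANA protocol number for 6in4 tunnels */

struct decoded {
    int      outer_proto;            /* IPv4 Protocol field */
    int      inner_next;             /* IPv6 Next Header of the tunneled packet */
    unsigned inner_plen;             /* IPv6 Payload Length */
    unsigned src_port, dst_port;     /* from the inner TCP/UDP header, if any */
};

static unsigned be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Returns 0 on success; a negative code says why decoding stopped. */
int decode_6in4(const uint8_t *pkt, size_t len, struct decoded *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 40) return -1;              /* bad IHL or truncated */
    out->outer_proto = pkt[9];
    if (out->outer_proto != PROTO_IPV6_IN_IPV4) return -2;  /* not a 6in4 tunnel */
    const uint8_t *v6 = pkt + ihl;                          /* inner IPv6 header */
    if ((v6[0] >> 4) != 6) return -3;                       /* inner is not IPv6 */
    out->inner_plen = be16(v6 + 4);
    out->inner_next = v6[6];
    if (out->inner_plen > len - ihl - 40) return -4;        /* inner payload truncated */
    if ((out->inner_next == 6 || out->inner_next == 17) && out->inner_plen >= 4) {
        out->src_port = be16(v6 + 40);                      /* TCP/UDP ports follow */
        out->dst_port = be16(v6 + 42);                      /* the 40-byte IPv6 header */
    }
    return 0;
}

/* Constructed packet: IPv4 (proto 41) / IPv6 (next header 6) / TCP SYN to port 22. */
static const uint8_t SAMPLE[] = {
    0x45,0x00,0x00,0x50, 0x00,0x01,0x00,0x00, 0x40,0x29,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,                 /* 192.168.1.10 -> .20 */
    0x60,0x00,0x00,0x00, 0x00,0x14,0x06,0x40,                 /* plen 20, TCP, hop 64 */
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,        /* 2001:db8::1 */
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x02,        /* 2001:db8::2 */
    0x04,0x00,0x00,0x16, 0,0,0,0x01, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0
};

struct decoded sample_result;
int run_sample(void) { return decode_6in4(SAMPLE, sizeof SAMPLE, &sample_result); }
```

Passing a shortened length (for example 60 bytes) makes the decoder return -4 rather than read past the buffer, which is the kind of truncation case the announcement asks testers to exercise for crashes.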


