Re: EXPERIMENTAL IPv6 decoder available in Snort

From: mb_lima (mb_lima@uol.com.br)
Date: 12/27/02

    Date: Fri, 27 Dec 2002 16:14:35 -0200
    From: "mb_lima" <mb_lima@uol.com.br>
    To: mb_lima@uol.com.br
    
    

    Sorry, I wanted to say "tunnel IPv4 in IPv6" in my first
    affirmation :-).

    >
    > Hi folks,
    >
    > I think that there are few reasons to tunnel IPv6 in IPv4
    > packets. Tunneling is one of the many alternatives to
    > implement transition to IPv6 networks. It is used basically
    > to provide communication between IPv6 islands through IPv4
    > infrastructure.
    > Regards,
    >
    > Marcelo.
    >
    > > Nope, Lance's issue (the honeynet project's, actually) was IPv6
    > > tunneled over IPv4. I used packet captures from the compromised
    > > honeypot as my test data, so I'm pretty sure about that one. I don't
    > > think there's an option to tunnel v4 over v6, at least not that I was
    > > able to find in in.h.
    > >
    > > -Marty
    > >
    > >
    > > On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:
    > >
    > > > "This decoder is implemented to test Snort's
    > > > capability to analyze IPv6 and IPv6 tunneled over IPv4."
    > > >
    > > >
    > > > Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
    > > > inside an IPv6 tunnel) I thought that was Lance's issue. I might be
    > > > mistaken here. In any case, thanks Marty. We love you ;)
    > > >
    > > > Cheers, merry Christmas and happy new year.
    > > >
    > > > Greg van der Gaast
    > > > Guy with clue @ Ordina Public West NL
    > > > (Frustrating times)
    > > >
    > > > -----Original message-----
    > > > From: Martin Roesch [mailto:roesch@sourcefire.com]
    > > > Sent: Saturday, December 21, 2002 2:45 AM
    > > > To: focus-ids@securityfocus.com
    > > > Subject: EXPERIMENTAL IPv6 decoder available in Snort
    > > >
    > > > Hi everyone,
    > > > Following up Lance's message regarding the usage of IPv6 tunneling
    > > > on a honeynet, I'd like to announce the availability of an
    > > > *experimental* version of Snort with an IPv6 decoder. This decoder
    > > > is implemented to test Snort's capability to analyze IPv6 and IPv6
    > > > tunneled over IPv4. Currently it consists of a decoder and printing
    > > > module only, so if you want to test it and see the v6 output, just
    > > > run 'snort -dv'.
    > > >
    > > > If people would like to test the code out and see if it's working
    > > > properly, it can be downloaded and tested at:
    > > >
    > > > http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz
    > > >
    > > > This code currently doesn't have any components integrated into the
    > > > detection engine, so you can't tell Snort to look at IPv6 addresses or
    > > > header fields using the rules language yet. It is capable of looking
    > > > for standard embedded protocol headers and payloads in IPv6 tunneled
    > > > over IPv4.
    > > >
    > > > If people would like to test this code out, I'm primarily interested in
    > > > seeing if the code is stable and capable of decoding all v6 traffic
    > > > without any memory leaks or crashes. Unfortunately, my ability to
    > > > generate v6 traffic for testing purposes is extremely limited right
    > > > now, so I'm depending on people with access to the right kind of
    > > > networks to help out!
    > > >
    > > > Once I'm happy with the decoder, I'll integrate IPv6 support into the
    > > > detection engine!
    > > >
    > > > -Marty
    > > >
    > > > --
    > > > Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    > > > Sourcefire: Professional Snort Sensor and Management Console appliances
    > > > roesch@sourcefire.com - http://www.sourcefire.com
    > > > Snort: Open Source Network IDS - http://www.snort.org
    > > >
    > >
    > >
    >
    >

     

    ---
    UOL, the best of the Internet
    http://www.uol.com.br/
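
The "IPv6 tunneled over IPv4" case discussed in this thread, as an added example: a minimal C decoder that recognizes an IPv4 packet with protocol 41 and bounds-checks the inner IPv6 header before reading it. This is not code from Snort or from any poster; the names `inner6`, `decode_6in4` and `sample_6in4` and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PROTO_6IN4 41 /* IPv4 protocol number for encapsulated IPv6 */

struct inner6 {               /* what a sensor learns about the tunneled packet */
    uint8_t next_header;      /* 6 = TCP, 17 = UDP, 58 = ICMPv6 */
    uint8_t src[16], dst[16]; /* inner IPv6 addresses */
    const uint8_t *payload;   /* first byte after the fixed IPv6 header */
    size_t payload_len;
};
/* Returns 1 = decoded 6in4, 0 = not a tunnel packet, -1 = malformed, truncated or fragmented. */
int decode_6in4(const uint8_t *pkt, size_t len, struct inner6 *out)
{
    if (len < 20) return -1;
    if ((pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return -1;
    if (pkt[9] != PROTO_6IN4) return 0;
    if ((pkt[6] & 0x3f) || pkt[7]) return -1;   /* MF flag or fragment offset: reassemble first */
    const uint8_t *in6 = pkt + ihl;
    if (total - ihl < 40 || (in6[0] >> 4) != 6) return -1;
    size_t plen = ((size_t)in6[4] << 8) | in6[5];
    if (plen > total - ihl - 40) return -1;     /* inner length must fit inside the outer packet */
    out->next_header = in6[6];
    memcpy(out->src, in6 + 8, 16);
    memcpy(out->dst, in6 + 24, 16);
    out->payload = in6 + 40;
    out->payload_len = plen;
    return 1;
}

/* Constructed sample: 192.0.2.1 -> 192.0.2.2, protocol 41, carrying an
 * ICMPv6 echo request from 2001:db8::1 to 2001:db8::2 (checksums left zero). */
static const uint8_t sample_6in4[68] = {
    0x45,0x00,0x00,0x44, 0x00,0x01,0x00,0x00, 0x40,0x29,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x60,0x00,0x00,0x00, 0x00,0x08,0x3a,0x40,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x02,
    0x80,0x00,0x00,0x00, 0x00,0x01,0x00,0x01,
};

int main(void)
{
    struct inner6 p;
    return decode_6in4(sample_6in4, sizeof sample_6in4, &p) == 1 ? 0 : 1;
}
```

The `next_header` value may name an IPv6 extension header rather than a transport protocol; this example does not walk extension headers or verify the IPv4 checksum.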