Re: EXPERIMENTAL IPv6 decoder available in Snort

From: mb_lima (mb_lima@uol.com.br)
Date: 12/27/02

    Date: Fri, 27 Dec 2002 16:14:35 -0200
    From: "mb_lima" <mb_lima@uol.com.br>
    To: mb_lima@uol.com.br
    
    

    Sorry, I would want to say "tunnel Ipv4 in Ipv6" in my first
    affirmation :-).

    >
    >
    > Hi folks,
    >
    > I think that there are few reasons to tunnel Ipv6 in Ipv4
    > packets. Tunneling is one of the many alternatives to
    > implement transition to Ipv6 networks. It is used basically
    > to provide communication between Ipv6 islands through IPv4
    > infrastructure.
    > Regards,
    >
    > Marcelo.
    >
    > > Nope, Lance's issue (the honeynet project's, actually) was IPv6
    > > tunneled over IPv4. I used packet captures from the compromised
    > > honeypot as my test data, so I'm pretty sure about that one. I don't
    > > think there's an option to tunnel v4 over v6, at least not that I was
    > > able to find in in.h.
    > >
    > > -Marty
    > >
    > >
    > > On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:
    > >
    > > > "This decoder is implemented to test Snort's
    > > > capability to analyze IPv6 and IPv6 tunneled over IPv4."
    > > >
    > > >
    > > > Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
    > > > inside an IPv6 tunnel) I thought that was Lance's issue. I might be
    > > > mistaken here. In any case, thanks Marty. We love you ;)
    > > >
    > > > Cheers, merry Christmas and happy new year.
    > > >
    > > > Greg van der Gaast
    > > > Guy with clue @ Ordina Public West NL
    > > > (Frustrating times)
    > > >
    > > > -----Original message-----
    > > > From: Martin Roesch [mailto:roesch@sourcefire.com]
    > > > Sent: Saturday, December 21, 2002 2:45 AM
    > > > To: focus-ids@securityfocus.com
    > > > Subject: EXPERIMENTAL IPv6 decoder available in Snort
    > > >
    > > > Hi everyone,
    > > > Following up Lance's message regarding the usage of IPv6 tunneling
    > > > on a honeynet, I'd like to announce the availability of an
    > > > *experimental* version of Snort with an IPv6 decoder. This decoder is
    > > > implemented to test Snort's capability to analyze IPv6 and IPv6
    > > > tunneled over IPv4. Currently it consists of a decoder and printing
    > > > module only, so if you want to test it and see the v6 output, just
    > > > run 'snort -dv'.
    > > >
    > > > If people would like to test the code out and see if it's working
    > > > properly, it can be downloaded and tested at:
    > > >
    > > > http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz
    > > >
    > > > This code currently doesn't have any components integrated into the
    > > > detection engine, so you can't tell Snort to look at IPv6 addresses or
    > > > header fields using the rules language yet. It is capable of looking
    > > > for standard embedded protocol headers and payloads in IPv6 tunneled
    > > > over IPv4.
    > > >
    > > > If people would like to test this code out, I'm primarily interested in
    > > > seeing if the code is stable and capable of decoding all v6 traffic
    > > > without any memory leaks or crashes. Unfortunately, my ability to
    > > > generate v6 traffic for testing purposes is extremely limited right
    > > > now, so I'm depending on people with access to the right kind of
    > > > networks to help out!
    > > >
    > > > Once I'm happy with the decoder, I'll integrate IPv6 support into the
    > > > detection engine!
    > > >
    > > > -Marty
    > > >
    > > > --
    > > > Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    > > > Sourcefire: Professional Snort Sensor and Management Console appliances
    > > > roesch@sourcefire.com - http://www.sourcefire.com
    > > > Snort: Open Source Network IDS - http://www.snort.org
    > > >
    > >
    > >
    >
    >
    > ---
    > UOL, the best of the Internet
    > http://www.uol.com.br/
    >
    >

     

    ---
    UOL, the best of the Internet
    http://www.uol.com.br/
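
The case discussed in this thread, an IPv6 packet carried as the payload of an IPv4 packet (IPv4 protocol number 41), decoded with length checks at each layer. This is an added example, not code from Snort or from any poster in the thread; the struct, the function name and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define PROTO_V6_IN_V4 41   /* IPv4 protocol number for encapsulated IPv6 */

struct tunneled_v6 {        /* fields of the inner IPv6 header (hypothetical type) */
    uint16_t payload_len;
    uint8_t  next_header, hop_limit;
    uint8_t  src[16], dst[16];
};

/* Constructed sample: IPv4 192.0.2.1 -> 198.51.100.2 carrying an IPv6 packet
 * 2001:db8::1 -> 2001:db8::2 with 8 bytes of ICMPv6 (next header 58). */
static const uint8_t SAMPLE[68] = {
    0x45,0,0,0x44, 0,0,0,0, 0x40,0x29,0,0, 192,0,2,1, 198,51,100,2,
    0x60,0,0,0, 0,8,0x3a,0x40,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,
    0x80,0,0,0,0,1,0,1
};

/* Returns 0 on success, -1 if pkt is not IPv6-in-IPv4 or is truncated. */
int decode_v6_in_v4(const uint8_t *pkt, size_t len, struct tunneled_v6 *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                            /* not IPv4, or too short */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4; /* outer header length */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len || pkt[9] != PROTO_V6_IN_V4)
        return -1;                            /* bad lengths, or payload not IPv6 */
    const uint8_t *v6 = pkt + ihl;
    size_t v6len = total - ihl;
    if (v6len < 40 || (v6[0] >> 4) != 6)
        return -1;                            /* no room for a fixed IPv6 header */
    out->payload_len = (uint16_t)((v6[4] << 8) | v6[5]);
    if ((size_t)out->payload_len > v6len - 40)
        return -1;                            /* inner length exceeds outer packet */
    out->next_header = v6[6];
    out->hop_limit = v6[7];
    memcpy(out->src, v6 + 8, 16);
    memcpy(out->dst, v6 + 24, 16);
    return 0;
}

int main(void)
{
    struct tunneled_v6 t;
    return decode_v6_in_v4(SAMPLE, sizeof SAMPLE, &t) == 0 ? 0 : 1;
}
```

The outer IPv4 checksum and any IPv6 extension headers are not examined here; `next_header` is simply the value from the fixed 40-byte IPv6 header.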
    

