Focus on IDS
EXPERIMENTAL IPv6 decoder available in Snort, Dec 21 2002 01:45AM, Martin Roesch (roesch sourcefire com)
RE: EXPERIMENTAL IPv6 decoder available in Snort, Dec 24 2002 08:10AM, Greg van der Gaast (greg van der gaast ordina nl)
tunneled over IPv4. I used packet captures from the compromised
honeypot as my test data, so I'm pretty sure about that one. I don't
think there's an option to tunnel v4 over v6, at least not that I was
able to find in in.h.
-Marty
On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:
> "This decoder is implemented to test Snort's
> capability to analyze IPv6 and IPv6 tunneled over IPv4."
>
>
> Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
> inside an IPv6 tunnel) I thought that was Lance's issue. I might be
> mistaken here. In any case, thanks Marty. We love you ;)
>
> Cheers, merry Christmas and happy new year.
>
> Greg van der Gaast
> Guy with clue @ Ordina Public West NL
> (Frustrating times)
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch (at) sourcefire (dot) com]
> Sent: Saturday, December 21, 2002 2:45 AM
> To: focus-ids (at) securityfocus (dot) com
> Subject: EXPERIMENTAL IPv6 decoder available in Snort
>
> Hi everyone,
> Following up Lance's message regarding the usage of IPv6 tunneling on a
> honeynet, I'd like to announce the availability of an *experimental* version
> of Snort with an IPv6 decoder. This decoder is implemented to test Snort's
> capability to analyze IPv6 and IPv6 tunneled over IPv4. Currently it
> consists of a decoder and printing module only, so if you want to test it
> and see the v6 output, just run 'snort -dv'.
>
> If people would like to test the code out and see if it's working properly,
> it can be downloaded and tested at:
>
> http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz
>
> This code currently doesn't have any components integrated into the
> detection engine, so you can't tell Snort to look at IPv6 addresses or
> header fields using the rules language yet. It is capable of looking for
> standard embedded protocol headers and payloads in IPv6 tunneled over IPv4.
>
> If people would like to test this code out, I'm primarily interested in
> seeing if the code is stable and capable of decoding all v6 traffic without
> any memory leaks or crashes. Unfortunately, my ability to generate v6
> traffic for testing purposes is extremely limited right now, so I'm
> depending on people with access to the right kind of networks to help out!
>
> Once I'm happy with the decoder, I'll integrate IPv6 support into the
> detection engine!
>
> -Marty
>
> --
> Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch (at) sourcefire (dot) com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
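Added example, not part of the original thread and not Snort's code: a minimal bounds-checked C decoder for the case the announcement describes, IPv6 tunneled over IPv4 (IPv4 protocol 41). The struct, function names and sample packet are constructed for illustration; the code does not verify the IPv4 checksum or walk IPv6 extension headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PROTO_IPV6 41      /* IPv4 protocol number for encapsulated IPv6 */
#define IPV6_HDR_LEN 40    /* fixed IPv6 header size */

/* Hypothetical result type for this example (not Snort's Packet struct). */
struct v6_info {
    uint8_t next_header, hop_limit;
    uint16_t payload_len;          /* IPv6 payload length field */
    uint8_t src[16], dst[16];
    size_t payload_avail;          /* payload bytes actually present */
};

/* Decode the fixed IPv6 header; 0 on success, -1 if truncated or not v6. */
int decode_ipv6(const uint8_t *p, size_t len, struct v6_info *out)
{
    if (len < IPV6_HDR_LEN || (p[0] >> 4) != 6)
        return -1;
    out->payload_len = (uint16_t)((p[4] << 8) | p[5]);
    out->next_header = p[6];
    out->hop_limit = p[7];
    memcpy(out->src, p + 8, 16);
    memcpy(out->dst, p + 24, 16);
    out->payload_avail = len - IPV6_HDR_LEN;
    if (out->payload_avail > out->payload_len)
        out->payload_avail = out->payload_len;   /* drop trailing bytes */
    return 0;
}

/* Returns 1 for IPv6 tunneled over IPv4, 0 for other IPv4 (or a non-first
 * fragment, which carries no inner header), -1 for malformed input. */
int decode_ipv4_tunnel(const uint8_t *p, size_t len, struct v6_info *out)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total < ihl || total > len)
        return -1;                 /* never trust lengths past the capture */
    if (p[9] != PROTO_IPV6 || (((p[6] & 0x1f) << 8) | p[7]) != 0)
        return 0;
    return decode_ipv6(p + ihl, total - ihl, out) == 0 ? 1 : -1;
}

/* Constructed sample: IPv4 (proto 41) carrying a bare IPv6 header (next header 59). */
const uint8_t sample[60] = {
    0x45,0,0,60, 0,0,0,0, 64,41,0,0, 192,0,2,1, 192,0,2,2,
    0x60,0,0,0, 0,0,59,64, 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2 };
```

Truncated captures and inner headers that claim more data than was captured are the inputs most likely to crash a decoder, which is why every length is checked against the bytes actually available before it is used.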