[Snort-devel] Problem capturing packets with IPv6 routing header

Joel Esler jesler at ...402...
Wed Apr 28 17:31:41 EDT 2010


Do you have an actual pcap you can submit that contains this traffic?

J

On Wed, Apr 28, 2010 at 5:04 PM, <scheffler at ...19...> wrote:

> Hi,
>
> I am currently trying to find out if it is possible to write a rule
> that can detect IPv6 Routing Headers of Type 0 (I tested this with an
> ICMPv6 Echo Request with an additional routing header).
>
> In order to determine if I can use content rules for the detection of
> the type of the routing headers, I let Snort run in packet dump mode.
> Here I noticed some peculiar behaviour:
>
> 1. If the packet has a Routing Header present, no output is produced
> for the ICMP Echo Request packet (look at 04/28-20:49:05.583031 in the
> attached dump).
>
> 2. The following packet shows a whole IPv6 packet, including the full
> IPv6 header (04/28-20:49:05.585397)!
> The event marks the receipt of the ICMP Response. However, this dump
> does not show the response packet; instead it is the full packet content
> from the 04/28-20:49:05.583031 ICMP event.
>
> So it seems something is broken in the packet decoding if an
> IPv6 Routing Header is present.
>
> Could somebody please look into this problem?
>
> Best regards,
> Thomas
>
>
>
> snort -dev -i eth1
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Network Interface eth1
> Decoding Ethernet on interface eth1
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.5.3 IPv6 (Build 124)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>            Using PCRE version: 6.6 06-Feb-2006
>
> Not Using PCAP_FRAMES
> 04/28-20:49:05.548799 0:1E:58:DF:D2:48 -> 33:33:FF:6F:A7:E2
> type:0x86DD len:0x56
> fd00:0141:0064:0001:0000:0000:0000:affe ->
> ff02:0000:0000:0000:0000:0001:ff6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
> 00 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  .......A.d....>.
> FE 6F A7 E2 01 01 00 1E 58 DF D2 48              .o......X..H
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:05.552768 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD
> len:0x56
> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 ->
> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
> 60 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  `......A.d....>.
> FE 6F A7 E2 02 01 00 16 3E 6F A7 E2              .o......>o..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:05.583031 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD
> len:0x56
> fd00:0141:0064:0001:0000:0000:0000:affe ->
> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:64 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:05.585397 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD
> len:0x86
> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 ->
> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:64 TOS:0x0 ID:0
> IpLen:40 DgmLen:120
> 60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01  `.... + at ...A.d..
> 00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01  ...........A.d..
> 02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00  ..>..o..:.......
> FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2  ...A.d....>..o..
> 80 00 EB 08 00 00 00 00                          ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:10.496075 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD
> len:0x56
> fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 ->
> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
> 00 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  .......A.d......
> 00 00 AF FE 01 01 00 16 3E 6F A7 E2              ........>o..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:10.496117 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD
> len:0x4E
> fd00:0141:0064:0001:0000:0000:0000:affe ->
> fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:64
> 40 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  @......A.d......
> 00 00 AF FE                                      ....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> *** Caught Int-Signal
> Run time prior to being shutdown was 11.444640 seconds
>
> ===============================================================================
> Packet Wire Totals:
>    Received:            3
>    Analyzed:            6 (200.000%)
>     Dropped:            0 (0.000%)
> Outstanding: 18446744073709551613 (614891469123651633152.000%)
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>       ETH: 6          (100.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 6          (100.000%)
>   IP6 EXT: 7          (116.667%)
>   IP6opts: 1          (16.667%)
>   IP6disc: 0          (0.000%)
>       IP4: 0          (0.000%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 6          (100.000%)
>   ICMP-IP: 1          (16.667%)
>       TCP: 0          (0.000%)
>       UDP: 0          (0.000%)
>      ICMP: 0          (0.000%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 0          (0.000%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 0          (0.000%)
>     Total: 6
>
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
>
> ===============================================================================
> Snort exiting
>
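The 72 bytes Snort printed under the 04/28-20:49:05.585397 event can be decoded directly. As an added example (not from the thread, from Snort or from its authors), this Python script walks the IPv6 extension-header chain of that dump using only the standard library and reports the Type 0 routing header and its address list, which is what a rule writer or a decoder test would need to see.

```python
import struct
from ipaddress import IPv6Address

# Constructed from the thread: the 72 bytes Snort printed under the 04/28-20:49:05.585397
# event (40-byte IPv6 header + 24-byte routing header + 8-byte ICMPv6 echo request).
PAGE_DUMP_HEX = (
    "60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01"
    " 00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01"
    " 02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00"
    " FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2"
    " 80 00 EB 08 00 00 00 00"
)
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
# Hdr Ext Len is in 8-octet units excluding the first 8; Fragment is a fixed 8 bytes; AH (51) is not handled.
VARIABLE_EXT = {HOPOPTS, ROUTING, DSTOPTS}

def parse_ipv6(pkt: bytes) -> dict:
    # Walk the extension-header chain and report any Type 0 routing header.
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt, hlim = struct.unpack_from("!HBB", pkt, 4)
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("truncated: payload length exceeds captured bytes")
    info = {"src": str(IPv6Address(pkt[8:24])), "dst": str(IPv6Address(pkt[24:40])),
            "payload_len": payload_len, "hop_limit": hlim,
            "ext_headers": [], "routing_type0": None}
    off = 40
    while nxt in VARIABLE_EXT or nxt == FRAGMENT:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        length = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + length > end:
            raise ValueError("extension header overruns payload")
        info["ext_headers"].append(nxt)
        if nxt == ROUTING and pkt[off + 2] == 0:  # Routing Type 0, deprecated by RFC 5095
            addrs = pkt[off + 8:off + length]  # address list follows the 4 reserved bytes
            info["routing_type0"] = {
                "segments_left": pkt[off + 3],
                "addresses": [str(IPv6Address(addrs[i:i + 16])) for i in range(0, len(addrs), 16)],
            }
        nxt, off = pkt[off], off + length  # Next Header byte of this header, then advance
    info["upper"], info["upper_offset"] = nxt, off
    if nxt == ICMPV6 and off < end:
        info["icmp6_type"] = pkt[off]  # 128 = echo request
    return info

def parse_page_dump() -> dict:
    return parse_ipv6(bytes.fromhex(PAGE_DUMP_HEX))
```

A 40-byte IPv6 header plus an 8-byte ICMPv6 header plus these 72 bytes add up to the DgmLen of 120 that Snort reported for the event this dump was printed under.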