[Snort-devel] Problem capturing packets with IPv6 routing header

Ryan Jordan ryan.jordan at ...402...
Thu Apr 29 09:51:37 EDT 2010


I happen to have a bug filed so that "ICMPv6 Routing Header of Type 0"
gets added to the decoder alerts in the next major release.

In the meantime, ICMP headers are handled during the decoding stage.
You wouldn't be able to write rules for them, because the "payload"
starts after the headers. Routing headers were overlooked when the
ICMPv6 decoder was written, which is why you get no output for that
packet. This too will be fixed in the next major release.

-Ryan

On Wed, Apr 28, 2010 at 5:04 PM, <scheffler at ...19...> wrote:
> Hi,
>
> I am currently trying to find out if it is possible to write a rule
> that can detect IPv6 Routing Headers of Type 0 (I tested this with an
> ICMPv6 Echo Request with an additional routing header).
>
> In order to determine whether I can use content rules for the detection of
> the type of the routing headers, I ran Snort in packet dump mode.
> Here I noticed some peculiar behaviour:
>
> 1. If the packet has a Routing Header present, no output is produced
> for the ICMP Echo Request packet (look at 04/28-20:49:05.583031 in the
> attached dump).
>
> 2. The following packet shows a whole IPv6 packet, including the full
> IPv6 header (04/28-20:49:05.585397)!
> The event marks the receipt of the ICMP Response. However, this dump
> does not show the response packet; instead it is the full packet content
> from the 04/28-20:49:05.583031 ICMP event.
>
> So it seems something is broken in the packet decoding if an
> IPv6 Routing Header is present.
>
> Could somebody please look into this problem?
>
> Best regards,
> Thomas
>
>
>
> snort -dev -i eth1
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Network Interface eth1
> Decoding Ethernet on interface eth1
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.5.3 IPv6 (Build 124)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>            Using PCRE version: 6.6 06-Feb-2006
>
> Not Using PCAP_FRAMES
> 04/28-20:49:05.548799 0:1E:58:DF:D2:48 -> 33:33:FF:6F:A7:E2
> type:0x86DD len:0x56
> fd00:0141:0064:0001:0000:0000:0000:affe ->
> ff02:0000:0000:0000:0000:0001:ff6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
> 00 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  .......A.d....>.
> FE 6F A7 E2 01 01 00 1E 58 DF D2 48              .o......X..H
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:05.552768 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD
> len:0x56
> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 ->
> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
> 60 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  `......A.d....>.
> FE 6F A7 E2 02 01 00 16 3E 6F A7 E2              .o......>o..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:05.583031 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD
> len:0x56
> fd00:0141:0064:0001:0000:0000:0000:affe ->
> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:64 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:05.585397 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD
> len:0x86
> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 ->
> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:64 TOS:0x0 ID:0
> IpLen:40 DgmLen:120
> 60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01  `.... +@...A.d..
> 00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01  ...........A.d..
> 02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00  ..>..o..:.......
> FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2  ...A.d....>..o..
> 80 00 EB 08 00 00 00 00                          ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:10.496075 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD
> len:0x56
> fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 ->
> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:72
> 00 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  .......A.d......
> 00 00 AF FE 01 01 00 16 3E 6F A7 E2              ........>o..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 04/28-20:49:10.496117 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD
> len:0x4E
> fd00:0141:0064:0001:0000:0000:0000:affe ->
> fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0
> IpLen:40 DgmLen:64
> 40 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  @......A.d......
> 00 00 AF FE                                      ....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> *** Caught Int-Signal
> Run time prior to being shutdown was 11.444640 seconds
> ===============================================================================
> Packet Wire Totals:
>    Received:            3
>    Analyzed:            6 (200.000%)
>     Dropped:            0 (0.000%)
> Outstanding: 18446744073709551613 (614891469123651633152.000%)
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>       ETH: 6          (100.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 6          (100.000%)
>   IP6 EXT: 7          (116.667%)
>   IP6opts: 1          (16.667%)
>   IP6disc: 0          (0.000%)
>       IP4: 0          (0.000%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 6          (100.000%)
>   ICMP-IP: 1          (16.667%)
>       TCP: 0          (0.000%)
>       UDP: 0          (0.000%)
>      ICMP: 0          (0.000%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 0          (0.000%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 0          (0.000%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 0          (0.000%)
>     Total: 6
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> Snort exiting
>
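To make concrete what the decoder has to walk here, the following is an added example (not Snort code and not from either poster): it takes the raw bytes of the 04/28-20:49:05.585397 dump quoted above, follows the IPv6 extension-header chain, flags a Type 0 Routing Header with its address list, and reads the ICMPv6 type found past the chain, which shows those bytes are the Echo Request rather than the reply. All function and constant names are my own.

```python
import struct
import ipaddress

# Raw IPv6 packet from the 04/28-20:49:05.585397 dump quoted in this thread
# (the bytes after the Ethernet header, exactly as Snort printed them).
PKT_WITH_RH0 = bytes.fromhex(
    "60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01 "
    "00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01 "
    "02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00 "
    "FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2 "
    "80 00 EB 08 00 00 00 00"
)

IPPROTO_ROUTING, IPPROTO_ICMPV6 = 43, 58
# Extension headers with the generic layout: next header, then length in 8-octet units minus 1.
# Fragment (44) is a fixed 8 bytes and AH (51) counts 4-octet units, so the walk stops at those.
GENERIC_EXT = {0, 43, 60, 135}   # Hop-by-Hop, Routing, Destination Options, Mobility

def walk_ipv6(pkt):
    """Follow the extension-header chain; return (ext_headers, upper_proto, upper_offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = min(len(pkt), 40 + struct.unpack("!H", pkt[4:6])[0])   # 40 + Payload Length
    nh, off, headers = pkt[6], 40, []
    while nh in GENERIC_EXT:
        if off + 8 > end:
            raise ValueError("truncated extension header at offset %d" % off)
        hdr_len = (pkt[off + 1] + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header at offset %d runs past the payload" % off)
        info = {"type": nh, "offset": off, "length": hdr_len}
        if nh == IPPROTO_ROUTING:
            info["routing_type"], info["segments_left"] = pkt[off + 2], pkt[off + 3]
            if info["routing_type"] == 0:   # RH0: 128-bit addresses follow the 8 fixed bytes
                addrs = pkt[off + 8:off + hdr_len]
                info["addresses"] = [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                                     for i in range(0, len(addrs), 16)]
        headers.append(info)
        nh, off = pkt[off], off + hdr_len
    return headers, nh, off

def has_rh0(pkt):
    # Type 0 Routing Header, deprecated by RFC 5095; the condition the thread wanted a rule for.
    return any(h["type"] == IPPROTO_ROUTING and h.get("routing_type") == 0
               for h in walk_ipv6(pkt)[0])

def icmpv6_type(pkt):
    # ICMPv6 Type byte sitting past the extension chain, or None if the upper layer is not ICMPv6.
    _, proto, off = walk_ipv6(pkt)
    return pkt[off] if proto == IPPROTO_ICMPV6 and off < len(pkt) else None
```

Run against the dump, the walk reports one Routing Header of type 0 with one segment left and ends at offset 64 on ICMPv6 type 128 (Echo Request), the packet Thomas saw printed under the reply's timestamp.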