[Snort-devel] IPv6 rule options syntax

Martin Schütte lists at ...3181...
Wed May 4 07:33:29 EDT 2011

On 05/04/11 07:30, 김무성 wrote:
> Are there any options for IPv6 which are already created or will be created?
> Example) IPv6 Hop Limit -> HL:50;
> Example) ICMPv6 type -> itype6:134

There are no IPv6-specific options (yet?).
But nearly all fields are mapped to their IPv4 counterparts, so your
examples are expressed with the rules:

alert icmp any any -> any any                          \
    (msg:"IPv6 ICMP Router Advertisement"; itype:134;  \
    classtype:icmp-event; sid:2000001; rev:1;)
alert ip any any -> any any                            \
    (msg:"TTL or Hop Limit = 50"; ttl:50;              \
    classtype:attempted-recon; sid:2000002; rev:1;)

BTW, I am currently writing an IPv6 preprocessor to detect more issues
and to track autoconfiguration. It is not released yet, but feel free to
contact me off list.

Martin Schütte
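
Added example, not part of the original message and not Snort code: a small Python model of the mapping described above, in which one `ttl` test covers both IPv4 TTL and IPv6 Hop Limit and one `itype` test covers both ICMP and ICMPv6 type. The helper names and sample packets are constructed for illustration; Fragment and AH headers are assumed absent.

```python
import struct

EXT_HEADERS = {0, 43, 60}   # IPv6 hop-by-hop, routing, destination options
ICMP, ICMPV6 = 1, 58        # protocol / next-header numbers

def unified_fields(pkt: bytes) -> dict:
    """Version-independent view that a rule option would test:
    'ttl' = IPv4 TTL or IPv6 Hop Limit, 'itype' = ICMP or ICMPv6 type."""
    version = pkt[0] >> 4
    if version == 4:
        ttl, proto = pkt[8], pkt[9]
        offset = (pkt[0] & 0x0F) * 4          # IHL in 32-bit words
    elif version == 6:
        proto, ttl = pkt[6], pkt[7]           # Next Header, Hop Limit
        offset = 40
        while proto in EXT_HEADERS:           # walk the extension header chain
            proto, ext_len = pkt[offset], pkt[offset + 1]
            offset += (ext_len + 1) * 8       # length excludes the first 8 bytes
    else:
        raise ValueError("not an IP packet")
    is_icmp = proto in (ICMP, ICMPV6) and len(pkt) > offset
    return {"version": version, "ttl": ttl, "itype": pkt[offset] if is_icmp else None}

def matching_sids(pkt: bytes) -> list:
    """Apply the two options from the rules above to one packet."""
    f = unified_fields(pkt)
    sids = []
    if f["itype"] == 134:                     # itype:134;  sid 2000001
        sids.append(2000001)
    if f["ttl"] == 50:                        # ttl:50;     sid 2000002
        sids.append(2000002)
    return sids

# Constructed sample packets (checksums zeroed, not captured traffic).
def ipv6(next_header: int, hop_limit: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + src + dst + payload

def ipv4(proto: int, ttl: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                       0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

RA = bytes([134, 0, 0, 0]) + bytes(12)                 # ICMPv6 Router Advertisement
HBH = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])             # hop-by-hop header with PadN
ECHO = bytes([8, 0, 0, 0, 0, 0, 0, 0])                 # ICMPv4 echo request
```

Because the options are version-agnostic in this model, `ttl:50` fires on IPv4 and IPv6 alike; a rule meant only for IPv6 would need an additional constraint.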
