[Snort-devel] IPv6 rule options syntax
lists at ...3181...
Wed May 4 07:33:29 EDT 2011
On 05/04/11 07:30, 김무성 wrote:
> Are there any options for IPv6 which are already created or will be created?
> Example) IPv6 Hop Limit -> HL:50;
> Example) ICMPv6 type -> itype6:134
There are no IPv6-specific options (yet?).
But nearly all fields are mapped to their IPv4 counterparts, so your
examples are expressed with the rules:
alert icmp any any -> any any \
(msg:"IPv6 ICMP Router Advertisement"; itype:134; \
classtype:icmp-event; sid:2000001; rev:1;)
alert ip any any -> any any \
(msg:"TTL or Hop Limit = 50"; ttl:50; \
classtype:attempted-recon; sid:2000002; rev:1;)
BTW, I am currently writing an IPv6 preprocessor to detect more issues
and to track autoconfiguration. It is not released yet, but feel free to
contact me off list.
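
Added example (not part of the original message, and not Snort's own decoder): a Python illustration of the field mapping the reply describes, reading the value a `ttl` option would compare from the IPv4 TTL or the IPv6 Hop Limit, and the value for `itype` from the ICMP or ICMPv6 type after walking any IPv6 extension headers. The function name `ttl_and_itype` and the sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv6Address

ICMP, ICMPV6 = 1, 58
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options
FRAGMENT = 44              # fixed 8-byte fragment header

def ttl_and_itype(packet: bytes):
    """Return (TTL or Hop Limit, ICMP/ICMPv6 type or None) for a raw IP packet."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    version = packet[0] >> 4
    if version == 4:
        ttl, proto = packet[8], packet[9]      # IPv4 TTL, Protocol
        offset = (packet[0] & 0x0F) * 4        # IHL is counted in 32-bit words
        is_icmp = proto == ICMP
    elif version == 6 and len(packet) >= 40:
        next_hdr, ttl = packet[6], packet[7]   # IPv6 Next Header, Hop Limit
        offset = 40                            # fixed IPv6 header length
        # ICMPv6 may sit behind extension headers, so walk the chain first.
        while next_hdr in EXT_HEADERS or next_hdr == FRAGMENT:
            if offset + 8 > len(packet):
                return ttl, None               # chain runs past the captured bytes
            if next_hdr == FRAGMENT:
                size = 8
                if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                    return ttl, None           # non-first fragment: no ICMPv6 header
            else:
                size = (packet[offset + 1] + 1) * 8
            next_hdr = packet[offset]
            offset += size
        is_icmp = next_hdr == ICMPV6
    else:
        raise ValueError("not a complete IPv4/IPv6 header")
    itype = packet[offset] if is_icmp and offset < len(packet) else None
    return ttl, itype

# Constructed sample packets (checksums left at zero).
SRC6, DST6 = IPv6Address("fe80::1").packed, IPv6Address("ff02::1").packed
RA = bytes([134, 0]) + bytes(14)               # ICMPv6 type 134, 16 bytes
V6_RA = struct.pack("!IHBB16s16s", 0x60000000, len(RA), ICMPV6, 255, SRC6, DST6) + RA
HBH = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])     # hop-by-hop header holding one PadN
V6_RA_HBH = struct.pack("!IHBB16s16s", 0x60000000, len(HBH + RA), 0, 50, SRC6, DST6) + HBH + RA
V4_ECHO = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 50, ICMP, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + bytes([8]) + bytes(7)

if __name__ == "__main__":
    for name, pkt in (("v4 echo", V4_ECHO), ("v6 RA", V6_RA), ("v6 RA+HBH", V6_RA_HBH)):
        print(name, ttl_and_itype(pkt))
```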