[Snort-devel] IPv6 rule options syntax

Martin Schütte lists at ...3181...
Wed May 4 07:33:29 EDT 2011


On 05/04/11 07:30, 김무성 wrote:
> Are there any options for IPv6 which are already created or will be created?
>
> Example) IPv6 Hop Limit -> HL:50;
> Example) ICMPv6 type -> itype6:134

There are no IPv6-specific options (yet?).
But nearly all fields are mapped to their IPv4 counterparts, so your
examples are expressed with the rules:

alert icmp any any -> any any                          \
    (msg:"IPv6 ICMP Router Advertisement"; itype:134;  \
    classtype:icmp-event; sid:2000001; rev:1;)
alert ip any any -> any any                            \
    (msg:"TTL or Hop Limit = 50"; ttl:50;              \
    classtype:attempted-recon; sid:2000002; rev:1;)


BTW, I am currently writing an IPv6 preprocessor to detect more issues
and to track autoconfiguration. It is not released yet, but feel free to
contact me off list.

-- 
Martin Schütte
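
The field mapping described in the reply above, as an added example that is not part of the original post and is not Snort's decoder code: one `ttl` test reads the IPv4 TTL or the IPv6 Hop Limit, and one `itype` test reads the ICMP or ICMPv6 type, including when an IPv6 extension header sits in front of it. The names `parse` and `rule_matches` and the sample packets are constructed for illustration.

```python
import struct

ICMP, ICMPV6, FRAGMENT = 1, 58, 44
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def parse(pkt: bytes) -> dict:
    """Extract the values a 'ttl' or 'itype' test would be compared against."""
    version = pkt[0] >> 4
    if version == 4:
        ttl, proto, off = pkt[8], pkt[9], (pkt[0] & 0x0F) * 4  # TTL, IHL in words
    elif version == 6:
        proto, ttl, off = pkt[6], pkt[7], 40  # Next Header, Hop Limit, fixed header
        while proto in EXT_HEADERS or proto == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated extension header")
            if proto == FRAGMENT:
                size = 8
                if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                    proto = None  # later fragment: no upper-layer header here
                    break
            else:
                size = (pkt[off + 1] + 1) * 8
            proto, off = pkt[off], off + size
    else:
        raise ValueError("not an IP packet")
    itype = pkt[off] if proto in (ICMP, ICMPV6) and off < len(pkt) else None
    return {"version": version, "ttl": ttl, "itype": itype}

def rule_matches(pkt: bytes, ttl=None, itype=None) -> bool:
    """Evaluate the two options from the post's rules against one packet."""
    f = parse(pkt)
    return (ttl is None or f["ttl"] == ttl) and (itype is None or f["itype"] == itype)

# Constructed sample packets (addresses from documentation ranges, checksums zero).
V6_ADDRS = bytes.fromhex("20010db8" + "00" * 11 + "01") + bytes.fromhex("ff02" + "00" * 13 + "01")
RA = struct.pack("!IHBB", 6 << 28, 16, ICMPV6, 255) + V6_ADDRS + bytes([134, 0]) + bytes(14)
HBH = struct.pack("!IHBB", 6 << 28, 16, 0, 50) + V6_ADDRS \
    + bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + bytes([128, 0]) + bytes(6)
V4 = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 50, ICMP, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2]) \
    + bytes([8, 0]) + bytes(6)

if __name__ == "__main__":
    for name, pkt in (("RA", RA), ("HBH", HBH), ("V4", V4)):
        print(name, parse(pkt), rule_matches(pkt, ttl=50), rule_matches(pkt, itype=134))
```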




