[Snort-users] Snort IPv6

Martin Roesch roesch at ...1935...
Thu Feb 2 13:26:03 EST 2006


We have the same requirements at Sourcefire and we'll be addressing  
them in Snort as soon as we can.  I think it'd be a bad idea to  
rewrite everything independent of Sourcefire because we'll be  
duplicating the work and we're likely to come up with different  
solutions.

The "real answer" to this problem is to restructure Snort's decoder
(as I've said before) so that it can gracefully handle
layers/encapsulation in a way that's not a big retrofit over everything
we have.  That's a big undertaking because to do it we need a new Packet
struct.  If you grep for "Packet" in Snort's source code you'll see
this is a pretty serious refactoring effort.

We definitely will be interested in getting feedback and testing from
the community on the implementation as it becomes available; this is
a big change and we don't make any claims that our in-house testing
can be as all-encompassing as the diverse operating environments
that all of you have at your fingertips.

Anyway, stay tuned and sorry for the delay!

     -Marty

On Feb 2, 2006, at 9:56 AM, Eric Hines wrote:

> Community:
>
> Recently, OMB (Office of Management and Budget) issued a mandate that
> all federal agencies be IPv6 compliant by 2008. This sparks the question
> of federal and military organizations who will be going through an IPv6
> roll-out as to when Snort will have support for IPv6 addressing.
>
> I understand that previous attempts were made to make modifications to
> the Snort core for support of IPv6 but were abandoned, and whether or not
> they are still being worked on is in question.
>
> My understanding is that support of IPv6 will require a rewrite of some,
> if not all, of Snort's Preprocessors, and IPv6 support, furthermore, cannot
> be done simply with the use of a Preprocessor, rather modifications
> to the Snort core itself.
>
> Does anyone have any insight into these efforts or can anyone answer
> intelligently to this issue? Does anyone know of a project currently
> being developed or worked on that is working towards this effort?
>
>
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
>
> ---------------------------------------------
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 213
> Crystal Lake, IL 60014
> Toll Free: (877) 262-7593 ext:327
> Direct: (847) 854-2725 ext:327
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
> Email: eric.hines at ...8860...
>
> --------------------------------------------
>
> "Enterprise Open Source Snort Management"

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
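
The layered decoding described in the message above, as an added example that is not part of the original post and is not Snort or Sourcefire code: a packet is recorded as a bounded stack of layers, so an IPv4-in-IPv6 tunnel is two more entries rather than a retrofit onto fixed header fields. All names here (`struct packet`, `decode_packet`, `MAX_LAYERS`, `build_sample`) are hypothetical, and IPv6 extension headers are assumed absent.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum proto { P_NONE, P_ETH, P_IP4, P_IP6, P_TCP, P_UDP };
struct layer { enum proto proto; const uint8_t *hdr; size_t len; };
#define MAX_LAYERS 8                      /* hard cap on encapsulation depth */
struct packet { struct layer layers[MAX_LAYERS]; int n; };
static int push(struct packet *p, enum proto pr, const uint8_t *h, size_t len) {
    if (p->n == MAX_LAYERS) return -1;    /* nested too deeply: reject the packet */
    p->layers[p->n++] = (struct layer){ pr, h, len };
    return 0;
}
/* IP protocol / IPv6 next-header value -> next layer (4 = IPv4-in-IP, 41 = IPv6-in-IP). */
static enum proto from_ipproto(uint8_t v) {
    return v == 4 ? P_IP4 : v == 41 ? P_IP6 : v == 6 ? P_TCP : v == 17 ? P_UDP : P_NONE;
}
/* Decode an Ethernet frame into a layer stack; 0 on success, -1 if malformed. */
int decode_packet(struct packet *p, const uint8_t *b, size_t len) {
    p->n = 0;
    if (len < 14 || push(p, P_ETH, b, 14)) return -1;
    unsigned et = ((unsigned)b[12] << 8) | b[13];
    enum proto next = et == 0x0800 ? P_IP4 : et == 0x86DD ? P_IP6 : P_NONE;
    for (b += 14, len -= 14; next != P_NONE; ) {
        size_t hl; uint8_t nh;
        if (next == P_IP4) {
            if (len < 20 || (b[0] >> 4) != 4) return -1;
            hl = (size_t)(b[0] & 0x0f) * 4; nh = b[9];
            if (hl < 20 || hl > len) return -1;   /* IHL must fit the captured data */
        } else if (next == P_IP6) {               /* fixed header only, no extension headers */
            if (len < 40 || (b[0] >> 4) != 6) return -1;
            hl = 40; nh = b[6];
        } else {
            return push(p, next, b, len);         /* transport layer ends the walk */
        }
        if (push(p, next, b, hl)) return -1;
        b += hl; len -= hl;
        next = from_ipproto(nh);
    }
    return 0;                                     /* unknown next protocol: stop cleanly */
}
/* Constructed sample frame: Ethernet / IPv6 / IPv4 (tunnelled) / TCP, 94 bytes. */
size_t build_sample(uint8_t *f) {
    memset(f, 0, 94);
    f[12] = 0x86; f[13] = 0xDD;                   /* ethertype: IPv6 */
    f[14] = 0x60; f[20] = 4;                      /* IPv6, next header = IPv4 */
    f[54] = 0x45; f[63] = 6;                      /* IPv4, IHL 5, protocol = TCP */
    return 94;
}
```

Detection code written against such a stack can ask for the innermost IP layer instead of assuming exactly one IP header per packet.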
