[Snort-users] Snort IPv6 howto/rules

Stephen Reese rsreese at ...11827...
Tue Apr 21 19:59:14 EDT 2009

On Mon, Apr 13, 2009 at 8:02 PM, Stephen Reese <rsreese at ...11827...> wrote:
> Are there any IPv6 Snort rule sets available or do they need to be
> written from scratch? I've compiled Snort 2.8.4 with IPv6 support but
> realized I don't have a clue in regards to the configuration that's needed
> to look at the IPv6 traffic. TCPDUMP on the sensor interface sees IPv6
> related traffic.
> Should I specify another var for the IPv6 scheme:
> var HOME_NET [x.x.x.0/24,x.x.x.0/24]
> IPv6 tunnel over IPv4 | Router with IPv6 address | Snort sensor |
> Network with functioning IPv6 hosts
> Thanks

I wrote three very simple rules just to confirm that Snort is sniffing
IPv6, and sure enough it is, though BASE doesn't seem to be playing
nicely (or it could be MySQL).

alert tcp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 TCP
alert icmp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 ICMP
alert udp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"UDP ICMP

I registered for the VRT rules just to check and I do not see any new
IPv6 rules:

$ grep -i ipv6 *
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34;
classtype:misc-activity; sid:411; rev:5;)
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34;
classtype:misc-activity; sid:412; rev:7;)
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33;
classtype:misc-activity; sid:413; rev:5;)
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33;
classtype:misc-activity; sid:414; rev:7;)
policy.rules:# alert ip $EXTERNAL_NET any -> $HOME_NET any
(msg:"POLICY IPv6 encapsulated in IPv4 activity"; ip_proto:41;
classtype:policy-violation; sid:8446; rev:1;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-MISC malformed ipv6 uri overflow attempt";
flow:to_server,established; uricontent:"|3A|/[";
metadata:service http; reference:bugtraq,11187;
reference:cve,2004-0786; classtype:web-application-attack; sid:5715;

Should I assume I'm on my own for the time being writing IPv6 rules?
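
Added example (not part of the original message and not Snort code): depending on where a sensor sits relative to the tunnel endpoint, it sees either native IPv6 or IPv6 carried inside IPv4, which is the case the commented-out ip_proto:41 policy rule above matches. This Python code classifies a raw packet into those cases and reads the inner IPv6 addresses; the function names and the sample packet (documentation address ranges) are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for encapsulated IPv6, as in ip_proto:41
NEXT_HEADER = {6: "tcp", 17: "udp", 58: "icmpv6"}


def parse_ipv6(data: bytes) -> dict:
    """Read the fixed 40-byte IPv6 header (extension headers are not walked)."""
    if len(data) < 40 or data[0] >> 4 != 6:
        raise ValueError("truncated or malformed IPv6 header")
    return {
        "src": str(ipaddress.IPv6Address(data[8:24])),
        "dst": str(ipaddress.IPv6Address(data[24:40])),
        "next": NEXT_HEADER.get(data[6], str(data[6])),
    }


def classify(packet: bytes) -> dict:
    """Classify a raw IP packet as native IPv4, native IPv6, or IPv6-in-IPv4."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 6:
        return {"kind": "ipv6", **parse_ipv6(packet)}
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 or IPv6 packet")
    outer = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
    }
    if packet[9] != IPPROTO_IPV6:
        return {"kind": "ipv4", "proto": packet[9], **outer}
    return {"kind": "6in4", **outer, **parse_ipv6(packet[ihl:])}


def build_sample() -> bytes:
    """Constructed 6in4 packet: ICMPv6 echo request, documentation addresses."""
    inner = struct.pack("!IHBB", 6 << 28, 8, 58, 64)
    inner += ipaddress.IPv6Address("2001:db8::1").packed
    inner += ipaddress.IPv6Address("2001:db8::2").packed
    inner += bytes([128, 0, 0, 0, 0, 1, 0, 1])  # checksum left as zero
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
    outer += ipaddress.IPv4Address("192.0.2.1").packed
    outer += ipaddress.IPv4Address("198.51.100.1").packed
    return outer + inner
```

Calling classify(build_sample()) returns the outer IPv4 endpoints together with the inner IPv6 source, destination and next header, which shows why a rule written against IPv4 $HOME_NET addresses matches only the tunnel endpoints and not the IPv6 hosts behind them.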
