[Snort-users] Snort IPv6 howto/rules

Nigel Houghton nhoughton at ...1935...
Tue Apr 21 20:36:03 EDT 2009


On Tue, Apr 21, 2009 at 7:59 PM, Stephen Reese <rsreese at ...11827...> wrote:
> On Mon, Apr 13, 2009 at 8:02 PM, Stephen Reese <rsreese at ...11827...> wrote:
>> Are there any IPv6 Snort rule sets available or do they need to be
>> written from scratch? I've compiled Snort 2.8.4 with IPv6 support but
>> realized I don't have a clue in regards to the configuration that's needed
>> to look at the IPv6 traffic. TCPDUMP on the sensor interface sees IPv6
>> related traffic.
>>
>> Should I specify another var for the IPv6 scheme:
>>
>> var HOME_NET [x.x.x.0/24,x.x.x..0/24]
>>
>> IPv6 tunnel over IPv4 | Router with IPv6 address | Snort sensor |
>> Network with functioning IPv6 hosts
>>
>> Thanks
>>
>
> I wrote three very simple rules just to confirm that Snort is sniffing
> IPv6 and sure enough it is though base doesn't seem to be playing
> nicely (or it could be mysql).
>
> alert tcp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 TCP
> Traffic";sid:1000001;)
> alert icmp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"IPV6 ICMP
> Traffic";sid:1000002;)
> alert udp $EXTERNAL_IPV6 any -> $HOME_IPV6 any (msg:"UDP ICMP
> Traffic";sid:1000003;)
>
> I registered for the VRT rules just to check and I do not see any new
> IPv6 rules:
>
> $ grep -i ipv6 *
> icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34;
> classtype:misc-activity; sid:411; rev:5;)
> icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34;
> classtype:misc-activity; sid:412; rev:7;)
> icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33;
> classtype:misc-activity; sid:413; rev:5;)
> icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33;
> classtype:misc-activity; sid:414; rev:7;)
> policy.rules:# alert ip $EXTERNAL_NET any -> $HOME_NET any
> (msg:"POLICY IPv6 encapsulated in IPv4 activity"; ip_proto:41;
> classtype:policy-violation; sid:8446; rev:1;)
> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-MISC malformed ipv6 uri overflow attempt";
> flow:to_server,established; uricontent:"|3A|/[";
> pcre:"/\x3a\x2f\x5b\s*([\x2F\x3F\x23]*)|([\x2F\x3F\x23]+.+)|(\x3a[^\x3a^\x5d]*)$/U";
> metadata:service http; reference:bugtraq,11187;
> reference:cve,2004-0786; classtype:web-application-attack; sid:5715;
> rev:2;)
>
> Should I assume I'm on my own for the time being writing IPv6 rules?

If all you are looking at is packet payload data, content is content
is content. No need to write any new rules.

For other information see:

 http://marc.info/?l=snort-devel&m=121935131920776&w=2

 http://marc.info/?l=snort-devel&m=121975623105073&w=2

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
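To make the two points in this thread concrete (the VRT policy rule keying on ip_proto:41 for IPv6-in-IPv4 tunnels, and "content is content" once the inner headers are stripped), here is an added Python example that is not part of the thread or of Snort: it decapsulates a constructed 6in4 packet, reports the inner IPv6 addresses, checks the inner destination against a stand-in for $HOME_IPV6, and returns the application payload a content match would see. The HOME_IPV6 range, the sample packet and its zeroed checksums are all constructed assumptions.

```python
import ipaddress
import struct

# Constructed stand-in for the thread's $HOME_IPV6 variable (assumption).
HOME_IPV6 = [ipaddress.ip_network("2001:db8:1::/48")]
IPPROTO_IPV6 = 41  # the ip_proto value the VRT policy rule (sid 8446) keys on

def decapsulate_6in4(pkt: bytes) -> dict:
    """Parse an IPv4 packet; if it carries protocol 41, return the inner IPv6
    header fields and the application payload that content rules inspect."""
    ihl = (pkt[0] & 0x0F) * 4
    if (pkt[0] >> 4) != 4 or pkt[9] != IPPROTO_IPV6:
        return {"tunnel": False}
    v6 = pkt[ihl:]
    if len(v6) < 40 or (v6[0] >> 4) != 6:
        return {"tunnel": True, "inner_ok": False}   # proto 41 but no IPv6 inside
    payload_len, next_hdr = struct.unpack("!HB", v6[4:7])
    src = ipaddress.IPv6Address(v6[8:24])
    dst = ipaddress.IPv6Address(v6[24:40])
    transport = v6[40:40 + payload_len]
    app = b""
    if next_hdr == 6 and len(transport) >= 20:      # TCP: skip header by data offset
        app = transport[(transport[12] >> 4) * 4:]
    return {"tunnel": True, "inner_ok": True, "src": src, "dst": dst,
            "next_header": next_hdr, "payload": app,
            "dst_is_home": any(dst in n for n in HOME_IPV6)}

def build_6in4_sample() -> bytes:
    """Constructed sample: IPv4(proto 41) > IPv6 > TCP > 'GET / HTTP/1.0'.
    Checksums are left at zero; this is parser input, not a sendable packet."""
    app = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + app
    v6 = (struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
          + ipaddress.IPv6Address("2001:db8:ffff::1").packed
          + ipaddress.IPv6Address("2001:db8:1::10").packed + tcp)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return v4 + v6

if __name__ == "__main__":
    print(decapsulate_6in4(build_6in4_sample()))
```

The returned "payload" is the same byte string a content: or pcre: option would be matched against whether the packet arrived natively over IPv6 or inside a 6in4 tunnel, which is why the existing payload rules need no IPv6-specific rewrite.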