[Snort-users] Automatically decoding of Teredo traffic

Yun Zheng Hu yunzheng.hu at ...11827...
Wed Jun 20 07:11:27 EDT 2012


Hi all,

I have Snort compiled with IPv6 support, and now it seems to
automatically decode Teredo traffic. This is a nice feature but I want
to detect Teredo tunnels on my network, but because the packet is
automatically decoded I cannot detect on the original ipv4 packets
that created the tunnel.

For example, the following signature works on Snort without ipv6
support and reports the ipv4 source and dest that created the tunnel:

alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation; sid:xxx; rev:1;)

However with Snort and IPv6 support the signature stopped working and
I had to modify the signature to:

alert udp $EXTERNAL_NET 3544 -> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation; sid:xxxx; rev:1;)

However it would then report the ipv6 addresses from the decoded
Teredo traffic instead of the original ipv4 addresses:

[**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
[**] [Classification: Potential Corporate Privacy Violation]
[Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
fe80:0000:0000:0000:0000:ffff:ffff:ffff

Is there a configuration option that disables the automatic decoding
of Teredo (and 6in4) tunnels? Of course I could compile it without IPv6
support, but I'm looking for a better solution.
I'm not sure if this is a bug, but I think this actually degrades the
detection capabilities of Snort because it lost the original IPv4
addresses.

Regards,

Yun
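As an added example (not part of the original post and not Snort's own code), the following Python walks a constructed Teredo Router Advertisement the way a defender-side decoder would: it strips the Teredo authentication header and origin indication to reach the inner IPv6 packet, re-applies the rule's content/offset test, and keeps the outer IPv4 pair that disappears from the alert once Snort decodes the tunnel. It also shows where offset 29 comes from: 13 bytes of authentication header, 8 bytes of origin indication and the 8 bytes that precede the IPv6 source address. All addresses and the packet bytes are constructed.

```python
import struct
import ipaddress

# Constructed sample addresses (not from the post): outer IPv4 pair and inner
# link-local pair as seen in a Teredo Router Advertisement from server to client.
OUTER_SRC, OUTER_DST = "203.0.113.10", "198.51.100.20"
SERVER_LL = ipaddress.IPv6Address("fe80::8000:1234:5678:9abc")  # matches |FE 80 .. 80 00|
CLIENT_LL = ipaddress.IPv6Address("fe80::ffff:ffff:ffff")
RA_PATTERN = bytes.fromhex("FE800000000000008000")             # the rule's content bytes

def build_teredo_ra():
    """Constructed UDP/3544 payload: auth header, origin indication, IPv6 + ICMPv6 RA."""
    auth = b"\x00\x01" + b"\x00\x00" + bytes(8) + b"\x00"        # ID-len=0, AU-len=0, nonce, confirm
    origin = b"\x00\x00" + struct.pack("!H", 3544 ^ 0xFFFF) + bytes(
        b ^ 0xFF for b in ipaddress.IPv4Address(OUTER_DST).packed)  # port/addr are XOR-obfuscated
    icmp = b"\x86\x00\x00\x00" + b"\x40\x00\x00\x00" + bytes(8)   # type 134 RA, checksum left zero
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + SERVER_LL.packed + CLIENT_LL.packed
    return auth + origin + ipv6 + icmp

def parse_teredo(payload):
    """Return (offset of inner IPv6 header, origin (ip, port) or None, inner packet bytes)."""
    off = 0
    if payload[off:off + 2] == b"\x00\x01":                      # authentication encapsulation
        id_len, au_len = payload[off + 2], payload[off + 3]
        off += 4 + id_len + au_len + 8 + 1                       # ident, auth value, nonce, confirmation
    origin = None
    if payload[off:off + 2] == b"\x00\x00":                      # origin indication
        port = struct.unpack("!H", payload[off + 2:off + 4])[0] ^ 0xFFFF
        addr = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in payload[off + 4:off + 8]))
        origin, off = (str(addr), port), off + 8
    return off, origin, payload[off:]

def teredo_ra_alert(outer_src, outer_dst, payload):
    """Re-implements the rule's content/offset test and keeps the outer IPv4 addresses."""
    ipv6_off, origin, inner = parse_teredo(payload)
    if len(inner) < 41 or inner[0] >> 4 != 6:
        return None
    is_ra = inner[6] == 58 and inner[40] == 0x86                  # next header ICMPv6, type 134
    if not (is_ra and payload[29:39] == RA_PATTERN):             # content at offset:29; depth:10
        return None
    return {"outer": (outer_src, outer_dst),
            "inner": (str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40]))),
            "origin": origin, "ipv6_offset": ipv6_off}

if __name__ == "__main__":
    print(teredo_ra_alert(OUTER_SRC, OUTER_DST, build_teredo_ra()))
```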