[Snort-users] Automatically decoding of Teredo traffic

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Tue Apr 2 12:10:36 EDT 2013


Hello.  I am thinking maybe I should ask Snort-Sigs this question, or maybe
another list?

Thanks.

-Lord C.


On Fri, Mar 29, 2013 at 8:35 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...11827...>wrote:

> Thanks, Joel, for looking into this.  I am eagerly awaiting the results and
> the expert(s)' determination of this.  Most of the time I am wrong about a
> configuration or process, so hopefully my error can be made clear, or you can
> let me know if there is a *real* problem.
>
> I apologize in advance if this is an error on my end but secretly hope it
> is not the case :)
>
> -Lord C.
>
>
> On Tue, Mar 26, 2013 at 4:52 PM, Joel Esler <jesler at ...1935...> wrote:
>
>> Let me take a look at this tomorrow.
>>
>> On Mar 26, 2013, at 3:56 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...11827...>
>> wrote:
>>
>> Hello.  Was anyone able to see the problem that I am having?  Thanks.
>>
>> Cheers,
>>
>> -Lord C.
>>
>> On Wed, Mar 20, 2013 at 11:07 AM, L0rd Ch0de1m0rt <
>> l0rdch0de1m0rt at ...11827...> wrote:
>>
>>> Hello.  Joel, please refer to the pcap file from
>>> http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap,
>>> packet 31.  I tried this rule:
>>>
>>> alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|";
>>> offset:8; depth:1; sid:135792468;)
>>>
>>> I do not see an alert!  Did I write the rule wrong?  Is not 0x60 at
>>> offset 8 in the true IPv4 payload?
>>>
>>> Thanks.
>>>
>>> -Lord C.
>>>
>>>
>>> On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler at ...1935...>wrote:
>>>
>>>> Do you have a pcap you can send us off list?
>>>>
>>>>
>>>> On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...11827...>
>>>> wrote:
>>>>
>>>> Hello.  Thanks for the response, Russ.  Using '-A cmg' I see the full
>>>> packet displayed.  However, it seems to me that Snort 2.9 compiled with IPv6
>>>> is detecting the encapsulation and not populating the matching buffers as
>>>> one would expect.  I don't have the same experience as Yun, but I am also
>>>> not able to detect on the actual payload like I need to - the actual IPv4
>>>> payload is what I want to match on with the Snort rules ("content", etc.),
>>>> and because the payload is IPv6 and Snort is compiled with IPv6
>>>> support, the engine seems to mangle the packet so that I cannot detect on
>>>> the actual payload but may have to guess what the engine is doing and detect on
>>>> the modified data?  The Snort binary is compiled with IPv6 support and
>>>> I tried to modify configs, like commenting out 'preprocessor normalize_ip6', but
>>>> I still get packet mangling in the sensor detection engine and I do not know
>>>> how to tell it not to do this.
>>>>
>>>> Thank you for the help.
>>>>
>>>> Cheers,
>>>>
>>>> -Lord C.
>>>>
>>>> On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs at ...1935...>wrote:
>>>>
>>>>> There is no way to turn off teredo at runtime and, as of 2.9.4, there
>>>>> is no way to build without ip6 support, but Snort rules can be written to
>>>>> match on either the inner or outer IP layers.  Furthermore, snort -A cmg
>>>>> will show both layers and unified2 packets have both as well.
>>>>>
>>>>> As for the example, we need to see a pcap.  There should be no need to
>>>>> add the ip6 address, which doesn't really make sense since it is a udp rule
>>>>> (meaning the ip6 header is considered payload, assuming something like
>>>>> eth:ip4:udp:ip6:icmp6).
>>>>>
>>>>> On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <
>>>>> l0rdch0de1m0rt at ...11827...> wrote:
>>>>>
>>>>>> Hello.  I have not seen an answer to this question and I was thinking
>>>>>> the same thing myself.  Would perhaps this be better asked on snort-sigs?
>>>>>> I hate to cross-post, so maybe Joel E. you can do the needful by asking
>>>>>> whoever might know the answer?  Thank you.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> -Lord C.
>>>>>>
>>>>>>
>>>>>> On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...>wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I have Snort compiled with IPv6 support, and now it seems to
>>>>>>> automatically decode Teredo traffic.  This is a nice feature, but I
>>>>>>> want to detect Teredo tunnels on my network, and because the packet is
>>>>>>> automatically decoded I cannot detect on the original IPv4 packets
>>>>>>> that created the tunnel.
>>>>>>>
>>>>>>> For example, the following signature works on Snort without IPv6
>>>>>>> support and reports the IPv4 source and dest that created the tunnel:
>>>>>>>
>>>>>>> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
>>>>>>> Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
>>>>>>> 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
>>>>>>> sid:xxx; rev:1;)
>>>>>>>
>>>>>>> However, with Snort and IPv6 support the signature stopped working and
>>>>>>> I had to modify the signature to:
>>>>>>>
>>>>>>> alert udp $EXTERNAL_NET 3544 ->
>>>>>>> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
>>>>>>> IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
>>>>>>> 00 00 00 00 00 80 00|"; offset:29; depth:10;
>>>>>>> classtype:policy-violation; sid:xxxx; rev:1;)
>>>>>>>
>>>>>>> However, it would then report the IPv6 addresses from the decoded
>>>>>>> Teredo traffic instead of the original IPv4 addresses:
>>>>>>>
>>>>>>> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
>>>>>>> [**] [Classification: Potential Corporate Privacy Violation]
>>>>>>> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
>>>>>>> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>>>>>>>
>>>>>>> Is there a configuration option that disables the automatic decoding
>>>>>>> of Teredo (and 6in4) tunnels?  Of course I could compile it without
>>>>>>> IPv6 support, but I'm looking for a better solution.
>>>>>>> I'm not sure if this is a bug, but I think this actually degrades the
>>>>>>> detection capabilities of Snort because it loses the original IPv4
>>>>>>> addresses.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Yun
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>
>>>>>>> Please visit http://blog.snort.org to stay current on all the
>>>>>>> latest Snort news!
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>
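As an added worked example (it is not code from this thread, from Snort, or from the Wireshark capture), the Python below walks a Teredo UDP payload the way both rules in the thread have to: it skips the optional Authentication encapsulation (RFC 4380 section 5.1.1) and Origin Indication (section 5.1.2), finds where the inner IPv6 header starts, and reports the inner IPv6 addresses alongside the outer mapped IPv4 address and port recovered from the origin indication. It also emulates Snort's `content`/`offset`/`depth` check in a deliberately simplified way (documented semantics only; it does not model fast-pattern handling or the rule-header address matching that Yun's second rule changed). The two packets are constructed, not captured: a server-to-client Router Advertisement carrying both headers (13 + 8 bytes, so the IPv6 header starts at offset 21 and its source address at 29, where Yun's rule looks) and a data packet carrying only an origin indication (so the 0x60 version byte sits at offset 8, where Lord C.'s rule looks). All addresses, ports, the nonce and the helper names are made up for the example. The code cannot tell which headers packet 31 of the capture carries; feeding that packet's UDP payload to `parse_teredo` would.

```python
"""Locate the inner IPv6 header inside a Teredo (UDP/3544) payload and show
how the optional Teredo headers shift rule offsets.  Added example, not part
of the thread or of Snort; all packet contents below are constructed."""
import ipaddress
import struct

AUTH_INDICATOR = b"\x00\x01"    # RFC 4380 5.1.1, authentication encapsulation
ORIGIN_INDICATOR = b"\x00\x00"  # RFC 4380 5.1.2, origin indication


def parse_teredo(payload: bytes) -> dict:
    """Describe one Teredo UDP payload: optional headers, offset of the inner
    IPv6 header, inner src/dst, and the de-obfuscated outer IPv4/port."""
    pos = 0
    info = {"auth": None, "origin": None}

    if payload[pos:pos + 2] == AUTH_INDICATOR:
        id_len, au_len = payload[pos + 2], payload[pos + 3]
        body = pos + 4
        nonce_at = body + id_len + au_len
        if len(payload) < nonce_at + 9:
            raise ValueError("truncated authentication encapsulation")
        info["auth"] = {
            "client_id": payload[body:body + id_len],
            "auth_value": payload[body + id_len:nonce_at],
            "nonce": payload[nonce_at:nonce_at + 8],
            "confirmation": payload[nonce_at + 8],
        }
        pos = nonce_at + 9          # 13 bytes when both length fields are 0

    if payload[pos:pos + 2] == ORIGIN_INDICATOR:
        if len(payload) < pos + 8:
            raise ValueError("truncated origin indication")
        obf_port, obf_addr = struct.unpack("!HI", payload[pos + 2:pos + 8])
        # Port and address are obfuscated by XOR with all-ones bit patterns.
        info["origin"] = {"port": obf_port ^ 0xFFFF,
                          "ipv4": str(ipaddress.IPv4Address(obf_addr ^ 0xFFFFFFFF))}
        pos += 8

    if len(payload) < pos + 40 or payload[pos] >> 4 != 6:
        raise ValueError("no IPv6 header at offset %d" % pos)
    info["ipv6_offset"] = pos
    info["ipv6_next_header"] = payload[pos + 6]
    info["ipv6_src"] = str(ipaddress.IPv6Address(payload[pos + 8:pos + 24]))
    info["ipv6_dst"] = str(ipaddress.IPv6Address(payload[pos + 24:pos + 40]))
    return info


def content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Simplified Snort content/offset/depth: look for `content` within the
    `depth` bytes that start `offset` bytes into the payload (assumption:
    documented semantics only, no fast-pattern or rule-header logic)."""
    return content in payload[offset:offset + depth]


# ---- constructed sample packets (assumed values, not from any capture) ----

def ipv6_header(src: str, dst: str, payload_len: int, next_header: int = 58) -> bytes:
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def origin_indication(port: int, ipv4: str) -> bytes:
    addr = int(ipaddress.IPv4Address(ipv4))
    return ORIGIN_INDICATOR + struct.pack("!HI", port ^ 0xFFFF, addr ^ 0xFFFFFFFF)


def auth_encapsulation(nonce: bytes, client_id: bytes = b"", auth_value: bytes = b"") -> bytes:
    return (AUTH_INDICATOR + bytes([len(client_id), len(auth_value)])
            + client_id + auth_value + nonce + b"\x00")


# ICMPv6 Router Advertisement (type 134); checksum left at 0, not validated here.
RA_ICMP = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
# Server -> client RA: auth (13) + origin (8) + IPv6 header (40) + ICMPv6.
# Addresses mimic the shape of the alert in the thread; they are made up.
RA_PAYLOAD = (auth_encapsulation(nonce=bytes.fromhex("0011223344556677"))
              + origin_indication(port=52000, ipv4="198.51.100.7")
              + ipv6_header("fe80::8000:1234:5678:9abc", "fe80::ffff:ffff:ffff", len(RA_ICMP))
              + RA_ICMP)

# Relay -> client data packet: origin (8) + IPv6 header (40) + ICMPv6 echo.
ECHO_ICMP = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"ping"
DATA_PAYLOAD = (origin_indication(port=3544, ipv4="192.0.2.10")
                + ipv6_header("2001:db8::1", "2001:0:c000:20a:0:34df:39cc:9bf8", len(ECHO_ICMP))
                + ECHO_ICMP)

# The two rules from the thread as (content, offset, depth).
YUN_RULE = (bytes.fromhex("fe800000000000008000"), 29, 10)
LORDC_RULE = (b"\x60", 8, 1)


def check(payload: bytes) -> dict:
    info = parse_teredo(payload)
    info["yun_rule"] = content_match(payload, *YUN_RULE)
    info["lordc_rule"] = content_match(payload, *LORDC_RULE)
    return info


if __name__ == "__main__":
    for name, pkt in (("RA", RA_PAYLOAD), ("data", DATA_PAYLOAD)):
        print(name, check(pkt))
```

Running it shows that Yun's `offset:29` only lines up with the IPv6 source address when a 13-byte authentication encapsulation precedes the origin indication, and that Lord C.'s `offset:8` only finds the 0x60 version byte when the origin indication is the sole Teredo header; each rule misses the other packet shape. When writing Teredo rules against the UDP payload, it is the Teredo header combination, not just the IPv6 layout, that fixes the offsets.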

