[Snort-users] Automatically decoding of Teredo traffic

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Tue Mar 19 10:35:45 EDT 2013


Hello.  I have not seen an answer to this question and I was thinking the
same thing myself.  Would perhaps this be better asked on snort-sigs?  I
hate to cross-post so maybe Joel E. you can do the needful with asking who
might know this answer?  Thank you.

Cheers,

-Lord C.

On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...> wrote:

> Hi all,
>
> I have Snort compiled with IPv6 support, and now it seems to
> automatically decode Teredo traffic. This is a nice feature but I want
> to detect Teredo tunnels on my network, but because the packet is
> automatically decoded I cannot detect on the original ipv4 packets
> that created the tunnel.
>
> For example, the following signature works on Snort without ipv6
> support and reports the ipv4 source and dest that created the tunnel:
>
> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation; sid:xxx; rev:1;)
>
> However, with Snort and IPv6 support the signature stopped working and
> I had to modify the signature to:
>
> alert udp $EXTERNAL_NET 3544 -> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation; sid:xxxx; rev:1;)
>
> However, it would then report the IPv6 addresses from the decoded
> Teredo traffic instead of the original IPv4 addresses:
>
> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
> [**] [Classification: Potential Corporate Privacy Violation]
> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>
> Is there a configuration option that disables the automatic decoding
> of Teredo (and 6in4) tunnels? Of course I could compile it without IPv6
> support, but I'm looking for a better solution.
> I'm not sure if this is a bug, but I think this actually degrades the
> detection capabilities of Snort because it lost the original IPv4
> addresses.
>
> Regards,
>
> Yun
>
>
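Worked example (added here, not part of either post): a small Python parser for the Teredo (RFC 4380) framing that explains why the rule's `offset:29; depth:10` lands on the inner IPv6 source address. A server-to-client Router Advertisement carries a 13-byte authentication indication and an 8-byte origin indication before the IPv6 header, so the source address starts at byte 13 + 8 + 8 = 29 of the UDP payload. The sample payload and its addresses are constructed for the demonstration; the helper names are my own.

```python
import ipaddress
import struct

# Teredo (RFC 4380) framing on UDP/3544 for a server -> client Router Advertisement:
#   authentication indication (13 bytes when client ID and auth value are empty),
#   origin indication (8 bytes), then the encapsulated IPv6 packet.
AUTH_INDICATOR = b"\x00\x01"
ORIGIN_INDICATOR = b"\x00\x00"
RULE_PATTERN = bytes.fromhex("fe800000000000008000")  # rule's content: fe80::8000:...
RULE_OFFSET, RULE_DEPTH = 29, 10                        # rule's offset:29; depth:10;

def parse_teredo_payload(payload: bytes) -> dict:
    """Walk the optional Teredo headers and return the outer/inner facts a rule loses."""
    pos, info = 0, {}
    if payload[pos:pos + 2] == AUTH_INDICATOR:
        id_len, au_len = payload[pos + 2], payload[pos + 3]
        # indicator(2) + lengths(2) + client id + auth value + nonce(8) + confirmation(1)
        pos += 4 + id_len + au_len + 8 + 1
    if payload[pos:pos + 2] == ORIGIN_INDICATOR:
        port, addr = struct.unpack("!HI", payload[pos + 2:pos + 8])
        # Origin port and address are stored XORed with all-ones (RFC 4380 5.1.1)
        info["origin_port"] = port ^ 0xFFFF
        info["origin_addr"] = str(ipaddress.IPv4Address(addr ^ 0xFFFFFFFF))
        pos += 8
    ipv6 = payload[pos:]
    if len(ipv6) < 40 or ipv6[0] >> 4 != 6:
        raise ValueError("no inner IPv6 header at offset %d" % pos)
    info["ipv6_offset"] = pos                      # 21 for auth + origin indication
    info["next_header"] = ipv6[6]                  # 58 = ICMPv6 (the RA)
    info["inner_src"] = str(ipaddress.IPv6Address(ipv6[8:24]))
    info["inner_dst"] = str(ipaddress.IPv6Address(ipv6[24:40]))
    return info

def rule_content_matches(payload: bytes) -> bool:
    """Emulate the rule's content match against the raw UDP payload."""
    return payload[RULE_OFFSET:RULE_OFFSET + RULE_DEPTH] == RULE_PATTERN

def build_sample_ra() -> bytes:
    """Constructed server -> client RA payload (sample data, not a capture)."""
    auth = AUTH_INDICATOR + b"\x00\x00" + b"\x11" * 8 + b"\x00"          # 13 bytes
    origin_addr = int(ipaddress.IPv4Address("198.51.100.23"))            # constructed
    origin = ORIGIN_INDICATOR + struct.pack("!HI", 40000 ^ 0xFFFF, origin_addr ^ 0xFFFFFFFF)
    src = ipaddress.IPv6Address("fe80::8000:0102:0304:0506").packed      # server link-local
    dst = ipaddress.IPv6Address("fe80::ffff:ffff:ffff").packed           # client link-local
    icmp6_ra = b"\x86\x00" + b"\x00" * 14                                # type 134 RA, minimal
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp6_ra), 58, 255) + src + dst
    return auth + origin + ipv6 + icmp6_ra
```

Run over the constructed payload, `rule_content_matches` is true and `parse_teredo_payload` reports the IPv6 header at offset 21 plus the de-obfuscated origin IPv4 address, which is the kind of outer-address context the decoded alert in the post no longer shows.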