[Snort-users] Automatically decoding of Teredo traffic

Russ Combs rcombs at ...1935...
Wed Mar 20 10:06:56 EDT 2013


There is no way to turn off teredo at runtime and, as of 2.9.4, there is no
way to build without ip6 support, but Snort rules can be written to match
on either the inner or outer IP layers.  Furthermore, snort -A cmg will
show both layers and unified2 packets have both as well.

As for the example, I'd need to see a pcap.  There should be no need to add the
ip6 address, which doesn't really make sense since it is a udp rule
(meaning the ip6 header is considered payload assuming something like
eth:ip4:udp:ip6:icmp6).

On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...11827...> wrote:

> Hello.  I have not seen an answer to this question and I was thinking the
> same thing myself.  Would perhaps this be better asked on snort-sigs?  I
> hate to cross-post so maybe Joel E. you can do the needful with asking who
> might know this answer?  Thank you.
>
> Cheers,
>
> -Lord C.
>
>
> On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...> wrote:
>
>> Hi all,
>>
>> I have Snort compiled with IPv6 support, and now it seems to
>> automatically decode Teredo traffic. This is a nice feature but I want
>> to detect Teredo tunnels on my network, but because the packet is
>> automatically decoded I cannot detect on the original ipv4 packets
>> that created the tunnel.
>>
>> For example, the following signature works on Snort without ipv6
>> support and reports the ipv4 source and dest that created the tunnel:
>>
>> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
>> Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
>> 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
>> sid:xxx; rev:1;)
>>
>> However, with Snort and ipv6 support the signature stopped working and
>> I had to modify the signature to:
>>
>> alert udp $EXTERNAL_NET 3544 ->
>> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
>> IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
>> 00 00 00 00 00 80 00|"; offset:29; depth:10;
>> classtype:policy-violation; sid:xxxx; rev:1;)
>>
>> However it would then report the ipv6 addresses from the decoded
>> Teredo traffic instead of the original ipv4 addresses:
>>
>> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
>> [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
>> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>>
>> Is there a configuration option that disables the automatic decoding
>> of teredo (and 6in4) tunnels? Of course I could compile it without ipv6
>> support, but I'm looking for a better solution.
>> I'm not sure if this is a bug, but I think this actually degrades the
>> detection capabilities of Snort because it loses the original ipv4
>> addresses.
>>
>> Regards,
>>
>> Yun
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
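An added example, not code from the thread or from Snort itself, that walks a constructed Teredo UDP payload the way a udp rule sees it (eth:ip4:udp:ip6:icmp6), skipping the RFC 4380 authentication and origin indications to find the inner IPv6 header and then applying the rule's offset/depth content check. It assumes the server's router advertisement carries both indications with empty client-id and auth-value fields (13 + 8 bytes), which is what places the FE80::8000 source address at payload offset 29 as in Yun's rule; all packet values are placeholders, and the functions and the sample builder are hypothetical helpers written for this illustration.

```python
import ipaddress

# Content bytes from the posted rule: the FE80::8000... source prefix a Teredo
# server uses in its router advertisement (RFC 4380), matched at offset:29 depth:10.
RA_CONTENT = bytes.fromhex("fe800000000000008000")

def teredo_inner_offset(payload: bytes) -> int:
    """Offset of the inner IPv6 header inside a Teredo UDP payload (RFC 4380 framing)."""
    off = 0
    # Authentication indication: 0x0001, id-len, au-len, client id, auth value,
    # 8-byte nonce, 1-byte confirmation.  Empty id/auth fields make it 13 bytes.
    if payload[off:off + 2] == b"\x00\x01":
        id_len, au_len = payload[off + 2], payload[off + 3]
        off += 4 + id_len + au_len + 8 + 1
    # Origin indication: 0x0000, obfuscated port (2 bytes), obfuscated IPv4 (4 bytes).
    if payload[off:off + 2] == b"\x00\x00":
        off += 8
    return off

def inner_ipv6_src(payload: bytes) -> tuple[int, str]:
    """Return (payload offset of the inner source address, address text)."""
    off = teredo_inner_offset(payload)
    if len(payload) < off + 40 or payload[off] >> 4 != 6:
        raise ValueError("no inner IPv6 header after the Teredo indications")
    src_off = off + 8  # source address starts 8 bytes into the fixed IPv6 header
    return src_off, str(ipaddress.IPv6Address(payload[src_off:src_off + 16]))

def rule_content_matches(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort offset/depth semantics: content must occur within payload[offset:offset + depth]."""
    return content in payload[offset:offset + depth]

def build_sample_teredo_ra(with_indications: bool = True) -> bytes:
    """Constructed router-advertisement payload; every value is a placeholder, not captured traffic."""
    auth = b"\x00\x01\x00\x00" + b"\x11" * 8 + b"\x00"       # empty client id and auth value
    origin = b"\x00\x00" + b"\xf2\x27" + b"\x3f\x57\xfe\xfe"  # obfuscated port and IPv4 (placeholders)
    src = bytes.fromhex("fe80000000000000" "8000" "0a0b0c0d0e0f")
    dst = bytes.fromhex("fe80000000000000" "0000ffffffffffff")
    icmp6_ra = b"\x86\x00\x00\x00" + b"\x40\x00\x00\x00" + b"\x00" * 8  # type 134 (RA), zero checksum
    ipv6 = b"\x60\x00\x00\x00" + len(icmp6_ra).to_bytes(2, "big") + b"\x3a\xff" + src + dst
    return (auth + origin if with_indications else b"") + ipv6 + icmp6_ra

if __name__ == "__main__":
    pkt = build_sample_teredo_ra()
    print(teredo_inner_offset(pkt), inner_ipv6_src(pkt), rule_content_matches(pkt, RA_CONTENT, 29, 10))
    bare = build_sample_teredo_ra(with_indications=False)
    print(teredo_inner_offset(bare), rule_content_matches(bare, RA_CONTENT, 29, 10))
```

The second case shows the rule's hidden dependency: if the indications are absent, the inner header starts at offset 0 and the fixed offset:29 check no longer lines up with the source address.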