[Snort-users] Automatically decoding of Teredo traffic

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Wed Mar 20 11:30:00 EDT 2013


Hello.  Thanks for the responce Russ.  Using '-A cmg' I see the full packet
displayed.  However, it seems 2 me that Snort 2.9 compiled with IPv6 is
detecting the encapsulation and not populating the matching buffers as one
would expects.  I don't have the same experience as Yun but also I am not
able to detect on the actual payload like I needs to - the actual IPv4
payload is what I want to match on with the Snort rules ("content", etc.)
and because the payload is IPv6 and the snort is compiled with IPv6
support, the engine seems to mange the packet so that I cannot detect on
actual payload but may have to guess what the engine is doing and detect on
the modified data?  The snort binary is compiled with the IPv6 support and
I tried to modify configs like comment out 'preprocessor normalize_ip6' but
I still get packet mangle for the sensor detection engine and I do not know
how to tell it not to do this.

Thank you for the help.

Cheers,

-Lord C.

On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs at ...1935...> wrote:

> There is no way to turn off teredo at runtime and, as of 2.9.4, there is
> no way to build without ip6 support, but Snort rules can be written to
> match on either the inner or outer IP layers.  Furthermore, snort -A cmg
> will show both layers and unified2 packets have both as well.
>
> As for the example, need to see a pcap.  There should be no need to add
> the ip6 address, which doesn't really make sense since it is a udp rule
> (meaning the ip6 header is considered payload assuming something like
> eth:ip4:udp:ip6:icmp6).
>
> On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <
> l0rdch0de1m0rt at ...11827...> wrote:
>
>> Hello.  I have not seen an answer to this question and I was thinking the
>> same thing myself.  Would perhaps this be better asked on snort-sigs?  I
>> hate to cross-post so maybe Joel E. you can do the needful with asking who
>> might know this answer?  Thank you.
>>
>> Cheers,
>>
>> -Lord C.
>>
>>
>> On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...>wrote:
>>
>>> Hi all,
>>>
>>> I have Snort compiled with IPv6 support, and now it seems to
>>> automatically decode Teredo traffic. This is a nice feature but I want
>>> to detect Teredo tunnels on my network, but because the packet is
>>> automatically decoded I cannot detect on the original ipv4 packets
>>> that created the tunnel.
>>>
>>> For example, the following signature works on Snort without ipv6
>>> support and reports the ipv4 source and dest that created the tunnel:
>>>
>>> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
>>> Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
>>> 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
>>> sid:xxx; rev:1;)
>>>
>>> However with Snort and ipv6 support the signature stopped working and
>>> i had to modify the signature to:
>>>
>>> alert udp $EXTERNAL_NET 3544 ->
>>> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
>>> IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
>>> 00 00 00 00 00 80 00|"; offset:29; depth:10;
>>> classtype:policy-violation; sid:xxxx; rev:1;)
>>>
>>> However it would then report the ipv6 addresses from the decoded
>>> Teredo traffic instead of the original ipv4 addresses:
>>>
>>> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
>>> [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
>>> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>>>
>>> Is there a configuration option that disables the automatic decoding
>>> of teredo (and 6in4) tunnels? Ofcourse i could compile it without ipv6
>>> support but i'm looking for a better solution.
>>> I'm not sure if this is a bug, but I think this actually degrades the
>>> detection capabilities of Snort because it lost the original ipv4
>>> addresses.
>>>
>>> Regards,
>>>
>>> Yun
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_d2d_mar
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130320/10e54bfd/attachment.html>


More information about the Snort-users mailing list