[Snort-users] Automatically decoding of Teredo traffic

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Wed Mar 20 12:07:48 EDT 2013


Hello.  Joel, please refer to the pcap file from
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap,
packet 31.  I tried this rule:

alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|";
offset:8; depth:1; sid:135792468;)

I do not see an alert!  Did I write the rule wrong?  Is not 0x60 at offset
8 in the true IPv4 payload?

Thanks.

-Lord C.

On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler at ...1935...> wrote:

> Do you have a pcap you can send us off list?
>
>
> On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...11827...>
> wrote:
>
> Hello.  Thanks for the response, Russ.  Using '-A cmg' I see the full
> packet displayed.  However, it seems to me that Snort 2.9 compiled with IPv6
> is detecting the encapsulation and not populating the matching buffers as
> one would expect.  I don't have the same experience as Yun, but also I am
> not able to detect on the actual payload like I need to - the actual IPv4
> payload is what I want to match on with the Snort rules ("content", etc.)
> and because the payload is IPv6 and Snort is compiled with IPv6
> support, the engine seems to mangle the packet so that I cannot detect on
> the actual payload but may have to guess what the engine is doing and detect on
> the modified data?  The Snort binary is compiled with IPv6 support and
> I tried to modify configs like commenting out 'preprocessor normalize_ip6', but
> I still get packet mangling for the sensor detection engine and I do not know
> how to tell it not to do this.
>
> Thank you for the help.
>
> Cheers,
>
> -Lord C.
>
> On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs at ...1935...> wrote:
>
>> There is no way to turn off teredo at runtime and, as of 2.9.4, there is
>> no way to build without ip6 support, but Snort rules can be written to
>> match on either the inner or outer IP layers.  Furthermore, snort -A cmg
>> will show both layers and unified2 packets have both as well.
>>
>> As for the example, need to see a pcap.  There should be no need to add
>> the ip6 address, which doesn't really make sense since it is a udp rule
>> (meaning the ip6 header is considered payload assuming something like
>> eth:ip4:udp:ip6:icmp6).
>>
>> On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <
>> l0rdch0de1m0rt at ...11827...> wrote:
>>
>>> Hello.  I have not seen an answer to this question and I was thinking
>>> the same thing myself.  Would perhaps this be better asked on snort-sigs?
>>> I hate to cross-post so maybe Joel E. you can do the needful with asking
>>> who might know this answer?  Thank you.
>>>
>>> Cheers,
>>>
>>> -Lord C.
>>>
>>>
>>> On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have Snort compiled with IPv6 support, and now it seems to
>>>> automatically decode Teredo traffic. This is a nice feature but I want
>>>> to detect Teredo tunnels on my network, but because the packet is
>>>> automatically decoded I cannot detect on the original ipv4 packets
>>>> that created the tunnel.
>>>>
>>>> For example, the following signature works on Snort without ipv6
>>>> support and reports the ipv4 source and dest that created the tunnel:
>>>>
>>>> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
>>>> Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
>>>> 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
>>>> sid:xxx; rev:1;)
>>>>
>>>> However, with Snort and IPv6 support the signature stopped working and
>>>> I had to modify the signature to:
>>>>
>>>> alert udp $EXTERNAL_NET 3544 ->
>>>> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
>>>> IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
>>>> 00 00 00 00 00 80 00|"; offset:29; depth:10;
>>>> classtype:policy-violation; sid:xxxx; rev:1;)
>>>>
>>>> However it would then report the ipv6 addresses from the decoded
>>>> Teredo traffic instead of the original ipv4 addresses:
>>>>
>>>> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
>>>> [**] [Classification: Potential Corporate Privacy Violation]
>>>> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
>>>> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>>>>
>>>> Is there a configuration option that disables the automatic decoding
>>>> of Teredo (and 6in4) tunnels? Of course I could compile it without IPv6
>>>> support, but I'm looking for a better solution.
>>>> I'm not sure if this is a bug, but I think this actually degrades the
>>>> detection capabilities of Snort because it loses the original IPv4
>>>> addresses.
>>>>
>>>> Regards,
>>>>
>>>> Yun
>>>>
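Both of the offsets argued about in this thread (Lord C.'s `offset:8` for the 0x60 version byte and Yun's `offset:29` for the `FE 80 ... 80 00` source address) depend on which optional Teredo headers (RFC 4380) sit between the UDP header and the inner IPv6 header. The following Python is an added example, not code from the thread or from Snort: it walks the Authentication and Origin Indication headers and reports where the inner IPv6 header and its source address start, so a UDP-layer `content` offset can be computed rather than guessed. The sample payloads are constructed to have the shapes described in the thread; they are not taken from the Wireshark capture.

```python
"""Walk the Teredo (RFC 4380) encapsulation inside a UDP/3544 payload and
report where the inner IPv6 header starts, which is the number a Snort
'offset:' needs.  Sample payloads below are constructed, not from the pcap."""
import ipaddress
import struct

def parse_teredo(payload: bytes) -> dict:
    """Skip optional Authentication and Origin Indication headers; return offsets."""
    pos = 0
    info = {"auth": False, "origin": None}
    # Authentication header: 00 01, ID-len, AU-len, ClientID, AuthValue, nonce(8), confirm(1)
    if payload[pos:pos + 2] == b"\x00\x01":
        id_len, au_len = payload[pos + 2], payload[pos + 3]
        pos += 4 + id_len + au_len + 8 + 1
        info["auth"] = True
    # Origin Indication: 00 00, port XOR 0xFFFF, IPv4 address XOR 0xFFFFFFFF
    if payload[pos:pos + 2] == b"\x00\x00":
        port, addr = struct.unpack("!HI", payload[pos + 2:pos + 8])
        info["origin"] = (port ^ 0xFFFF,
                          str(ipaddress.IPv4Address(addr ^ 0xFFFFFFFF)))
        pos += 8
    if payload[pos] >> 4 != 6:
        raise ValueError("no IPv6 header at offset %d" % pos)
    info["ipv6_offset"] = pos        # where the 0x60 version byte sits
    info["src_offset"] = pos + 8     # start of the IPv6 source address field
    info["src"] = str(ipaddress.IPv6Address(payload[pos + 8:pos + 24]))
    info["dst"] = str(ipaddress.IPv6Address(payload[pos + 24:pos + 40]))
    return info

def ipv6_header(src: str, dst: str, next_hdr: int = 58) -> bytes:
    """Minimal 40-byte IPv6 header (payload length 0, default next header ICMPv6)."""
    return (struct.pack("!IHBB", 0x60000000, 0, next_hdr, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed server -> client Router Advertisement shape: Authentication header
# with empty client ID / auth value (13 bytes) + Origin Indication (8 bytes),
# so the IPv6 header lands at offset 21 and its source address at offset 29.
AUTH = b"\x00\x01" + b"\x00\x00" + b"\x00" * 8 + b"\x00"
ORIGIN = b"\x00\x00" + struct.pack("!HI", 3544 ^ 0xFFFF,
                                   int(ipaddress.IPv4Address("192.0.2.10")) ^ 0xFFFFFFFF)
RA = AUTH + ORIGIN + ipv6_header("fe80::8000:0:0:0", "fe80::ffff:ffff:ffff")
DATA = ORIGIN + ipv6_header("2001:db8::1", "2001:db8::2")   # Origin Indication only
BARE = ipv6_header("2001:db8::1", "2001:db8::2")            # no Teredo headers at all

if __name__ == "__main__":
    for name, pkt in (("RA", RA), ("ORIGIN+IPv6", DATA), ("BARE", BARE)):
        print(name, parse_teredo(pkt))
```

Only a packet carrying exactly an 8-byte Origin Indication has 0x60 at offset 8; a bare encapsulation has it at offset 0, and the RA shape has it at offset 21, which is why a rule written for one packet shape is silent on another.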