[Snort-users] Automatically decoding of Teredo traffic

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Tue Mar 26 15:56:00 EDT 2013


Hello.  Was anyone able to see the problem that I am having?  Thanks.

Cheers,

-Lord C.

On Wed, Mar 20, 2013 at 11:07 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...11827...> wrote:

> Hello.  Joel, please refer to the pcap file from
> http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap,
> packet 31.  I tried this rule:
>
> alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|";
> offset:8; depth:1; sid:135792468;)
>
> I do not see an alert!  Did I write the rule wrong?  Is not 0x60 at offset
> 8 in the true IPv4 payload?
>
> Thanks.
>
> -Lord C.
>
>
> On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler at ...1935...> wrote:
>
>> Do you have a pcap you can send us off list?
>>
>>
>> On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...11827...>
>> wrote:
>>
>> Hello.  Thanks for the response, Russ.  Using '-A cmg' I see the full
>> packet displayed.  However, it seems to me that Snort 2.9 compiled with IPv6
>> is detecting the encapsulation and not populating the matching buffers as
>> one would expect.  I don't have the same experience as Yun, but I am also
>> not able to detect on the actual payload like I need to - the actual IPv4
>> payload is what I want to match on with the Snort rules ("content", etc.)
>> and because the payload is IPv6 and Snort is compiled with IPv6
>> support, the engine seems to mangle the packet so that I cannot detect on
>> the actual payload but may have to guess what the engine is doing and detect on
>> the modified data?  The Snort binary is compiled with IPv6 support and
>> I tried to modify configs, like commenting out 'preprocessor normalize_ip6', but
>> I still get packet mangling for the sensor detection engine and I do not know
>> how to tell it not to do this.
>>
>> Thank you for the help.
>>
>> Cheers,
>>
>> -Lord C.
>>
>> On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs at ...1935...> wrote:
>>
>>> There is no way to turn off teredo at runtime and, as of 2.9.4, there is
>>> no way to build without ip6 support, but Snort rules can be written to
>>> match on either the inner or outer IP layers.  Furthermore, snort -A cmg
>>> will show both layers and unified2 packets have both as well.
>>>
>>> As for the example, need to see a pcap.  There should be no need to add
>>> the ip6 address, which doesn't really make sense since it is a udp rule
>>> (meaning the ip6 header is considered payload assuming something like
>>> eth:ip4:udp:ip6:icmp6).
>>>
>>> On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <
>>> l0rdch0de1m0rt at ...11827...> wrote:
>>>
>>>> Hello.  I have not seen an answer to this question and I was thinking
>>>> the same thing myself.  Would perhaps this be better asked on snort-sigs?
>>>> I hate to cross-post so maybe Joel E. you can do the needful with asking
>>>> who might know this answer?  Thank you.
>>>>
>>>> Cheers,
>>>>
>>>> -Lord C.
>>>>
>>>>
>>>> On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have Snort compiled with IPv6 support, and now it seems to
>>>>> automatically decode Teredo traffic. This is a nice feature, but I want
>>>>> to detect Teredo tunnels on my network, and because the packet is
>>>>> automatically decoded I cannot detect on the original IPv4 packets
>>>>> that created the tunnel.
>>>>>
>>>>> For example, the following signature works on Snort without ipv6
>>>>> support and reports the ipv4 source and dest that created the tunnel:
>>>>>
>>>>> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
>>>>> Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
>>>>> 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
>>>>> sid:xxx; rev:1;)
>>>>>
>>>>> However, with Snort and IPv6 support the signature stopped working and
>>>>> I had to modify the signature to:
>>>>>
>>>>> alert udp $EXTERNAL_NET 3544 ->
>>>>> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
>>>>> IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
>>>>> 00 00 00 00 00 80 00|"; offset:29; depth:10;
>>>>> classtype:policy-violation; sid:xxxx; rev:1;)
>>>>>
>>>>> However it would then report the ipv6 addresses from the decoded
>>>>> Teredo traffic instead of the original ipv4 addresses:
>>>>>
>>>>> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
>>>>> [**] [Classification: Potential Corporate Privacy Violation]
>>>>> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
>>>>> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>>>>>
>>>>> Is there a configuration option that disables the automatic decoding
>>>>> of Teredo (and 6in4) tunnels? Of course I could compile it without IPv6
>>>>> support, but I'm looking for a better solution.
>>>>> I'm not sure if this is a bug, but I think this actually degrades the
>>>>> detection capabilities of Snort because it loses the original IPv4
>>>>> addresses.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Yun
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Live Security Virtual Conference
>>>>> Exclusive live event will cover all the ways today's security and
>>>>> threat landscape has changed and how IT managers can respond.
>>>>> Discussions
>>>>> will include endpoint security, mobile security and the latest in
>>>>> malware
>>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
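Both rules in this thread count their offsets from the first byte of the UDP payload (Snort's `offset` for a udp rule), and for Teredo that payload may begin with an authentication indication and an origin indication before the inner IPv6 header. The following script is an added example written for this page, not Snort's decoder and not code from any participant in the thread: it builds a constructed Teredo server-to-client Router Advertisement (constructed addresses and bytes; not the Wireshark Teredo.pcap or its packet 31), parses the outer IPv4/UDP layer and the Teredo indications, and reports where the inner IPv6 version byte and source address land, so both the outer IPv4 addresses and the inner IPv6 addresses are visible from the same packet. All function names are mine. With both indications present the inner header starts at offset 21 and its source address at 29; with only an origin indication the 0x60 version byte sits at offset 8; with neither, at 0.

```python
"""Added example (not Snort code): map Teredo encapsulation to rule offsets.

Offsets reported are relative to the start of the UDP payload, which is
what a Snort udp rule's offset/depth keywords count from.  Field sizes
follow RFC 4380: authentication indication = 13 bytes when the client
identifier and authentication value are empty, origin indication = 8.
"""
import ipaddress
import struct

TEREDO_PORT = 3544
AUTH_IND = b"\x00\x01"    # Teredo authentication indication marker
ORIGIN_IND = b"\x00\x00"  # Teredo origin indication marker


def parse_teredo_udp_payload(payload: bytes) -> dict:
    """Skip the Teredo indications and locate the inner IPv6 header fields."""
    pos = 0
    info = {"auth_indication_len": 0, "origin_indication_len": 0}
    if payload[pos:pos + 2] == AUTH_IND:
        id_len, au_len = payload[pos + 2], payload[pos + 3]
        # marker(2) + id_len(1) + au_len(1) + client id + auth value + nonce(8) + confirmation(1)
        length = 4 + id_len + au_len + 8 + 1
        info["auth_indication_len"] = length
        pos += length
    if payload[pos:pos + 2] == ORIGIN_IND:
        port_obf, addr_obf = struct.unpack("!H4s", payload[pos + 2:pos + 8])
        # RFC 4380 stores the origin port and address XORed with all-ones bits
        info["origin_port"] = port_obf ^ 0xFFFF
        info["origin_addr"] = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in addr_obf)))
        info["origin_indication_len"] = 8
        pos += 8
    if len(payload) < pos + 40 or payload[pos] >> 4 != 6:
        raise ValueError("no inner IPv6 header at payload offset %d" % pos)
    info["ipv6_offset"] = pos           # where the 0x6x version byte sits
    info["ipv6_src_offset"] = pos + 8   # 16-byte source address follows the fixed fields
    info["ipv6_dst_offset"] = pos + 24
    info["ipv6_next_header"] = payload[pos + 6]
    info["ipv6_src"] = str(ipaddress.IPv6Address(payload[pos + 8:pos + 24]))
    info["ipv6_dst"] = str(ipaddress.IPv6Address(payload[pos + 24:pos + 40]))
    return info


def parse_ipv4_udp(packet: bytes) -> dict:
    """Parse the outer IPv4 and UDP headers; return outer addresses and the UDP payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "sport": sport,
        "dport": dport,
        "udp_payload": packet[ihl + 8:ihl + ulen],  # ulen counts the 8-byte UDP header
    }


def content_at(payload: bytes, offset: int, depth: int) -> str:
    """Hex of the bytes a Snort `content` with offset/depth would inspect."""
    return payload[offset:offset + depth].hex()


def build_router_advertisement() -> bytes:
    """Constructed Teredo server -> client RA: IPv4/UDP, auth + origin indication, IPv6/ICMPv6."""
    auth = AUTH_IND + b"\x00\x00" + b"\x00" * 8 + b"\x00"   # empty id/auth, zero nonce
    client_ip4 = ipaddress.IPv4Address("192.0.2.10")         # constructed client address
    origin = ORIGIN_IND + struct.pack("!H", TEREDO_PORT ^ 0xFFFF) \
        + bytes(b ^ 0xFF for b in client_ip4.packed)
    src6 = ipaddress.IPv6Address("fe80::8000:ffff:ffff:fffe").packed  # constructed server link-local
    dst6 = ipaddress.IPv6Address("fe80::ffff:ffff:ffff").packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)   # RA, checksum left zero
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src6 + dst6
    payload = auth + origin + ip6 + icmp
    udp = struct.pack("!HHHH", TEREDO_PORT, 40000, 8 + len(payload), 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                      64, 17, 0, ipaddress.IPv4Address("198.51.100.1").packed,
                      client_ip4.packed)
    return ip4 + udp + payload


def describe(packet: bytes) -> dict:
    """Both layers of one packet, the way `snort -A cmg` shows them side by side."""
    outer = parse_ipv4_udp(packet)
    inner = parse_teredo_udp_payload(outer["udp_payload"])
    return {"outer": outer, "inner": inner}


if __name__ == "__main__":
    d = describe(build_router_advertisement())
    print("outer IPv4:", d["outer"]["outer_src"], "->", d["outer"]["outer_dst"])
    print("inner IPv6:", d["inner"]["ipv6_src"], "->", d["inner"]["ipv6_dst"])
    print("IPv6 header at UDP payload offset", d["inner"]["ipv6_offset"],
          "source address at offset", d["inner"]["ipv6_src_offset"])
    print("content at offset 29, depth 10:", content_at(d["outer"]["udp_payload"], 29, 10))
```

Running the script prints the outer IPv4 pair and the inner IPv6 pair for the constructed RA, and shows that the ten bytes at offset 29 are the leading bytes of the inner source address, which is the position Yun's rule inspects. Slicing the same payload after the 13-byte authentication indication gives the origin-only layout, where the version byte is at offset 8.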