[Snort-users] Automatically decoding of Teredo traffic

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Fri Mar 29 09:35:28 EDT 2013


Thanks Joel for looking into this.  I eagerly await the results and the
expert(s)' determination of this.  Most of the time I am wrong about a
configuration or process, so hopefully my error can be made clear or you can
let me know if there is a *real* problem.

I apologize in advance if this is an error on my end but secretly hope it
is not the case :)

-Lord C.

On Tue, Mar 26, 2013 at 4:52 PM, Joel Esler <jesler at ...1935...> wrote:

> Let me take a look at this tomorrow.
>
> On Mar 26, 2013, at 3:56 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...11827...>
> wrote:
>
> Hello.  Was anyone able to see the problem that I am having?  Thanks.
>
> Cheers,
>
> -Lord C.
>
> On Wed, Mar 20, 2013 at 11:07 AM, L0rd Ch0de1m0rt <
> l0rdch0de1m0rt at ...11827...> wrote:
>
>> Hello.  Joel, please refer to the pcap file from
>> http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap,
>> packet 31.  I tried this rule:
>>
>> alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|";
>> offset:8; depth:1; sid:135792468;)
>>
>> I do not see an alert!  Did I write the rule wrong?  Isn't 0x60 at
>> offset 8 in the true IPv4 payload?
>>
>> Thanks.
>>
>> -Lord C.
>>
>>
>> On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler at ...1935...> wrote:
>>
>>> Do you have a pcap you can send us off list?
>>>
>>>
>>> On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...11827...>
>>> wrote:
>>>
>>> Hello.  Thanks for the response Russ.  Using '-A cmg' I see the full
>>> packet displayed.  However, it seems to me that Snort 2.9 compiled with IPv6
>>> is detecting the encapsulation and not populating the matching buffers as
>>> one would expect.  I don't have the same experience as Yun but also I am
>>> not able to detect on the actual payload like I need to - the actual IPv4
>>> payload is what I want to match on with the Snort rules ("content", etc.)
>>> and because the payload is IPv6 and Snort is compiled with IPv6
>>> support, the engine seems to mangle the packet so that I cannot detect on
>>> the actual payload but may have to guess what the engine is doing and detect on
>>> the modified data?  The snort binary is compiled with IPv6 support and
>>> I tried to modify configs like commenting out 'preprocessor normalize_ip6' but
>>> I still get packet mangling for the sensor detection engine and I do not know
>>> how to tell it not to do this.
>>>
>>> Thank you for the help.
>>>
>>> Cheers,
>>>
>>> -Lord C.
>>>
>>> On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>
>>>> There is no way to turn off teredo at runtime and, as of 2.9.4, there
>>>> is no way to build without ip6 support, but Snort rules can be written to
>>>> match on either the inner or outer IP layers.  Furthermore, snort -A cmg
>>>> will show both layers and unified2 packets have both as well.
>>>>
>>>> As for the example, need to see a pcap.  There should be no need to add
>>>> the ip6 address, which doesn't really make sense since it is a udp rule
>>>> (meaning the ip6 header is considered payload assuming something like
>>>> eth:ip4:udp:ip6:icmp6).
>>>>
>>>> On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <
>>>> l0rdch0de1m0rt at ...11827...> wrote:
>>>>
>>>>> Hello.  I have not seen an answer to this question and I was thinking
>>>>> the same thing myself.  Would perhaps this be better asked on snort-sigs?
>>>>> I hate to cross-post so maybe Joel E. you can do the needful with asking
>>>>> who might know this answer?  Thank you.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> -Lord C.
>>>>>
>>>>>
>>>>> On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu at ...11827...> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I have Snort compiled with IPv6 support, and now it seems to
>>>>>> automatically decode Teredo traffic. This is a nice feature but I want
>>>>>> to detect Teredo tunnels on my network, but because the packet is
>>>>>> automatically decoded I cannot detect on the original ipv4 packets
>>>>>> that created the tunnel.
>>>>>>
>>>>>> For example, the following signature works on Snort without ipv6
>>>>>> support and reports the ipv4 source and dest that created the tunnel:
>>>>>>
>>>>>> alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
>>>>>> Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
>>>>>> 00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
>>>>>> sid:xxx; rev:1;)
>>>>>>
>>>>>> However with Snort and ipv6 support the signature stopped working and
>>>>>> I had to modify the signature to:
>>>>>>
>>>>>> alert udp $EXTERNAL_NET 3544 ->
>>>>>> [$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
>>>>>> IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
>>>>>> 00 00 00 00 00 80 00|"; offset:29; depth:10;
>>>>>> classtype:policy-violation; sid:xxxx; rev:1;)
>>>>>>
>>>>>> However it would then report the ipv6 addresses from the decoded
>>>>>> Teredo traffic instead of the original ipv4 addresses:
>>>>>>
>>>>>> [**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
>>>>>> [**] [Classification: Potential Corporate Privacy Violation]
>>>>>> [Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
>>>>>> fe80:0000:0000:0000:0000:ffff:ffff:ffff
>>>>>>
>>>>>> Is there a configuration option that disables the automatic decoding
>>>>>> of teredo (and 6in4) tunnels? Of course I could compile it without ipv6
>>>>>> support but I'm looking for a better solution.
>>>>>> I'm not sure if this is a bug, but I think this actually degrades the
>>>>>> detection capabilities of Snort because it lost the original ipv4
>>>>>> addresses.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Yun
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>
>>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>>> Snort news!
>>>>>>
>>>>>
>>>
>>
>
>
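To make the offsets discussed in this thread concrete (Yun's offset:29 for the inner IPv6 source address, and the question of where the 0x60 version byte sits relative to the UDP payload), here is an added Python model of RFC 4380 Teredo framing; it is not code from the thread or from Snort. The Router Advertisement bytes are constructed, and it assumes Snort's documented content semantics where depth is counted from offset.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40

def teredo_inner_offsets(udp_payload: bytes):
    """Return (ipv6_offset, src_addr_offset, next_header) for a Teredo UDP payload.

    Snort's content 'offset' counts from the first byte after the UDP header,
    which is where udp_payload begins. RFC 4380 lets the Teredo server prepend
    an Authentication indication (0x0001) and an Origin indication (0x0000);
    both must be skipped before the IPv6 version byte (0x6?) appears.
    """
    pos = 0
    if udp_payload[pos:pos + 2] == b"\x00\x01":          # Authentication indication
        id_len, au_len = udp_payload[pos + 2], udp_payload[pos + 3]
        pos += 4 + id_len + au_len + 8 + 1                # ID, AU, 8-byte nonce, confirmation
    if udp_payload[pos:pos + 2] == b"\x00\x00":          # Origin indication
        pos += 8                                          # indicator, obfuscated port, address
    if len(udp_payload) < pos + IPV6_HDR_LEN or udp_payload[pos] >> 4 != 6:
        raise ValueError("no IPv6 header after the Teredo indications")
    return pos, pos + 8, udp_payload[pos + 6]

def inner_ipv6_addresses(udp_payload: bytes):
    """The tunnelled IPv6 src/dst, i.e. what Snort with IPv6 support reports."""
    _, src_off, _ = teredo_inner_offsets(udp_payload)
    src = ipaddress.IPv6Address(udp_payload[src_off:src_off + 16])
    dst = ipaddress.IPv6Address(udp_payload[src_off + 16:src_off + 32])
    return str(src), str(dst)

def snort_content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Emulate content/offset/depth: search 'depth' bytes starting at 'offset'."""
    return content in payload[offset:offset + depth]

def build_sample_router_advertisement() -> bytes:
    """Constructed Teredo Router Advertisement: auth + origin + IPv6/ICMPv6 RA."""
    auth = b"\x00\x01" + b"\x00\x00" + b"\x00" * 8 + b"\x00"    # id_len=0, au_len=0, nonce, confirm
    origin = b"\x00\x00" + b"\xf2\x17" + b"\x7f\xff\xff\xfe"    # obfuscated port and IPv4 (constructed)
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)  # ICMPv6 RA, checksum left 0
    src = ipaddress.IPv6Address("fe80::8000:1234:5678:9abc").packed  # constructed server-side address
    dst = ipaddress.IPv6Address("fe80::ffff:ffff:ffff").packed       # address from the thread's alert
    ip6 = struct.pack("!IHBB", 0x60000000, len(ra), 58, 255) + src + dst
    return auth + origin + ip6 + ra
```

With both indications present the inner IPv6 header starts at byte 21 and its source address at byte 29, which is why Yun's "FE 80 ... 80 00" with offset:29 lines up, while a single 0x60 at offset 8 does not.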