[Snort-users] Snort 2.9 for IPv6

oleg gv oagvozd at gmail.com
Thu Feb 22 06:02:13 EST 2018


I mean NFQ mode only.

2018-02-22 14:01 GMT+03:00 oleg gv <oagvozd at gmail.com>:

> I use latest version as on site snort.org specified: daq-2.0.6 and
> snort-2.9.11.1
>
> In Daq (even in 2.2.2 version for snort 3.x) there is comment in code:
>
> #if 0
>     // doesn't look like both can be handled simultaneously
>     if ( !strncasecmp(s, "ip*", 3) )
>         return 0x3;
> #endif
>
> So problem still exists - 2 instances of snort if I want to sniff all IP
> trafic (for 4 and 6 versions of IP).
>
> No other ways?
>
>
> 2018-02-21 21:14 GMT+03:00 Russ via Snort-users <
> snort-users at lists.snort.org>:
>
>> What version of Snort and DAQ are you using?  --enable-ipv6 is kinda old
>> now.  If you aren't using the latest I suggest updating.  The DAQ may have
>> been updated to address this issue.
>>
>>
>> On 2/21/18 9:27 AM, oleg gv via Snort-users wrote:
>>
>> Daq can not sniff both on V4 and v6. So 2 instanses of snort is the only
>> way?
>>
>> 2018-02-21 17:17 GMT+03:00 oleg gv <oagvozd at gmail.com>:
>>
>>> Hello,
>>> I can not see alert on the next rules
>>>
>>> alert ip any any --> IPV6_ADDRESS any (...)
>>>
>>> alert icmp any any --> IPV6_ADDRESS any (...)
>>>
>>> I use ping6 to test it.
>>>
>>> Ipv4 test works fine.
>>>
>>> Snort is build with --enable-ipv6 and uses ip6tables NFQUEUE.
>>>
>>> Other ipv6 tcp/udp alerts also works fine.
>>>
>>> Is it possible to detect IPv6 addresses in ip/icmp protocol rules  ?
>>>
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing listSnort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>> Please follow these rules: https://snort.org/faq/what-is-
>> the-mailing-list-etiquette
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180222/ea00c49c/attachment.html>


More information about the Snort-users mailing list