[Snort-users] Snort 2.9 for IPv6

Russ rucombs at cisco.com
Thu Feb 22 10:52:26 EST 2018



On 2/22/18 6:01 AM, oleg gv wrote:
> I use the latest version as specified on the site snort.org <http://snort.org>: 
> daq-2.0.6 and snort-2.9.11.1
OK, so --enable-ipv6 became the default in 2011 and was deleted 
altogether a while back.  If you add --enable-option-checking=fatal to 
your configure line it will help flush those out.  Anyway, that is for 
Snort, not the DAQ.
>
> In Daq (even in 2.2.2 version for snort 3.x) there is comment in code:
>
> #if 0
>     // doesn't look like both can be handled simultaneously
>     if ( !strncasecmp(s, "ip*", 3) )
>         return 0x3;
> #endif
>
> So the problem still exists - 2 instances of snort if I want to sniff all 
> IP traffic (for versions 4 and 6 of IP).
>
> No other ways?
This came up a long time ago on the list and apparently was never 
resolved.  It looks like nfq_bind_pf is now deprecated (see e.g. 
https://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__LibrarySetup.html) 
and the NFQ DAQ should be updated to support both simultaneously. Snort may 
need a tweak as well to deal with the ambiguous DLT.
>
> 2018-02-21 21:14 GMT+03:00 Russ via Snort-users 
> <snort-users at lists.snort.org <mailto:snort-users at lists.snort.org>>:
>
>     What version of Snort and DAQ are you using?  --enable-ipv6 is
>     kinda old now. If you aren't using the latest I suggest updating. 
>     The DAQ may have been updated to address this issue.
>
>
>     On 2/21/18 9:27 AM, oleg gv via Snort-users wrote:
>>     Daq can not sniff both on v4 and v6. So 2 instances of snort are
>>     the only way?
>>
>>     2018-02-21 17:17 GMT+03:00 oleg gv <oagvozd at gmail.com
>>     <mailto:oagvozd at gmail.com>>:
>>
>>         Hello,
>>         I can not see alert on the next rules
>>
>>         alert ip any any -> IPV6_ADDRESS any (...)
>>
>>         alert icmp any any -> IPV6_ADDRESS any (...)
>>
>>         I use ping6 to test it.
>>
>>         Ipv4 test works fine.
>>
>>         Snort is built with --enable-ipv6 and uses ip6tables NFQUEUE.
>>
>>         Other IPv6 tcp/udp alerts also work fine.
>>
>>         Is it possible to detect IPv6 addresses in ip/icmp protocol
>>         rules?
>>
>>
>>
>>
>>     _______________________________________________
>>     Snort-users mailing list
>>     Snort-users at lists.snort.org <mailto:Snort-users at lists.snort.org>
>>     Go to this URL to change user options or unsubscribe:
>>     https://lists.snort.org/mailman/listinfo/snort-users
>>     <https://lists.snort.org/mailman/listinfo/snort-users>
>>
>>     Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>>     Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>     <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
>
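As an added illustration of the dispatch Russ describes (example code added here, not DAQ or Snort code): NFQUEUE hands the reader a bare IP packet with no link-layer header, so a single process that wants both families has to classify each packet by its IP version nibble rather than by a per-family binding. The packet bytes below are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not DAQ or Snort code: one reader for both families must
 * dispatch on the IP version nibble instead of relying on nfq_bind_pf(). */
enum { RAW_IP_UNKNOWN = 0, RAW_IP_V4 = 4, RAW_IP_V6 = 6 };
struct raw_ip_info {
    int family;          /* RAW_IP_V4, RAW_IP_V6 or RAW_IP_UNKNOWN */
    uint8_t next_proto;  /* IPv4 protocol field or IPv6 next header */
    uint8_t src[16];     /* address bytes; 4 or 16 of them are valid */
    uint8_t dst[16];
    size_t hdr_len;      /* offset of the transport (or extension) header */
};
/* Constructed sample packets (headers only): IPv4 ICMP 10.0.0.1 -> 10.0.0.2
 * and IPv6 ICMPv6 fe80::1 -> fe80::2, as ping/ping6 would produce. */
static const uint8_t sample_v4[20] = {0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0,
                                      10, 0, 0, 1, 10, 0, 0, 2};
static const uint8_t sample_v6[40] = {0x60, 0, 0, 0, 0, 0, 58, 64,
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2};
/* Classify a raw L3 packet. Returns the family, or RAW_IP_UNKNOWN for a
 * truncated or malformed header so the caller can drop it safely. */
int classify_raw_ip(const uint8_t *pkt, size_t len, struct raw_ip_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20)                            /* shortest valid header */
        return RAW_IP_UNKNOWN;
    unsigned ver = pkt[0] >> 4;
    if (ver == 4) {
        size_t ihl = (pkt[0] & 0x0f) * 4u;   /* IHL is in 32-bit words */
        if (ihl < 20 || len < ihl)
            return RAW_IP_UNKNOWN;
        out->family = RAW_IP_V4;
        out->next_proto = pkt[9];
        memcpy(out->src, pkt + 12, 4);
        memcpy(out->dst, pkt + 16, 4);
        out->hdr_len = ihl;
    } else if (ver == 6) {
        if (len < 40)                        /* fixed IPv6 header size */
            return RAW_IP_UNKNOWN;
        out->family = RAW_IP_V6;
        out->next_proto = pkt[6];
        memcpy(out->src, pkt + 8, 16);
        memcpy(out->dst, pkt + 24, 16);
        out->hdr_len = 40;
    } else {
        return RAW_IP_UNKNOWN;
    }
    return out->family;
}
```

With the family known, the caller can hand the packet to the matching decoder (ICMP for next_proto 1, ICMPv6 for 58) and a single reader covers both families from one queue.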
