IDS: Re: EXPERIMENTAL IPv6 decoder available in Snort

Re: EXPERIMENTAL IPv6 decoder available in Snort

From: mb_lima <mb_lima_at_uol.com.br>
Date: Fri, 27 Dec 2002 15:00:51 -0200

 Hi folks,

   I think that there are few reasons to tunnel IPv6 in IPv4
packets. Tunneling is one of the many alternatives to
implement transition to IPv6 networks. It is used basically
to provide communication between IPv6 islands through IPv4
infrastructure.

Regards,

   Marcelo.

> Nope, Lance's issue (the honeynet project's, actually) was IPv6
> tunneled over IPv4. I used packet captures from the compromised
> honeypot as my test data, so I'm pretty sure about that one. I don't
> think there's an option to tunnel v4 over v6, at least not that I was
> able to find in in.h.
>
> -Marty
>
>
> On Tuesday, December 24, 2002, at 03:10 AM, Greg van der Gaast wrote:
>
> > "This decoder is implemented to test Snort's
> > capability to analyze IPv6 and IPv6 tunneled over IPv4."
> >
> >
> > Don't you mean IPv4 tunneled over IPv6? (as in IPv4 traffic being sent
> > inside an IPv6 tunnel) I thought that was Lance's issue. I might be
> > mistaken here. In any case, thanks Marty. We love you ;)
> >
> > Cheers, merry Christmas and happy new year.
> >
> > Greg van der Gaast
> > Guy with clue @ Ordina Public West NL
> > (Frustrating times)
> >
> > -----Original Message-----
> > From: Martin Roesch [mailto:roesch_at_sourcefire.com]
> > Sent: Saturday, December 21, 2002 2:45 AM
> > To: focus-ids_at_securityfocus.com
> > Subject: EXPERIMENTAL IPv6 decoder available in Snort
> >
> > Hi everyone,
> > Following up Lance's message regarding the usage of IPv6 tunneling on a
> > honeynet, I'd like to announce the availability of an *experimental*
> > version of Snort with an IPv6 decoder. This decoder is implemented to
> > test Snort's capability to analyze IPv6 and IPv6 tunneled over IPv4.
> > Currently it consists of a decoder and printing module only, so if you
> > want to test it and see the v6 output, just run 'snort -dv'.
> >
> > If people would like to test the code out and see if it's working
> > properly, it can be downloaded and tested at:
> >
> > http://www.snort.org/~roesch/snort-2.0.0beta-ipv6.tar.gz
> >
> > This code currently doesn't have any components integrated into the
> > detection engine, so you can't tell Snort to look at IPv6 addresses or
> > header fields using the rules language yet. It is capable of looking
> > for standard embedded protocol headers and payloads in IPv6 tunneled
> > over IPv4.
> >
> > If people would like to test this code out, I'm primarily interested in
> > seeing if the code is stable and capable of decoding all v6 traffic
> > without any memory leaks or crashes. Unfortunately, my ability to
> > generate v6 traffic for testing purposes is extremely limited right
> > now, so I'm depending on people with access to the right kind of
> > networks to help out!
> >
> > Once I'm happy with the decoder, I'll integrate IPv6 support into the
> > detection engine!
> >
> > -Marty
> >
> > --
> > Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
> > Sourcefire: Professional Snort Sensor and Management Console appliances
> > roesch@sourcefire.com - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
>
>
Received on Dec 27 2002
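
The IPv6-tunneled-over-IPv4 case discussed in this thread, as an added C example (not code from Snort or from anyone in the thread): a bounds-checked decoder that finds the inner IPv6 header behind an outer IPv4 header. It assumes the outer header carries IANA protocol number 41 (IPPROTO_IPV6 in in.h); the struct, function name and sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_V6_IN_V4 41 /* IANA protocol number for IPv6 encapsulation */

struct inner_v6 { /* hypothetical result type for this example */
    uint8_t next_header, hop_limit, src[16], dst[16];
    uint16_t payload_len;
};

/* 0 = decoded, -1 = not IPv6-in-IPv4 (or non-first fragment), -2 = malformed */
int decode_v6_in_v4(const uint8_t *p, size_t len, struct inner_v6 *out)
{
    if (len < 20 || (p[0] >> 4) != 4) return -2;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;     /* outer header incl. options */
    size_t total = ((size_t)p[2] << 8) | p[3];  /* outer total length */
    if (ihl < 20 || total < ihl || total > len) return -2;
    if (p[9] != PROTO_V6_IN_V4) return -1;
    /* fragment offset != 0: this packet does not start with the inner header */
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0) return -1;
    const uint8_t *v6 = p + ihl;
    size_t v6len = total - ihl;
    if (v6len < 40 || (v6[0] >> 4) != 6) return -2; /* fixed header: 40 bytes */
    out->payload_len = (uint16_t)((v6[4] << 8) | v6[5]);
    if ((size_t)out->payload_len > v6len - 40) return -2; /* must fit in outer */
    out->next_header = v6[6];
    out->hop_limit = v6[7];
    memcpy(out->src, v6 + 8, 16);
    memcpy(out->dst, v6 + 24, 16);
    return 0;
}

/* Constructed sample: 192.0.2.1 -> 192.0.2.2 carrying 2001:db8::1 ->
   2001:db8::2, ICMPv6 echo request. Checksums are zero and not verified. */
static const uint8_t sample[68] = {
    0x45,0,0,0x44, 0,1,0,0, 0x40,0x29,0,0, 0xc0,0,2,1, 0xc0,0,2,2, /* IPv4 */
    0x60,0,0,0, 0,8,0x3a,0x40,               /* IPv6: len 8, next header 58 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,               /* inner src */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,               /* inner dst */
    0x80,0,0,0, 0,1,0,1                                /* ICMPv6 echo request */
};

int main(void)
{
    struct inner_v6 h = {0};
    int rc = decode_v6_in_v4(sample, sizeof sample, &h);
    printf("rc=%d next_header=%u len=%u\n", rc, h.next_header, h.payload_len);
    return rc;
}
```

The length checks matter for a sensor: the inner payload length is attacker-controlled and is only trusted after it is shown to fit inside the outer packet.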