Snort-IPv6
Extended Snort featuring IPv6 functionality.

Documentation

Introduction abekatsu @ 2003/12/14
At present there are few network intrusion detection systems (NIDS) that support IPv6, and even those that do are limited to per-packet detection. We have therefore improved Snort, the well-known open-source NIDS, so that it can detect suspicious IPv6 packets. In addition, we have extended several of the preprocessors, detection plug-ins and output plug-ins to IPv6, so that suspicious IPv6 flows such as port scans can also be detected.

Features abekatsu @ 2003/12/14
Snort for IPv6 implements the following features.
  1. Rule Header
    IPv6 addresses can be written in the rule header. If "any" is written, the rule matches both IPv4 and IPv6.

  2. Rule Options/detection plug-ins
    The following rule options are supported, with their detection plug-ins extended to IPv6. The Feature column is taken from the Snort Users Manual.

    Rule Option   Feature
    -----------   --------------------------------------------------------
    msg           prints a message in alerts and packet logs
    hlim          test the IPv6 header's Hop Limit field value
    i6type        test the ICMPv6 type field against a specific value
    i6code        test the ICMPv6 code field against a specific value
    content       search for a pattern in the packet's payload
    uricontent    search for a pattern in the URI portion of a packet

    The following rule options currently support IPv4 only.

    Rule Option   Feature
    -----------   --------------------------------------------------------
    ttl           test the IP header's TTL field value
    tos           test the IP header's TOS field value
    id            test the IP header's fragment ID field for a specific value
    ipoption      watch the IP option fields for specific codes
    fragbits      test the fragmentation bits of the IP header
    itype         test the ICMP type field against a specific value
    icode         test the ICMP code field against a specific value
    icmp_id       test the ICMP ECHO ID field against a specific value
    icmp_seq      test the ICMP ECHO sequence number against a specific value
    ip_proto      test the IP header's protocol value

    The rule options below are still under testing; there is no guarantee that they work correctly on IPv6 traffic.

    Rule Option   Feature
    -----------   --------------------------------------------------------
    logto         log the packet to a user specified filename instead of the standard output file
    dsize         test the packet's payload size against a value
    flags         test the TCP flags for certain values
    seq           test the TCP sequence number field for a specific value
    ack           test the TCP acknowledgement field for a specific value
    window        test the TCP window field for a specific value
    content-list  search for a set of patterns in the packet's payload
    offset        modifier for the content option, sets the offset to begin attempting a pattern match
    depth         modifier for the content option, sets the maximum search depth for a pattern match attempt
    no-case       match the preceding content string with case insensitivity
    session       dumps the application layer information for a given session
    rpc           watch RPC services for specific application/procedure calls
    resp          active response (knock down connections, etc)
    react         active response (block web sites)
    tag           advanced logging actions for rules
    sameip        determines if source ip equals the destination ip
    ip6_proto     test the IPv6 header's Next Header value
    i6type        test the ICMPv6 type field against a specific value
    i6code        test the ICMPv6 code field against a specific value
    icmp6_id      test the ICMPv6 ECHO ID field against a specific value
    icmp6_seq     test the ICMPv6 ECHO sequence number against a specific value
    stateless     valid regardless of stream state
    regex         wildcard pattern matching
    byte_test     numerical evaluation
    distance      forcing relative pattern matching to skip space
    within        forcing relative pattern matching to be within a count
    byte_test     numerical pattern testing
    byte_jump     numerical pattern testing and offset adjustment

  3. Preprocessor
    The following preprocessors have been extended to IPv6.

    Preprocessor          Features
    ------------          --------------------------------------------------
    conversation          getting basic conversation status on protocols rather than just with TCP as done in spp_stream4
    portscan2             this module allows portscans to be detected

    The following preprocessors currently support IPv4 only.

    Preprocessor          Features
    ------------          --------------------------------------------------
    http_decode           processing HTTP URI strings and converting their data to non-obfuscated ASCII strings
    portscan              logging the start and end of portscans from a single source IP to the standard logging facility
    portscan-ignorehosts  telling preprocessor portscan to ignore portscans from certain hosts
    frag2                 IP defragmentation preprocessor
    stream4               reassembling TCP streams
    telnet_decode         normalizing telnet control protocol characters
    rpc_decode            normalizing RPC multiple fragmented records into a single unfragmented record
    perfmonitor           instrumenting various aspects of snort for performance
    http_flow             ignoring HTTP server responses after the HTTP headers

  4. Output plug-ins
    Currently only the log_ascii output plug-in is supported.

    Log example:
    [**] [1:1113:4] WEB-MISC http directory traversal [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    12/04-15:53:16.761868 [2001:200:0:7000::a]:1524 -> [2001:200:0:7000::5]:80
    TCP FlowID:60000000 Ip6PayLoadLen:262 HopLimit:64
    ***AP*** Seq: 0xCF0FDC8B  Ack: 0x194FECD  Win: 0xE4B4  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 115780317 206234279
    [Xref => http://www.whitehats.com/info/IDS297]
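    The log_ascii block above brackets the IPv6 addresses so that the port after the last ":" is unambiguous, which is something a log collector has to be aware of. The parser below is an added example, not the project's code; it takes the page's alert block (embedded verbatim as constructed input) and also accepts the unbracketed IPv4 form that stock Snort writes (the IPv4 sample is constructed, not from the page). The names SAMPLE_ALERT_V6, SAMPLE_ALERT_V4 and parse_alert are this example's own.

```python
"""Added example (not Snort-IPv6 code): parse a log_ascii alert block into a dict."""
import ipaddress
import re

# Constructed sample input: the alert block from the page, reproduced verbatim.
SAMPLE_ALERT_V6 = """\
[**] [1:1113:4] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/04-15:53:16.761868 [2001:200:0:7000::a]:1524 -> [2001:200:0:7000::5]:80
TCP FlowID:60000000 Ip6PayLoadLen:262 HopLimit:64
***AP*** Seq: 0xCF0FDC8B  Ack: 0x194FECD  Win: 0xE4B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 115780317 206234279
[Xref => http://www.whitehats.com/info/IDS297]
"""

# Constructed IPv4 sample in stock Snort log_ascii style (not from the page).
SAMPLE_ALERT_V4 = """\
[**] [1:1113:4] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/04-15:53:16.761868 192.0.2.10:1524 -> 192.0.2.5:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:282 DF
"""

SIG_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# An endpoint is either "[v6addr]" or a dotted IPv4 address, optionally followed by ":port".
ENDPOINT = (r"(?:\[(?P<{n}6>[0-9A-Fa-f:.]+)\]|(?P<{n}4>\d{{1,3}}(?:\.\d{{1,3}}){{3}}))"
            r"(?::(?P<{n}port>\d+))?")
FLOW_RE = re.compile(r"^(?P<ts>\S+) " + ENDPOINT.format(n="src")
                     + r" -> " + ENDPOINT.format(n="dst") + r"$")
XREF_RE = re.compile(r"^\[Xref => (.*?)\]$")


def _endpoint(m, n):
    """Return (ip address object, port or None) for the named endpoint group."""
    addr = m.group(n + "6") or m.group(n + "4")
    port = m.group(n + "port")
    return ipaddress.ip_address(addr), (int(port) if port is not None else None)


def parse_alert(text: str) -> dict:
    """Parse one log_ascii alert block (IPv6 bracketed form or IPv4 form)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sig = SIG_RE.match(lines[0])
    cls = CLASS_RE.match(lines[1])
    flow = FLOW_RE.match(lines[2])
    if not (sig and cls and flow):
        raise ValueError("unrecognised alert header")
    src, sport = _endpoint(flow, "src")
    dst, dport = _endpoint(flow, "dst")
    # Fourth line: protocol name followed by "Key:Value" tokens; bare flags such as DF get True.
    proto, *tokens = lines[3].split()
    ip_fields = {}
    for tok in tokens:
        key, sep, val = tok.partition(":")
        ip_fields[key] = val if sep else True
    return {
        "gid": int(sig.group(1)), "sid": int(sig.group(2)), "rev": int(sig.group(3)),
        "msg": sig.group(4),
        "classification": cls.group(1), "priority": int(cls.group(2)),
        "timestamp": flow.group("ts"),
        "src": str(src), "sport": sport, "dst": str(dst), "dport": dport,
        "ip_version": src.version, "proto": proto, "ip_fields": ip_fields,
        "xrefs": [m.group(1) for m in map(XREF_RE.match, lines[4:]) if m],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT_V6, SAMPLE_ALERT_V4):
        a = parse_alert(sample)
        print(a["sid"], a["src"], a["sport"], "->", a["dst"], a["dport"], a["ip_fields"])
```

    The fourth line is deliberately parsed as generic "Key:Value" tokens because its field names differ between the IPv4 form (TTL, ID, IpLen, DgmLen) and this IPv6 form (FlowID, Ip6PayLoadLen, HopLimit).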

    We think it would not be difficult to extend the syslog/SNMP/PostgreSQL output plug-ins to IPv6 as well.

  5. New rules
    We define a rule file for ICMPv6 traffic. Using this rule file, you can detect ICMPv6 informational traffic.
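    To make concrete what the IPv6 rule header (section 1), the IPv6 rule options (section 2) and the ICMPv6 rules (section 5) test, here is an added example that is not the project's code: a small evaluator that decodes a raw IPv6/ICMPv6 packet and applies hlim, ip6_proto, i6type, i6code, icmp6_id and icmp6_seq as exact-value tests, with "any" in the rule header matching IPv4 and IPv6 addresses alike. The packet builder, the rule dictionary RULE_ECHO_REQUEST and the function names are this example's own; the rule prefix 2001:db8::/32 is documentation address space, and the ICMPv6 checksum is left at zero because it plays no part in option matching.

```python
"""Added example (not Snort-IPv6 code): evaluate IPv6 rule options against a packet."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129

# Rule option name -> decoded ICMPv6 field it tests (exact match, as the page describes).
ICMPV6_OPTIONS = {"i6type": "type", "i6code": "code",
                  "icmp6_id": "ident", "icmp6_seq": "seq"}


def build_icmpv6_echo(src, dst, hlim, icmp_type=ICMPV6_ECHO_REQUEST,
                      code=0, ident=0x1234, seq=1):
    """Construct an IPv6 packet carrying an ICMPv6 echo message (checksum left 0)."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    hdr = struct.pack("!IHBB", 6 << 28, len(body), NEXT_HEADER_ICMPV6, hlim)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed IPv6 header; extension headers are not walked (simplification)."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]),
            "payload_len": plen, "next_header": nxt, "hop_limit": hlim,
            "payload": pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]}


def parse_icmpv6(payload: bytes) -> dict:
    """Decode ICMPv6 type/code; echo messages also carry identifier and sequence."""
    if len(payload) < 4:
        raise ValueError("truncated ICMPv6 header")
    typ, code, _csum = struct.unpack("!BBH", payload[:4])
    fields = {"type": typ, "code": code}
    if typ in (ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY) and len(payload) >= 8:
        fields["ident"], fields["seq"] = struct.unpack("!HH", payload[4:8])
    return fields


def address_matches(rule_addr: str, addr) -> bool:
    """Rule-header address test: "any" matches both families; otherwise the
    address must belong to the given network and be of the same family."""
    if rule_addr == "any":
        return True
    net = ipaddress.ip_network(rule_addr, strict=False)
    return addr.version == net.version and addr in net


def match_rule(rule: dict, pkt: bytes) -> bool:
    """True when every option present in the rule holds for the packet."""
    ip6 = parse_ipv6(pkt)
    if not (address_matches(rule.get("src", "any"), ip6["src"])
            and address_matches(rule.get("dst", "any"), ip6["dst"])):
        return False
    if "hlim" in rule and ip6["hop_limit"] != rule["hlim"]:
        return False
    if "ip6_proto" in rule and ip6["next_header"] != rule["ip6_proto"]:
        return False
    wanted = {k: v for k, v in rule.items() if k in ICMPV6_OPTIONS}
    if wanted:
        if ip6["next_header"] != NEXT_HEADER_ICMPV6:
            return False  # ICMPv6 options can never match a non-ICMPv6 packet
        icmp = parse_icmpv6(ip6["payload"])
        if any(icmp.get(ICMPV6_OPTIONS[k]) != v for k, v in wanted.items()):
            return False
    return True


# Hypothetical rule in the spirit of section 5: flag echo requests sent to the local prefix.
RULE_ECHO_REQUEST = {"msg": "ICMPv6 echo request to local prefix",
                     "src": "any", "dst": "2001:db8::/32",
                     "ip6_proto": NEXT_HEADER_ICMPV6,
                     "i6type": ICMPV6_ECHO_REQUEST, "i6code": 0}

if __name__ == "__main__":
    probe = build_icmpv6_echo("2001:db8::1", "2001:db8::2", hlim=64)
    reply = build_icmpv6_echo("2001:db8::2", "2001:db8::1", hlim=64,
                              icmp_type=ICMPV6_ECHO_REPLY)
    print("echo request matches:", match_rule(RULE_ECHO_REQUEST, probe))
    print("echo reply matches:", match_rule(RULE_ECHO_REQUEST, reply))
```

    The same evaluator shows why a rule written with "any" in both address fields catches traffic of either family, while a rule with an IPv6 prefix can never match an IPv4 packet; that is the behaviour the rule header in section 1 describes.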

Usage abekatsu @ 2003/12/14
  1. Build
    Download the package from here, extract it, and run
    "./configure; make"
  2. Edit snort.conf for your site.
  3. Run snort as the super user.

Copyright © 2003 Cyber Solutions Inc. All rights reserved.
Supported by the WIDE Project Sendai NOC Team.