Snort-IPv6
Snort extended with IPv6 support.

Documents

Introduction abekatsu @ Dec. 14 2003
Currently there are few Network Intrusion Detection Systems that support IPv6 networks, and even those that do are limited to detecting individual packets. So we first extended Snort, one of the best-known open-source NIDS packages, to detect suspicious IPv6 packets. With this package you can detect suspicious IPv6 packets just as you can for IPv4. We also extended some preprocessors, detection plug-ins and output plug-ins, so you can detect suspicious IPv6 flows such as port scans as well.

Features abekatsu @ Dec. 14 2003
We extended Snort for IPv6 in the following areas:
  1. Rule Header
    You can write IPv6 addresses in the rule header, for example "ip6 fe80::/12 any -> any any". You can also write "any" to match both IPv4 and IPv6 packets.

  2. Rule Options/detection plug-ins
    We support the following rule options by extending the corresponding detection plug-ins with IPv6 features. The Feature column is quoted from the Snort Users Manual.

    Rule Option   Feature
    msg           prints a message in alerts and packet logs
    hlim          test the IPv6 header's Hop Limit field value
    i6type        test the ICMPv6 type field against a specific value
    i6code        test the ICMPv6 code field against a specific value
    content       search for a pattern in the packet's payload
    uricontent    search for a pattern in the URI portion of a packet

    The following rule options currently support IPv4 only.

    Rule Option   Feature
    ttl           test the IP header's TTL field value
    tos           test the IP header's TOS field value
    id            test the IP header's fragment ID field for a specific value
    ipoption      watch the IP option fields for specific codes
    fragbits      test the fragmentation bits of the IP header
    itype         test the ICMP type field against a specific value
    icode         test the ICMP code field against a specific value
    icmp_id       test the ICMP ECHO ID field against a specific value
    icmp_seq      test the ICMP ECHO sequence number against a specific value
    ip_proto      test the IP header's protocol value

    The following rule options are under testing; there is no guarantee that they work correctly for IPv6 traffic.

    Rule Option    Feature
    logto          log the packet to a user specified filename instead of the standard output file
    dsize          test the packet's payload size against a value
    flags          test the TCP flags for certain values
    seq            test the TCP sequence number field for a specific value
    ack            test the TCP acknowledgement field for a specific value
    window         test the TCP window field for a specific value
    content-list   search for a set of patterns in the packet's payload
    offset         modifier for the content option, sets the offset to begin attempting a pattern match
    depth          modifier for the content option, sets the maximum search depth for a pattern match attempt
    no-case        match the preceding content string with case insensitivity
    session        dumps the application layer information for a given session
    rpc            watch RPC services for specific application/procedure calls
    resp           active response (knock down connections, etc)
    react          active response (block web sites)
    tag            advanced logging actions for rules
    sameip         determines if source IP equals the destination IP
    ip6_proto      test the IPv6 header's Next Header value
    i6type         test the ICMPv6 type field against a specific value
    i6code         test the ICMPv6 code field against a specific value
    icmp6_id       test the ICMPv6 ECHO ID field against a specific value
    icmp6_seq      test the ICMPv6 ECHO sequence number against a specific value
    stateless      valid regardless of stream state
    regex          wildcard pattern matching
    byte_test      numerical evaluation
    distance       forcing relative pattern matching to skip space
    within         forcing relative pattern matching to be within a count
    byte_test      numerical pattern testing
    byte_jump      numerical pattern testing and offset adjustment
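
    The header and option semantics above, worked through in a small Python evaluator (an added example, not Snort-IPv6 code): a prefix such as fe80::/12 matches only addresses of its own family, "any" matches both families, and hlim, i6type and i6code compare integer fields of a packet. The rule text form, the packet dict layout and the sample packets are assumptions of this example.

```python
import ipaddress
import re

# Assumed text form (action word omitted, as in the page): PROTO SRC SPORT -> DST DPORT (opt:val; ...)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")
# the IPv6-specific options the page lists; each compares one integer header field
IP6_OPTIONS = ("hlim", "i6type", "i6code")

def parse_rule(rule):
    """Split a rule into header fields plus an option dict."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % rule)
    proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for item in (opts or "").split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            options[key.strip()] = val.strip()
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, addr):
    """'any' matches IPv4 and IPv6 alike; a prefix matches only its own family."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net

def rule_matches(rule, pkt):
    """pkt: dict with src, dst, sport, dport and, for IPv6, hlim/i6type/i6code.
    Only the 'ip6' protocol keyword is enforced here; other keywords pass through."""
    r = parse_rule(rule)
    if r["proto"] == "ip6" and ipaddress.ip_address(pkt["src"]).version != 6:
        return False
    if not (addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])):
        return False
    for spec, port in ((r["sport"], pkt["sport"]), (r["dport"], pkt["dport"])):
        if spec != "any" and int(spec) != port:
            return False
    for key in IP6_OPTIONS:
        if key in r["options"] and pkt.get(key) != int(r["options"][key]):
            return False
    return True

# constructed sample packets (not captured traffic): a link-local ICMPv6 echo request and an IPv4 flow
LINK_LOCAL_ECHO = {"src": "fe80::1", "dst": "ff02::1", "sport": 0, "dport": 0,
                   "hlim": 255, "i6type": 128, "i6code": 0}
V4_FLOW = {"src": "192.0.2.10", "dst": "192.0.2.20", "sport": 1524, "dport": 80}
```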

  3. Preprocessor
    We extended the following preprocessors.

    Preprocessor           Features
    conversation           getting basic conversation status on protocols rather than just with TCP as done in spp_stream4
    portscan2              this module allows portscans to be detected

    The following preprocessors currently support IPv4 only.

    Preprocessor           Features
    http_decode            processing HTTP URI strings and converting their data to non-obfuscated ASCII strings
    portscan               logging the start and end of portscans from a single source IP to the standard logging facility
    portscan-ignorehosts   telling preprocessor portscan to ignore portscans from certain hosts
    frag2                  IP defragmentation preprocessor
    stream4                reassembling TCP streams
    telnet_decode          normalizing telnet control protocol characters
    rpc_decode             normalizing RPC multiple fragmented records into a single unfragmented record
    perfmonitor            instrumenting various aspects of Snort for performance
    http_flow              ignoring HTTP server responses after the HTTP headers

  4. Output plug-ins
    Currently we support the log_ascii output plug-in.

    Log example:
    [**] [1:1113:4] WEB-MISC http directory traversal [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    12/04-15:53:16.761868 [2001:200:0:7000::a]:1524 -> [2001:200:0:7000::5]:80
    TCP FlowID:60000000 Ip6PayLoadLen:262 HopLimit:64
    ***AP*** Seq: 0xCF0FDC8B  Ack: 0x194FECD  Win: 0xE4B4  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 115780317 206234279
    [Xref => http://www.whitehats.com/info/IDS297]
    

    We think it would not be difficult to extend the syslog, SNMP and PostgreSQL output plug-ins for IPv6.
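
    The log_ascii alert above, parsed into fields by an added Python example (not Snort-IPv6 code) so the record can be handed to other tooling; it also accepts the unbracketed addr:port endpoints stock Snort writes for IPv4. The flow-label interpretation of the FlowID value is an assumption noted in the code.

```python
import re

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*)\] \[Priority: (\d+)\]$")
# Snort-IPv6 writes IPv6 endpoints as [addr]:port; stock Snort writes IPv4 ones as addr:port
ENDPOINTS_RE = re.compile(
    r"^(\S+) (?:\[([0-9a-fA-F:]+)\]|([0-9.]+)):(\d+) -> (?:\[([0-9a-fA-F:]+)\]|([0-9.]+)):(\d+)$")
IP6_RE = re.compile(r"^(\w+) FlowID:([0-9a-fA-F]+) Ip6PayLoadLen:(\d+) HopLimit:(\d+)$")
XREF_RE = re.compile(r"^\[Xref => (.*)\]$")

# sample input: the alert block from the page's own log example
SAMPLE_ALERT = """\
[**] [1:1113:4] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/04-15:53:16.761868 [2001:200:0:7000::a]:1524 -> [2001:200:0:7000::5]:80
TCP FlowID:60000000 Ip6PayLoadLen:262 HopLimit:64
***AP*** Seq: 0xCF0FDC8B  Ack: 0x194FECD  Win: 0xE4B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 115780317 206234279
[Xref => http://www.whitehats.com/info/IDS297]
"""

def parse_alert(block):
    """Return the fields of one alert block as a dict; raise ValueError if malformed."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not HEADER_RE.match(lines[0]):
        raise ValueError("not a Snort alert block")
    hdr = HEADER_RE.match(lines[0])
    alert = {"gid": int(hdr.group(1)), "sid": int(hdr.group(2)),
             "rev": int(hdr.group(3)), "msg": hdr.group(4),
             "xrefs": [m.group(1) for m in map(XREF_RE.match, lines) if m]}
    idx, cls = 1, CLASS_RE.match(lines[1])
    if cls:  # the classification line is absent for rules without a classtype
        alert["classification"], alert["priority"] = cls.group(1), int(cls.group(2))
        idx = 2
    ep = ENDPOINTS_RE.match(lines[idx])
    if not ep:
        raise ValueError("unrecognised endpoint line: %r" % lines[idx])
    alert.update(timestamp=ep.group(1),
                 src=ep.group(2) or ep.group(3), sport=int(ep.group(4)),
                 dst=ep.group(5) or ep.group(6), dport=int(ep.group(7)))
    proto_line = lines[idx + 1]
    alert["proto"] = proto_line.split()[0]
    ip6 = IP6_RE.match(proto_line)
    if ip6:
        # Assumption: FlowID is the first 32-bit word of the IPv6 header in hex, so the
        # 20-bit flow label is its low bits (0x60000000 -> version 6, flow label 0).
        alert["flow_label"] = int(ip6.group(2), 16) & 0xFFFFF
        alert["payload_len"] = int(ip6.group(3))
        alert["hop_limit"] = int(ip6.group(4))
    return alert
```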

  5. New rules
    We define rules for ICMPv6 traffic. Using this rule file, you can detect ICMPv6 informational traffic.

Usage abekatsu @ Dec. 14 2003
  1. Build
    Download the package from here, extract it, and run
    "./configure; make"
  2. Edit snort.conf for your site.
  3. Run snort as the superuser.

Copyright © 2003 Cyber Solutions Inc. All rights reserved.
Supported by the WIDE Project Sendai NOC Team
Last Updated: Dec. 14 2003