Home page logo
/

snort logo Snort mailing list archives

Re: Automatically decoding of Teredo traffic
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Tue, 2 Apr 2013 11:10:36 -0500

Hello.  I am thinking maybe I should ask Snort-Sigs this question or maybe
a 'nother list?

Thanks.

-Lord C.


On Fri, Mar 29, 2013 at 8:35 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com>wrote:

Thanks Joel for looking it to this.  I am eagerly await the results and
the expert(s) determination of this.  Most of the times I am wrong about a
configuration or process so hopefully my error can be make clear or you can
let me know if there is a *real* problem.

I apologize in advance if this is an error on my end but secretly hope it
is not the case :)

-Lord C.


On Tue, Mar 26, 2013 at 4:52 PM, Joel Esler <jesler () sourcefire com> wrote:

Let me take a look at this tomorrow.

On Mar 26, 2013, at 3:56 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
wrote:

Hello.  Were anyone able to see the problem that I am having?  Thanks.

Cheers,

-Lord C.

On Wed, Mar 20, 2013 at 11:07 AM, L0rd Ch0de1m0rt <
l0rdch0de1m0rt () gmail com> wrote:

Hello.  Joel, please refer to the pcap file from
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap,
packet 31.  I tried this rule:

alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|";
offset:8; depth:1; sid:135792468;)

I do not see an alert!  Did I write the rule wrong?  Is not 0x60 at
offset 8 in the true IPv4 payload?

Thanks.

-Lord C.


On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler () sourcefire com>wrote:

Do you have a pcap you can send us off list?


On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
wrote:

Hello.  Thanks for the responce Russ.  Using '-A cmg' I see the full
packet displayed.  However, it seems 2 me that Snort 2.9 compiled with IPv6
is detecting the encapsulation and not populating the matching buffers as
one would expects.  I don't have the same experience as Yun but also I am
not able to detect on the actual payload like I needs to - the actual IPv4
payload is what I want to match on with the Snort rules ("content", etc.)
and because the payload is IPv6 and the snort is compiled with IPv6
support, the engine seems to mange the packet so that I cannot detect on
actual payload but may have to guess what the engine is doing and detect on
the modified data?  The snort binary is compiled with the IPv6 support and
I tried to modify configs like comment out 'preprocessor normalize_ip6' but
I still get packet mangle for the sensor detection engine and I do not know
how to tell it not to do this.

Thank you for the help.

Cheers,

-Lord C.

On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs () sourcefire com>wrote:

There is no way to turn off teredo at runtime and, as of 2.9.4, there
is no way to build without ip6 support, but Snort rules can be written to
match on either the inner or outer IP layers.  Furthermore, snort -A cmg
will show both layers and unified2 packets have both as well.

As for the example, need to see a pcap.  There should be no need to
add the ip6 address, which doesn't really make sense since it is a udp rule
(meaning the ip6 header is considered payload assuming something like
eth:ip4:udp:ip6:icmp6).

On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <
l0rdch0de1m0rt () gmail com> wrote:

Hello.  I have not seen an answer to this question and I was thinking
the same thing myself.  Would perhaps this be better asked on snort-sigs?
I hate to cross-post so maybe Joel E. you can do the needful with asking
who might know this answer?  Thank you.

Cheers,

-Lord C.


On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu () gmail com>wrote:

Hi all,

I have Snort compiled with IPv6 support, and now it seems to
automatically decode Teredo traffic. This is a nice feature but I
want
to detect Teredo tunnels on my network, but because the packet is
automatically decoded I cannot detect on the original ipv4 packets
that created the tunnel.

For example, the following signature works on Snort without ipv6
support and reports the ipv4 source and dest that created the tunnel:

alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
sid:xxx; rev:1;)

However with Snort and ipv6 support the signature stopped working and
i had to modify the signature to:

alert udp $EXTERNAL_NET 3544 ->
[$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
00 00 00 00 00 80 00|"; offset:29; depth:10;
classtype:policy-violation; sid:xxxx; rev:1;)

However it would then report the ipv6 addresses from the decoded
Teredo traffic instead of the original ipv4 addresses:

[**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
[**] [Classification: Potential Corporate Privacy Violation]
[Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
fe80:0000:0000:0000:0000:ffff:ffff:ffff

Is there a configuration option that disables the automatic decoding
of teredo (and 6in4) tunnels? Ofcourse i could compile it without
ipv6
support but i'm looking for a better solution.
I'm not sure if this is a bug, but I think this actually degrades the
detection capabilities of Snort because it lost the original ipv4
addresses.

Regards,

Yun


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the
latest Snort news!




------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


Please visit http://blog.snort.org to stay current on all the latest
Snort news!




------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:

http://p.sf.net/sfu/appdyn_d2d_mar_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!







------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault