Home page logo
/

snort logo Snort mailing list archives

Re: Automatically decoding of Teredo traffic
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 2 Apr 2013 14:47:16 -0400

Just to follow up, someone took a look at this and we think this is a bug.  We've put it into the system and I'll 
follow up when we get a release date.

J

On Apr 2, 2013, at 1:56 PM, Joel Esler <jesler () sourcefire com> wrote:

I've looked into this and have bounced it to another person to take a look.  Let me ping.


On Apr 2, 2013, at 12:10 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello.  I am thinking maybe I should ask Snort-Sigs this question or maybe a 'nother list?

Thanks.

-Lord C.


On Fri, Mar 29, 2013 at 8:35 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
Thanks Joel for looking it to this.  I am eagerly await the results and the expert(s) determination of this.  Most 
of the times I am wrong about a configuration or process so hopefully my error can be make clear or you can let me 
know if there is a *real* problem.

I apologize in advance if this is an error on my end but secretly hope it is not the case :)

-Lord C.


On Tue, Mar 26, 2013 at 4:52 PM, Joel Esler <jesler () sourcefire com> wrote:
Let me take a look at this tomorrow.

On Mar 26, 2013, at 3:56 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello.  Were anyone able to see the problem that I am having?  Thanks.

Cheers,

-Lord C.

On Wed, Mar 20, 2013 at 11:07 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
Hello.  Joel, please refer to the pcap file from 
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Teredo.pcap, packet 31.  I tried this 
rule: 

alert udp any 3544 -> any any (msg:"Packet 31 Detected"; content:"|60|"; offset:8; depth:1; sid:135792468;)

I do not see an alert!  Did I write the rule wrong?  Is not 0x60 at offset 8 in the true IPv4 payload?

Thanks.

-Lord C.


On Wed, Mar 20, 2013 at 10:33 AM, Joel Esler <jesler () sourcefire com> wrote:
Do you have a pcap you can send us off list?


On Mar 20, 2013, at 11:30 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello.  Thanks for the responce Russ.  Using '-A cmg' I see the full packet displayed.  However, it seems 2 me 
that Snort 2.9 compiled with IPv6 is detecting the encapsulation and not populating the matching buffers as one 
would expects.  I don't have the same experience as Yun but also I am not able to detect on the actual payload 
like I needs to - the actual IPv4 payload is what I want to match on with the Snort rules ("content", etc.) and 
because the payload is IPv6 and the snort is compiled with IPv6 support, the engine seems to mange the packet so 
that I cannot detect on actual payload but may have to guess what the engine is doing and detect on the modified 
data?  The snort binary is compiled with the IPv6 support and I tried to modify configs like comment out 
'preprocessor normalize_ip6' but I still get packet mangle for the sensor detection engine and I do not know how 
to tell it not to do this.

Thank you for the help.

Cheers,

-Lord C.

On Wed, Mar 20, 2013 at 9:06 AM, Russ Combs <rcombs () sourcefire com> wrote:
There is no way to turn off teredo at runtime and, as of 2.9.4, there is no way to build without ip6 support, but 
Snort rules can be written to match on either the inner or outer IP layers.  Furthermore, snort -A cmg will show 
both layers and unified2 packets have both as well.

As for the example, need to see a pcap.  There should be no need to add the ip6 address, which doesn't really make 
sense since it is a udp rule (meaning the ip6 header is considered payload assuming something like 
eth:ip4:udp:ip6:icmp6).

On Tue, Mar 19, 2013 at 10:35 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
Hello.  I have not seen an answer to this question and I was thinking the same thing myself.  Would perhaps this 
be better asked on snort-sigs?  I hate to cross-post so maybe Joel E. you can do the needful with asking who might 
know this answer?  Thank you.

Cheers,

-Lord C.


On Wed, Jun 20, 2012 at 6:11 AM, Yun Zheng Hu <yunzheng.hu () gmail com> wrote:
Hi all,

I have Snort compiled with IPv6 support, and now it seems to
automatically decode Teredo traffic. This is a nice feature but I want
to detect Teredo tunnels on my network, but because the packet is
automatically decoded I cannot detect on the original ipv4 packets
that created the tunnel.

For example, the following signature works on Snort without ipv6
support and reports the ipv4 source and dest that created the tunnel:

alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"Teredo IPv6
Tunneling - Router Advertisement to Client"; content:"|FE 80 00 00 00
00 00 00 80 00|"; offset:29; depth:10; classtype:policy-violation;
sid:xxx; rev:1;)

However with Snort and ipv6 support the signature stopped working and
i had to modify the signature to:

alert udp $EXTERNAL_NET 3544 ->
[$HOME_NET,fe80:0000:0000:0000:0000:ffff:ffff:ffff] any (msg:"Teredo
IPv6 Tunneling - Router Advertisement to Client"; content:"|FE 80 00
00 00 00 00 00 80 00|"; offset:29; depth:10;
classtype:policy-violation; sid:xxxx; rev:1;)

However it would then report the ipv6 addresses from the decoded
Teredo traffic instead of the original ipv4 addresses:

[**] [1:xxx:1] Teredo IPv6 Tunneling - Router Advertisement to Client
[**] [Classification: Potential Corporate Privacy Violation]
[Priority: 4] {IPV6-ICMP} fe80:0000:0000:0000:8000:xxxxx ->
fe80:0000:0000:0000:0000:ffff:ffff:ffff

Is there a configuration option that disables the automatic decoding
of teredo (and 6in4) tunnels? Ofcourse i could compile it without ipv6
support but i'm looking for a better solution.
I'm not sure if this is a bug, but I think this actually degrades the
detection capabilities of Snort because it lost the original ipv4
addresses.

Regards,

Yun

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!








------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault