Snort mailing list archives
Re: Snort IPv6
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 2 Feb 2006 16:25:20 -0500
We have the same requirements at Sourcefire and we'll be addressing them in Snort as soon as we can. I think it'd be a bad idea to rewrite everything independent of Sourcefire because we'll be duplicating the work and we're likely to come up with different solutions.
The "real answer" to this problem is to restructure Snort's decoder (as I've said before) so that it can gracefully handle layers/encapsulation in a way that's not a big retrofit over everything we have. That's a big undertaking because to do it we need a new Packet struct. If you grep for "Packet" in Snort's source code you'll see this is a pretty serious refactoring effort.
We definitely will be interested in getting feedback and testing from the community on the implementation as it becomes available; this is a big change and we don't make any claims that our in-house testing can be as all-encompassing as the diverse operating environments that all of you have at your fingertips.
Anyway, stay tuned and sorry for the delay!
-Marty
On Feb 2, 2006, at 9:56 AM, Eric Hines wrote:
Community:
Recently, OMB (Office of Management and Budget) issued a mandate that all federal agencies be IPv6 compliant by 2008. This sparks the question of federal and military organizations who will be going through an IPv6 roll-out as to when Snort will have support for IPv6 addressing.
I understand that previous attempts were made to make modifications to the Snort core for support of IPv6 but were abandoned and whether or not they are still being worked on is in question.
My understanding is that support of IPv6 will require a rewrite of some, if not all, of Snort's Preprocessors and IPv6 support furthermore, cannot be done simply with the use of a Preprocessor, rather modifications to the Snort core itself.
Does anyone have any insight into these efforts or can anyone answer intelligently to this issue? Does anyone know of a project currently being developed or worked on that is working towards this effort?
Best Regards,
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines () appliedwatch com
"Enterprise Open Source Snort Management"
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
