[Bro-Dev] #880: Cannot do signature matching for ICMP payload

Bro Tracker bro at tracker.bro-ids.org
Wed Oct 17 09:13:42 PDT 2012

#880: Cannot do signature matching for ICMP payload
  Reporter:  sheharbano.k     |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:

Comment (by jsiwek):

 In [e835a55229315f61e6994811b0eb6423f14c905a/bro]:
 Add IPv6 support to signature header conditions.

 - "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets.
   They must be written in colon-hexadecimal representation and enclosed
   in square brackets (e.g. [fe80::1]).  Addresses #774.

 - "icmp6" is now a valid protocol for use with "ip-proto" and "header"
   conditions.  This allows signatures to be written that can match
   against ICMPv6 payloads.  Addresses #880.

 - "ip6" is now a valid protocol for use with the "header" condition.
   (also the "ip-proto" condition, but it results in a no-op in that
   case since signatures apply only to the inner-most IP packet when
   packets are tunneled).  This allows signatures to match specifically
   against IPv6 packets (whereas "ip" only matches against IPv4 packets).

 - "ip-proto" conditions can now match against IPv6 packets.  Before,
   IPv6 packets were just silently ignored which meant DPD based on
   signatures did not function for IPv6 -- protocol analyzers would only
   get attached to a connection over IPv6 based on the well-known ports
   set in the "dpd_config" table.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/880#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
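
The conditions listed in the commit message above, written out as a signature file. This is an added example, not code from the ticket or the commit; the signature names, the 2001:db8::/32 documentation prefix, the marker string and the event texts are constructed for illustration.

```bro
# Constructed example signatures for a .sig file.

# ICMPv6 echo request (type 128, byte 0 of the ICMPv6 header) from one
# link-local host, with a constructed marker string in the payload.
signature example-icmp6-echo-marker {
  ip-proto == icmp6
  src-ip == [fe80::1]
  header icmp6[0:1] == 128
  payload /.*EXAMPLE-MARKER/
  event "ICMPv6 echo request carrying example marker"
}

# Match on the IPv6 header itself: byte 6 is Next Header, 58 is ICMPv6.
# "header ip" would only ever match IPv4 packets.
signature example-ip6-next-header-icmp6 {
  header ip6[6:1] == 58
  dst-ip == [2001:db8::]/32
  event "ICMPv6 directly after the IPv6 header, to documentation prefix"
}

# Payload signature limited to IPv6 destinations in a subnet. Before the
# change described above, IPv6 packets were silently ignored by
# "ip-proto" conditions, so this would never have matched.
signature example-ssh-banner-over-ipv6 {
  ip-proto == tcp
  dst-ip == [2001:db8::]/32
  payload /^SSH-/
  event "SSH banner seen over IPv6"
}
```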
