[Bro-Dev] #880: Cannot do signature matching for ICMP payload
Bro Tracker
bro at tracker.bro-ids.org
Wed Oct 17 09:13:42 PDT 2012
#880: Cannot do signature matching for ICMP payload
------------------------------+------------------------
Reporter: sheharbano.k | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
------------------------------+------------------------
Comment (by jsiwek):
In [e835a55229315f61e6994811b0eb6423f14c905a/bro]:
{{{
#!CommitTicketReference repository="bro"
revision="e835a55229315f61e6994811b0eb6423f14c905a"
Add IPv6 support to signature header conditions.

- "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets.
  They must be written in colon-hexadecimal representation and enclosed
  in square brackets (e.g. [fe80::1]). Addresses #774.

- "icmp6" is now a valid protocol for use with "ip-proto" and "header"
  conditions. This allows signatures to be written that can match
  against ICMPv6 payloads. Addresses #880.

- "ip6" is now a valid protocol for use with the "header" condition.
  (also the "ip-proto" condition, but it results in a no-op in that
  case since signatures apply only to the inner-most IP packet when
  packets are tunneled). This allows signatures to match specifically
  against IPv6 packets (whereas "ip" only matches against IPv4 packets).

- "ip-proto" conditions can now match against IPv6 packets. Before,
  IPv6 packets were just silently ignored which meant DPD based on
  signatures did not function for IPv6 -- protocol analyzers would only
  get attached to a connection over IPv6 based on the well-known ports
  set in the "dpd_config" table.
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/880#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
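
A signature file exercising the conditions listed in the commit message above, as an added example that is not part of the original post or of the Bro code base. The signature names, the payload pattern and the event strings are constructed; [fe80::1] is the address used in the commit message, and the header offsets follow the standard ICMPv6, ICMP and IPv6 header layouts.

```bro-sig
# Constructed example signatures. Names, pattern and event text are
# assumptions made for illustration.

# ICMPv6 Echo Request from one link-local host carrying a marker string.
signature icmp6-echo-marker {
    # "icmp6" as an ip-proto value
    ip-proto == icmp6
    # IPv6 source address, colon-hexadecimal inside square brackets
    src-ip == [fe80::1]
    # Byte 0 of the ICMPv6 header is the type; 128 is Echo Request
    header icmp6[0:1] == 128
    payload /.*EXAMPLE-MARKER/
    event "ICMPv6 echo request with marker payload"
}

# IPv4 counterpart for comparison: "icmp" only covers ICMP over IPv4,
# so a rule set needs both signatures to cover both address families.
signature icmp4-echo-marker {
    ip-proto == icmp
    # Byte 0 of the ICMP header is the type; 8 is Echo Request
    header icmp[0:1] == 8
    payload /.*EXAMPLE-MARKER/
    event "ICMPv4 echo request with marker payload"
}

# "ip6" in a header condition: matches IPv6 packets only.
# Byte 7 of the fixed IPv6 header is the Hop Limit.
signature ip6-hop-limit-255 {
    header ip6[7:1] == 255
    event "IPv6 packet with hop limit 255"
}
```

Each match raises the signature_match event carrying the event string, so the IPv4 and IPv6 variants can be told apart in the resulting notices.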