[Bro-Dev] #774: IPv6 in signatures

Bro Tracker bro at tracker.bro-ids.org
Wed Oct 17 09:13:43 PDT 2012

#774: IPv6 in signatures
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Low      |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  ipv6

Comment (by jsiwek):

 In [e835a55229315f61e6994811b0eb6423f14c905a/bro]:
 #!CommitTicketReference repository="bro"
 Add IPv6 support to signature header conditions.

 - "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets.
   They must be written in colon-hexadecimal representation and enclosed
   in square brackets (e.g. [fe80::1]).  Addresses #774.

 - "icmp6" is now a valid protocol for use with "ip-proto" and "header"
   conditions.  This allows signatures to be written that can match
   against ICMPv6 payloads.  Addresses #880.

 - "ip6" is now a valid protocol for use with the "header" condition.
   (also the "ip-proto" condition, but it results in a no-op in that
   case since signatures apply only to the inner-most IP packet when
   packets are tunneled).  This allows signatures to match specifically
   against IPv6 packets (whereas "ip" only matches against IPv4 packets).

 - "ip-proto" conditions can now match against IPv6 packets.  Before,
   IPv6 packets were just silently ignored which meant DPD based on
   signatures did not function for IPv6 -- protocol analyzers would only
   get attached to a connection over IPv6 based on the well-known ports
   set in the "dpd_config" table.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/774#comment:3>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list