Snort and GIF0 for HE tunnel broker
-
Hello Fellow Netgate community members.
I am trying to get Snort to also monitor my IPv6 traffic on a Hurricane Electric tunnel. My ISP is IPv4 only. I asked this before, and I have seen IPv6 traffic very seldom on WAN, which is IPv4 only. Do I need to adjust the snap length on WAN, or do I enable it on the GIF0 interface that handles the IPv6 traffic?
What is the correct configuration for use with IPv6 over a tunnel broker with Snort? Keep in mind I am aware that it should be on LAN; I know that I am doing this with WAN as it took too long to fine tune and set this up.
I have set Snort up on the WAN and GIF0 interfaces. Only on GIF0 did I change the snap length; it is 65535 in order to see the whole packet because of the encapsulated traffic. Should I have it only configured on WAN with a larger snap length?
I have also added a custom rule to GIF0
alert ip any any -> any any (msg:"Test IPv6 alert"; sid:1003372; rev:1;)
My alerts are just blank on GIF0
This is on a 2100-MAX with ARM processor.
I have seen it detect IPv6 items every once in a while, but on WAN only. Should I just increase the snap length on the WAN side and remove GIF0?
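A worked illustration of the encapsulation in question, added here and not part of any post in this thread: an HE tunnel carries IPv6 inside IPv4 with IP protocol number 41 (6in4), so the WAN interface sees IPv4 datagrams whose payload is the IPv6 packet, while gif0 sees the already-decapsulated IPv6. The Python below builds a constructed sample packet (documentation addresses, not real tunnel endpoints), decodes the outer and inner headers, and reports the capture length needed to hold the whole frame.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # 6in4: IPv6 carried directly inside IPv4 (RFC 4213), as an HE tunnel does

def build_6in4_sample() -> bytes:
    """Construct a sample 6in4 packet: IPv4 outer header, IPv6 inner header, 8-byte payload."""
    inner_payload = b"\x00" * 8
    # IPv6 header: version/class/flow, payload length, next header (59 = no next header), hop limit
    ipv6 = struct.pack("!IHBB", 0x60000000, len(inner_payload), 59, 64)
    ipv6 += ipaddress.IPv6Address("2001:db8::1").packed
    ipv6 += ipaddress.IPv6Address("2001:db8::2").packed
    ipv6 += inner_payload
    total_len = 20 + len(ipv6)
    # IPv4 header: version 4, IHL 5, no options; checksum left as 0 in this constructed sample
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_IPV6, 0,
                       ipaddress.IPv4Address("203.0.113.10").packed,
                       ipaddress.IPv4Address("198.51.100.1").packed)
    return ipv4 + ipv6

def decode_6in4(pkt: bytes) -> dict:
    """Parse an IPv4 packet; if its protocol is 41, also parse the inner IPv6 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    info = {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "outer_proto": proto,
        "inner": None,
        # bytes per frame a capture must keep to hold the whole encapsulated packet (Ethernet + IPv4)
        "min_snaplen": 14 + total_len,
    }
    if proto != IPPROTO_IPV6:
        return info
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 but inner header is not a full IPv6 header (truncated capture?)")
    info["inner"] = {
        "src": str(ipaddress.IPv6Address(inner[8:24])),
        "dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
        "payload_len": struct.unpack("!H", inner[4:6])[0],
    }
    return info
```

Calling `decode_6in4(build_6in4_sample())` returns the outer IPv4 pair, protocol 41 and the inner IPv6 addresses; feeding it a truncated capture raises, which is the failure a too-small snap length produces.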
-
@JonathanLee I do see traffic when I do a packet capture in the GUI on gif0; it is all IPv6.
-
I also enabled promiscuous mode in the GUI for WAN and GIF0.
-
@JonathanLee if you move it to LAN then:
Packets that would have been blocked by the firewall aren’t scanned anyway.
You only need one instance running.
-
@SteveITS I did do that, but it only shows the destination as the LAN interface address for all alerts; nothing can be tracked to a WAN-side IP for reporting use. That was my issue with LAN. I do at times make reports to CISA for abuse. I can’t see that full WAN IP when it’s on the WAN; it always shows the interface where the AP resides, like 192.168.1.1, but it does see what’s going on. CISA does respond also by email for weird ones I find, and a couple of weeks later that address stops showing up. I wonder, if more of us started doing that, whether more invasive actors would stop.
-
@SteveITS Do you know if Suricata does IPv6 better than Snort when tunnel brokers are in use?
-
@JonathanLee don’t know, sorry.
-
@SteveITS I am gonna try it; it says it has better threading support and is faster, plus it can run my Oinkcode. I will let you know.
-
@SteveITS It looks like it is detecting IPv6 better.
It is already showing alerts.
It sees some IPv6 going to my interface. Again, Snort also would spot stuff every once in a while. My son got a bad bug on his tablet, and it had a Russian email server running; I checked it on VirusTotal and it was spot on as malware with known abuses, so I reported it.