Snort IPv6



  • Hi,

    Snort - is IPv6 not activated?

    [2.3.3-DEVELOPMENT][admin@jr.toto.local]/root: snort -v
    Running in packet dump mode

    --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to passive.
    Acquiring network traffic from "vmx0".
    Decoding Ethernet

    --== Initialization Complete ==--

    ,,_    -> Snort! <-
      o"  )~  Version 2.9.8.3 GRE (Build 383) FreeBSD
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
              Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
              Copyright (C) 1998-2013 Sourcefire, Inc., et al.
              Using libpcap version 1.8.0
              Using PCRE version: 8.39 2016-06-14
              Using ZLIB version: 1.2.8

    ==> view http://searchitchannel.techtarget.com/tip/Snort-280-new-features-IPv6-and-port-lists

    My test is a custom rule:

    alert icmp any any -> any any (msg:"LOCAL ICMP echo test"; itype:8; sid:2000000;)

    Thanks for the help

    Best regards

    fred



  • I believe it's enabled. If you look at the config files that are generated, you should see your IPv6 addresses in there. Suricata supports IPv6, that I can confirm. I'm starting to use Snort again, I'll keep an eye on it for IPv6 alerts.



  • I'm currently only monitoring to fine-tune the ruleset since it's been a while since I used Snort. It alerted on a couple of IPv6 packets for
    1:2018959  ET POLICY PE EXE or DLL Windows file download HTTP