Snort IPv6
-
Hi,
Snort - is IPv6 not activated?
[2.3.3-DEVELOPMENT][admin@jr.toto.local]/root: snort -v
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "vmx0".
Decoding Ethernet
--== Initialization Complete ==--
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.0
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.8
==> view http://searchitchannel.techtarget.com/tip/Snort-280-new-features-IPv6-and-port-lists
My test is a custom rule:
alert icmp any any -> any any (msg:"LOCAL ICMP echo test"; itype:8; sid:2000000;)
Thanks for the help
Best regards
fred
-
I believe it's enabled. If you look at the config files that are generated, you should see your IPv6 addresses in there. Suricata supports IPv6, that I can confirm. I'm starting to use Snort again, I'll keep an eye on it for IPv6 alerts.
-
I'm currently only monitoring to fine-tune the ruleset since it's been a while since I used Snort. It alerted on a couple of IPv6 packets for
1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP