Snort v2.5.0 IPv6 support

  • The latest snort package should fully support IPv6.
    If you reinstall the binary of the package all should work.

    If you find anything not working correctly please post here.

  • So far so good, thanks again Ermal!!

    A little tip for IPv6 users
    Most will think to put snort on their IPv6 WAN, which is ok, but this will only monitor traffic that hits your IPv6 WAN IP directly. It's your LAN IPv6 where you're going to see the alerts. IPv6 is routing through our boxes, not being NATed (well, unless you really want to).

    I tested this over the last month testing snort and snort-dev….. I had snort enabled on my tunnel.. No alerts but my LAN would have them. Now if I attacked my WAN IP, then alerts would show up for the he.tunnel

  • Great work Ermal! Only when an IP6 address gets blocked I can't remove it…

  • @digdug3:

    Great work Ermal! Only when an IP6 address gets blocked I can't remove it…

    Re-install.. I'm able to remove them.. check the snort2c table, they should be removed from there

    Edit: are you trying to remove from the block page or from the alert page? I haven't tried from the alert page yet

  • I was afraid this was going to happen, snort is blocking local LAN IPv6 addresses.. my custom home_net seems to fix it though

    adding 2001:470:x:x::/64

    07/16-16:46:19 	2 	TCP 	Potentially Bad Traffic 	2001:470:x Delete 	23749 	2a03:2880:10:1f02:face:b00c:0:25 	443 	137:1:2 [click to add to suppress list] 	"(ssp_ssl) Invalid Client HELLO after Server HELLO Detected"
    07/16-16:36:14 	3 	TCP 	Not Suspicious Traffic 	2001:470:x Delete 	23321 	2607:f8b0:4004:801::1002 	80 	119:2:1 [click to add to suppress list] 	"(http_inspect) DOUBLE DECODING ATTACK"


    # Define Local Network  #
    var HOME_NET [,x.x.x.x/22,,2001:470:x:x::1/64,,,2001:470:x:x::2/64,,x.x.x.x,,,,,,,]


    # Define Local Network  #
    var HOME_NET [,,2001:470:x:x::/64,x.x.x.x/22,,2001:470:x:x::1/64,,,2001:470:x:x::2/64,,x.x.x.x,,,,,,,]
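
Added example, not part of the thread or of the snort package: a quick check of which LAN hosts a generated `var HOME_NET [...]` line actually covers, run against the before and after forms shown in the post above. All addresses are constructed documentation ranges standing in for the redacted values, and it assumes for illustration that the tunnel /64 and the routed LAN /64 are different prefixes.

```python
import ipaddress
import re

# Constructed sample values: 2001:db8::/32, 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges replacing the redacted addresses in the post.
BEFORE = "var HOME_NET [,192.0.2.0/24,,2001:db8:a:1::1/64,,,2001:db8:a:1::2/64,,198.51.100.7,,,]"
AFTER = ("var HOME_NET [,,2001:db8:b:1::/64,192.0.2.0/24,,2001:db8:a:1::1/64,,,"
         "2001:db8:a:1::2/64,,198.51.100.7,,,]")
LAN_HOSTS = ["2001:db8:b:1::50", "2001:db8:b:1:face::25", "192.0.2.10"]


def parse_home_net(line):
    """Return the networks in a 'var HOME_NET [...]' line, skipping empty entries."""
    match = re.search(r"HOME_NET\s+\[(.*)\]", line)
    if not match:
        raise ValueError("no HOME_NET list found")
    nets = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if entry:
            # strict=False masks host bits, so ::1/64 is read as its /64 network
            # (an assumption of this sketch about how such an entry is interpreted).
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def uncovered(hosts, nets):
    """Return the hosts that no HOME_NET entry of the same IP version contains."""
    missing = []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr.version == n.version and addr in n for n in nets):
            missing.append(host)
    return missing


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, "not in HOME_NET:", uncovered(LAN_HOSTS, parse_home_net(line)))
```

Any LAN address reported as uncovered is one that an alert could attribute to an external source, which is the situation the post describes before the /64 was added.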

  • Had to remove 2.5.0 on two installs as the WAN connection was being blocked, so DNS not found, resulting in router dropping WAN connection.  AMD 64, 2.0.1

  • Normally there were issues with alert_pf (blocking) parsing the whitelist, but they should be fixed on the latest binary of snort.
    So reinstall even the binary and not just the package.

