IPv6 configuration
==================

All configuration options are consistent with past versions of Snort, with the
obvious exception that IPv6 addresses can be used in place of IPv4 addresses 
at will.  IP lists are allowed to have IP addresses from both families 
simultaneously.  For example: 

    ipvar example [1.1.1.1,2::2]
    alert tcp [3::0/120,!3::3,4.4.4.4] any -> $example any (msg:"Example";sid:1;)

See README.variables for more information.


Miscellaneous - BSD Fragmented IPv6 Vulnerability (CVE-2007-1365)
=================================================================

Some versions of BSD are vulnerable to an attack that involves sending two
fragmented ICMPV6 packets with specific fragmentation flags (see Bugtraq ID
22901 or CVE-2007-1365).  Snort will, by default alert if it sees the both
packets in sequence, or the second packet by itself.  

Snort will keep track of multiple simultaneous IPv6 fragmented ICMPv6 sessions,
up to a user-configurable timeout or until a session can be confirmed to be
safe.

To configure this module's behavior, add a line to snort.conf with:
    
    ipv6_frag <option1 arg1>[, <option2 arg2>, ...]

Options:
   
    bsd_icmp_frag_alert [on/off]    -       Whether or not to alert on the 
                                            BSD fragmented ICMPv6 vulnerability

    bad_ipv6_frag_alert [on/off]    -       Whether or not to alert if the 
                                            second packet is seen by itself

    frag_timeout [integer]          -       Length of time to track the attack
                                            in seconds.  Min 0, max 3600, 
                                            default 60 (consistent with BSD's
                                            internal default).

    max_frag_sessions [integer]     -       Total number of possible attacks 
                                            to track.  Min 0, default 10000.

To enable drops in inline mode, use "config enable_decode_drops".