IPv6 ==== Snort 2.8 adds optional support for IPv6. To enable IPv6 support, configure with --enable-ipv6. Once enabled, Snort will process both IPv4 and IPv6 traffic, though some Snort modules are not supported. The following preprocessors are specifically supported when Snort is compiled with IPv6 support: Stream5 HTTP Inspect DCERPC Portscan BO RPC Decode IPv6 support is not included for the following, but will be added in a future release: Frag3 Database Aruba Prelude Respond Respond2 Dynamic plugins (Shared Object rules) FTP Telnet DNS SMTP Stream4 Flow Note: For stream reassembly and flow, use Stream5. All rule options are supported with the exception of the following: react resp IPv6 limitations ================ IPv6 fragmentation reassembly is not presently supported. Fragmented packets will be treated as individual, unfragmented packets. Various IP mapping techniques are ignored in Snort. If a user has a rule that matches any IPv4 address a.b.c.d, but the target packet is tunneling IPv4 within IPv6 using some IP-mapping that corresponds to the address a.b.c.d, the rule will not match. No rule options have yet been added to support inspection of specific IP extension headers. These will be added in a later release. No special support is given to ICMP6; it is handled the same as ICMP. IPv6 configuration ================== All configuration options are consistent with past versions of Snort, with the obvious exception that IPv6 addresses can be used in place of IPv4 addresses at will. IP lists are allowed to have IP addresses from both families simultaneously. For example: ipvar example [1.1.1.1,2::2] alert tcp [3::0/120,!3::3,4.4.4.4] any -> $example any (msg:"Example";sid:1;) See README.variables for more information. Miscellaneous - BSD Fragmented IPv6 Vulnerability (CVE-2007-1365) ================================================================= Some versions of BSD are vulnerable to an attack that involves sending two fragmented ICMPV6 packets with specific fragmentation flags (see Bugtraq ID 22901 or CVE-2007-1365). Snort will, by default alert if it sees the both packets in sequence, or the second packet by itself. Note: IPv6 support does NOT have to be enabled to gain this functionality. Snort will keep track of multiple simultaneous IPv6 fragmented ICMPv6 sessions, up to a user-configurable timeout or until a session can be confirmed to be safe. To configure this module's behavior, add a line to snort.conf with: ipv6_frag <option1 arg1>[, <option2 arg2>, ...] Options: bsd_icmp_frag_alert [on/off] - Whether or not to alert on the BSD fragmented ICMPv6 vulnerability bad_ipv6_frag_alert [on/off] - Whether or not to alert if the second packet is seen by itself frag_timeout [integer] - Length of time to track the attack in seconds. Min 0, max 3600, default 60 (consistent with BSD's internal default). max_frag_sessions [integer] - Total number of possible attacks to track. Min 0, default 10000. To enable drops in inline mode, use "config enable_decode_drops".