Snort FAQ


IPv6 configuration

All configuration options are consistent with past versions of Snort, with the obvious exception that IPv6 addresses can be used in place of IPv4 addresses at will. IP lists are allowed to have IP addresses from both families simultaneously. For example:

ipvar example [,2::2]
alert tcp [3::0/120,!3::3,] any -> $example any (msg:"Example";sid:1;)

See README.variables for more information.

Miscellaneous - BSD Fragmented IPv6 Vulnerability (CVE-2007-1365)

Some versions of BSD are vulnerable to an attack that involves sending two fragmented ICMPV6 packets with specific fragmentation flags (see Bugtraq ID 22901 or CVE-2007-1365). Snort will, by default alert if it sees the both packets in sequence, or the second packet by itself.

Snort will keep track of multiple simultaneous IPv6 fragmented ICMPv6 sessions, up to a user-configurable timeout or until a session can be confirmed to be safe.

To configure this module’s behavior, add a line to snort.conf with:

ipv6_frag <option1 arg1>[, <option2 arg2>, ...]


bsd_icmp_frag_alert [on/off]    -       Whether or not to alert on the 
                                        BSD fragmented ICMPv6 vulnerability

bad_ipv6_frag_alert [on/off]    -       Whether or not to alert if the 
                                        second packet is seen by itself

frag_timeout [integer]          -       Length of time to track the attack
                                        in seconds.  Min 0, max 3600, 
                                        default 60 (consistent with BSD's
                                        internal default).

max_frag_sessions [integer]     -       Total number of possible attacks 
                                        to track.  Min 0, default 10000.

To enable drops in inline mode, use “config enable_decode_drops”.