The IPv6 Snort Plugin 
Martin Schütte 
20 November 2014
Sections: IPv6 Security Issues | IDS/Snort | IPv6 Plugin | Conclusion
Context 
• Diploma thesis 
• 2011 at Potsdam University 
• part of “attack prevention and validated protection of IPv6 networks”
Martin Schütte IPv6 Snort Plugin DeepSec, 2014-11-20 2 / 43
State ~1994
IPv4 Internet:
• Research and Academic Networks
• Known design & implementation errors
• Little experience with protocol security
• No urgency for improvement
State ~today
IPv6 Internet:
• Research and Academic Networks
• Known design & implementation errors
• Little experience with protocol security
• No urgency for improvement (?)
I WANT YOU 
TO USE IPv6 
– Vint Cerf 
www.cs.brown.edu/~adf/cerf/ 
Network Devices ~1990s
by Mike Chapman 
Network Devices ~2012
gumstix-based Somniloquy prototype, Yuvraj Agarwal et al. Smartphone pictures by PaulK and Egy.One 
IPv6 Security / Design Issues 
• Main IPv6 RFCs from 1995/1998 
⇒ many years of IPv4 security experience to catch up with
⇒ designed for 1990s networks to solve 1990s problems
• No consideration of: mobile usage 
• Few (yet already old) implementations 
• Very little in end user devices 
• Uncertainty hinders deployment 
Multiple Generations of Standards 
[Figure from www.ernw.de: “Back to that IPv6’n’RFCs Time Bar …” (slide #52, 3/17/14)]
Neighbor Discovery: RFC 1970, RFC 2410, …, RFC 4861, …, RFC 6980
Address Selection: RFC 3484, RFC 6724
Generation of IID: EUI-64, Privacy Extensions, draft-ietf-6man-stable-privacy-addresses-17
NOW:
• Please spot … for $OS in your environment.
• Please spot … for $OTHER_OS in your environment.
• Please spot … $EACH_TYPE_OF_NETWORK_DEVICE
• Please spot … $STORAGE_DEVICES
Where are we now? ~2014
• Adoption starts to take off 
• Yet another wave of RFCs 
• RA Guard in some switches 
• Implementation bugfixes 
• Enough to protect CPEs? 
Attacks Against IPv6 
The usual: 
• Value ranges 
• Fragmentation 
• Denial of Service 
• Portscans 
• Errors in Application Layer 
IPv6 specific: 
• Autoconfiguration 
• Neighbor Discovery 
• Variable headers 
• Multicast 
• Routing 
• v4/v6 Transition 
Local Attacks 
Simple Denial of Service:
1. Host Alice starts Duplicate Address Detection: “Anyone using IP X?”
2. Host Eve answers “I have IP X.”
3. goto 1
Routing/Man in the Middle:
1. Host Eve sends ICMPv6 Redirect: “This is router Bob, for google.com please use router Eve.”
Remote Attacks 
• Denial of Service 
• Neighbor Cache Exhaustion 
• Oversized IPv6 Header Chains 
• Excessive Hop-by-Hop Options 
• Routing 
• RH0 source routing 
• Loop using IPv6 Automatic Tunnels 
Attack Collections: THC Toolkit 
by Marc Heuse 
Tools for specific attacks/tests: 
• Autoconfiguration DoS 
• Neighbor Cache 
• Routing/Redirect 
• Flood-Attacks 
• Multicast Listener Discovery 
• DHCPv6 
• implementation6 
Attack Collections: SI6 Networks’ IPv6 Toolkit 
by Fernando Gont
Tools for security assessments: 
• Neighbor Discovery messages 
• Addresses
• Flow Labels 
• Fragmentation 
• Jumbograms 
• ICMP Error messages 
• TCP segments 
Attack Collections: Chiron 
by Antonios Atlasis 
“IPv6 Attacking Framework”: 
• Neighbor Discovery messages 
• Scanner 
• IPv4-to-IPv6 Proxy 
• based on Scapy 
Countermeasures 
Very few; depending on network and usage context.
• Collect data for correlation and detection 
• Show anomalous network activity 
• Filter known-bad packets 
How to Filter and Monitor a Network? 
Placement at: 
• Routers 
• Switches 
• Packet Filters 
• Hosts 
Implementation as: 
• Stand-alone tool 
• Add-on for existing application
• Operating System module
⇒ High versatility: Intrusion Detection Systems
Target System: Snort 2.9 
• Widely used Open Source NIDS
• Filter/inline mode (Intrusion Prevention System)
• Plugin APIs
• Decoder for common tunnel protocols
(Snort logo: ©2012 Snort, the Snort Pig are registered trademarks of Sourcefire, Inc. All rights reserved.)
Snort Packet Processing Overview 
Network → DAQ/libpcap → [Snort: Packet Decoder → Pre-processor → Detection Engine (Rules) → Alert, Log] → Output (Logfiles, Database)
Decoding 
Incoming packet; decoder functions and the protocol each handles:
• DecodeEthPkt (Ethernet)
• DecodeVlanPkt (802.1Q)
• DecodePPPoEPkt (PPPoE)
• DecodePppPktEncapsulated (PPP)
• DecodeARP (ARP)
• DecodeIP (IPv4)
• DecodeIPV6 (IPv6)
• DecodeIPV6Extensions (IPv6 Ext Hdrs)
• DecodeIPV6Options (IPv6 Options)
• DecodeICMP (ICMP)
• DecodeUDP (UDP)
• DecodeTCP (TCP)
• DecodeICMP6 (ICMPv6)
Decoding Result: struct _Packet 
typedef struct _Packet
{
    const DAQ_PktHdr_t *pkth;   // packet meta data
    const uint8_t *pkt;         // raw packet data
    EtherARP *ah;
    const EtherHdr *eh;         /* standard TCP/IP/Ethernet/ARP headers */
    const VlanTagHdr *vh;
    const IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH */
    const IPHdr *inner_iph;     /* if IP-in-IP, this will be the inner */
    const IPHdr *outer_iph;     /* if IP-in-IP, this will be the outer */
    uint32_t preprocessor_bits; /* flags for preprocessors to check */
    uint32_t preproc_reassembly_pkt_bits;
    uint8_t ip_option_count;    /* number of options in this packet */
    uint8_t tcp_option_count;
    uint8_t ip6_extension_count;
    uint8_t ip6_frag_index;
    IPOptions ip_options[MAX_IP_OPTIONS];
    TCPOptions tcp_options[MAX_TCP_OPTIONS];
    IP6Extension ip6_extensions[MAX_IP6_EXTENSIONS];
    // ...
} Packet;
Rule Engine 
Example detection rule: 
var EXTERNAL_NET any
var SMTP_SERVERS [192.0.2.123,2001:db8:12:ab::123]
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
    flow:to_server,established;
    content:"|0A|Croot|0A|Mprog";
    metadata:service smtp;
    msg:"SMTP sendmail 8.6.9 exploit";
    reference:bugtraq,2311; reference:cve,1999-0204;
    classtype:attempted-user;
    sid:669; rev:9;
)
IPv6 Support 
technically yes, but … 
All major IDS have IPv6 support. 
What does that mean? 
• Fragment reassembly 
• TCP & UDP decoding ⇒ upper-layer checks
• Decoder-warning on severe protocol errors 
Not: 
• check extensions (Routing Headers, Jumbograms) 
• support all rule options (fragbits) 
• IPv6 specific detection (ICMPv6/Neighbor Discovery) 
IPv6 Signatures 
Existing rules work for IPv4 and IPv6 
No keywords for IPv6-only fields, no IPv6-only rules provided 
alert icmp any any -> any any
    (msg:"IPv6 ICMP Echo-Request?"; itype:128;
    classtype:icmp-event; sid:2000001; rev:1;)
Good for application layer checks 
Bad for protocol layer detection 
⇒ need to develop an IPv6 plugin
Snort Customizations 
• Writing rules 
• Dynamic Detection API: compiled rule evaluations 
• Dynamic Preprocessor API: 
• add rule options 
• do something with a packet 
Network → libpcap → [Snort: Packet Decoder → Pre-processor → Detection Engine (Rules) → Alert, Log] → Output (Logfiles, Database)
New IPv6 Rule Options 
Goal: Provide IPv6 access for signatures 
• Basic Header 
• Extension Headers 
• Neighbor Discovery Options 
Functionality: 
• Handler for option parsing on config (re-)load 
• Callbacks for option keywords 
• Called with rule parameter and current packet 
• Return match/no_match 
IPv6 Rule Options 
alert icmp any any -> any any (itype:8; ipv:4;
    msg:"ICMPv4 PING in v4 pkt"; sid:1000000; rev:1;)
alert icmp any any -> any any (itype:8; ipv:6;
    msg:"ICMPv4 PING in v6 pkt"; sid:1000001; rev:1;)
alert icmp any any -> any any (itype:128; ipv:4;
    msg:"ICMPv6 PING in v4 pkt"; sid:1000002; rev:1;)
alert icmp any any -> any any (itype:128; ipv:6;
    msg:"ICMPv6 PING in v6 pkt"; sid:1000003; rev:1;)
Resulting Evaluation Tree 
Port Group: ICMP any->any
  NC Rule Tree Root
    itype:8   → ipv:4 → leaf
              → ipv:6 → leaf
    itype:128 → ipv:4 → leaf
              → ipv:6 → leaf
Rule Options of the IPv6-Plugin 
ipv IP version 
ip6_tclass Traffic Class 
ip6_flow Flow Label 
ip6_exthdr Extension Header 
ip6_extnum Num. of Ext Hdrs. 
ip6_ext_ordered Ext Hdrs. correctly ordered (bool) 
ip6_option Destination-/HbH-Option 
ip6_optval Destination-/HbH-Option Value 
ip6_rh Routing Header 
icmp6_nd Neighbor Discovery (bool) 
icmp6_nd_option Neighbor Discovery Option 
(Most rules accept comparison operators = ! < >) 
More Examples 
alert ip any any -> any any (ip6_rh:!2;
    msg:"invalid routing hdr";
    sid:1000004; rev:1;)
alert ip any any -> any any (ip6_option:0.0xc2;
    msg:"ip6 option: Jumbo in HBH hdr";
    sid:100066; rev:1;)
# event threshold
alert icmp any any -> any any (icmp6_nd;
    detection_filter: track by_dst, count 50, seconds 1;
    msg:"ICMPv6 flooding";
    sid:100204; rev:1;)
# log only one flooding event per second:
event_filter gen_id 1, sig_id 100204, \
    type limit, track by_src, \
    count 1, seconds 1
Preprocessor for Neighbor Discovery Tracking 
Goal: monitor network changes 
• new hosts 
• new routers 
• basic extensions/options check 
Functionality: 
• Reads ICMPv6 messages 
• Follows network state, i. e. (MAC, IP) tuple of: 
• On-link Routers 
• On-link Hosts 
• Ongoing DADs 
• Alert on change 
Configuration 
in snort.conf, all optional 
net_prefix subnet prefixes 
router_mac known router MAC addresses 
host_mac known host MAC addresses 
max_routers max routers in state (default: 32) 
max_hosts max hosts in state (default: 8 K) 
max_unconfirmed max unconfirmed nodes in state (default: 32 K) 
keep_state remember nodes for n minutes (default: 180) 
expire_run clean memory every n minutes (default: 20) 
disable_tracking only rules & stateless checks (default: false) 
Configuration 
“normal use” 
preprocessor ipv6: \
    net_prefix 2001:0db8:1::/64 \
    router_mac 00:16:76:07:bc:92
Snort IPv6 Alerts: ND Tracking 
SID Message 
1 RA from new router 
2 RA from non-router MAC address 
3 RA prefix changed 
4 RA flags changed 
5 RA for non-local net prefix 
6 RA with lifetime 0 
7 new DAD started 
8 new host in network 
9 new host with non-allowed MAC addr. 
10 DAD with collision 
11 DAD with spoofed collision 
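The tracking logic of the preprocessor and the ND alert table above, reduced to Router Advertisements, as an added C example; this is not the spp_ipv6 plugin's code. It assumes an already parsed RA (source MAC, source IP, the /64 of its Prefix Information option, the router lifetime; these field names are assumptions), keeps the (MAC, IP) tuples of routers seen so far, and raises SIDs 1, 2, 3, 5 and 6 as bits of a mask so one packet can carry several alerts. The scenario in demo_scenario() reuses the net_prefix and router_mac values from the “normal use” configuration and is constructed.

```c
#include <stdint.h>
#include <string.h>

#define MAX_ROUTERS 32        /* plugin default max_routers */
#define MAX_ROUTER_MACS 8     /* capacity of the router_mac list (assumption) */

/* Alert SIDs from the ND Tracking table. */
enum { SID_RA_NEW_ROUTER = 1, SID_RA_NONROUTER_MAC = 2, SID_RA_PREFIX_CHANGED = 3,
       SID_RA_NONLOCAL_PREFIX = 5, SID_RA_LIFETIME_ZERO = 6 };

/* Pre-parsed Router Advertisement: only the fields the checks need (assumed layout). */
typedef struct {
    uint8_t  src_mac[6];
    uint8_t  src_ip[16];
    uint8_t  prefix[8];           /* first 64 bits of the advertised prefix */
    uint16_t router_lifetime;
} RouterAdvert;

typedef struct { uint8_t mac[6]; uint8_t ip[16]; uint8_t prefix[8]; } RouterEntry;

typedef struct {
    RouterEntry routers[MAX_ROUTERS];             /* (MAC, IP) tuples of on-link routers */
    int n_routers;
    uint8_t router_mac[MAX_ROUTER_MACS][6];       /* snort.conf router_mac */
    int n_router_mac;
    uint8_t net_prefix[8];                        /* snort.conf net_prefix (/64 only here) */
    int have_net_prefix;
} NdState;

static RouterEntry *find_router(NdState *st, const RouterAdvert *ra)
{
    for (int i = 0; i < st->n_routers; i++)
        if (memcmp(st->routers[i].mac, ra->src_mac, 6) == 0 &&
            memcmp(st->routers[i].ip, ra->src_ip, 16) == 0)
            return &st->routers[i];
    return NULL;
}

/* Process one RA; returns a mask with bit <SID> set for every alert raised. */
unsigned nd_track_ra(NdState *st, const RouterAdvert *ra)
{
    unsigned alerts = 0;
    if (ra->router_lifetime == 0)                  /* router withdrawing itself */
        alerts |= 1u << SID_RA_LIFETIME_ZERO;
    if (st->n_router_mac > 0) {                    /* router_mac list configured: enforce it */
        int known = 0;
        for (int i = 0; i < st->n_router_mac; i++)
            if (memcmp(st->router_mac[i], ra->src_mac, 6) == 0) known = 1;
        if (!known) alerts |= 1u << SID_RA_NONROUTER_MAC;
    }
    if (st->have_net_prefix && memcmp(st->net_prefix, ra->prefix, 8) != 0)
        alerts |= 1u << SID_RA_NONLOCAL_PREFIX;
    RouterEntry *r = find_router(st, ra);
    if (r == NULL) {                               /* unseen (MAC, IP) tuple */
        alerts |= 1u << SID_RA_NEW_ROUTER;
        if (st->n_routers < MAX_ROUTERS) {
            r = &st->routers[st->n_routers++];
            memcpy(r->mac, ra->src_mac, 6);
            memcpy(r->ip, ra->src_ip, 16);
            memcpy(r->prefix, ra->prefix, 8);
        }
    } else if (memcmp(r->prefix, ra->prefix, 8) != 0) {   /* known router, new prefix */
        alerts |= 1u << SID_RA_PREFIX_CHANGED;
        memcpy(r->prefix, ra->prefix, 8);
    }
    return alerts;
}

/* Constructed scenario with net_prefix 2001:db8:1::/64 and router_mac 00:16:76:07:bc:92.
   Replays steps 1..n and returns the alert mask of step n. */
unsigned demo_scenario(int n)
{
    NdState st;
    memset(&st, 0, sizeof st);
    const uint8_t good_mac[6] = {0x00, 0x16, 0x76, 0x07, 0xbc, 0x92};
    const uint8_t good_prefix[8] = {0x20, 0x01, 0x0d, 0xb8, 0x00, 0x01, 0x00, 0x00};
    memcpy(st.router_mac[0], good_mac, 6); st.n_router_mac = 1;
    memcpy(st.net_prefix, good_prefix, 8); st.have_net_prefix = 1;

    RouterAdvert legit, rogue, moved;
    memset(&legit, 0, sizeof legit);
    memcpy(legit.src_mac, good_mac, 6);
    legit.src_ip[0] = 0xfe; legit.src_ip[1] = 0x80; legit.src_ip[15] = 0x01;  /* fe80::1 */
    memcpy(legit.prefix, good_prefix, 8);
    legit.router_lifetime = 1800;
    rogue = legit;                                  /* other MAC, other IP, foreign prefix, lifetime 0 */
    rogue.src_mac[5] = 0xff; rogue.src_ip[15] = 0x02; rogue.prefix[5] = 0xbd; rogue.router_lifetime = 0;
    moved = legit;                                  /* the known router announces 2001:db8:2::/64 */
    moved.prefix[5] = 0x02;

    const RouterAdvert *steps[] = { &legit, &legit, &rogue, &moved };
    unsigned last = 0;
    for (int i = 0; i < n && i < 4; i++) last = nd_track_ra(&st, steps[i]);
    return last;
}
```

Step 1 raises only SID 1 (new router), step 2 is silent because the tuple is already tracked, step 3 raises SIDs 1, 2, 5 and 6 at once, and step 4 raises SID 3 together with SID 5, since the changed prefix is also outside net_prefix. Hosts, DAD tracking and the keep_state/expire_run timers are left out; they would follow the same lookup-then-compare pattern over a second table.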
Snort IPv6 Alerts: Packet Attributes 
SID Message 
12 mismatch in MAC/NDP src ll addr. 
13 extension header has only padding 
14 option lengths ≠ ext length
15 padding option data ≠ zero
16 consecutive padding options 
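Stateless checks for SIDs 13 to 16 over a single Hop-by-Hop or Destination Options header, as an added C example that is not the plugin's code. The option TLV layout and the Pad1/PadN rules are those of the IPv6 base specification (RFC 2460/8200); the alert bit names, check_ipv6_options() and the four eight-byte sample headers in demo_option_check() are constructed for this example. The Jumbo Payload option type 0xc2 is the one the ip6_option rule above matches on.

```c
#include <stdint.h>
#include <stddef.h>

/* Alert bits named after the SIDs in the Packet Attributes table. */
#define ALERT_ONLY_PADDING        (1u << 13)
#define ALERT_OPTLEN_MISMATCH     (1u << 14)
#define ALERT_PADDING_NONZERO     (1u << 15)
#define ALERT_CONSECUTIVE_PADDING (1u << 16)

#define OPT_PAD1 0   /* one byte, no length field */
#define OPT_PADN 1   /* type, length, then `length` zero bytes */

/* hdr points at the options header (Next Header byte first); avail is the number of
   bytes present. Returns a mask of the alerts above, 0 when the header is clean. */
unsigned check_ipv6_options(const uint8_t *hdr, size_t avail)
{
    unsigned alerts = 0;
    if (avail < 8) return ALERT_OPTLEN_MISMATCH;
    size_t hdrlen = 8 + ((size_t)hdr[1] << 3);      /* Hdr Ext Len: 8-octet units after the first 8 */
    if (hdrlen > avail) return ALERT_OPTLEN_MISMATCH;

    size_t off = 2;                                 /* options follow Next Header and Hdr Ext Len */
    int seen_real_option = 0, prev_was_padding = 0;
    while (off < hdrlen) {
        uint8_t type = hdr[off];
        if (type == OPT_PAD1) {
            if (prev_was_padding) alerts |= ALERT_CONSECUTIVE_PADDING;
            prev_was_padding = 1;
            off += 1;
            continue;
        }
        if (off + 2 > hdrlen) return alerts | ALERT_OPTLEN_MISMATCH;
        size_t olen = hdr[off + 1];
        if (off + 2 + olen > hdrlen) return alerts | ALERT_OPTLEN_MISMATCH;  /* TLV overruns header */
        if (type == OPT_PADN) {
            if (prev_was_padding) alerts |= ALERT_CONSECUTIVE_PADDING;
            for (size_t i = 0; i < olen; i++)       /* PadN payload must be all zero */
                if (hdr[off + 2 + i] != 0) alerts |= ALERT_PADDING_NONZERO;
            prev_was_padding = 1;
        } else {
            seen_real_option = 1;
            prev_was_padding = 0;
        }
        off += 2 + olen;
    }
    if (!seen_real_option) alerts |= ALERT_ONLY_PADDING;
    return alerts;
}

/* Constructed Hop-by-Hop headers: Next Header 58 (ICMPv6), Hdr Ext Len 0, 8 bytes each. */
unsigned demo_option_check(int sample)
{
    static const uint8_t jumbo[8]    = { 58, 0, 0xc2, 4, 0x00, 0x01, 0x00, 0x00 }; /* Jumbo Payload 65536 */
    static const uint8_t only_pad[8] = { 58, 0, 1, 4, 0, 0, 0, 0 };               /* one PadN, nothing else */
    static const uint8_t pad_junk[8] = { 58, 0, 0, 1, 1, 0xff, 0x1e, 0 };          /* Pad1, PadN with 0xff, experimental option 0x1e */
    static const uint8_t overrun[8]  = { 58, 0, 0xc2, 6, 0, 0, 0, 0 };            /* length 6 runs past the header */
    switch (sample) {
    case 0:  return check_ipv6_options(jumbo, sizeof jumbo);
    case 1:  return check_ipv6_options(only_pad, sizeof only_pad);
    case 2:  return check_ipv6_options(pad_junk, sizeof pad_junk);
    default: return check_ipv6_options(overrun, sizeof overrun);
    }
}
```

The walk stops at the first length inconsistency rather than trusting a later TLV, which is also why the overrun sample reports only SID 14 and not SID 13: once the header cannot be parsed, nothing can be said about what it contains.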
tester.pl
Test Runner (snort -c -r): takes PCAP data and snort.conf lines as input, runs Snort, and compares the SIDs in the resulting unified2 logfile against the expected SIDs to produce the result.
Verify intended results for given packet samples.
Extremely useful for development.
(But too limited for real network testing.)
Output/Visualization 
• Big Problem
• barnyard2 tool for Snort log processing (e. g. write SQL)
• Few Open Source frontends (BASE & Snorby)
• All using old SQL Schema, without IPv6 field
Alternative: Use ELK and build your own 
• Very good general purpose Log Collectors: Elasticsearch/Logstash/Kibana, Graylog2, Splunk
Kibana screenshot by Éric Leblond
Performance 
Theory: 
• Stateless checks require processing 
• ND Tracking requires memory ⇒ DoS risk
Practice: 
• Snort’s packet decoding does 90 % of the work 
• Configurable memory limit ~ 8 Mb 
• TCP stream reassembly is much more expensive 
Bugs Found in Snort (2.9.0) 
or: Real-World Problems of Major Commercial Security Products 
• Ping of Death, cannot process > 40 extension headers 
• wrong Endianness in GET_IPH_VER() 
• fragmentation breaks ICMP/UDP checksums 
• Routing Headers break ICMP/UDP checksums 
• fragbits rules not supported 
Extension Header Parsing in Snort 2.9.0 
void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p)
{
    const IP6Extension *exthdr = (const IP6Extension *)pkt; /* declaration elided on the slide */
    uint32_t hdrlen = 0;
    if (p->ip6_extension_count < IP6_EXTMAX) {
        switch (type) {
        case IPPROTO_HOPOPTS:
            hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
            /* further cases elided */
        }
    }
    /* missing else => hdrlen = 0 => infinite mutual recursion */
    DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p);
}

void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p)
{
    switch (next) {
    case IPPROTO_HOPOPTS:
    case IPPROTO_DSTOPTS:
    case IPPROTO_ROUTING:
    case IPPROTO_AH:
        DecodeIPV6Options(next, pkt, len, p);
        return;
    }
}
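For contrast with the Snort 2.9.0 code above, an added C example of a bounded, iterative chain walk; it is neither Snort's code nor the plugin's. Every branch either leaves the loop or advances the offset by at least 8 bytes, so the hdrlen = 0 case that drives the mutual recursion cannot occur, and the IP6_EXTMAX = 40 ceiling turns into an error return instead of a crash. The NH_* constants are the IANA Next Header values; walk_ext_chain() and the buffers in demo_walk(), including a 41-header chain, are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPv6 Next Header values (IANA). */
#define NH_HOPOPTS   0
#define NH_ROUTING  43
#define NH_FRAGMENT 44
#define NH_AH       51
#define NH_ICMPV6   58
#define NH_DSTOPTS  60

#define IP6_EXTMAX  40   /* the same ceiling Snort 2.9.0 had for ip6_extensions[] */

enum { EXT_TRUNCATED = -1, EXT_TOO_MANY = -2 };

/* Walk the extension-header chain that starts with next-header value `first`.
   On success returns the number of extension headers and stores the upper-layer
   protocol in *upper; otherwise returns one of the negative codes above. */
int walk_ext_chain(uint8_t first, const uint8_t *pkt, size_t len, uint8_t *upper)
{
    uint8_t next = first;
    size_t off = 0;
    int count = 0;

    for (;;) {
        size_t hdrlen;
        switch (next) {
        case NH_HOPOPTS: case NH_DSTOPTS: case NH_ROUTING:
            if (off + 2 > len) return EXT_TRUNCATED;
            hdrlen = 8 + ((size_t)pkt[off + 1] << 3);   /* Hdr Ext Len in 8-octet units */
            break;
        case NH_AH:
            if (off + 2 > len) return EXT_TRUNCATED;
            hdrlen = 8 + ((size_t)pkt[off + 1] << 2);   /* AH Payload Len: 4-octet units, minus 2 */
            break;
        case NH_FRAGMENT:
            hdrlen = 8;                                  /* fixed size */
            break;
        default:                                         /* not an extension header: done */
            *upper = next;
            return count;
        }
        if (count >= IP6_EXTMAX) return EXT_TOO_MANY;    /* bounded instead of overrun */
        if (off + hdrlen > len) return EXT_TRUNCATED;    /* header claims more than present */
        next = pkt[off];                                 /* Next Header is the first byte */
        off += hdrlen;                                   /* always >= 8: guaranteed progress */
        count++;
    }
}

/* Constructed samples; every extension header is 8 zero-filled bytes (Hdr Ext Len 0)
   except for the Next Header byte. */
int demo_walk(int sample)
{
    uint8_t buf[8 * (IP6_EXTMAX + 2)];
    uint8_t upper = 0;
    memset(buf, 0, sizeof buf);

    if (sample == 0) {   /* HBH -> DSTOPTS -> Fragment -> ICMPv6 */
        buf[0] = NH_DSTOPTS; buf[8] = NH_FRAGMENT; buf[16] = NH_ICMPV6;
        int n = walk_ext_chain(NH_HOPOPTS, buf, 24, &upper);
        return (n == 3 && upper == NH_ICMPV6) ? n : -100;
    }
    if (sample == 1) {   /* 41 Destination Options headers in a row, then ICMPv6 */
        for (int i = 0; i < IP6_EXTMAX; i++) buf[8 * i] = NH_DSTOPTS;
        buf[8 * IP6_EXTMAX] = NH_ICMPV6;
        return walk_ext_chain(NH_DSTOPTS, buf, sizeof buf, &upper);
    }
    /* sample 2: a Routing header announcing 24 bytes when only 8 are present */
    buf[0] = NH_ICMPV6; buf[1] = 2;
    return walk_ext_chain(NH_ROUTING, buf, 8, &upper);
}

int main(void)
{
    printf("valid chain: %d headers\n", demo_walk(0));        /* 3 */
    printf("41-header chain: %d\n", demo_walk(1));             /* EXT_TOO_MANY */
    printf("truncated routing header: %d\n", demo_walk(2));    /* EXT_TRUNCATED */
    return 0;
}
```

The decoder-side counterpart of the bug list above is the pair of checks before the offset moves: a count limit that returns instead of indexing past the array, and a length check against what was actually captured. Ordering checks (Hop-by-Hop only in first position, at most one of each type) are what ip6_ext_ordered would add on top.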
Conclusion 
• It works! 
• Dynamic Library (no need to recompile Snort) 
• Enables IPv6-specific detection signatures 
• Snort & IPv6-Plugin detect several THC attacks 
• Cannot solve fundamental problems: DoS and insecure Ethernet 
• Can raise visibility and awareness of network threat situation 
Contact 
E-Mail: info@mschuette.name 
Project Page: http://mschuette.name/wp/snortipv6/ 
Source Code: https://github.com/mschuett/spp_ipv6 
Thanks to: (sponsor logo) “heavy lifting for complex web and mobile systems”

Transcript: Green paths: Learning from publishers’ sustainability journeys - ...BookNet Canada
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MIRomil Mishra
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfHCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfROWELL MARQUINA
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024BookNet Canada
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfwill854175
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactivestartupro
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 

Recently uploaded (20)

A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptx
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfHCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactive
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 

The IPv6 Snort Plugin (at DeepSec 2014)

  • 1. The IPv6 Snort Plugin. Martin Schütte, 20 November 2014
  • 2. Context
    (Outline: IPv6 Security Issues, IDS/Snort, IPv6 Plugin, Conclusion)
    • Diploma thesis
    • 2011 at Potsdam University
    • part of “attack prevention and validated protection of IPv6 networks”
    Martin Schütte, IPv6 Snort Plugin, DeepSec, 2014-11-20, 2 / 43
  • 3. State ~1994. IPv4 Internet:
    • Research and academic networks
    • Known design & implementation errors
    • Little experience with protocol security
    • No urgency for improvement
  • 4. State ~today. IPv6 Internet:
    • Research and academic networks
    • Known design & implementation errors
    • Little experience with protocol security
    • No urgency for improvement (?)
    “I WANT YOU TO USE IPv6” – Vint Cerf (www.cs.brown.edu/~adf/cerf/)
  • 5. Network Devices ~1990s (photo by Mike Chapman)
  • 6. Network Devices ~2012 (gumstix-based Somniloquy prototype, Yuvraj Agarwal et al.; smartphone pictures by PaulK and Egy.One)
  • 7. IPv6 Security / Design Issues
    • Main IPv6 RFCs from 1995/1998
      ⇒ many years of IPv4 security experience to catch up with
      ⇒ designed for 1990s networks to solve 1990s problems
    • No consideration of mobile usage
    • Few (yet already old) implementations
    • Very little in end user devices
    • Uncertainty hinders deployment
  • 8. Multiple Generations of Standards
    (timeline figure from www.ernw.de: “Back to that IPv6’n’RFCs Time Bar …”)
    • Neighbor Discovery: RFC 1970, RFC 2410, RFC 4861, … RFC 6980
    • Address Selection: RFC 3484, RFC 6724
    • Generation of IID: EUI-64, Privacy Extensions, draft-ietf-6man-stable-privacy-addresses-17
    NOW: Please spot … for $OS in your environment. Please spot … for $OTHER_OS in your environment. Please spot … $EACH_TYPE_OF_NETWORK_DEVICE. Please spot … $STORAGE_DEVICES.
  • 9. Where are we now? ~2014
    • Adoption starts to take off
    • Yet another wave of RFCs
    • RA Guard in some switches
    • Implementation bugfixes
    • Enough to protect CPEs?
  • 10. Attacks Against IPv6
    The usual:
    • Value ranges
    • Fragmentation
    • Denial of Service
    • Portscans
    • Errors in the application layer
    IPv6 specific:
    • Autoconfiguration
    • Neighbor Discovery
    • Variable headers
    • Multicast
    • Routing
    • v4/v6 transition
  • 11. Local Attacks
    Simple Denial of Service:
    1. Host Alice starts Duplicate Address Detection: “Anyone using IP X?”
    2. Host Eve answers: “I have IP X.”
    3. goto 1
    Routing / Man in the Middle:
    1. Host Eve sends an ICMPv6 Redirect: “This is router Bob, for google.com please use router Eve.”
  • 12. Remote Attacks
    • Denial of Service
      • Neighbor Cache Exhaustion
      • Oversized IPv6 header chains
      • Excessive Hop-by-Hop options
    • Routing
      • RH0 source routing
      • Loop using IPv6 automatic tunnels
  • 13. Attack Collections: THC Toolkit by Marc Heuse
    Tools for specific attacks/tests:
    • Autoconfiguration DoS
    • Neighbor Cache
    • Routing/Redirect
    • Flood attacks
    • Multicast Listener Discovery
    • DHCPv6
    • implementation6
  • 14. Attack Collections: SI6 Networks’ IPv6 Toolkit by Fernando Gont
    Tools for security assessments:
    • Neighbor Discovery messages
    • Addresses
    • Flow Labels
    • Fragmentation
    • Jumbograms
    • ICMP error messages
    • TCP segments
  • 15. Attack Collections: Chiron by Antonios Atlasis
    “IPv6 Attacking Framework”:
    • Neighbor Discovery messages
    • Scanner
    • IPv4-to-IPv6 proxy
    • based on Scapy
  • 16. Countermeasures
    Very few; depending on network and usage context.
    • Collect data for correlation and detection
    • Show anomalous network activity
    • Filter known-bad packets
  • 17. How to Filter and Monitor a Network?
    Placement at:
    • Routers
    • Switches
    • Packet filters
    • Hosts
    Implementation as:
    • Stand-alone tool
    • Add-on for an existing application
    • Operating system module
    ⇒ High versatility: Intrusion Detection Systems
  • 18. Target System: Snort 2.9
    • Widely used open source NIDS
    • Filter/inline mode (Intrusion Prevention System)
    • Plugin APIs
    • Decoder for common tunnel protocols
    (Snort and the Snort Pig are registered trademarks of Sourcefire, Inc.)
  • 19. Snort Packet Processing Overview
    Network → DAQ/libpcap → Packet Decoder → Pre-processor → Detection Engine (Rules) → Alert/Log Output → Logfiles, Database
  • 20. Decoding
    Incoming packet → DecodeEthPkt (Ethernet) → DecodeVlanPkt (802.1Q) → DecodePPPoEPkt (PPPoE) → DecodePppPktEncapsulated (PPP)
    → DecodeARP (ARP) | DecodeIP (IPv4) | DecodeIPV6 (IPv6) → DecodeIPV6Extensions (IPv6 extension headers) → DecodeIPV6Options (IPv6 options)
    → DecodeICMP (ICMP) | DecodeUDP (UDP) | DecodeTCP (TCP) | DecodeICMP6 (ICMPv6)
  • 21. Decoding Result: struct _Packet
    typedef struct _Packet {
        const DAQ_PktHdr_t *pkth;    // packet meta data
        const uint8_t *pkt;          // raw packet data
        EtherARP *ah;
        const EtherHdr *eh;          /* standard TCP/IP/Ethernet/ARP headers */
        const VlanTagHdr *vh;
        const IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH */
        const IPHdr *inner_iph;      /* if IP-in-IP, this will be the inner */
        const IPHdr *outer_iph;      /* if IP-in-IP, this will be the outer */
        uint32_t preprocessor_bits;  /* flags for preprocessors to check */
        uint32_t preproc_reassembly_pkt_bits;
        uint8_t ip_option_count;     /* number of options in this packet */
        uint8_t tcp_option_count;
        uint8_t ip6_extension_count;
        uint8_t ip6_frag_index;
        IPOptions ip_options[MAX_IP_OPTIONS];
        TCPOptions tcp_options[MAX_TCP_OPTIONS];
        IP6Extension ip6_extensions[MAX_IP6_EXTENSIONS];
        // ...
    } Packet;
  • 22. Rule Engine. Example detection rule:
    var EXTERNAL_NET any
    var SMTP_SERVERS [192.0.2.123, 2001:db8:12:ab::123]
    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
        flow:to_server,established;
        content:"|0A|Croot|0A|Mprog";
        metadata:service smtp;
        msg:"SMTP sendmail 8.6.9 exploit";
        reference:bugtraq,2311; reference:cve,1999-0204;
        classtype:attempted-user; sid:669; rev:9;
    )
  • 23. IPv6 Support: technically yes, but …
    All major IDS have IPv6 support. What does that mean?
    • Fragment reassembly
    • TCP & UDP decoding ⇒ upper-layer checks
    • Decoder warning on severe protocol errors
    Not:
    • checking extension headers (Routing Headers, Jumbograms)
    • supporting all rule options (fragbits)
    • IPv6-specific detection (ICMPv6/Neighbor Discovery)
  • 24. IPv6 Signatures
    Existing rules work for IPv4 and IPv6. No keywords for IPv6-only fields, no IPv6-only rules provided:
    alert icmp any any -> any any (msg:"IPv6 ICMP Echo-Request ?"; itype:128; classtype:icmp-event; sid:2000001; rev:1;)
    Good for application layer checks, bad for protocol layer detection ⇒ need to develop an IPv6 plugin
  • 25. Snort Customizations
    • Writing rules
    • Dynamic Detection API: compiled rule evaluations
    • Dynamic Preprocessor API:
      • add rule options
      • do something with a packet
    (hooks into the packet pipeline of slide 19: Packet Decoder → Pre-processor → Detection Engine)
  • 26. New IPv6 Rule Options
    Goal: provide IPv6 access for signatures
    • Basic header
    • Extension headers
    • Neighbor Discovery options
    Functionality:
    • Handler for option parsing on config (re-)load
    • Callbacks for option keywords
    • Called with rule parameter and current packet
    • Return match/no_match
  • 27. IPv6 Rule Options
    alert icmp any any -> any any (itype:8; ipv:4; msg:"ICMPv4 PING in v4 pkt"; sid:1000000; rev:1;)
    alert icmp any any -> any any (itype:8; ipv:6; msg:"ICMPv4 PING in v6 pkt"; sid:1000001; rev:1;)
    alert icmp any any -> any any (itype:128; ipv:4; msg:"ICMPv6 PING in v4 pkt"; sid:1000002; rev:1;)
    alert icmp any any -> any any (itype:128; ipv:6; msg:"ICMPv6 PING in v6 pkt"; sid:1000003; rev:1;)
  • 28. Resulting Evaluation Tree
    Port Group ICMP any->any NC → Rule Tree Root → itype:8 | itype:128 → ipv:4 | ipv:6 → leaf | leaf
  • 29. Rule Options of the IPv6-Plugin
    ipv               IP version
    ip6_tclass        Traffic Class
    ip6_flow          Flow Label
    ip6_exthdr        Extension Header
    ip6_extnum        Number of extension headers
    ip6_ext_ordered   Extension headers correctly ordered (bool)
    ip6_option        Destination-/HbH-Option
    ip6_optval        Destination-/HbH-Option value
    ip6_rh            Routing Header
    icmp6_nd          Neighbor Discovery (bool)
    icmp6_nd_option   Neighbor Discovery Option
    (Most options accept the comparison operators = ! < >)
  • 30. More Examples
    alert ip any any -> any any (ip6_rh:!2; msg:"invalid routing hdr"; sid:1000004; rev:1;)
    alert ip any any -> any any (ip6_option:0.0xc2; msg:"ip6 option: Jumbo in HBH hdr"; sid:100066; rev:1;)
    # event threshold
    alert icmp any any -> any any (icmp6_nd; detection_filter: track by_dst, count 50, seconds 1; msg:"ICMPv6 flooding"; sid:100204; rev:1;)
    # log only one flooding event per second:
    event_filter gen_id 1, sig_id 100204, type limit, track by_src, count 1, seconds 1
  • 31. Preprocessor for Neighbor Discovery Tracking
    Goal: monitor network changes
    • new hosts
    • new routers
    • basic extension/option checks
    Functionality:
    • Reads ICMPv6 messages
    • Follows network state, i.e. the (MAC, IP) tuples of:
      • on-link routers
      • on-link hosts
      • ongoing DADs
    • Alerts on change
  • 32. Configuration in snort.conf, all optional
    net_prefix        subnet prefixes
    router_mac        known router MAC addresses
    host_mac          known host MAC addresses
    max_routers       max routers in state (default: 32)
    max_hosts         max hosts in state (default: 8 K)
    max_unconfirmed   max unconfirmed nodes in state (default: 32 K)
    keep_state        remember nodes for n minutes (default: 180)
    expire_run        clean memory every n minutes (default: 20)
    disable_tracking  only rules & stateless checks (default: false)
  • 33. Configuration, “normal use”
    preprocessor ipv6: net_prefix 2001:0db8:1::/64 router_mac 00:16:76:07:bc:92
  • 34. Snort IPv6 Alerts: ND Tracking
    SID  Message
    1    RA from new router
    2    RA from non-router MAC address
    3    RA prefix changed
    4    RA flags changed
    5    RA for non-local net prefix
    6    RA with lifetime 0
    7    new DAD started
    8    new host in network
    9    new host with non-allowed MAC address
    10   DAD with collision
    11   DAD with spoofed collision
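Added example, not code from the slides or from spp_ipv6: a minimal neighbor-discovery tracker in C that follows the state model of slides 31 to 34 (on-link routers, on-link hosts and DADs in progress as (MAC, IP) tuples) and reports the SIDs of slide 34 as a bitmask. The router_mac and host_mac allow-lists and the MAX_NODES bound stand in for the snort.conf options of slide 32; the ND trace replayed in main() is constructed, and the criterion used for “DAD with spoofed collision” (an answer from a MAC never seen with that address) is this example's own assumption, not the plugin's.

```c
/* Added example, not spp_ipv6 code: a minimal neighbor-discovery tracker in the
 * spirit of slides 31-34. It keeps (MAC, IP) tuples for on-link routers, hosts and
 * DADs in progress and reports the SIDs of slide 34 as a bitmask. The "spoofed
 * collision" criterion (SID 11) is this example's own assumption. */
#include <stdio.h>
#include <string.h>

enum { SID_NEW_ROUTER = 1, SID_RA_NONROUTER_MAC = 2, SID_RA_PREFIX_CHANGED = 3,
       SID_RA_LIFETIME_ZERO = 6, SID_DAD_STARTED = 7, SID_NEW_HOST = 8,
       SID_HOST_BAD_MAC = 9, SID_DAD_COLLISION = 10, SID_DAD_SPOOFED = 11 };
#define SID(x) (1u << (x))

#define MAX_NODES 32   /* stands in for max_routers/max_hosts: state stays bounded */
struct node  { char mac[18]; char ip[40]; };
struct table { struct node n[MAX_NODES]; int len; };

struct nd_state {
    const char *const *router_macs;   /* config router_mac: NULL-terminated list, or NULL */
    const char *const *host_macs;     /* config host_mac:   NULL-terminated list, or NULL */
    struct table routers;             /* ip field holds the advertised prefix */
    struct table hosts;               /* confirmed (MAC, IP) tuples */
    struct table dads;                /* mac = node doing DAD, ip = tentative address */
};
struct nd_state demo_state;                                       /* used by main() */
const char *const demo_router_macs[] = { "00:16:76:07:bc:92", NULL };   /* constructed config */

static int in_list(const char *const *list, const char *mac) {
    if (!list) return 1;                          /* nothing configured: allow all */
    for (; *list; list++) if (strcmp(*list, mac) == 0) return 1;
    return 0;
}
/* NULL for mac or ip acts as a wildcard. */
static struct node *find(struct table *t, const char *mac, const char *ip) {
    for (int i = 0; i < t->len; i++)
        if ((!mac || !strcmp(t->n[i].mac, mac)) && (!ip || !strcmp(t->n[i].ip, ip)))
            return &t->n[i];
    return NULL;
}
static void add(struct table *t, const char *mac, const char *ip) {
    if (t->len >= MAX_NODES) return;              /* full: drop instead of growing (DoS guard) */
    struct node *n = &t->n[t->len++];
    snprintf(n->mac, sizeof n->mac, "%s", mac);
    snprintf(n->ip, sizeof n->ip, "%s", ip);
}
static void del(struct table *t, struct node *n) { *n = t->n[--t->len]; }

void nd_init(struct nd_state *st, const char *const *router_macs, const char *const *host_macs) {
    memset(st, 0, sizeof *st);
    st->router_macs = router_macs;
    st->host_macs = host_macs;
}

/* Router Advertisement from MAC announcing prefix with the given router lifetime. */
unsigned nd_router_advert(struct nd_state *st, const char *mac, const char *prefix, unsigned lifetime) {
    unsigned a = 0;
    if (!in_list(st->router_macs, mac)) a |= SID(SID_RA_NONROUTER_MAC);
    if (lifetime == 0) a |= SID(SID_RA_LIFETIME_ZERO);   /* "stop using me as default router" */
    struct node *r = find(&st->routers, mac, NULL);
    if (!r) { a |= SID(SID_NEW_ROUTER); add(&st->routers, mac, prefix); }
    else if (strcmp(r->ip, prefix)) {
        a |= SID(SID_RA_PREFIX_CHANGED);
        snprintf(r->ip, sizeof r->ip, "%s", prefix);
    }
    return a;
}

/* Neighbor Solicitation with unspecified source address: MAC starts DAD for target. */
unsigned nd_dad_start(struct nd_state *st, const char *mac, const char *target) {
    if (!find(&st->dads, NULL, target)) add(&st->dads, mac, target);
    return SID(SID_DAD_STARTED);
}

/* Neighbor Advertisement: MAC claims target. */
unsigned nd_neighbor_advert(struct nd_state *st, const char *mac, const char *target) {
    unsigned a = 0;
    struct node *d = find(&st->dads, NULL, target);
    if (d) {                                      /* reply to a pending DAD: a collision */
        a |= SID(SID_DAD_COLLISION);
        if (!find(&st->hosts, mac, target))       /* claimant never seen with it: call it spoofed */
            a |= SID(SID_DAD_SPOOFED);
        del(&st->dads, d);
        return a;
    }
    if (!find(&st->hosts, mac, target)) {
        a |= SID(SID_NEW_HOST);
        if (!in_list(st->host_macs, mac)) a |= SID(SID_HOST_BAD_MAC);
        add(&st->hosts, mac, target);
    }
    return a;
}

int main(void) {   /* replay of a constructed ND trace; prints the SID bitmask per message */
    nd_init(&demo_state, demo_router_macs, NULL);
    printf("RA from known router:       %#x\n", nd_router_advert(&demo_state, "00:16:76:07:bc:92", "2001:db8:1::/64", 1800));
    printf("RA lifetime 0, unknown MAC: %#x\n", nd_router_advert(&demo_state, "00:0c:29:aa:bb:cc", "2001:db8:1::/64", 0));
    printf("DAD started:                %#x\n", nd_dad_start(&demo_state, "00:0c:29:11:22:33", "2001:db8:1::10"));
    printf("NA answering that DAD:      %#x\n", nd_neighbor_advert(&demo_state, "00:0c:29:44:55:66", "2001:db8:1::10"));
    return 0;
}
```

Bit n of the returned mask is SID n, so the router-kill pattern of slide 11 (an RA with lifetime 0 from a MAC that is not in router_mac) comes back as SIDs 2, 6 and 1 in one message, and the THC-style DAD attack (every DAD answered by a node that never owned the address) as SIDs 10 and 11. The tables are fixed-size on purpose: the preprocessor's memory is attacker-controlled only up to the configured bound, which is the DoS consideration slide 39 raises.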
  • 35. Snort IPv6 Alerts: Packet Attributes
    SID  Message
    12   mismatch in MAC / NDP source link-layer address
    13   extension header has only padding
    14   option lengths ≠ extension header length
    15   padding option data ≠ zero
    16   consecutive padding options
  • 36. tester.pl
    Inputs (PCAP data, snort.conf lines, expected SIDs) → Test Runner (snort -c -r) → Logfile (unified2) → Compare → Result
    Verifies the intended results for given packet samples. Extremely useful for development (but too limited for real network testing).
  • 37. Output/Visualization
    • Big problem
    • barnyard2 tool for Snort log processing (e.g. write SQL)
    • Few open source frontends (BASE & Snorby)
    • All using the old SQL schema, without an IPv6 field
  • 38. Alternative: Use ELK and build your own
    • Very good general purpose log collectors: Elasticsearch/Logstash/Kibana, Graylog2, Splunk
    (Kibana screenshot by Éric Leblond)
  • 39. Performance
    Theory:
    • Stateless checks require processing
    • ND tracking requires memory ⇒ DoS risk
    Practice:
    • Snort’s packet decoding does 90 % of the work
    • Configurable memory limit, ~8 MB
    • TCP stream reassembly is much more expensive
  • 40. Bugs Found in Snort (2.9.0), or: Real-World Problems of Major Commercial Security Products
    • Ping of Death: cannot process > 40 extension headers (see the decoder code on the next slide)
    • wrong endianness in GET_IPH_VER()
    • fragmentation breaks ICMP/UDP checksums
    • Routing Headers break ICMP/UDP checksums
    • fragbits rules not supported
  • 41. Extension Header Parsing in Snort 2.9.0 (excerpt)
    void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p)
    {
        const IP6Extension *exthdr = (const IP6Extension *) pkt;
        uint32_t hdrlen = 0;
        if (p->ip6_extension_count < IP6_EXTMAX) {
            switch (type) {
            case IPPROTO_HOPOPTS:
                hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
            }
        }
        /* missing else => hdrlen = 0 => infinite mutual recursion */
        DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p);
    }

    void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p)
    {
        switch (next) {
        case IPPROTO_HOPOPTS:
        case IPPROTO_DSTOPTS:
        case IPPROTO_ROUTING:
        case IPPROTO_AH:
            DecodeIPV6Options(next, pkt, len, p);
            return;
        }
    }
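Added example, not Snort or spp_ipv6 code: the extension-header walk that the excerpt on slide 41 gets wrong, written as a bounded loop instead of mutual recursion, together with the stateless option checks behind SIDs 13 to 16 on slide 35 and the header count and ordering that the ip6_extnum and ip6_ext_ordered options of slide 29 expose. The flag names, the MAX_EXT ceiling of 40 and the three sample packets (a clean MLD-style Hop-by-Hop header, an evasion-style chain, and the 41-header chain from slide 40) are this example's own constructions.

```c
/* Added example, not Snort or spp_ipv6 code: a bounded IPv6 extension-header walker
 * with the stateless checks behind the plugin's SIDs 13-16 and its ip6_extnum /
 * ip6_ext_ordered rule options. All sample packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { IP6_HOPOPTS = 0, IP6_ROUTING = 43, IP6_FRAGMENT = 44,
       IP6_ICMPV6 = 58, IP6_NONE = 59, IP6_DSTOPTS = 60 };
#define MAX_EXT 40   /* hard ceiling on the chain: the loop stops instead of recursing */

/* Result flags; F_ONLY_PAD .. F_PAD_CONSEC mirror the plugin's SIDs 13-16. */
enum { F_TRUNCATED = 1, F_TOO_MANY = 2, F_UNORDERED = 4,
       F_ONLY_PAD = 8, F_OPT_LEN = 16, F_PAD_DATA = 32, F_PAD_CONSEC = 64 };
struct ext_result { int count; int upper; unsigned flags; };
struct ext_result last_result;   /* filled by the case_* functions below */

static int is_ext(uint8_t nh) {
    return nh == IP6_HOPOPTS || nh == IP6_ROUTING || nh == IP6_FRAGMENT || nh == IP6_DSTOPTS;
}

/* TLV options of a Hop-by-Hop or Destination Options header (RFC 2460, section 4.2). */
static unsigned check_options(const uint8_t *o, size_t n) {
    unsigned f = 0; size_t i = 0; int prev_pad = 0, real_opt = 0;
    while (i < n) {
        uint8_t type = o[i];
        if (type == 0) {                                  /* Pad1: one byte, no length */
            if (prev_pad) f |= F_PAD_CONSEC;              /* SID 16 */
            prev_pad = 1; i++; continue;
        }
        if (i + 2 > n) { f |= F_OPT_LEN; break; }         /* SID 14 */
        size_t len = o[i + 1];
        if (i + 2 + len > n) { f |= F_OPT_LEN; break; }
        if (type == 1) {                                  /* PadN: payload must be zero */
            if (prev_pad) f |= F_PAD_CONSEC;
            for (size_t k = 0; k < len; k++) if (o[i + 2 + k]) f |= F_PAD_DATA;   /* SID 15 */
            prev_pad = 1;
        } else { prev_pad = 0; real_opt = 1; }
        i += 2 + len;
    }
    if (!real_opt) f |= F_ONLY_PAD;                       /* SID 13 */
    return f;
}

/* Walk the chain behind the 40-byte fixed header. Returns 0 when the upper-layer
 * protocol was reached, -1 when parsing had to stop; r->flags says why. */
int walk_ip6(const uint8_t *pkt, size_t len, struct ext_result *r) {
    memset(r, 0, sizeof *r); r->upper = -1;
    if (len < 40) { r->flags |= F_TRUNCATED; return -1; }
    uint8_t nh = pkt[6]; size_t off = 40; int prev_rank = 0, past_routing = 0;
    while (is_ext(nh)) {
        if (r->count >= MAX_EXT) { r->flags |= F_TOO_MANY; return -1; }
        if (off + 2 > len) { r->flags |= F_TRUNCATED; return -1; }
        size_t hlen = nh == IP6_FRAGMENT ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (off + hlen > len) { r->flags |= F_TRUNCATED; return -1; }
        /* Recommended order: HBH, DstOpts, Routing, Fragment, ..., DstOpts, upper layer.
         * A repeated Destination Options header is tolerated, any other repeat is flagged. */
        int rank = nh == IP6_HOPOPTS ? 1 : nh == IP6_ROUTING ? 3 : nh == IP6_FRAGMENT ? 4
                 : past_routing ? 5 : 2;
        if (rank < prev_rank || (rank == prev_rank && nh != IP6_DSTOPTS)) r->flags |= F_UNORDERED;
        if (nh == IP6_ROUTING || nh == IP6_FRAGMENT) past_routing = 1;
        if (nh == IP6_HOPOPTS || nh == IP6_DSTOPTS) r->flags |= check_options(pkt + off + 2, hlen - 2);
        prev_rank = rank; r->count++;
        nh = pkt[off]; off += hlen;
    }
    r->upper = nh;
    return 0;
}

/* Constructed packets: fixed header with zeroed addresses in front of a given chain. */
static size_t make_pkt(uint8_t *buf, uint8_t first_nh, const uint8_t *chain, size_t n) {
    memset(buf, 0, 40);
    buf[0] = 0x60; buf[4] = (uint8_t)(n >> 8); buf[5] = (uint8_t)n; buf[6] = first_nh; buf[7] = 64;
    memcpy(buf + 40, chain, n);
    return 40 + n;
}
/* Case A: Hop-by-Hop with Router Alert plus PadN(0), as MLD reports carry it. */
unsigned case_clean(void) {
    static const uint8_t hbh[] = { IP6_ICMPV6, 0, 5, 2, 0, 0, 1, 0 };
    uint8_t buf[64]; size_t n = make_pkt(buf, IP6_HOPOPTS, hbh, sizeof hbh);
    walk_ip6(buf, n, &last_result); return last_result.flags;
}
/* Case B: Destination Options ahead of Hop-by-Hop (wrong order); both carry only
 * padding, the second one a non-zero PadN followed by two Pad1 bytes. */
unsigned case_evasion(void) {
    static const uint8_t chain[] = { IP6_HOPOPTS, 0, 1, 4, 0, 0, 0, 0,
                                     IP6_ICMPV6,  0, 1, 2, 0xaa, 0xbb, 0, 0 };
    uint8_t buf[64]; size_t n = make_pkt(buf, IP6_DSTOPTS, chain, sizeof chain);
    walk_ip6(buf, n, &last_result); return last_result.flags;
}
/* Case C: 41 chained Destination Options headers, the shape that broke Snort 2.9.0. */
unsigned case_long_chain(void) {
    static const uint8_t one[] = { IP6_DSTOPTS, 0, 1, 4, 0, 0, 0, 0 };
    uint8_t chain[41 * 8], buf[40 + 41 * 8];
    for (int i = 0; i < 41; i++) memcpy(chain + i * 8, one, 8);
    chain[40 * 8] = IP6_NONE;                             /* last header: no next header */
    walk_ip6(buf, make_pkt(buf, IP6_DSTOPTS, chain, sizeof chain), &last_result);
    return last_result.flags;
}

int main(void) {
    unsigned f;
    f = case_clean();      printf("clean:      flags=%#x count=%d\n", f, last_result.count);
    f = case_evasion();    printf("evasion:    flags=%#x count=%d\n", f, last_result.count);
    f = case_long_chain(); printf("long chain: flags=%#x count=%d\n", f, last_result.count);
    return 0;
}
```

The walker returns rather than recurses when the ceiling is hit, so a packet with 41 headers yields F_TOO_MANY after 40 headers instead of the unbounded mutual recursion in the Snort 2.9.0 excerpt, whose hdrlen of 0 re-enters DecodeIPV6Extensions on the same bytes forever. Every length is checked against the captured length before it is used, which is the other place a decoder of this kind tends to go wrong.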
  • 42. Conclusion
    • It works!
    • Dynamic library (no need to recompile Snort)
    • Enables IPv6-specific detection signatures
    • Snort & IPv6 plugin detect several THC attacks
    • Cannot solve fundamental problems: DoS and insecure Ethernet
    • Can raise visibility and awareness of the network threat situation
  • 43. Contact
    E-Mail: info@mschuette.name
    Project page: http://mschuette.name/wp/snortipv6/
    Source code: https://github.com/mschuett/spp_ipv6
    Thanks to: (sponsor logo, “heavy lifting for complex web and mobile systems”)