This document discusses the development of an IPv6 plugin for the Snort intrusion detection system. It provides context on IPv6 security issues and attacks. It then describes how the plugin was implemented to add IPv6-specific rule options and decode/process IPv6 traffic. A neighbor discovery preprocessor was also created to monitor network changes using ICMPv6 messages. The plugin allows Snort to better detect IPv6 attacks and anomalies.
There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.
(https://www.troopers.de/troopers14/troopers14-ipv6-security-summit-2014/troopers14-ipv6-security-summit-2014-presentations/index.html#IPv6Snort)
2. Context
• Diploma thesis
• 2011 at Potsdam University
• part of “attack prevention and validated protection of IPv6 networks”
Martin Schütte IPv6 Snort Plugin DeepSec, 2014-11-20 2 / 43
3. State, 1994
IPv4 Internet:
• Research and Academic Networks
• Known design & implementation errors
• Little experience with protocol security
• No urgency for improvement
4. State, today
IPv6 Internet:
• Research and Academic Networks
• Known design & implementation errors
• Little experience with protocol security
• No urgency for improvement (?)
“I WANT YOU TO USE IPv6” – Vint Cerf (www.cs.brown.edu/~adf/cerf/)
5. Network Devices, 1990s
(image by Mike Chapman)
6. Network Devices, 2012
(gumstix-based Somniloquy prototype, Yuvraj Agarwal et al.; smartphone pictures by PaulK and Egy.One)
7. IPv6 Security / Design Issues
• Main IPv6 RFCs from 1995/1998
  ⇒ many years of IPv4 security experience to catch up with
  ⇒ designed for 1990s networks to solve 1990s problems
• No consideration of: mobile usage
• Few (yet already old) implementations
• Very little in end user devices
• Uncertainty hinders deployment
8. Multiple Generations of Standards
[Figure: ERNW slide “Back to that IPv6’n’RFCs Time Bar …” (www.ernw.de, 3/17/14, #52), a timeline of standards generations]
• Neighbor Discovery: RFC 1970, RFC 2410, …, RFC 4861, …, RFC 6980
• Address Selection: RFC 3484, RFC 6724
• Generation of IID: EUI-64, Privacy Extensions, draft-ietf-6man-stable-privacy-addresses-17
NOW:
Please spot … for $OS in your environment.
Please spot … for $OTHER_OS in your environment.
Please spot … $EACH_TYPE_OF_NETWORK_DEVICE
Please spot … $STORAGE_DEVICES
9. Where are we now? 2014
• Adoption starts to take off
• Yet another wave of RFCs
• RA Guard in some switches
• Implementation bugfixes
• Enough to protect CPEs?
10. Attacks Against IPv6
The usual:
• Value ranges
• Fragmentation
• Denial of Service
• Portscans
• Errors in Application Layer
IPv6 specific:
• Autoconfiguration
• Neighbor Discovery
• Variable headers
• Multicast
• Routing
• v4/v6 Transition
11. Local Attacks
Simple Denial of Service:
1. Host Alice starts Duplicate Address Detection: “Anyone using IP X?”
2. Host Eve answers “I have IP X.”
3. goto 1
Routing/Man in the Middle:
1. Host Eve sends ICMPv6 Redirect: “This is router Bob, for google.com please use router Eve.”
23. IPv6 Support
technically yes, but …
All major IDS have IPv6 support. What does that mean?
• Fragment reassembly
• TCP & UDP decoding ⇒ upper-layer checks
• Decoder-warning on severe protocol errors
Not:
• check extensions (Routing Headers, Jumbograms)
• support all rule options (fragbits)
• IPv6 specific detection (ICMPv6/Neighbor Discovery)
24. IPv6 Signatures
Existing rules work for IPv4 and IPv6
No keywords for IPv6-only fields, no IPv6-only rules provided
alert icmp any any -> any any (msg:"IPv6 ICMP Echo-Request ?"; itype:128; classtype:icmp-event; sid:2000001; rev:1;)
Good for application layer checks
Bad for protocol layer detection
⇒ need to develop an IPv6-Plugin
26. New IPv6 Rule Options
Goal: Provide IPv6 access for signatures
• Basic Header
• Extension Headers
• Neighbor Discovery Options
Functionality:
• Handler for option parsing on config (re-)load
• Callbacks for option keywords
• Called with rule parameter and current packet
• Return match/no_match
27. IPv6 Rule Options
alert icmp any any -> any any (itype:8; ipv:4;
  msg:"ICMPv4 PING in v4 pkt"; sid:1000000; rev:1;)
alert icmp any any -> any any (itype:8; ipv:6;
  msg:"ICMPv4 PING in v6 pkt"; sid:1000001; rev:1;)
alert icmp any any -> any any (itype:128; ipv:4;
  msg:"ICMPv6 PING in v4 pkt"; sid:1000002; rev:1;)
alert icmp any any -> any any (itype:128; ipv:6;
  msg:"ICMPv6 PING in v6 pkt"; sid:1000003; rev:1;)
28. Resulting Evaluation Tree
[Diagram: Port Group “ICMP any->any” → NC Rule Tree Root → itype:8 | itype:128 → ipv:4 | ipv:6 → leaf | leaf]
29. Rule Options of the IPv6-Plugin
ipv               IP version
ip6_tclass        Traffic Class
ip6_flow          Flow Label
ip6_exthdr        Extension Header
ip6_extnum        Num. of Ext Hdrs.
ip6_ext_ordered   Ext Hdrs. correctly ordered (bool)
ip6_option        Destination-/HbH-Option
ip6_optval        Destination-/HbH-Option Value
ip6_rh            Routing Header
icmp6_nd          Neighbor Discovery (bool)
icmp6_nd_option   Neighbor Discovery Option
(Most rules accept comparison operators = ! < >)
30. More Examples
alert ip any any -> any any (ip6_rh: !2;
  msg:"invalid routing hdr";
  sid:1000004; rev:1;)
alert ip any any -> any any (ip6_option: 0.0xc2;
  msg:"ip6 option: Jumbo in HBH hdr";
  sid:100066; rev:1;)
# event threshold
alert icmp any any -> any any (icmp6_nd;
  detection_filter: track by_dst, count 50, seconds 1;
  msg:"ICMPv6 flooding";
  sid:100204; rev:1;)
# log only one flooding event per second:
event_filter gen_id 1, sig_id 100204,
  type limit, track by_src,
  count 1, seconds 1
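As an added illustration of the option-handling flow on the preceding slides (parse the rule argument once at config load, then run a callback per packet that returns match/no_match), the following C example, which is not code from spp_ipv6, implements the comparison operators `= ! < >` for the `ipv` and `ip6_extnum` keywords against a hypothetical decoded-packet struct; `DecodedPkt`, `OptionArg`, `parse_option_arg` and the `*_eval` functions are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decoded-packet view: only the fields the two options inspect,
 * filled in by the decoder before any rule option callback runs. */
typedef struct {
    int ip_version;   /* 4 or 6 */
    int ext_count;    /* number of IPv6 extension headers (0 for IPv4) */
} DecodedPkt;

typedef enum { OP_EQ, OP_NE, OP_LT, OP_GT } CmpOp;

/* Parsed form of a rule argument such as "6", "!2", "<3", ">40" or "0xc2" */
typedef struct {
    CmpOp op;
    long  value;
} OptionArg;

/* Parse the rule argument once, when the config is (re)loaded.
 * Returns 0 on success, -1 for a malformed argument (reject the rule). */
int parse_option_arg(const char *arg, OptionArg *out)
{
    while (*arg == ' ') arg++;
    out->op = OP_EQ;
    switch (*arg) {
    case '!': out->op = OP_NE; arg++; break;
    case '<': out->op = OP_LT; arg++; break;
    case '>': out->op = OP_GT; arg++; break;
    case '=': arg++; break;                 /* explicit "=" is the default */
    default: break;
    }
    while (*arg == ' ') arg++;
    char *end;
    long v = strtol(arg, &end, 0);          /* base 0: decimal or 0x-prefixed hex */
    if (end == arg) return -1;              /* no number at all */
    while (*end == ' ') end++;
    if (*end != '\0') return -1;            /* trailing garbage */
    out->value = v;
    return 0;
}

/* Apply the parsed comparison to a packet field */
int option_matches(const OptionArg *a, long field)
{
    switch (a->op) {
    case OP_EQ: return field == a->value;
    case OP_NE: return field != a->value;
    case OP_LT: return field <  a->value;
    case OP_GT: return field >  a->value;
    }
    return 0;
}

/* Per-packet callbacks in the style the slides describe: called with the parsed
 * rule parameter and the current packet, returning 1 (match) or 0 (no match). */
int ipv_eval(const OptionArg *a, const DecodedPkt *p)
{
    return option_matches(a, p->ip_version);
}

int ip6_extnum_eval(const OptionArg *a, const DecodedPkt *p)
{
    if (p->ip_version != 6) return 0;       /* the option only applies to IPv6 */
    return option_matches(a, p->ext_count);
}

int main(void)
{
    /* constructed sample packets */
    DecodedPkt v4 = { 4, 0 }, v6 = { 6, 0 }, v6_long_chain = { 6, 41 };
    OptionArg want_v6, over_40;
    if (parse_option_arg("6", &want_v6) || parse_option_arg(">40", &over_40)) return 1;
    printf("ipv:6 on IPv4 packet: %d\n", ipv_eval(&want_v6, &v4));                        /* 0 */
    printf("ipv:6 on IPv6 packet: %d\n", ipv_eval(&want_v6, &v6));                        /* 1 */
    printf("ip6_extnum:>40 on 41 ext hdrs: %d\n", ip6_extnum_eval(&over_40, &v6_long_chain)); /* 1 */
    return 0;
}
```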
31. Preprocessor for Neighbor Discovery Tracking
Goal: monitor network changes
• new hosts
• new routers
• basic extensions/options check
Functionality:
• Reads ICMPv6 messages
• Follows network state, i. e. (MAC, IP) tuple of:
  • On-link Routers
  • On-link Hosts
  • Ongoing DADs
• Alert on change
32. Configuration
in snort.conf, all optional
net_prefix         subnet prefixes
router_mac         known router MAC addresses
host_mac           known host MAC addresses
max_routers        max routers in state (default: 32)
max_hosts          max hosts in state (default: 8 K)
max_unconfirmed    max unconfirmed nodes in state (default: 32 K)
keep_state         remember nodes for n minutes (default: 180)
expire_run         clean memory every n minutes (default: 20)
disable_tracking   only rules & stateless checks (default: false)
34. Snort IPv6 Alerts: ND Tracking
SID   Message
1     RA from new router
2     RA from non-router MAC address
3     RA prefix changed
4     RA flags changed
5     RA for non-local net prefix
6     RA with lifetime 0
7     new DAD started
8     new host in network
9     new host with non-allowed MAC addr.
10    DAD with collision
11    DAD with spoofed collision
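Added example (not the preprocessor's own code): a minimal C model of the ND tracking described on the last slides, keeping (MAC, IP) tuples of on-link routers, hosts and ongoing DADs and raising SIDs from the table above when the state changes. The `NdState` layout, the three event functions, and the rule that a DAD answer from the address's recorded owner is SID 10 while an answer from any other MAC is SID 11 are assumptions; the keep_state/expire_run timers are left out.

```c
#include <stdint.h>
#include <string.h>

/* SIDs from the preprocessor's alert table on the slide above */
enum { SID_NEW_ROUTER = 1, SID_RA_PREFIX_CHANGED = 3, SID_RA_FLAGS_CHANGED = 4,
       SID_RA_LIFETIME_0 = 6, SID_NEW_DAD = 7, SID_NEW_HOST = 8,
       SID_DAD_COLLISION = 10, SID_DAD_SPOOFED = 11 };

#define MAX_ROUTERS 32   /* max_routers default from the configuration slide */
#define MAX_HOSTS   64   /* kept small for the example; max_hosts defaults to 8 K */
#define MAX_ALERTS  64

typedef struct { uint8_t mac[6]; uint8_t ip[16]; } Node;
typedef struct { Node n; uint8_t prefix[16]; uint8_t plen, flags; } Router;

typedef struct {                 /* hypothetical tracker state */
    Router routers[MAX_ROUTERS]; int nrouters;   /* on-link routers */
    Node   hosts[MAX_HOSTS];     int nhosts;     /* on-link hosts */
    Node   dads[MAX_HOSTS];      int ndads;      /* ongoing DADs: target + querying MAC */
    int    alerts[MAX_ALERTS];   int nalerts;    /* SIDs raised, in order */
} NdState;

static void raise_sid(NdState *s, int sid) { if (s->nalerts < MAX_ALERTS) s->alerts[s->nalerts++] = sid; }
static int same_mac(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 6) == 0; }
static int same_ip(const uint8_t *a, const uint8_t *b)  { return memcmp(a, b, 16) == 0; }
static int host_known(const NdState *s, const uint8_t *mac, const uint8_t *ip)
{
    for (int j = 0; j < s->nhosts; j++)
        if (same_mac(s->hosts[j].mac, mac) && same_ip(s->hosts[j].ip, ip)) return 1;
    return 0;
}

/* Router Advertisement from (mac, ip): compare against the stored router entry */
void nd_router_advert(NdState *s, const uint8_t *mac, const uint8_t *ip,
                      const uint8_t *prefix, uint8_t plen, uint8_t flags, uint16_t lifetime)
{
    if (lifetime == 0) raise_sid(s, SID_RA_LIFETIME_0);   /* router withdraws itself */
    for (int i = 0; i < s->nrouters; i++) {
        Router *r = &s->routers[i];
        if (!same_mac(r->n.mac, mac) || !same_ip(r->n.ip, ip)) continue;
        if (r->plen != plen || memcmp(r->prefix, prefix, 16) != 0) {
            raise_sid(s, SID_RA_PREFIX_CHANGED);
            memcpy(r->prefix, prefix, 16);
            r->plen = plen;
        }
        if (r->flags != flags) { raise_sid(s, SID_RA_FLAGS_CHANGED); r->flags = flags; }
        return;                                            /* known router, state updated */
    }
    raise_sid(s, SID_NEW_ROUTER);
    if (s->nrouters < MAX_ROUTERS) {
        Router *r = &s->routers[s->nrouters++];
        memcpy(r->n.mac, mac, 6);  memcpy(r->n.ip, ip, 16);
        memcpy(r->prefix, prefix, 16);  r->plen = plen;  r->flags = flags;
    }
}

/* Neighbor Solicitation from the unspecified address: a DAD for target starts */
void nd_dad_start(NdState *s, const uint8_t *mac, const uint8_t *target)
{
    for (int i = 0; i < s->ndads; i++)
        if (same_ip(s->dads[i].ip, target)) return;       /* retransmit of a known DAD */
    raise_sid(s, SID_NEW_DAD);
    if (s->ndads < MAX_HOSTS) {
        memcpy(s->dads[s->ndads].mac, mac, 6);
        memcpy(s->dads[s->ndads].ip, target, 16);
        s->ndads++;
    }
}

/* Neighbor Advertisement for target: either an answer to an ongoing DAD or a host
 * announcing itself. Assumption: an answer from the MAC recorded as holder of the
 * address is a genuine collision (SID 10), an answer from any other MAC is spoofed (SID 11). */
void nd_neighbor_advert(NdState *s, const uint8_t *mac, const uint8_t *target)
{
    for (int i = 0; i < s->ndads; i++) {
        if (!same_ip(s->dads[i].ip, target)) continue;
        raise_sid(s, host_known(s, mac, target) ? SID_DAD_COLLISION : SID_DAD_SPOOFED);
        s->dads[i] = s->dads[--s->ndads];                  /* DAD answered: drop entry */
        return;
    }
    if (host_known(s, mac, target)) return;                /* nothing new */
    raise_sid(s, SID_NEW_HOST);
    if (s->nhosts < MAX_HOSTS) {
        memcpy(s->hosts[s->nhosts].mac, mac, 6);
        memcpy(s->hosts[s->nhosts].ip, target, 16);
        s->nhosts++;
    }
}
```

Fed with the DAD loop from the "Local Attacks" slide, the model raises SID 7 and SID 11 on every round, which is the signal a detection_filter on those SIDs can rate-limit.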
36. tester.pl
[Diagram: PCAP data, snort.conf lines and Expected SIDs feed the Test Runner (snort -c -r); its Logfile (unified2) is compared against the Expected SIDs to give the Result]
Verify intended results for given packet samples.
Extremely useful for development.
(But too limited for real network testing).
37. Output/Visualization
• Big Problem
• barnyard2 tool for Snort log processing (e. g. write SQL)
• Few Open Source frontends (BASE & Snorby)
• All using old SQL Schema, without IPv6 field
38. Alternative: Use ELK and build your own
• Very good general purpose Log Collectors: Elasticsearch/Logstash/Kibana, Graylog2, Splunk
(Kibana screenshot by Éric Leblond)
39. Performance
Theory:
• Stateless checks require processing
• ND Tracking requires memory ⇒ DoS risk
Practice:
• Snort’s packet decoding does 90 % of the work
• Configurable memory limit ~ 8 Mb
• TCP stream reassembly is much more expensive
40. Bugs Found in Snort (2.9.0)
or: Real-World Problems of Major Commercial Security Products
• Ping of Death, cannot process > 40 extension headers
• wrong Endianness in GET_IPH_VER()
• fragmentation breaks ICMP/UDP checksums
• Routing Headers break ICMP/UDP checksums
• fragbits rules not supported
41. Extension Header Parsing in Snort 2.9.0
void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p)
{
    uint32_t hdrlen = 0;
    const IP6Extension *exthdr = (const IP6Extension *) pkt;  /* declaration not shown on the slide */
    if (p->ip6_extension_count < IP6_EXTMAX) {
        switch (type) {
        case IPPROTO_HOPOPTS:
            hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
        }
    }
    /* missing else => hdrlen = 0 => infinite mutual recursion */
    DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p);
}

void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p)
{
    switch (next) {
    case IPPROTO_HOPOPTS:
    case IPPROTO_DSTOPTS:
    case IPPROTO_ROUTING:
    case IPPROTO_AH:
        DecodeIPV6Options(next, pkt, len, p);
        return;
    }
}
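The cure for the mutual recursion above is a walk that is iterative, bounds checked and guaranteed to advance. The following added C example (not Snort's or the plugin's code) walks the extension header chain of a raw IPv6 packet that way and at the same time yields the values the `ip6_extnum` and `ip6_ext_ordered` rule options from the options slide need; `ip6_walk_extensions`, `build_packet` and the `Ip6Chain` struct are assumptions, and the ordering check is a simplified ranking of the RFC 2460 recommended order.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDRLEN 40
#define IP6_EXTMAX 40   /* the limit behind "cannot process > 40 extension headers" */

/* Next Header values the walk understands */
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_AH = 51,
       NH_ICMPV6 = 58, NH_NONE = 59, NH_DSTOPTS = 60 };

typedef struct {
    int     ext_count;     /* what ip6_extnum compares against */
    int     ext_ordered;   /* what ip6_ext_ordered tests (1 = RFC 2460 order) */
    uint8_t upper_proto;   /* first Next Header that is not an extension header */
    int     error;         /* 1 if the chain is truncated or longer than IP6_EXTMAX */
} Ip6Chain;

/* Rank in the RFC 2460 recommended order. Destination Options may appear before
 * Routing and again at the end, so its rank depends on whether Routing was seen.
 * (Simplification: ESP is not modelled and ends the walk like an upper layer.) */
static int ext_rank(uint8_t nh, int routing_seen)
{
    switch (nh) {
    case NH_HOPOPTS:  return 1;
    case NH_DSTOPTS:  return routing_seen ? 6 : 2;
    case NH_ROUTING:  return 3;
    case NH_FRAGMENT: return 4;
    case NH_AH:       return 5;
    default:          return 0;   /* not an extension header: stop */
    }
}

/* Walk the extension chain of a complete IPv6 packet (base header included).
 * Iterative, bounds checked and advancing on every step, so a header type the
 * decoder does not know ends the walk instead of recursing with hdrlen == 0. */
Ip6Chain ip6_walk_extensions(const uint8_t *pkt, size_t len)
{
    Ip6Chain c = { 0, 1, NH_NONE, 0 };
    if (len < IP6_HDRLEN) { c.error = 1; return c; }
    uint8_t nh = pkt[6];                 /* Next Header field of the base header */
    size_t off = IP6_HDRLEN;
    int prev_rank = 0, routing_seen = 0;

    while (ext_rank(nh, routing_seen) != 0) {
        if (c.ext_count >= IP6_EXTMAX || off + 8 > len) { c.error = 1; return c; }
        size_t hdrlen;
        if (nh == NH_FRAGMENT) hdrlen = 8;                               /* fixed size */
        else if (nh == NH_AH)  hdrlen = ((size_t)pkt[off + 1] + 2) * 4;  /* 32-bit units */
        else                   hdrlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 64-bit units */
        if (off + hdrlen > len) { c.error = 1; return c; }               /* truncated header */

        int rank = ext_rank(nh, routing_seen);
        if (rank < prev_rank || (rank == prev_rank && nh != NH_DSTOPTS)) c.ext_ordered = 0;
        prev_rank = rank;
        if (nh == NH_ROUTING) routing_seen = 1;

        c.ext_count++;
        nh   = pkt[off];                 /* every extension header starts with Next Header */
        off += hdrlen;
    }
    c.upper_proto = nh;
    return c;
}

/* Constructed test input: base header plus n minimal (8-byte) extension headers of
 * the given types, ending in ICMPv6. Returns the packet length, 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t cap, const uint8_t *chain, int n)
{
    if (n < 0) return 0;
    size_t need = IP6_HDRLEN + (size_t)n * 8;
    if (need > cap) return 0;
    memset(buf, 0, need);
    buf[0] = 0x60;                       /* version 6; other base fields stay zero */
    buf[6] = n > 0 ? chain[0] : NH_ICMPV6;
    for (int i = 0; i < n; i++) {
        uint8_t *h = buf + IP6_HDRLEN + (size_t)i * 8;
        h[0] = (i + 1 < n) ? chain[i + 1] : NH_ICMPV6;
        h[1] = 0;                        /* length field 0 = 8 bytes for every type here */
    }
    return need;
}
```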
42. Conclusion
• It works!
• Dynamic Library (no need to recompile Snort)
• Enables IPv6-specific detection signatures
• Snort & IPv6-Plugin detect several THC attacks
• Cannot solve fundamental problems: DoS and insecure Ethernet
• Can raise visibility and awareness of network threat situation
43. Contact
E-Mail: info@mschuette.name
Project Page: http://mschuette.name/wp/snortipv6/
Source Code: https://github.com/mschuett/spp_ipv6
Thanks to: [sponsor logo: “heavy lifting for complex web and mobile systems”]