IPv6 configuration
==================

All configuration options are consistent with past versions of Snort, with the
obvious exception that IPv6 addresses can be used in place of IPv4 addresses
at will. IP lists are allowed to have IP addresses from both families
simultaneously. For example:

    ipvar example [1.1.1.1,2::2]
    alert tcp [3::0/120,!3::3,4.4.4.4] any -> $example any (msg:"Example";sid:1;)

See README.variables for more information.


Miscellaneous - BSD Fragmented IPv6 Vulnerability (CVE-2007-1365)
=================================================================

Some versions of BSD are vulnerable to an attack that involves sending two
fragmented ICMPv6 packets with specific fragmentation flags (see Bugtraq ID
22901 or CVE-2007-1365). By default, Snort will alert if it sees both
packets in sequence, or the second packet by itself.

Snort will keep track of multiple simultaneous IPv6 fragmented ICMPv6 sessions,
up to a user-configurable timeout or until a session can be confirmed to be
safe.

To configure this module's behavior, add a line to snort.conf with:

    ipv6_frag <option1 arg1>[, <option2 arg2>, ...]

Options:

    bsd_icmp_frag_alert [on/off] - Whether or not to alert on the
                                   BSD fragmented ICMPv6 vulnerability

    bad_ipv6_frag_alert [on/off] - Whether or not to alert if the
                                   second packet is seen by itself

    frag_timeout [integer]       - Length of time to track the attack
                                   in seconds. Min 0, max 3600,
                                   default 60 (consistent with BSD's
                                   internal default).

    max_frag_sessions [integer]  - Total number of possible attacks
                                   to track. Min 0, default 10000.

To enable drops in inline mode, use "config enable_decode_drops".
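A small linter for ipv6_frag lines in snort.conf, checking option names and the ranges listed above and flagging alerts that have been switched off. This is an added example, not part of Snort or its README; the function name lint_ipv6_frag, the sample lines, lowercase on/off arguments and the treatment of "#" as a comment marker are assumptions.

```python
import re

# Option table taken from the README text above: name -> (kind, maximum).
OPTIONS = {
    "bsd_icmp_frag_alert": ("switch", None),
    "bad_ipv6_frag_alert": ("switch", None),
    "frag_timeout": ("int", 3600),
    "max_frag_sessions": ("int", None),  # the README states no maximum
}

def lint_ipv6_frag(conf_text):
    """Return (line_no, message) findings for every ipv6_frag line."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not re.match(r"ipv6_frag(\s|$)", line):
            continue
        body = line[len("ipv6_frag"):]
        for item in filter(None, (p.strip() for p in body.split(","))):
            parts = item.split()
            name = parts[0]
            if name not in OPTIONS:
                findings.append((no, f"unknown option '{name}'"))
                continue
            if len(parts) != 2:
                findings.append((no, f"'{name}' needs exactly one argument"))
                continue
            kind, maximum = OPTIONS[name]
            arg = parts[1]
            if kind == "switch":
                if arg not in ("on", "off"):
                    findings.append((no, f"'{name}' must be on or off"))
                elif arg == "off":
                    # Valid syntax, but detection for this case is disabled.
                    findings.append((no, f"'{name}' is off: alert disabled"))
            elif not arg.isdigit():
                findings.append((no, f"'{name}' must be an integer >= 0"))
            elif maximum is not None and int(arg) > maximum:
                findings.append((no, f"'{name}' {arg} exceeds maximum {maximum}"))
    return findings

# Constructed sample snort.conf fragment (not from a real deployment).
SAMPLE = """\
ipv6_frag bsd_icmp_frag_alert on, frag_timeout 60
ipv6_frag bad_ipv6_frag_alert off, frag_timeout 7200, max_sessions 5
"""

if __name__ == "__main__":
    for no, msg in lint_ipv6_frag(SAMPLE):
        print(f"line {no}: {msg}")
```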