Not many people have native IPv6 connectivity; most use some form of tunneling. For this reason Nitro Security asked me to develop a Snort preprocessor to unwrap various tunnels. This resulted in the preprocessor ‘ip6tunnel’, which I uploaded to Snort_inline’s SVN yesterday. The preprocessor is capable of unwrapping IPv6-in-IPv4, IPv6-in-IPv6, IPv4-in-IPv6, IPv4-in-IPv4 and finally IPv6-over-UDP. The latter is used by Freenet6.
I chose to develop it as a preprocessor because this allows Snort to inspect both the original packet and the tunnel packet(s). The preprocessor supports recursive unwrapping. The recursion depth is limited to 3 by default, but can be configured differently. Get the preprocessor from Snort_inline’s SVN by checking out the latest trunk:
svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
Then have a look at doc/README.IP6TUNNEL for configuration options.
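To illustrate the recursive unwrapping with a depth limit described above, here is an added example (my own sketch, not code from the ip6tunnel preprocessor or Snort_inline): it walks a constructed packet buffer, follows the standard IANA protocol numbers 4 (IPv4-in-IP) and 41 (IPv6-in-IP) through nested headers, and stops at a configurable depth. IPv6 extension headers and the UDP (Freenet6) case are deliberately left out to keep it short.

```c
/* Added example, not the ip6tunnel preprocessor's code: count nested
 * IP-in-IP encapsulations, stopping at a recursion limit (default 3). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEFAULT_MAX_DEPTH 3   /* default recursion limit from the post */
#define PROTO_IPIP  4         /* IANA: IPv4 encapsulated in IP */
#define PROTO_IPV6  41        /* IANA: IPv6 encapsulated in IP */

/* Returns the number of inner IP headers unwrapped, or -1 if a header is
 * truncated or its version nibble contradicts the enclosing header.
 * Simplification: IPv6 extension headers are not walked. */
int unwrap_tunnels(const uint8_t *pkt, size_t len, int max_depth)
{
    int depth = 0;
    unsigned expect = 0;                     /* version the outer header promised */
    while (len >= 1) {
        unsigned version = pkt[0] >> 4, inner;
        size_t hlen;
        if (expect && version != expect) return -1;
        if (version == 4) {
            hlen = (pkt[0] & 0x0f) * 4u;     /* IHL in 32-bit words */
            if (hlen < 20 || len < hlen) return -1;
            inner = pkt[9];                  /* IPv4 Protocol field */
        } else if (version == 6) {
            hlen = 40;                       /* fixed IPv6 header */
            if (len < hlen) return -1;
            inner = pkt[6];                  /* IPv6 Next Header field */
        } else return -1;
        if (inner != PROTO_IPIP && inner != PROTO_IPV6) return depth;  /* payload */
        if (depth >= max_depth) return depth;  /* limit reached: do not recurse */
        expect = (inner == PROTO_IPIP) ? 4 : 6;
        pkt += hlen; len -= hlen; depth++;
    }
    return depth;
}

/* Constructed sample: IPv4 -> IPv6 -> IPv6 -> TCP (two tunnel layers). */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 120);
    buf[0] = 0x45; buf[9] = PROTO_IPV6;      /* outer IPv4, protocol 41 */
    buf[20] = 0x60; buf[26] = PROTO_IPV6;    /* IPv6, next header 41 */
    buf[60] = 0x60; buf[66] = 6;             /* IPv6, next header TCP */
    return 120;
}

/* Runs the sample; len == 0 means the full packet, else a truncated one. */
int demo(int max_depth, size_t len)
{
    uint8_t buf[120];
    size_t n = build_sample(buf);
    return unwrap_tunnels(buf, len ? len : n, max_depth);
}
```

With the full sample and the default limit this reports 2 unwrapped layers; with a limit of 1 it stops after the first, which is the behaviour a detection engine needs so a crafted packet cannot drive unbounded recursion.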
Once again thanks to the great people of Nitro Security. I think it’s great to see this company giving back to the community!
Have you published any IPv6 Snort rules?
The normal rules work with both IPv4 and IPv6 traffic. What kind of rules are you looking for?