Are your tools ready for IPv6? (part 2) - SANS Internet Storm Center

Are your tools ready for IPv6? (part 2)
In my previous diary, I started sharing some of my experiences with trying to update my automated malware analysis and honeynet environments to handle IPv6 (the conversation I started with my talk by the same name at SANSFIRE last month). In this diary, I'd like to wrap that up and provide a couple of updates. So, here are the rest of the tools/categories that I've been looking at/thinking about in my upgrade process. Network Management SNMP - Back when I was doing a lot more network troubleshooting, one of the primary tools we used to monitor just about everything was HP OpenView which relied on SNMP. While I am not using SNMP in my automated malware analysis environment or (currently) my honeynets, I did start thinking about it. It appears that net-snmp has run fine in IPv6 since 2002 or 2003 and OpenView for at least a couple of years (at least 2009, maybe since 2005). WIN FTP/TFTP/SFTP - Again, not something I actually use in these environments, but tools that were used in some previous environments for installing or backing up configurations. There are FTP, TFTP, and SFTP clients and servers for all the OSes that I've looked at that can do IPv6. Whether or not your devices have the appropriate versions installed or not though, who knows. WIN? NTP - For log correlation, you want synchronized clocks. If the system can do NTP and IPv6, it can probably do NTP over IPv6. BTW, ff0x::101 are the multicast addresses set aside for the local NTP servers. I'm going to assume WIN Logging syslog (classic) - okay syslog dates to the 1980s, long before IPv6. You wouldn't really expect the stock syslogd on older OSes to handle IPv6. FAIL rsyslog - The current standard on Ubuntu, handles IPv6 just fine. WIN syslog-ng - My favorite syslog daemon, also handles IPv6 just fine. WIN Kiwi/SNARE - I'm not using any tools to send Windows event logs to a syslog server, so I haven't checked to see how they do with IPv6, but I imagine some of our readers have. ???? web server/applications - these are pretty much left as an exercise to the reader. ???? Databases Postgresql - One of the things I really like about postgresql is the built-in cidr and inet datatypes for storing IP addresses in databases. As of, at least, v8.2 either type can handle an IPv6 address as well as IPv4. WIN MySQL -While it lacks the built-in types that Postgreql has, for IPv4 they provide built-in functions inet_aton() and inet_ntoa() to convert addresses to integers for storage in the database. As of version 5.6.3, MySQL will (does?) have inet6_aton() and inet6_ntoa(). WIN? Oracle - It has been over a decade since I was an Oracle DBA, but from what I can tell...not so much. FAIL IDS/IPS snort/snort-inline - As with the firewalls discussion in the previous diary, I haven't looked at the commercial products lately. if any of our readers can fill me in on how they do, it would be greatly appreciated. The previous setup was based on the Honeynet Project's roo honeywall (the issues with updating roo are worthy of a diary all their own) which was running snort 2.8.something. I am using 2.9.0.5 in the updated setup and it seems to work just fine. I've heard reports of some issues with snort and IPv6, but have not encountered any problems myself. WIN Scanning nmap - Okay, with the tremendous increase in the size of the target space, linear scanning isn't particularly practical anymore. We will need to figure out more efficient ways to scan. That said, there is still no ability to specify an IPv6 CIDR block as of 5.52.IPv6.beta (from June 2011). FAIL fping/fping6 - while fping6 exists and can do many of the things that fping can do on IPv6 addresses. Unfortunately, you cannot specify an IPv6 CIDR block or a range of IPv6 addresses with the -g option. FAIL nessus - I honestly haven't looked at vulnerability scanners lately. Can any of our readers help me out here? ???? Pentest tools metasploit - I don't do much pen testing these days either, but when I've needed to use metasploit it has mostly worked for me. WIN? Miscellaneous other tools netcat - there are a number of netcat versions out there that work with IPv6 just fine. WIN p0f - this one wasn't on my list for the SANSFIRE talk because, frankly, it just occurred to me about 1.5 weeks ago. Unfortunately, it doesn't support IPv6 now and seems to no longer be supported. I haven't sent off a request to the author though. FAIL prads - As a result of p0f not handling IPv6, I started looking around for tools that could do passive (or active) OS fingerprinting of IPv6 traffic and happened across prads. It look promisiing. Is there anything else out there? WIN There you have the tools that I've looked at and some that I've just thought about. I'm sure I've missed some tools/categories that are important to some of the rest of you. Please feel free to use the comment section or contact form to let me know what I missed. Update: Since the previous diary, one of our readers pointed out that a new version of httpry (v0.1.6) has just been released that does handle IPv6. Also, due to some personal issues, I haven't been able to get back to any of my scripts until this week. I've updated the tools in http://handlers.sans.edu/jclausing/ipv6/ to handle type 0, 43, and 60 extension headers (hop-by-hop, routing header, and destination options). --------------- Jim Clausing, GIAC GSE #26 jclausing --at-- isc [dot] sans (dot) edu SANS FOR558-Network Forensics coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=25749 I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS DFIR Summit & Training 2022	Jim 423 Posts ISC Handler Aug 23rd 2011
Thread locked Subscribe	Aug 23rd 2011 1 decade ago
Oracle should have started adding ipv6 support from 11gR2 (single instance mode, however) http://www.oracle.com/technetwork/database/enterprise-edition/oracledatabase-ipv6-sod-132278.pdf	Anonymous
Quote	Aug 23rd 2011 1 decade ago
Nessus works under *nix platforms with IPv6, but the windows stack doesn't support the features needed for nessus to work	Anonymous
Quote	Aug 23rd 2011 1 decade ago
Have the db schemas for snort been updated to support IPv6? (Sure, I could look, but that's what we have a community for, right?)	Hal 50 Posts
Quote	Aug 23rd 2011 1 decade ago
Sorry, replying to self. It doesn't look like the schemas distributed with Sort version 2.9.0.5 have any concept of IPv6. I imagine an ip6hdr table is needed along with a field in the event table to indicate v4 or v6. Unless there's a way to overlay both v4 and v6 in the iphdr table. Barnyard/barndard2 would need to be modified to support the new schema. Another question is whether the unified/unified2 output plugins support v6 currently. Or whatever other output plugin(s) you use.	Hal 50 Posts
Quote	Aug 23rd 2011 1 decade ago
koppensb: I fear that other tools may have the same issue. E.g., some metasploit exploits and/or payloads may not work over IPv6 due to limitations or issues on the target end. Ken: I'll have to look at my unified2 logs (and barnyard2), but I thought I had seen some IPv6 alerts, but now I can't find them. Hmm... For most of my honeynet stuff, I still use the old alert_full and alert_fast.	Jim 423 Posts ISC Handler
Quote	Aug 23rd 2011 1 decade ago
Snort's unified2 output plugin code appears to take IPv6 into account. These plugins show positive to "fgrep -il ipv6 *" in the src/output_plugins directory: spo_alert_arubaaction.c spo_alert_prelude.c spo_csv.c spo_unified2.c spo_unified.c These output plugin source files do not contain the (case-insensitive) "ipv6" string: spo_alert_fast.c spo_alert_full.c spo_alert_sf_socket.c spo_alert_syslog.c spo_alert_test.c spo_alert_unixsock.c spo_database.c spo_log_ascii.c spo_log_null.c spo_log_tcpdump.c That's a crude test, perhaps, but you'd defintely want to look closer if you use one of those.	Hal 50 Posts
Quote	Aug 23rd 2011 1 decade ago

In my previous diary, I started sharing some of my experiences with trying to update my automated malware analysis and honeynet environments to handle IPv6 (the conversation I started with my talk by the same name at SANSFIRE last month). In this diary, I'd like to wrap that up and provide a couple of updates.

So, here are the rest of the tools/categories that I've been looking at/thinking about in my upgrade process.

Network Management
- SNMP - Back when I was doing a lot more network troubleshooting, one of the primary tools we used to monitor just about everything was HP OpenView which relied on SNMP. While I am not using SNMP in my automated malware analysis environment or (currently) my honeynets, I did start thinking about it. It appears that net-snmp has run fine in IPv6 since 2002 or 2003 and OpenView for at least a couple of years (at least 2009, maybe since 2005). WIN
- FTP/TFTP/SFTP - Again, not something I actually use in these environments, but tools that were used in some previous environments for installing or backing up configurations. There are FTP, TFTP, and SFTP clients and servers for all the OSes that I've looked at that can do IPv6. Whether or not your devices have the appropriate versions installed or not though, who knows. WIN?
- NTP - For log correlation, you want synchronized clocks. If the system can do NTP and IPv6, it can probably do NTP over IPv6. BTW, ff0x::101 are the multicast addresses set aside for the local NTP servers. I'm going to assume WIN
Logging
- syslog (classic) - okay syslog dates to the 1980s, long before IPv6. You wouldn't really expect the stock syslogd on older OSes to handle IPv6. FAIL
- rsyslog - The current standard on Ubuntu, handles IPv6 just fine. WIN
- syslog-ng - My favorite syslog daemon, also handles IPv6 just fine. WIN
- Kiwi/SNARE - I'm not using any tools to send Windows event logs to a syslog server, so I haven't checked to see how they do with IPv6, but I imagine some of our readers have. ????
- web server/applications - these are pretty much left as an exercise to the reader. ????
Databases
- Postgresql - One of the things I really like about postgresql is the built-in cidr and inet datatypes for storing IP addresses in databases. As of, at least, v8.2 either type can handle an IPv6 address as well as IPv4. WIN
- MySQL -While it lacks the built-in types that Postgreql has, for IPv4 they provide built-in functions inet_aton() and inet_ntoa() to convert addresses to integers for storage in the database. As of version 5.6.3, MySQL will (does?) have inet6_aton() and inet6_ntoa(). WIN?
- Oracle - It has been over a decade since I was an Oracle DBA, but from what I can tell...not so much. FAIL
IDS/IPS
- snort/snort-inline - As with the firewalls discussion in the previous diary, I haven't looked at the commercial products lately. if any of our readers can fill me in on how they do, it would be greatly appreciated. The previous setup was based on the Honeynet Project's roo honeywall (the issues with updating roo are worthy of a diary all their own) which was running snort 2.8.something. I am using 2.9.0.5 in the updated setup and it seems to work just fine. I've heard reports of some issues with snort and IPv6, but have not encountered any problems myself. WIN
Scanning
- nmap - Okay, with the tremendous increase in the size of the target space, linear scanning isn't particularly practical anymore. We will need to figure out more efficient ways to scan. That said, there is still no ability to specify an IPv6 CIDR block as of 5.52.IPv6.beta (from June 2011). FAIL
- fping/fping6 - while fping6 exists and can do many of the things that fping can do on IPv6 addresses. Unfortunately, you cannot specify an IPv6 CIDR block or a range of IPv6 addresses with the -g option. FAIL
- nessus - I honestly haven't looked at vulnerability scanners lately. Can any of our readers help me out here? ????
Pentest tools
- metasploit - I don't do much pen testing these days either, but when I've needed to use metasploit it has mostly worked for me. WIN?
Miscellaneous other tools
- netcat - there are a number of netcat versions out there that work with IPv6 just fine. WIN
- p0f - this one wasn't on my list for the SANSFIRE talk because, frankly, it just occurred to me about 1.5 weeks ago. Unfortunately, it doesn't support IPv6 now and seems to no longer be supported. I haven't sent off a request to the author though. FAIL
- prads - As a result of p0f not handling IPv6, I started looking around for tools that could do passive (or active) OS fingerprinting of IPv6 traffic and happened across prads. It look promisiing. Is there anything else out there? WIN

There you have the tools that I've looked at and some that I've just thought about. I'm sure I've missed some tools/categories that are important to some of the rest of you. Please feel free to use the comment section or contact form to let me know what I missed.

Update: Since the previous diary, one of our readers pointed out that a new version of httpry (v0.1.6) has just been released that does handle IPv6. Also, due to some personal issues, I haven't been able to get back to any of my scripts until this week. I've updated the tools in http://handlers.sans.edu/jclausing/ipv6/ to handle type 0, 43, and 60 extension headers (hop-by-hop, routing header, and destination options).

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

SANS FOR558-Network Forensics coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=25749

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS DFIR Summit & Training 2022

Jim

423 Posts
ISC Handler

Aug 23rd 2011

Oracle should have started adding ipv6 support from 11gR2 (single instance mode, however)

http://www.oracle.com/technetwork/database/enterprise-edition/oracledatabase-ipv6-sod-132278.pdf

Anonymous

Nessus works under *nix platforms with IPv6, but the windows stack doesn't support the features needed for nessus to work

Anonymous

Have the db schemas for snort been updated to support IPv6? (Sure, I could look, but that's what we have a community for, right?)

Hal

50 Posts

Sorry, replying to self. It doesn't look like the schemas distributed with Sort version 2.9.0.5 have any concept of IPv6.

I imagine an ip6hdr table is needed along with a field in the event table to indicate v4 or v6. Unless there's a way to overlay both v4 and v6 in the iphdr table. Barnyard/barndard2 would need to be modified to support the new schema.

Another question is whether the unified/unified2 output plugins support v6 currently. Or whatever other output plugin(s) you use.

Hal

50 Posts

koppensb: I fear that other tools may have the same issue. E.g., some metasploit exploits and/or payloads may not work over IPv6 due to limitations or issues on the target end.
Ken: I'll have to look at my unified2 logs (and barnyard2), but I thought I had seen some IPv6 alerts, but now I can't find them. Hmm... For most of my honeynet stuff, I still use the old alert_full and alert_fast.

Jim

423 Posts
ISC Handler

Snort's unified2 output plugin code appears to take IPv6 into account. These plugins show positive to "fgrep -il ipv6 *" in the src/output_plugins directory:

spo_alert_arubaaction.c
spo_alert_prelude.c
spo_csv.c
spo_unified2.c
spo_unified.c

These output plugin source files do not contain the (case-insensitive) "ipv6" string:

spo_alert_fast.c
spo_alert_full.c
spo_alert_sf_socket.c
spo_alert_syslog.c
spo_alert_test.c
spo_alert_unixsock.c
spo_database.c
spo_log_ascii.c
spo_log_null.c
spo_log_tcpdump.c

That's a crude test, perhaps, but you'd defintely want to look closer if you use one of those.

Hal

50 Posts