In my previous diary, I started sharing some of my experiences with trying to update my automated malware analysis and honeynet environments to handle IPv6 (the conversation I started with my talk by the same name at SANSFIRE last month). In this diary, I'd like to wrap that up and provide a couple of updates. So, here are the rest of the tools/categories that I've been looking at/thinking about in my upgrade process.
There you have the tools that I've looked at and some that I've just thought about. I'm sure I've missed some tools/categories that are important to some of the rest of you. Please feel free to use the comment section or contact form to let me know what I missed.

Update: Since the previous diary, one of our readers pointed out that a new version of httpry (v0.1.6) has just been released that does handle IPv6. Also, due to some personal issues, I haven't been able to get back to any of my scripts until this week. I've updated the tools in http://handlers.sans.edu/jclausing/ipv6/ to handle type 0, 43, and 60 extension headers (hop-by-hop, routing header, and destination options).
Jim, ISC Handler, Aug 23rd 2011
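The extension-header problem the update above refers to, as an added example that is not the diary author's code: a tool that reads the IPv6 "Next Header" byte and treats it as the transport protocol will classify a packet carrying hop-by-hop (0), routing (43) or destination options (60) headers as that extension type and never see the TCP/UDP behind it. The walker below follows the chain to the real upper-layer protocol; the sample packet is constructed inline, not captured.

```python
import struct

# IPv6 extension header types from RFC 2460 (fragment added because its length rule differs)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def naive_proto(pkt):
    """What an IPv4-era tool does: take the Next Header byte as the protocol."""
    return pkt[6]


def walk_ipv6(pkt):
    """Return (upper_proto, [extension header types in order], payload offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = min(len(pkt), 40 + payload_len)   # never trust the length field past the buffer
    next_hdr, off, chain = pkt[6], 40, []
    while next_hdr in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header at offset %d" % off)
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            hdr_len = 8                          # fragment header is a fixed 8 octets
        else:
            hdr_len = (pkt[off + 1] + 1) * 8     # Hdr Ext Len counts 8-octet units beyond the first
        next_hdr = pkt[off]                      # each extension header carries the next type
        off += hdr_len
        if off > end:
            raise ValueError("extension header runs past packet end")
    return next_hdr, chain, off


def build_sample():
    """Constructed packet: IPv6 | hop-by-hop | dest opts | routing | TCP SYN (no checksums)."""
    hbh = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])   # next=60, len=0, PadN(4)
    dst = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])     # next=43, len=0, PadN(4)
    rth = bytes([6, 0, 0, 0, 0, 0, 0, 0])           # next=6 (TCP), len=0, type 0, segments left 0
    tcp = struct.pack("!HHIIHHHH", 12345, 80, 0, 0, 0x5002, 8192, 0, 0)
    payload = hbh + dst + rth + tcp
    loopback = bytes(15) + b"\x01"                  # ::1 as source and destination
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), HOP_BY_HOP, 64, loopback, loopback)
    return ip6 + payload


if __name__ == "__main__":
    pkt = build_sample()
    print("naive protocol:", naive_proto(pkt))        # 0 -> looks like hop-by-hop, TCP is missed
    print("walked:", walk_ipv6(pkt))                  # (6, [0, 60, 43], 64)
```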
Oracle should have started adding IPv6 support from 11gR2 (single instance mode, however):
http://www.oracle.com/technetwork/database/enterprise-edition/oracledatabase-ipv6-sod-132278.pdf
Anonymous, Aug 23rd 2011
Nessus works under *nix platforms with IPv6, but the Windows stack doesn't support the features needed for Nessus to work.
Anonymous, Aug 23rd 2011
Have the db schemas for snort been updated to support IPv6? (Sure, I could look, but that's what we have a community for, right?)
Hal, Aug 23rd 2011
Sorry, replying to self. It doesn't look like the schemas distributed with Snort version 2.9.0.5 have any concept of IPv6.
I imagine an ip6hdr table is needed along with a field in the event table to indicate v4 or v6, unless there's a way to overlay both v4 and v6 in the iphdr table. Barnyard/barnyard2 would need to be modified to support the new schema. Another question is whether the unified/unified2 output plugins support v6 currently, or whatever other output plugin(s) you use.
Hal, Aug 23rd 2011
koppensb: I fear that other tools may have the same issue. E.g., some Metasploit exploits and/or payloads may not work over IPv6 due to limitations or issues on the target end.
Ken: I'll have to look at my unified2 logs (and barnyard2). I thought I had seen some IPv6 alerts, but now I can't find them. Hmm... For most of my honeynet stuff, I still use the old alert_full and alert_fast.
Jim, ISC Handler, Aug 23rd 2011
Snort's unified2 output plugin code appears to take IPv6 into account. These plugins show positive to "fgrep -il ipv6 *" in the src/output_plugins directory:
spo_alert_arubaaction.c, spo_alert_prelude.c, spo_csv.c, spo_unified2.c, spo_unified.c
These output plugin source files do not contain the (case-insensitive) "ipv6" string:
spo_alert_fast.c, spo_alert_full.c, spo_alert_sf_socket.c, spo_alert_syslog.c, spo_alert_test.c, spo_alert_unixsock.c, spo_database.c, spo_log_ascii.c, spo_log_null.c, spo_log_tcpdump.c
That's a crude test, perhaps, but you'd definitely want to look closer if you use one of those.
Hal, Aug 23rd 2011