All configuration options are consistent with past versions of Snort, with the obvious exception that IPv6 addresses can be used in place of IPv4 addresses at will. IP lists are allowed to have IP addresses from both families simultaneously. For example:
ipvar example [1.1.1.1,2::2]
alert tcp [3::0/120,!3::3,4.4.4.4] any -> $example any (msg:"Example";sid:1;)
See README.variables for more information.
Some versions of BSD are vulnerable to an attack that involves sending two fragmented ICMPV6 packets with specific fragmentation flags (see Bugtraq ID 22901 or CVE-2007-1365). Snort will, by default alert if it sees the both packets in sequence, or the second packet by itself.
Snort will keep track of multiple simultaneous IPv6 fragmented ICMPv6 sessions, up to a user-configurable timeout or until a session can be confirmed to be safe.
To configure this module’s behavior, add a line to snort.conf with:
ipv6_frag <option1 arg1>[, <option2 arg2>, ...]
Options:
bsd_icmp_frag_alert [on/off] - Whether or not to alert on the
BSD fragmented ICMPv6 vulnerability
bad_ipv6_frag_alert [on/off] - Whether or not to alert if the
second packet is seen by itself
frag_timeout [integer] - Length of time to track the attack
in seconds. Min 0, max 3600,
default 60 (consistent with BSD's
internal default).
max_frag_sessions [integer] - Total number of possible attacks
to track. Min 0, default 10000.
To enable drops in inline mode, use “config enable_decode_drops”.